Cyber Security Lecture for July 16, 2010 Network Security Dr. Bhavani Thuraisingham
Outline • Introduction to Network Security • Types of Secure Network Systems • Secure Network Protocols
What is Network Security • Network securityconsists of the provisions made in an underlying computer network infrastructure, policies adopted by the network administrator to protect the network and the network-accessible resources from unauthorized access, and consistent and continuous monitoring and measurement of its effectiveness • The terms network security and information security are often used interchangeably. Network security is generally taken as providing protection at the boundaries of an organization by keeping out intruders (hackers). • Information security, however, explicitly focuses on protecting data resources from malware attack or simple mistakes by people within an organization by use of data loss prevention (DLP) techniques.
What is Network Security • Network security starts from authenticating the user, commonly with a username and a password. • Once authenticated, a firewall enforces access policies such as what services are allowed to be accessed by the network users.[ • Though effective to prevent unauthorized access, this component may fail to check potentially harmful content such as computer worms or Trojans being transmitted over the network. • Anti-virus software or an intrusion prevention system (IPS) help detect and inhibit the action of such malware. An anomaly-based intrusion detection system may also monitor the network and traffic for unexpected (i.e. suspicious) content or behavior and other anomalies to protect resources, e.g. from denial of service attacks or an employee accessing files at strange times. Individual events occurring on the network may be logged for audit purposes and for later high level analysis.
What is Network Security • Communication between two hosts using a network could be encrypted to maintain privacy. • Honeypots essentially decoy network-accessible resources, could be deployed in a network as surveillance and early-warning tools. Techniques used by the attackers that attempt to compromise these decoy resources are studied during and after an attack to keep an eye on new exploitation techniques. Such analysis could be used to further tighten security of the actual network being protected by the honeypot. • A Botnet is a collection of software agents, or robots, that run autonomously and automatically. The term is most commonly associated with malicious software, but it can also refer to a network of computers using distributed computing software.
Network Forensic • Network forensics is essentially about monitoring network traffic and determining if there is an attack and if so, determine the nature of the attack • Key tasks include traffic capture, analysis and visualization • Many tools are now available • Works together with IDs, Firewalls and Honeynets • Expert systems solutions show promise
What is Network Forensics? • Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents. • Network forensics systems can be one of two kinds: • "Catch-it-as-you-can" systems, in which all packets passing through a certain traffic point are captured and written to storage with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system. • "Stop, look and listen" systems, in which each packet is analyzed in a rudimentary way in memory and only certain information saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.
Network Forensics Analysis Tools (NFAT): Relationships between IDS, Firewalls and NFAT • IDS attempts to detect activity that violates an organization’s security policy by implementing a set of rules describing preconfigures patterns of interest • Firewall allows or disallows traffic to or from specific networks, machine addresses and port numbers • NFAT synergizes with IDSs and Firewalls. • Preserves long term record of network traffic • Allows quick analysis of trouble spots identified by IDSs and Firewalls • NFATs must do the following: • Capture network traffic • Analyze network traffic according to user needs • Allow system users discover useful and interesting things about the analyzed traffic
NFAT Tasks • Traffic Capture • What is the policy? • What is the traffic of interest? • Intermal/Externasl? • Collect packets: tcpdump • Traffic Analysis • Sessionizing captured traffic (organize) • Protocol Parsing and analysis • Check for strings, use expert systems for analysis • Interacting with NFAT • Appropriate user interfaces, reports, examine large quantities of information and make it manageable
Honeynets/Honeypots • Network Forensics and honeynet systems have the same features of collecting information about computer misuses • Honeynet system can lure attackers and gain information about new types of intrusions • Network forensics systems analyze and reconstruct he attack behaviors • These two systems integrated together build a active self learning and response system to profile the intrusion behavior features and investigate the original source of the attack.
Policies: Computer Attack Taxonomy • Probing • Attackers reconnaissance • Attackers create a profile of an organization's structure, network capabilities and content, security posture • Attacker finds the targets and devices plans to circumvent the security mechanism • Penetration • Exploit System Configuration errors and vulnerabilities • Install Trojans, record passwords, delete files, etc. • Cover tracks • Configure event logging to a previous state • Clear event logs and hide files
Policies to enhance forensics • Retaining information • Planning the response • Training • Accelerating the investigation • Preventing anonymous activities • Protect the evidence
Example Prototype System: Iowa State University • Network Forensics Analysis mechanisms should meet the following: • Short response times; User friendly interfaces • Questions addresses • How likely is a specific host relevant to the attack? What is the role the host played in the attack? How strong are two hosts connected to the attack? • Features of the prototype • Preprocessing mechanism to reduce redundancy in intrusion alerts • Graph model for presenting and interacting with th3 evidence • Hierarchical reasoning framework for automated inference of attack group identification
Example Prototype System: Modules • Evidence collection module • Evidence preprocessing module • Attack knowledge base • Assets knowledge base • Evidence graph generation module • Attack reasoning module • Analyst interface module
Some Popular Tools • Raytheon’s SilentRunner • Gives administrators help as they attempt to protect their company’s assets • Collector, Analyzer and Visualize Modules • Sandstorm Enterprise’s NetIntercept • Hardware appliance focused on capturing network traffic • Niksun’s NetDetector • Its an appliance like NetIntercept • Has an alerting mechanism • Integrates with Cicso IDS for a complete forensic analysis
Types of Secure Network Systems • Internet Security Systems • Intrusion Detection Systems • Firewall Security Systems • Storage Area Network Security Systems • Network disaster recovery systems • Public key infrastructure systems • Wireless network security systems • Satellite encryption security systems • Instant Messaging Security Systems • Net privacy systems • Identity management security systems • Identify theft prevention systems • Biometric security systems • Homeland security systems
Internet Security Systems • Security hierarchy • Public, Private and Mission Critical data • Unclassified, Confidential, Secret and TopSecret data • Security Policy • Who gets access to what data • Bell LaPadula Security Policy, Noninterference Policy • Access Control • Role-based access control, Usage control • Encryption • Public/private keys • Secret payment systems • Directions • Smart cards
Intrusion Detection Systems • An intrusion can be defined as “any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource”. • Attacks are: • Host-based attacks • Network-based attacks • Intrusion detection systems are split into two groups: • Anomaly detection systems • Misuse detection systems • Use audit logs • Capture all activities in network and hosts. • But the amount of data is huge!
Worm Detection: Introduction • What are worms? • Self-replicating program; Exploits software vulnerability on a victim; Remotely infects other victims • Evil worms • Severe effect; Code Red epidemic cost $2.6 Billion • Automatic signature generation possible • EarlyBird System (S. Singh. -UCSD); Autograph (H. Ah-Kim. - CMU) • Goals of worm detection • Real-time detection • Issues • Substantial Volume of Identical Traffic, Random Probing • Methods for worm detection • Count number of sources/destinations; Count number of failed connection attempts • Worm Types • Email worms, Instant Messaging worms, Internet worms, IRC worms, File-sharing Networks worms
Email Worm Detection using Data Mining • Task: • given some training instances of both “normal” and “viral” emails, • induce a hypothesis to detect “viral” emails. • We used: • Naïve Bayes • SVM Outgoing Emails The Model Test data Feature extraction Classifier Machine Learning Training data Cleanor Infected ?
Firewall Security Systems • Firewall is a system or groups of systems that enforces an access control policy between two networks • Benefits • Implements access control across networks • Maintains logs that can be analyzed • Data mining for analyzing firewall logs and ensuring policy consistency • Limitatations • No security within the network • Difficult to implement content based policies • Difficult to protect against malicious code • Data driven attacks
Firewall Log File Mining Log File Using Frequency Filtering Rule Generalization Edit Firewall Rules Identify Decaying & Dominant Rules Generic Rules Traffic Mining • To bridge the gap between what is written in the firewall policy rules and what is being observed in the network is to analyze traffic and log of the packets– traffic mining • Network traffic trend may show that some rules are out-dated or not used recently Firewall Policy Rule
Storage Area Network Security Systems • High performance networks that connects all the storage systems • After as disaster such as terrorism or natural disaster (9/11 or Katrina), the data has to be availability • Database systems is a special kind of storage system • Benefits include centralized management, scalability reliability, performance • Security attacks on multiple storage devices • Secure storage is being investigated
Network Disaster Recovery Systems • Network disaster recovery is the ability to respond to an interruption in network services by implementing a disaster recovery palm • Policies and procedures have to be defined and subsequently enforced • Which machines to shut down, determine which backup servers to use, When should law enforcement be notified
Public Key Infrastructure Systems • A certificate authority that issues and verifies digital certificates • A registration authority that acts as a verifier for the certificate authority before a digital certificate is issued to a requester • One or more directories where the certificates with their public keys are held • A certificate management systems
Digital Identity Management • Digital identity is the identity that a user has to access an electronic resource • A person could have multiple identities • A physician could have an identity to access medical resources and another to access his bank accounts • Digital identity management is about managing the multiple identities • Manage databases that store and retrieve identities • Resolve conflicts and heterogeneity • Make associations • Provide security • Ontology management for identity management is an emerging research area
Digital Identity Management - II • Federated Identity Management • Corporations work with each other across organizational boundaries with the concept of federated identity • Each corporation has its own identity and may belong to multiple federations • Individual identity management within an organization and federated identity management across organizations • Technologies for identity management • Database management, data mining, ontology management, federated computing
Identity Theft Management • Need for secure identity management • Ease the burden of managing numerous identities • Prevent misuse of identity: preventing identity theft • Identity theft is stealing another person’s digital identity • Techniques for preventing identity thefts include • Access control, Encryption, Digital Signatures • A merchant encrypts the data and signs with the public key of the recipient • Recipient decrypts with his private key
Biometrics • Early Identication and Authentication (I&A) systems, were based on passwords • Recently physical characteristics of a person are being used for identification • Fingerprinting • Facial features • Iris scans • Voice recognition • Facial expressions • Biometrics techniques will provide access not only to computers but also to building and homes • Systems are vulnerable to attack e.g., Fake biometrics
Homeland Security Systems • Border and Transportation Security • RFID technologies? • Emergency preparedness • After an attack happens what actions are to be taken? • Chemical, Biological, Radiological and Nuclear security • Sensor technologies • Information analysis and Infrastructure protection • Data mining, security technologies
Other Types of Systems • Wireless security systems • Protecting PDAs and phones against denial of service and related attacks • Satellite encryption systems • Pretty Good Privacy – PGP that uses RSA security • Instant messaging • Deployment of instant messaging is usually not controlled • Should IM be blocked? • Net Privacy • Can we ensure privacy on the networks and systems • Privacy preserving access?
OSI Model • The Open Systems Interconnection model (OSI model) is a product of the Open Systems Interconnection effort at the International Organization for Standardization. • It is a way of sub-dividing a communications system into smaller parts called layers. A layer is a collection of conceptually similar functions that provide services to the layer above it and receives services from the layer below it. • On each layer an instance provides services to the instances at the layer above and requests service from the layer below.
OSI Model • The Physical Layer defines the electrical and physical specifications for devices. In particular, it defines the relationship between a device and a physical medium. • This includes the layout of pins, voltages, cable specifications, hubs, repeaters, network adapters, host bus adapters (HBAs used in storage area networks) and more. • The Data Link Layer provides the functional and procedural means to transfer data between network entities and to detect and possibly correct errors that may occur in the Physical Layer. • The Network Layer provides the functional and procedural means of transferring variable length data sequences from a source to a destination via one or more networks, while maintaining the quality of service requested by the Transport Layer. The Network Layer performs network routing functions, and might also perform fragmentation and reassembly, and report delivery errors. Routers operate at this layer—sending data throughout the extended network and making the Internet possible.
OSI Model • The Transport Layer provides transparent transfer of data between end users, providing reliable data transfer services to the upper layers. The Transport Layer controls the reliability of a given link through flow control, segmentation/desegmentation, and error control. • Some protocols are state and connection oriented. This means that the Transport Layer can keep track of the segments and retransmit those that fail. • Although not developed under the OSI Reference Model and not strictly conforming to the OSI definition of the Transport Layer, typical examples of Layer 4 are the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).
OSI Model • The Session Layer controls the dialogues (connections) between computers. It establishes, manages and terminates the connections between the local and remote application. It provides for full-duplex, half-duplex, or simplex operation, and establishes checkpointing, adjournment, termination, and restart procedures. • Presentation layer provides independence from differences in data representation (e.g., encryption) by translating from application to network format, and vice versa. • The presentation layer works to transform data into the form that the application layer can accept. This layer formats and encrypts data to be sent across a network, providing freedom from compatibility problems. It is sometimes called the syntax layer.
Application Layer • APPC, Advanced Program-to-Program Communication • DNS, Domain Name System (Service) Protocol • FTAM, File Transfer Access and Management • FTP, File Transfer Protocol • Gopher, Gopher protocol • HL7, Health Level Seven • HTTP, Hypertext Transfer Protocol • IMAP, IMAP4, Internet Message Access Protocol • IRCP, Internet Relay Chat Protocol • LDAP, Lightweight Directory Access Protocol • LPD, Line Printer Daemon Protocol • MIME (S-MIME), Multipurpose Internet Mail Extensions and Secure MIME
Application Layer • NFS, Network File System • NIS, Network Information Service • NTP, Network Time Protocol • POP, POP3, Post Office Protocol (version 3) • SIP, Session Initiation Protocol • SMTP, Simple Mail Transfer Protocol • SNMP, Simple Network Management Protocol • SSH, Secure Shell • TELNET, Terminal Emulation Protocol of TCP/IP • VTP, Virtual Terminal Protocol • X.400, Message Handling Service Protocol • X.500, Directory Access Protocol (DAP)
Network Protocols Technologies • Token Bus • Token Ring • X.25 • Routing protocols • IEEE 802 Standards
TCP/IP • In the TCP/IP model of the Internet, protocols are not as rigidly designed into strict layers as the OSI model.[ • TCP/IP does recognize four broad layers of functionality which are derived from the operating scope of their contained protocols, namely the scope of the software application, the end-to-end transport connection, the internetworking range, and lastly the scope of the direct links to other nodes on the local network. • The Internet Application Layer includes the OSI Application Layer, Presentation Layer, and most of the Session Layer. Its end-to-end Transport Layer includes the graceful close function of the OSI Session Layer as well as the OSI Transport Layer. The internetworking layer is a subset of the OSI Network Layer (see above), while the Link Layer includes the OSI Data Link and Physical Layers, as well as parts of OSI's Network Layer.
IPV4 • Internet Protocol version 4 (IPv4) is the fourth revision in the development of the Internet Protocol (IP) and it is the first version of the protocol to be widely deployed. Together with IPv6, it is at the core of standards-based internetworking methods of the Internet. IPv4 is still by far the most widely deployed Internet Layer protocol. • IPv4 is a connectionless protocol for use on packet-switched Link Layer networks (e.g., Ethernet). It operates on a best effort delivery model, in that it does not guarantee delivery, nor does it assure proper sequencing, or avoid duplicate delivery. These aspects, including data integrity, are addressed by an upper layer transport protocol (e.g., Transmission Control Protocol).
IPSEC • Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used to protect data flows between a pair of hosts (e.g. computer users or servers), between a pair of security gateways (e.g. routers or firewalls), or between a security gateway and a host • IPsec is a dual mode, end-to-end, security scheme operating at the Internet Layer of the Internet Protocol Suite or OSI model Layer 3. Some other Internet security systems in widespread use, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS) and Secure Shell (SSH), operate in the upper layers of these models. Hence, IPsec can be used for protecting any application traffic across the Internet.
TLS/SSL • Transport Layer Security (TLS) and its predecessor, Secure Socket Layer (SSL), are cryptographic protocols that provide security for communications over networks such as the Internet. TLS and SSL encrypt the segments of network connections at the Application Layer to ensure secure end-to-end transit at the Transport Layer. • Several versions of the protocols are in widespread use in applications like web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP). • The TLS protocol allows client/server applications to communicate across a network in a way designed to prevent eavesdropping and tampering. TLS provides endpoint authentication and communications confidentiality over the Internet using cryptography. TLS provides RSA security.
TLS/SSL • In typical end-user/browser usage, TLS authentication is unilateral: only the server is authenticated (the client knows the server's identity), but not vice versa (the client remains unauthenticated or anonymous). • TLS also supports the more secure bilateral connection mode (typically used in enterprise applications), in which both ends of the "conversation" can be assured with whom they are communicating (provided they diligently scrutinize the identity information in the other party's certificate). This is known as mutual authentication, or 2SSL. Mutual authentication requires that the TLS client-side also hold a certificate (which is not usually the case in the end-user/browser scenario).
DMZ • DMZ, or demilitarized zone is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet. • The term is normally referred to as a DMZ by IT professionals. It is sometimes referred to as a Perimeter Network. • The purpose of a DMZ is to add an additional layer of security to an organization's Local Area Network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network.
DMZ • In a network, the hosts most vulnerable to attack are those that provide services to users outside of the local area network, such as e-mail, web and DNS servers. • Because of the increased potential of these hosts being compromised, they are placed into their own sub-network in order to protect the rest of the network if an intruder were to succeed. Hosts in the DMZ have limited connectivity to specific hosts in the internal network, though communication with other hosts in the DMZ and to the external network is allowed. • This allows hosts in the DMZ to provide services to both the internal and external network, while an intervening firewall controls the traffic between the DMZ servers and the internal network clients.
WAP • Wireless Application Protocol (WAP) is an open international standard[for application-layer network communications in a wireless-communication environment. Most use of WAP involves accessing the mobile web from a mobile phone or from a PDA. • A WAP browser provides all of the basic services of a computer-based web browser but simplified to operate within the restrictions of a mobile phone, such as its smaller view screen. Users can connect to WAP sites: websites written in, or dynamically converted to, WML (Wireless Markup Language) and accessed via the WAP browser.
Instant Messaging • Instant messaging (IM) is a form of real-time direct text-based communication between two or more people using personal computers or other devices, along with shared software clients. The user's text is conveyed over a network, such as the Internet. More advanced instant messaging software clients also allow enhanced modes of communication, such as live voice or video calling. • IM falls under the umbrella term online chat, as it is a real-time text-based networked communication system, but is distinct in that it is based on clients that facilitate connections between specified known users ("Contact List"), whereas online 'chat' also includes web-based applications that allow communication between (often anonymous) users in a multi-user environment
VPN • A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. It aims to avoid an expensive system of owned or leased lines that can only be used by one organization. The goal of a VPN is to provide the organization with the same, secure capabilities, but at a much lower cost. • It encapsulates data transfers between two or more networked devices not on the same private network so as to keep the transferred data private from other devices on one or more intervening local or wide area networks. There are many different classifications, implementations, and uses for VPNs.
Next Steps • Cloud computing security (sometimes referred to simply as "cloud security") is an evolving sub-domain of computer security, network security, and, more broadly, information security. It refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing. • Secuity issues fall into two broad categories: Security issues faced by cloud providers (organizations providing Software-, Platform-, or Infrastructure-as-a-Service via the cloud) and security issues faced by their customers. In most cases, the provider must ensure that their infrastructure is secure and that their clients’ data and applications are protected while the customer must ensure that the provider has taken the proper security measures to protect their information.