CS682-Network Security Module-1 Introduction to Network Security SYN This is CS682, Network Security There is a lab in RH219, get your accounts Homework-0 is on-line: Part I, II due next week, Part III, IV due in two weeks Homework submission: Handover hardcopies at the beginning of the class Randomly selected students will be asked for demos of their work Website: http://isis.poly.edu/courses/cs682/ Prerequisites for CS682 CS392 Website: http://isis.poly.edu/courses/cs392-f2002/ Textbook: “Computer Security: Art and Science,” Matt Bishop, 0201440997 CS918 or EL537 Textbook: “TCP/IP Illustrated, Vol 1,” Richard W Stevens Programming Reference: “Unix Network Programming, Vol 1,” Richard W Stevens, 013490012X Basic Understanding of Operating Systems CS623 – Operating Systems I Textbook: “Operating System Concepts,” Silberschatz, Galvin, & Gagne Prerequisites for CS682 Cryptography & Computer Security: Symmetric & asymmetric key algorithms Key Exchange, Authentication etc Hash, Message Digests, Signatures etc Networking: TCP/UDP/ICMP IP Ethernet, ARP, RARP Programming Environment: Unix & C (Mostly Linux and ANSI C) CASL (Custom Audit Scripting Language) What is This Course about? XYZ Enterprise Network Layout Student Network External Router/Firewall Server_00 Switch Coustomer service Sales IDS System Server Netw ork Accountin g Backbone Server_01 Server_02 Internal Router/Firewall Human resources Information systems We will explore: Various vulnerabilities in network protocols and services Mechanisms to protect networks Security tools Overview of This Course TCP/IP Suite Vulnerabilities and solutions Security protocols built on top of TCP/IP Security devices and tools to test and protect networks Network security theory and practice In homework Explore TCP/IP vulnerabilities in detail by exploiting them using CASL Learn to analyze a TCP/IP network for vulnerabilities Write small client/server applications and learn to penetration testing on your code and algorithm Learn to setup security devices such Firewall’s and IDS systems, and how to integrate them “War Games” – A serious one if time permits Introduction to TCP/IP L (Logical Link) R HTTP Protocol HTTP (Web Browser) HTTP (Web Server) R L TH Host A L TCP Protocol TF TH TH R TH L L R TF IF IH TH L TF IF EF IH TH Network IH TH R TF IF L IH TH R TF IF TF IF EH 3Com NIC Driver EH TF IF IP TF IF EH R Host B TF IP IH TH TF TCP TF IH TH R IH TH TCP EF 1GB NIC Driver EF EH IH TH L TF IF EF Network Cloud R/L =Http Request and Reply TH/F = TCP Header and Footer IH/F = IP Header and Footer EH/F= Ethernet Header and Footer Security Issues in Networking Host A Host A Normal Flow Host B Life is great here (An ideal life) Interuption Host B Interruption: An asset of the system is destroyed or becomes unavailable or unusable This is an attack on the availability Examples include destruction of a piece of hardware, such as a hard disk, the cutting of a communication link, or the disabling of the file management system Security Issues in Networking Interception Host B Host A Host C Interception: An unauthorized party gains access to an asset This is an attack on confidentiality The unauthorized party could be a person, a program, or a computer Examples include wiretapping to capture data in a network And the illicit copying of files or programs Modificition Host B Host A Host C Modification: An unauthorized party not only gains access to but tampers with an asset This is an attack on the integrity Examples include changing values in a data file, altering a program so that it performs differently, and modifying the content of a message being transmitted in a network Security Issues in Networking Fabricition Host B Host A Host C Fabrication: An unauthorized part inserts counterfeit objects into the system This is an attack on the authenticity Examples include the insertion of spurious messages in a network or the addition of records to a file Attacks can be classified into two broad categories: Active Attack Passive Attack Passive Attacks can only observe communications or data Active Attacks can actively modify communications or data, Often difficult to perform, but very powerful Example: Mail forgery/modification, and TCP/IP spoofing/session hijacking Security Issues in TCP/IP TCP/IP was not designed with security in mind Most of the attacks present today were unheard of during the design of TCP/IP It was designed to protect DoD network infrastructures Does not have strong authentication mechanism The primary objective during the design, was to have robust communication protocol that would survive partial network damage There was no threat from the insider, the notion of having a malicious node did not exist (Nodes were missile silos) Network Programming in Unix Network programming jargons: Address: a bit string identifying a machine Port: an entry point via network into a machine Socket: {address, port} pair Binding: process of attaching to a port Client-Server Model: Request Client Server Response Client-Side Programming 1 Initialize environment Create a socket Identify server’s IP address, port number Establish a connection to server Read/write as if the socket were a file Close connection Exit program struct sockaddr_in server; bzero(&server, sizeof(server)); sockfd=socket(AF_INET, SOCK_STREAM, 0) server.sin_family=AF_INET; server.sin_port=htons(80); inet_pton(AF_INET, argv[1], &server.sin_addr) connect(sockfd, &server, sizeof(server)) read(sockfd, buffer, max_buffer) close(sockfd) exit(0) Server-Side Programming 1 Initialize environment Create socket Bind socket to a port Listen on port Accept connection Read/write Close connection Exit program struct sockaddr_in server; bzero(&server, sizeof(server)); listenfd=socket(AF_INET, SOCK_STREAM, 0); server.sin_family=AF_INET; server.sin_addr.s_addr=hto nl(INADDR_ANY); server.sin_port=htons(80); bind(listenfd, &server, sizeof(server)); listen(listenfd, 0); connfd=accept(listenfd, NULL, NULL); read(connfd, buffer, buff_max); close(connfd); exit(0); On the Wire connect() SYN_SENT ESTABLISHED listen() SYN accept() SYN_RCVD SYN,ACK ACK write() ESTABLISHED Request read() write() Reply, ACK read() close() FIN_WAIT1 FIN_WAIT2 TIME_WAIT ACK FIN CLOSE_WAIT ACK close() LAST_ACK FIN ACK Client CLOSED Server References and Reading Assignments Read about TCP/IP from http://citeseer.nj.nec.com/cache/papers/cs/21491/http:zSzzSz www.cs.um.edu.mtzSz~kvelzSzCSA401zSzibm-tcpip.pdf/tcpip-tutorial-and.pdf (Look for “tcp ip security” at http://www.researchindex.com) From Books 24x7 (http://dibner.poly.edu/) Read about Linux Socket programming from Book 24x7 Search in Google for more practical examples Review CS392 lecture notes for general issues in information security (http://isis.poly.edu/courses/cs392/) Taxonomy of Network Vulnerabilities Vulnerabilities Classification: Improper Design of Protocol (e.g.: 802.11 Security) Improper Implementation of Protocol (e.g.: Teardrop) Improper Configuration of Protocol (e.g.: Smurf) Exploit Modes: Passive Exploits (e.g.: Packet Sniffing) Blind Exploits (e.g.: Spoofing) Active Exploits (e.g.: Session Hijacking) Where to Find Vulnerabilities: Application Level (e.g.: Cross Site Scripting) Protocol Level (e.g.: Teardrop) MAC (e.g.: Jamming) Packet Sniffing Sniffers are wire-tap devices (software+hardware) that can be plugged into a computer network to eavesdrop on computers in the network Sniffing requires physical access to network medium It is a passive activity, in that sniffing doesn’t introduce new packets into network Sniffing is useful in two ways: Eavesdropping (e.g.: extracting passwords or IDS) Traffic Analysis (e.g.: tracking ssh connections) Packet Sniffers have two phases: Packet Capture Phase Protocol Analysis Phase Two essential ingredients for successful sniffing: Shared Media Promiscuous Mode Operations Anatomy of a sniffer Application Sniffer yes no is destination? is destination? Promiscuous Mode Network Interface Operation Normal Network Interface Operation In normal mode, network interface card discards packets not destined to the current host Promiscuous mode disables this function and allows all packets to flow through the network stack A sniffer would simply capture these packets for consumption There is more to a sniffer than setting a network card to promiscuous mode Anatomy of a sniffer Logging/Editing Packets Decode Buffer Capture Driver Media Popular sniffers: Ethereal – excellent protocol analyzer tcpdump – you’ll use this in homework Carnivore – FBI uses this at ISPs Aerosnort – 802.11 wireless sniffer Media: usually an Ethernet card but it could also be a wireless card or anything else Capture Driver: software driver to capture and filter network traffic E.g.: pcap and BPF Buffer: packets must be temporarily buffered prior to storage or processing Usually fill-buffered or round-robin Decode: packets must be decoded to a human readable form Logging: permanent storage of packets for offline analysis Uses of sniffers Stealing clear-text content on the wire and in the air Passwords Credit card numbers “Secret” email conversations Network traffic analysis If the network content is encrypted then perform traffic analysis to extract partial information Famous pizza delivery to Pentagon story Intrusion detection systems are built on sniffers Traffic logging for forensics Fault analysis of networks Performance analysis to identify bottlenecks Are sniffers bad? Yes and no! Sniffing out the sniffers… Sniffing is a passive activity, hence done properly it is impossible to detect a sniffer! However, there are some practical solutions Local detection of promiscuous mode Improper response to ping Improper response to ARP queries Improper response to DNS queries Source routing to suspicious node Employing a honeypot Network latency monitoring Time-domain reflectometers SNMP monitoring Can you design a sniffer to counter these detection methods? Detection of promiscuous mode # ifconfig -a eth0 Link encap:Ethernet HWaddr 00:AA:AA:AA:AA:AA inet addr:0.0.0.0 Bcast:0.0.0.55 Mask:255.255.255.0 UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1 RX packets:595017 errors:0 dropped:0 overruns:0 frame:0 TX packets:113401 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 Interrupt:10 Base address:0xb800 If you suspect a machine is running a sniffer then use ifconfig to find out if the NIC is in promiscuous mode Obviously, you will use an ifconfig binary from a trusted machine or CD-ROM Improper Response to Pings Remember how the sniffers put the network card to promiscuous mode? Any packet, whether it is destined to the machine or not, is sent thru the network stack We can exploit this fact to trick the sniffers to give up their locations Send a ping (ICMP Echo Request) to a suspected sniffer with the IP of the sniffer but with a MAC of another machine What happen in the network stack: Card receives the packet Since it is in promiscuous mode, ignores the MAC address, removes the Ethernet header and send the packet to IP IP checks the IP destination, since it is the proper destination sends the packet to ICMP ICMP sends an Echo Reply! Ooops! We know we should not be receiving a reply for this packet since the MAC and IP are mismatch! Improper Response to Pings This method can be generalized to: Any protocol or service that sends a response, such as TCP connection establishment or telnet Any protocol or service that generates an error message in response, such as bad IP packets Can we fix the sniffer not to give up its location? Sure Do more sanity checks on the packets addressed to the machine using a software filter Improper response to ARP queries Similar to the method describe earlier Send ARP to a non-broadcast address, if a machine replies then it is running in promiscuous mode Another method: ARP requests are cached, since the machine that sends the request sends it own mapping in the request Send a non-broadcast ARP Send a broadcast ping The machine that replies without an ARP could have only gotten the mapping from our previous ARP, so it should be in promiscuous mode Improper Response to DNS Queries Some sniffers reverse-DNS lookups on IP addresses they see To identify sniffers, a ping sweep on addresses that not exist Watch the DNS server for reverse-DNS queries for these addresses By doing a reverse-DNS lookup sniffers violate the passive activity code, they begin to inject packets into network Probably not a good design decision Source routing to suspicious node In source routing, intermediate routers ignore routing tables and simply forward the packets to next hop in the list We use the idea in the following way: Create a source routed ping to the suspicious node Make the intermediary nodes non-routing Send the packet on wire If we get a response from suspicious node then the node is on promiscuous mode Because our intermediary would have dropped the packet since it doesn’t route, so the suspicious node could only have gotten this packet by sniffing the wire Other Methods Employing a honeypot: Let a automated script generate clear-text traffic and lure the hackers into sniffing the traffic The fact that the password is sniffed can be used to identify the sniffer Network latency monitoring: Uses the fact that sniffers process unusually large number of packets to detect the sniffer Load the network with dummy packets and ping sweep the machines The ones with sniffers will have large latency (Not a viable solution.) Time-domain reflectometers: TDRs work like RADAR It sends out a pulse and detects reflections off the wire This can also detect adressless passive hardware sniffers on the wire SNMP monitoring: Lets you track connection details If a packet takes unusual path on the network, most probably a sniffer is trying to lure packets its way Known as ARP spoofing How to avoid sniffers Replace the hub (shared medium) with a switch (switched medium) Switch jamming ARP spoof ICMP Redirect ICMP Router Advertisements Cable taps Never send clear-text messages on the wire SSH for telnet SFTP for FTP SSL Tunneled IMAP for IMAP PGP for unencrypted email VPN for clear-text traffic Broadband and wireless connections are sniffable Sniffers and Anti-Sniffers tcpdump* Ethereal Etherpeek AeroSnort Snoop Dsniff Snort Antisniff Sentinel ifconfig/ifstatus NEPED (Network Promiscuous Ethernet Detector) CPM (Check Promiscuous Mode) Route Discovery Packets to and from a host have route symmetry on the Internet Which means, with high probability packets from node A to node B travel the same path as packets from node B to node A And most often packets from the same source to the same destination follow the same path Our goal is to find the intermediate nodes a packet travel to reach a remote node How shall we implement this? Using IP Record Route Option (RR) We can use IP record route option with ICMP Echo Request (ping –R) This allows intermediate routers to put their IP addresses in the header and when the packet reaches the destination it copies the route into Echo Reply and send it back to the source This is not a good implementation Why? Requires all routers to support RR Requires a ping server at the destination Most ping servers reflect the Echo Request so the return path is also recorded There is no room for long paths IP header has room for only addresses but routes in current Internet are longer, average is about 14 hops So we need an implementation that doesn’t depend on any special servers and works by default on any router Using IP TTL Field TTL field is used as a simple hop count at the routers When a router receives a datagram with TTL or it discards the datagram and sends a ICMP Time Exceeded message to the source This Time Exceeded message has the router’s IP as the source address We can now easily build a route discovery based on this information: i=1 while(i