SI540 Understanding Networked Computing

Network Security
 Review

• Compatibility testing
› If you were responsible for building the reference
implementation for a protocol for VoIP-client-to-
directory-server communications, what would you
build?
• Stakeholder interests and strategies
› Imagine that a small developer is interested in
developing a streaming media client, but does not have
the resources to build and sell a complete system
(including server)
› Would this developer prefer that streaming media
protocols be standardized or not?

2
 Learning Objectives

• Understand Security Goals

• Understand Common Vulnerabilities
• Understand Countermeasures and
Their Limits

3
 Some Sources of Problems

• Accidents
› Software and hardware bugs
› Natural disasters
› Human errors
• Adversaries
› Hackers/Crackers/”Black Hats”
› Hacker has a second meaning as “good programmer”
› Disgruntled employees
› Malicious code: Viruses, Worms, and Trojan Horses

4
 Terminology

• Vulnerability
› A weakness in your system that could be exploited by
an adversary
› More generally, something that could go wrong
• Threat
› A scenario of what an adversary would do
› More generally, something that could go wrong that
you’re worried enough to do something about
• Countermeasure
› Something you do to reduce risks from threats
› Often by reducing vulnerabilities

5
 Reliability and Security Goals

• The next few slides consider each goal,

considering both the vulnerabilities and
the countermeasures that are available
› High availability
› Data persistence and integrity
› Limit access to authorized users and uses

6
 High Availability:
Vulnerabilities
• Off-line upgrade and maintenance
• Software crashes
• Equipment failure
• Denial-of-service (DOS) attack
› Oversized ICMP packets (ping of death)
› Flooding attacks
› Target has to do more work than initiator (so usually
“Distributed” DOS or DDOS attack)
› SYN flood (TCP): Request many new TCP connections
because each one causes recipient to do a lot of work
› Echo floods: Send echo request to some “rebroadcaster,” all
recipients reply to spoofed source address (the target of the
attack)

7
 High Availability:
Countermeasures
• On-line upgrade and maintenance
• More application testing, more rapid bug
reports and fixes
• Equipment or application redundancy
• Operational vigilance
› For example, installing latest software patches
• Access controls
• Firewalls

8
 Availability Discussion

• Which availability countermeasures

would be appropriate for the following
systems?
› Home computer connected via cable
modem running an FTP server so that you
can access your files when you’re away
› SI Computing file servers, used by all
faculty, staff, and students
› eBay web servers

9
 Data Persistence: Vulnerabilities
and Countermeasures
• Hardware failure
› Countermeasure: periodic backup
• Data change
› Countermeasure: integrity checks (how?)
• Hardware obsolescence
› Countermeasure: periodic copy of data to new device
• Data format obsolescence
› Software to process may not be available
› Countermeasures (see F02 midterm)
› Periodic translation of data to new formats
› Continual migration of processing software
› Platform emulators

10
 Access: Vulnerability

• Want to limit access to some data

› Don’t want students to have access to
grade sheets
› Don’t want “black hat” to have access to
Amazon.com’s credit card database
• Without access controls, everyone has
access to everything on a system
› This was the norm for early personal
computer operating systems

11
 Access:
Countermeasures
• Step 1: Authentication: verify user’s identity
› Somewhere you are (location)
› Something you know
› Something you can do
› Something you have
› Something you are
• Step 2: Authorization: limit what a user can do
› Sometimes also called access control
› Maintain a database of authorizations (access control lists)
› Can organize by person/entity, defining which items each
entity allowed to access
› Or organize by items, defining which entities are allowed to
access each item

12
 Vulnerabilities in Location-Based
Authentication/Authorization
• Entity at that network address may not
be who you think it is
› Someone else may have physical access
to the computer
• May not really be at that network
address
› For example, IP spoofing

13
 Exploiting Location-Based
Authentication: IP Spoofing
• Suppose A “trusts” B
› No password required if accessing A from B
• Z knocks out B through denial-of-service attack
• TCP Connect from Z to A
› But pretend to be at location B (give B’s IP address)
• A sends ACK to B
› B doesn’t respond (because of DOS attack)
• Z sends commands to A
› Still pretend to be at location B
› Z ACKs A’s response, even though Z didn’t see it
› Have to guess the right amount of data to ACK, and right
amount of delay

14
 Malicious Code Threats

• Viruses
› File infection: virus attaches itself to a file
› Boot record infection: virus attaches itself to the boot
instructions stored on a storage medium (e.g., hard drive)
› Macro virus: virus attaches itself to a document associated
with an application that support scripting
• Worms
› Designed to copy itself from one computer to another over a
network without human intervention
• Trojan Horses
› Program that conceals its destructive purpose by pretending
to perform a desirable function

15
Malicious Code Countermeasures

• Prevention
› Know where code comes from before executing
› Check digital signature on the code
› Run code in "sandbox“
› A virtual machine on which unsafe instructions are
not executed
› Events on the virtual machine do not affect the real
machine
• Detection
› Notice changes
› Scan for known bad code fragments

16
 Malicious Code and
OS/Application Diversity
• Working in an environment that uses a variety
of OSs and/or applications has several
implications for malicious code:
› More vulnerabilities
› Each OS/app has a different set of weaknesses,
requiring a different set of remedies
› Less damage from a problem
› Malicious code that targets one system doesn’t
affect the others
› Can use unaffected machines to work on fixing the
problems

17
 Malicious Code Discussion

• Which kind of malicious code…

› Is easiest to guard against? Why?
› Spreads most quickly? Why?
• How would you manually clean a
system that is infected with…
› A Trojan horse?
› A macro virus?
› A boot sector virus?

18
 Firewalls (Packet Filters)

• Located at border between private and public

networks
› All traffic between the two must pass through
the firewall
• Examines IP packets
› IP header
› TCP or UDP header (if using those protocols)
› TCP ACK flag (if TCP packet)
› TCP payload

19
 Public hosts Global Internet

Firewall

Internal hosts

Protected enclave
20
 Firewalls (Packet Filters)

• Discard some packets, selecting based on:

› Which host is initiating the connection (e.g.,
public or private)
› IP address or domain name (source or
destination)
› Protocol
› Sender port number
› Receiver port number
› Packet content (“sniff” for words or phrases)
› Connection status

21
 What Can Firewalls Filter?

• Based on the filtering capabilities described,

which of the following can a firewall filter?
› Packets to or from specified IP address?
› Packets to or from specified domain name?
› All HTTP traffic?
› All email to fred@si.umich.edu?
› All pornographic web pages?
› All web pages criticizing the government?

22
 Proxy Servers

• Located at border between private network

and the firewall or public network
› With a proxy server, the client never actually
connects to outside network; instead the proxy
makes the connection and relays allowable
protocols/content to the client
› Filters at the application layer (HTTP, FTP,
Telnet, etc.)

23
 Public hosts Global Internet

Firewall
Firewall

Proxy
Server

Internal hosts
Internal hosts

Protected enclave Protected enclave

24
 Proxy Servers

• Proxy receives requests for certain applications

› For example, an HTTP request for a particular URL
• Proxy checks if request is permitted
› For example, users might not be allowed to access
gambling sites from a corporate computer
• If request is okay, proxy passes request on to final
destination
› Otherwise, request is denied
• Proxy may also serve a caching function
› If request can be handled locally, don’t bother to pass it
on to final destination

25
 Typical Firewall Configurations

• Transparent • Proxy as Bastion

› Allow incoming traffic to
web server on port 80
› Allow incoming traffic to
any machine on ports >
1023
› Allow outgoing traffic to
any IP address, any port
› Block all other packets
› In this configuration, the
proxy is the only point of
contact between the public
and private networks
› Allow incoming traffic to
web server on port 80 and
> 1023
› Allow outgoing traffic from
Bastion/Proxy server on
ports 23, 80 to any IP
address
› Block all other packets

Note: In this context, the direction of the traffic indicates which host is
responsible for opening the connection. Once open, data flows both ways. 26
 More Permissive Configuration

• Block incoming from known bad addresses

› Avoids some IP spoofing attacks
• Block incoming known bad ports
› E.g., multicast, if you’re not using multicast
› E.g., napster
• Allow others
• Security experts prefer policies that prohibit everything
not explicitly permitted
• Permitted unless prohibited enables more innovation
› E.g., access to experimental new services

27
 Vulnerability Assessment Tools

• Check configurations for known

weaknesses
• Check for violations of organization’s
security policy
› For example, an individual office computer
that allows modem connections
• Simulate known attacks

28
 Intrusion Detection Tools
• Monitor activity
› Look for known “signatures” of cracking
› Look for “unusual activity”
› Requires some model of normal activity
• What to monitor
› Host-based: logs of activity on individual machines
› Network-based
› “Promiscuous mode” intercepts all packets
› Process them as fast as you can
› Unlike packet filter, can look for patterns in sequences of
packets
• Problem of false alarms
› Each alarm requires human investigation

29
 Summary

• Understand Security Goals

• Understand Common Vulnerabilities
• Understand Countermeasures and
Their Limits
› Malicious code
› Firewalls and proxy servers
› Vulnerability assessment
› Intrusion detection

30