Computer Security and Information Assurance

Security in Networks – Part 2

a. Introduction
 We saw many security controls:
 in Program Security topic
 Many of these strategies are useful for network
security as well
 We will now look for security controls designed
specifically for computer networks
b. Security threat analysis (1)
 Threat analysis steps :
1) Analyze system components and their interactions
2) Analyze possible damage to C-I-A
3) Hypothesize possible kinds of attacks
 Network elements to be considered:
 Local elements

Nodes / comm links / data storage / processes / devices /
LANs
 Non-local elements

Gateways / comm links / control resources / routers /
network resources (e.g., databases)
Security threat analysis (2)
 Network threats:
 Accessing pgms or data at remote host
 Modifying pgms or data at remote host
 Running a pgm at a remote host
 Interception of data in transit
 Modifying data in transit
 Insertion of data into communication traffic

Incl. replaying previous communication
 Blocking selected/all traffic
 Impersonation of entities
 Attack enablers:
 Size / anonymity / ignorance / misunderstanding
 Complexity / motivation / programming skills
c. Impact of network
architecture/ design &
implement. on security (1)
 Architecture can improve security by:
1) Segmentation
2) Redundancy
3) Single points of failure
4) Other means
Impact of network architecture/ design & implement. on security
(2)

1) Segmentation
 Architecture should use segmentation to limit scope of
damage caused by network penetration by:
 Reducing number of threats
 Limiting amount of damage caused by single
exploit
 Enforces least privilege and encapsulation

 Example 1: component segmentation

 Placing different components of e-commerce
system on different hosts
 Esp. put on separate host most vulnerable
system components
 E.g., separate host for web server (w/ public
access)
Impact of network architecture/ design & implement. on security
(3)

 Example 2: access separation

 Separating from each other:
 Production system
 Testing system
 Development system
 E.g., no developer has access to production
system
and no customer has access to development
system
Impact of network architecture/ design & implement. on security
(4)

2) Redundancy
 Architecture should use redundancy to prevent losing
availability due to exploit/failure of a single
network entity
 Example: having a redundant web server (WS) in
a company

 Types of redundancy include:


Cold spare – e.g., when WS fails, replace it
manually with spare WS

Warm spare – e.g., failover mode = redundant
WSs periodically check each other

Hot spare – e.g., 3 WSs configured to perform
majority voting
Impact of network architecture/ design & implement. on security
(5)

3) Single points of failure (SPF)

 Architecture should eliminate SPFs to prevent losing
availability due to exploit/failure of a single
network entity
 Using redundancy is a special case of avoiding
SPFs
 Network designers must analyze network to
eliminate all SPFs
 Example of avoiding SPF (without using
redundancy)
 Distribute 20 pieces of database on 20
different hosts (so called partitioned database)
 Even if one host fails, 95% of database
contents (19/20=95%) still available
Impact of network architecture/ design & implement. on security
(6)

4) Other architectural means for improving security

 Will be mentioned below as we discuss more
network security controls
d. Encryption
 Arguably most important/versatile tool for network
security
 it can be used protect the networks:
 Confidentiality/Privacy
 Authentication
 Integrity
 Limiting data access
 Kinds of encryption in networks(read more on each of
these)
i. Link encryption vs. end-to-end (e2e) encryption
ii. Virtual private network (VPN)
iii. PKI and certificates
iv. SSH protocol
v. SSL protocol (a.k.a. TLS protocol)
vi. IPsec protocol suite
vii. Signed code
viii. Encrypted e-mail
f) Strong authentication
 Networked environments as well as both ends of
communication need authentication e.g.
One-time passwords, strong password etc
g) Access controls (1)
 Before user is allowed access to network resources,
must know:
 Who needs access => authentication
 What and how will be accessed => access
controls

 Access controls include:

1) ACLs (Access Control Lists) on router
2) Firewalls
Access controls (2)
1) ACLs on routers (ACL = Access Control List)
 Router directs traffic:

To subnetworks it controls
OR

To other routers (for delivery to other
subnetworks)
 Routers convert external (network-wide)IP address
to internal (subnetwork-wide) MAC address
 Recall that MAC address is unique physical address of
device’s NIC—network interface card

 Can put ACL on a router to deny access to

particular host D from particular host S

E.g., to prevent spam (flooding) of D with
packets from S, router can delete all packets
from S to D
 It’s OK if router uses ACLs in a limiteded way

Access controls (3)
 ... Problems with putting too many ACLs on
routers:
(i) Packet-checking overhead for router
 Router must check each packet against
each ACL – a lot of work
=> degraded performance

More ACLs on router => more work
 Routers are already busy just routing all
packets ingoing/outgoing to/from their
subnets
(ii) Logging overhead for router
 To be able to detect spam, router must log
source addresses of packets

Then can analyze to see which source addresses
produce floods
 Routers are designed to do only essential
work — anything else is inefficient =>
Access controls (4)
 ... Problems with putting too many ACLs on routers-CONT.
(iii) Inability of router to detect all spams
 Because source addresses in datagrams
(UDP packets) can be easily forged (by attacker
using UDP protocol)
 If attacker sends many datagrams with the
same (repeated) forged address, router with
ACL can detect & block them
Otherwise (i.e., if attacker sends datagrams with
few repeated forged addresses), router with ACL
will not even detect being flooded
=> can not block flooding datagrams
Access controls (5)

2) Firewalls
 Designed to do screening that routers can’t do
efficiently

Because routers designed for routing (of course!)
 Firewalls designed for access filtering
AND auditing
AND examining whole packets (not only
source/destination IP/ MAC addresses—which is what
routers do)
h) Intrusion Detection Systems: Alarms &
Alerts
 Example of 2-layer network protection
 Provided by router (Layer 1) AND firewall (Layer 2)
 We can add one more layer of protection:
intrusion detection systems (IDS) = device placed
within protected network for monitoring for
illegitimate actions in order to detect attacks in
progress (beginning, advanced) or after they have
occurred

E.g.: Can detect reconaissance & alert sysadmin or
secadmin, raise alarm, thus preventing „real” attack
OR

Can detect that attack has already occurred & raise alarm,
starting system recovery actions
 IDS is a.k.a. IPS = intrusion protection system

A marketing gimmick?
 IDS can be Layer 3 of layered network protection
 To be discussed in detail soon
i) Honeypots
 Honeypot – system built as a bait attracting
attackers
 Once attackers take the bait:

They are observed to learn how they
behave/operate
 New attacks / Prefered targets / ...

They are traced to catch them or scare them
off
 Or at least trace enough to be able to threaten them
with identifying them if they don’t stop

They are diverted from really valuable attack
targets
 E.g., diverted to phony credit card database while
real credit card database remains obscure to them
 User lessons learned (thanks to honeypots) to build
 B. Network Security Tools

 Network security tools

B.1. Firewalls
B.2. Intrusion Detection Systems
B.3. Secure E-Mail
B.1. Firewalls
b. What is a firewall (1a)
 Firewall = device (h/w), or software, or combination
of both designed:
1) to prevent unauthorized outside users from
accessing network and/or single workstation
2) to prevent inside users from releasing sensitive
information or accessing insecure resources

It is a wall between protected local (sub)net &

outside global net
 Inspect each individual inbound or outbound
packet of data sent to / from protected system
 Check if it should be blocked or allowed to enter
What is a firewall (2)

 Examples of security policy requirements w.r.t.

firewalls:
 Block any access from the outside, allow all
accesses to the outside
 Allow”from” accesses only for certain activities
OR only to/from certain subnets/hosts/apps/users

E.g., prevent outside access to subnet hosts except for
mail server accesses
 Choice of default firewall behavior
1) Default permit

„That which is not expressly forbidden is allowed”
2) Default deny

„That which is not expressly allowed is forbidden”
 Users prefer default permit, security experts
prefer default deny
 Sysadmin must make the choice
c. What firewalls can—and can’t—
block

 Firewalls are not a panacea - only a perimeter

protection
 Points 2 remember about firewalls — see text,
p.466-467

Can protect environment only if control its whole perimeter

Do not protect data outside the perimeter

Are most visible subnet component – attractive attack
targets

Must be correctly configured, & config must be periodically
updated

Firewall platforms should not have any s/w that could help
attacker who penetrates firewall in subsequent exploits

Firewalls exercise very limited control over content they let
in

Other means of verifying/enforcing accuracy/correctness
must be used inside perimeter
B.2. Intrusion Detection Systems
a. Introduction (1)
 It is better to prevent attack than to detect it after it
succeeds
Unfortunately, not all attacks can be prevented
 Some attackers become intruders — succeed in breaking
defenses
 Intrusion prevention — first line of defense
Intrusion detection — second line of defense
 Intrusion detection system (IDS) - a device (typically a
seprate computer) monitoring system activities to
detect malicious / suspicious events
 IDSs attempt to detect
 Outsiders breaking into a system
OR
 Insiders (legitimate users) attempting illegitimate
actions

Accidentally OR deliberately
Introduction (3)
 IDS terminology
 Anomaly — abnormal behavior

Might either be still legitimate OR illegitimate
 Misuse — activity that violates the
security policy
(subset of “anomaly” – anomaly
that is illegitimate)
 Intrusion — misuse by outsiders and
insiders
 Audit — activity of looking at
user/system behavior, its effects, or
collected data
 Profiling — looking at users or systems to
determine what they usually do
b. Types of IDSs (1a)

 IDS types w.r.t. scope:

 Host-based

Runs on a host

Monitors activities on this host only
 Network-based

Stand–alone device

Monitors entire (sub)network
b. Types of IDSs (1b)
 IDS types w.r.t. their operation
i. Signature-based IDSs (“block only ‘blacklisted’ behavior”)

Models & looks for unacceptable system activities (= an attack)

Each known attack characterized by its „signature”
(pattern)

To detect attack, matches current activities to known attack
signatures

Problem: Unable to detect new attacks (unknown signatures!)
ii. Anomaly-based (heuristic) IDSs (“allow only permitted
behavior”)

Solves the above problem (but might generate more false alarms)

Uses model of acceptable user activities
 Not models (signatures) of unacceptable system activities

Raises alarm upon detection of deviation form model behavior
iii. Other IDS types

E.g., hybrid IDSs (combining signature- and anomaly-based
IDSs), immune-system-based IDSs
c. Goals for IDSs (1)

 IDS goals
1) Detect all attacks correctly

Avoid false positives (false alarms)
 False alarms annoy sysadmins, users, ...

Avoid false negatives (not recognizing attacks)
2) Little overhead / performance impacts
B.3. Secure E-Mail
a. Introduction
 E-mail is the most heavily used network-based
application
Yet, ordinary email is very public, exposed
It has no C / I (confid./integ)
 Unencrypted message contents can be peeked at either in
transit or by privileged users at destination host
Security for e-mail (2)
 Secure e-mail requirements:
 Msg confidentiality (protection from disclosure)
 Msg integrity (protection from modification)
 Sender authentication
 Non-repudiation (preventing denial by sender)

 Not every msg requires all 4 capabilities

but all 4 needed to cover requirements of all kinds
of msgs
For more go through chapter 7 of the book by
Charles P. Pfleeger, Security in computing, fourth
edition, Prentice Hall

I cannot teach anybody anything, I can only make

them think.- Socrates

The function of education is to teach one to think

intensively and to think critically. Intelligence plus
character - that is the goal of true education.-Martin
Luther King, Jr.