Ubiquitous Network Embedded System
School of Informatics, Walailak University
Computer Network Security
ICT-331 Computer Network 2, Semester 1/59
Chanankorn Jandaeng, cjundang@gmail.com
http://cjundang.ubines.info
Chanankorn Jandaeng, Ph.D. -To push students over their boundary-
Course Description
• Foundation of Network security; network design
consideration; network role based security such as
proxy server and DNS server; management of
information security; security management model;
protection mechanism.
Outlines
• Quiz (20%)
• Overview of Computer Network (3)
• Fundamental of Computer Network Security (6)
• Threat and Security Attacking (6)
• Access Control (3)
• Examination (30%)
• Cryptography (3)
• Firewall (3)
• Intrusion Detection/Prevention System (6)
• Computer Forensics (6)
Grade Policy
Activity Credit (%)
Attendance 5
Test (5 x 5%) 25
Individual Report 5
Laboratory Examination 15
Quiz ( 2 x 10%) 20
Final Examination 30
Total 100
• More than 80% gets an A
• Lower than 40% gets an F
• Attendance below 80% disqualifies a student from the Quiz and
Examination
Book and Resources
• Slide
• N. Hoque et al. (2014), Network attacks: Taxonomy,
tools and systems, Journal of Network and Computer
Applications, 40, pp. 307-324.
• Todd Lammle (2013), CCNA Routing and Switching:
Study Guide, Sybex
Module 0
Overview of Computer Network
Outlines
• Inter-networking basics
• TCP/IP model
• Ethernet Networking & Data Encapsulation
• Three-Layer Hierarchical Model
Inter-networking basics
Todd Lammle (2013), CCNA Routing and Switching: Study Guide, Sybex
A very basic network
• Local Area Network via Hub
• Collision Domain
Network Segmentation
• Network Segmentation
• Routers, Switches, Bridges
LAN Traffic Congestions
• Too many hosts in a collision or broadcast domain
• Broadcast storms
• Too much multicast traffic
• Low bandwidth
• Adding hubs for connectivity to the network
• ARP broadcast
Broadcast Domain
Inter-networking Devices
TCP/IP MODEL
PROTOCOL SUITE
TELNET
• Telnet is the chameleon of protocols—its specialty is
terminal emulation.
• It allows a user on a remote client machine, called the
Telnet client, to access the resources of another
machine, the Telnet server in order to access a
command-line interface.
• Telnet achieves this by pulling a fast one on the Telnet
server and making the client machine appear as though it
were a terminal directly attached to the local network.
• This projection is actually a software image—a virtual
terminal that can interact with the chosen remote host.
• A drawback is that Telnet provides no encryption
SECURE SHELL (SSH)
• Secure Shell (SSH) protocol
• sets up a secure session that’s similar to Telnet over a
standard TCP/IP connection and is employed for doing
things like logging into systems, running programs on
remote systems, and moving files from one system to
another.
• And it does all of this while maintaining an encrypted
connection.
FILE TRANSFER PROTOCOL (FTP)
• File Transfer Protocol (FTP) actually lets us transfer files,
and it can accomplish this between any two machines
using it. But FTP isn’t just a protocol; it’s also a program.
• FTP is used by applications.
• As a program, it’s employed by users to perform file tasks
by hand.
• FTP also allows for access to both directories and files
and can accomplish certain types of directory operations,
such as relocating into different ones
FILE TRANSFER PROTOCOL (FTP)
• Users must then be subjected to an authentication login
that’s usually secured with passwords and usernames
implemented by system administrators to restrict access.
• You can get around this somewhat by adopting the
username anonymous, but you’ll be limited in what you’ll
be able to access.
HTTP
• All those snappy websites comprising graphics, text,
links, ads and so on rely on the Hypertext Transfer Protocol
(HTTP) to make it all possible.
• It’s used to manage communications between web
browsers and web servers and opens the right resource
when you click a link, wherever that resource may actually
reside.
HTTPS
• Hypertext Transfer Protocol Secure (HTTPS) is also
known as Secure Hypertext Transfer Protocol.
• It uses Secure Sockets Layer (SSL).
• It’s what your browser needs to fill out forms, sign in,
authenticate, and encrypt an HTTP message when you do
things online like make a reservation, access your bank, or
buy something.
Network Time Protocol (NTP)
• NTP is used to synchronize the clocks on our
computers to one standard time source (typically, an atomic
clock).
• Network Time Protocol (NTP) works by synchronizing
devices to ensure that all computers on a given network
agree on the time.
• This may sound pretty simple, but it’s very important
because so many of the transactions done today are time
and date stamped.
• Network Monitoring System needs NTP
Domain Name System (DNS)
Dynamic Host Configuration Protocol
• Dynamic Host Configuration Protocol (DHCP) assigns IP
addresses to hosts.
• It allows for easier administration and works well in small to
very large network environments.
• Many types of hardware can be used as a DHCP server,
including a Cisco router.
• DHCP server can provide:
• IP address, Subnet mask, Domain name, Default gateway
(routers), DNS server address
Host-to-Host Layer Protocol
• The Host-to-Host layer's job is to shield the upper-layer applications
from the complexities of the network.
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
Transmission Control Protocol (TCP)
• TCP takes large blocks of information from an application
and breaks them into segments.
• It numbers and sequences each segment so that the
destination’s TCP stack can put the segments back into the
order the application intended.
• After these segments are sent on the transmitting host, TCP
waits for an acknowledgment of the receiving end’s TCP
virtual circuit session, retransmitting any segments that
aren’t acknowledged.
Transmission Control Protocol (TCP)
• Before a transmitting host starts to send segments down
the model, the sender’s TCP stack contacts the
destination’s TCP stack to establish a connection.
• This creates a virtual circuit, and this type of
communication is known as connection-oriented.
• During this initial handshake, the two TCP layers also
agree on the amount of information that’s going to be sent
before the recipient’s TCP sends back an
acknowledgment. With everything agreed upon in
advance, the path is paved for reliable communication to
take place.
Transmission Control Protocol (TCP)
• TCP is a full-duplex, connection-oriented, reliable, and
accurate protocol
• but establishing all these terms and conditions, in
addition to error checking, is no small task.
• TCP is very complicated, and so not surprisingly, it’s costly
in terms of network overhead.
Transmission Control Protocol (TCP)
• And since today’s networks are much more reliable than
those of yore, this added reliability is often unnecessary.
• Most programmers use TCP because it removes a lot of
programming work,
• but for real-time video and VoIP, User Datagram
Protocol (UDP) is often better because using it results in
less overhead.
TCP Segment Format
• Source port This is the port number of the application on the host sending
the data.
• Destination port This is the port number of the application requested on the
destination host.
• Sequence number A number used by TCP that puts the data back in the
correct order or retransmits missing or damaged data during a process
called sequencing.
• Acknowledgment number The value is the TCP octet that is expected next.
TCP Segment Format
• Header length The number of 32-bit words in the TCP header, which
indicates where the data begins. The TCP header (even one including
options) is an integral number of 32 bits in length.
• Code bits/flags Control functions used to set up and terminate a
session.
• Window The window size the sender is willing to accept, in octets.
• Checksum The cyclic redundancy check (CRC), used because TCP
doesn’t trust the lower layers and checks everything. The CRC checks the
header and data fields.
User Datagram Protocol (UDP)
• User Datagram Protocol (UDP) is basically the scaled-down
economy model of TCP, which is why UDP is sometimes
referred to as a thin protocol.
• UDP does not sequence the segments and does not care
about the order in which the segments arrive at the
destination.
• UDP just sends the segments off and forgets about them.
• It doesn’t follow through, check up on them, or even allow for
an acknowledgment of safe arrival—complete abandonment.
Because of this, it’s referred to as an unreliable protocol. This
does not mean that UDP is ineffective, only that it doesn’t
deal with reliability issues at all.
UDP Segment
• Source port Port number of the application on the host
sending the data
• Destination port Port number of the application requested
on the destination host
• Length Length of UDP header and UDP data
• Checksum Checksum of both the UDP header and UDP
data fields
• Data Upper-layer data
Key features of TCP and UDP
Port Number
Internet Layer Protocol
• Internet Protocol (IP)
• Internet Control Message Protocol (ICMP)
• Address Resolution Protocol (ARP)
IP
• Internet Protocol (IP) essentially is the Internet layer.
• IP can do this because all the machines on the network
have a software, or logical, address called an IP address
• IP receives segments from the Host-to-Host layer and
fragments them into datagrams (packets) if necessary.
• IP then reassembles datagrams back into segments on the
receiving side.
IP
• Each datagram is assigned the IP address of the sender
and that of the recipient.
• Each router or switch (layer 3 device) that receives a
datagram makes routing decisions based on the packet’s
destination IP address.
IP Header Format
• Version IP version number.
• Header length Header length (HLEN) in 32-bit words.
• Priority and Type of Service Type of Service tells how the datagram should
be handled. The first 3 bits are the priority bits, now called the differentiated
services bits.
• Total length Length of the packet, including header and data.
• Identification Unique IP-packet value used to differentiate fragmented
packets from different datagrams.
IP Header Format
• Flags Specifies whether fragmentation should occur.
• Fragment offset Provides fragmentation and reassembly if the packet is too large to put
in a frame. It also allows different maximum transmission units (MTUs) on the Internet.
• Time To Live The time to live (TTL) is set into a packet when it is originally generated. If
it doesn’t get to where it’s supposed to go before the TTL expires, boom—it’s gone. This
stops IP packets from continuously circling the network looking for a home.
• Protocol The number of the upper-layer protocol; for example, TCP is 6 and UDP is 17. Also
supports Network layer protocols, like ARP and ICMP, and can be referred to as the Type
field in some analyzers. We’ll talk about this field more in a minute.
IP Header Format
• Header checksum Cyclic redundancy check (CRC) on header
only.
• Source IP address 32-bit IP address of sending station.
• Destination IP address 32-bit IP address of the station this
packet is destined for.
• Options Used for network testing, debugging, security, and more.
• Data After the IP option field, will be the upper-layer data.
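The header fields listed on the TCP Segment, UDP Segment and IP Header slides, decoded from a constructed datagram. This is an added example, not code from the slides or from Lammle's book; the sample bytes, the 192.0.2.x addresses and the function names are assumptions. It also verifies the two checksum rules the slides state: the IP header checksum covers the header only, while the TCP and UDP checksums cover the header and data (plus a pseudo-header built from the IP addresses).

```python
import struct

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words; over data that already
    carries a correct checksum field the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src: bytes, dst: bytes, proto: int, length: int) -> bytes:
    """IPv4 pseudo-header prepended to a TCP/UDP segment when checksumming it."""
    return src + dst + struct.pack("!BBH", 0, proto, length)


def parse_ipv4(pkt: bytes) -> dict:
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _hcs, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    hlen = (ver_ihl & 0x0F) * 4  # HLEN is counted in 32-bit words
    if ver_ihl >> 4 != 4 or hlen < 20 or hlen > total_len or total_len > len(pkt):
        raise ValueError("malformed IPv4 header")
    return {
        "hlen": hlen,
        "ds_bits": tos >> 2,  # priority / differentiated services bits
        "total_length": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,  # field counts 8-byte units
        "ttl": ttl,
        "protocol": proto,  # 6 = TCP, 17 = UDP, 1 = ICMP
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        # the IP header checksum covers the header only, never the data
        "header_ok": inet_checksum(pkt[:hlen]) == 0,
        "src_raw": src, "dst_raw": dst,
        "payload": pkt[hlen:total_len],
    }


def parse_tcp(seg: bytes, src: bytes, dst: bytes) -> dict:
    (sport, dport, seq, ack, off_flags,
     window, _cs, urg) = struct.unpack("!HHIIHHHH", seg[:20])
    hlen = (off_flags >> 12) * 4  # header length in 32-bit words
    if hlen < 20 or hlen > len(seg):
        raise ValueError("malformed TCP header")
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "hlen": hlen,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)],
        "window": window, "urgent": urg,
        # TCP's checksum covers pseudo-header, header and data
        "checksum_ok": inet_checksum(pseudo_header(src, dst, 6, len(seg)) + seg) == 0,
        "options": seg[20:hlen], "data": seg[hlen:],
    }


def parse_udp(seg: bytes, src: bytes, dst: bytes) -> dict:
    sport, dport, length, cs = struct.unpack("!HHHH", seg[:8])
    if length < 8 or length > len(seg):
        raise ValueError("malformed UDP header")
    # A zero UDP checksum over IPv4 means "not computed": report it as unverified.
    ok = cs != 0 and inet_checksum(pseudo_header(src, dst, 17, length) + seg[:length]) == 0
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum_ok": ok, "data": seg[8:length]}


def parse_datagram(pkt: bytes) -> dict:
    """Decode an IPv4 datagram and, by protocol number, the TCP or UDP segment it carries."""
    ip = parse_ipv4(pkt)
    if ip["protocol"] == 6:
        ip["tcp"] = parse_tcp(ip["payload"], ip["src_raw"], ip["dst_raw"])
    elif ip["protocol"] == 17:
        ip["udp"] = parse_udp(ip["payload"], ip["src_raw"], ip["dst_raw"])
    return ip


def build_sample(proto: int, data: bytes = b"hello") -> bytes:
    """Constructed test datagram 192.0.2.1 -> 192.0.2.2 (not a real capture)."""
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
    if proto == 6:  # TCP SYN, port 40000 -> 80, seq 1000, window 65535, no options
        seg = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0) + data
        cs = inet_checksum(pseudo_header(src, dst, 6, len(seg)) + seg)
        seg = seg[:16] + struct.pack("!H", cs) + seg[18:]
    else:  # UDP, port 53000 -> 53
        seg = struct.pack("!HHHH", 53000, 53, 8 + len(data), 0) + data
        cs = inet_checksum(pseudo_header(src, dst, 17, len(seg)) + seg) or 0xFFFF
        seg = seg[:6] + struct.pack("!H", cs) + seg[8:]
    # IPv4: version 4, HLEN 5, DF set, TTL 64; header checksum filled in last
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0x1234, 0x4000, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + seg
```

Flipping one payload byte leaves `header_ok` true but makes the TCP `checksum_ok` false, which is the practical meaning of "header only" on the IP Header slide.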
Protocol Number
ICMP
• Internet Control Message Protocol (ICMP)
• Used by IP for many different services.
• ICMP is basically a management protocol and messaging
service provider for IP.
• Its messages are carried as IP datagrams.
• ICMP packets have the following characteristics:
• They can provide hosts with information about network
problems.
• They are encapsulated within IP datagrams.
ICMP error message
Address Resolution Protocol (ARP)
IP Addressing
Reserved IP Address
Private IP Address
Ethernet Networking
Ethernet
• Ethernet is a media-access method
• allows hosts on a network to share the same link’s
bandwidth
• Ethernet is readily scalable
• Standard -> Fast -> Gigabit -> Ten Gigabit Ethernet
• Ethernet operates at both the Data Link and Physical layers
Collision Domain
A typical Network today
Broadcast Domain
• How to break up a broadcast domain on a switch
CSMA/CD
• Carrier Sense Multiple Access with Collision Detection
• helps devices share bandwidth evenly while preventing two
devices from transmitting simultaneously on the same
network medium.
CSMA/CD
• A jam signal informs all devices that a collision occurred
• The collision invokes a random back-off algorithm
• Each device on the Ethernet segment stops transmitting for a
short time until its back-off timer expires
• All hosts have equal priority to transmit after the time expires
CSMA/CD
• The ugly effects of having a CSMA/CD network sustain
heavy collisions
• delay
• low throughput
• congestion.
Ethernet at the Data Link Layer
• Ethernet Addressing
• Physical address, MAC Address
Ethernet Frame
• Data Link
• to combine bits into bytes and bytes into frames
• to encapsulate packets from the Network layer for transmission
on a given type of media access
Ethernet Frame
• Preamble An alternating 1,0 pattern provides a 5 MHz
clock at the start of each packet, which allows the receiving
devices to lock the incoming bit stream.
• Start Frame Delimiter (SFD)/Synch The preamble is seven
octets and the SFD is one octet (synch). The SFD is
10101011, where the last pair of 1s allows the receiver to
come into the alternating 1,0 pattern somewhere in the
middle and still sync up to detect the beginning of the data.
Ethernet Frame
• Destination Address (DA) This transmits a 48-bit value using the
least significant bit (LSB) first. The DA is used by receiving stations
to determine whether an incoming packet is addressed to a
particular node. The destination address can be an individual
address or a broadcast or multicast MAC address. Remember that
a broadcast is all 1s—all Fs in hex— and is sent to all devices. A
multicast is sent only to a similar subset of nodes on a network.
• Source Address (SA) The SA is a 48-bit MAC address used to
identify the transmitting device, and it uses the least significant bit
first. Broadcast and multicast address formats are illegal within the
SA field.
Ethernet Frame
• Length or Type 802.3 uses a Length field, but the
Ethernet_II frame uses a Type field to identify the Network
layer protocol. The old, original 802.3 cannot identify the
upper-layer protocol and must be used with a proprietary
LAN—IPX, for example.
• Data This is a packet sent down to the Data Link layer from
the Network layer. The size can vary from 46 to 1,500 bytes.
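An added example (not from the slides or the CCNA guide) that applies the frame rules above as a receiver would: it classifies the DA as unicast, multicast or broadcast, rejects a frame whose SA carries a broadcast or multicast address, distinguishes an 802.3 Length field from an Ethernet_II Type field, and enforces the 46-to-1,500-byte data field. The MAC addresses, the EtherType table and the sample frames are constructed for illustration.

```python
import struct

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
BROADCAST = b"\xff" * 6
MIN_DATA, MAX_DATA = 46, 1500  # data field limits from the slide


def fmt_mac(mac: bytes) -> str:
    return ":".join("%02x" % b for b in mac)


def classify_address(mac: bytes) -> str:
    """All 1s is broadcast; any other address whose individual/group bit is set
    (the least significant bit of the first octet, sent first on the wire) is multicast."""
    if mac == BROADCAST:
        return "broadcast"
    return "multicast" if mac[0] & 0x01 else "unicast"


def parse_ethernet(frame: bytes) -> dict:
    """Decode DA, SA and Length/Type of a frame as delivered by a NIC (preamble,
    SFD and FCS already stripped). Raises ValueError for frames a receiver should drop."""
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than the 14-byte header")
    da, sa, length_or_type = struct.unpack("!6s6sH", frame[:14])
    if classify_address(sa) != "unicast":
        # Broadcast and multicast formats are illegal in the SA field; such a
        # frame is malformed or forged and is worth logging before dropping it.
        raise ValueError("illegal group address in SA: " + fmt_mac(sa))
    payload = frame[14:]
    if length_or_type >= 0x0600:  # Ethernet_II: value identifies the Network layer protocol
        kind, proto, data = "Ethernet_II", ETHERTYPES.get(length_or_type, hex(length_or_type)), payload
    else:  # original 802.3: value is the length of the data, padding may follow
        if length_or_type > len(payload):
            raise ValueError("802.3 length field exceeds frame")
        kind, proto, data = "802.3", None, payload[:length_or_type]
    if not MIN_DATA <= len(payload) <= MAX_DATA:
        raise ValueError("data field of %d bytes outside %d..%d" % (len(payload), MIN_DATA, MAX_DATA))
    return {
        "kind": kind,
        "da": fmt_mac(da), "da_kind": classify_address(da),
        "sa": fmt_mac(sa),
        "type": proto,
        "data": data,
    }


def build_frame(da: bytes, sa: bytes, length_or_type: int, data: bytes) -> bytes:
    """Constructed frame for testing: pads the data field up to the 46-byte minimum."""
    data = data + b"\x00" * max(0, MIN_DATA - len(data))
    return struct.pack("!6s6sH", da, sa, length_or_type) + data


# Constructed sample addresses (locally administered, not from a real network).
HOST_A = bytes.fromhex("0211223344aa")
HOST_B = bytes.fromhex("0211223344bb")
# Broadcast ARP request from HOST_A (payload truncated to the ARP header start).
ARP_REQUEST = build_frame(BROADCAST, HOST_A, 0x0806, b"\x00\x01\x08\x00\x06\x04\x00\x01")
```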
Ethernet at Physical Layer
• Ethernet standard
• 10Base-T
• 100Base-TX
• 100Base-FX
• 1000Base-T
• …
Ethernet at Physical Layer
• Ethernet Cabling
• UTP
Ethernet cabling
Rolled Cable
Fiber Optic
Data Encapsulation
PDU & ADDRESSING
THREE LAYER HIERARCHICAL MODEL
Module 1
Fundamental of Computer Network Security
Outlines
• Challenges
• Terminology
• Identification and Authentication
Challenges
Why is security difficult?
• Speed of Attacks
• Wide availability of modern tools: used to scan systems
• To find weaknesses
• Launch attacks
• Most tools are automated
• Easy to attack target systems
Why is security difficult?
• Sophistication of attacks
• Security attacks are becoming more complex
• Difficult to detect
• Faster detection of weakness
• Newly discovered system vulnerabilities double annually
• More difficult for software developers to update their
products
• Zero Day Attack
Why is security difficult?
• Distributed attacks
• Multiple systems can be used to attack a single
computer or network
• Impossible to stop an attack by identifying and blocking
the source
• Difficult in patching
Terminology
Security
• Security
• Security is about the protection of assets
• Protective measures
• Prevention
• Detection
• Reaction
Computer Security
• Computer Security
• Computer security deals with the prevention and
detection of unauthorized actions by users of a computer
system
• The goal is to protect data and resources
• Only an issue on shared systems
• Like a network or a time-sharing OS
• No “global” solution
Computer Security
• Computer security
• No absolute “secure” system
• Security mechanisms protect against specific classes of
attacks
• Network security
• Security of data in transit
• Over network link/store-and-forward node
• Security of data at the end point
• Files, Email, Hardcopies
Network Security vs Computer Security
• Attacks can come from anywhere, anytime
• Highly automated (script)
• Physical security measures are inadequate
• Wide variety of applications, services, protocols
• Complexity
• Different constraints, assumptions, goals
• No single “authority”/administrators
Security Objectives
• To protect Confidentiality, Integrity, Availability
• Confidentiality:
• Ensure that only authorized users can view data
• Or no data is disclosed intentionally or unintentionally
Security Objectives
• To protect Confidentiality, Integrity, Availability
• Integrity:
• No data is modified by unauthorized persons or software
• No unauthorized changes are made by authorized persons
• Data remain consistent
Security Objectives
• To protect Confidentiality, Integrity, Availability
• Availability:
• service/data is available to authorized users
Security Mechanism & Service
• Security Mechanism
• A mechanism designed to detect, prevent, or recover
from a security attack
• Security Service
• A service that enhances the security of data processing
systems and information transfers
• Makes use of one or more security mechanisms
Security Attack
• Security Attack
• Any action that compromises the security of information
• Attack on availability
• Attack on confidentiality
• Attack on integrity
• Attack on authenticity
Terminology
• Risk
• A measure of the cost of a realized vulnerability that
incorporates the probability of a successful attack
• Risk Analysis
• Provides a quantitative means of determining whether an
expenditure on safeguards is warranted
Terminology
• Spies
• A person who
• Has been hired to break into a computer and steal
information
• Does not randomly search for unsecured computers to
attack
Terminology
• Cyberterrorist
• Terrorists who attack the network and computer
infrastructure to
• Deface electronic information (such as web sites)
• Deny service to legitimate computer users
• Commit unauthorized intrusions into systems and
networks that result in infrastructure outages and
corruption of vital data
Identification and Authentication
Ident. and Authen.
• Authentication Basics
• Password
• Biometrics
Authentication Basic
• Authentication
• The process of verifying a user’s identity
• Two reasons to authenticate a user
• The user identity is a parameter in access control decisions
(for a system)
• The user identity is recorded when logging security-
relevant events in an audit trail
Authentication Basic
• Authentication
▪ Binding of an identity to a principal (subject)
▪ An identity must provide information to enable the system
to confirm its identity
Authentication Basic
• Authentication
▪ Information (one or more)
• What the identity knows (such as password or secret
information)
• What the identity has (such as a badge or card)
• What the identity is (such as fingerprints)
• Where the identity is (such as in front of a particular
terminal)
Authentication Basic
• Authentication process
▪ Obtaining information from the identity
▪ Analyzing the data
▪ Determining if it is associated with that identity
▪ Thus the authentication process is
▪ The process of verifying a claimed identity
Authentication Basic
• Username and Password
• Very common and simple identities
• Used to enter into a system
• Username
• Announce who a user is
• This step is called identification
• Password
• To prove that the user is who they claim to be
• This step is called authentication
Authentication Mechanism
• Password
• Password Aging
• One-Time Password
Password
• Based on what people know
• User supplies password
• Computer validates it
• If the password is associated with the user, then the user’s
identity is authenticated
Password
• Choosing passwords
• Password guessing attacks are very simple and always
work!!
• Because users are not aware of protecting their
passwords
• Password choice is a critical security issue
• Choose passwords that cannot be easily guessed
Password
• Password defenses
• Set a password to every account
• Change default passwords
• Password length
• A minimum password length should be prescribed
• Password Format
• Mix upper and lower case symbols
• Include numerical and other non-alphabetical symbols
Password
• Password Format
• Mix upper and lower case symbols
• Include numerical and other non-alphabetical symbols
• Avoid obvious passwords
How to improve password security?
• Password checking tools
• Check passwords against some dictionary of weak
passwords
• Password generation
• A utility in some systems
• Producing random passwords for users
• Password Aging
How to improve password security?
• Password Aging
• A requirement that passwords be changed after some
period of time
• Requires mechanisms for
• Forcing users to change to a different password
• Providing notice of the need to change
• A user-friendly method to change the password
How to improve password security?
• One-Time Password
• The password is valid for only one use
• Limit login attempts
• A system monitors unsuccessful login attempts
• Reacts by locking the user account if the login process
fails
How to improve password security?
• Inform user
• After a successful login, the system displays
• The last login time
• The number of failed login attempts
Attacking password
• Password guessing
• Exhaustive search (brute force)
• Try all possible combinations of valid symbols
• Dictionary attack
• Random selection of passwords
• Pronounceable and other computer-generated passwords
• User-selected passwords based on account names,
user names, or computer names
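An added example (not the course's code) implementing the defenses from the preceding password slides in one place: a checking tool that applies the length and format rules, a weak-password dictionary and a check against account and computer names (the guessing basis named on the slide above), plus login-attempt limiting with lockout, password aging, and the last-login / failed-attempt notice. The weak-word list, the thresholds, the hashing parameters and the account record are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed weak-password dictionary; a real checking tool loads a large word list.
WEAK_WORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}
MIN_LENGTH = 12
MAX_FAILURES = 5              # lock the account after this many consecutive failures
MAX_AGE = timedelta(days=90)  # password aging period
PBKDF2_ROUNDS = 100_000


def check_password(password: str, username: str, hostname: str = "") -> list:
    """Apply the password-format rules from the slides plus a dictionary check.
    Returns the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("must mix upper and lower case")
    if not any(c.isdigit() for c in password):
        problems.append("must include a numerical symbol")
    if not any(not c.isalnum() for c in password):
        problems.append("must include a non-alphanumeric symbol")
    if any(word in lowered for word in WEAK_WORDS):
        problems.append("contains a word from the weak-password dictionary")
    if any(n and len(n) >= 3 and n.lower() in lowered for n in (username, hostname)):
        problems.append("based on the account, user or computer name")
    return problems


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    changed_at: datetime
    failed_attempts: int = 0
    locked: bool = False
    last_login: Optional[datetime] = None


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a stolen account store does not yield passwords directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def create_account(username: str, password: str, now: datetime, hostname: str = "") -> Account:
    problems = check_password(password, username, hostname)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), now)


def login(acct: Account, password: str, now: datetime) -> tuple:
    """Returns (success, message). Implements attempt limiting with lockout,
    password aging, and the last-login / failed-attempt notice after success."""
    if acct.locked:
        # Lockout also lets anyone who knows the username deny service to its
        # owner, so pair it with an unlock procedure and alerting.
        return False, "account locked after %d failed logins" % MAX_FAILURES
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILURES:
            acct.locked = True
        return False, "login failed"
    notice = "last login: %s; failed attempts since then: %d" % (
        acct.last_login.isoformat() if acct.last_login else "never", acct.failed_attempts)
    acct.failed_attempts = 0
    acct.last_login = now
    if now - acct.changed_at > MAX_AGE:
        notice += "; password expired, change it now"
    return True, notice
```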
Biometrics
• The automated measurement of biological or behavioral
features that identify a person
• Method:
• A set of measurements of a user is taken when the user is
given an account
• When the user accesses the system
• The biometric authentication mechanism verifies the
identity
Biometrics
• Fingerprint
• Voices
• Eyes
• Faces
• Keystroke : interval, pressure
• Combination
Module 2
Network Attack: Taxonomy, Tools, and System
N. Hoque et al. (2014), Network attacks: Taxonomy, tools and systems, Journal of Network and
Computer Applications, 40, pp. 307-324.
Outlines
• Anomalies in network
• Step in launching an attack
• Launching and detecting attacks
• Taxonomy of Attacks
Anomalies in network
• Anomalies are non-conforming, interesting patterns
compared to a well-defined notion of normal behavior
• Traffic anomalies in computer network:
• network operation anomaly
• flash crowds
• network abuse anomaly
• All these anomalies can be detected by analyzing the traffic
volume transmitted from station to station
Anomalies in network
• Examples: DoS/DDoS, scan, worm, outage, ingress shift,
information gathering, passive attack, spoofing attack, man-
in-the-middle, DNS cache poisoning
• All of these attacks cause damage and destruction to the network
environment
• Anomalies can have large impacts on both performance
and security.
• network anomalies cause service degradation and
impact network speed
• network performance may suffer considerably.
Step in launching an attack
1. Information gathering:
• The attacker attempts to gather vulnerability information
from the network with the hope that some of the
information can be used to aid in the ensuing attack
Step in launching an attack
2. Assessing vulnerability:
• Based on the vulnerabilities learned in the previous
step,
• the attacker attempts to compromise some nodes in the
network by exploiting malicious code, as a precursor to
the launching of attack(s).
Step in launching an attack
3. Launching attack:
• The attacker launches the attack on the target victim
machine(s) using the compromised nodes.
Step in launching an attack
4. Cleaning up:
• Finally, the attacker attempts to eliminate the attack
history by cleaning up all the registry or log files from
the victim machine(s).
Launching attacks
• Before launching an attack, an attacker first attempts to
gather vulnerability information about the target system that
may help in attack generation.
• An attacker scans the network using information gathering
tools like nmap and finds loopholes in the system.
• Based on the gathered information, the attacker exploits
some malicious code, possibly available on the network.
Launching attacks
• The malicious code may be used to first compromise hosts
in the network or it may be used to directly launch an attack
and disrupt the network.
• There are many methods for launching an attack.
• one may use Trojans or worms to generate an attack on a
system or a network.
• Scanning or information gathering may be coordinated
with an attack and performed simultaneously.
• One can also use attack launching tools such as Dsniff ,
IRPAS, Ettercap and Libnet to generate MAC attacks,
ARP attacks or VLAN attacks.
Launching attacks
• The main purpose of the attacker in many cases is to
disrupt services provided by the network either by
consuming resources or consuming bandwidth.
• These types of attacks can be launched using flooding of
legitimate requests as in TCP SYN flooding, ICMP flooding
and UDP flooding.
Detecting an Attack
• To detect an attack, one must know the characteristics of
an attack and its behavior in a network.
• The network administrator needs a visualization or
monitoring system to observe differences between the
characteristics of abnormal traffic and the normal.
• An attack can be detected from the traffic volume based on
the packet header or network flow information.
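As an added illustration of volume-based detection from packet-header information (example code written for these notes, not from the slides or the Hoque et al. paper): the detector below buckets TCP handshakes per destination and time window and alerts when many SYNs arrive but few are completed by the client's final ACK, which is the traffic signature of the SYN flooding mentioned earlier. The record format, addresses, sample traffic and thresholds are all constructed.

```python
"""Volume-based SYN flood detection over packet-header records (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PacketHeader:
    """Header fields a flow collector or a tcpdump capture would expose."""
    ts: float    # capture time in seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: str   # "TCP", "UDP" or "ICMP"
    flags: str   # TCP flags: "S" = SYN, "SA" = SYN/ACK, "A" = ACK; "" for non-TCP


def parse_record(line: str) -> PacketHeader:
    """Parse one constructed 'ts src dst sport dport proto flags' line ('-' = no flags)."""
    ts, src, dst, sport, dport, proto, flags = line.split()
    return PacketHeader(float(ts), src, dst, int(sport), int(dport), proto,
                        "" if flags == "-" else flags)


def summarize_handshakes(packets, window=1.0):
    """Per (dst, dport, window index): SYNs seen, handshakes completed by the
    client's final ACK, and the set of distinct source addresses."""
    pending = {}   # (src, sport, dst, dport) -> window index of the SYN
    stats = defaultdict(lambda: {"syn": 0, "completed": 0, "sources": set()})
    for p in sorted(packets, key=lambda p: p.ts):
        if p.proto != "TCP":
            continue
        win = int(p.ts // window)
        conn = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            pending[conn] = win
            bucket = stats[(p.dst, p.dport, win)]
            bucket["syn"] += 1
            bucket["sources"].add(p.src)
        elif p.flags == "A" and conn in pending:
            # Third handshake packet from the client: the SYN was genuine.
            syn_win = pending.pop(conn)
            stats[(p.dst, p.dport, syn_win)]["completed"] += 1
    return stats


def detect_syn_flood(packets, window=1.0, min_syn=20, min_completion=0.5):
    """Alert on (dst, dport, window) buckets where many SYNs arrive and few complete."""
    alerts = []
    for key, b in sorted(summarize_handshakes(packets, window).items(), key=lambda kv: kv[0]):
        dst, dport, win = key
        ratio = b["completed"] / b["syn"]
        if b["syn"] >= min_syn and ratio < min_completion:
            alerts.append({"dst": dst, "dport": dport, "window_start": win * window,
                           "syn": b["syn"], "distinct_sources": len(b["sources"]),
                           "completion_ratio": round(ratio, 2)})
    return alerts


def constructed_capture():
    """Constructed sample traffic (not a real capture): three clients complete
    handshakes to 198.51.100.5:80 during t=0..1 s, one UDP packet at t=2.5 s, then
    40 bare SYNs from distinct spoofed sources at t=5..6 s that never complete."""
    lines = []
    for i, client in enumerate(("192.0.2.10", "192.0.2.11", "192.0.2.12")):
        for k in range(2):
            t, sport = 0.1 * (2 * i + k), 40000 + 2 * i + k
            lines.append(f"{t:.3f} {client} 198.51.100.5 {sport} 80 TCP S")
            lines.append(f"{t + 0.01:.3f} 198.51.100.5 {client} 80 {sport} TCP SA")
            lines.append(f"{t + 0.02:.3f} {client} 198.51.100.5 {sport} 80 TCP A")
    lines.append("2.500 192.0.2.10 198.51.100.5 50000 53 UDP -")
    for n in range(40):
        t, src = 5.0 + 0.02 * n, f"203.0.113.{n + 1}"
        lines.append(f"{t:.3f} {src} 198.51.100.5 {1024 + n} 80 TCP S")
        lines.append(f"{t + 0.005:.3f} 198.51.100.5 {src} 80 {1024 + n} TCP SA")
    return [parse_record(line) for line in lines]


if __name__ == "__main__":
    for alert in detect_syn_flood(constructed_capture()):
        print(alert)
```

On the constructed capture the normal window completes 6 of 6 handshakes and raises nothing, while the flood window shows 40 SYNs from 40 sources with a completion ratio of 0 and produces one alert.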
Detecting an Attack
• However, such detection usually requires processing huge
volumes of data in near real-time.
• Obviously, designing a real-time defense mechanism that
can identify all attacks is a challenging and quite likely
impossible task.
• Most detection methods need some prior information about
attack characteristics to use during the detection process.
Detecting an Attack
• The evaluation of these intrusion detection mechanisms or
systems is performed using misclassification rate or false
alarm rate.
• To obtain satisfactory results, an IDS designer needs to be
careful in choosing an approach, matching mechanism or
any heuristic or in making assumptions.
• Approaches that have been able to obtain acceptable
results include statistical, soft computing, probabilistic,
knowledge-based and hybrid.
Detecting an Attack
• Detection systems are designed to protect the network from
different types of vulnerabilities
• which may crash the network or may capture private or
secure information.
• Deployment of an accurate and efficient anomaly detection
system demands appropriate design as per standard
security requirements and risk analysis.
• The detection system can be either host based or network
based.
Detecting an Attack
• A typical network structure with a protected LAN, a
demilitarized zone and a deployed IDS console.
• A demilitarized zone (sometimes referred to as a perimeter
network) is a physical or logical subnetwork that contains
and exposes an organization's external-facing services to a
larger untrusted network, usually the Internet.
• An attacker may launch an attack from various machines
connected to the network either via wired or wireless media.
Detecting an Attack
• The increasing number of highly sophisticated attacks of
complex and evolving nature has made the task of
defending networks challenging.
• The appropriate use of tools and systems can simplify the
task significantly.
• This necessitates an awareness of the characteristics and
relevance of these tools and systems, and their usage.
Network Security Tools
• People use different attack tools to disrupt a network for
different purposes.
• Attackers generally target Web sites or databases as well
as enterprise networks by gathering information based on
their weaknesses.
• In general, attackers use relevant tools for the class of
attack they desire to launch.
• A large number of defense tools also have been made
available by various network security research groups as
well as private security professionals.
• These tools have different purposes, capabilities and
interfaces.
Taxonomy of Attacks
Taxonomy of Tools
Sniffing Tools: Tcpdump
• Tcpdump:
• Tcpdump is a premier packet analyzer for information
security professionals.
• It enables one to capture, save and view packet data.
• This tool works on most flavors of the Unix operating
system.
• One can also use third-party open source software, e.g.,
Wireshark, to open and visualize tcpdump-captured traffic.
Sniffing Tools: Ethereal
• Ethereal:
• Ethereal is a sniffing and traffic analyzing software tool for
Windows, Unix and Unix-like OSs, released under the GNU
license scheme.
• It includes two primary library utilities,
• GTK+, a GUI based library
• libpcap, a packet capture and filtering library.
• Ethereal is also capable of reading the output of tcpdump and
can apply tcpdump filters to select and display records
satisfying certain parameters.
• Ethereal offers decoding options for a large number (>400) of
protocols and is useful in network forensics.
Sniffing Tools
• Sniffing tools are not equally useful for all purposes all the time.
• Their usefulness and importance depend on the user's
requirements and purpose at a certain point in time.
• For example, one cannot use Cain & Abel to capture live
network traffic since it performs only password cracking.
• Most people use tcpdump and libpcap as network sniffing tools
to capture all information in packets and store them in a file.
• One can use the Nfsen and Nfdump tools for NetFlow traffic
capture whereas Gulp is used for packet level traffic capture.
However, these tools also use tcpdump as an implicit tool for
packet as well as NetFlow capture.
Scanning Tools
• A network scanning tool aims to identify active hosts on a
network,
• to attack them,
• to assess vulnerabilities in the network.
• It provides an overall status report regarding network hosts,
ports, IPs, etc.
Scanning Tools: nmap
• Nmap:
• This network mapping tool facilitates network exploration and
security auditing.
• It can scan large networks fast, and works against single hosts as well.
• It is effective in using raw IP packets to identify a large number
of useful parameters,
• such as available hosts, services offered by the hosts, OSs
running, and use of packet filters or firewalls.
• In addition to its use in security audits, network administrators
can use it for routine tasks such as maintaining network
inventory, managing service upgrade schedules, and
monitoring host or service uptime.
Scanning Tools
• For scanning a large network, one can use nmap as the most
effective tool.
• Nmap has the ability to scan a large network to determine multiple
parameters such as active hosts and ports, host operating systems,
protocols, timing and performance, firewall/IDS evaluation and
spoofing, and IPv6 scanning.
• Due to its multiple functionalities, network administrators find it very
useful to monitor a large network.
• Amap and Vmap do not support many of the functionalities
performed by nmap.
• Attackers use nmap to find the vulnerabilities in a host to
compromise it for constructing BotNets during DDoS attack
generation using the agent handler architecture.
Attack Launching Tools
• A large number of network security tools that use
cryptographic mechanisms to launch attacks are available
on the Web.
• People can freely download these tools and can use them
for malicious activities:
• Trojan propagation, network mapping, probe attacks,
buffer overflow attacks, DoS/DDoS attacks, and
application layer attacks.
Attack Launching Tools
• Such tools can be used to launch layer specific and
protocol specific attacks:
• HTTP, SMTP, FTP or SNMP related attacks.
• Other tools can be used to launch DoS/DDoS attacks,
• That can disrupt the services of a network or a Website
very quickly.
• Some tools are used in wired networks to capture and
exploit valuable information while others are used in
wireless networks.
Trojans
• Trojans are malicious executable programs developed to
break the security system of a computer or a network.
• A Trojan resides in a system as a benign program file.
• Once the user attempts to open the file, the Trojan is
executed, and some dangerous action is performed.
Trojans
• Victims generally unknowingly download the Trojan from
multiple sources:
• Internet, FTP archive, peer-to-peer file exchange using
BitTorrent, Internet messaging.
• Typically, Trojans are of seven distinct types:
• Remote access Trojans, Sending Trojans, Destructive
Trojans, Proxy Trojans, FTP Trojans, Security software
disable Trojans, DoS Trojans.
Trojans
• Remote access
• Remote access Trojans are malware programs that use backdoors
to control the target machine with administrative privilege.
• This type of Trojan is downloaded invisibly along with a
program the user requested, such as a game or an email
attachment.
• Once the attacker compromises a machine, the Trojan
uses this machine to compromise more machines to
construct a BotNet for launching a DoS or DDoS attack.
Trojans
• Remote access
• An example of remote access Trojan is danger.
• Sending Trojans are used to capture and provide
sensitive information such as passwords, credit card
information, log files, e-mail addresses, and IM contact
lists to the attacker.
• In order to collect such information, such Trojans attempt
to install a keylogger to capture and transmit all recorded
keystrokes to the attacker.
• Examples of this type of Trojans are Badtrans.B email
virus, and Eblast.
Trojans
• Destructive Trojans
• Trojans are very destructive for a computer and often
programmed to delete automatically some essential
executable programs such as configuration and dynamic
link library (DLL) files.
• Such Trojans act either
• (i) as per the instructions of a back-end server, or
• (ii) based on pre-installed or programmed instructions,
to strike on a specific day, at a specific time.
• Two common examples of this type are Bugbear virus
and Goner worm.
Trojans
• Proxy Trojans
• Trojans attempt to use a victim's computer as a proxy
server.
• A Trojan of this kind compromises a computer and
attempts to perform malicious activities such as
fraudulent credit card transactions, and launching of
malicious attacks against other networks.
• Examples of proxy Trojans are TrojanProxy:Win32,
Paramo.F.
Trojans
• FTP Trojans
• Trojans attempt to open port 21 and establish a
connection from the victim computer to the attacker using
the File Transfer Protocol (FTP).
• An example of FTP Trojan is FTP99cmp.
Trojans
• Security software disable Trojans
• Trojans attempt to destroy or to thwart defense
mechanisms or protection programs such as antivirus
programs or firewalls.
• Often such a Trojan is combined with another type of
Trojan as a payload.
• Some examples are trojan.Win32.KillAV.ctp and
trojan.Win32.Disable.b.
Trojans
• DoS Trojans
• Trojans attempt to flood a network instantly with useless
traffic, so that it cannot provide any service.
• Some examples of this category of Trojan are Ping of
Death and Teardrop.
Denial of Service (DoS)
• Denial of service (DoS) is a commonly found, yet serious
class of attack caused due to an explicit attempt of an
attacker to prevent or block legitimate users of a service
from using desired resources.
• Such an attack occurs in both distributed as well as in a
centralized setting.
• Examples: SYN flooding, smurf, fraggle, jolt, land, and
ping-of-death.
Denial of Service (DoS)
• A Distributed Denial of Service (DDoS) attack is a
coordinated attempt on the availability of services of a
victim system or a group of systems or on network
resources, launched indirectly from a large number of
compromised machines on the Internet.
• Typically, a DDoS attacker adopts an m:1 approach (many
compromised machines against a single victim machine) or an
m:n approach, which makes the attack very difficult to detect
or prevent.
• A DDoS attacker normally initiates such a coordinated
attack using either an architecture based on agent handlers
or Internet relay chat (IRC).
Denial of Service (DoS)
• The attacking hosts are usually personal computers with
broadband connections to the Internet.
• These computers are compromised by viruses or Trojan
programs called bots.
• These compromised computers are usually referred to as
zombies.
• The actions of these zombies are controlled by remote
perpetrators often through
• (a) BotNet commands and
• (b) a control channel such as IRC.
• Generally, a DDoS attack can be launched using any one of
the following ways.
Classification of DoS
• By degree of automation:
• The attack generation steps such as recruit, exploit, infect,
and use phase can be performed in three possible ways:
• manual, automatic, and semi-automatic.
• By exploited vulnerability:
• The attacker exploits the vulnerability of a security system to
deny the services provided by that system to legitimate users.
• In semantic attacks, it exploits a specific feature or
implementation bug of some protocols or applications
installed in the victim machine to overload the resources used
by that machine.
• An example of such attack is the TCP SYN attack.
Classification of DoS
• By attack network used:
• To launch a DDoS attack, an attacker may use either an
agent handler network or an IRC network.
• By attack rate dynamics:
• Depending on the number of agents used to generate a
DDoS attack, the attack rate may be either a constant
rate or a variable rate attack.
• Besides these, an increasing rate attack and a fluctuating
rate attack can also be mounted using a rate change
mechanism.
Classification of DoS
• By victim type:
• DDoS attacks can be generated to paralyze different
types of victims.
• Examples include application attacks, host attacks,
network attacks, and infrastructure attacks.
• By impact:
• Based on the impact of a DDoS attack, it may be either a
disruptive or a degrading attack.
• By agent:
• A DDoS attack can be generated by a constant agent set
or a variable agent set.
Packet forging attack tools
• Packet forging tools are useful in forging or manipulating packet
information.
• An attacker can generate traffic with manipulated IP addresses
based on this category of tools.
• Nemesis is widely used to generate custom packets using different
protocols.
• It supports most protocols such as ARP, DNS, ICMP, IGMP, IP,
OSPF, RIP, TCP and UDP.
• This makes it very effective compared to other tools. Other
advantages of this tool are that:
• anyone can generate custom packets from the command
prompt or using shell scripts in a system,
• attackers find it very useful to generate attack packets.
Application Layer Attack
• The attacker uses legitimate application layer HTTP
requests from legitimately connected network machines to
overwhelm a Web server.
• An application layer attack may take the form of a session
flooding attack, a request flooding attack or an asymmetric
attack.
• Application layer DDoS attacks are more subtle than
network layer attacks and the detection of application layer
attacks is difficult because they use legitimate protocols and
legitimate connections.
• Examples: HTTP-related attacks, SMTP-related attacks, FTP-
related attacks, SNMP-related attacks.
Fingerprinting attack tools
• Fingerprinting tools are used to identify specific features of
a network protocol implementation by analyzing its input
and output behavior.
• The identified features include protocol version, vendor
information and configurable parameters.
• Fingerprinting tools are used to identify the operating
system running on a remote machine and can also be used
for other purposes.
Fingerprinting attack tools
• Existing fingerprinting tools show that implementations of
most key Internet protocols such as ICMP, TCP, TELNET
and HTTP have bugs.
• Network administrators can use remote fingerprinting to
collect information to facilitate management, and an
intrusion detection system can capture the abnormal
behavior of attackers or worms by analyzing their
fingerprints.
User Attack Tools
• In user attacks, either the attacker
• attempts as a normal legitimate user to gain the
privileges of a root or superuser, or
• attempts to access a local machine by exploiting its
vulnerabilities without having an account on that
machine.
• Both types of attempts are very difficult to detect because
their behavior resembles normal characteristics.
• We discuss these attacks by category along with launching
tools.
U2R Attack
• The attacker initially attempts to gain access to the local
victim machine as a legitimate user.
• The means may be a password sniffing attempt, dictionary
attack, or any social engineering approach.
• The attacker then explores possible vulnerabilities or bugs
associated with the operating system running on the victim
machine to perform the transition from user to superuser or
root level.
• Once root privileges are acquired, the attacker possesses
full control of the victim machine to install backdoor entries
for future exploits, manipulate system files to gather
information, and other damaging actions.
U2R Attack
• Two well-known U2R attack tools are described next.
• Yaga: This tool is used to create a new administrator
account by compromising registry files. The attacker
edits the registry file to crash some system services on
the victim machine and create a new administrator
account.
• SQL attack: Here, the attacker creates a TCP connection
with an SQL database server on a Unix machine. The
database shell exits when a special escape sequence is
issued and the root shell of the machine is started by
running the Perlmagic script.
R2L Attack
• A remote attacker, without an account on a local machine,
attempts to send packets to that machine by gaining local
access based on the vulnerabilities of that machine.
• To gain access to the local machine, the attacker attempts
various ways.
• Two such ways are
• using online and offline dictionary attacks to acquire the
password to access the machine, and
• making repeated guesses at possible usernames and
passwords.
R2L Attack
• The attacker also attempts to take advantage of those
legitimate users who are often casual in choosing their
passwords.
• Below are two R2L attack tools.
• Netcat: This R2L attack tool uses a Trojan program to install
and run Netcat on the victim machine at port number 53. The
Netcat program works as a backdoor to access the machine
using Netcat port without any username and password.
• ntfsdos: The attacker gains the console of a WinNT machine
by running ntfsdos. The program mounts the machine's disk
drives. Thus the attacker is able to copy secret files to
secondary media.
Module 3
Access Control
Outlines
• Overview of Access Control
• Access Control Methods
Overview of Access Control
• What is Access Control?
• The ability to allow only authorized users, programs or
processes to access a system or resource
• The granting or denying, according to a particular
security model, of certain permissions to access a
resource
• An entire set of procedures performed by hardware,
software and administrators, to monitor access, identify
users requesting access, record access attempts, and
grant or deny access based on pre-established rules.
• Access control is the heart of security
Example of Access Control
• Social Networks:
• In most social networks, such as Facebook and
MySpace, some of your personal information can only be
accessed by yourself
• some can be accessed by your friends, and some can
be accessed by everybody. The part of the system that
implements this kind of control is doing access control.
Example of Access Control
• Web Browsers:
• When you browse a web site, and run JavaScript code
from that web site, the browser has to control what such
JavaScript code can access, and what it cannot access.
• For example, code from one web site cannot access
the cookies of another web site, and it cannot modify
the contents of another web site either.
• These controls are conducted by the browser’s access
control.
Example of Access Control
• Operating Systems:
• In an operating system, one user cannot arbitrarily
access another user’s files
• a normal user cannot kill another user’s processes.
• These are done by operating system access control.
Example of Access Control
• Memory Protection:
• In Intel 80x86 architecture, code in one region cannot
access the data in another more privileged region
• This is done by the access control implemented in the
CPU (e.g. 80386 Protection Mode).
Example of Access Control
• Firewalls:
• Firewalls inspect every incoming (sometimes outgoing)
packet,
• if a packet matches with certain conditions,
• it will be dropped by the firewalls, preventing it from
accessing the protected networks.
• This is also access control.
What should we learn about access control?
• Access Control Policy Models
• how access control policies are configured and
managed.
• Discretionary Access Control (DAC)
• Mandatory Access Control (MAC)
What should we learn about access control?
• Access Control Mechanism:
• how access control is implemented in systems.
• Access Control Matrices
• Access Control List
• Capability
• Role-Based Access Control
What should we learn about access control?
• Design Principles:
• what are the useful principles that can guide the design
and contribute to an implementation that is strong in
security.
• Building a protection system is like building a bridge.
• We never ask people without civil engineering training
to build a bridge for us, because we know that to build
a bridge, we need to follow some civil engineering
principles.
DAC: Discretionary Access Control
• Definition:
• An individual user can set an access control mechanism
to allow or deny access to an object.
• Relies on the object owner to control access.
• DAC is widely implemented in most operating systems, and
we are quite familiar with it.
• Strength of DAC: flexibility, a key reason why it is widely
known and implemented in mainstream operating systems.
MAC: Mandatory Access Control
• Definition:
• A system-wide policy decrees who is allowed to have
access; an individual user cannot alter that access.
• Relies on the system to control access.
• Examples: The law allows a court to access driving records
without the owners’ permission.
• Traditional MAC mechanisms have been tightly coupled to
a few security models.
• Recently, systems supporting flexible security models have
started to appear (e.g., SELinux, Trusted Solaris, TrustedBSD, etc.)
Access Control Methods
• Access Control Matrices
• a simple framework for describing a protection system by
describing the privileges of subjects on objects.
• Subjects can be users, processes, agents, groups
• Objects can be data, memory banks, other processes
• Privileges (permissions, rights) can be read, write,
modify, etc.
Access Control Methods
• Access Control Matrices
• a triple (S, O, M)
• where S is a set of subjects, O is a set of objects and M is
a matrix defining the privileges/rights of a subject s ∈ S
on an object o ∈ O
Access Control Methods
• Access Control Matrices
• M provides a basis for different possible enforcement
mechanisms:
• Access control list
• Capability list
• Disadvantage:
• In a large system, the matrix will be enormous in size
and mostly sparse.
Access Control Methods
• Access Control List
• A column of the access control matrix.
• Advantage:
• Easy to determine who can access a given object.
• Easy to revoke all access to an object
• Disadvantage:
• Difficult to know the access right of a given subject.
• Difficult to revoke a user’s right on all objects.
• Used by most mainstream operating systems.
Access Control Methods
• Access Control List
• ACL is usually used for DAC.
• It is compact and easy to review; deleting an object is
simple, but deleting a subject is more difficult.
Access Control Methods
• Capability List
• A row of the access control matrix.
• A capability can be thought of as a pair (x, r) where x is the name
of an object and r is a set of privileges or rights.
• Advantage:
• Easy to know the access right of a given subject.
• Easy to revoke a user's access rights on all objects.
• Disadvantage:
• Difficult to know who can access a given object.
• Difficult to revoke all access right to an object.
• A number of capability-based computer systems were
developed, but have not proven to be commercially successful.
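Added example (written for these notes, not from the slides) tying the access control matrix, ACL and capability list slides together: the matrix (S, O, M) as a Python class whose columns yield ACLs and rows yield capability lists, with both revocation operations implemented so the asymmetric cost each slide lists becomes visible. The subjects, objects and rights are constructed.

```python
"""Access control matrix (S, O, M) with its ACL (column) and capability (row) views."""


class AccessMatrix:
    """M maps every (subject, object) pair to the set of rights the subject holds."""

    def __init__(self, subjects, objects):
        self.S = set(subjects)
        self.O = set(objects)
        # Every cell starts empty: a large real system is mostly empty (sparse).
        self.M = {(s, o): set() for s in self.S for o in self.O}

    def grant(self, subject, obj, *rights):
        if (subject, obj) not in self.M:
            raise KeyError(f"unknown subject/object pair {(subject, obj)!r}")
        self.M[(subject, obj)].update(rights)

    def check(self, subject, obj, right):
        """Reference-monitor decision: allow only if the right is in M[s, o];
        anything outside the matrix is denied by default."""
        return right in self.M.get((subject, obj), set())

    def acl(self, obj):
        """Column `obj` of M: which subjects may do what on this object."""
        return {s: set(self.M[(s, obj)]) for s in sorted(self.S) if self.M[(s, obj)]}

    def capabilities(self, subject):
        """Row `subject` of M as (object, rights) pairs, i.e. a capability list."""
        return [(o, set(self.M[(subject, o)])) for o in sorted(self.O) if self.M[(subject, o)]]

    def revoke_object(self, obj):
        """Clear one column: cheap when the system stores ACLs."""
        for s in self.S:
            self.M[(s, obj)].clear()

    def revoke_subject(self, subject):
        """Clear one row: cheap when the system stores capability lists, but
        requires touching every object's ACL in an ACL-based system."""
        for o in self.O:
            self.M[(subject, o)].clear()

    def sparsity(self):
        """Fraction of empty cells; in a large system this approaches 1."""
        return sum(1 for rights in self.M.values() if not rights) / len(self.M)


def build_example():
    """Constructed example with hypothetical subjects and objects (not from the slides)."""
    m = AccessMatrix(["alice", "bob", "backup"], ["payroll.db", "/etc/passwd", "notes.txt"])
    m.grant("alice", "payroll.db", "read", "write")
    m.grant("bob", "payroll.db", "read")
    m.grant("backup", "payroll.db", "read")
    for s in ("alice", "bob", "backup"):
        m.grant(s, "/etc/passwd", "read")
    m.grant("bob", "notes.txt", "read", "write", "modify")
    return m


if __name__ == "__main__":
    m = build_example()
    print("ACL of payroll.db:", m.acl("payroll.db"))
    print("Capabilities of bob:", m.capabilities("bob"))
    print("bob may write payroll.db?", m.check("bob", "payroll.db", "write"))
    m.revoke_subject("bob")
    print("After revoking bob:", m.capabilities("bob"), m.acl("payroll.db"))
```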
RBAC
Access Control List Examples
• UNIX ACL
• Abbreviations of Access Control Lists:
• Three classes: owner, group, other users
• Full Access Control Lists
Access Control List Examples
• Windows NT
• Generic rights: No access, Read, Change, Full control.
• Built-in Groups (each has different privileges)
• Everyone: all users
• Interactive: users logged on locally
• Network: users logged on over the network
• System: the operating system
• Creator / Owner: creator or owner of a file or a resource
Access Control List Examples
• Social networks
• Most social networks use ACLs as their main access control
model. Users can specify who can access their profiles,
friend lists, etc.
 

Was ist angesagt? (20)

Security
Security Security
Security
 
BAIT1103 Course Overview
BAIT1103 Course OverviewBAIT1103 Course Overview
BAIT1103 Course Overview
 
Security Mechanisms
Security MechanismsSecurity Mechanisms
Security Mechanisms
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
 
Introduction to computer security syllabus
Introduction to computer security syllabusIntroduction to computer security syllabus
Introduction to computer security syllabus
 
Modern Network Security Issue and Challenge
Modern Network Security Issue and ChallengeModern Network Security Issue and Challenge
Modern Network Security Issue and Challenge
 
Ppt.1
Ppt.1Ppt.1
Ppt.1
 
Computer Systems Security
Computer Systems SecurityComputer Systems Security
Computer Systems Security
 
Network security - OSI Security Architecture
Network security - OSI Security ArchitectureNetwork security - OSI Security Architecture
Network security - OSI Security Architecture
 
Information and network security 47 authentication applications
Information and network security 47 authentication applicationsInformation and network security 47 authentication applications
Information and network security 47 authentication applications
 
Network security chapter 1
Network security   chapter 1Network security   chapter 1
Network security chapter 1
 
Types of attacks
Types of attacksTypes of attacks
Types of attacks
 
Network security
Network securityNetwork security
Network security
 
Network Security Goals
Network Security GoalsNetwork Security Goals
Network Security Goals
 
Network Security: Attacks, Tools and Techniques
Network Security: Attacks, Tools and TechniquesNetwork Security: Attacks, Tools and Techniques
Network Security: Attacks, Tools and Techniques
 
Security
SecuritySecurity
Security
 
Computer Security Lecture 1: Overview
Computer Security Lecture 1: OverviewComputer Security Lecture 1: Overview
Computer Security Lecture 1: Overview
 
Information and network security 3 security challenges
Information and network security 3 security challengesInformation and network security 3 security challenges
Information and network security 3 security challenges
 
Chapter 01
Chapter 01Chapter 01
Chapter 01
 
Information and network security 1 introduction
Information and network security 1 introductionInformation and network security 1 introduction
Information and network security 1 introduction
 

Ähnlich wie Network Security Lecture

Network Fundamentals: Ch4 - Transport Layer
Network Fundamentals: Ch4 - Transport LayerNetwork Fundamentals: Ch4 - Transport Layer
Network Fundamentals: Ch4 - Transport LayerAbdelkhalik Mosa
 
Tutorial: Maximizing Performance and Network Utility with a Science DMZ
Tutorial: Maximizing Performance and Network Utility with a Science DMZTutorial: Maximizing Performance and Network Utility with a Science DMZ
Tutorial: Maximizing Performance and Network Utility with a Science DMZGlobus
 
Network Security Module 1 : Overview of Computer Network
Network Security Module 1 : Overview of Computer NetworkNetwork Security Module 1 : Overview of Computer Network
Network Security Module 1 : Overview of Computer NetworkChanankorn Jandaeng
 
21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaS
21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaS21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaS
21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaSDr. Shivashankar
 
Aplication and Transport layer- a practical approach
Aplication and Transport layer-  a practical approachAplication and Transport layer-  a practical approach
Aplication and Transport layer- a practical approachSarah R. Dowlath
 
Practical Routers & Switches for Electrical Engineers
Practical Routers & Switches for Electrical EngineersPractical Routers & Switches for Electrical Engineers
Practical Routers & Switches for Electrical EngineersLiving Online
 
NWCRG-IAB-Review-IETF91.pdf
NWCRG-IAB-Review-IETF91.pdfNWCRG-IAB-Review-IETF91.pdf
NWCRG-IAB-Review-IETF91.pdfssuserf127b8
 
Future services on Janet
Future services on JanetFuture services on Janet
Future services on JanetJisc
 
Analysis and Implementation of Software-Defined Network (SDN) Techniques on C...
Analysis and Implementation of Software-Defined Network (SDN) Techniques on C...Analysis and Implementation of Software-Defined Network (SDN) Techniques on C...
Analysis and Implementation of Software-Defined Network (SDN) Techniques on C...Pavel Popa
 
Well_Monitoring_System_DataComm_Technology.pdf
Well_Monitoring_System_DataComm_Technology.pdfWell_Monitoring_System_DataComm_Technology.pdf
Well_Monitoring_System_DataComm_Technology.pdfHari Prasetyo Utomo
 

Ähnlich wie Network Security Lecture (20)

Transport layer services
Transport layer servicesTransport layer services
Transport layer services
 
PACE-IT, Security+1.4: Common Network Protocols (part 2)
PACE-IT, Security+1.4: Common Network Protocols (part 2)PACE-IT, Security+1.4: Common Network Protocols (part 2)
PACE-IT, Security+1.4: Common Network Protocols (part 2)
 
Network Fundamentals: Ch4 - Transport Layer
Network Fundamentals: Ch4 - Transport LayerNetwork Fundamentals: Ch4 - Transport Layer
Network Fundamentals: Ch4 - Transport Layer
 
1.CN-PPT.ppt
1.CN-PPT.ppt1.CN-PPT.ppt
1.CN-PPT.ppt
 
Tutorial: Maximizing Performance and Network Utility with a Science DMZ
Tutorial: Maximizing Performance and Network Utility with a Science DMZTutorial: Maximizing Performance and Network Utility with a Science DMZ
Tutorial: Maximizing Performance and Network Utility with a Science DMZ
 
Network Security Module 1 : Overview of Computer Network
Network Security Module 1 : Overview of Computer NetworkNetwork Security Module 1 : Overview of Computer Network
Network Security Module 1 : Overview of Computer Network
 
21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaS
21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaS21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaS
21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaS
 
Wan routing 1
Wan routing   1Wan routing   1
Wan routing 1
 
Aplication and Transport layer- a practical approach
Aplication and Transport layer-  a practical approachAplication and Transport layer-  a practical approach
Aplication and Transport layer- a practical approach
 
networking
networking networking
networking
 
Practical Routers & Switches for Electrical Engineers
Practical Routers & Switches for Electrical EngineersPractical Routers & Switches for Electrical Engineers
Practical Routers & Switches for Electrical Engineers
 
NWCRG-IAB-Review-IETF91.pdf
NWCRG-IAB-Review-IETF91.pdfNWCRG-IAB-Review-IETF91.pdf
NWCRG-IAB-Review-IETF91.pdf
 
Application Protocol
Application Protocol Application Protocol
Application Protocol
 
Point to-point protocol (ppp)
Point to-point protocol (ppp)Point to-point protocol (ppp)
Point to-point protocol (ppp)
 
Pace IT - Common Ports and Protocols
Pace IT - Common Ports and ProtocolsPace IT - Common Ports and Protocols
Pace IT - Common Ports and Protocols
 
Pace IT - Common Ports and Protocols
Pace IT - Common Ports and ProtocolsPace IT - Common Ports and Protocols
Pace IT - Common Ports and Protocols
 
Future services on Janet
Future services on JanetFuture services on Janet
Future services on Janet
 
Analysis and Implementation of Software-Defined Network (SDN) Techniques on C...
Analysis and Implementation of Software-Defined Network (SDN) Techniques on C...Analysis and Implementation of Software-Defined Network (SDN) Techniques on C...
Analysis and Implementation of Software-Defined Network (SDN) Techniques on C...
 
4_SDN.pdf
4_SDN.pdf4_SDN.pdf
4_SDN.pdf
 
Well_Monitoring_System_DataComm_Technology.pdf
Well_Monitoring_System_DataComm_Technology.pdfWell_Monitoring_System_DataComm_Technology.pdf
Well_Monitoring_System_DataComm_Technology.pdf
 

Kürzlich hochgeladen

WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)Delhi Call girls
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Delhi Call girls
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLimonikaupta
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdfMatthew Sinclair
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"growthgrids
 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...SUHANI PANDEY
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfJOHNBEBONYAP1
 
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...nilamkumrai
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...SUHANI PANDEY
 
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...SUHANI PANDEY
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...Neha Pandey
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune  (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune  (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...SUHANI PANDEY
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For S...Katraj ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...tanu pandey
 
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...roncy bisnoi
 

Kürzlich hochgeladen (20)

WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
 
Thalassery Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call G...
Thalassery Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call G...Thalassery Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call G...
Thalassery Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call G...
 
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
 
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
 
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune  (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune  (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For S...Katraj ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
 
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
 
📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱
📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱
📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱
 

Network Security Lecture

  • 1. Ubiquitous Network Embedded System School of Informatics, Walailak University Computer Network Security ICT-331 Computer Network 2, Semester 1/59 Chanankorn Jandaeng, cjundang@gmail.com http://cjundang.ubines.info
  • 2. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- Course Description • Foundation of Network security; network design consideration; network role based security such as proxy server and DNS server; management of information security; security management model; protection mechanism. 2
  • 3. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- Outlines • Quiz (20%) • Overview of Computer Network (3) • Fundamental of Computer Network Security (6) • Threat and Security Attacking (6) • Access Control (3) • Examination (30%) • Cryptography (3) • Firewall (3) • Intrusion Detection/Prevention System (6) • Computer Forensics (6) 3
  • 4. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- Grade Policy 4 Activity Credit (%) Attendance 5 Test (5 x 5%) 25 Individual Report 5 Laboratory Examination 15 Quiz ( 2 x 10%) 20 Final Examination 30 รวม 100 • More than 80% Get A • Lower than 40% Get F • Attendance less than 80% disallow to Quiz and Examination
  • 5. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- Book and Resources • Slide • N. Hoque and et. al. (2014), Network attacks: Taxonomy, tools and systems, Journal of Network and Computer Applications, 40 pp 307-324. • Todd Lammle,(2013), CCNA Routing and Switching: Study Guide, Sybex 5
  • 6. Ubiquitous Network Embedded System School of Informatics, Walailak University
  • 7. Ubiquitous Network Embedded System School of Informatics, Walailak University Module 0 Overview of Computer Network
  • 8. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- Outlines • Inter-networking basics • TCP/IP model • Ethernet Networking & Data Encapsulation • Three-Layer Hierarchical Model 80 -
  • 9. Ubiquitous Network Embedded System School of Informatics, Walailak University Inter networking basic Todd Lammle,(2013), CCNA Routing and Switching: Study Guide, Sybex
  • 10. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- A very basic network • Local Area Network via Hub • Collision Domain 100 -
  • 11. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- Network Segmentation • Network Segmentation • Routers, Switches, Bridges 110 -
  • 12. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- LAN Traffic Congestions • Too many host in a collision or broadcast domain • Broadcast storms • Too much multicast traffic • Low bandwidth • Adding hubs for connectivity to the network • ARP broadcast 120 -
  • 13. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- Broadcast Domain 130 -
  • 14. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- Inter-networking Devices 140 -
  • 15. Ubiquitous Network Embedded System School of Informatics, Walailak University TCP/IP MODEL
  • 16. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- PROTOCOL SUITE 160 -
  • 17. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- TELNET • Telnet is the chameleon of protocols—its specialty is terminal emulation. • It allows a user on a remote client machine, called the Telnet client, to access the resources of another machine, the Telnet server in order to access a command-line interface. • Telnet achieves this by pulling a fast one on the Telnet server and making the client machine appear as though it were a terminal directly attached to the local network. • This projection is actually a software image—a virtual terminal that can interact with the chosen remote host. • A drawback is that there are no encryption techniques 170 -
  • 18. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- SECURE SHELL (SSH) • Secure Shell (SSH) protocol • sets up a secure session that’s similar to Telnet over a standard TCP/IP connection and is employed for doing things like logging into systems, running programs on remote systems, and moving files from one system to another. • And it does all of this while maintaining an encrypted connection. 180 -
  • 19. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- FILE TRANSFER PROTOCOL (FTP) • File Transfer Protocol (FTP) actually lets us transfer files, and it can accomplish this between any two machines using it. But FTP isn’t just a protocol; it’s also a program. • FTP is used by applications. • As a program, it’s employed by users to perform file tasks by hand. • FTP also allows for access to both directories and files and can accomplish certain types of directory operations, such as relocating into different ones 190 -
  • 20. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- FILE TRANSFER PROTOCOL (FTP) • Users must then be subjected to an authentication login that’s usually secured with passwords and usernames implemented by system administrators to restrict access. • You can get around this somewhat by adopting the username anonymous, but you’ll be limited in what you’ll be able to access. 200 -
  • 21. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- HTTP • All those snappy websites comprising a graphics, text, links, ads and so on rely on the Hypertext Transfer Protocol (HTTP) to make it all possible. • It’s used to manage communications between web browsers and web servers and opens the right resource when you click a link, wherever that resource may actually reside. 210 -
  • 22. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- HTTPS • Hypertext Transfer Protocol Secure (HTTPS) is also known as Secure Hypertext Transfer Protocol. • It uses Secure Sockets Layer (SSL). • It’s what your browser needs to fill out forms, sign in, authenticate, and encrypt an HTTP message when you do things online like make a reservation, access your bank, or buy something. 220 -
  • 23. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- NetwoRK Time Protocol (NTP) • Network is used to synchronize the clocks on our computers to one standard time source (typically, an atomic clock). • Network Time Protocol (NTP) works by synchronizing devices to ensure that all computers on a given network agree on the time. • This may sound pretty simple, but it’s very important because so many of the transactions done today are time and date stamped. • Network Monitoring System needs NTP 230 -
  • 24. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- Domain Name System (DNS) 240 -
  • 25. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- Dynamic Host Configuration Protocol • Dynamic Host Configuration Protocol (DHCP) assigns IP addresses to hosts. • It allows for easier administration and works well in small to very large network environments. • Many types of hardware can be used as a DHCP server, including a Cisco router. • DHCP server can provide: • IP address, Subnet mask, Domain name, Default gateway (routers), DNS server address 250 -
  • 26. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- Host-to-Host Layer Protocol • Host-to-Host layer is to shield the upper-layer applications from the complexities of the network. • Transmission Control Protocol (TCP) • User Datagram Protocol (UDP) 260 -
  • 27. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- Transmission Control Protocol (TCP) • TCP takes large blocks of information from an application and breaks them into segments. • It numbers and sequences each segment so that the destination’s TCP stack can put the segments back into the order the application intended. • After these segments are sent on the transmitting host, TCP waits for an acknowledgment of the receiving end’s TCP virtual circuit session, retransmitting any segments that aren’t acknowledged. 270 -
  • 28. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- Transmission Control Protocol (TCP) • Before a transmitting host starts to send segments down the model, the sender’s TCP stack contacts the destination’s TCP stack to establish a connection. • This creates a virtual circuit, and this type of communication is known as connection-oriented. • During this initial handshake, the two TCP layers also agree on the amount of information that’s going to be sent before the recipient’s TCP sends back an acknowledgment. With everything agreed upon in advance, the path is paved for reliable communication to take place. 280 -
  • 29. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- Transmission Control Protocol (TCP) • TCP is a full-duplex, connection-oriented, reliable, and accurate protocol • but establishing all these terms and conditions, in addition to error checking, is no small task. • TCP is very complicated, and so not surprisingly, it’s costly in terms of network overhead. 290 -
  • 30. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- Transmission Control Protocol (TCP) • And since today’s networks are much more reliable than those of yore, this added reliability is often unnecessary. • Most programmers use TCP because it removes a lot of programming work, • but for real-time video and VoIP, User Datagram Protocol (UDP) is often better because using it results in less overhead. 300 -
• 31. TCP Segment Format
  • Source port: the port number of the application on the host sending the data (port numbers are covered in more detail later in this module).
  • Destination port: the port number of the application requested on the destination host.
  • Sequence number: a number used by TCP to put the data back in the correct order or to retransmit missing or damaged data, during a process called sequencing.
  • Acknowledgment number: the TCP octet that is expected next.
• 32. TCP Segment Format
  • Header length: the number of 32-bit words in the TCP header, which indicates where the data begins. The TCP header (even one including options) is an integral number of 32-bit words in length.
  • Code bits/flags: control functions used to set up and terminate a session.
  • Window: the window size the sender is willing to accept, in octets.
  • Checksum: the cyclic redundancy check (CRC), used because TCP doesn't trust the lower layers and checks everything. The CRC covers the header and data fields.
• 33. User Datagram Protocol (UDP)
  • UDP is basically the scaled-down economy model of TCP, which is why UDP is sometimes referred to as a thin protocol.
  • UDP does not sequence the segments and does not care about the order in which the segments arrive at the destination.
  • UDP just sends the segments off and forgets about them.
  • It doesn't follow through, check up on them, or even allow for an acknowledgment of safe arrival: complete abandonment. Because of this, it's referred to as an unreliable protocol. This does not mean that UDP is ineffective, only that it doesn't deal with reliability issues at all.
• 34. UDP Segment
  • Source port: port number of the application on the host sending the data.
  • Destination port: port number of the application requested on the destination host.
  • Length: length of the UDP header and UDP data.
  • Checksum: checksum of both the UDP header and UDP data fields.
  • Data: upper-layer data.
• 35. Key features of TCP and UDP
• 36. Port Number
• 37. Internet Layer Protocols
  • Internet Protocol (IP)
  • Internet Control Message Protocol (ICMP)
  • Address Resolution Protocol (ARP)
• 38. IP
  • Internet Protocol (IP) essentially is the Internet layer.
  • It can route across interconnected networks because every machine on the network has a software, or logical, address called an IP address.
  • IP receives segments from the Host-to-Host layer and fragments them into datagrams (packets) if necessary.
  • IP then reassembles datagrams back into segments on the receiving side.
• 39. IP
  • Each datagram carries the IP address of the sender and that of the recipient.
  • Each router or layer 3 switch that receives a datagram makes routing decisions based on the packet's destination IP address.
• 40. IP Header Format
  • Version: IP version number.
  • Header length: header length (HLEN) in 32-bit words.
  • Priority and Type of Service: Type of Service tells how the datagram should be handled. The first 3 bits are the priority bits, now called the differentiated services bits.
  • Total length: length of the packet, including header and data.
  • Identification: unique IP-packet value used to differentiate fragmented packets from different datagrams.
• 41. IP Header Format
  • Flags: specifies whether fragmentation should occur.
  • Fragment offset: provides fragmentation and reassembly if the packet is too large to put in a frame. It also allows different maximum transmission units (MTUs) on the Internet.
  • Time To Live: the TTL is set into a packet when it is originally generated. If the packet doesn't get to where it's supposed to go before the TTL expires, it's gone. This stops IP packets from continuously circling the network looking for a home.
  • Protocol: number of the upper-layer protocol; for example, TCP is protocol 6 and UDP is protocol 17. It also identifies Network layer protocols, like ARP and ICMP, and can be referred to as the Type field in some analyzers. This field is covered again shortly.
• 42. IP Header Format
  • Header checksum: cyclic redundancy check (CRC) on the header only.
  • Source IP address: 32-bit IP address of the sending station.
  • Destination IP address: 32-bit IP address of the station this packet is destined for.
  • Options: used for network testing, debugging, security, and more.
  • Data: after the IP option field comes the upper-layer data.
• 43. Protocol Number
• 44. ICMP
  • Internet Control Message Protocol (ICMP) works at the Internet layer and is used by IP for many different services.
  • ICMP is basically a management protocol and messaging service provider for IP.
  • Its messages are carried as IP datagrams.
  • ICMP packets have the following characteristics:
    • They can provide hosts with information about network problems.
    • They are encapsulated within IP datagrams.
• 45. ICMP error messages
• 46. Address Resolution Protocol (ARP)
• 47. IP Addressing
• 48. Reserved IP Address
• 49. Private IP Address
• 50. Ethernet Networking
• 51. Ethernet
  • Ethernet is a media access method
  • It allows all hosts on a network to share the same link's bandwidth
  • Ethernet is readily scalable: Standard -> Fast -> Gigabit -> Ten Gigabit Ethernet
  • Ethernet works at both the Data Link and Physical layers
• 52. Collision Domain
• 53. A Typical Network Today
• 54. Broadcast Domain
  • How to break up a broadcast domain in a switch
• 55. CSMA/CD
  • Carrier Sense Multiple Access with Collision Detection
  • Helps devices share bandwidth evenly while preventing two devices from transmitting simultaneously on the same network medium.
• 56. CSMA/CD
  • A jam signal informs all devices that a collision occurred
  • The collision invokes a random back-off algorithm
  • Each device on the Ethernet segment stops transmitting for a short time until its back-off timer expires
  • All hosts have equal priority to transmit after the timers expire
• 57. CSMA/CD
  • The ugly effects of having a CSMA/CD network sustain heavy collisions:
    • delay
    • low throughput
    • congestion
• 58. Ethernet at the Data Link Layer
  • Ethernet addressing
  • Physical address, MAC address
• 59. Ethernet Frame
  • The Data Link layer's job is:
    • to combine bits into bytes and bytes into frames
    • to encapsulate packets from the Network layer for transmission on a type of media access
• 60. Ethernet Frame
  • Preamble: an alternating 1,0 pattern provides a 5 MHz clock at the start of each packet, which allows the receiving devices to lock onto the incoming bit stream.
  • Start Frame Delimiter (SFD)/Synch: the preamble is seven octets and the SFD is one octet (synch). The SFD is 10101011, where the last pair of 1s allows the receiver to come into the alternating 1,0 pattern somewhere in the middle and still sync up to detect the beginning of the data.
• 61. Ethernet Frame
  • Destination Address (DA): a 48-bit value transmitted least significant bit (LSB) first. The DA is used by receiving stations to determine whether an incoming packet is addressed to a particular node. The destination address can be an individual address or a broadcast or multicast MAC address. Remember that a broadcast is all 1s (all Fs in hex) and is sent to all devices. A multicast is sent only to a similar subset of nodes on a network.
  • Source Address (SA): a 48-bit MAC address used to identify the transmitting device, also transmitted least significant bit first. Broadcast and multicast address formats are illegal within the SA field.
• 62. Ethernet Frame
  • Length or Type: 802.3 uses a Length field, but the Ethernet_II frame uses a Type field to identify the Network layer protocol. The old, original 802.3 cannot identify the upper-layer protocol and must be used with a proprietary LAN (IPX, for example).
  • Data: the packet sent down to the Data Link layer from the Network layer. The size can vary from 46 to 1,500 bytes.
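The header fields listed on the TCP, UDP, IP and Ethernet frame slides can be checked against real bytes. The following is an added Python example, not code from the lecture or the cited textbook, that decapsulates a frame layer by layer: the Ethernet DA/SA/Type with the broadcast, multicast and illegal-group-SA rules from slide 61, the IPv4 header including HLEN and a verification of the header checksum (RFC 791 defines it as a 16-bit one's complement sum), and then the TCP or UDP header chosen by the IP Protocol number (6 or 17). The functions `decapsulate`, `is_valid_frame` and `build_sample_frame` are this example's own names, and the sample frame is constructed inside the block with documentation addresses; nothing in it comes from a capture.

```python
import struct


def ip_checksum(data: bytes) -> int:
    """RFC 791 header checksum; verifying a correct header yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes):
    """Ethernet_II / 802.3 header: DA, SA, then Type (>= 0x0600) or Length."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    da, sa = frame[:6], frame[6:12]
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    # The I/G bit (least significant bit of the first octet) marks a group
    # address; broadcast is all 1s. Group addresses are illegal in the SA.
    if sa[0] & 1:
        raise ValueError("broadcast/multicast source address is illegal")
    kind = "broadcast" if da == b"\xff" * 6 else "multicast" if da[0] & 1 else "unicast"
    hdr = {"da": mac_str(da), "sa": mac_str(sa), "da_kind": kind}
    if type_or_len >= 0x0600:
        hdr["type"] = type_or_len      # Ethernet_II: identifies the Network layer protocol
    else:
        hdr["length"] = type_or_len    # original 802.3: payload length only
    return hdr, frame[14:]


def parse_ipv4(pkt: bytes):
    """IPv4 header fields named on the slides; rejects a bad header checksum."""
    if len(pkt) < 20:
        raise ValueError("packet too short for an IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl,
     proto, _hcs, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, hlen = ver_ihl >> 4, (ver_ihl & 0x0F) * 4   # HLEN is in 32-bit words
    if version != 4 or hlen < 20 or len(pkt) < hlen or total_len < hlen:
        raise ValueError("malformed IPv4 header")
    if ip_checksum(pkt[:hlen]) != 0:
        raise ValueError("bad IPv4 header checksum")
    hdr = {"version": version, "hlen": hlen, "tos": tos, "total_length": total_len,
           "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
           "ttl": ttl, "protocol": proto,
           "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}
    return hdr, pkt[hlen:total_len]


def parse_transport(proto: int, seg: bytes):
    """TCP (protocol number 6) or UDP (17) header, returning (header, payload)."""
    if proto == 6:
        if len(seg) < 20:
            raise ValueError("segment too short for a TCP header")
        sport, dport, seq, ack, off_flags, window, csum, _urg = struct.unpack("!HHIIHHHH", seg[:20])
        data_off = (off_flags >> 12) * 4   # header length, given in 32-bit words
        names = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]
        flags = [n for i, n in enumerate(names) if off_flags & (1 << i)]
        return {"proto": "TCP", "sport": sport, "dport": dport, "seq": seq, "ack": ack,
                "hlen": data_off, "flags": flags, "window": window, "checksum": csum}, seg[data_off:]
    if proto == 17:
        if len(seg) < 8:
            raise ValueError("segment too short for a UDP header")
        sport, dport, length, csum = struct.unpack("!HHHH", seg[:8])
        return {"proto": "UDP", "sport": sport, "dport": dport, "length": length,
                "checksum": csum}, seg[8:length]
    return {"proto": proto}, seg      # other protocols (ICMP etc.) are not decoded here


def decapsulate(frame: bytes) -> dict:
    """Walk the layers: Ethernet -> IPv4 -> TCP/UDP -> upper-layer data."""
    eth, payload = parse_ethernet(frame)
    if eth.get("type") != 0x0800:          # only IPv4 is decoded
        return {"ethernet": eth, "payload": payload}
    ip, seg = parse_ipv4(payload)
    l4, data = parse_transport(ip["protocol"], seg)
    return {"ethernet": eth, "ip": ip, "transport": l4, "data": data}


def is_valid_frame(frame: bytes) -> bool:
    try:                                   # True when every header decodes and the checksum verifies
        decapsulate(frame)
        return True
    except ValueError:
        return False


def build_sample_frame(corrupt: bool = False) -> bytes:
    """Constructed TCP SYN 192.0.2.10:40000 -> 198.51.100.5:80 (documentation
    addresses). The TCP checksum stays 0; checking it needs the IP pseudo-header."""
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, (5 << 12) | 0x002, 65535, 0, 0)
    ip_hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                                   0x4000, 64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5])))
    struct.pack_into("!H", ip_hdr, 10, ip_checksum(bytes(ip_hdr)))
    if corrupt:
        ip_hdr[8] ^= 0x01        # alter the TTL without updating the checksum
    eth = bytes.fromhex("0200000000bb" "0200000000aa" "0800")   # DA, SA, Type = IPv4
    return eth + bytes(ip_hdr) + tcp
```

`decapsulate(build_sample_frame())` returns the Ethernet, IP and TCP dictionaries with the SYN flag set and an empty data field; `build_sample_frame(corrupt=True)` is rejected because the TTL no longer matches the header checksum, and a frame whose SA has the group bit set is rejected before IP is even looked at.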
• 63. Ethernet at the Physical Layer
  • Ethernet standards
    • 10Base-T
    • 100Base-TX
    • 100Base-FX
    • 1000Base-T
    • …
• 64. Ethernet at the Physical Layer
  • Ethernet cabling: UTP
• 65. Ethernet Cabling
• 66. Rolled Cable
• 67. Fiber Optic
• 68. Data Encapsulation
• 69. PDU & Addressing
• 70. Three-Layer Hierarchical Model
• 71. Module 1: Fundamental of Computer Network Security
• 72. Outlines
  • Challenges
  • Terminology
  • Identification and Authentication
• 73. Challenges
• 74. Why is security difficult?
  • Speed of attacks
    • Wide availability of modern tools used to scan systems, find weaknesses and launch attacks
    • Most tools are automated
    • Easy to attack target systems
• 75. Why is security difficult?
  • Sophistication of attacks
    • Security attacks are becoming more complex
    • Difficult to detect
  • Faster detection of weaknesses
    • Newly discovered system vulnerabilities double annually
    • More difficult for software developers to update their products
    • Zero-day attacks
• 76. Why is security difficult?
  • Distributed attacks
    • Multiple systems can be used to attack a single computer or network
    • Impossible to stop an attack by identifying and blocking the source
  • Difficulty in patching
• 77. Terminology
• 78. Security
  • Security is about the protection of assets
  • Protective measures:
    • Prevention
    • Detection
    • Reaction
• 79. Computer Security
  • Computer security deals with the prevention and detection of unauthorized actions by users of a computer system
  • The goal is to protect data and resources
  • Only an issue on shared systems, like a network or a time-sharing OS
  • No "global" solution
• 80. Computer Security
  • Computer security
    • No absolutely "secure" system
    • Security mechanisms protect against specific classes of attacks
  • Network security
    • Security of data in transit: over network links and store-and-forward nodes
    • Security of data at the end points: files, e-mail, hardcopies
• 81. Network Security vs Computer Security
  • Attacks can come from anywhere, anytime
  • Highly automated (scripts)
  • Physical security measures are inadequate
  • Wide variety of applications, services, protocols
  • Complexity
  • Different constraints, assumptions, goals
  • No single "authority"/administrator
• 82. Security Objectives
  • To protect Confidentiality, Integrity, Availability
  • Confidentiality:
    • Ensure that only authorized users can view data
    • Or: no data is disclosed intentionally or unintentionally
• 83. Security Objectives
  • To protect Confidentiality, Integrity, Availability
  • Integrity:
    • No data is modified by unauthorized persons or software
    • No unauthorized changes are made by authorized persons
    • Data remains consistent
• 84. Security Objectives
  • To protect Confidentiality, Integrity, Availability
  • Availability:
    • Services/data are available to authorized users
• 85. Security Mechanism & Service
  • Security mechanism: a mechanism designed to detect, prevent, or recover from a security attack
  • Security service: a service that enhances the security of data processing systems and information transfers; it makes use of one or more security mechanisms
• 86. Security Attack
  • Security attack: any action that compromises the security of information
    • Attack on availability
    • Attack on confidentiality
    • Attack on integrity
    • Attack on authenticity
• 87. Terminology
  • Risk: a measure of the cost of a realized vulnerability that incorporates the probability of a successful attack
  • Risk analysis: provides a quantitative means of determining whether an expenditure on safeguards is warranted
• 88. Terminology
  • Spies: persons who have been hired to break into a computer and steal information; they do not randomly search for unsecured computers to attack
• 89. Terminology
  • Cyberterrorists: terrorists that attack the network and computer infrastructure to
    • Deface electronic information (such as web sites)
    • Deny service to legitimate computer users
    • Commit unauthorized intrusions into systems and networks that result in infrastructure outages and corruption of vital data
• 90. Identification and Authentication
• 91. Identification and Authentication
  • Authentication basics
  • Password
  • Biometrics
• 92. Authentication Basics
  • Authentication: a process of verifying a user's identity
  • Two reasons for authenticating a user:
    • The user identity is a parameter in access control decisions (for a system)
    • The user identity is recorded when logging security-relevant events in an audit trail
• 93. Authentication Basics
  • Authentication
    • Binding of an identity to a principal (subject)
    • An identity must provide information to enable the system to confirm its identity
• 94. Authentication Basics
  • Authentication information (one or more of):
    • What the identity knows (such as a password or secret information)
    • What the identity has (such as a badge or card)
    • What the identity is (such as fingerprints)
    • Where the identity is (such as in front of a particular terminal)
• 95. Authentication Basics
  • Authentication process:
    • Obtaining information from the identity
    • Analyzing the data
    • Determining if it is associated with that identity
  • Thus the authentication process is the process of verifying a claimed identity
• 96. Authentication Basics
  • Username and password
    • Very common and simple identities
    • Used to enter a system
  • Username
    • Announces who a user is
    • This step is called identification
  • Password
    • Proves that the user is who they claim to be
    • This step is called authentication
• 97. Authentication Mechanisms
  • Password
  • Password aging
  • One-time password
• 98. Password
  • Based on what people know
  • The user supplies a password
  • The computer validates it
  • If the password is associated with the user, the user's identity is authenticated
• 99. Password
  • Choosing passwords
    • Password guessing attacks are very simple and always work!
    • Because users are not aware of protecting their passwords
    • Password choice is a critical security issue
    • Choose passwords that cannot be easily guessed
• 100. Password
  • Password defenses
    • Set a password on every account
    • Change default passwords
  • Password length
    • A minimum password length should be prescribed
  • Password format
    • Mix upper and lower case symbols
    • Include numerical and other non-alphabetical symbols
• 101. Password
  • Password format
    • Mix upper and lower case symbols
    • Include numerical and other non-alphabetical symbols
    • Avoid obvious passwords
• 102. How to improve password security?
  • Password checking tools
    • Check passwords against a dictionary of weak passwords
  • Password generation
    • A utility in some systems
    • Produces random passwords for users
  • Password aging
• 103. How to improve password security?
  • Password aging
    • A requirement that passwords be changed after some period of time
    • Requires mechanisms for:
      • Forcing users to change to a different password
      • Providing notice of the need to change
      • A user-friendly way to change the password
• 104. How to improve password security?
  • One-time password
    • The password is valid for only one use
  • Limit login attempts
    • The system monitors unsuccessful login attempts
    • Reacts by locking the user account if the login process keeps failing
• 105. How to improve password security?
  • Inform the user
    • After a successful login the system displays:
      • The last login time
      • The number of failed login attempts
• 106. Attacking passwords
  • Password guessing
    • Exhaustive search (brute force): try all possible combinations of valid symbols
    • Dictionary attack
  • Random selection of passwords
  • Pronounceable and other computer-generated passwords
  • User-selected passwords that are based on account names, user names or computer names
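The password defenses of slides 100 to 106 (minimum length, mixed character classes, dictionary and account-name checks, aging, limiting login attempts, and telling the user about the last login and the failed attempts since) combined into one added Python example. This is illustration code written for this page, not from the lecture; `WEAK_WORDS`, `AccountStore`, the 90-day maximum age and the 5-attempt lockout are assumed values, and PBKDF2 from the standard library stands in for whatever hash a real system would use.

```python
import hashlib
import hmac
import os
import re
import time

# Constructed mini-dictionary standing in for a real weak-password list.
WEAK_WORDS = {"password", "letmein", "welcome", "qwerty", "123456"}


def check_password_policy(password: str, username: str, hostname: str,
                          min_length: int = 12, weak_words=WEAK_WORDS) -> list:
    """Return the list of policy violations (empty means the password passes)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("does not mix upper and lower case")
    if not re.search(r"[0-9]", password):
        problems.append("contains no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("contains no non-alphanumeric symbol")
    lowered = password.lower()
    # Dictionary words and the account/user/computer names are the first guesses.
    for word in sorted(weak_words | {username.lower(), hostname.lower()}):
        if word and word in lowered:
            problems.append(f"contains the guessable word {word!r}")
    return problems


class AccountStore:
    """Passwords are stored as salted PBKDF2 hashes; logins enforce aging,
    lock the account after repeated failures, and report last-login data."""

    def __init__(self, max_age_days: int = 90, max_failures: int = 5, now=time.time):
        self.accounts = {}
        self.max_age = max_age_days * 86400
        self.max_failures = max_failures
        self.now = now                 # injectable clock so aging can be tested

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create(self, username: str, password: str, hostname: str = "workstation"):
        problems = check_password_policy(password, username, hostname)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.accounts[username] = {"salt": salt, "hash": self._hash(password, salt),
                                   "set_at": self.now(), "failures": 0,
                                   "locked": False, "last_login": None}

    def login(self, username: str, password: str) -> dict:
        acct = self.accounts.get(username)
        # Unknown user, locked account and wrong password all get the same
        # answer, so the response does not reveal which usernames exist.
        if acct is None or acct["locked"]:
            return {"ok": False}
        if not hmac.compare_digest(self._hash(password, acct["salt"]), acct["hash"]):
            acct["failures"] += 1
            if acct["failures"] >= self.max_failures:
                acct["locked"] = True
            return {"ok": False}
        result = {"ok": True,
                  "last_login": acct["last_login"],
                  "failed_attempts_since_last_login": acct["failures"],
                  "password_expired": self.now() - acct["set_at"] > self.max_age}
        acct["failures"] = 0
        acct["last_login"] = self.now()
        return result
```

A successful login returns the previous login time and the number of failures since it, which is exactly what slide 105 asks the system to show the user; `password_expired` is the hook for the aging mechanism of slide 103.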
• 107. Biometrics
  • The automated measurement of biological or behavioral features that identifies a person
  • Method:
    • A set of measurements of a user is taken when the user is given an account
    • When a user accesses the system, the biometric authentication mechanism identifies the identity
• 108. Biometrics
  • Fingerprints
  • Voice
  • Eyes
  • Faces
  • Keystrokes: interval, pressure
  • Combinations
• 109. Module 2: Network Attacks: Taxonomy, Tools, and Systems
  N. Hoque et al. (2014), Network attacks: Taxonomy, tools and systems, Journal of Network and Computer Applications, 40, pp. 307-324.
• 110. Outlines
  • Anomalies in networks
  • Steps in launching an attack
  • Launching and detecting attacks
  • Taxonomy of attacks
• 111. Anomalies in networks
  • Anomalies are non-conforming, interesting patterns compared to a well-defined notion of normal behavior
  • Traffic anomalies in computer networks:
    • network operation anomalies
    • flash crowds
    • network abuse anomalies
  • All these anomalies can be detected by analyzing the traffic volume transmitted from station to station
• 112. Anomalies in networks
  • Examples: DoS/DDoS, scans, worms, outages, ingress shifts, information gathering, passive attacks, spoofing attacks, man in the middle, DNS cache poisoning
  • All attacks cause damage and destruction to the network environment
  • Anomalies can have large impacts on both performance and security:
    • network anomalies cause service degradation and impact network speed
    • network performance may suffer considerably
• 113. Steps in launching an attack
  1. Information gathering: the attacker attempts to gather vulnerability information from the network with the hope that some of the information can be used to aid in the ensuing attack.
• 114. Steps in launching an attack
  2. Assessing vulnerability: based on the vulnerabilities learned in the previous step, the attacker attempts to compromise some nodes in the network by exploiting malicious code, as a precursor to the launching of attack(s).
• 115. Steps in launching an attack
  3. Launching the attack: the attacker launches the attack on the target victim machine(s) using the compromised nodes.
• 116. Steps in launching an attack
  4. Cleaning up: finally, the attacker attempts to eliminate the attack history by cleaning up all the registry or log files from the victim machine(s).
• 117. Launching attacks
  • Before launching an attack, an attacker first attempts to gather vulnerability information about the target system that may help in attack generation.
  • An attacker scans the network using information gathering tools like nmap and finds loopholes in the system.
  • Based on the gathered information, the attacker exploits some malicious code, possibly available on the network.
• 118. Launching attacks
  • The malicious code may be used to first compromise hosts in the network, or it may be used to directly launch an attack and disrupt the network.
  • There are many methods for launching an attack:
    • one may use Trojans or worms to generate an attack on a system or a network.
    • Scanning or information gathering may be coordinated with an attack and performed simultaneously.
    • One can also use attack laun
ching tools such as Dsniff, IRPAS, Ettercap and Libnet to generate MAC attacks, ARP attacks or VLAN attacks.
• 119. Launching attacks
  • The main purpose of the attacker in many cases is to disrupt services provided by the network, either by consuming resources or by consuming bandwidth.
  • These types of attacks can be launched using floods of legitimate-looking requests, as in TCP SYN flooding, ICMP flooding and UDP flooding.
• 120. Detecting an attack
  • To detect an attack, one must know the characteristics of the attack and its behavior in a network.
  • The network administrator needs a visualization or monitoring system to observe the differences between the characteristics of abnormal traffic and normal traffic.
  • An attack can be detected from the traffic volume based on packet header or network flow information.
• 121. Detecting an attack
  • However, such detection usually requires processing huge volumes of data in near real-time.
  • Obviously, designing a real-time defense mechanism that can identify all attacks is a challenging and quite likely impossible task.
  • Most detection methods need some prior information about attack characteristics to use during the detection process.
• 122. Detecting an attack
  • The evaluation of these intrusion detection mechanisms or systems is performed using the misclassification rate or false alarm rate.
  • To obtain satisfactory results, an IDS designer needs to be careful in choosing an approach, a matching mechanism or any heuristic, and in making assumptions.
  • Approaches that have been able to obtain acceptable results include statistical, soft computing, probabilistic, knowledge-based and hybrid approaches.
• 123. Detecting an attack
  • Detection systems are designed to protect the network from different types of vulnerabilities, which may crash the network or may capture private or secure information.
  • Deployment of an accurate and efficient anomaly detection system demands appropriate design as per standard security requirements and risk analysis.
  • The detection system can be either host based or network based.
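Slides 111 and 120 say that floods such as the TCP SYN, ICMP and UDP flooding of slide 119 can be detected from traffic volume using packet header or flow information. The following added Python example, which is not from the lecture or from the Hoque et al. paper, shows one such volume detector: per-minute packet counts of SYN-only TCP, ICMP and UDP traffic per destination are compared with a threshold of mean plus three standard deviations learned from the first ten minutes, floored at an absolute minimum so a tiny baseline does not alert on noise. The NetFlow-style records are constructed inside the block, with a SYN flood in minute 10 and an ICMP flood in minute 11; `detect_floods`, `classify`, the window sizes and the thresholds are assumptions of this example.

```python
import random
import statistics
from collections import defaultdict


def make_sample_flows(seed: int = 3) -> list:
    """Constructed NetFlow-style records (not a real capture): ten minutes of
    ordinary traffic to a web server and a DNS server, then a TCP SYN flood in
    minute 10 and an ICMP flood in minute 11 against the web server 10.0.0.80."""
    rng = random.Random(seed)
    flows = []

    def add(ts, src, dst, proto, dport, flags, packets):
        flows.append({"ts": ts, "src": src, "dst": dst, "proto": proto,
                      "dport": dport, "flags": flags, "packets": packets})

    def inside():
        return f"10.0.1.{rng.randint(2, 250)}"

    for minute in range(12):
        base = minute * 60
        for _ in range(rng.randint(15, 25)):   # established web sessions
            add(base + rng.randint(0, 59), inside(), "10.0.0.80", "tcp", 80, "SPA", rng.randint(5, 40))
        for _ in range(rng.randint(2, 5)):     # a few half-open connections are normal
            add(base + rng.randint(0, 59), inside(), "10.0.0.80", "tcp", 80, "S", 1)
        for _ in range(rng.randint(1, 3)):     # monitoring pings
            add(base + rng.randint(0, 59), "10.0.1.9", "10.0.0.80", "icmp", 0, "", 2)
        for _ in range(rng.randint(4, 8)):     # DNS lookups
            add(base + rng.randint(0, 59), inside(), "10.0.0.53", "udp", 53, "", 2)
    for _ in range(300):                       # minute 10: SYN flood from many sources
        add(600 + rng.randint(0, 59), f"203.0.113.{rng.randint(1, 254)}", "10.0.0.80", "tcp", 80, "S", 1)
    for _ in range(200):                       # minute 11: ICMP flood
        add(660 + rng.randint(0, 59), f"198.51.100.{rng.randint(1, 254)}", "10.0.0.80", "icmp", 0, "", 50)
    return flows


def classify(flow: dict):
    """Map a flow to the volume counter it contributes to, or None."""
    if flow["proto"] == "tcp" and "S" in flow["flags"] and "A" not in flow["flags"]:
        return "syn"        # SYN without ACK: a half-open connection attempt
    if flow["proto"] == "icmp":
        return "icmp"
    if flow["proto"] == "udp":
        return "udp"
    return None             # established TCP traffic is not a flood indicator


def detect_floods(flows: list, window: int = 60, baseline_windows: int = 10,
                  k: float = 3.0, min_count: int = 20) -> list:
    """Per-window packet counts per (destination, kind) compared with a
    threshold of mean + k * stdev learned from the first `baseline_windows`
    windows, floored at `min_count`. Returns one alert per exceeded counter."""
    counts = defaultdict(lambda: defaultdict(int))   # window -> (dst, kind) -> packets
    for f in flows:
        kind = classify(f)
        if kind:
            counts[f["ts"] // window][(f["dst"], kind)] += f["packets"]
    keys = set()
    for w in range(baseline_windows):
        keys |= set(counts[w])
    thresholds = {}
    for key in keys:
        series = [counts[w].get(key, 0) for w in range(baseline_windows)]
        thresholds[key] = max(statistics.mean(series) + k * statistics.pstdev(series), min_count)
    alerts = []
    for w in sorted(counts):
        if w < baseline_windows:
            continue                 # baseline windows are assumed clean
        for key, n in counts[w].items():
            limit = thresholds.get(key, min_count)   # unseen counter: absolute floor only
            if n > limit:
                alerts.append({"window": w, "dst": key[0], "kind": key[1],
                               "packets": n, "threshold": round(limit, 1)})
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(make_sample_flows()):
        print(alert)
```

The detector only needs header-level facts (protocol, TCP flags, packet counts), so it works on sampled flow records as well as on full captures; the price, as slide 121 warns, is that the baseline must itself be clean and that anything slower than the window size is invisible to it.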
• 125. Detecting an attack
  • (Figure) A typical network structure with a protected LAN, a demilitarized zone and a deployed IDS console.
  • A demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger untrusted network, usually the Internet.
  • An attacker may launch an attack from various machines connected to the network, either via wired or wireless media.
• 126. Detecting an attack
  • The increasing number of highly sophisticated attacks of a complex and evolving nature has made the task of defending networks challenging.
  • The appropriate use of tools and systems can simplify the task significantly.
  • This necessitates an awareness of the characteristics and relevance of these tools and systems, and of their usage.
• 127. Network Security Tools
  • People use different attack tools to disrupt a network for different purposes.
  • Attackers generally target web sites or databases as well as enterprise networks by gathering information based on their weaknesses.
  • In general, attackers use relevant tools for the class of attack they desire to launch.
  • A large number of defense tools have also been made available by various network security research groups as well as private security professionals.
  • These tools have different purposes, capabilities and interfaces.
• 128. Taxonomy of Attacks
• 129. Taxonomy of Tools
• 130. Sniffing Tools: Tcpdump
  • Tcpdump is a premier packet analyzer for information security professionals.
  • It enables one to capture, save and view packet data.
  • This tool works on most flavors of the Unix operating system.
  • One can also use third-party open source software, e.g., Wireshark, to open and visualize tcpdump-captured traffic.
  • 132. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- Sniffing Tools: Ethereal • Ethereal: • Ethereal is a sniffing and traffic analyzing software tool for Windows, Unix and Unix-like OSs, released under the GNU license scheme. • It includes two primary library utilities, • GTKþ, a GUI based library • libpcap, a packet capture and filtering library. • Ethereal is also capable of reading the output of tcpdump and can apply tcpdump filters to select and display records satisfying certain para- meters. • Ethereal offers decoding options for a large number (>400) of protocols and is useful in network forensics. 1322 -
  • 133. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- Sniffing Tools • Sniffing tools are not equally useful for all purposes all the time. • Their usefulness and importance depend on the user's requirements and purpose at a certain point in time. • For example, one cannot use the Cain & Able to capture live network traffic since it performs only password cracking. • Most people use tcpdump and libpcap as network sniffing tools to capture all information in packets and store them in a file. • One can use the Nfsen and Nfdump tools for NetFlow traffic capture whereas Gulp is used for packet level traffic capture. However, these tools also use tcpdump as an implicit tool for packet as well as NetFlow capture. 1332 -
  • 134. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- Scanning Tools • A network scanning tool aims to identify active hosts on a network, • to attack them, • to assess vulnerabilities in the network. • It provides an overall status report regarding network hosts, ports, Its, etc. 1342 -
  • 135. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- Scanning Tools: nmap • Nmap: • This network mapping tool facilitates network exploration and security auditing. • It can scan large networks fast, especially against single hosts. • It is effective in using raw IP packets to identify a large number of useful parameters, • such as available hosts, services offered by the hosts, OSs running, and use of packet filters or firewalls. • In addition to its use in security audits, network administrators can use it for routine tasks such as maintaining network inventory, managing service upgrade schedules, and monitoring host or service uptime. 1352 -
  • 136. Chanankorn Jandaeng, Ph.D. -To push students over their boundary- Scanning Tools • For scanning a large network, one can use nmap as the most effective tool. • Nmap has the ability to scan a large network to determine multiple parameters such as active hosts and ports, host operating systems, protocols, timing and performance, firewall/IDS evaluation and spoofing, and IPv6 scanning. • Due to its multiple functionalities, network administrators find it very useful to monitor a large network. • Amap and Vmap do not support many of the functionalities performed by nmap. • Attackers use namp to find the vulnerabilities in a host to compromise it for constructing BotNets during DDoS attack generation using the agent handler architecture. 1362 -
• 137. Attack Launching Tools
  • A large number of network security tools that use cryptographic mechanisms to launch attacks are available on the Web.
  • People can freely download these tools and use them for malicious activities: Trojan propagation, network mapping, probe attacks, buffer overflow attacks, DoS/DDoS attacks, and application layer attacks.
• 138. Attack Launching Tools
  • Such tools can be used to launch layer-specific and protocol-specific attacks: HTTP, SMTP, FTP or SNMP related attacks.
  • Other tools can be used to launch DoS/DDoS attacks that can disrupt the services of a network or a website very quickly.
  • Some tools are used in wired networks to capture and exploit valuable information, while others are used in wireless networks.
• 139. Trojans
  • Trojans are malicious executable programs developed to break the security system of a computer or a network.
  • A Trojan resides in a system as a benign-looking program file.
  • Once the user attempts to open the file, the Trojan is executed and some dangerous action is performed.
• 140. Trojans
  • Victims generally download the Trojan unknowingly from multiple sources: the Internet, FTP archives, peer-to-peer file exchange using BitTorrent, Internet messaging.
  • Typically, Trojans are of seven distinct types: remote access Trojans, sending Trojans, destructive Trojans, proxy Trojans, FTP Trojans, security software disabling Trojans, and DoS Trojans.
• 141. Trojans: Remote access
  • Remote access Trojans are malware programs that use backdoors to control the target machine with administrative privilege.
  • This type of Trojan is downloaded invisibly along with a program the user requested, such as a game or an email attachment.
  • Once the attacker compromises a machine, the Trojan uses this machine to compromise more machines to construct a botnet for launching a DoS or DDoS attack.
• 142. Trojans: Remote access and Sending Trojans
  • An example of a remote access Trojan is danger.
  • Sending Trojans are used to capture sensitive information such as passwords, credit card information, log files, e-mail addresses, and IM contact lists and provide it to the attacker.
  • In order to collect such information, such Trojans attempt to install a keylogger to capture and transmit all recorded keystrokes to the attacker.
  • Examples of this type of Trojan are the Badtrans.B email virus and Eblast.
• 143. Trojans: Destructive Trojans
  • These Trojans are very destructive for a computer and are often programmed to automatically delete some essential executable programs such as configuration and dynamic link library (DLL) files.
  • Such Trojans act either (i) as per the instructions of a back-end server, or (ii) based on pre-installed or programmed instructions, to strike on a specific day at a specific time.
  • Two common examples of this type are the Bugbear virus and the Goner worm.
• 144. Trojans: Proxy Trojans
  • These Trojans attempt to use a victim's computer as a proxy server.
  • A Trojan of this kind compromises a computer and attempts to perform malicious activities such as fraudulent credit card transactions and launching malicious attacks against other networks.
  • Examples of proxy Trojans are TrojanProxy:Win32 and Paramo.F.
• 145. Trojans: FTP Trojans
  • These Trojans attempt to open port 21 and establish a connection from the victim computer to the attacker using the File Transfer Protocol (FTP).
  • An example of an FTP Trojan is FTP99cmp.
• 146. Trojans: Security software disabling Trojans
  • These Trojans attempt to destroy or thwart defense mechanisms or protection programs such as antivirus programs or firewalls.
  • Often such a Trojan is combined with another type of Trojan as a payload.
  • Some examples are trojan.Win32.KillAV.ctp and trojan.Win32.Disable.b.
• 147. Trojans: DoS Trojans
  • These Trojans attempt to flood a network instantly with useless traffic so that it cannot provide any service.
  • Some examples of this category of Trojan are Ping of Death and Teardrop.
• 148. Denial of Service (DoS)
  • Denial of service (DoS) is a commonly found yet serious class of attack, caused by an explicit attempt of an attacker to prevent or block legitimate users of a service from using desired resources.
  • Such an attack occurs in both distributed and centralized settings.
  • Examples: SYN flooding, smurf, fraggle, jolt, land, and ping-of-death.
• 149. Denial of Service (DoS)
  • A Distributed Denial of Service (DDoS) attack is a coordinated attempt on the availability of services of a victim system, a group of systems, or network resources, launched indirectly from a large number of compromised machines on the Internet.
  • Typically, a DDoS attacker adopts an m : 1 approach (many compromised machines to a single victim machine) or an m : n approach, which makes it very difficult to detect or prevent.
  • A DDoS attacker normally initiates such a coordinated attack using either an architecture based on agent handlers or Internet Relay Chat (IRC).
• 150. Denial of Service (DoS)
  • The attacking hosts are usually personal computers with broadband connections to the Internet.
  • These computers are compromised by viruses or Trojan programs called bots.
  • These compromised computers are usually referred to as zombies.
  • The actions of these zombies are controlled by remote perpetrators, often through (a) botnet commands and (b) a control channel such as IRC.
  • Generally, a DDoS attack can be launched in any one of the following ways.
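Slide 148 lists SYN flooding first among the DoS examples, and the standard server-side mitigation is the SYN cookie: instead of keeping a half-open entry for every SYN, the server folds the state it needs into the initial sequence number of its SYN-ACK and only allocates a connection when a client returns an ACK that verifies. The block below is an added example written for this course page, not lecture or kernel code; it follows the classic layout (5-bit time slot, 3-bit MSS index, 24-bit keyed hash). The secret key, the MSS table, the 64-second slot length and the sample addresses are assumptions.

```python
"""SYN cookies as a SYN-flood mitigation (added example; not from the lecture).

A server under SYN flood cannot afford to keep state for every half-open connection.
With SYN cookies it encodes the state it needs into the initial sequence number (ISN)
of its SYN-ACK and only allocates a connection when a valid ACK comes back.
Layout modelled on the classic scheme: 5 bits time slot | 3 bits MSS index | 24 bits MAC.
SECRET, MSS_TABLE and the 64-second slot are assumptions for the demo.
"""
import hashlib
import hmac

SECRET = b"constructed-demo-secret-key"   # assumption: per-server secret, rotated in practice
MSS_TABLE = (536, 1300, 1440, 1460)         # MSS values representable in the 3-bit field
SLOT_SECONDS = 64                           # coarse clock so the cookie survives a slow client


def _time_slot(now):
    """5-bit slot counter derived from the current unix time."""
    return (now // SLOT_SECONDS) & 0x1F


def _mac24(saddr, sport, daddr, dport, slot):
    """24-bit keyed hash over the connection 4-tuple and the time slot."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}@{slot}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, sport, daddr, dport, client_mss, now):
    """ISN the server sends in its SYN-ACK instead of storing a half-open entry."""
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:          # largest table entry the client can accept
            mss_idx = i
    slot = _time_slot(now)
    return (slot << 27) | (mss_idx << 24) | _mac24(saddr, sport, daddr, dport, slot)


def check_cookie(saddr, sport, daddr, dport, ack, now, max_age_slots=1):
    """Validate the final ACK of a handshake.

    Returns the MSS to use for the connection, or None when the cookie is stale
    or was not produced by this server for this 4-tuple.
    """
    cookie = (ack - 1) & 0xFFFFFFFF    # the client acknowledges ISN + 1
    slot = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    age = (_time_slot(now) - slot) & 0x1F
    if age > max_age_slots:
        return None
    if (cookie & 0xFFFFFF) != _mac24(saddr, sport, daddr, dport, slot):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    isn = make_cookie("198.51.100.7", 40000, "192.0.2.10", 443, 1460, now=1700000000)
    print("SYN-ACK ISN:", hex(isn))
    print("MSS from valid ACK:",
          check_cookie("198.51.100.7", 40000, "192.0.2.10", 443, isn + 1, now=1700000005))
```

Two properties are worth noticing. The server stores nothing between SYN and ACK, so a flood of SYNs costs it only a hash per packet; and a spoofed ACK must guess 24 bits of keyed hash, which is why the secret matters. The price is that TCP options which do not fit in the cookie are lost, which is why production stacks only switch cookies on once the backlog overflows. In this simplified model the hash covers only the 5-bit slot, so cookies repeat every 32 slots; real implementations hash a wider counter.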
• 151. Classification of DoS
  • By degree of automation: the attack generation steps, such as the recruit, exploit, infect, and use phases, can be performed in three possible ways: manual, automatic, and semi-automatic.
  • By exploited vulnerability: the attacker exploits a vulnerability of a security system to deny the services provided by that system to legitimate users. In semantic attacks, the attacker exploits a specific feature or implementation bug of some protocol or application installed on the victim machine to overload the resources used by that machine. An example of such an attack is the TCP SYN attack.
• 152. Classification of DoS
  • By attack network used: to launch a DDoS attack, an attacker may use either an agent-handler network or an IRC network.
  • By attack rate dynamics: depending on the number of agents used to generate a DDoS attack, the attack rate may be either constant or variable. Besides these, an increasing-rate attack and a fluctuating-rate attack can also be mounted using a rate change mechanism.
• 153. Classification of DoS
  • By victim type: DDoS attacks can be generated to paralyze different types of victims. Examples include application attacks, host attacks, network attacks, and infrastructure attacks.
  • By impact: based on the impact of a DDoS attack, it may be either a disruptive or a degrading attack.
  • By agent: a DDoS attack can be generated by a constant agent set or a variable agent set.
• 154. Packet forging attack tools
  • Packet forging tools are useful for forging or manipulating packet information.
  • An attacker can generate traffic with manipulated (spoofed) IP addresses using this category of tools.
  • Nemesis is widely used to generate custom packets using different protocols. It supports most protocols, such as ARP, DNS, ICMP, IGMP, IP, OSPF, RIP, TCP and UDP, which makes it very effective compared to other tools.
  • Other advantages of this tool: anyone can generate custom packets from the command prompt or using shell scripts, and attackers find it very useful for generating attack packets.
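The network-side answer to forged source addresses is ingress filtering at the edge: a router that knows which prefixes sit behind each interface drops any packet whose source address could not have come in that way. The block below is an added example of that rule (not from the lecture, and not Nemesis or any router's code), written in Python so the decision logic is visible. The interface names, the prefix assignments (documentation prefixes standing in for real customer ranges), the bogon list and the sample packets are all constructed.

```python
"""Ingress (source-address) filtering against spoofed packets (added example; not from the lecture).

Packet forging tools let an attacker put an arbitrary source IP into packets. An edge
router that knows which prefixes live behind each interface can drop packets whose
source could not legitimately have arrived on that interface. Topology, interface
names and the bogon list are constructed for the demo; the documentation prefixes
(192.0.2.0/24 etc.) stand in for real customer assignments.
"""
import ipaddress
from collections import Counter

INTERFACE_PREFIXES = {            # assumption: prefixes assigned behind each customer-facing interface
    "eth1": ["192.0.2.0/24"],
    "eth2": ["198.51.100.0/25", "198.51.100.128/25"],
}
BOGONS = [ipaddress.ip_network(p) for p in (   # never valid as a source on the public edge
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]
_ALLOWED = {ifc: [ipaddress.ip_network(p) for p in pfx]
            for ifc, pfx in INTERFACE_PREFIXES.items()}


def ingress_verdict(iface, src):
    """Return ('accept' | 'drop', reason) for a packet with source `src` arriving on `iface`."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return ("drop", "unparseable source")
    if any(addr in net for net in BOGONS):
        return ("drop", "bogon source")
    allowed = _ALLOWED.get(iface)
    if not allowed:
        return ("drop", "no prefix list for interface")
    if any(addr in net for net in allowed):
        return ("accept", "source belongs to interface prefix")
    return ("drop", "source not assigned to interface (possible spoofing)")


# Constructed sample packets: (arrival interface, source address)
SAMPLE_PACKETS = [
    ("eth1", "192.0.2.77"),      # legitimate customer on eth1
    ("eth1", "198.51.100.5"),    # eth2's prefix seen on eth1: spoofed or misrouted
    ("eth1", "10.1.2.3"),        # private address on the public edge
    ("eth2", "198.51.100.200"),  # legitimate
    ("eth2", "203.0.113.9"),     # not ours at all
    ("eth3", "192.0.2.1"),       # interface with no configured prefixes: fail closed
]


def filter_packets(packets):
    """Apply ingress_verdict to each packet; return (accepted sources, tally of drop reasons)."""
    accepted, drops = [], Counter()
    for iface, src in packets:
        verdict, reason = ingress_verdict(iface, src)
        if verdict == "accept":
            accepted.append(src)
        else:
            drops[reason] += 1
    return accepted, drops


if __name__ == "__main__":
    ok, dropped = filter_packets(SAMPLE_PACKETS)
    print("accepted:", ok)
    for reason, n in dropped.items():
        print(f"dropped {n}: {reason}")
```

Note the fail-closed choice for an interface without a prefix list: an unknown interface is treated as untrusted rather than as "anything goes". Filtering of this kind only stops spoofing from networks that deploy it, which is why it is most effective at the provider edge closest to the hosts that would otherwise be recruited as zombies.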
• 155. Application Layer Attack
  • The attacker uses legitimate application layer HTTP requests from legitimately connected network machines to overwhelm a Web server.
  • The application layer attack may take the form of a session flooding attack, a request flooding attack or an asymmetric attack.
  • Application layer DDoS attacks are more subtle than network layer attacks, and their detection is difficult because they use legitimate protocols and legitimate connections.
  • Examples: HTTP-related attacks, SMTP-related attacks, FTP-related attacks, SNMP-related attacks.
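Because every request in an application-layer attack is protocol-legitimate, detection has to look at behaviour per client rather than at packet shape. The block below is an added example (not lecture material): it scores each client over a sliding window on two axes from the slide, request count (request flooding) and the server work those requests caused (the asymmetric case, where a handful of expensive requests does the damage). The access-log format, the sample clients and the thresholds are constructed assumptions.

```python
"""Scoring clients for application-layer flooding (added example; not from the lecture).

Each request is protocol-legitimate, so the detector looks at behaviour per client in a
sliding window: how many requests (request flooding) and how much server work they cause
(asymmetric attack: few requests, each expensive). Log format is a constructed, simplified
access log: <unix_ts> <client_ip> <path> <server_ms>. Thresholds are assumptions.
"""
from collections import defaultdict


def _lines(client, start, n, gap, path, cost):
    """Build n constructed log lines for one client, `gap` seconds apart."""
    return [f"{start + i * gap:.3f} {client} {path} {cost}" for i in range(n)]


# Constructed sample: 203.0.113.9 hammers a cheap page, 203.0.113.20 issues a few very
# expensive searches, 192.0.2.8 behaves normally.
SAMPLE_ACCESS_LOG = "\n".join(
    _lines("203.0.113.9", 1700000000.0, 30, 0.1, "/index.html", 5)
    + _lines("203.0.113.20", 1700000000.0, 6, 1.0, "/search?q=*", 900)
    + _lines("192.0.2.8", 1700000000.0, 3, 2.0, "/about", 20)
)


def parse_line(line):
    """Return (ts, client, path, server_ms) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return float(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def analyze(log_text, window=10.0, max_requests=20, max_server_ms=3000):
    """Return {client: [reasons]} for clients that exceed a limit in any window.

    'request flooding': more than max_requests requests inside `window` seconds.
    'asymmetric load': more than max_server_ms of server time inside `window` seconds,
    regardless of how few requests caused it.
    """
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, client, _path, cost = rec
            per_client[client].append((ts, cost))

    findings = defaultdict(set)
    for client, evs in per_client.items():
        evs.sort()
        lo = 0
        for hi, (ts, _cost) in enumerate(evs):
            while ts - evs[lo][0] > window:
                lo += 1
            win = evs[lo:hi + 1]
            if len(win) > max_requests:
                findings[client].add("request flooding")
            if sum(c for _, c in win) > max_server_ms:
                findings[client].add("asymmetric load")
    return {c: sorted(r) for c, r in findings.items()}


if __name__ == "__main__":
    for client, reasons in analyze(SAMPLE_ACCESS_LOG).items():
        print(f"{client}: {', '.join(reasons)}")
```

The second axis is the one a plain rate limiter misses: 203.0.113.20 sends six requests in six seconds, well under any request cap, yet accounts for more server time than the flooder. Measuring cost (CPU time, database time, or response bytes, whichever your server logs) is what makes the asymmetric case visible.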
• 156. Fingerprinting attack tools
  • Fingerprinting tools are used to identify specific features of a network protocol implementation by analyzing its input and output behavior.
  • The identified features include protocol version, vendor information and configurable parameters.
  • Fingerprinting tools are used to identify the operating system running on a remote machine and can also be used for other purposes.
• 157. Fingerprinting attack tools
  • Existing fingerprinting tools show that implementations of most key Internet protocols, such as ICMP, TCP, TELNET and HTTP, have bugs.
  • Network administrators can use remote fingerprinting to collect information that facilitates management, and an intrusion detection system can capture the abnormal behavior of attackers or worms by analyzing their fingerprints.
• 158. User Attack Tools
  • In user attacks, the attacker either attempts, as a normal legitimate user, to gain the privileges of root or superuser, or attempts to access a local machine by exploiting its vulnerabilities without having an account on that machine.
  • Both types of attempts are very difficult to detect because their behavior resembles normal activity.
  • We discuss these attacks by category along with launching tools.
• 159. U2R Attack
  • The attacker initially attempts to gain access to the local victim machine as a legitimate user.
  • The means may be a password sniffing attempt, a dictionary attack, or a social engineering approach.
  • The attacker then explores possible vulnerabilities or bugs in the operating system running on the victim machine to perform the transition from user to superuser or root level.
  • Once root privileges are acquired, the attacker has full control of the victim machine to install backdoor entries for future exploits, manipulate system files to gather information, and perform other damaging actions.
• 160. U2R Attack
• 161. U2R Attack
  • Two well-known U2R attack tools are described next.
  • Yaga: this tool is used to create a new administrator account by compromising registry files. The attacker edits the registry file to crash some system services on the victim machine and create a new administrator account.
  • SQL attack: here, the attacker creates a TCP connection with an SQL database server on a Unix machine. The database shell exits when a special escape sequence is issued, and the root shell of the machine is started by running the Perlmagic3 script.
• 162. R2L Attack
  • A remote attacker, without an account on a local machine, attempts to send packets to that machine in order to gain local access based on the vulnerabilities of that machine.
  • To gain access to the local machine, the attacker tries various ways. Two such ways are using online and offline dictionary attacks to acquire the password for the machine, and making repeated guesses at possible usernames and passwords.
• 163. R2L Attack
• 164. R2L Attack
  • The attacker also attempts to take advantage of legitimate users who are often casual in choosing their passwords.
  • Below are two R2L attack tools.
  • Netcat: this R2L attack tool uses a Trojan program to install and run Netcat on the victim machine at port number 53. The Netcat program works as a backdoor to access the machine through the Netcat port without any username and password.
  • ntfsdos: the attacker gains the console of a WinNT machine by running ntfsdos. The program mounts the machine's disk drives; thus the attacker is able to copy secret files to secondary media.
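The R2L slides describe online dictionary attacks and repeated username/password guessing; the place those show up for a defender is the authentication log. The block below is an added example (not from the lecture) that counts failed logins per source inside a sliding window and also reports how many distinct usernames were tried, which separates a dictionary run against many accounts from a single user who mistyped a password. The message format follows OpenSSH's "Failed password for ... from ... port ..." lines; the sample lines, hostnames, addresses and thresholds are constructed.

```python
"""Detecting password-guessing (R2L) attempts in authentication logs (added example; not from the lecture).

Line format follows OpenSSH's "Failed password for [invalid user] NAME from IP port N ssh2"
messages; the sample lines themselves are constructed. Thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_AUTH_LOG = """\
Nov 10 10:00:01 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Nov 10 10:00:03 gw sshd[1202]: Failed password for root from 203.0.113.5 port 51001 ssh2
Nov 10 10:00:06 gw sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 51002 ssh2
Nov 10 10:00:09 gw sshd[1204]: Failed password for invalid user oracle from 203.0.113.5 port 51003 ssh2
Nov 10 10:00:12 gw sshd[1205]: Failed password for invalid user guest from 203.0.113.5 port 51004 ssh2
Nov 10 10:00:15 gw sshd[1206]: Failed password for invalid user ubuntu from 203.0.113.5 port 51005 ssh2
Nov 10 10:00:30 gw sshd[1210]: Accepted password for alice from 192.0.2.8 port 52000 ssh2
Nov 10 10:05:00 gw sshd[1220]: Failed password for alice from 192.0.2.8 port 52001 ssh2
Nov 10 10:05:04 gw sshd[1221]: Accepted password for alice from 192.0.2.8 port 52002 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_line(line):
    """Return (timestamp, 'Failed'|'Accepted', username, source_ip) or None."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; that is fine for relative timing within one log
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def brute_force_sources(log_text, window_s=60, min_failures=5):
    """Return {src: {"failures": n, "usernames": k}} for sources with at least
    min_failures failed logins inside any window_s-second interval; k is the number
    of distinct usernames tried in the worst window."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_auth_line(line)
        if rec and rec[1] == "Failed":
            ts, _result, user, src = rec
            failures[src].append((ts, user))

    alerts = {}
    for src, evs in failures.items():
        evs.sort()
        lo = 0
        for hi, (ts, _user) in enumerate(evs):
            while (ts - evs[lo][0]).total_seconds() > window_s:
                lo += 1
            win = evs[lo:hi + 1]
            if len(win) >= min_failures:
                users = {u for _, u in win}
                cur = alerts.get(src)
                if cur is None or len(win) > cur["failures"]:
                    alerts[src] = {"failures": len(win), "usernames": len(users)}
    return alerts


if __name__ == "__main__":
    for src, info in brute_force_sources(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {info['failures']} failures across {info['usernames']} usernames")
```

A high username count with a low failure count per account is the signature of guessing across accounts, which a per-account lockout never triggers; that is why the detector keys on the source address rather than on the account, and why the response (temporary source block, or rate limiting at the SSH daemon) should be per source as well.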
• 166. Ubiquitous Network Embedded System, School of Informatics, Walailak University
• 167. Module 3: Access Control
• 168. Outlines
  • Overview of Access Control
  • Access Control Methods
• 169. Overview of Access Control
• 170. Overview of Access Control
  • What is Access Control?
  • The ability to allow only authorized users, programs or processes access to a system or resource.
  • The granting or denying, according to a particular security model, of certain permissions to access a resource.
  • An entire set of procedures performed by hardware, software and administrators to monitor access, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules.
  • Access control is the heart of security.
• 171. Example of Access Control
  • Social Networks: in most social networks, such as Facebook and MySpace, some of your personal information can only be accessed by yourself, some can be accessed by your friends, and some can be accessed by everybody. The part of the system that implements this kind of control is doing access control.
• 172. Example of Access Control
  • Web Browsers: when you browse a web site and run JavaScript code from that web site, the browser has to control what such JavaScript code can access and what it cannot access.
  • For example, code from one web site cannot access the cookies of another web site, and it cannot modify the contents of another web site either.
  • These controls are enforced by the browser's access control.
• 173. Example of Access Control
  • Operating Systems: in an operating system, one user cannot arbitrarily access another user's files, and a normal user cannot kill another user's processes.
  • These are enforced by operating system access control.
• 174. Example of Access Control
  • Memory Protection: in the Intel 80x86 architecture, code in one region cannot access the data in another, more privileged region.
  • This is done by the access control implemented in the CPU (e.g. 80386 protected mode).
• 175. Example of Access Control
  • Firewalls: firewalls inspect every incoming (and sometimes outgoing) packet; if a packet matches certain conditions, it is dropped by the firewall, preventing it from reaching the protected network.
  • This is also access control.
• 176. What should we learn about access control?
  • Access Control Policy Models: how access control policies are configured and managed.
    • Discretionary Access Control (DAC)
    • Mandatory Access Control (MAC)
• 177. What should we learn about access control?
  • Access Control Mechanism: how access control is implemented in systems.
    • Access Control Matrices
    • Access Control List
    • Capability
    • Role-Based Access Control
• 178. What should we learn about access control?
  • Design Principles: the useful principles that can guide the design and contribute to an implementation that is strong in security.
  • Building a protection system is like building a bridge: we never ask people without civil engineering training to build a bridge for us, because we know that to build a bridge we need to follow civil engineering principles.
• 179. DAC: Discretionary Access Control
  • Definition: an individual user can set an access control mechanism to allow or deny access to an object.
  • Relies on the object owner to control access.
  • DAC is widely implemented in most operating systems, and we are quite familiar with it.
  • Strength of DAC: flexibility, a key reason why it is widely known and implemented in mainstream operating systems.
• 180. MAC: Mandatory Access Control
  • Definition: a system-wide policy decrees who is allowed to have access; an individual user cannot alter that access.
  • Relies on the system to control access.
  • Example: the law allows a court to access driving records without the owners' permission.
  • Traditional MAC mechanisms have been tightly coupled to a few security models.
  • Recently, systems supporting flexible security models have started to appear (e.g., SELinux, Trusted Solaris, TrustedBSD).
• 181. Access Control Method
• 182. Access Control Methods
  • Access Control Matrices: a simple framework for describing a protection system by describing the privileges of subjects on objects.
  • Subjects can be users, processes, agents, groups.
  • Objects can be data, memory banks, other processes.
  • Privileges (permissions, rights) can be read, write, modify, ...
• 183. Access Control Methods
  • Access Control Matrices: a triple (S, O, M), where S is a set of subjects, O is a set of objects and M is a matrix defining the privileges/rights of a subject s ∈ S on an object o ∈ O.
• 184. Access Control Methods
  • M provides a basis for different possible enforcement mechanisms: access control lists and capability lists.
  • Disadvantage: in a large system, the matrix will be enormous in size and mostly sparse.
• 185. Access Control Methods
  • Access Control List: the column of the access control matrix.
  • Advantages: easy to determine who can access a given object; easy to revoke all access to an object.
  • Disadvantages: difficult to know the access rights of a given subject; difficult to revoke a user's rights on all objects.
  • Used by most mainstream operating systems.
• 186. Access Control Methods
  • Access Control List: ACL is usually used for DAC.
  • It is compact and easy to review; deleting an object is simple, but deleting a subject is more difficult.
• 187. Access Control Methods
  • Capability List: the row of the access control matrix.
  • A capability can be thought of as a pair (x, r) where x is the name of an object and r is a set of privileges or rights.
  • Advantages: easy to know the access rights of a given subject; easy to revoke a user's access rights on all objects.
  • Disadvantages: difficult to know who can access a given object; difficult to revoke all access rights to an object.
  • A number of capability-based computer systems were developed, but they have not proven to be commercially successful.
• 188. Access Control Methods: Capability List
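Slides 182 to 188 define the access control matrix (S, O, M) and derive the ACL (a column of M) and the capability list (a row of M, as pairs (x, r)) from it. The block below is an added example (not lecture code) that stores M sparsely, since the slides note a real matrix is enormous and mostly empty, exposes both views, and implements the two revocation operations whose cost the slides contrast: dropping one column (cheap for an ACL) and dropping one row (cheap for capabilities). The subjects, objects and rights in `build_example` are constructed.

```python
"""Access control matrix with its two enforcement views (added example; not from the lecture).

The matrix M of the triple (S, O, M) is stored sparsely, since in a real system it is huge
and mostly empty. An ACL is a column of M (all subjects for one object); a capability list
is a row (all objects for one subject, each as a pair (x, r)). The example subjects, objects
and rights are constructed.
"""
from collections import defaultdict


class AccessControlMatrix:
    def __init__(self):
        # (subject, object) -> set of rights; an absent key means no rights at all
        self._m = defaultdict(set)

    def grant(self, subject, obj, *rights):
        self._m[(subject, obj)].update(rights)

    def check(self, subject, obj, right):
        """Reference-monitor decision: is `right` in M[subject, object]?"""
        return right in self._m.get((subject, obj), set())

    def acl(self, obj):
        """Column view: {subject: rights} for one object."""
        return {s: set(r) for (s, o), r in self._m.items() if o == obj and r}

    def capabilities(self, subject):
        """Row view: sorted list of (object, rights) pairs held by one subject."""
        return sorted((o, set(r)) for (s, o), r in self._m.items() if s == subject and r)

    def revoke_object(self, obj):
        """Remove every right on one object: one column of M (cheap with an ACL)."""
        for key in [k for k in self._m if k[1] == obj]:
            del self._m[key]

    def revoke_subject(self, subject):
        """Remove every right of one subject: one row of M (cheap with capability lists)."""
        for key in [k for k in self._m if k[0] == subject]:
            del self._m[key]


def build_example():
    """Constructed protection state for a small payroll system."""
    m = AccessControlMatrix()
    m.grant("alice", "payroll.db", "read", "write")
    m.grant("bob", "payroll.db", "read")
    m.grant("bob", "report.txt", "read", "write")
    m.grant("backup", "payroll.db", "read")
    m.grant("backup", "report.txt", "read")
    return m


if __name__ == "__main__":
    m = build_example()
    print("ACL of payroll.db:", m.acl("payroll.db"))
    print("capabilities of bob:", m.capabilities("bob"))
    print("bob may write payroll.db:", m.check("bob", "payroll.db", "write"))
```

With a single sparse store both revocations are equally cheap, which hides the asymmetry the slides describe. The asymmetry appears once the system keeps only one view: an ACL-only system must scan every object's list to find a departing user's entries (the "deleting a subject is more difficult" point on slide 186), while a capability-only system must scan every subject's list to take back one object.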
• 189. RBAC
• 190. Access Control List Examples
  • UNIX ACL
  • Abbreviations of Access Control Lists: three classes (owner, group, other users).
  • Full Access Control Lists
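The UNIX "abbreviated ACL" on slide 190 compresses a full ACL into three classes, and the detail students most often get wrong is that exactly one class is consulted for a given requester: the owner class if the uid matches, otherwise the group class if the file's group is among the requester's groups, otherwise "other". The block below is an added example (not from the lecture) that parses the nine-character mode string and applies that rule; the uids, gids and modes in the tests are constructed, and the root rule follows Linux's DAC-override behaviour (read/write bypass, execute still needs some x bit).

```python
"""UNIX abbreviated ACL (owner/group/other) check (added example; not from the lecture).

The nine-character mode string (e.g. "rwxr-x---") abbreviates an ACL into three classes.
Only one class applies to a given requester: the owner class if the uid matches, else the
group class if the file's group is among the requester's groups, else "other". The uids,
gids and file examples are constructed; the root rule follows Linux's DAC override.
"""


def parse_mode(mode):
    """'rwxr-x---' -> ({'r','w','x'}, {'r','x'}, set()) for owner, group, other."""
    if len(mode) != 9:
        raise ValueError("mode must be nine characters like rwxr-x---")
    classes = []
    for i in range(0, 9, 3):
        bits = set()
        for ch, flag in zip(mode[i:i + 3], "rwx"):
            if ch == flag:
                bits.add(flag)
            elif ch != "-":
                raise ValueError(f"unexpected mode character {ch!r}")
        classes.append(bits)
    return tuple(classes)


def unix_permits(mode, file_uid, file_gid, uid, gids, op):
    """Decide whether user `uid` (a member of groups `gids`) may perform op in {'r','w','x'}.

    setuid/setgid/sticky bits and supplementary ACL entries are out of scope here.
    """
    if op not in ("r", "w", "x"):
        raise ValueError("op must be one of r, w, x")
    owner, group, other = parse_mode(mode)
    if uid == 0:
        # root bypasses read/write checks; execute still needs at least one x bit set
        return op != "x" or "x" in (owner | group | other)
    if uid == file_uid:
        cls = owner          # owner class wins even if group/other bits are wider
    elif file_gid in gids:
        cls = group
    else:
        cls = other
    return op in cls


if __name__ == "__main__":
    # constructed file: owned by uid 1000, group 100, mode rw-r-----
    for who, uid, gids in (("owner", 1000, {100}), ("group member", 1001, {100}),
                           ("outsider", 1002, {200})):
        print(who, "read:", unix_permits("rw-r-----", 1000, 100, uid, gids, "r"),
              "write:", unix_permits("rw-r-----", 1000, 100, uid, gids, "w"))
```

The fifth assertion in the test is the one worth remembering: with mode `---r-----` the owner is denied read even though the group class allows it, because the owner class is selected first and no fallback to a wider class happens.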
• 191. Access Control List Examples
  • Windows NT
  • Generic rights: No access, Read, Change, Full control.
  • Built-in Groups (each has different privileges):
    • Everyone: all users
    • Interactive: users logged on locally
    • Network: users logged on over the network
    • System: the operating system
    • Creator/Owner: creator or owner of a file or a resource
• 192. Access Control List Examples
  • Social networks: most social networks use ACLs as their main access control model. Users can specify who can access their profiles, friend lists, etc.