CS682-Network Security
Module-1
Introduction to Network Security
SYN
This is CS682, Network Security
There is a lab in RH219, get your accounts
Homework-0 is on-line: Part I, II due next
week, Part III, IV due in two weeks
Homework submission:
Handover hardcopies at the beginning of the class
Randomly selected students will be asked for
demos of their work
Website: />Prerequisites for CS682
CS392
Website: /> Textbook: “Computer Security: Art and Science,” Matt
Bishop, 0201440997
CS918 or EL537
Textbook: “TCP/IP Illustrated, Vol. 1,” Richard W. Stevens
Programming Reference: “Unix Network Programming, Vol.
1,” Richard W. Stevens, 013490012X
Basic Understanding of Operating Systems
CS623 – Operating Systems I
Textbook: “Operating System Concepts,” Silberschatz,
Galvin, & Gagne
Prerequisites for CS682
Cryptography & Computer Security:
Symmetric & asymmetric key algorithms
Key Exchange, Authentication etc.
Hash, Message Digests, Signatures etc.
Networking:
TCP/UDP/ICMP
IP
Ethernet, ARP, RARP
Programming Environment:
Unix & C (Mostly Linux and ANSI C)
CASL (Custom Audit Scripting Language)
Server Netw ork
Backbone
Student Network
Accountin
g
Sales
Inf orma tion
systems
Coustomer
service
Human
resources
Server_00
Switch
Internal Router/Firewall
External Router/Firewall
Server_01
Server_02
XYZ Enterprise Network Layout
IDS Sy s t e m
What is This Course about?
We will explore:
Various vulnerabilities in network protocols and services.
Mechanisms to protect networks.
Security tools.
Overview of This Course
TCP/IP Suite
Vulnerabilities and solutions
Security protocols built on top of TCP/IP
Security devices and tools to test and protect networks
Network security theory and practice
In homework
Explore TCP/IP vulnerabilities in detail by exploiting them
using CASL
Learn to analyze a TCP/IP network for vulnerabilities
Write small client/server applications and learn to do
penetration testing on your code and algorithm.
Learn to setup security devices such Firewall’s and IDS
systems, and how to integrate them.
“War Games” – A serious one if time permits
Introduction to TCP/IP
R/L =Http Request and Reply
TH/F = TCP Header and Footer
IH/F = IP Header and Footer
EH/F= Ethernet Header and Footer
Cloud
Network
Host A
HTTP (Web Browser)
TCP
IP
3Com NIC Driver
Host B
HTTP (Web Server)
TCP
IP
1GB NIC Driver
HTTP Protocol
TCP Protocol
Network
EH EF
R
TH TFIH IF
EH EF
L
TH TFIH IF
R
TH TFIH IF
R
R
TH TF
L
TH TFIH IF
L
TH TF
L
EH EF
R
TH TFIH IF
R
TH TFIH IF
R
TH TF
R
EH EF
L
TH TFIH IF
L
TH TFIH IF
L
TH TF
L
(Logical Link)
Security Issues in Networking
Life is great here (An ideal life)
Interruption: An asset of the system is destroyed
or becomes unavailable or unusable. This is an
attack on the availability. Examples include
destruction of a piece of hardware, such as a hard
disk, the cutting of a communication link, or the
disabling of the file management system.
Host A
Host B
Normal Flow
Host A
Host B
Interuption
Security Issues in Networking
Interception: An unauthorized party gains access to an asset. This is an attack on
confidentiality. The unauthorized party could be a person, a program, or a computer.
Examples include wiretapping to capture data in a network. And the illicit copying of files
or programs.
Host A
Host B
Interception
Host C
Modification: An unauthorized party not only gains access to but tampers with an
asset. This is an attack on the integrity. Examples include changing values in a data file,
altering a program so that it performs differently, and modifying the content of a message
being transmitted in a network.
Host A
Host B
Modificition
Host C
Security Issues in Networking
Fabrication: An unauthorized part inserts counterfeit objects into the system. This
is an attack on the authenticity. Examples include the insertion of spurious messages in a
network or the addition of records to a file.
Attacks can be classified into two broad categories:
Passive Attacks can only
observe communications or
data
Host A
Host B
Fabricition
Host C
Passive Attack
Active Attack
Active Attacks can actively modify
communications or data, Often difficult
to perform, but very powerful. Example:
Mail forgery/modification, and TCP/IP
spoofing/session hijacking
Security Issues in TCP/IP
TCP/IP was not designed with security in mind
Most of the attacks present today were unheard of during the
design of TCP/IP
It was designed to protect DoD network infrastructures
Does not have strong authentication mechanism
The primary objective during the design, was to have robust
communication protocol that would survive partial network
damage.
There was no threat from the insider, the notion of having a
malicious node did not exist (Nodes were missile silos)
Network Programming in Unix
Network programming jargons:
Address: a bit string identifying a machine
Port: an entry point via network into a machine
Socket: {address, port} pair
Binding: process of attaching to a port
Client-Server Model:
Client Server
Response
Request
Client-Side Programming
1. Initialize environment
2. Create a socket
3. Identify server’s IP
address, port number
4. Establish a connection
to server
5. Read/write as if the
socket were a file
6. Close connection
7. Exit program
1. struct sockaddr_in server;
bzero(&server,
sizeof(server));
2. sockfd=socket(AF_INET,
SOCK_STREAM, 0)
3. server.sin_family=AF_INET;
server.sin_port=htons(80);
inet_pton(AF_INET,
argv[1], &server.sin_addr)
4. connect(sockfd, &server,
sizeof(server))
5. read(sockfd, buffer,
max_buffer)
6. close(sockfd)
7. exit(0)
Server-Side Programming
1. Initialize environment
2. Create socket
3. Bind socket to a port
4. Listen on port
5. Accept connection
6. Read/write
7. Close connection
8. Exit program
1. struct sockaddr_in server;
bzero(&server,
sizeof(server));
2. listenfd=socket(AF_INET,
SOCK_STREAM, 0);
3. server.sin_family=AF_INET;
server.sin_addr.s_addr=hto
nl(INADDR_ANY);
server.sin_port=htons(80);
bind(listenfd, &server,
sizeof(server));
4. listen(listenfd, 0);
5. connfd=accept(listenfd,
NULL, NULL);
6. read(connfd, buffer,
buff_max);
7. close(connfd);
8. exit(0);
On the Wire
connect()
SYN_SENT
SYN
SYN,ACK
listen()
accept()
SYN_RCVD
ESTABLISHED
ACK
ESTABLISHED
write()
Request
read()
write()
Reply, ACK
ACK
read()
close()
FIN_WAIT1
FIN
CLOSE_WAIT
ACK
FIN
ACK
FIN_WAIT2
close()
LAST_ACK
TIME_WAIT
CLOSED
Client Serve
r
References and Reading Assignments
Read about TCP/IP from
/>www.cs.um.edu.mtzSz~kvelzSzCSA401zSzibm-tcpip.pdf/tcp-
ip-tutorial-and.pdf
(Look for “tcp ip security” at )
From Books 24x7 ( /> Read about Linux Socket programming from
Book 24x7
Search in Google for more practical examples
Review CS392 lecture notes for general issues in
information security.
( />Taxonomy of Network Vulnerabilities
Vulnerabilities Classification:
Improper Design of Protocol (e.g.: 802.11 Security)
Improper Implementation of Protocol (e.g.: Teardrop)
Improper Configuration of Protocol (e.g.: Smurf)
Exploit Modes:
Passive Exploits (e.g.: Packet Sniffing)
Blind Exploits (e.g.: Spoofing)
Active Exploits (e.g.: Session Hijacking)
Where to Find Vulnerabilities:
Application Level (e.g.: Cross Site Scripting)
Protocol Level (e.g.: Teardrop)
MAC (e.g.: Jamming)
Packet Sniffing
Sniffers are wire-tap devices (software+hardware) that can be
plugged into a computer network to eavesdrop on computers
in the network.
Sniffing requires physical access to network medium.
It is a passive activity, in that sniffing doesn’t introduce new
packets into network.
Sniffing is useful in two ways:
1. Eavesdropping (e.g.: extracting passwords or IDS)
2. Traffic Analysis (e.g.: tracking ssh connections)
Packet Sniffers have two phases:
1. Packet Capture Phase
2. Protocol Analysis Phase
Two essential ingredients for successful sniffing:
1. Shared Media
2. Promiscuous Mode Operations
Anatomy of a sniffer
In normal mode,
network interface card
discards packets not
destined to the
current host.
Promiscuous mode
disables this function
and allows all packets
to flow through the
network stack.
A sniffer would simply
capture these packets
for consumption.
There is more to a
sniffer than setting a
network card to
promiscuous mode.
is destination?
no
yes
Application
Normal Network
Interface Operation
is destination?
Sniffer
Promiscuous Mode
Network
Interface Operation
Anatomy of a sniffer
Media: usually an Ethernet
card but it could also be a
wireless card or anything
else.
Capture Driver: software
driver to capture and filter
network traffic. E.g.: pcap
and BPF
Buffer: packets must be
temporarily buffered prior to
storage or processing.
Usually fill-buffered or
round-robin.
Decode: packets must be
decoded to a human readable
form.
Logging: permanent storage
of packets for offline analysis.
Media
Decode
Buffer
Capture Driver
Logging/Editing
Packets
Popular sniffers:
Ethereal – excellent protocol analyzer
tcpdump – you’ll use this in homework
Carnivore – FBI uses this at ISPs
Aerosnort – 802.11 wireless sniffer
Uses of sniffers
Stealing clear-text content on the wire and in the air
Passwords
Credit card numbers
“Secret” email conversations
Network traffic analysis
If the network content is encrypted then perform traffic
analysis to extract partial information
Famous pizza delivery to Pentagon story
Intrusion detection systems are built on sniffers
Traffic logging for forensics
Fault analysis of networks
Performance analysis to identify bottlenecks
Are sniffers bad? Yes and no!
Sniffing out the sniffers…
Sniffing is a passive activity, hence done properly it is
impossible to detect a sniffer!
However, there are some practical solutions
Local detection of promiscuous mode
Improper response to ping
Improper response to ARP queries
Improper response to DNS queries
Source routing to suspicious node
Employing a honeypot
Network latency monitoring
Time-domain reflectometers
SNMP monitoring
Can you design a sniffer to counter these detection
methods?
Detection of promiscuous mode
If you suspect a machine is running a sniffer
then use ifconfig to find out if the NIC is in
promiscuous mode.
Obviously, you will use an ifconfig binary
from a trusted machine or CD-ROM.
# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:AA:AA:AA:AA:AA
inet addr:0.0.0.0 Bcast:0.0.0.55 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:595017 errors:0 dropped:0 overruns:0 frame:0
TX packets:113401 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:10 Base address:0xb800
Improper Response to Pings
Remember how the
sniffers put the network
card to promiscuous
mode?
Any packet, whether it
is destined to the
machine or not, is sent
thru the network stack.
We can exploit this fact
to trick the sniffers to
give up their locations.
Send a ping (ICMP Echo Request)
to a suspected sniffer with the IP of
the sniffer but with a MAC of
another machine.
What happen in the network
stack:
1. Card receives the packet
2. Since it is in promiscuous mode,
ignores the MAC address, removes
the Ethernet header and send the
packet to IP.
3. IP checks the IP destination, since
it is the proper destination sends
the packet to ICMP.
4. ICMP sends an Echo Reply!
5. Ooops!
We know we should not be
receiving a reply for this packet
since the MAC and IP are
mismatch!
Improper Response to Pings
This method can be generalized to:
1. Any protocol or service that sends a response,
such as TCP connection establishment or telnet.
2. Any protocol or service that generates an error
message in response, such as bad IP packets.
Can we fix the sniffer not to give up its
location?
Sure. Do more sanity checks on the packets
addressed to the machine using a software filter.
Improper response to ARP queries
Similar to the method describe earlier
Send ARP to a non-broadcast address, if a machine
replies then it is running in promiscuous mode.
Another method:
ARP requests are cached, since the machine that sends the
request sends it own mapping in the request.
1. Send a non-broadcast ARP
2. Send a broadcast ping
3. The machine that replies without an ARP could have only
gotten the mapping from our previous ARP, so it should be
in promiscuous mode.
Improper Response to DNS Queries
Some sniffers do reverse-DNS lookups on IP
addresses they see.
To identify sniffers, do a ping sweep on
addresses that do not exist.
Watch the DNS server for reverse-DNS
queries for these addresses.
By doing a reverse-DNS lookup sniffers
violate the passive activity code, they begin to
inject packets into network. Probably not a
good design decision.
Source routing to suspicious node
In source routing, intermediate routers ignore
routing tables and simply forward the packets to
next hop in the list.
We use the idea in the following way:
1. Create a source routed ping to the suspicious node
2. Make the intermediary nodes non-routing
3. Send the packet on wire
4. If we get a response from suspicious node then the node is
on promiscuous mode. Because our intermediary would
have dropped the packet since it doesn’t route, so the
suspicious node could only have gotten this packet by
sniffing the wire.
Other Methods
Employing a honeypot:
Let a automated script generate clear-text traffic and lure the
hackers into sniffing the traffic. The fact that the password is
sniffed can be used to identify the sniffer.
Network latency monitoring:
Uses the fact that sniffers process unusually large number of
packets to detect the sniffer. Load the network with dummy packets
and ping sweep the machines. The ones with sniffers will have large
latency. (Not a viable solution.)
Time-domain reflectometers:
TDRs work like RADAR. It sends out a pulse and detects reflections
off the wire. This can also detect adressless passive hardware
sniffers on the wire.
SNMP monitoring:
Lets you track connection details. If a packet takes unusual path on
the network, most probably a sniffer is trying to lure packets its
way. Known as ARP spoofing.
How to avoid sniffers
Replace the hub (shared medium) with a switch
(switched medium)
Switch jamming
ARP spoof
ICMP Redirect
ICMP Router Advertisements
Cable taps
Never send clear-text messages on the wire
SSH for telnet
SFTP for FTP
SSL Tunneled IMAP for IMAP
PGP for unencrypted email
VPN for clear-text traffic
Broadband and wireless connections are sniffable.
Sniffers and Anti-Sniffers
tcpdump*
Ethereal
Etherpeek
AeroSnort
Snoop
Dsniff
Snort
Antisniff
Sentinel
ifconfig/ifstatus
NEPED (Network Promiscuous
Ethernet Detector)
CPM (Check Promiscuous Mode)
Route Discovery
Packets to and from a host have route
symmetry on the Internet.
Which means, with high probability packets
from node A to node B travel the same path as
packets from node B to node A.
And most often packets from the same source
to the same destination follow the same path.
Our goal is to find the intermediate nodes a
packet travel to reach a remote node.
How shall we implement this?
Using IP Record Route Option (RR)
We can use IP record route option with ICMP Echo Request
(ping –R).
This allows intermediate routers to put their IP addresses in
the header and when the packet reaches the destination it
copies the route into Echo Reply and send it back to the
source.
This is not a good implementation. Why?
1. Requires all routers to support RR
2. Requires a ping server at the destination. Most ping servers
reflect the Echo Request so the return path is also recorded.
3. There is no room for long paths. IP header has room for only 9
addresses but routes in current Internet are longer, average is
about 14 hops.
So we need an implementation that doesn’t depend on any
special servers and works by default on any router.
Using IP TTL Field
TTL field is used as a simple hop count at the routers.
When a router receives a datagram with TTL 1 or 0 it
discards the datagram and sends a ICMP Time
Exceeded message to the source.
This Time Exceeded message has the router’s IP as
the source address.
We can now easily build a route discovery based on
this information:
i=1
while(i<=255){
send_UDP(TTL=i, dest, port=65521);
if(receive_ICMP(dest) == “Port Unreachable”)
break;
++i;
};
Using IP TTL Field
The algorithm works as follows:
1. We send a UDP packet to a large port number (65521),
wrapped in a IP datagram with TTL=1…255
2. When the TTL reaches 1 or 0 routers return ICMP Time
Exceeded. Then, we increment TTL by one and send the
packet again.
3. When the packet reaches the destination, it sends out a
ICMP Port Unreachable message, because it is highly
unlikely that any application is listening on the port we
randomly chose.
4. Algorithm terminates either when it gets Port Unreachable
or TTL=255.
This implementation relies only on default
behaviors of routers and a standard UDP
implementation at the destination.
Uses of Route Discovery
Maps out the network topology (Look at the
map of Internet in our lab)
To get an idea of the network neighborhood
Network fault analysis
Router failures
Routing loops
Network bottlenecks
Route Discovery Tools:
traceroute/tracert
Visual Route (fun stuff)
Summary of Today’s Lecture
You have two weeks utmost to play catch up
Drop by the lab and get your accounts
Start working on homework-0
We covered:
Extremely quick review of networking
Somewhat quick review of network programming
Sniffing
Route discovery
Coming up next week…
CASL
Fingerprinting
Spoofing