
Computer Security and Information Assurance

Security in Networks – Part 2


a. Introduction
▪ We saw many security controls in the Program Security topic
▪ Many of these strategies are useful for network security as well
▪ We will now look at security controls designed specifically for computer networks
b. Security threat analysis (1)
▪ Threat analysis steps:
1) Analyze system components and their interactions
2) Analyze possible damage to C-I-A (confidentiality, integrity, availability)
3) Hypothesize possible kinds of attacks
▪ Network elements to be considered:
▪ Local elements: nodes / comm links / data storage / processes / devices / LANs
▪ Non-local elements: gateways / comm links / control resources / routers / network resources (e.g., databases)
Security threat analysis (2)

▪ Network threats:
▪ Accessing programs or data at a remote host
▪ Modifying programs or data at a remote host
▪ Running a program at a remote host
▪ Interception of data in transit
▪ Modifying data in transit
▪ Insertion of data into communication traffic, including replaying previous communication
▪ Blocking selected/all traffic
▪ Impersonation of entities
▪ Attack enablers:
▪ Size / anonymity / ignorance / misunderstanding
▪ Complexity / motivation / programming skills
c. Impact of network architecture / design & implementation on security (1)
▪ Architecture can improve security by:
1) Segmentation
2) Redundancy
3) Eliminating single points of failure
4) Other means
Impact of network architecture / design & implementation on security (2)

1) Segmentation
▪ Architecture should use segmentation to limit the scope of damage caused by network penetration by:
▪ Reducing the number of threats
▪ Limiting the amount of damage caused by a single exploit
▪ Segmentation enforces least privilege and encapsulation

▪ Example 1: component segmentation
▪ Placing different components of an e-commerce system on different hosts
▪ Esp. put the most vulnerable system components on separate hosts
▪ E.g., separate host for the web server (w/ public access)
▪ Exploit of one host does not disable the entire system
Impact of network architecture / design & implementation on security (3)

▪ Example 2: access separation
▪ Separating from each other:
▪ Production system
▪ Testing system
▪ Development system
▪ E.g., no developer has access to the production system and no customer has access to the development system
Impact of network architecture / design & implementation on security (4)

2) Redundancy
▪ Architecture should use redundancy to prevent losing availability due to exploit/failure of a single network entity
▪ Example: having a redundant web server (WS) in a company

▪ Types of redundancy include:
▪ Cold spare – e.g., when WS fails, replace it manually with spare WS
▪ Warm spare – e.g., failover mode = redundant WSs periodically check each other
▪ Hot spare – e.g., 3 WSs configured to perform majority voting
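To make the warm-spare and hot-spare variants concrete, here is an added example (not from the slides) that simulates redundant web servers in Python: a warm spare takes over when the primary fails its health check, and three hot-spare replicas all answer each request with the majority result winning, so one failed or tampered replica cannot change what the client sees. The `WebServer` class, the server names, the responses and the failures are constructed for the demonstration.

```python
"""Redundant web servers: warm-spare failover and hot-spare majority voting.

Added example (not from the slides). WebServer is a stand-in for a real
server; names, responses and failures are constructed for the demo.
"""
from collections import Counter
from typing import List, Optional, Tuple


class WebServer:
    """A simulated web server that may be down or serving tampered content."""

    def __init__(self, name: str, healthy: bool = True, response: str = "OK page"):
        self.name = name
        self.healthy = healthy
        self.response = response

    def handle(self, request: str) -> str:
        if not self.healthy:
            raise ConnectionError(f"{self.name} is down")
        return self.response


def warm_spare(primary: WebServer, spare: WebServer, request: str) -> Tuple[str, str]:
    """Failover: serve from the primary; if it is unreachable, fall over to the spare.

    Returns (response, name of the server that answered). Raises RuntimeError
    when both servers are down, i.e. when the redundancy has been exhausted.
    """
    for server in (primary, spare):
        try:
            return server.handle(request), server.name
        except ConnectionError:
            continue  # health check failed: try the next server
    raise RuntimeError("no server available")


def majority_vote(servers: List[WebServer], request: str) -> Optional[str]:
    """Hot spares: send the request to every replica and accept only an answer
    returned by a strict majority of the configured replicas.

    One down or tampered replica out of three is masked. Returns None when no
    answer reaches a majority (e.g. two of three replicas have failed), so the
    caller can raise an alarm instead of serving possibly wrong content.
    """
    answers = []
    for server in servers:
        try:
            answers.append(server.handle(request))
        except ConnectionError:
            pass  # a failed replica simply casts no vote
    if not answers:
        return None
    value, votes = Counter(answers).most_common(1)[0]
    return value if votes > len(servers) // 2 else None


if __name__ == "__main__":
    down_primary = WebServer("ws1", healthy=False)
    print(warm_spare(down_primary, WebServer("ws2"), "GET /"))  # served by ws2
    replicas = [WebServer("a"), WebServer("b"), WebServer("c", response="defaced")]
    print(majority_vote(replicas, "GET /"))  # "OK page": the tampered replica is outvoted
```

Note that voting is counted against the number of configured replicas, not the number that answered: with one replica down and one tampered, the single correct answer is not a majority and the function refuses to pick, which is the safe failure mode.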
Impact of network architecture / design & implementation on security (5)

3) Single points of failure (SPF)
▪ Architecture should eliminate SPFs to prevent losing availability due to exploit/failure of a single network entity
▪ Using redundancy is a special case of avoiding SPFs
▪ Network designers must analyze the network to eliminate all SPFs
▪ Example of avoiding SPF (without using redundancy)
▪ Distribute 20 pieces of a database on 20 different hosts (so-called partitioned database)
▪ Even if one host fails, 95% of database contents (19/20 = 95%) still available

▪ Elimination of SPFs (whether using redundancy or not) adds cost
Impact of network architecture / design & implementation on security (6)

4) Other architectural means for improving security
▪ Will be mentioned below as we discuss more network security controls
d. Encryption
▪ Arguably the most important/versatile tool for network security
▪ It can be used to protect a network's:
▪ Confidentiality/Privacy
▪ Authentication
▪ Integrity
▪ Limiting data access
▪ Kinds of encryption in networks (read more on each of these):
i. Link encryption vs. end-to-end (e2e) encryption
ii. Virtual private network (VPN)
iii. PKI and certificates
iv. SSH protocol
v. SSL protocol (a.k.a. TLS protocol)
vi. IPsec protocol suite
vii. Signed code
f) Strong authentication
▪ Networked environments, as well as both ends of a communication, need authentication, e.g., one-time passwords, strong passwords, etc.
g) Access controls (1)
◼ Before a user is allowed access to network resources, we must know:
◼ Who needs access => authentication
◼ What will be accessed and how => access controls

◼ Access controls include:
1) ACLs (Access Control Lists) on routers
2) Firewalls
Access controls (2)
1) ACLs on routers (ACL = Access Control List)
◼ Router directs traffic:
◼ To subnetworks it controls
OR
◼ To other routers (for delivery to other subnetworks)
◼ Routers convert external (network-wide) IP address to internal (subnetwork-wide) MAC address
◼ Recall that MAC address is unique physical address of device's NIC (network interface card)

◼ Can put ACL on a router to deny access to particular host D from particular host S
◼ E.g., to prevent spam (flooding) of D with packets from S, router can delete all packets from S to D
◼ It's OK if router uses ACLs in a limited way
◼ Use sparingly: only for specific & known threats
BUT...
Access controls (3)
◼ ... Problems with putting too many ACLs on routers:
(i) Packet-checking overhead for router
◼ Router must check each packet against each ACL – a lot of work => degraded performance
◼ More ACLs on router => more work
◼ Routers are already busy just routing all packets ingoing/outgoing to/from their subnets
(ii) Logging overhead for router
◼ To be able to detect spam, router must log source addresses of packets
◼ Then can analyze to see which source addresses produce floods
◼ Routers are designed to do only essential work — anything else is inefficient => logging on router is inefficient => adds workload
Access controls (4)
◼ ... Problems with putting too many ACLs on routers – CONT.
(iii) Inability of router to detect all spam
◼ Because source addresses in datagrams (UDP packets) can be easily forged (by attacker using UDP protocol)
◼ If attacker sends many datagrams with the same (repeated) forged address, router with ACL can detect & block them
◼ Otherwise (i.e., if attacker sends datagrams with few repeated forged addresses), router with ACL will not even detect being flooded => cannot block flooding datagrams
Access controls (5)

2) Firewalls
◼ Designed to do screening that routers can't do efficiently
◼ Because routers designed for routing (of course!)
◼ Firewalls designed for access filtering AND auditing AND examining whole packets (not only source/destination IP/MAC addresses — which is what routers do)
h) Intrusion Detection Systems: Alarms & Alerts
◼ Example of 2-layer network protection
◼ Provided by router (Layer 1) AND firewall (Layer 2)
◼ We can add one more layer of protection: intrusion detection system (IDS) = device placed within protected network for monitoring for illegitimate actions in order to detect attacks in progress (beginning, advanced) or after they have occurred
◼ E.g.: Can detect reconnaissance & alert sysadmin or secadmin, raise alarm, thus preventing "real" attack
OR
◼ Can detect that attack has already occurred & raise alarm, starting system recovery actions
◼ IDS is a.k.a. IPS = intrusion protection system
◼ A marketing gimmick?
◼ IDS can be Layer 3 of layered network protection
◼ To be discussed in detail soon
i) Honeypots
◼ Honeypot – system built as a bait attracting attackers
◼ Once attackers take the bait:
◼ They are observed to learn how they behave/operate
◼ New attacks / Preferred targets / ...
◼ They are traced to catch them or scare them off
◼ Or at least traced enough to be able to threaten them with identifying them if they don't stop
◼ They are diverted from really valuable attack targets
◼ E.g., diverted to phony credit card database while real credit card database remains obscure to them

◼ Use lessons learned (thanks to honeypots) to build better countermeasures
B. Network Security Tools

▪ Network security tools
B.1. Firewalls
B.2. Intrusion Detection Systems
B.3. Secure E-Mail
B.1. Firewalls
b. What is a firewall (1a)
◼ Firewall = device (h/w), or software, or combination of both designed:
1) to prevent unauthorized outside users from accessing network and/or single workstation
2) to prevent inside users from releasing sensitive information or accessing insecure resources

◼ It is a wall between protected local (sub)net & outside global net
◼ Inspects each individual inbound or outbound packet of data sent to / from protected system
◼ Checks if it should be blocked or allowed to enter
What is a firewall (2)

◼ Examples of security policy requirements w.r.t. firewalls:
▪ Block any access from the outside, allow all accesses to the outside
▪ Allow "from" accesses only for certain activities OR only to/from certain subnets/hosts/apps/users
▪ E.g., prevent outside access to subnet hosts except for mail server accesses

◼ Choice of default firewall behavior
1) Default permit
◼ "That which is not expressly forbidden is allowed"
2) Default deny
◼ "That which is not expressly allowed is forbidden"
◼ Users prefer default permit, security experts prefer default deny
◼ Sysadmin must make the choice
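The router ACL of Access controls (2) and the firewall policy choices above are both first-match rule evaluation with a default action. The following Python example is added here (it is not from the slides) to show both: the ACL "delete all packets from host S to host D", the policy "block outside access to the subnet except for the mail server, allow all access to the outside", and what each default does with a packet that no rule covers. The subnet, hosts, ports and packets are constructed for the demonstration.

```python
"""First-match packet filter with a configurable default action.

Added example (not from the slides). Models the router ACL "drop all packets
from host S to host D" and the firewall policy "block outside access to the
subnet except for the mail server, allow all access to the outside", then
shows how default permit and default deny treat a packet that no rule covers.
All addresses, ports and packets are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

INSIDE = "10.0.1.0/24"        # constructed protected subnet
MAIL_SERVER = "10.0.1.25/32"  # constructed mail server host
SMTP = 25


@dataclass(frozen=True)
class Packet:
    src: str    # source IP address
    dst: str    # destination IP address
    dport: int  # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "any"             # CIDR or "any"
    dst: str = "any"             # CIDR or "any"
    dport: Optional[int] = None  # None matches every port

    def matches(self, pkt: Packet) -> bool:
        return (_in_net(pkt.src, self.src) and _in_net(pkt.dst, self.dst)
                and (self.dport is None or pkt.dport == self.dport))


def _in_net(addr: str, cidr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def decide(rules: List[Rule], default: str, pkt: Packet) -> str:
    """Return "permit" or "deny": the first matching rule wins, otherwise
    the default action applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Router ACL from the slides: delete all packets from host S to host D.
S, D = "203.0.113.7", "10.0.1.10"   # constructed hosts
ROUTER_ACL = [Rule("deny", src=S + "/32", dst=D + "/32")]

# Firewall policy: anyone may reach the mail server on SMTP; inside hosts may
# go anywhere. Nothing else is covered, so the default decides the rest.
FIREWALL_RULES = [
    Rule("permit", dst=MAIL_SERVER, dport=SMTP),
    Rule("permit", src=INSIDE),
]


def uncovered_packet_decisions(pkt: Packet) -> dict:
    """Show the two default behaviours side by side for one packet."""
    return {default: decide(FIREWALL_RULES, default, pkt) for default in ("permit", "deny")}


if __name__ == "__main__":
    outside = "198.51.100.9"                                       # constructed outside host
    print(decide(ROUTER_ACL, "permit", Packet(S, D, 80)))                  # deny
    print(decide(FIREWALL_RULES, "deny", Packet(outside, "10.0.1.25", SMTP)))  # permit
    # A database host nobody wrote a rule for: exposed under default permit,
    # protected under default deny.
    print(uncovered_packet_decisions(Packet(outside, "10.0.1.50", 5432)))
```

The last call is the practical argument for default deny: an internal host that was added after the rules were written is reachable from outside under default permit and blocked under default deny, without anyone having to remember to add a rule for it.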
c. What firewalls can—and can't—block

▪ Firewalls are not a panacea - only a perimeter protection
▪ Points to remember about firewalls — see text, p. 466-467
▪ Can protect environment only if they control its whole perimeter
▪ Do not protect data outside the perimeter
▪ Are most visible subnet component – attractive attack targets
▪ Must be correctly configured, & config must be periodically updated
▪ Firewall platforms should not have any s/w that could help attacker who penetrates firewall in subsequent exploits
▪ Firewalls exercise very limited control over content they let in
▪ Other means of verifying/enforcing accuracy/correctness must be used inside perimeter
B.2. Intrusion Detection Systems
a. Introduction (1)
▪ It is better to prevent attack than to detect it after it succeeds
▪ Unfortunately, not all attacks can be prevented
◼ Some attackers become intruders — succeed in breaking defenses

◼ Intrusion prevention — first line of defense
◼ Intrusion detection — second line of defense
◼ Intrusion detection system (IDS) - a device (typically a separate computer) monitoring system activities to detect malicious / suspicious events
◼ IDSs attempt to detect
◼ Outsiders breaking into a system
OR
◼ Insiders (legitimate users) attempting illegitimate actions
◼ Accidentally OR deliberately
Introduction (3)

▪ IDS terminology
◼ Anomaly — abnormal behavior
◼ Might be either still legitimate OR illegitimate
◼ Misuse — activity that violates the security policy (subset of "anomaly" – anomaly that is illegitimate)
◼ Intrusion — misuse by outsiders and insiders
◼ Audit — activity of looking at user/system behavior, its effects, or collected data
◼ Profiling — looking at users or systems to determine what they usually do
b. Types of IDSs (1a)

▪ IDS types w.r.t. scope:
◼ Host-based
◼ Runs on a host
◼ Monitors activities on this host only
◼ Network-based
◼ Stand-alone device
◼ Monitors entire (sub)network
b. Types of IDSs (1b)

▪ IDS types w.r.t. their operation
i. Signature-based IDSs ("block only 'blacklisted' behavior")
◼ Models & looks for unacceptable system activities (= an attack)
◼ Each known attack characterized by its "signature" (pattern)
◼ To detect attack, matches current activities to known attack signatures
◼ Problem: Unable to detect new attacks (unknown signatures!)
ii. Anomaly-based (heuristic) IDSs ("allow only permitted behavior")
◼ Solves the above problem (but might generate more false alarms)
◼ Uses model of acceptable user activities
◼ Not models (signatures) of unacceptable system activities
◼ Raises alarm upon detection of deviation from model behavior
iii. Other IDS types
◼ E.g., hybrid IDSs (combining signature- and anomaly-based IDSs), immune-system-based IDSs
c. Goals for IDSs (1)

▪ IDS goals
1) Detect all attacks correctly
◼ Avoid false positives (false alarms)
◼ False alarms annoy sysadmins, users, ...
◼ Avoid false negatives (not recognizing attacks)
2) Little overhead / performance impact
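The two IDS types of the previous slide and the false-positive / false-negative goals above can be seen together on a small data set. The Python example below is added here (it is not from the slides): a signature detector matches known attack patterns, an anomaly detector flags sources whose request volume deviates from a profile, and an evaluation function counts true positives, false alarms and missed attacks for each, and for a hybrid of both. The log events, the baseline counts and the two signatures are constructed for the demonstration.

```python
"""Signature-based vs. anomaly-based detection over constructed web-server
log events, with false-positive / false-negative counts for each detector.

Added example (not from the slides). The log events, the baseline counts and
the two attack signatures are constructed for the demonstration.
"""
import re
import statistics
from collections import Counter
from typing import Dict, List, Set, Tuple

# Known-attack signatures (blacklisted patterns): directory traversal and
# one SQL injection form.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"(?i)union\s+select"),
}

# Profile of acceptable behaviour: requests per source in one time window,
# taken from quiet training traffic (constructed).
BASELINE_COUNTS = [3, 4, 5, 4, 3, 6, 4, 5, 3, 4]

# One observation window: (source address, request line, is_attack ground truth).
Event = Tuple[str, str, bool]
EVENTS: List[Event] = [
    ("10.0.1.5", "GET /index.html", False),
    ("10.0.1.5", "GET /about.html", False),
    ("10.0.1.6", "GET /index.html", False),
    ("10.0.1.6", "POST /login", False),
    ("10.0.1.7", "GET /news.html", False),
    ("203.0.113.7", "GET /../../etc/passwd", True),                 # known signature
    ("203.0.113.9", "GET /search?q=1 UNION SELECT user,pw", True),  # known signature
]
# A flood of ordinary-looking requests: an attack with no signature to match.
EVENTS += [("198.51.100.3", "GET /index.html", True)] * 30
# A legitimate but unusually busy user: normal requests, abnormal volume.
EVENTS += [("10.0.1.9", f"GET /report?page={n}", False) for n in range(12)]


def signature_alerts(events: List[Event]) -> Set[int]:
    """Flag every request that matches a known attack signature."""
    return {i for i, (_, request, _) in enumerate(events)
            if any(sig.search(request) for sig in SIGNATURES.values())}


def anomaly_alerts(events: List[Event], baseline: List[int]) -> Set[int]:
    """Flag every request from a source whose volume in this window deviates
    from the profile (more than three standard deviations above the mean)."""
    threshold = statistics.mean(baseline) + 3 * statistics.stdev(baseline)
    per_source = Counter(src for src, _, _ in events)
    return {i for i, (src, _, _) in enumerate(events) if per_source[src] > threshold}


def evaluate(alerts: Set[int], events: List[Event]) -> Dict[str, int]:
    """Compare alerts with ground truth: true positives, false positives
    (false alarms) and false negatives (missed attacks)."""
    attacks = {i for i, (_, _, is_attack) in enumerate(events) if is_attack}
    return {"tp": len(alerts & attacks),
            "fp": len(alerts - attacks),
            "fn": len(attacks - alerts)}


if __name__ == "__main__":
    sig, ano = signature_alerts(EVENTS), anomaly_alerts(EVENTS, BASELINE_COUNTS)
    print("signature:", evaluate(sig, EVENTS))        # misses the flood
    print("anomaly:  ", evaluate(ano, EVENTS))        # flags the busy legitimate user
    print("hybrid:   ", evaluate(sig | ano, EVENTS))  # catches everything, keeps the false alarms
```

The numbers reproduce the slides' trade-off: the signature detector has no false alarms but misses the whole flood because nothing in those requests is blacklisted, the anomaly detector catches the flood but also alarms on a legitimate heavy user and misses the two single-request attacks, and combining them removes the misses while keeping the anomaly detector's false alarms.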
B.3. Secure E-Mail
a. Introduction
▪ E-mail is the most heavily used network-based application
▪ Yet, ordinary e-mail is very public, exposed
▪ It has no C / I (confidentiality / integrity)
◼ Unencrypted message contents can be peeked at either in transit or by privileged users at destination host
Security for e-mail (2)

◼ Secure e-mail requirements:
◼ Msg confidentiality (protection from disclosure)
◼ Msg integrity (protection from modification)
◼ Sender authentication
◼ Non-repudiation (preventing denial by sender)

▪ Not every msg requires all 4 capabilities, but all 4 are needed to cover requirements of all kinds of msgs
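Of the four requirements, integrity and sender authentication can be demonstrated with nothing more than the Python standard library, and doing so also shows why they do not give non-repudiation. The example below is added here (it is not from the slides): an HMAC over the message fields detects modification and proves that someone holding the shared key produced the message, but because the recipient holds the same key, the recipient could have produced it too. The message fields, the parties and the key are constructed for the demonstration; confidentiality (encryption) and non-repudiation (a digital signature under a key only the sender holds) need primitives not shown here.

```python
"""Message integrity and sender authentication for e-mail-like messages with
an HMAC, and why a shared-key MAC alone gives no non-repudiation.

Added example (not from the slides); uses only the Python standard library.
The message fields, the shared key and the parties are constructed for the
demo. Confidentiality (encryption) and non-repudiation (a digital signature
under a key only the sender holds) need additional primitives not shown here.
"""
import hashlib
import hmac
import json
from typing import Dict


def _canonical(msg: Dict[str, str]) -> bytes:
    """Serialize the protected fields deterministically so both sides MAC the same bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(key: bytes, sender: str, recipient: str, body: str) -> Dict[str, str]:
    """Attach an HMAC-SHA256 tag over from/to/body using the key the two parties share."""
    msg = {"from": sender, "to": recipient, "body": body}
    msg["mac"] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return msg


def verify(key: bytes, sealed: Dict[str, str]) -> bool:
    """True only if the tag matches: the message was not modified in transit and
    was produced by someone holding the shared key."""
    fields = {k: v for k, v in sealed.items() if k != "mac"}
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed.get("mac", ""))


def recipient_can_forge(key: bytes) -> bool:
    """Both parties hold the key, so the recipient can produce a message that
    verifies as if it came from the sender: a MAC cannot prove to a third party
    who wrote it (no non-repudiation)."""
    forged = seal(key, "alice@example.org", "bob@example.org", "I approve the transfer")
    return verify(key, forged)


if __name__ == "__main__":
    shared = b"constructed-32-byte-shared-key-for-demo!"  # constructed; use a random key in practice
    msg = seal(shared, "alice@example.org", "bob@example.org", "Meeting at 10:00")
    print(verify(shared, msg))                   # True
    tampered = dict(msg, body="Meeting at 11:00")
    print(verify(shared, tampered))              # False: integrity violated
    print(verify(b"some-other-key", msg))        # False: not our sender's key
    print(recipient_can_forge(shared))           # True: no non-repudiation
```

`hmac.compare_digest` is used instead of `==` so that verification time does not depend on how many leading characters of a wrong tag happen to match.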
For more, go through chapter 7 of the book by Charles P. Pfleeger, Security in Computing, fourth edition, Prentice Hall

"I cannot teach anybody anything, I can only make them think." - Socrates

"The function of education is to teach one to think intensively and to think critically. Intelligence plus character - that is the goal of true education." - Martin Luther King, Jr.
