CH11 NetSec6e

The document discusses intruders and network security. It describes three classes of intruders: hackers, criminal hackers, and insider attackers. It then discusses various intrusion techniques like password guessing, and approaches to intrusion detection including statistical anomaly detection, rule-based detection, and analyzing audit records. Intrusion detection systems are designed to counter intruder threats and detect intrusions.

Network Security

Essentials

Sixth Edition

by William Stallings

© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.


Chapter 11
Intruders



Intruders
• Three classes of intruders: hackers, criminal hackers, and insider attackers



Examples of Intrusion
• Performing a remote root compromise of an e-mail server
• Defacing a Web server
• Guessing and cracking passwords
• Copying a database containing credit card numbers
• Viewing sensitive data, including payroll records and medical information, without authorization
• Running a packet sniffer on a workstation to capture usernames and passwords
• Using a permission error on an anonymous FTP server to distribute pirated software and music files
• Dialing into an unsecured modem and gaining internal network access
• Posing as an executive, calling the help desk, resetting the executive’s e-mail password, and learning the new password
• Using an unattended, logged-in workstation without permission



Hackers
• Traditionally, those who hack into computers do so for the thrill of it or for status
• Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are designed to counter hacker threats
• In addition to using such systems, organizations can consider restricting remote logons to specific IP addresses and/or use virtual private network technology

• CERTs
  • Computer emergency response teams
  • These cooperative ventures collect information about system vulnerabilities and disseminate it to systems managers
  • Hackers also routinely read CERT reports
  • It is important for system administrators to quickly insert all software patches to discovered vulnerabilities



Criminal hackers
• Organized groups of hackers
• Usually have specific targets, or at least classes of targets in mind
• Once a site is penetrated, the attacker acts quickly, scooping up as much valuable information as possible and exiting
• IDSs and IPSs can be used for these types of attackers, but may be less effective because of the quick in-and-out nature of the attack



Insider Attacks
• Among the most difficult to detect and prevent

• Can be motivated by revenge or simply a feeling of entitlement

• Countermeasures:



Intrusion Techniques
• Objective of the intruder is to gain access to a system or to increase the range of privileges accessible on a system
• Most initial attacks use system or software vulnerabilities that allow a user to execute code that opens a backdoor into the system
• Ways to protect a password file:



Password Guessing
1. Try default passwords used with standard accounts that are shipped with the system. Many administrators do not bother to change these defaults.
2. Exhaustively try all short passwords (those of one to three characters).
3. Try words in the system’s online dictionary or a list of likely passwords. Examples of the latter are readily available on hacker bulletin boards.
4. Collect information about users, such as their full names, the names of their spouse and children, pictures in their office, and books in their office that are related to hobbies.
5. Try users’ phone numbers, Social Security numbers, and room numbers.
6. Try all legitimate license plate numbers for this state.
7. Use a Trojan horse to bypass restrictions on access.
8. Tap the line between a remote user and the host system.
Intrusion Detection
• A system’s second line of defense
• Is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified
• Considerations:
  • If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised
  • An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions
  • Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility
Approaches to Intrusion Detection
• Statistical anomaly detection
  • Involves the collection of data relating to the behavior of legitimate users over a period of time
  • Then statistical tests are applied to observed behavior to determine whether that behavior is not legitimate user behavior
  • Threshold detection
    • This approach involves defining thresholds, independent of user, for the frequency of occurrence of various events
  • Profile based
    • A profile of the activity of each user is developed and used to detect changes in the behavior of individual accounts

• Rule-based detection
  • Involves an attempt to define a set of rules or attack patterns that can be used to decide that a given behavior is that of an intruder
  • Often referred to as signature detection



Audit Records
• Fundamental tool for intrusion detection



Statistical Anomaly Detection
• Threshold detection
  • Involves counting the number of occurrences of a specific event type over an interval of time
  • If the count surpasses what is considered a reasonable number that one might expect to occur, then intrusion is assumed
  • By itself is a crude and ineffective detector of even moderately sophisticated attacks
• Profile-based
  • Focuses on characterizing the past behavior of individual users or related groups of users and then detecting significant deviations
  • A profile may consist of a set of parameters, so that deviation on just a single parameter may not be sufficient in itself to signal an alert
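An added illustration of both techniques on this slide, written for these notes rather than taken from the textbook: threshold detection counts one event type over an interval regardless of user, while profile-based detection keeps a per-user mean and standard deviation for several parameters and alerts only when more than one parameter deviates. The audit records, user names and parameter names are constructed.

```python
from statistics import mean, pstdev

# Constructed sample data (not from the textbook): one hour of
# (user, event type) audit records and five days of per-user counters.
HOUR_EVENTS = ([("alice", "login_fail")] * 7 + [("bob", "login_fail")] * 2
               + [("bob", "file_read")] * 30)
ALICE_HISTORY = [
    {"logins": 2, "files_read": 40, "mb_out": 5},
    {"logins": 3, "files_read": 35, "mb_out": 4},
    {"logins": 2, "files_read": 45, "mb_out": 6},
    {"logins": 2, "files_read": 38, "mb_out": 5},
    {"logins": 3, "files_read": 42, "mb_out": 5},
]
ALICE_ONE_OUTLIER = {"logins": 2, "files_read": 60, "mb_out": 5}
ALICE_BULK_EXPORT = {"logins": 9, "files_read": 400, "mb_out": 120}


def threshold_detect(events, event_type, threshold):
    """Threshold detection: count one event type over the interval,
    independent of user, and alarm when the count exceeds the threshold."""
    count = sum(1 for _, etype in events if etype == event_type)
    return count > threshold, count


def build_profile(history):
    """Profile-based detection, step 1: per-parameter mean and population
    standard deviation from a user's past daily activity vectors."""
    return {p: (mean(d[p] for d in history), pstdev(d[p] for d in history))
            for p in history[0]}


def profile_detect(profile, today, z_limit=3.0, min_params=2):
    """Step 2: compare today's vector with the profile. Alert only when at
    least min_params parameters deviate by more than z_limit standard
    deviations, so a single outlying parameter does not raise an alarm."""
    deviating = []
    for p, (mu, sigma) in profile.items():
        sigma = sigma or 1.0  # constant parameter in history: avoid div by zero
        if abs(today[p] - mu) / sigma > z_limit:
            deviating.append(p)
    return len(deviating) >= min_params, deviating


if __name__ == "__main__":
    print("failed logins:", threshold_detect(HOUR_EVENTS, "login_fail", 5))
    prof = build_profile(ALICE_HISTORY)
    print("one outlier:", profile_detect(prof, ALICE_ONE_OUTLIER))
    print("bulk export:", profile_detect(prof, ALICE_BULK_EXPORT))
```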



Table 11.1
Measures That May Be Used for Intrusion Detection
(This table can be found on page 371 in the textbook.)

Rule-Based Intrusion Detection
• Techniques detect intrusion by observing events in the system and applying a set of rules that lead to a decision regarding whether a given pattern of activity is or is not suspicious
• Rule-based anomaly detection
  • Is similar in terms of its approach and strengths to statistical anomaly detection
  • Historical audit records are analyzed to identify usage patterns and to automatically generate rules that describe those patterns
  • Current behavior is then observed, and each transaction is matched against the set of rules to determine if it conforms to any historically observed pattern of behavior
  • In order for this approach to be effective, a rather large database of rules will be needed
Rule-Based Intrusion Detection
• Rule-based penetration identification
  • Typically, the rules used in these systems are specific to the machine and operating system
  • The most fruitful approach to developing such rules is to analyze attack tools and scripts collected on the Internet
  • These rules can be supplemented with rules generated by knowledgeable security personnel

• USTAT
  • A model independent of specific audit records
  • Deals in general actions rather than the detailed specific actions recorded by the UNIX auditing mechanism
  • Implemented on a SunOS system that provides audit records on 239 events
Table 11.2
USTAT Actions versus SunOS Event Types



Base-Rate Fallacy
• To be of practical use, an intrusion detection system should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level
  • If only a modest percentage of actual intrusions are detected, the system provides a false sense of security
  • If the system frequently triggers an alert when there is no intrusion, then either system managers will begin to ignore the alarms or much time will be wasted analyzing the false alarms

• Because of the nature of the probabilities involved, it is very difficult to meet the standard of a high rate of detections with a low rate of false alarms
  • If the actual number of intrusions is low compared to the number of legitimate uses of a system, then the false alarm rate will be high unless the test is extremely discriminating

• See Appendix J for a brief background on the mathematics of this problem
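A worked version of this argument, added here and not taken from the textbook or its Appendix J: Bayes' rule gives P(intrusion | alarm) from the base rate of intrusions, the detection rate and the false alarm rate. The base rate of one intrusion per 10,000 audited sessions is a constructed figure.

```python
def alarm_precision(base_rate, detection_rate, false_alarm_rate):
    """P(intrusion | alarm) by Bayes' rule.

    base_rate        P(intrusion) for one audited record or session
    detection_rate   P(alarm | intrusion)
    false_alarm_rate P(alarm | no intrusion)
    """
    true_alarms = detection_rate * base_rate
    false_alarms = false_alarm_rate * (1.0 - base_rate)
    return true_alarms / (true_alarms + false_alarms)


def required_false_alarm_rate(base_rate, detection_rate, target_precision):
    """Largest P(alarm | no intrusion) that still achieves target_precision;
    solves precision = TP / (TP + FP) for the false alarm rate."""
    true_alarms = detection_rate * base_rate
    return (true_alarms * (1.0 - target_precision)
            / (target_precision * (1.0 - base_rate)))


if __name__ == "__main__":
    base = 1e-4  # constructed: one intrusion per 10,000 audited sessions
    # Even with 99% detection, a 1% false alarm rate means fewer than 1 in
    # 100 alarms is a real intrusion; the false alarm rate has to fall to
    # the order of the base rate itself before alarms become trustworthy.
    for fpr in (1e-2, 1e-3, 1e-4, 1e-5):
        p = alarm_precision(base, 0.99, fpr)
        print(f"false alarm rate {fpr:g}: P(intrusion | alarm) = {p:.4f}")
    need = required_false_alarm_rate(base, 0.99, 0.5)
    print(f"false alarm rate needed for 50% precision: {need:.2e}")
```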



Distributed Intrusion Detection
• Traditional systems focused on single-system stand-alone facilities
• The typical organization, however, needs to defend a distributed collection of hosts supported by a LAN or internetwork
• A more effective defense can be achieved by coordination and cooperation among intrusion detection systems across the network

• Major design issues:



Honeypots
• Decoy systems that are designed to lure a potential attacker away from critical systems
• Because any attack against the honeypot is made to seem successful, administrators have time to mobilize and log and track the attacker without ever exposing productive systems
• Recent research has focused on building entire honeypot networks that emulate an enterprise, possibly with actual or simulated traffic and data



Intrusion detection exchange format
• To facilitate the development of distributed intrusion detection systems that can function across a wide range of platforms and environments, standards are needed to support interoperability
• IETF Intrusion Detection Working Group
  • Purpose of the group is to define data formats and exchange procedures for sharing information of interest to intrusion detection with response systems and to management systems that may need to interact with them
  • Have issued the following RFCs:
    • Intrusion Detection Message Exchange Requirements (RFC 4766)
    • The Intrusion Detection Message Exchange Format (RFC 4765)
    • The Intrusion Detection Exchange Protocol (RFC 4767)
Password Management
• Front line of defense against intruders
• Virtually all multiuser systems require that a user provide not only a name or identifier (ID) but also a password
• Password serves to authenticate the ID of the individual logging on to the system
• The ID provides security by:
  • Determining whether the user is authorized to gain access to a system
  • Determining the privileges accorded to the user
  • Used in discretionary access control



Attack strategies and countermeasures





Unix implementations
• crypt(3)
  • Was designed to discourage guessing attacks
  • This particular implementation is now considered inadequate
  • Despite its known weaknesses, this UNIX scheme is still often required for compatibility with existing account management software or in multivendor environments

• MD5 secure hash algorithm
  • The recommended hash function for many UNIX systems, including Linux, Solaris, and FreeBSD
  • Far slower than crypt(3)

• Bcrypt
  • Developed for OpenBSD
  • Probably the most secure version of the UNIX hash/salt scheme
  • Uses a hash function based on the Blowfish symmetric block cipher
  • Slow to execute
  • Includes a cost variable
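An added illustration of the hash/salt scheme with a cost variable described on this slide, written for these notes and not taken from the textbook or from any crypt(3), MD5-crypt or bcrypt implementation: SHA-256 stands in for the real hash functions, the record layout is loosely modeled on the `$id$salt$hash` form used by modern crypt(3) implementations, and the `salted_hash`, `make_record` and `verify` names are this example's own.

```python
import hashlib
import hmac
import os

# Illustrative only: shows the salt and cost mechanics of the UNIX
# hash/salt schemes; it is not crypt(3), MD5-crypt or bcrypt.


def salted_hash(password: bytes, salt: bytes, cost: int) -> bytes:
    """Hash password with salt for 2**cost rounds. Each +1 on cost doubles
    the work needed to test one guess, which is what the bcrypt cost
    variable buys; the salt makes precomputed dictionaries useless because
    the same password hashes differently under every salt."""
    digest = hashlib.sha256(salt + password).digest()
    for _ in range(2 ** cost):
        digest = hashlib.sha256(digest + salt).digest()
    return digest


def make_record(password: bytes, cost: int = 10) -> str:
    """Store cost and salt next to the hash so they can be read back
    at verification time: $cost$salt$hash (assumed layout)."""
    salt = os.urandom(16)
    return f"${cost}${salt.hex()}${salted_hash(password, salt, cost).hex()}"


def verify(password: bytes, record: str) -> bool:
    """Recompute with the stored salt and cost and compare in constant time."""
    _, cost, salt_hex, digest_hex = record.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex), int(cost))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    rec_a = make_record(b"correct horse", cost=8)
    rec_b = make_record(b"correct horse", cost=8)
    print("same password, different salts, different records:", rec_a != rec_b)
    print("verify right password:", verify(b"correct horse", rec_a))
    print("verify wrong password:", verify(b"Correct horse", rec_a))
```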
Table 11.3
Passwords Cracked from a Sample Set of 13,797 Accounts [KLEI90]
(This table can be found on page 386 in the textbook.)

* Computed as the number of matches divided by the search size. The more words that needed to be tested for a match, the lower the cost/benefit ratio.
Password selection strategies
• The goal is to eliminate guessable passwords while allowing the user to select a password that is memorable
• Four basic techniques are in use:



Summary
• Intruders
  • Behavior patterns
  • Intrusion techniques
• Intrusion detection
  • Audit records
  • Statistical anomaly detection
  • Rule-based intrusion detection
  • The base-rate fallacy
  • Distributed intrusion detection
  • Honeypots
  • Intrusion detection exchange format
• Password management
  • The vulnerability of passwords
  • The use of hashed passwords
  • User password choices
  • Password selection strategies
  • Bloom filter

