Information Systems Security
Arrianto Mukti Wibowo, M.Sc., Faculty of Computer Science
University of Indonesia
Network Security
Firewall Terms
• Network address translation (NAT)
– Internal addresses unreachable from external network
• DMZ - De-Militarized Zone
– Hosts that are directly reachable from untrusted networks
• ACL - Access Control List
– can be a router or firewall term
Firewall Terms
• Choke, Choke router
– A router with packet filtering rules (ACLs) enabled
• Gate, Bastion host, Dual Homed Host
– A server that provides packet filtering and/or proxy services
• Proxy server
– A server that provides application proxies
Firewall types
• Packet-filtering router
– Most common
– Uses Access Control Lists (ACL)
• Port
• Source/destination address
• Screened host
– Packet-filtering and bastion host
– Application layer proxies
• Screened subnet (DMZ)
– 2 packet filtering routers and bastion host(s)
– Most secure
Firewall mechanisms
• Proxy servers
– An intermediary that wraps the message, so a computer on the Internet does not know who sent it from the Intranet. Only the proxy firewall knows!
– There are 2 kinds:
• application level: one proxy for each service
• circuit level: sits at a lower OSI layer, cannot see the contents of the packet
• Stateful Inspection
– There is an element of “remembering”
– State and context analyzed on every packet in connection
– So if Badu sends a request to the Internet through UDP port 25, the firewall records it. Later, when a reply for Badu arrives, the firewall checks its earlier record and of course allows it
– Possibly vulnerable to DoS
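The two mechanisms above can be put side by side in a few lines. The following is an added example, not code from the lecture: a stateless ACL of the kind a packet-filtering router applies, and a stateful wrapper that records outbound flows so replies are admitted, as in the Badu scenario. The addresses, rules and the three-entry state table are constructed values; the tiny table makes visible why a state table is a DoS exposure: once it is full, new legitimate flows are refused.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


# Constructed ACL for a packet-filtering router: ordered rules, first match wins.
# Fields: (action, source prefix, destination prefix, protocol, destination port);
# None is a wildcard. The addresses are example values, not a real deployment.
ACL = [
    ("deny",  "10.0.0.0/8", None, "tcp", 23),   # block outbound telnet
    ("allow", "10.0.0.0/8", None, None, None),  # intranet hosts may initiate outbound
    ("deny",  None, None, None, None),          # everything else, i.e. unsolicited inbound
]


def in_prefix(ip, prefix):
    return prefix is None or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)


def acl_decision(pkt):
    """Stateless decision: look only at this packet's own header fields."""
    for action, src, dst, proto, dport in ACL:
        if (in_prefix(pkt.src, src) and in_prefix(pkt.dst, dst)
                and proto in (None, pkt.proto) and dport in (None, pkt.dport)):
            return action
    return "deny"


class StatefulFirewall:
    """ACL plus a state table: replies to recorded flows are allowed even though
    the ACL alone would drop them. The table is finite, which is the DoS exposure."""

    def __init__(self, max_states=3):
        self.states = set()
        self.max_states = max_states

    def filter(self, pkt):
        # A reply swaps source and destination; admit it if the outbound flow was recorded.
        reply_of = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if reply_of in self.states:
            return "allow (matches recorded flow)"
        decision = acl_decision(pkt)
        if decision == "allow":
            if len(self.states) >= self.max_states:
                return "deny (state table full)"
            self.states.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
        return decision


if __name__ == "__main__":
    fw = StatefulFirewall()
    print(fw.filter(Packet("10.0.0.5", "198.51.100.1", "udp", 4000, 25)))   # allow
    print(fw.filter(Packet("198.51.100.1", "10.0.0.5", "udp", 25, 4000)))   # reply admitted
    print(fw.filter(Packet("198.51.100.1", "10.0.0.6", "udp", 25, 4000)))   # unsolicited: deny
```

In a real firewall the state entries also expire after a timeout; without that, the table fills even faster under a flood of spoofed flows.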
Jenis Proxy
• Application level:
– Transfers & copies from one network to another
– One service, one kind of proxy server
– Can monitor in more detail than circuit level
– Slower
• Circuit Level:
– Sits at a lower layer
– Can control security for a variety of protocols
– Does not provide detailed control over content at the application layer
– Example: a SOCKS server, placed behind the router, where every client must use SOCKS client software
Readings on Firewalls
• Please read “Firewalls” handout for more details
Intrusion Detection (IDS)
• Host or network based
• Context and content monitoring
• Positioned at network boundaries
• Basically a sniffer with the capability to detect traffic patterns known as attack signatures
Jenis IDS
• Network-based IDS
– Usually sits on a particular network segment and monitors that segment
– Usually runs in a network device that “listens” to and analyzes network packets in real time
• Host-based IDS
– Uses a small program on the host computer that monitors the operating system
– Writes to a log file and can trigger an alarm
– Only detects anomalies on the host computer, not on the network
Knowledge-based and Behavior-based IDS
• Knowledge-based IDS:
– Low false alarms
– Warnings are easy for the operator to understand (because they are based on a database)
• Behavior-based IDS:
– Not closely tied to a particular operating system
– Can recognize a new kind of attack
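The contrast between the two IDS styles is easiest to see on data. Below is an added example, not from the lecture, that runs both over constructed web-server access lines: the knowledge-based detector matches a small signature database and produces a named alert the operator can read, while the behavior-based detector compares each host's request count with a learned baseline and flags the host sweeping unknown paths, for which no signature exists. The log lines, signatures, baseline figures and the three-sigma threshold are all assumptions made for the example.

```python
import re
import statistics
from collections import Counter

# Constructed web-server access lines: host, method, path, status. Not real traffic.
NORMAL = [
    "10.0.0.7 GET /index.html 200",
    "10.0.0.7 GET /about.html 200",
    "10.0.0.7 GET /contact.html 200",
]
KNOWN_BAD = [
    "10.0.0.9 GET /cgi-bin/../../etc/passwd 404",
    "10.0.0.9 GET /login?user=admin' OR 1=1-- 500",
]
# A sweep of unknown paths: no signature matches, but the volume is abnormal.
SWEEP = [f"10.0.0.11 GET /probe{i} 404" for i in range(30)]
LOG = NORMAL + KNOWN_BAD + SWEEP

# Knowledge base: each entry carries a name that appears in the alert text.
SIGNATURES = [
    ("directory traversal", re.compile(r"\.\./")),
    ("SQL injection", re.compile(r"'\s+OR\s+", re.IGNORECASE)),
]

# Constructed baseline: requests per host observed in a quiet reference period.
BASELINE = {"10.0.0.1": 20, "10.0.0.2": 22, "10.0.0.3": 18, "10.0.0.4": 21}


def signature_alerts(lines):
    """Knowledge-based detection: match every line against the signature database.
    Returns (signature name, offending line) pairs; misses anything not in the database."""
    return [(name, line) for line in lines for name, pat in SIGNATURES if pat.search(line)]


def behavior_alerts(lines, baseline=BASELINE, sigmas=3):
    """Behavior-based detection: flag hosts whose request count lies more than
    `sigmas` standard deviations above the baseline mean. Catches novel activity,
    but the alert only says 'unusual volume', not what the attack is."""
    mean = statistics.mean(baseline.values())
    sd = statistics.pstdev(baseline.values())
    threshold = mean + sigmas * sd
    counts = Counter(line.split()[0] for line in lines)
    return sorted(host for host, n in counts.items() if n > threshold)


if __name__ == "__main__":
    for name, line in signature_alerts(LOG):
        print(f"[signature] {name}: {line}")
    for host in behavior_alerts(LOG):
        print(f"[behavior] unusual request volume from {host}")
```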
Web Security
• Secure Sockets Layer (SSL)
– Transport layer security (TCP based)
– Widely used for web based applications
– by convention, https://
• Secure Hypertext Transfer Protocol (S-HTTP)
– Less popular than SSL
– Used for individual messages rather than sessions
• Secure Electronic Transactions (SET)
– PKI
– Financial data
– Supported by VISA, MasterCard, Microsoft, Netscape
IPSEC
• IP Security
– Set of protocols developed by IETF
– Standard used to implement VPNs
– Two modes
– Transport Mode
• encrypted payload (data), clear text header
– Tunnel Mode
• encrypted payload and header
– IPSEC requires shared public key
Common Attacks
• This section covers common hacker attacks
• No need to understand them completely, need to be able to recognize the name and basic premise
Spoofing
• TCP Sequence number prediction
• UDP - trivial to spoof (connectionless)
• DNS - spoof/manipulate IP/hostname pairings
• Source Routing
Sniffing
• Passive attack
• Monitor the “wire” for all traffic - most effective in shared media networks
• Sniffers used to be “hardware”, now are a standard software tool
Session Hijacking
• Uses sniffer to detect sessions, get pertinent session info (sequence numbers, IP addresses)
• Actively injects packets, spoofing the client side of the connection, taking over session with server
• Bypasses I&A controls
• Encryption is a countermeasure, stateful inspection can be a countermeasure
IP Fragmentation
• Use fragmentation options in the IP header to force data in the packet to be overwritten upon reassembly
• Used to circumvent packet filters
IDS Attacks
• Insertion Attacks
– Insert information to confuse pattern matching
• Evasion Attacks
– Trick the IDS into not detecting traffic
– Example - Send a TCP RST with a TTL setting such that the packet expires prior to reaching its destination
Syn Floods
• Remember the TCP handshake?
– Syn, Syn-Ack, Ack
• Send a lot of Syns
• Don’t send Acks
• Victim has a lot of open connections, can’t accept any more incoming connections
• Denial of Service
Telecom/Remote Access Security
• Dial up lines are favorite hacker target
– War dialing
– social engineering
• PBX is a favorite phreaker target
– blue box, gold box, etc.
– Voice mail
Virtual Private Networks
• PPTP - Point to Point Tunneling Protocol
– Microsoft standard
– creates VPN for dial-up users to access intranet
• SSH - Secure Shell
– allows encrypted sessions, file transfers
– can be used as a VPN
• Please read VPN handout
RAID
• Redundant Array of Inexpensive (or Independent) Disks - 7 levels
– Level 0 - Data striping (spreads blocks of each file across multiple disks)
– Level 1 - Provides disk mirroring
– Level 3 - Same as 0, but adds a disk for error correction
– Level 5 - Data striping at byte level, error correction too
Cabling Failures
• Coaxial - These are coaxial cables with many workstations/servers attached. Do not exceed the specified length.
• Twisted Pair - CAT3 and CAT5. The difference is how tightly the copper wires are wound. The tightness determines the cable’s resistance to interference, the allowable distance, and the data’s transmission speed before attenuation. Cable length is the most common failure here.
• Fiber Optic - Can carry a heavy load much more easily than copper types. Commonly used for infrastructure backbones, server farms, or connections that need large amounts of bandwidth. Drawbacks are cost and the high level of expertise needed for the install.
General Classes of Network Abuse
• Class A: Unauthorized access of restricted network services
– This type of usage is called logon abuse. It refers to legitimate users accessing networked services that would normally be restricted to them. Unlike network intrusion, this type of abuse focuses primarily on those users who may be internal to the network, legitimate users of a different system, or users who have a lower security classification.
• Class B: Unauthorized use of a network for nonbusiness purposes
– This style of network abuse refers to nonbusiness or personal use of a network by otherwise authorized users, such as internet surfing to inappropriate content sites (porn sites etc.). According to the ISC2 code of ethics, the use of networked services for other than business purposes is abuse.
• Class C: Eavesdropping
– This type of network attack consists of unauthorized interception of network traffic. Eavesdropping attacks occur through the interception of network traffic, such as sniffing. Tapping refers to the physical interception of a transmission medium (like splicing of cable).
– Passive eavesdropping - covertly monitoring or listening to transmissions that are unauthorized by either sender or receiver
– Active eavesdropping - tampering with a transmission to create a covert signaling channel, or actively probing the network for infrastructure information.
• Class D: Denial Of Service and other disruptions
– These attacks create service outages due to the saturation of networked resources. This saturation can be aimed at network devices, servers, or bandwidth. This attack can also be used as a diversion to enable an intentional hack to gain info from a different part of the system by diverting the company’s information technology resources elsewhere.
• Class E: Network Intrusion
– This type of attack refers to the use of unauthorized access to break into a network from the outside. Unlike a login abuse attack, the intruders are not considered to be known to the company. Also known as a penetration attack, it exploits known security vulnerabilities.
• Spoofing
• Piggybacking-refers to an attacker gaining unauthorized access by using a legit account.
• Backdoors-Intrusions via dial up or external network connections.
• Class F: Probing
– An active variation of eavesdropping. It is usually used to give an attacker a road map of the network in preparation for an intrusion or a DoS attack. It can list available services. If you’re inside the network you can use a sniffer to see what services are being utilized, and thus acquire knowledge of what services to exploit.
– Probing can be manual or automatic. Manual checks are performed using telnet for banner grabbing. Automated checks use a tool such as nmap.
Types of Denial of Service
• Common ones
– filling up the target’s hard drive using email attachments or large transfers
– sending a message which resets a target host’s subnet mask.
– using up all of a target’s resources for accepting network connections, resulting in additional requests being denied.
Types of Denial of Service (2)
• Buffer overflow - when a process receives more data than expected and has no way to deal with the excess data
• SYN attack - when an attacker floods a target with SYNs, but does not respond when the target system sends an ACK back for those requests. This causes the target system to “time out” while waiting for the proper response.
• Teardrop attack - Consists of modifying the length and fragmentation offset fields in sequential IP packets. The target system becomes confused and crashes after it receives contradictory instructions on how the fragments are offset in these packets.
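Both the IP fragmentation slide and the teardrop description above come down to the same condition: fragments whose offset and length make them overlap, so reassembly would overwrite bytes already received. The following added example, not from the lecture, shows the check a packet filter or IDS can apply before forwarding or reassembling: classify a fragment set as complete, incomplete or overlapping, and only join the payloads when the set is clean. Fragments are modelled as (offset, payload, more-fragments) tuples with byte offsets rather than the 8-byte units of the real IP header, and all fragment values are constructed.

```python
# Fragment model for the example: (offset_bytes, payload_bytes, more_fragments).
# Real IP offsets are in 8-byte units; plain byte offsets are used here for readability.


def classify_fragments(frags):
    """Return 'complete', 'incomplete' or 'overlap'.

    A filter or IDS should drop an 'overlap' set rather than guess which bytes the
    end host will keep; different stacks resolve overlaps differently, which is exactly
    what evasion and teardrop-style packets rely on."""
    if not frags:
        return "incomplete"
    frags = sorted(frags, key=lambda f: f[0])
    expected = 0  # next byte offset we have not yet seen
    for offset, payload, _more in frags:
        if offset < expected:
            return "overlap"       # this fragment would rewrite bytes already received
        if offset > expected:
            return "incomplete"    # a gap: still waiting for a fragment
        expected = offset + len(payload)
    # Everything is contiguous; the datagram is whole only if the last piece says so.
    return "incomplete" if frags[-1][2] else "complete"


def reassemble(frags):
    """Join payloads only for a clean, complete fragment set; otherwise return None."""
    if classify_fragments(frags) != "complete":
        return None
    return b"".join(payload for _, payload, _ in sorted(frags, key=lambda f: f[0]))


# Constructed fragment sets.
GOOD = [(0, b"A" * 16, True), (16, b"B" * 8, False)]          # normal two-piece datagram
OUT_OF_ORDER = [(16, b"B" * 8, False), (0, b"A" * 16, True)]  # same datagram, arrived reversed
OVERLAPPING = [(0, b"A" * 24, True), (16, b"B" * 16, False)]  # second piece starts inside the first
PARTIAL = [(0, b"A" * 16, True)]                              # last fragment never arrived

if __name__ == "__main__":
    for name, fs in [("good", GOOD), ("reversed", OUT_OF_ORDER),
                     ("overlapping", OVERLAPPING), ("partial", PARTIAL)]:
        print(name, classify_fragments(fs), reassemble(fs))
```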
Types of Denial of Service (3)
• Smurf - Uses a combination of IP spoofing and ICMP to saturate a target network with traffic. It consists of 3 elements: the source site, the bounce site, and the target site. The attacker (source site) sends a spoofed ping packet to the broadcast address of a large network (bounce site). This modified packet contains the address of the target site. This causes the bounce site to broadcast the misinformation to all of the devices on its local network. All of these devices now respond with a reply to the target system, which is then saturated with those replies.
Active Attacks
• Brute force attacks
• Masquerading
• Packet replay
• Message modification
• Unauthorized access of network service
• Spoofing
• Denial of Service
Passive Attacks
• Network Analysis
• Eavesdropping
• Traffic Analysis
Remote Access Security
Remote access security
• Today’s organizations require remote access connectivity to their information resources for different types of users such as employees, vendors, consultants, business partners and customer representatives.
• In providing this capability, a variety of methods and procedures are available to satisfy an organization’s business need for this level of access.
Example of Remote Access with a VPN
Remote Access Protocols
• SLIP - Serial Line Internet Protocol
• PPP - Point to Point Protocol
– SLIP/PPP about the same, PPP adds error checking, SLIP obsolete
• PAP - Password authentication protocol
– clear text password & user ID
• CHAP - Challenge Handshake Auth. Prot.
– Encrypted password
– Challenge & response
– DSL, cable and ISDN
Remote Access Protocols
• TACACS, TACACS+
– Terminal Access Controller Access Control System
– Event logging
– Network devices query TACACS server to verify passwords
– The TACACS server holds a network ACL
– TACACS+
• From CISCO
• adds ability for two-factor (dynamic) passwords
• Users can change their password
• Radius
– IETF standard
– Remote Auth. Dial-In User Service
Remote access security risks
• Denial of service
• Malicious third parties
• Misconfigured communications software
• Misconfigured devices on the corporate computing infrastructure
• Host systems not secured appropriately
• Physical security issues over remote users’ computers
Remote access security controls
• Policy and standards
• Proper authorizations
• Identification and authentication mechanisms
• Encryption tools and techniques, such as the use of VPN
• System and network management
Remote Access Security Methods
• Restricted access
– Filters out unauthorized users based on source IP. This procedure authenticates the node; it is not a user authentication method.
• Caller ID
– Checks incoming phone number against an approved phone list. Very hard to defeat. Hard to administer for traveling users who call from hotels while on vacation.
• Callback
– User attempting to initiate the session supplies a password and some type of id code. The access server then hangs up and calls the user back to verify they called from that number. Again, this is node authentication, not user authentication.
Monitoring Systems Access
Activity Monitoring Mechanisms
• Compare users’ activity patterns. This can include:
– pattern of program execution
– pattern of where they access/log in from
– pattern of activity times
• Can look at the billing, which suddenly jumps very high
• Can use the operating system’s system log, including attempts
• Use the ps command, then look at which processes are permitted.
• Can also use a dedicated program to do the monitoring.
• Use the logs from firewalls.
Audit logging
• Provides to the management an audit trail to monitor activities of a suspicious nature, such as a hacker attempting brute force attacks on a privileged logon ID
• A periodic review of system-generated logs can detect security problems, including attempts to exceed access authority or gain system access during unusual hours
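The monitoring mechanisms (comparing a user's login-location and activity-time patterns) and the audit-logging slide (a brute-force attempt on a privileged ID, access during unusual hours) describe the same periodic log review. Here is an added example, not from the lecture, that performs that review over a constructed authentication log: it finds (user, source) pairs with a burst of failures inside a sliding window, lists successful logins outside the expected working hours, and singles out a success that immediately follows a failure burst, which is the entry an operator should read first. The log format, the 5-failures-in-5-minutes threshold and the 08:00 to 18:00 window are assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log: timestamp, result, user, source address. Not real data.
AUTH_LOG = [
    "2024-03-01T09:02:11 OK alice 10.0.0.5",
    "2024-03-01T02:13:05 FAIL root 203.0.113.5",
    "2024-03-01T02:13:07 FAIL root 203.0.113.5",
    "2024-03-01T02:13:09 FAIL root 203.0.113.5",
    "2024-03-01T02:13:12 FAIL root 203.0.113.5",
    "2024-03-01T02:13:15 FAIL root 203.0.113.5",
    "2024-03-01T02:13:18 OK root 203.0.113.5",
    "2024-03-01T14:30:00 OK bob 10.0.0.8",
    "2024-03-01T23:45:00 OK alice 10.0.0.5",
]


def parse(lines):
    """Turn raw lines into (timestamp, result, user, source) tuples in time order."""
    events = []
    for line in lines:
        ts, result, user, src = line.split()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return sorted(events)


def brute_force_candidates(events, threshold=5, window=timedelta(minutes=5)):
    """(user, source) pairs with at least `threshold` failures inside one sliding window."""
    fails = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            fails[(user, src)].append(ts)
    hits = set()
    for key, times in fails.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits.add(key)
                break
    return sorted(hits)


def off_hours_logins(events, start_hour=8, end_hour=18):
    """Successful logins outside the expected activity-time pattern."""
    return [(user, ts.isoformat())
            for ts, result, user, src in events
            if result == "OK" and not start_hour <= ts.hour < end_hour]


def success_after_burst(events, bursts):
    """Successful logins for a (user, source) pair that also produced a failure burst."""
    bursts = set(bursts)
    return sorted({(user, src) for _, result, user, src in events
                   if result == "OK" and (user, src) in bursts})


if __name__ == "__main__":
    ev = parse(AUTH_LOG)
    bursts = brute_force_candidates(ev)
    print("failure bursts:", bursts)
    print("off-hours logins:", off_hours_logins(ev))
    print("successes following a burst:", success_after_burst(ev, bursts))
```

Run on a real system the same three questions would be asked of the OS authentication log and the firewall log mentioned on the monitoring slide; only the parser changes.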
Tools for audit trails (logs) analysis
• Audit reduction tools
• Trends/variance-detection tools
• Attack signature-detection tools
Security Protocols
Where are they used?
• Browsers, especially secure websites with SSL
• Payment systems, SET (although several pilot projects failed. UI researched SET in 1998-1999)
• Secure e-mail (S/MIME, PGP)
• Document signing and digital contracts
• VPN, Intranet
• Secure wireless networks (including WAP)
• Smartcard applications
• Extranets and distribution/supply chain information systems
• Timestamping services and digital notaries
Security in Network Protocols
Backups
Backup
• Benefits:
– to restore the system if the system is destroyed
– as forensic material, especially for determining when and how the attacker attacked the system.
• There are full backups and incremental/differential backups.
• Most recent backup = last full backup + ∆d, where ∆d is the differential backup.
Jenis Backup
• Full-backup
• Incremental backup:
– copies only files that have been recently added or changed that day
– Ignores any other backup set
• Differential backup
– copies all files that have changed since last full backup was performed
– It is additive: today’s backup plus all other changes since the full backup
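The difference between the two backup types is really a difference in what must be read back at restore time. The following added example, not from the lecture, models a Sunday full backup followed by three days of changes, builds the incremental and differential sets for each day, and shows the restore plan each strategy needs: every incremental since the full, or just the full plus the latest ∆d, exactly as the formula on the previous slide says. The file names and contents are constructed.

```python
# Constructed history: the state captured by the Sunday full backup, then the
# files changed on each following day (file name -> new content). Not real data.
FULL = {"a.txt": "a1", "b.txt": "b1", "c.txt": "c1", "d.txt": "d1"}
CHANGES = {
    "mon": {"a.txt": "a2", "b.txt": "b2"},
    "tue": {"b.txt": "b3"},
    "wed": {"c.txt": "c2"},
}


def incremental_sets(changes):
    """Each set holds only what changed since the previous backup of any kind."""
    return {day: dict(files) for day, files in changes.items()}


def differential_sets(changes):
    """Each set holds everything changed since the last full backup (additive):
    the sets grow day by day, but any one of them is enough on its own."""
    acc, out = {}, {}
    for day, files in changes.items():
        acc.update(files)
        out[day] = dict(acc)
    return out


def restore_plan(strategy, day, changes):
    """Which backup sets must be read back, in order, to reach the state at `day`."""
    days = list(changes)
    if strategy == "incremental":
        return ["full"] + days[:days.index(day) + 1]   # full + every incremental so far
    if strategy == "differential":
        return ["full", day]                           # most recent state = full + delta_d
    raise ValueError(f"unknown strategy {strategy!r}")


def restore(strategy, day, full=FULL, changes=CHANGES):
    """Apply the plan and return the reconstructed file set."""
    sets = incremental_sets(changes) if strategy == "incremental" else differential_sets(changes)
    state = dict(full)
    for name in restore_plan(strategy, day, changes)[1:]:
        state.update(sets[name])
    return state


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        print(strategy, restore_plan(strategy, "wed", CHANGES), restore(strategy, "wed"))
```

The trade-off the two functions make visible: incremental sets stay small but a restore depends on every one of them being intact, while a differential set is larger but a restore needs only the full backup and the newest set.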