7. Defence Mechanisms 1 – Protocols and Tools
1
Defence Mechanisms 1:
Protocols and Tools
CITS3004
Alvaro Monsalve
1. Security Protocols
1.1. SSL/TLS
1.2. IPSec
2. Tools
2.1. Firewall
2.2. IDS
Agenda
2
• Security protocols exist in various layers of the system
• Let's take a look at the network model layers
3
1. Security Protocols
Layers (top to bottom): Application, Transport, Internet, Network Access
Protocols placed on the layers in the diagram: Kerberos, HTTPS, SSL, IPSec, VPN, PGP, SHTTP, TLS, PPTP, PPP, RADIUS
• Are they the same (simply an anagram)?
• A: No
4
SHTTP vs HTTPS
• Secure HTTP – an extension to HTTP
• Secures each message individually
– Not the communication channel, just the message
– i.e., SHTTP encrypts only the HTTP message
• Does not support server-only authentication
– Supports two-way authentication between client and server
• Rarely used anymore
5
SHTTP
• HTTP Secure – runs HTTP through SSL
– Wraps the entire communication within SSL, so the
encryption starts before any protocol data is sent
• Easily recognised by the URL starting with https://
• Provides security for the communication channel
• Sites are slowly moving away from plain HTTP
6
HTTPS
• Secure Sockets Layer (SSL), as used by HTTPS, typically uses port 443
• HTTPS relies on SSL to provide a secure
communication channel
• Other security protocols at the application layer do
the same
– E.g., SSMTP, SPOP3 etc.
• SSL provides encryption and authentication of the server
– Client authentication is optional
7
1.1 SSL
8
SSL
Handshake messages:
1a) Client hello message
1b) Server hello message
2a) Send server certificate
2b) Request client certificate (optional)
3a) Send client certificate (optional) + session key + cipher specification
3b) Send certificate verification (optional)
4) Commence secure communication

Steps:
1. Establish details (version, session id, cipher suite etc.)
2. Send server certificate (optionally send client certificate)
3. Client sends the session key encrypted with the server public key, and
specifies the cipher to use (optionally sends certificate verification)
4. Commence secure communication
9
SSL
1. Establish details
1a) Client
• Key exchange (RSA, DH, etc.)
• Cipher (3DES, AES, etc.)
• MAC (HMAC-MD5, HMAC-SHA1)
• Compression (gzip etc.)
• SSL version (e.g., 3.x)
• Random number (for symmetric key generation)
1b) Server
• RSA
• AES
• HMAC-SHA1
• Etc.
10
SSL
2. Server sends certificate
2a) Server
• Serial: 12345678
• Issuer: Verisign
• Valid dates: from xxxx to yyyy
• Public key
• Etc.
11
SSL
3. Client sends details
3a) Client
• Generate session key
• Encrypt session key using the server public key
• Key exchange
• Validate the server identity
• Decide cipher specifications
• Handshake finished
12
SSL
4. Commence secure communication
• Terminate SSL when
– validation fails
– Messages out of order
– Invalid message in the communication
4) Server
• Update cipher specifications
• Handshake finished
13
SSL Architecture
• Mainly focuses on the two services
– Message integrity
• Using MAC (message authentication code)
• Hash functions: MD5, SHA-1
– Message confidentiality
• Using symmetric encryption with a shared secret key
• Algorithms include AES, IDEA, RC2-40, DES-40, DES, 3DES, RC4-40,
RC4-128
14
SSL Record Protocol
• The MAC validates the authenticity and integrity of the message
• It is generated by an algorithm that produces a small fixed-size block
from the message and a shared secret key
• The receiver performs the same computation on the received message and
checks that the result matches the MAC
• A MAC is not a digital signature
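As an added example (not from the lecture slides), the receiver-side check described above in Python: the sender tags each record with HMAC-SHA-256 over the record's sequence number and payload, and the receiver recomputes the tag and compares it in constant time. The shared key and the record contents are constructed for the demonstration; in SSL the MAC key would come from the handshake.

```python
import hashlib
import hmac

# Constructed shared secret. In SSL/TLS the MAC key is derived from the
# handshake's master secret; a fixed value stands in for it here.
MAC_KEY = b"example-shared-mac-key-for-demo!"


def compute_mac(key: bytes, seq_num: int, payload: bytes) -> bytes:
    """Tag a record: HMAC-SHA-256 over the sequence number and the payload.

    Covering the sequence number means a record that is replayed or
    reordered fails verification even though its bytes are untouched.
    """
    message = seq_num.to_bytes(8, "big") + payload
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, seq_num: int, payload: bytes, tag: bytes) -> bool:
    """Receiver recomputes the MAC and compares it in constant time.

    hmac.compare_digest avoids leaking, through timing differences, how
    many leading bytes of a forged tag happened to be correct.
    """
    expected = compute_mac(key, seq_num, payload)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Run the four cases a practitioner should expect from a MAC."""
    payload = b"GET /account HTTP/1.1"
    tag = compute_mac(MAC_KEY, 1, payload)
    return {
        # Unmodified record under the expected sequence number verifies
        "intact": verify_mac(MAC_KEY, 1, payload, tag),
        # Any change to the message invalidates the tag
        "tampered": verify_mac(MAC_KEY, 1, b"GET /admin   HTTP/1.1", tag),
        # Same bytes and tag, but presented as record 2: a replay, rejected
        "replayed": verify_mac(MAC_KEY, 2, payload, tag),
        # Whoever holds the key can mint a valid tag, so a MAC cannot prove
        # to a third party which side wrote the message, unlike a signature
        "peer_can_tag": verify_mac(
            MAC_KEY, 3, b"peer wrote this", compute_mac(MAC_KEY, 3, b"peer wrote this")
        ),
    }


if __name__ == "__main__":
    print(demo())
```

The last case is the point of "MAC is not a digital signature": both endpoints hold the same key, so a valid tag shows that one of them produced the message, not which one.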
15
MAC
16
MAC
https://en.wikipedia.org/wiki/Message_authentication_code
Can SSL mitigate a MITM attack? Not when, for example:
• The server key has been stolen
• The client trusts an untrustworthy CA
• The client does not validate the certificate against a trusted CA
• The client has been attacked with a fake CA injection
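Three of the four conditions above are client-side verification failures. As an added example (not part of the lecture), here is how they show up in a Python ssl client configuration: a context that validates the server certificate and hostname beside the commonly seen non-verifying one, and a small audit function that reports what a reviewer would flag. The finding strings are this example's own.

```python
import ssl


def make_verifying_client_context() -> ssl.SSLContext:
    """The safe configuration: the server's certificate chain must validate
    against the trusted CA store and must match the hostname connected to."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL 3 / TLS 1.0 / 1.1
    return ctx


def make_non_verifying_client_context() -> ssl.SSLContext:
    """The setting behind many 'it works now' workarounds: any certificate,
    self-signed or issued by an untrusted CA, is accepted, so an interceptor
    presenting its own certificate is indistinguishable from the real server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a code review would raise for a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not validated against trusted CAs")
    if not ctx.check_hostname:
        findings.append("certificate is not checked against the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are permitted")
    return findings


if __name__ == "__main__":
    print("verifying:", audit_context(make_verifying_client_context()))
    print("non-verifying:", audit_context(make_non_verifying_client_context()))
```

Note that the stolen-server-key case is not visible to any client-side setting: it is what certificate revocation and short certificate lifetimes exist for.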
17
Quiz
What type of attacks does SSL prevent/mitigate?
• Attacks against Confidentiality and Integrity:
– Sniffing Attacks
– Hijack Connections
– Change Data
18
Quiz
What happens when SSL uses a flawed cryptosystem?
• Weak security: the protocol becomes vulnerable to cryptanalysis
19
Quiz
• There was no data integrity or confidentiality implemented at the
IP level when IP was first introduced in the 70s
– Designed for small networks for known users only
– Now vulnerable to many types of attacks
• Source spoofing
• Replay packets
• Etc.
20
1.2 IPSec
• IPSec aims to provide confidentiality and/or integrity
of network packets
– Confidentiality – data encryption
– Integrity – hash functions
• Also verifies the sources of packets using authentication
• Prevents replayed packets using sequence numbers
– Can also use a nonce, timestamp etc.
21
IPSec
IPSec Modes: Transport Mode, Tunnel Mode
22
IPSec Modes
• Transport mode (aka host mode)
– IPSec datagram emitted and received by end-system
– Protects upper level protocols
• Tunnel mode
– End routers are IPSec capable
– Most commonly used between gateways or from end station to a gateway
23
IPSec Modes
Transport mode: host <-> host
Tunnel mode: router <-> router
Original packet: [IP Header][Rest of packet]
24
IPSec Modes
Transport mode: [IP Header][IPSec Header][Rest of packet]
Tunnel mode: [New IP header][IPSec Header][IP header][Rest of packet]
Now choose the protocol
• IPSec has two protocols
1. Authentication Header (AH)
• Authentication, data integrity
• No confidentiality
2. Encapsulating Security Payload (ESP)
• Data origin authentication, data integrity, data confidentiality
• No IP header authentication
• They satisfy different security requirements
25
IPSec Protocols
• Provides source authentication and data integrity
– Protection from source spoofing and replay attacks
– But no confidentiality protection
26
IPSec – AH
Transport mode: [IP header][AH (IPSec)][Data]
– Authenticated (except for mutable fields)
Tunnel mode: [New IP header][AH (IPSec)][IP header][Data]
– Authenticated (except for mutable fields in the new IP header)
Data is cleartext! Encryption must happen at a higher layer
27
IPSec – AH
Field – Content
New IP header – IP header information. Next header pointing to the AH.
AH (IPSec) – AH header information; may also include payload length. Security Parameter Index (SPI). Sequence Number.
IP header – Original IP header information. May also include support information such as an initialization vector.
Data – Data.
• Provides data origin authentication, data integrity and
confidentiality
– The same services as AH, and
– Uses symmetric key encryption algorithms to encrypt packets
28
IPSec – ESP
Transport mode: [IP header][ESP (IPSec)][Data][ESP pad][ESP auth]
– Encrypted: Data, ESP pad
– Authenticated: ESP header, Data, ESP pad
Tunnel mode: [New IP header][ESP (IPSec)][IP header][Data][ESP pad][ESP auth]
– Encrypted: IP header, Data, ESP pad
– Authenticated: ESP header, IP header, Data, ESP pad
29
IPSec – ESP
Field – Content
New IP header – IP header information. Next header pointing to the ESP.
ESP (IPSec) – ESP header information; may also include payload length. Security Parameter Index (SPI). Sequence Number.
IP header – Original IP header information. May also include support information such as an initialization vector.
Data – Data.
ESP pad – Padding bytes needed for encryption. Pad length in bytes. Next header containing the protocol number of the next header in the datagram.
ESP auth – ESP authentication data containing the integrity check value.
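As an added example (not from the lecture or any IPSec implementation), the ESP fields in the table above assembled and parsed in Python: SPI and sequence number in the header, padding plus pad length and next header in the trailer, and an integrity check value (ICV) at the end. The next header value distinguishes the two modes from the earlier slides (4 for an encapsulated IP packet in tunnel mode, 6 for a TCP segment in transport mode), and the receiver keeps the sliding anti-replay window that the sequence number exists for. The payload is left unencrypted so the layout stays visible, which is this example's simplification; the ICV is a truncated HMAC-SHA-256, and the key and packets are constructed.

```python
import hashlib
import hmac
import struct

# Layout constants (field sizes follow RFC 4303; the cipher is omitted here)
ESP_HEADER = struct.Struct("!II")   # Security Parameter Index, Sequence Number
ESP_TRAILER = struct.Struct("!BB")  # Pad Length, Next Header
ICV_LEN = 16                        # ICV: HMAC-SHA-256 truncated to 128 bits
BLOCK = 16                          # pad so payload + trailer fills whole blocks
NEXT_HEADER_IPIP = 4                # tunnel mode: the payload is a whole IP packet
NEXT_HEADER_TCP = 6                 # transport mode: the payload is a TCP segment


def build_esp(key: bytes, spi: int, seq: int, payload: bytes, next_header: int) -> bytes:
    """Assemble [SPI][Seq][payload][pad][pad len][next hdr][ICV].

    Assumption of this example: the payload and trailer are left in clear so
    the layout stays visible; real ESP encrypts them before computing the ICV.
    """
    pad_len = (-(len(payload) + ESP_TRAILER.size)) % BLOCK
    padding = bytes(range(1, pad_len + 1))  # RFC 4303 default padding pattern
    authenticated = (ESP_HEADER.pack(spi, seq) + payload + padding
                     + ESP_TRAILER.pack(pad_len, next_header))
    icv = hmac.new(key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    return authenticated + icv


class EspReceiver:
    """Inbound security association: ICV check plus sliding anti-replay window."""

    def __init__(self, key: bytes, spi: int, window: int = 64):
        self.key, self.spi, self.window = key, spi, window
        self.highest = 0  # highest sequence number accepted so far
        self.seen = 0     # bit i set => sequence number (highest - i) was accepted

    def accept(self, packet: bytes):
        """Return (decoded fields, 'ok') or (None, reason for rejection)."""
        if len(packet) < ESP_HEADER.size + ESP_TRAILER.size + ICV_LEN:
            return None, "truncated"
        spi, seq = ESP_HEADER.unpack_from(packet)
        if spi != self.spi:
            return None, "unknown SPI"
        authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            return None, "bad ICV"          # modified in transit or forged
        if seq == 0:
            return None, "invalid sequence number"
        # Anti-replay: accept each sequence number once, within the window
        if seq > self.highest:
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            offset = self.highest - seq
            if offset >= self.window:
                return None, "too old"
            if (self.seen >> offset) & 1:
                return None, "replayed"
            self.seen |= 1 << offset
        trailer_at = len(authenticated) - ESP_TRAILER.size
        pad_len, next_header = ESP_TRAILER.unpack_from(authenticated, trailer_at)
        payload = authenticated[ESP_HEADER.size:trailer_at - pad_len]
        mode = "tunnel" if next_header == NEXT_HEADER_IPIP else "transport"
        return {"seq": seq, "mode": mode, "next_header": next_header,
                "payload": payload}, "ok"
```

The ICV is checked before the sequence number is looked at, so a forged packet cannot move the window; a packet older than the window is dropped even if it was never seen, which is the trade-off that bounds the receiver's state to one bitmap per security association.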
30
AH vs ESP
ESP (e.g., tunnel mode): [New IP header][ESP (IPSec)][IP header][Data][ESP pad][ESP auth]
– Encrypted and authenticated; needs extra padding; the new IP header is not authenticated
AH (e.g., tunnel mode): [New IP header][AH (IPSec)][IP header][Data]
– Authenticated (including the IP headers); no encryption
Similar difference for transport mode
• IPSec provides transparent security
• Higher layers do not need to be aware of the security at the
lower layer
However…
• It is host-to-host (gateway-to-gateway) security, not aware of
users or applications
• IPSec needs packets to be kept in order (sequence numbers), whereas IP
itself is designed not to worry about ordering or dropped packets
31
IPSec summary
• Virtual Private Networks
• ESP is often used to implement a VPN
– Packets go from the internal network to a gateway, carrying TCP/IP
headers addressed to a host in another network
– Entire packet hidden by encryption
• Including original headers so destination addresses are hidden
– Receiving gateway decrypts packet and forwards original IP
packet to receiving address in the network that it protects
– This is known as a VPN tunnel
• Secure communication between parts of the same organisation over
public untrusted Internet
32
VPN – super short overview
• Security protocols are implemented in different
layers of the system
– Very complex due to building on top of the existing models
that did not consider security from the beginning
• Various security protocols exist to enhance security
• Choose the protocols from different layers carefully
to satisfy the security requirements of the system
33
Protocols summary
34
2. Tools
Important stuff: Prevention, Detection, Reaction
• We create networks and subnets everywhere
– Need to ensure that bad things don’t come into our networks
• Forms the first barrier for protecting LANs
• Sits between the premises network and the Internet
• Typically, all traffic from outside to inside passes through
the firewall
• Unauthorised traffic will be filtered by the firewall
35
2.1 Firewall
• What are the things examined by a firewall?
– IP address
– Protocol headers, payload, or port number
– Track of client-server sessions
– Application level protocols
36
Firewall
• Packet filtering firewall (Gen 1)
• Stateful inspection firewall (Gen 2)
• Application proxy firewall (Gen 3)
• Circuit-level proxy firewall (Gen 3)
37
Types of Firewalls
• Defines a set of rules for each IP packet
• Applies the rules to determine whether the packet is forwarded
or dropped
38
Gen1: Packet filtering
Diagram: Internet | packet filtering firewall (security perimeter) | Private network
• Filtering rules are based on the following
– Source IP address
– Destination IP address
– Transport level address (e.g., TCP or UDP port number)
– IP protocol field
– Interfaces
• A firewall with 3 or more ports, which interface the packet came
from or is going to
39
Gen1: Packet filtering
• A list of rules is established using this information
• If the incoming (or outgoing) packet matches one
of the rules, that rule is invoked (forward/discard)
• What happens when there is no matching rule?
– A: invoke a default action
• Default discard (everything is discarded)
• Default forward (everything is allowed)
40
Gen1: Packet filtering
41
Gen1: Packet filtering
Action  Ourhost  Port  Theirhost  Port  Comment
Block   *        *     *          *     Default
Allow   *        25    *          *     Connect to SMTP
Block   *        *     badSMTP    *     Don't trust this host
Allow   *        *     *          25    Connect to the mail server

We want to allow users to connect to our mail server via SMTP at port 25.
We don't want users coming from badSMTP – what would be the rule to add?
We want to connect to their mail server via SMTP – what would be the rule to add?
42
Gen1: Packet filtering
Action  Ourhost  Port  Theirhost  Port  Comment
Allow   *        *     *          25    Connect to the mail server

• Q: What could be a potential problem with this rule?
– A: The restriction relies only on their port number, which we
cannot control
– An attacker can use that port to access internal machines
43
Gen1: Packet filtering
Action  Ourhost  Port  Theirhost  Port  Flags  Comment
Allow   *        *     *          25           Connect to the mail server
Allow   *        25    *          *     ACK    Check their reply

• Once a connection is set up, the ACK flag of a TCP
segment is set to acknowledge segments sent from the
other side
• The ACK signifies that the packet is part of an ongoing
conversation
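As an added example (not from the lecture), the rule tables of the last three slides as a small first-match packet filter in Python. It keeps the slide's columns and adds a direction column so that "Check their reply" can be expressed: the loose rule set accepts any packet whose remote port is 25, so a connection attempt arriving from port 25 to an internal high port passes; the strict set only accepts inbound traffic from port 25 when the ACK flag shows it belongs to a conversation our side started. The first-match order, the direction column and the sample addresses are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Union

ANY = "*"


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (their host -> our host) or "out" (our host -> theirs)
    ourhost: str
    ourport: int
    theirhost: str
    theirport: int
    ack: bool = False   # TCP ACK flag: clear only on the first segment of a connection


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    direction: str = ANY             # added column; the slide's table has none
    ourhost: str = ANY
    ourport: Union[int, str] = ANY
    theirhost: str = ANY
    theirport: Union[int, str] = ANY
    flags: Optional[str] = None      # "ACK": match only if the ACK flag is set
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        pairs = [(self.direction, p.direction), (self.ourhost, p.ourhost),
                 (self.ourport, p.ourport), (self.theirhost, p.theirhost),
                 (self.theirport, p.theirport)]
        if any(pattern != ANY and pattern != value for pattern, value in pairs):
            return False
        return self.flags != "ACK" or p.ack


def filter_packet(rules, packet: Packet, default: str = "block"):
    """First matching rule decides; with no match the default action applies."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.comment
    return default, "Default"


# The slide's rule set with the loose 'allow * * * 25' rule
LOOSE = [
    Rule("block", theirhost="badSMTP", comment="Don't trust this host"),
    Rule("allow", ourport=25, comment="Connect to SMTP"),
    Rule("allow", theirport=25, comment="Connect to the mail server"),
]

# Same intent, but inbound traffic from their port 25 must carry ACK
STRICT = [
    Rule("block", theirhost="badSMTP", comment="Don't trust this host"),
    Rule("allow", ourport=25, comment="Connect to SMTP"),
    Rule("allow", direction="out", theirport=25, comment="Connect to the mail server"),
    Rule("allow", direction="in", theirport=25, flags="ACK", comment="Check their reply"),
]

# Constructed traffic (documentation-range addresses for the outside hosts)
OUR_SYN_TO_THEIR_MAIL = Packet("out", "192.168.1.103", 1875, "173.46.34.101", 25)
THEIR_REPLY = Packet("in", "192.168.1.103", 1875, "173.46.34.101", 25, ack=True)
PROBE_FROM_PORT_25 = Packet("in", "192.168.1.6", 6000, "203.0.113.9", 25)  # new connection, no ACK
FROM_BAD_HOST = Packet("in", "192.168.1.6", 25, "badSMTP", 4321)

if __name__ == "__main__":
    for name, rules in (("loose", LOOSE), ("strict", STRICT)):
        print(name, "probe from port 25:", filter_packet(rules, PROBE_FROM_PORT_25))
```

The ACK check is only a heuristic: a packet filter cannot tell whether a segment with ACK set really belongs to a live connection, which is the gap the stateful inspection firewalls on the following slides close.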
• Advantages:
– Simple
– Typically transparent to users and very fast
• Disadvantages:
– Cannot prevent attacks at the application layer
– Limited logging capabilities
– No advanced user authentication
– TCP/IP protocol bugs can be exploited – e.g., IP spoofing
44
Gen1: Packet filtering
• Generation 1 firewalls do not examine higher layer
context
• Generation 2 firewalls address this problem by examining
each IP packet in context
– Keeps track of client-server sessions
– Checks each packet's validity – e.g., does it belong to an existing session?
• Provides better capabilities to detect bogus packets
45
Gen2: Stateful inspection
46
Gen2: Stateful inspection
Diagram: Internet | stateful firewall (state info) | Private network
• TCP connections (typically)
– Server port number < 1024
– Client port number between 1024 and 16383
• Permanent assignments
– (20, 21 -> FTP), (23 -> Telnet), (25 -> SMTP), (80 -> HTTP)
• If client wants to use port 2048, firewall must allow
incoming traffic on this port
• Solution: keep track of the outgoing requests
47
Gen2: Stateful inspection
48
Gen2: Stateful inspection
• The firewall keeps track of currently established connections
• The packet filter allows incoming traffic to high-numbered
ports only for those packets that fit the profile
49
Gen2: Stateful inspection
Source IP Source Port Dest. IP Dest. Port Con. State
192.168.1.100 1030 210.9.34.11 80 Established
192.168.1.103 1875 173.46.34.101 25 Established
192.43.1.101 2248 192.168.1.6 80 Established
210.168.1.113 1056 192.168.1.6 80 Established
222.99.1.73 1301 168.39.45.67 79 Established
• Options to keep track of the TCP sequence numbers
– To prevent attacks that depend on the sequence number
– Q: What attack was it?
– E.g., session hijacking
• Some may also inspect application data for well
known protocols
– e.g., FTP
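As an added example (not from the lecture), the connection table from the slide above as a minimal stateful filter in Python. An inside host opening a connection creates an entry; the outside reply to that exact four-tuple is forwarded and the entry moves to Established; an inbound packet to a high-numbered port with no matching entry is dropped even though a stateless filter with a "their port 80" rule would have let it through. The internal prefix, the published service list and the sample segments are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


class StatefulFilter:
    """Gen2 filter: a connection table decides whether an inbound packet to a
    high-numbered port answers a request the inside actually made."""

    def __init__(self, internal_prefix: str, services: set):
        self.internal_prefix = internal_prefix  # constructed, e.g. "192.168.1."
        self.services = services                # (ip, port) pairs reachable from outside
        self.table = {}                         # (src, sport, dst, dport) -> state

    def _internal(self, ip: str) -> bool:
        return ip.startswith(self.internal_prefix)

    def handle(self, s: Segment) -> str:
        fwd = (s.src_ip, s.src_port, s.dst_ip, s.dst_port)
        rev = (s.dst_ip, s.dst_port, s.src_ip, s.src_port)
        if fwd in self.table:                   # same direction as the opening SYN
            if s.fin:
                self.table[fwd] = "Closing"
            return "forward"
        if rev in self.table:                   # reply to a tracked connection
            if self.table[rev] == "SynSent" and s.syn and s.ack:
                self.table[rev] = "Established"
            return "forward"
        if s.syn and not s.ack:                 # a new connection attempt
            if self._internal(s.src_ip) or (s.dst_ip, s.dst_port) in self.services:
                self.table[fwd] = "SynSent"
                return "forward"
        return "drop"                           # unsolicited, no matching state

    def state_of(self, src_ip, src_port, dst_ip, dst_port):
        return self.table.get((src_ip, src_port, dst_ip, dst_port))

    def rows(self):
        """Connection table in the slide's column order."""
        return [(*key, state) for key, state in self.table.items()]


if __name__ == "__main__":
    fw = StatefulFilter("192.168.1.", {("192.168.1.6", 80)})
    fw.handle(Segment("192.168.1.100", 1030, "210.9.34.11", 80, syn=True))
    fw.handle(Segment("210.9.34.11", 80, "192.168.1.100", 1030, syn=True, ack=True))
    print(fw.rows())
```

A production implementation would also expire idle entries and track sequence numbers, which is the option the slide mentions against session hijacking; without expiry the table itself becomes a resource an attacker can exhaust.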
50
Gen2: Stateful inspection
• Application proxy (application level gateway)
• Relays application-level traffic
51
Gen3: Application proxy
52
Gen3: Application proxy
Diagram: Internet – Network Connection – Private network
Daemons on the gateway: Telnet daemon, FTP daemon, SMTP daemon, …
Proxies spawned: Telnet proxy, FTP proxy, SMTP proxy
Daemon spawns the proxy when a communication is detected
• Proxy at the transport layer (TCP/IP model)
– Establishes two TCP connections
• Typically used for trusted inside users
• Monitors the TCP handshake and checks that the session fulfils
firewall rules and policies
• Does not filter individual packets
• Relays TCP segments without examining their contents
• Enforces a security function
– That determines which connections will be allowed
53
Gen3: Circuit-level proxy
• Application level
– Considers commands in the application protocols
• Circuit level
– Does not consider application protocols, but
– Provides service for a wide variety of different protocols
• Multi-level firewalls
54
Gen3 and more
The Goods
• All communication goes through a single point
• Specific location(s) for monitoring events
• Provides a platform for various Internet functions not related to security
• e.g., serve as the platform for IPSec
The Bads
• Attackers can bypass the firewall
• Cannot protect from internal threats
• Improper network design can be penetrated from outside
• e.g., a not-so-secure wireless LAN
• Infected devices can be brought into the internal network
• e.g., laptops, tablets, mobile phones, USB
55
Firewalls summary
• Intrusion Detection System
• To catch criminals in cyberspace
• Means to identify intrusions
56
2.2 IDS
• Intrusion is…
– A set of actions that compromises CIA
– Actions include
• Causing DoS
• Installing Backdoors
• Spreading Viruses
• Exploiting software vulnerabilities
• Etc.
57
IDS
• Intrusion detection is…
– Detecting signs of security problems and analysing the
events happening in computer/network systems
– We assume that system activities (e.g., users, programs) can
be monitored
– Steps
1. Monitor – analyse hosts/networks
2. Identify – any misuse/abnormal activities
3. Assess – severity and alert administrators
58
IDS
• Intrusion detection system is…
– Combinations of software and hardware to perform
intrusion detection
– Can be placed in multiple locations in the network
59
IDS
Diagram: Internet | IDS | Private network
• ID models
– Misuse detection (signature or knowledge-based)
– Anomaly detection (behaviour-based)
• Detect intrusion from
– Hosts
– Networks
– Hybrid
60
IDS
• Misuse detection
– Well-known attack signatures are stored in the database
– Current audit trails are compared with stored signatures
• Anomaly detection
– Identify deviation from normal usage pattern
– Apply statistical measures to classify activities/behaviours
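As an added example (not from the lecture), both detection models run over constructed web-server access-log lines in Python. Misuse detection compares each request path against a small signature list; anomaly detection builds a profile of requests per source from a training window and flags sources that exceed the mean by three standard deviations. The log lines, signatures and thresholds are all this example's own.

```python
import re
import statistics
from collections import Counter


def log_line(ip, minute, second, method, path, status):
    """Constructed access-log line in common log format (not real traffic)."""
    return (f'{ip} - - [12/Mar/2024:10:{minute:02d}:{second:02d}] '
            f'"{method} {path} HTTP/1.1" {status}')


# Training window: ordinary browsing from five hosts, 2-4 requests each
TRAINING = [log_line("10.0.0.5", 0, s, "GET", "/index.html", 200) for s in (1, 9)]
TRAINING += [log_line("10.0.0.6", 0, s, "GET", "/about.html", 200) for s in (3, 14, 40)]
TRAINING += [log_line("10.0.0.7", 0, s, "GET", "/login", 200) for s in (5, 22, 31)]
TRAINING += [log_line("10.0.0.8", 1, s, "GET", "/news", 200) for s in (2, 8, 19, 45)]
TRAINING += [log_line("10.0.0.9", 1, s, "GET", "/index.html", 200) for s in (6, 27, 50)]

# Observed window: the same kind of browsing plus two things worth an alert
OBSERVED = [log_line("10.0.0.5", 2, 1, "GET", "/index.html", 200),
            log_line("10.0.0.7", 2, 4, "POST", "/login", 302),
            log_line("203.0.113.9", 2, 10, "GET", "/item?id=1%20UNION%20SELECT%20null", 500),
            log_line("203.0.113.9", 2, 11, "GET", "/../../etc/passwd", 404)]
OBSERVED += [log_line("198.51.100.4", 3, s, "POST", "/login", 401) for s in range(20)]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse(lines):
    """Turn raw lines into dicts; lines that do not parse are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


# Misuse detection: the stored "signature database"
SIGNATURES = [
    ("sql-injection", re.compile(r"union(\s|%20)+select", re.I)),
    ("path-traversal", re.compile(r"\.\./|%2e%2e%2f", re.I)),
]


def misuse_detect(events):
    """Compare each request against every stored signature."""
    return [(e["ip"], name) for e in events
            for name, pattern in SIGNATURES if pattern.search(e["path"])]


def build_profile(training_events):
    """Profile normal behaviour: requests per source within a window."""
    counts = list(Counter(e["ip"] for e in training_events).values())
    return {"mean": statistics.mean(counts), "stdev": statistics.stdev(counts)}


def anomaly_detect(events, profile, k=3.0):
    """Flag sources whose request count is more than k standard deviations above normal."""
    threshold = profile["mean"] + k * profile["stdev"]
    return [(ip, n) for ip, n in Counter(e["ip"] for e in events).items() if n > threshold]


if __name__ == "__main__":
    print("misuse:", misuse_detect(parse(OBSERVED)))
    print("anomaly:", anomaly_detect(parse(OBSERVED), build_profile(parse(TRAINING))))
```

The two outputs do not overlap, which is the practical reason the models are combined: the signatures catch the injection and traversal attempts but have nothing to say about the login brute force, while the profile flags the brute force but sees nothing unusual in a source that made only two requests. Lowering k catches more but raises the false-positive rate the pros/cons slide warns about.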
61
IDS
Misuse detection
Pros
• Accurate
• Easy and quick to set up
• Fast
Cons
• Cannot detect variations
• Need to update the signature database (keeps growing)

Anomaly detection
Pros
• Detects variations (new attacks)
Cons
• Slow
• High false results
• Requires profiling behaviours
62
IDS
• IDS placements – Host and Network
• HIDS (Host-based IDS)
– Sits inside the host system
– Monitor the system usage
– OS dependent
• NIDS (Network-based IDS)
– Sits in the network attached at a location
– Capture and monitor packets in the network
63
IDS
• There are many other tools that are useful for defence
(as well as attacks), such as
– Wireshark
– Metasploit
– Nessus
– Snort
– Burp
– OpenVAS
– Etc.
64
Other cool tools
• It allows you to examine data from a live network or from
a capture file on disk.
– But you can only sniff the interfaces you have access to.
• Wireshark has several powerful features, including a rich
display filter language and the ability to view the
reconstructed stream of a TCP session.
• It also supports hundreds of protocols and media types.
65
Wireshark
• A quick demo video
– https://www.youtube.com/watch?v=mrLaUaowt-w
66
Metasploit
• SSL
– http://tldp.org/HOWTO/Apache-WebDAV-LDAP-HOWTO/ssl.html
• IPSec
– http://www.ciscopress.com/articles/article.asp?p=24833&seqNum=3
– http://www.tcpipguide.com/free/t_IPSecAuthenticationHeaderAH.htm
– http://www.tcpipguide.com/free/t_IPSecEncapsulatingSecurityPayloadESP.htm
• VPN
– https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14106-how-vpn-works.html?dtid=osscdc000283
– https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771298(v=ws.10)
• Firewall
– https://www.digitalocean.com/community/tutorials/what-is-a-firewall-and-how-does-it-work
• IDS
– https://csrc.nist.gov/publications/detail/sp/800-94/final
67
Additional Items
• List of security tools
– https://sectools.org/
• Emotet analysis
– https://blog.malwarebytes.com/threat-analysis/2018/05/malware-analysis-decoding-emotet-part-1/
– https://blog.malwarebytes.com/threat-analysis/2018/06/malware-analysis-decoding-emotet-part-2/
• TrickBot
– https://blog.malwarebytes.com/detections/trojan-trickbot/
• Malicious pcap files
– http://malware-traffic-analysis.net/training-exercises.html
68
Additional Items