
ECS 726: Security and Authentication
Network Security
Pasquale Malacaria Week 09
EECS, QMUL


Networks’ Concepts Recap 1
Last week we saw the fundamental concepts of networks:
◃ Network, internet,
◃ IP address, MAC address
◃ ICMP (Internet Control Message Protocol), ping,

Networks’ Concepts Recap 2
◃ Local Area Network (LAN), LAN topologies
◃ Switches and routers,
◃ Subnetting, masks
◃ ARP (Address Resolution Protocol) to resolve IP to MAC,
◃ DHCP (Dynamic Host Configuration Protocol) to assign IP address in LAN

Networks’ Concepts Recap 3
◃ OSI model: Application, Presentation, Session, Transport, Network, Data Link, Physical layers
◃ Packets and frames, TCP/IP, three-way Handshake, UDP/IP, ports
◃ Port forwarding,
◃ Firewalls basics, VPN basics

Network Security
Network security is about the techniques, policies, processes and practices adopted to prevent, detect and monitor unauthorized access and misuse of a computer network and network-accessible resources.

Network Security
[Figure: main techniques and components in Network Security. Authentication (check identity); Encryption (protect data); Honeypots (surveillance); Network security (restrict network access); Anti-virus and IPS (detect malware).]

Offensive Network security: Example Network Vulnerabilities and Attacks

Port Scanning
Many attacks begin with port scanning:
◃ Port scanning: probing/inspecting a network segment to gather information about its connected devices (hardware), the services they run (software), and hence, the vulnerabilities they may be susceptible to.
– Port scanning is not an attack itself, but can be used to prepare for an attack

Port Scanning
Port scanning can be done as a network management/admin activity too (not necessarily for malicious activity!)
Malicious port scanning can usually be detected (e.g. many requests on different ports from some IP address)
Example port scanning applications:
◃ Free: nmap, openvas
◃ Commercial: nessus, tenable, Rapid7 nexpose, Qualys, ...

Signal Interception, packet sniffing
Once the data leaves your device, it can be viewed (intercepted, wiretapped, sniffed, eavesdropped) by others along the way.
◃ Packet Sniffing on a LAN can be done using for example Wireshark

Spoofing/Poisoning
We have seen several resolution protocols:
◃ ARP to resolve IP addresses to MAC addresses
◃ DNS to resolve domain names to IP addresses
These resolutions can be poisoned, i.e. an attacker could provide a malicious MAC address in ARP or a malicious IP address in DNS.

ARP Spoofing
ARP: A network protocol used to find the hardware (MAC) address of a host from an IP address (on a LAN)
ARP request-response protocol example.

ARP Spoofing
ARP spoofing/poisoning: false ARP responses could be sent by an adversary!
Illustration of ARP cache poisoning attack.
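The cache-poisoning behaviour illustrated above can be spotted from the defender's side by watching the ARP replies on a segment for two symptoms: an IP whose MAC binding suddenly changes, and one MAC that claims several IPs (victim and gateway at once). The following is an added example, not code from the slides, run on constructed ARP replies; the IP and MAC values are made up.

```python
"""Detect ARP cache poisoning from a stream of ARP replies (added example, constructed data)."""
from collections import defaultdict

# Constructed sample of "is-at" ARP replies seen on one LAN segment: (sender IP, sender MAC).
# The gateway 192.168.1.1 is genuinely at aa:bb:cc:00:00:01; de:ad:be:ef:00:99 is the poisoner.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway, genuine
    ("192.168.1.10", "aa:bb:cc:00:00:10"),  # workstation, genuine
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway again, consistent
    ("192.168.1.1", "DE:AD:BE:EF:00:99"),   # gateway IP now claimed by a different MAC
    ("192.168.1.10", "de:ad:be:ef:00:99"),  # same MAC also claims the workstation IP
]

def detect_arp_poisoning(replies, known=None):
    """Return alerts as (kind, detail) tuples.

    kind == "ip-rebind":    an IP that was bound to one MAC is now claimed by another
                            (what a naive cache silently accepts: last reply wins).
    kind == "mac-multi-ip": one MAC claims several IPs, typical of a man-in-the-middle
                            poisoning both the victim's and the gateway's entries.
    `known` optionally seeds trusted static IP -> MAC bindings (e.g. the gateway).
    Heuristic only: a router with IP aliases or a VM host can legitimately trigger it.
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (known or {}).items()}
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()                       # MACs compare case-insensitively
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("ip-rebind", f"{ip}: {previous} -> {mac}"))
        ip_to_mac[ip] = mac                     # mirror what an unprotected cache does
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(("mac-multi-ip", f"{mac} claims {sorted(mac_to_ips[mac])}"))
    return alerts

if __name__ == "__main__":
    for kind, detail in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(f"ALERT {kind}: {detail}")
```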

IP Address Spoofing Attacks
A DDoS attack enabled by IP Spoofing.

DNS Spoofing
• Domain Name System (DNS) is a system that associates domain names (e.g. URLs, email addresses and other human-readable domain names) with their corresponding IP addresses.
◃ In a DNS spoofing attack, the attacker spoofs DNS responses in order to reroute a specific domain name to a different IP address (e.g., one that they control)

DNS Spoofing
An example scenario of a DNS cache poisoning attack (ref)

Common network attacks
• List of common network attacks:
◃ malware (trojan, spyware, viruses, worms ...) installed on a network machine
◃ social engineering (phishing)
◃ brute force credentials
◃ Denial of service (DoS)
◃ injection attacks (SQL, code, ...)

Defensive Network Security: controls

Network Security
[Figure: main defensive controls in Network Security. Authentication (check identity); Encryption (protect data); Honeypots (surveillance); Network security (restrict network access); Anti-virus and IPS (detect malware).]

• Firewall:
◃ A component or a set of components that restricts access between a protected network and the Internet or between different sections of a network.
◃ Firewalls typically operate by filtering packets (aka screening).

What firewalls can do:
• A firewall can enforce a security policy, i.e. concerning access control
• it can log Internet activity efficiently
• it can block unwanted traffic if the traffic can be characterized,
◃ e.g. with an IP 5-tuple: IP source address, IP destination address, source port number, destination port number, transport protocol
• it can limit exposure to security problems in one part of a network, i.e., contain a breach.

What firewalls can NOT do:
• firewalls cannot protect against “malicious insiders”;
• they cannot protect against connections that do not go through them;
• a firewall cannot fully protect against viruses,
◃ e.g. viruses can still spread through emails (as usual), and the email service is allowed by the firewall;
• they cannot guarantee that the parameters on which their rules are based are not spoofed by attackers, as they normally do not perform cryptographic operations, e.g. message authentication.

Two types of packet filtering:
• Stateless: each decision (allow/drop/reject/log) is made based on inspecting a single packet, e.g.: drop any packet with a specific source IP address.
• Stateful: decisions may depend on previous packets (to take into account the state of the connection/operations that the packet is part of).
◃ Stateful firewalls with application inspection maintain a table of open connections, inspecting the payload of some packets and intelligently associating new connection requests with existing legitimate ones.
• Stateful firewalls are more flexible than stateless ones, but require more resources and may introduce delay.

Specifying packet filtering rules:
• As a packet filter protects one part of a network from another with different trust levels, there is a notion of the direction of traffic:
◃ Inbound: the traffic is coming from an interface which is outside the protected network and its destination can be reached on an interface which is connected to the protected network
◃ Outbound: the opposite of inbound
◃ For every packet filtering rule this direction is specified as either inbound, outbound, or either.

Firewalls: an example
The precise way firewall rules are entered depends on the system used
◃ in Linux, for example, firewall rules can be entered using the command iptables
◃ e.g. iptables -A OUTPUT -p tcp -d youtube.com -j ACCEPT
to allow outgoing TCP packets to youtube.com
◃ in detail: -A OUTPUT = add (append) a firewall rule to the OUTPUT chain, i.e. for outbound traffic; -p tcp -d youtube.com = TCP traffic with destination youtube.com; -j ACCEPT = accept the packets

Firewalls: an example
◃ So if we wanted to block inbound TCP packets from youtube.com we could use
◃ iptables -A INPUT -p tcp -s youtube.com -j DROP
◃ notice that if there are multiple firewall rules they are applied sequentially starting from the first
◃ further details: https://opensource.com/article/18/9/linux-iptables-firewalld
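To make the filtering semantics of the last few slides concrete (5-tuple matching, inbound/outbound direction, sequential first-match evaluation, and the difference between a stateless and a stateful filter), here is an added example that models a packet filter in Python. It is not iptables code and not from the slides; the rule set, addresses and ports in it are constructed.

```python
"""First-match packet filter over IP 5-tuples, with an optional connection table.
Added example modelling the slides' semantics; it is not iptables code."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field
from typing import List, Optional, Set

# direction is "inbound"/"outbound"; proto "tcp"/"udp"; src/dst are IP strings.
Packet = namedtuple("Packet", "direction proto src dst sport dport")

@dataclass
class Rule:
    action: str                  # "ACCEPT" or "DROP"
    direction: str = "either"    # "inbound", "outbound" or "either", as on the slide
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR. Caveat: iptables resolves a hostname such as
    dst: str = "0.0.0.0/0"       # youtube.com only once, when the rule is added.
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("either", p.direction)
                and self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

@dataclass
class Firewall:
    rules: List[Rule]            # applied sequentially; the first matching rule decides
    default: str = "DROP"        # policy when no rule matches
    stateful: bool = True        # False gives a purely stateless filter
    conns: Set[tuple] = field(default_factory=set)  # (proto, in_ip, in_port, out_ip, out_port)

    def filter(self, p: Packet) -> str:
        # Stateful shortcut: a reply to a connection opened from inside is accepted without an inbound rule.
        if self.stateful and p.direction == "inbound" and \
                (p.proto, p.dst, p.dport, p.src, p.sport) in self.conns:
            return "ACCEPT"
        for r in self.rules:
            if r.matches(p):
                if self.stateful and r.action == "ACCEPT" and p.direction == "outbound":
                    self.conns.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return r.action
        return self.default

def example_firewall() -> Firewall:  # constructed rules: drop one outside /24, allow outbound 443 and inbound 25
    return Firewall(rules=[Rule("DROP", direction="inbound", proto="tcp", src="203.0.113.0/24"),
                           Rule("ACCEPT", direction="outbound", proto="tcp", dport=443),
                           Rule("ACCEPT", direction="inbound", proto="tcp", dport=25)])
```

With the stateful filter, the reply to an outbound HTTPS connection is accepted although no inbound rule names it; the same reply is dropped by the stateless variant, and a packet from 203.0.113.0/24 to port 25 is dropped by the first rule even though the third would accept it.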

Firewalls: DMZ
• It is important to isolate servers that are required to be “Internet-facing” (such as mail, web and DNS servers)
◃ They should not be fully exposed to the Internet and they should be isolated from internal networks
• The solution is to create a de-militarized zone (DMZ):
◃ Access to a DMZ from the Internet is restricted (to protect machines within the DMZ from the Internet)
◃ Access from the DMZ to an internal network is restricted (to protect machines within the internal networks from the DMZ)

◃ IDS: intrusion detection system. It aims to detect possible intruders in the network
◃ IPS: intrusion protection system, i.e. an IDS plus some technique to block access to detected intruders

Why an IDS?
◃ Firewalls block traffic to particular ports or addresses; they also constrain certain protocols to limit their impact.
◃ But by definition, firewalls have to allow some traffic to enter a protected area.
◃ Watching what that traffic actually does inside the protected area is an IDS’s job.

Intrusion detection systems complement the preventive controls of firewalls/access controls as the next line of defense.
◃ An Intrusion Detection System (IDS) is a device/programme that monitors activity to identify malicious or suspicious events (in near real-time).
The response to an IDS incident is typically to alert a person that will then decide on further action.
◃ However, if the IDS by itself can go into protection mode and trigger a response, e.g. isolate a suspected intruder and constrain access, then such a system is called an Intrusion Protection System (IPS).

Two major types of IDS:
◃ Signature Based: perform simple pattern-matching and report situations that match a pattern (a signature) corresponding to a known attack type
◃ Anomaly Based (heuristic): build a model of acceptable (normal) behavior/characteristics over time and flag exceptions to that model (anomalies). It can also learn over time from previous responses.
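The following added example (not from the slides) serves both this slide and the earlier remark under "Port Scanning" that malicious scanning can be detected from many requests on different ports from one IP address: it runs a signature-based check (pattern matching on request payloads) and a simple threshold heuristic for port scans, a basic form of the anomaly approach, over constructed connection-log lines. The log format, signatures, addresses and thresholds are all assumptions made up for the example.

```python
"""Toy IDS over constructed connection-log lines: signature matching for known attack
patterns, plus a threshold heuristic that flags port scans (many distinct ports from
one source in a short window). Added example; not the code of any real IDS."""
import re
from collections import defaultdict

# Signature rules: (name, pattern matched against the request payload).
SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE)),
    ("path-traversal", re.compile(r"\.\./")),
]

def parse_line(line):
    """Constructed log format: '<epoch> <src> <dst> <dport> <payload, or - if none>'."""
    ts, src, dst, dport, payload = line.split(" ", 4)
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport), "payload": payload}

def signature_alerts(events):
    """Signature-based detection: report every (source, signature name) match."""
    return [(e["src"], name) for e in events for name, rx in SIGNATURES if rx.search(e["payload"])]

def port_scan_alerts(events, window=60, threshold=10):
    """Flag a source once it has touched `threshold` distinct ports within `window` seconds."""
    history = defaultdict(list)            # src -> [(ts, dport), ...]
    flagged = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        history[e["src"]].append((e["ts"], e["dport"]))
        recent_ports = {port for ts, port in history[e["src"]] if e["ts"] - ts <= window}
        if len(recent_ports) >= threshold:
            flagged.add(e["src"])
    return sorted(flagged)

def analyse(lines):
    events = [parse_line(line) for line in lines]
    return {"signature": signature_alerts(events), "scan": port_scan_alerts(events)}

# Constructed sample: one host sweeps 12 ports in 12 s, one sends an SQL-injection probe
# on port 80, and one is benign.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]
SAMPLE_LOG = [f"{1700000000 + i} 203.0.113.5 10.0.0.7 {port} -" for i, port in enumerate(SCAN_PORTS)]
SAMPLE_LOG += [
    "1700000030 198.51.100.9 10.0.0.7 80 GET /login?user=admin' OR 1=1-- HTTP/1.1",
    "1700000031 192.0.2.4 10.0.0.7 80 GET /index.html HTTP/1.1",
    "1700000032 192.0.2.4 10.0.0.7 443 -",
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The same 12 ports touched 100 s apart would not be flagged with the default 60 s window, which is the usual trade-off of this kind of heuristic: a slow scan evades it, while a tighter threshold raises false positives on busy hosts.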

Anti-malware
• Anti-malware software is designed to detect malicious code.
◃ It may be signature based, e.g. it may look for some snippet of code that is known to be malicious
◃ or it may look for more abstract features, e.g. system call patterns, control-flow graphs, etc.

• Honeypots are essentially network-accessible decoys.
◃ They may be deployed in a network as surveillance and early-warning tools.
◃ Honeypots are placed at a point in the network where they appear vulnerable and undefended, but they are actually isolated and monitored

Questions?
