#Security of #Information #Systems - Lecture 11 : Network Perimeter Security, Firewalls, Proxies
Hello students, welcome to Security of Information Systems, lecture 11. Today's topic is network perimeter security. Okay, let's start. The outline for today's lecture is as follows: firewalls, routers, proxies and architectures; intrusion detection systems, host-based and network-based, and dealing with false alarms; wireless LAN access control, its evolution and history, WPA2 and the Robust Security Network architecture (RSN). Okay.

Perimeter security analogy: medieval castle defences. This is an analogy to understand what perimeter security is about. You see observation posts on the outermost walls. There are guards at the normal access gate, which is the only way in, as you can see. Then there is the fortified gatehouse, then another wall, then the outer ward as another security level, and finally the inner court, which is the most protected area.
Perimeter security is quite similar to this. Defending local networks: network perimeter security. You see there is a single access point to our system. This line represents the boundary of our network, and our Internet access comes in through it. At the first gate we have a firewall: a gateway router with a packet filter.
So the Internet access starts here, and we separate our network into two parts. The first one is the external network, which is called the demilitarized zone. Let's look at the definition. In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network or screened subnet) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted, usually larger, network such as the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external network node can access only what is exposed in the DMZ, while the rest of the organization's network is firewalled. The DMZ functions as a small, isolated network positioned between the Internet and the private network. The name comes from the term demilitarized zone, an area between states in which military operations are not permitted.
So the DMZ functions as a small isolated network positioned between the Internet and the private network. Here we can see the area which has access to the Internet, and then we have the internal network. In our DMZ area we have the DNS server, the mail server and the web server, the servers that have to be reachable from the Internet, and we have honeypots (we will talk about honeypots later), a switch, and an IDS, which is an intrusion detection system. Then we have another firewall, with a router and a proxy, and after that our internal network starts, which is our most crucial and important network. There are production servers, workstations, another internal intrusion detection system, a database and another switch. So this is an illustration of perimeter
security. Okay, let's start with firewalls. Network perimeter security method: firewalls. A firewall is a checkpoint that protects the internal networks against attacks from outside networks. The checkpoint decides which traffic can pass in and out based on rules. There is the external network, which holds potential threats (the Internet), the firewall, which is the equivalent of the checkpoint, and the internal resources. Firewalls also do more things, but we will cover them as we go.

Firewalls overview 1. If the risk of having a connection to the Internet is unacceptable, the most effective way of treating the risk is to avoid the risk altogether and disconnect completely. If disconnection from the Internet is not practical, then firewalls may provide an effective level of protection that can reduce the risk to an acceptable level. Firewalls are often the first line of defence against external attacks, but should not be the only defence. A firewall's purpose is to prevent unauthorized
access to or from a private network. Okay. So the best protection is disconnecting from the Internet. However, if that is not possible, firewalls may help us defend against external attacks, but they should not be the only defence we have. Firewalls overview 2: all traffic entering or leaving must pass through the firewall.
The network owner must define criteria for what is unauthorized. It means that we have to define criteria for both what is unauthorized and what is authorized, okay? The effectiveness of firewalls depends on specifying authorized traffic in terms of rules: the rules define what to let pass through, and the rules define what to block. Firewalls must be effectively administered, updated with the latest patches and monitored. Firewalls can be implemented in hardware, in software, or a combination of both. Usually they are a combination of both, but you can have a pure hardware firewall or a software firewall as well.
Types of firewall technology, with a vehicle analogy. The packet filter firewall inspects packet headers only. In the vehicle analogy the packet header is the licence plate, so a packet filter only checks the plate number of each vehicle and does nothing else. It does not check what is inside; there may be armed men inside the car, but the packet filter will not see that, and it will let a car full of armed men through. Then there is the stateful packet filter, which analyses bidirectional traffic; in this case it also checks where the vehicle is coming from and where it is going. Then the application layer proxy, which terminates the connection, inspects the payload and analyses the traffic; in the analogy the proxy checks what is inside the car as well. And then there is the next-generation firewall, which also inspects the payload and analyses the traffic. We will see more about them.

The types of firewall are drawn like this. Simple packet filter: the internal transport connection passes straight through to the external transport connection. Stateful packet filter: the same, but the firewall keeps state about the connection. Application proxy: the internal transport connection terminates at the proxy, the proxy handles the application layer, and a separate external transport connection goes out. Next-generation firewall: the internal transport connection and the external transport connection, with payload inspection in between. Okay, let's continue.
Stateless packet filter. Now we will see the details of these types of firewalls. A packet filter is a network router that can accept or reject packets based on headers. Packet filters examine each packet's headers and make decisions based on attributes such as: source or destination IP addresses; source or destination port numbers; protocol (UDP, TCP or ICMP); ICMP message type; and which interface the packet arrived on. It is unaware of session state at the internal or external hosts, so it is a high-speed but primitive filter. With a stateless packet filter we can block certain IP addresses or IP ranges, and we can block certain ports or port ranges. This is actually pretty useful: if you block unnecessary ports you automatically improve your security, and if you block certain IP addresses you can prevent certain websites from being accessed. It can be applied to both incoming and outgoing traffic.
It can also check the ICMP message type, so let's look at what an ICMP message type is. The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating success or failure when communicating with another IP address; for example, an error is indicated when a requested service is not available or when a host or router could not be reached. ICMP differs from transport protocols such as TCP and UDP in that it is not typically used to exchange data between systems, nor is it regularly employed by end-user network applications, with the exception of some diagnostic tools like ping and traceroute. The filter also knows which interface the packet arrived on. Okay, anyway, let's continue. So the stateless packet filter is a high-speed
but primitive filter. Then we continue with widespread packet filter software: on Linux, iptables (netfilter) and nftables. Examples with iptables:

iptables -A FORWARD -s 131.234.142.33 -j ACCEPT
All packets from source IP address 131.234.142.33 are accepted.

iptables -A FORWARD -p tcp -d 10.0.0.0/16 --dport 22 -j ACCEPT
All packets using transport protocol TCP with a destination address in 10.0.0.0/16 and destination port 22 are accepted.

So you see it is pretty easy to define an iptables rule and allow a certain IP address, port or protocol. Okay.
Problems with stateless filtering. Assume a typical security policy: access from internal to external is allowed, access from external to internal is prohibited. Example application: a home network. In our home network we are usually not allowed to have access from external to internal. What does that mean? In your home network you normally cannot host a web server, because your ISP (or your home router) does not allow incoming connections, and you usually cannot run your home network as a mail server to send e-mail either, because your ISP blocks that as well. So this is a typical security policy. But when we connect to a website from inside, that is an internal-to-external connection, and it is allowed by the policy.

The naive packet filter configuration is: outgoing packets, forward; incoming packets, reject. Okay, I will pause for a moment. The slide shows the problem with the Internet on one side and the internal network on the other: a TCP SYN with destination X goes out, and the TCP SYN/ACK with source X comes back; a UDP DNS request with destination Y goes out, and the UDP DNS response with source Y comes back. With the naive rules the stateless filter rejects both replies, because it cannot tell a reply from an unsolicited incoming packet.

Stateful packet filters track the current state of a connection, so they are more intelligent than simple packet filters. Stateful packet filters keep track of sessions: they recognize whether a particular packet is part of an established connection by remembering recent traffic history, and they add a temporary rule to allow the reply traffic back through the firewall.
When the session is finished, the temporary rule is deleted. This makes the definition of filtering rules easier to accomplish and therefore potentially more secure. It is high speed and can use relatively advanced filter rules, but it requires memory, so it can be subject to DoS (denial of service) attacks: an attacker who opens many connections fills the state table. Okay. So these are the packets you see going from the internal network to the Internet, starting with the TCP synchronization (SYN) packets. Let's see the states of a TCP connection.
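To make the difference between the two filters concrete, here is a small simulation of the naive stateless policy from the slide next to a stateful filter with a connection-tracking table. It is an added example, not code from the lecture: the inside prefix 10.0.0.0/16 is taken from the iptables example above, and the hosts, ports and table size are constructed for the demo (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for Internet hosts).

```python
"""Stateless vs stateful packet filtering, as a small simulation.

Added example, not code from the lecture. Addresses, ports and the table size are
constructed; 10.0.0.0/16 is assumed to be the internal network.
"""
from collections import namedtuple
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/16")   # assumed internal network

# proto is "tcp" or "udp"; flags holds TCP flag letters: S=SYN, A=ACK, F=FIN, R=RST
Packet = namedtuple("Packet", "proto src sport dst dport flags", defaults=[""])


def is_inside(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INSIDE


def stateless_filter(pkt: Packet) -> str:
    """The naive policy from the slide: outgoing -> forward, incoming -> reject.
    Only the headers of this one packet are available, so a reply from the
    Internet looks exactly like an unsolicited connection attempt."""
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return "ACCEPT"
    return "REJECT"


class StatefulFilter:
    """Same policy plus a connection-tracking table (what iptables '-m state' consults)."""

    def __init__(self, max_entries: int = 1000):
        self.table = {}                 # connection key -> set of endpoints that sent FIN
        self.max_entries = max_entries  # the memory a DoS attack tries to fill

    @staticmethod
    def _key(pkt: Packet):
        # order the two endpoints so that a reply maps onto the same key as the request
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, ends[0], ends[1])

    def filter(self, pkt: Packet) -> str:
        key = self._key(pkt)
        fins = self.table.get(key)
        if fins is not None:
            # ESTABLISHED: the temporary rule lets the reply traffic back in
            if pkt.proto == "tcp":
                if "R" in pkt.flags:
                    del self.table[key]          # reset: session finished
                elif "F" in pkt.flags:
                    fins.add(pkt.src)
                    if len(fins) == 2:           # both sides closed: temporary rule deleted
                        del self.table[key]
            return "ACCEPT"
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            # NEW connection from inside: remember it so the reply can come back
            if len(self.table) >= self.max_entries:
                return "DROP"                    # state table exhausted
            self.table[key] = set()
            return "ACCEPT"
        return "REJECT"                          # unsolicited traffic from outside


def compare_filters() -> dict:
    """Run the same traffic through both filters; returns {description: (stateless, stateful)}."""
    traffic = [
        ("TCP SYN out",        Packet("tcp", "10.0.0.1", 3345, "203.0.113.10", 80, "S")),
        ("TCP SYN/ACK reply",  Packet("tcp", "203.0.113.10", 80, "10.0.0.1", 3345, "SA")),
        ("UDP DNS request",    Packet("udp", "10.0.0.1", 5353, "203.0.113.53", 53)),
        ("UDP DNS response",   Packet("udp", "203.0.113.53", 53, "10.0.0.1", 5353)),
        ("unsolicited SYN in", Packet("tcp", "198.51.100.7", 4444, "10.0.0.1", 22, "S")),
    ]
    stateful = StatefulFilter()
    return {name: (stateless_filter(p), stateful.filter(p)) for name, p in traffic}


def state_table_exhaustion(max_entries: int = 50) -> str:
    """Open max_entries connections from inside, then one more; returns the last verdict."""
    fw = StatefulFilter(max_entries)
    verdict = "REJECT"
    for port in range(max_entries + 1):
        verdict = fw.filter(Packet("tcp", "10.0.0.2", 10000 + port, "203.0.113.10", 443, "S"))
    return verdict


if __name__ == "__main__":
    for name, verdicts in compare_filters().items():
        print(f"{name:20s} stateless={verdicts[0]:7s} stateful={verdicts[1]}")
    print("state table full ->", state_table_exhaustion())
```

The stateless filter rejects both the SYN/ACK and the DNS response, which is exactly the problem shown on the slide; the stateful filter accepts them because the outgoing request created an entry, while the unsolicited SYN from outside is still rejected by both. The bounded table also shows the flip side: once it is full, even legitimate new connections from inside are dropped, which is why stateful filters are a DoS target.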
These are the TCP states, and with stateful filtering the firewall is able to keep the states and take action according to them. Let's read the states.

CLOSED: there is no connection.
LISTEN: the local endpoint is waiting for a connection request from a remote endpoint, i.e. a passive open was performed.
ESTABLISHED: the third step of the three-way connection handshake was performed; the connection is open.
FIN-WAIT-1: the first step of an active close (four-way handshake) was performed; the local endpoint has sent a connection termination request to the remote endpoint.
CLOSE-WAIT: the local endpoint has received a connection termination request and acknowledged it, e.g. a passive close has been performed, and the local endpoint needs to perform an active close to leave this state.
FIN-WAIT-2: the remote endpoint has sent an acknowledgement for the previously sent connection termination request; the local endpoint waits for an active connection termination request from the remote endpoint.
LAST-ACK: the local endpoint has performed a passive close and has initiated an active close by sending a connection termination request to the remote endpoint.
CLOSING: the local endpoint is waiting for an acknowledgement for a connection termination request before going to the TIME-WAIT state.
TIME-WAIT: the local endpoint waits for twice the maximum segment lifetime (MSL) to pass before going to CLOSED, to be sure that the remote endpoint received the acknowledgement.

Okay, let's continue with the stateful packet filter example in iptables: iptables -A FORWARD -m state --state NEW -i eth0 -j ACCEPT.
This accepts NEW connections, i.e. TCP SYN packets, arriving on the network interface eth0, which is the inside interface: from inside, accept TCP SYN packets. So let's look at TCP SYN. SYN is the synchronization message, the first message one side sends to the other. You see there is also the TCP SYN flood, which is an attack type. Let's see that as well.
What is a SYN flood attack? A TCP SYN flood (a.k.a. SYN flood) is a type of distributed denial-of-service (DDoS) attack that exploits part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive. Essentially, with a SYN flood DDoS the offender sends TCP connection requests faster than the targeted machine can process them, causing network saturation. Attack description: when a client and server establish a normal TCP three-way handshake, the exchange looks like this: the client requests a connection by sending a SYN (synchronize) message to the server; the server acknowledges by sending a SYN/ACK (synchronize-acknowledge) message back to the client; the client responds with an ACK (acknowledge) message, and the connection is established. In a SYN flood attack, the attacker sends repeated SYN packets to every port on the targeted server, often using a fake IP address. The server, unaware of the attack, receives multiple apparently legitimate requests to establish communication. It responds to each attempt with a SYN/ACK packet from each open port. The malicious client either does not send the expected ACK or, if the IP address is spoofed, never receives the SYN/ACK in the first place. Either way, the server under attack will wait for acknowledgement of its SYN/ACK packet for some time. So you see, you are able to
spoof your IP when sending packets: you just replace the source address in the header with a fake IP when sending the SYN, so the server thinks you are some other IP, and with a single machine you can exhaust the service. It works like this: the attacker sends multiple SYN requests to the server. The server has only so many slots for half-open connections, it is not unlimited. For each request it allocates a slot, starts waiting for the acknowledgement and sends the SYN/ACK back to the supposed client, but the acknowledgement never comes, because the attacker has spoofed its IP address. Therefore the attacker's connections exhaust the available slots.
During this time the server cannot close down the connection by sending an RST packet, and the connection stays open. Before the connection can time out, another SYN packet will arrive. This leaves an increasingly large number of connections half-open, and indeed SYN flood attacks are also referred to as half-open attacks. Eventually, as the server's connection overflow tables fill, service to legitimate clients will be denied, and the server may even malfunction or crash. While the classic SYN flood described above tries to exhaust network ports, SYN packets can also be used in DDoS attacks that try to clog your pipes with fake packets to achieve network saturation. The type of packet is not important; still, SYN packets are often used because they are the least likely to be rejected by default.

Okay, there are some mitigation methods as well; let's learn them too. Methods of mitigation: while modern operating systems are better equipped to manage resources, which makes it more difficult to overflow connection tables, servers are still vulnerable to SYN flood attacks. There are a number of common techniques to mitigate SYN flood attacks, including the following. Micro blocks: administrators can allocate a micro-record (as few as 16 bytes) in the server memory for each incoming SYN request instead of a complete connection object. SYN cookies: using cryptographic hashing, the server sends its SYN/ACK response with a sequence number (seqno) that is constructed from the client IP address, port number and possibly other unique identifying information. When the client responds, this hash is included in the ACK packet; the server verifies the ACK and only then allocates memory for the connection. RST cookies: for the first request from a given client, the server intentionally sends an invalid SYN/ACK. This should result in the client generating an RST packet, which tells the server something is wrong. If this is received, the server knows the request is legitimate, logs the client, and accepts incoming connections from it. Stack tweaking: administrators can tweak TCP stacks to mitigate the effect of SYN floods; this can either involve reducing the timeout until a stack frees memory allocated to a connection, or selectively dropping incoming connections. Obviously, all of the above-mentioned methods rely on the target network's ability to handle large-scale volumetric DDoS attacks, with traffic volumes measured in tens of gigabits and even hundreds of gigabits per second.

Okay, so now we know what TCP SYN is, and we can accept the packets of connections we already know about with this rule in our firewall: iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT. It accepts all packets which belong to an established TCP connection or are related to an existing UDP communication.
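The SYN cookie idea above is easiest to see in code: the server encodes the handshake into the sequence number it sends in the SYN/ACK, and allocates memory only when a valid ACK comes back. The following is an added example, not from the lecture and not the exact layout used by any real TCP stack: the cookie is simplified to an 8-bit time slot plus 24 bits of HMAC, and the secret, backlog size and addresses are constructed for the demo.

```python
"""SYN cookies versus a plain backlog under a spoofed SYN flood.

Added example, not from the lecture. The cookie layout (8-bit time slot + 24 bits of
HMAC over client address, port and slot) is a simplified version of the real scheme;
secret, backlog size and addresses are constructed for the demo.
"""
import hashlib
import hmac
import os
from typing import Optional

MASK32 = 0xFFFFFFFF


class Listener:
    """A listening socket that either keeps half-open state or uses SYN cookies."""

    def __init__(self, secret: bytes, backlog: int, use_cookies: bool, clock=None):
        self.secret = secret
        self.backlog = backlog              # size of the half-open connection table
        self.use_cookies = use_cookies
        self.half_open = {}                 # (client ip, port) -> ISN we sent in SYN/ACK
        self.established = set()
        self.clock = clock or (lambda: 0)   # seconds; injectable so the demo is deterministic

    def _slot(self) -> int:
        return (self.clock() // 64) & 0xFF  # 64-second slot, 8 bits

    def _cookie(self, cip: str, cport: int, slot: int) -> int:
        # The ISN itself carries everything needed to verify the final ACK later
        msg = f"{cip}:{cport}:{slot}".encode()
        tag = hmac.new(self.secret, msg, hashlib.sha256).digest()[:3]
        return (slot << 24) | int.from_bytes(tag, "big")

    def on_syn(self, cip: str, cport: int) -> Optional[int]:
        """Return the ISN placed in our SYN/ACK, or None if the SYN had to be dropped."""
        if self.use_cookies:
            return self._cookie(cip, cport, self._slot())   # no state allocated at all
        if len(self.half_open) >= self.backlog:
            return None                     # table full: legitimate clients are refused
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[(cip, cport)] = isn
        return isn

    def on_ack(self, cip: str, cport: int, ack: int) -> bool:
        """Final ACK of the handshake; the client acknowledges our ISN + 1."""
        claimed = (ack - 1) & MASK32
        if self.use_cookies:
            slot = claimed >> 24
            if (self._slot() - slot) & 0xFF > 1:
                return False                # cookie too old
            expected = self._cookie(cip, cport, slot)
            ok = hmac.compare_digest(expected.to_bytes(4, "big"), claimed.to_bytes(4, "big"))
        else:
            ok = self.half_open.pop((cip, cport), None) == claimed
        if ok:
            self.established.add((cip, cport))   # memory is allocated only now
        return ok


def flood_then_connect(use_cookies: bool, backlog: int = 128, flood_size: int = 1000) -> bool:
    """Spoofed SYNs that never ACK, then one honest client; True if the client connects."""
    srv = Listener(secret=b"demo-secret", backlog=backlog, use_cookies=use_cookies,
                   clock=lambda: 1_000_000)
    for i in range(flood_size):
        srv.on_syn(f"198.51.100.{i % 250}", 20000 + i)   # spoofed sources: no ACK ever follows
    isn = srv.on_syn("203.0.113.9", 40000)
    if isn is None:
        return False
    return srv.on_ack("203.0.113.9", 40000, (isn + 1) & MASK32)


def forged_ack_accepted() -> bool:
    """Attacker skips the SYN/ACK and guesses a cookie: must be rejected."""
    srv = Listener(b"demo-secret", 128, use_cookies=True, clock=lambda: 1_000_000)
    return srv.on_ack("198.51.100.1", 5555, 0x12345678)


if __name__ == "__main__":
    print("plain backlog, honest client connects:", flood_then_connect(use_cookies=False))
    print("SYN cookies, honest client connects:  ", flood_then_connect(use_cookies=True))
    print("forged ACK accepted:                  ", forged_ack_accepted())
```

With the plain backlog the 1000 spoofed SYNs fill the 128-entry table and the honest client's SYN is dropped; with cookies the server stored nothing, so the honest handshake completes and an attacker who skips the SYN/ACK cannot produce a valid ACK without the secret. The trade-off, which the lecture's list does not show, is that the cookie has to encode the connection parameters the server would otherwise remember, which is why real implementations squeeze the MSS choice into the same 32 bits.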
Stateful packet filter evaluation. Strengths: low overhead and high throughput; supports almost any application. Weaknesses: unable to interpret application layer data and commands, so it may allow insecure operations to occur; allows a direct connection between hosts inside and outside the firewall. Okay. Personal firewalls. A personal firewall is a program that is designed to protect the computer on which it is installed. Personal firewalls are frequently used by home users to protect themselves from the Internet. You can see examples such as Kaspersky Internet Security, which has a personal firewall, and
I think you can see it in more detail here: it has protection components such as the Network Attack Blocker, and you see the Firewall. Nowadays a personal firewall is also included in Windows, for example. Advantage compared to a network firewall: rules can take applications into account. This is true: you can block connections or allow connections based on the application and such, for example
in Kaspersky Internet Security or in the firewall of a Windows PC. Windows 10 has "Firewall & network protection" like this: you can set rules, allow an app through the firewall, go to the network troubleshooter and so on. Okay. IPv4 network address translation (NAT). Okay, IPv4, let's see. NAT is used to increase the IPv4 address space.
It translates public IP address <-> private IP address and ports. Currently we are all, or nearly all, behind NAT, actually CGNAT (carrier-grade NAT), because the IPv4 addresses that we use are extremely limited; actually they are exhausted. Therefore our Internet service providers are using a single IP address to connect sometimes tens, sometimes hundreds of users to the Internet. For example, today Discord banned my IP address. I didn't do anything, but because our IP is shared with maybe a hundred other customers, Discord for example sees it as if I am doing attacks on the Discord network, because maybe thousands of requests come from the single IP, and they may see me as an attacker. So this is a downside of NAT. It is an advanced topic; however, let's try to understand it in a short time. Each local network can reuse private IP address ranges, which artificially increases the number of usable IP addresses.
Possibilities: static mapping, a permanent mapping of a public to a private address, which gives no gain; dynamic mapping, mapping a public to a private address when needed and unmapping it when no longer needed; and PAT, port address translation, where multiple internal addresses are mapped to the same public address but with different port numbers. PAT is what is being used. You see here, I will try to explain. We have one public IP address that we are all being connected through, and our internal network is the network of our Internet service provider, such as Superonline or TTNet. Internally our Internet service provider assigns us a private IP address and a private port, and with the combination of this private IP address and private port they are able to differentiate the outgoing and incoming connections. For example, it assigns the public port 5001 to me, 5002 to another customer, 5003 to another customer, and so on; with the different public port assignments they can map which connection belongs to which client. Okay. So in this way they can connect 1,000 or 10,000 different computers to the same public IP address.
This has many drawbacks, of course; for example what happened to me today, Discord banning me. Or if another client commits a crime through this public IP address and there are no proper records kept by my ISP, they may not be able to work out who committed that crime; and if the remote server where the crime was committed does not keep the public source port of the incoming connection, it still cannot be translated back to who committed the crime, and so on. This is really an advanced topic, and if you wonder how it works you can look for articles.
I will show you some; I will find a good article for you to read. Okay, for example this figure is good, you may read how it works. You see here host 10.0.0.1, for example, which is client 1, sends a datagram to the remote IP at port 80: this connection request is opened from the internal port 3345 to the destination IP address with public port 80. Then it goes to the NAT router (10.0.0.4 in the figure), which translates the request into a request from our public IP address with the public port 5001. Then the remote server sends the page data back to public port 5001, and the NAT router translates this back to client 1. So the public port here is what determines who sent the request; by using it, the private network, which is our Internet service provider's, finds out who sent that request. Okay. IPv4 NAT plus side, advantages: helps enforce control over outbound connections; helps restrict incoming traffic; helps conceal the internal network configuration; makes port scanning more difficult.
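The PAT mapping from the figure, as an added example (not code from the lecture): two inside hosts use the same private source port towards the same server, the translator tells them apart by the public port it hands out, an unsolicited packet from the Internet finds no mapping, and the log it keeps is exactly the record an ISP would need to answer "who was behind port 5001 at that time". The inside addresses and first public port follow the figure; the public address, the remote servers (documentation range 203.0.113.0/24) and the log format are assumptions.

```python
"""Port address translation (PAT): one public address shared by many inside hosts.

Added example, not code from the lecture. Inside hosts and the first public port 5001
follow the lecture's figure; the public IP, remote servers and log format are assumed.
"""
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport")


class PortAddressTranslator:
    def __init__(self, public_ip: str, first_port: int = 5001):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map = {}   # (private ip, private port, remote ip, remote port) -> public port
        self.inbound_map = {}    # public port -> that same 4-tuple
        self.log = []            # (time, public port, private ip, private port): needed for attribution

    def outbound(self, pkt: Pkt, now: int) -> Pkt:
        """Rewrite the source of a packet leaving the private network."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.outbound_map:
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[port] = key
            self.log.append((now, port, pkt.src, pkt.sport))
        return Pkt(self.public_ip, self.outbound_map[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Pkt):
        """Rewrite the destination of a packet arriving from the Internet; None means drop."""
        key = self.inbound_map.get(pkt.dport)
        # only the remote endpoint the inside host talked to may use this mapping
        if key is None or (pkt.src, pkt.sport) != (key[2], key[3]):
            return None
        private_ip, private_port, _, _ = key
        return Pkt(pkt.src, pkt.sport, private_ip, private_port)

    def who_used(self, public_port: int, at_time: int):
        """Answer 'which inside host was behind public port P at time T' from the log."""
        hits = [(t, ip, p) for t, port, ip, p in self.log if port == public_port and t <= at_time]
        return hits[-1][1:] if hits else None


def demo() -> dict:
    nat = PortAddressTranslator("198.51.100.1")
    out1 = nat.outbound(Pkt("10.0.0.1", 3345, "203.0.113.10", 80), now=100)
    out2 = nat.outbound(Pkt("10.0.0.2", 3345, "203.0.113.10", 80), now=101)  # same private port
    reply1 = nat.inbound(Pkt("203.0.113.10", 80, "198.51.100.1", out1.sport))
    reply2 = nat.inbound(Pkt("203.0.113.10", 80, "198.51.100.1", out2.sport))
    scan = nat.inbound(Pkt("203.0.113.66", 4444, "198.51.100.1", 22))            # no mapping: dropped
    hijack = nat.inbound(Pkt("203.0.113.66", 4444, "198.51.100.1", out1.sport))  # wrong remote: dropped
    return {"out1": out1, "out2": out2, "reply1": reply1, "reply2": reply2,
            "scan": scan, "hijack": hijack, "attribution": nat.who_used(out1.sport, 150)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12s} {value}")
```

This translator is of the restrictive kind (a mapping is usable only by the remote endpoint that the inside host contacted); real NATs vary in how strict they are about that, which is what the distinctions between full-cone and symmetric NAT are about. Note that without the timestamped log, the public port alone says nothing about which customer was behind it.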
Minus side, disadvantages: can't be used with protocols that require a separate back-channel, with protocols that encrypt TCP headers such as IPsec, or with protocols that carry embedded TCP address info; not recommended with IPv6. There are also some other disadvantages; you may look for them on the Internet.

Application layer proxy. 1: the external client sends a request to the server, which is intercepted by the outward-facing firewall proxy. 2: the inward-facing proxy sends the request to the server on behalf of the client. 3: the server sends the reply back to the inward-facing firewall proxy. 4: the outward-facing proxy sends the reply to the client. Client and server both think they communicate directly with each other, not knowing that they actually talk with a proxy. The proxy can inspect the application data at any level of detail and can even modify the data. So you see the outward-facing proxy here is the orange box, and the inward-facing proxy is the green one. When the client wants to communicate with the server, it actually communicates with the proxy; however, it is not aware that it is communicating with a proxy. Okay.
So this is the application layer proxy. Next-generation firewalls (NGFW): they inspect the payload in end-to-end or proxied application connections; support specific application protocols, e.g. HTTP, Telnet, FTP, SMTP, etc., with each protocol supported by a specific proxy hardware/software module; can be configured to filter specific user applications, e.g. Facebook, YouTube, LinkedIn; and can filter detailed elements in each specific user application. For example, if you are connected behind an application layer firewall, your data can also be read by the firewall.
Okay, therefore if the firewall's root certificate is installed on your device, the administrator can even see the content of your HTTPS connection; we will see more about that. NGFWs can support TLS/SSL encrypted traffic inspection and can provide intrusion detection and intrusion prevention, at the cost of a very high processing load in the firewall: high volume needs high-performance hardware, or else it will be slow. It has a very high processing load, of course, because it inspects the contents of every packet. High-performance NGFWs: a high-range model, the PA-7050, has up to 120 Gbit/s throughput, with prices starting from 200,000 US dollars. By the way, this slide is probably old and outdated by now, but you get the idea; these prices are not extreme, they are real. Another high-range
security system has up to 400 Gbit/s throughput, with prices again starting in the hundreds of thousands of US dollars. Okay, let's look for some updated prices. Okay, they are not shown here. Next, look, you see these have very low throughput, not even one gigabit per second, and this one costs 1,200 dollars. Let's look for something better, for example 75 Gbit/s: you see it is 250,000 dollars, and it is not even 100 gigabits per second. If you get something with one terabit per second, well, you see such firewalls are extremely expensive. These are the models, but the prices are not included here. Anyway, you get the idea: they are extremely expensive. One moment. Okay.
Inline deep packet inspection. Deep packet inspection looks at application content instead of individual or multiple packets; deep inspection keeps track of application content across multiple packets, with a potentially unlimited level of detail in traffic filtering. You see, with deep inspection they can see the payload data as well, the content of the received traffic: the packet consists of the IP header, the TCP or UDP header and the payload data. TLS/SSL encrypted traffic inspection in firewalls. TLS is designed for end-to-end encryption, so it is normally impossible to inspect. In order to inspect TLS, the proxy must pretend to be the external TLS server: the proxy creates a proxy server certificate with the name of the external server, e.g. facebook.com, signed by the local proxy root private key. This assumes that the local proxy root certificate is installed on all local hosts. The proxy server certificate is then automatically validated by the local client, so the user believes that he/she has a TLS connection to the external server. Okay. So for this to
work, the local proxy root certificate has to be installed on your computer or device. If it is not installed, you would get an error message from your browser. Therefore, for example, if you are working in a company and the company has provided you with a computer, your HTTPS traffic may not be as secure as you think, because they may read your traffic content as well if they have installed a proxy root certificate on your computer or device. Okay,
so it works like this. The client A requests data from server C, for example from Facebook. The request goes first to proxy B, whose root certificate is installed on the client. Then the proxy opens its own TLS encrypted connection to the server; towards Facebook the proxy behaves as the client, and towards the client it behaves as Facebook. Therefore neither side is aware of the proxy. You see the proxy certificate B has the name C and is signed by the local proxy root certificate, while the real server certificate C has the name C and is signed by a certificate authority in the Internet's PKI. Okay. TLS inspection attack with a rogue proxy server: depending on the network, attackers may be able to install a rogue proxy. Rogue TLS inspection does not assume a pre-installed proxy root certificate; the proxy creates a fake server certificate with the name of the external server, e.g. facebook.com, which can be self-signed. The fake server certificate is not validated, so the browser asks the user to accept it. The fake certificate has name equals
domain name, so the browser sets up TLS and the user believes that he/she has a TLS connection to the external server. The key point of the rogue server is that your browser asks you to accept the certificate. So when you see such a warning from your browser, it is asking you to accept a certificate. For example, let me show you what I mean by that. Okay, you will get an error like this: "Your connection is not private. Attackers
might be trying to steal your information from example.com", and when you click Advanced it allows you to continue with this self-signed certificate or such. Therefore you should never accept it unless you are sure about it. Lenovo and the Superfish scam: a Superfish root certificate and a traffic diversion were shipped in Lenovo models during 2014. All HTTPS connections were diverted to the Superfish server to inject advertisements. Superfish created fake server certificates with the names of web servers, e.g. facebook.com, signed by the Superfish root private key. The fake server certificates were automatically validated, so users believed that they had a secure end-to-end HTTPS connection to the
web server. The Superfish scam was discovered in 2015; the Superfish certificate was deleted and the diversion removed, an embarrassment for Lenovo. Superfish changed its name to JustVisual. So you see, when a root certificate is installed on your computer they may do anything they want, because your browser would automatically accept certificates signed by it as valid and let you proceed. So this is a danger. For example, currently when I open a website, my computer trusts the server certificate via Kaspersky: you see here it is issued by "Kaspersky Anti-Virus Personal Root Certificate".
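The three situations just discussed (a real certificate from a public CA, an inspecting proxy whose root is installed on the host, and a rogue proxy with a self-signed certificate) come down to one question: is the issuer of the certificate the browser receives in the local trust store? The following toy PKI, an added example rather than code from the lecture, models exactly that check. Certificates are dicts signed with textbook RSA over SHA-256 using tiny Mersenne-prime keys so that the chain logic runs offline; the names "Public CA" and "Corp Proxy Root", the two trust stores and the `intercepted` check are assumptions for the demo.

```python
"""Why a TLS-inspecting proxy is trusted only where its root is installed: a toy PKI.

Added example, not code from the lecture. Certificates are dicts signed with textbook
RSA over SHA-256 using tiny Mersenne-prime keys, so that the chain logic runs offline;
the names 'Public CA' and 'Corp Proxy Root' and the trust stores are assumptions.
"""
import hashlib
import json

E = 65537
# Toy moduli built from Mersenne primes: trivially factorable, fine only for a logic demo
M = [(1 << k) - 1 for k in (5, 7, 13, 17, 19, 31, 61, 89, 107, 127)]


def keypair(p: int, q: int):
    n = p * q
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}


def digest(body: dict) -> int:
    return int.from_bytes(hashlib.sha256(json.dumps(body, sort_keys=True).encode()).digest(), "big")


def sign(priv: dict, body: dict) -> int:
    return pow(digest(body) % priv["n"], priv["d"], priv["n"])


def verify(pub: dict, body: dict, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == digest(body) % pub["n"]


def issue(subject: str, subject_pub: dict, issuer: str, issuer_priv: dict) -> dict:
    """A CA (or a proxy, or an attacker) signs a certificate binding a name to a key."""
    body = {"subject": subject, "pub": subject_pub, "issuer": issuer}
    return {"body": body, "sig": sign(issuer_priv, body)}


def validate(leaf: dict, hostname: str, trust_store: dict) -> str:
    """What the browser checks: the name matches and the issuer is a trusted root."""
    if leaf["body"]["subject"] != hostname:
        return "name mismatch"
    root = trust_store.get(leaf["body"]["issuer"])
    if root is None:
        return "untrusted issuer: browser warns the user"
    return "ok" if verify(root, leaf["body"], leaf["sig"]) else "bad signature"


def intercepted(leaf: dict, host_store: dict, public_roots: dict) -> bool:
    """Practitioner check: accepted on this host, but not through any public root."""
    return (validate(leaf, leaf["body"]["subject"], host_store) == "ok"
            and leaf["body"]["issuer"] not in public_roots)


def scenarios() -> dict:
    server_pub, _ = keypair(M[0], M[1])               # the real site's key
    proxy_leaf_pub, _ = keypair(M[2], M[3])           # key the proxy uses towards the client
    rogue_pub, rogue_priv = keypair(M[4], M[5])       # attacker's key, no CA behind it
    public_ca_pub, public_ca_priv = keypair(M[6], M[7])
    proxy_root_pub, proxy_root_priv = keypair(M[8], M[9])

    real = issue("fac" "ebook.com", server_pub, "Public CA", public_ca_priv)
    proxied = issue("facebook.com", proxy_leaf_pub, "Corp Proxy Root", proxy_root_priv)
    rogue = issue("facebook.com", rogue_pub, "facebook.com", rogue_priv)   # self-signed

    home_laptop = {"Public CA": public_ca_pub}                                  # public roots only
    company_pc = {"Public CA": public_ca_pub, "Corp Proxy Root": proxy_root_pub}  # proxy root added

    return {
        "real cert, home laptop": validate(real, "facebook.com", home_laptop),
        "real cert, company PC": validate(real, "facebook.com", company_pc),
        "proxy cert, home laptop": validate(proxied, "facebook.com", home_laptop),
        "proxy cert, company PC": validate(proxied, "facebook.com", company_pc),
        "rogue cert, home laptop": validate(rogue, "facebook.com", home_laptop),
        "rogue cert, company PC": validate(rogue, "facebook.com", company_pc),
        "company PC intercepted": intercepted(proxied, company_pc, home_laptop),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case:26s} -> {result}")
```

The proxy's certificate for facebook.com is "ok" on the company PC and "untrusted" on the home laptop, the rogue self-signed one is untrusted everywhere (that is the browser warning), and the real certificate validates in both stores. The `intercepted` check is the one a practitioner can run on a managed machine: if the presented chain validates but its root is not one of the public roots, the connection is being inspected, which is how the Superfish and "Kaspersky Anti-Virus Personal Root Certificate" cases above would show up.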
So in the Superfish case the root certificate was from Superfish, not from Lenovo itself, and users were not aware of it. Application proxy firewalls, plus and minus: the positive side and the negative side. Strengths: easy logging and audit of all incoming traffic; provides the potential for the best security through control of application layer data and commands.
Weaknesses: may require some time for adapting to new applications; much slower than packet filters; much more expensive than packet filters. Also there can be privacy issues, because your data is no longer private even if you connect through SSL/TLS, since the system administrators can inspect and see your content. Firewalls: simple firewall architecture. There is a firewall router, which is a gateway that connects your network to the Internet, and behind it the internal networks with the DNS server, web server, mail server, workstations, production systems and database.
So a firewall is a gateway that lets your systems connect to the Internet. Next is the demilitarized zone, which we have seen. Firewalls: DMZ firewall architecture. In the DMZ firewall architecture there are two firewalls. The first one is the external router firewall, which connects the devices that must be reachable from the Internet, here the DNS server, web server and mail server, to the Internet; then the internal router firewall connects your demilitarized zone to your internal network, where the workstations, production systems, database server and so on are. The DMZ, drawn in another example, is like this. DMZ = a part of your LAN with other restrictions, e.g. allowing publicly available services (web servers, mail, etc.). So there is the public network, the Internet, then we have the external firewall, then the web server and FTP server, which are in the demilitarized zone, and then we have the internal firewall, which connects our internal network and internal servers to the demilitarized zone servers such as the web server and FTP server. Okay, now intrusion detection systems; IDS stands for intrusion detection system.
Intrusion detection and prevention. Intrusion: actions aimed at compromising the security of a target network, i.e. the confidentiality, integrity and availability of resources. Intrusion detection: the identification of possible intrusions through intrusion signatures and network activity analysis; IDS, intrusion detection systems. Intrusion prevention: the process of both detecting intrusion activities and managing automatic responsive actions throughout the network; IPS, intrusion prevention systems; IDPS, intrusion detection and prevention systems. Intrusion detection systems (IDS) are automated systems that detect suspicious activity. An IDS can be either host-based or network-based. A host-based IDS (HIDS) is designed to detect intrusions only on the host it is installed on; it monitors changes to the host's OS files and traffic sent to the host. A network-based IDS (NIDS) detects intrusions on one or more network segments to protect multiple hosts; it monitors network segments looking for suspicious traffic. What can be detected: attempted and successful misuse, by external and internal agents; malware, i.e. Trojan programs, viruses and worms; DoS, denial of service attacks. So you see an IDS can even detect Trojan programs, viruses or worms.
Here we have the external firewall to the internet and the internal firewall, and you see there are network-based intrusion detection systems: one checks the incoming traffic here, in the DMZ, and there is one more in the internal network. So we make sure that both in the demilitarized network and in the internal
network we try to detect intrusion attacks. Okay. So what are the intrusion detection techniques? Misuse detection uses attack signatures. It needs a model of the attack: sequences of system calls, patterns of network traffic, etc. You must know in advance what the attacker will do, so it can only detect known attacks, but it gives relatively few false positives. So this one is based on a list of known attacks; it can only detect known attacks, and therefore it has relatively few false positives, because it knows the attack signatures. Anomaly detection uses a model of normal system behaviour and tries to detect deviations and abnormalities, e.g. raise an alarm when a statistically rare event occurs. It can potentially detect unknown attacks, but it gives many false positives. Because it is dynamic and based on the events occurring, it tries to detect an attack from the behaviour. For example, let's say your network usually gets 100
incoming connections at any time, and suddenly your system starts getting 100,000 connections at a time out of nothing. That is an alarming situation, because, say you are operating a web server, some hackers may be trying to find vulnerabilities and exploits on your web server, crawling your web forms and submitting harmful input to find out whether your web server has, let's say, a SQL injection vulnerability. So anomaly detection is harder, and yet it may capture more types of attack. A popular NIDS is Snort, a popular open source tool with large rule sets for known vulnerabilities, e.g.: 31 March 2009, a programming error in MySQL server may allow a remote attacker to cause a denial of service (DoS) against a vulnerable machine; 27 March 2009, Microsoft Windows GDI buffer overflow: a programming error in the Microsoft Windows kernel may allow a remote attacker to execute code with system-level
privileges. This may be exploited when specially crafted EMF files are viewed using Microsoft Internet Explorer. Bro, developed by Vern Paxson, separates data collection from security decisions: the event engine distills the packet stream into high-level events describing what is happening on the network, and the policy script interpreter uses a script defining the network security policy to decide what to do in response. Okay.
Example: a vulnerability plus its Snort rule. So what does this Snort rule do? It checks the traffic for the signature of that vulnerability (a possible leak of memory contents) and takes the configured action when it matches. Okay, anyway, let's continue. Port scanning. Many vulnerabilities are OS-specific: bugs in specific implementations, default configurations. This is why hackers usually scan your system with automated tools and check for already discovered vulnerabilities on it. For example, if you are using Windows Server 2003 and you have an Apache server, they check that:
the discovered vulnerabilities in your server, whether you are using a patched version of Windows or not, or, let's say, if you are using popular forum software such as MyBB, whether you have fixed previously discovered exploits or not. So they check based on your system, either your operating system or the software you are using. A port scan is often a prelude to an attack: the attacker tries many ports and many IP addresses, for example looking for an old version of some daemon with an unpatched buffer overflow. If the characteristic behaviour is detected, the attack is mounted. From The Art of Intrusion: virtually every attack involves port scanning and password cracking.
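The three detection techniques just discussed, misuse detection with signatures, anomaly detection against a baseline of normal traffic, and spotting a port scan, put into working code over one small constructed connection log. This is an added example, not code from the lecture, Snort or Bro; the log format (second, source IP, destination port, first payload bytes), the two signatures, and the thresholds are assumptions chosen for the demonstration.

```python
"""Three NIDS techniques over one constructed connection log: misuse (signature)
detection, anomaly (baseline) detection and port-scan detection.
Added example; the log format, signatures and thresholds are assumptions."""
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# --- constructed sample log (not real traffic) ------------------------------
# Each record: (second, source_ip, destination_port, first bytes of payload)
SAMPLE_LOG = []
for sec in range(10):                       # ten seconds of ordinary web traffic, 3 conn/s
    for i in range(3):
        SAMPLE_LOG.append((sec, f"10.0.0.{i + 1}", 80, b"GET /index.html HTTP/1.1"))
# one request that probes the web form for SQL injection (misuse case)
SAMPLE_LOG.append((4, "198.51.100.7", 80, b"GET /item?id=1' OR '1'='1 HTTP/1.1"))
# a sudden flood: 60 connections in one second from many sources (anomaly case)
for i in range(60):
    SAMPLE_LOG.append((10, f"198.51.100.{i % 50 + 1}", 80, b"GET / HTTP/1.1"))
# one host touching twelve different ports within three seconds (port-scan case)
SCANNED_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]
for i, port in enumerate(SCANNED_PORTS):
    SAMPLE_LOG.append((12 + i // 4, "203.0.113.9", port, b""))

# --- misuse detection: attack signatures, few false positives, known attacks only
SIGNATURES = {
    # tautology-style SQL injection such as  ' OR '1'='1
    "sql-injection-tautology": re.compile(rb"(?i)'\s*or\s*'?\d+'?\s*=\s*'?\d+"),
    # directory traversal in a URL
    "path-traversal": re.compile(rb"\.\./\.\./"),
}

def misuse_detect(log, signatures=SIGNATURES):
    """Return (second, source, signature_name) for every payload matching a signature."""
    hits = []
    for sec, src, _port, payload in log:
        for name, pattern in signatures.items():
            if pattern.search(payload):
                hits.append((sec, src, name))
    return hits

# --- anomaly detection: model of normal behaviour, flags deviations; may catch
#     unknown attacks but raises false positives whenever "normal" shifts
def anomaly_detect(log, train_seconds, k=3.0, min_dev=1.0):
    """Flag seconds whose connection count exceeds mean + k*stdev of the training window.
    min_dev floors the deviation so a very quiet baseline does not flag everything.
    Note the training window here even contains the injection probe: real training
    data is rarely attack-free, which is one of the problems the lecture lists."""
    per_second = Counter(sec for sec, *_ in log)
    baseline = [per_second[s] for s in train_seconds]
    threshold = mean(baseline) + k * max(pstdev(baseline), min_dev)
    return [(sec, n) for sec, n in sorted(per_second.items()) if n > threshold]

# --- port-scan detection: one source touching many distinct ports in a short window
def portscan_detect(log, min_ports=10, window=5):
    """Return {source: distinct_ports} for sources hitting >= min_ports ports within `window` s."""
    by_src = defaultdict(list)
    for sec, src, port, _payload in log:
        by_src[src].append((sec, port))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t < t0 + window}
            best = max(best, len(ports))
        if best >= min_ports:
            scanners[src] = best
    return scanners

if __name__ == "__main__":
    print("misuse  :", misuse_detect(SAMPLE_LOG))
    print("anomaly :", anomaly_detect(SAMPLE_LOG, train_seconds=range(10)))
    print("portscan:", portscan_detect(SAMPLE_LOG))
```

The signature detector finds exactly the one injection probe and nothing else, while the anomaly detector never sees the probe (one extra request is within normal bounds) but does flag the flood second; that is the trade-off the lecture describes. The port-scan detector is itself a kind of anomaly rule (fan-out over ports), so its threshold needs the same tuning against false alarms as any statistical method.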
Example: network services on a Windows computer. So you see these ports are listed by Windows as LISTENING. What does listening mean? It means that the server continuously checks whether there is any incoming data on these ports, and if there is incoming data it is automatically accepted and processed. Therefore, if there is a previously discovered exploit for the service on that port and you are using an unpatched Windows, that exploit still works on your Windows, so the attacker can exploit it without any interaction from you. So this is about port scanning. Therefore you should keep unused ports closed; that improves your system's security against both previously discovered and undiscovered exploits. Okay. Intrusion detection problems: lack of training data with real attacks, but lots of normal network traffic and system call data; data drift: statistical methods detect changes in behaviour, but the attacker can attack gradually and incrementally; discriminating characteristics are hard to specify, since many attacks may be within the bounds of the normal range of activities; false identifications are very costly, as the system administrator
will spend many hours examining evidence. Okay. Probability density functions: the profile of intruder behaviour and the profile of authorized user behaviour overlap. In the overlapping area you may block an authorized user, or you may allow an intruder. Okay. Intrusion detection errors: false negatives, the attack is not detected, a big problem in signature-based misuse detection; false positives, harmless behaviour is classified as an attack, a big problem in statistical anomaly detection. Both types of IDS suffer from both error types, and both false positives and false negatives are problematic. Attacks are fairly rare events, so IDS often suffer from the base rate fallacy.
Base rate fallacy. Consider the statements A: an attack occurs, and D: a detection occurs. We can measure or estimate $P(D \mid A)$, the probability of detection given that an attack occurs, $P(D \mid \neg A)$, the probability of detection given that no attack occurs, and $P(A)$, the probability of an attack. We want to know the fraction of true positives, $P(A \mid D)$, the probability of an attack given that detection triggers. By Bayes' theorem,
$$P(A \mid D) = \frac{P(D \mid A)\,P(A)}{P(D)} = \frac{P(D \mid A)\,P(A)}{P(D \mid A)\,P(A) + P(D \mid \neg A)\,P(\neg A)}.$$
Base rate fallacy example: the scanner is 99% correct, $P(D \mid A) = 0.99$ and $P(D \mid \neg A) = 0.01$, and the attack probability is one in ten thousand, $P(A) = 0.0001$. Then
$$P(A \mid D) = \frac{0.99 \cdot 0.0001}{0.99 \cdot 0.0001 + 0.01 \cdot 0.9999} \approx 0.0098,$$
about 1% accuracy: roughly 100 false positives for every true positive. On the other hand, if you simply classify everything as a non-attack, you get 99.99% accuracy but you miss the one attack. So this is the base rate fallacy: it is really hard to detect rare events among a lot of events. You may also find an explanatory article on this. The base rate fallacy, also called base rate neglect or base rate bias, is a fallacy: if presented with related base rate information (i.e. general information on prevalence) and specific information (i.e. information pertaining only to a specific case), people tend to ignore the base rate in favour of the individuating information rather than correctly integrating the two.
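The Bayes computation above, carried through in code so you can vary the base rate and see what the detector's false alarm rate would have to be for alerts to be worth an analyst's time. This is an added example, not from the lecture; the numbers in main() are the lecture's, and the 50% precision target used for the last calculation is an arbitrary choice for illustration.

```python
"""Bayes' rule for IDS alert quality: how base rate, detection rate and false
alarm rate combine.  Added example; the numbers in main() are the lecture's."""

def p_attack_given_alert(p_d_given_a, p_d_given_not_a, p_a):
    """P(A|D) = P(D|A)P(A) / (P(D|A)P(A) + P(D|notA)P(notA))  (Bayes' theorem)."""
    true_alerts = p_d_given_a * p_a                 # alerts that are real attacks
    false_alerts = p_d_given_not_a * (1.0 - p_a)    # alerts raised on harmless traffic
    return true_alerts / (true_alerts + false_alerts)

def false_alarms_per_true_alert(p_d_given_a, p_d_given_not_a, p_a):
    """How many false positives the analyst wades through for each real attack."""
    return (p_d_given_not_a * (1.0 - p_a)) / (p_d_given_a * p_a)

def max_false_alarm_rate(target_precision, p_d_given_a, p_a):
    """Largest P(D|notA) for which P(A|D) still reaches target_precision.
    Solving P(A|D) >= t for P(D|notA) gives P(D|A) P(A) (1-t) / (t (1-P(A)))."""
    return p_d_given_a * p_a * (1.0 - target_precision) / (target_precision * (1.0 - p_a))

def base_rate_table(p_d_given_a=0.99, p_d_given_not_a=0.01,
                    base_rates=(1e-1, 1e-2, 1e-3, 1e-4, 1e-5)):
    """Precision of the same 99%-correct detector as attacks become rarer."""
    return [(p_a, p_attack_given_alert(p_d_given_a, p_d_given_not_a, p_a))
            for p_a in base_rates]

if __name__ == "__main__":
    for p_a, prec in base_rate_table():
        print(f"P(A)={p_a:<7g} -> P(A|D)={prec:.4f}")
    print("false alarms per true alert at P(A)=1e-4:",
          round(false_alarms_per_true_alert(0.99, 0.01, 1e-4)))
    print("P(D|notA) needed for 50% precision at P(A)=1e-4:",
          max_false_alarm_rate(0.5, 0.99, 1e-4))
```

The last line is the practical lesson: at a one-in-ten-thousand base rate, even a 99% detection rate needs a false alarm rate below one in ten thousand before half of the alerts are real, which is why the lecture says most alarms are false positives and need automated screening.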
Okay, anyway, let's continue. Remarks on intrusion detection: most alarms are false positives, which requires automated screening and filtering of alarms. Most true positives are trivial incidents that can be ignored: those attacks will never be able to penetrate the system. Serious incidents need human attention; they can be dealt with locally, but may require external expertise. There is potential for improvement through more intelligent IDS: fewer false positives and
better detection of advanced attacks (APT). Okay. Intrusion prevention systems. Intrusion prevention system (IPS) is a relatively new term that can mean different things. Most commonly an IPS is a combination of an IDS and a firewall: a system that detects an attack and can stop it as well. It can be application-specific, deployed on a host to stop attacks on specific applications such as IIS, or it can be an extension of a NIDS. False positives are problematic because automated prevention measures can block services: when a false positive happens, it means you have blocked legitimate, authenticated users. So they are really problematic.
And honeypots, which are extremely popular. A honeypot is a computer configured to detect network attacks or malicious behaviour. It appears to be part of a network and seems to contain information or a resource of value to attackers, but honeypots are isolated, are never advertised, and are continuously monitored. All connections to honeypots are by definition malicious, and they can be used to extract attack signatures. The Honeynet Project is an international security research community; see the next slide. Okay, before wireless LAN security, about honeypots, I will show you an article.
Okay, there is an article on Kaspersky: What is a honeypot? The definition of a honeypot. One honeypot definition comes from the world of espionage, where Mata Hari-style spies who use a romantic relationship as a way to steal secrets are described as setting a "honey trap" or "honeypot". Often, an enemy spy is compromised by a honey trap and then forced to hand over everything he or she knows. In computer security terms, a
cyber honeypot works in a similar way, baiting a trap for hackers. It's a sacrificial computer system that's intended to attract cyberattacks, like a decoy. It mimics a target for hackers, and uses their intrusion attempts to gain information about cybercriminals and the way they are operating, or to distract them from other targets. How honeypots work. The honeypot looks like a real computer system, with applications and data, fooling cybercriminals into thinking it's a legitimate target. For example, a honeypot could mimic a company's customer billing system, a frequent target of attack for criminals who want to find credit card numbers. Once the hackers are in, they can be tracked, and their behavior assessed for clues on how to make the real network more secure. Honeypots are made attractive to attackers by building in deliberate
vulnerabilities. For instance, a honeypot might have ports that respond to a port scan or weak passwords. Vulnerable ports might be left open to entice attackers into the honeypot environment, rather than the more secure live network. A honeypot isn't set up to address a specific problem, like a firewall or antivirus. Instead, it's an information tool that can help you understand existing threats to your business and spot the emergence of new threats. With the intelligence obtained from a honeypot, security efforts can be prioritized and focused.
Different types of honeypot and how they work. Different types of honeypot can be used to identify different types of threats. Various honeypot definitions are based on the threat type that's addressed. All of them have a place in a thorough and effective cybersecurity strategy. There are other types; if you want to learn more about them, read the rest of the article.
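A minimal low-interaction honeypot, to make the definition from the slide concrete: it listens on a port nothing legitimate should use, answers with a fake service banner, and records who connected and what they sent; since the service is never advertised, every record it produces is by definition suspicious. This is an added example, not code from the lecture or from the Kaspersky article; the SMTP-style banner, the loopback address, the OS-chosen port and the `probe()` helper standing in for an attacker's scanner are assumptions so that the demonstration runs offline.

```python
"""A minimal low-interaction TCP honeypot: accepts connections, greets each client
with a fake banner, and records who connected and what they sent.
Added example; banner text, loopback addresses and the probe() helper are assumptions."""
import socket
import threading
from datetime import datetime, timezone

class TcpHoneypot:
    def __init__(self, host="127.0.0.1", port=0,
                 banner=b"220 mail.example.com ESMTP Postfix\r\n"):
        # port=0 lets the OS pick a free port; a real deployment would sit on e.g. 25 or 3389
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((host, port))
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]
        self.banner = banner
        self.records = []          # every entry here is, by definition, suspicious

    def serve(self, max_connections=1, timeout=5.0):
        """Accept up to max_connections, log each one, then close the listener."""
        self.listener.settimeout(timeout)
        try:
            for _ in range(max_connections):
                try:
                    conn, (peer_ip, peer_port) = self.listener.accept()
                except socket.timeout:
                    break
                with conn:
                    conn.settimeout(2.0)
                    conn.sendall(self.banner)          # look like a real service
                    try:
                        first_bytes = conn.recv(1024)  # capture what the client tries
                    except socket.timeout:
                        first_bytes = b""
                self.records.append({
                    "time": datetime.now(timezone.utc).isoformat(),
                    "peer_ip": peer_ip,
                    "peer_port": peer_port,
                    "first_bytes": first_bytes,        # raw material for a new signature
                })
        finally:
            self.listener.close()
        return self.records

def probe(port, payload, host="127.0.0.1"):
    """Stand-in for an attacker's scanner: connect, read the banner, send a probe."""
    with socket.create_connection((host, port), timeout=5.0) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner

def demo(payload=b"EHLO scanner.invalid\r\n"):
    """Run the honeypot in a thread, hit it once, return (banner seen, records logged)."""
    hp = TcpHoneypot()
    t = threading.Thread(target=hp.serve, kwargs={"max_connections": 1}, daemon=True)
    t.start()
    banner = probe(hp.port, payload)
    t.join(10.0)
    return banner, hp.records

if __name__ == "__main__":
    banner, records = demo()
    print("banner sent to the client:", banner)
    for record in records:
        print(record)
```

The logged `first_bytes` is what the slide means by "extract attack signatures": the bytes an attacker sends to a service that does not exist are a ready-made misuse signature for the real NIDS. Keep such a host isolated, as the slide says; this toy one gives the attacker nothing but a banner, and that is the point.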
Okay, let's continue with our lecture. IEEE 802.11 standards for WLAN. IEEE 802.11 was formed in the 1990s with a charter to develop a protocol and transmission specifications for wireless LANs (WLANs). Since then the demand for WLANs at different frequencies and data rates has exploded, and an ever-expanding list of standards has been issued, from 10 megabits per second to 1 gigabit per second transmission rate. Our mobile devices, laptops and such,
or other devices, connect to an access point or modem, and the access point connects to the internet; that is the Wi-Fi security picture. 802.11 Wi-Fi security: only authorized terminals or users may get access through the wireless LAN; it should be impossible to set up a rogue AP; interception of traffic by radios within range should be impossible. Okay, so there are the security protocols, let's say WEP, WPA and WPA2. Currently we are usually using WPA2. You see, for authentication and key generation: WEP uses WEP, WPA uses EAP, WPA2 uses EAP; and for encryption: RC4, RC4 (TKIP) and AES (CCMP).
I remember that some time ago you were able to decrypt WEP passwords just by gathering some random WEP data, by listening to the Wi-Fi data being transmitted; that was possible. However, with the new authentication in WPA2 it is impossible. For example, I will show you WEP cracking. In order to crack WEP we first need to capture a large number of packets; that means we can capture a large number of IVs. Once we have done that, we will use a tool called
aircrack-ng. This tool is able to use statistical attacks to determine the keystream and the WEP key for the target network. This method works better when we have more packets, and our chances of breaking the key will be higher. Let's look at the most basic case of cracking a WEP key. To do this we will set the Wi-Fi card in monitor mode. After this we will run the command airodump-ng wlan0 to see all of the
networks that are within our Wi-Fi range, and then we will target one of those networks, where wlan0 stands for the interface. The following output will be displayed after executing this command. Okay, so it was so easy to crack WEP passwords; you see, there is already a tool. However, recent applications all use WPA2, which is much harder to crack, made impossible. WEP: wired equivalent privacy, broken. WPA: Wi-Fi protected access. EAP: extensible authentication protocol. RC4: Rivest cipher 4, a stream cipher. TKIP: temporal key integrity protocol. CCMP: counter mode with CBC-MAC protocol. RSN: robust security network. Okay. IEEE 802.11 terminology. Station (STA): a wireless terminal that communicates with 802.11 functionality. Access point (AP):
receives radio signals and controls access to the network. Basic service set (BSS): a set of stations and one AP. Extended service set (ESS): a set of multiple BSSs. Distribution system (DS): contains an authentication server (AS) and integrates multiple BSSs into one ESS. Network components and architecture: you see access point 1 and its basic service set with its stations, access point 2 and its stations, and this is the distribution system. 802.11i RSN services and protocols: access control via IEEE 802.1X port-based access control and the extensible authentication protocol (EAP); confidentiality, data origin authentication and integrity protection via TKIP and CCMP; and authentication, key generation and access control. Okay.
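Going back to the WEP cracking discussion above: why does capturing many packets, and therefore many IVs, break WEP? Each frame is RC4-encrypted under a per-packet key of IV || root key with only a 24-bit IV sent in the clear, so IVs repeat, and every frame with the same IV is encrypted with the same keystream. The following added example (not code from the lecture and not a reimplementation of aircrack-ng's FMS/PTW statistical key recovery) shows the underlying keystream-reuse weakness: from one frame whose plaintext is known, the keystream for that IV is recovered and used to read another frame with the same IV, without ever learning the root key. The root key, IVs and frame contents are constructed; the CRC-32 ICV that real WEP appends before encryption is omitted.

```python
"""WEP keystream reuse: RC4 under IV || root key with a 24-bit IV means IVs repeat,
and a repeated IV plus one known plaintext reveals every other frame under that IV.
Added example; root key, IVs and frame contents are constructed, ICV omitted."""

def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream: key-scheduling (KSA) then pseudo-random generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV (3 bytes, sent in clear) || RC4(IV || root key) XOR plaintext."""
    assert len(iv) == 3 and len(root_key) in (5, 13)   # 40- or 104-bit WEP
    return iv + xor(rc4(iv + root_key, len(plaintext)), plaintext)

# Every WEP data frame starts with this LLC/SNAP header (here followed by the IPv4
# ethertype), so an eavesdropper always knows the first 8 plaintext bytes.
SNAP_HEADER = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"

ROOT_KEY = b"\x01\x02\x03\x04\x05"   # constructed 40-bit key; the attacker never learns it

# Constructed capture: the AP re-uses IV 00:00:2a (only 2^24 IVs exist), and one of the
# two frames under that IV is an ICMP echo the attacker provoked, so its whole plaintext
# is known to the attacker.
KNOWN_ECHO = SNAP_HEADER + b"ICMP echo request with attacker-chosen payload bytes...."
CAPTURE = [
    wep_encrypt(ROOT_KEY, b"\x00\x00\x29", SNAP_HEADER + b"hello"),
    wep_encrypt(ROOT_KEY, b"\x00\x00\x2a", KNOWN_ECHO),
    wep_encrypt(ROOT_KEY, b"\x00\x00\x2b", SNAP_HEADER + b"some other frame"),
    wep_encrypt(ROOT_KEY, b"\x00\x00\x2a", SNAP_HEADER + b"POST /login user=alice pw=hunter2"),
]

def find_iv_collisions(frames):
    """Group captured frames by IV; any IV seen twice shares one RC4 keystream."""
    by_iv = {}
    for frame in frames:
        by_iv.setdefault(frame[:3], []).append(frame)
    return {iv: fs for iv, fs in by_iv.items() if len(fs) > 1}

def keystream_from_known_plaintext(frame, known_plaintext):
    """ciphertext XOR plaintext = keystream, for as many bytes as the plaintext is known."""
    return xor(frame[3:3 + len(known_plaintext)], known_plaintext)

def decrypt_with_keystream(frame, keystream):
    return xor(frame[3:3 + len(keystream)], keystream)

def demo(frames=CAPTURE):
    """Recover the victim frame that shares an IV with the attacker's known frame."""
    iv, (known_frame, victim_frame) = next(iter(find_iv_collisions(frames).items()))
    # Step 1: the SNAP header alone already yields 8 keystream bytes for this IV
    ks_header = keystream_from_known_plaintext(victim_frame, SNAP_HEADER)
    # Step 2: the fully known echo frame yields the whole keystream for this IV
    ks_full = keystream_from_known_plaintext(known_frame, KNOWN_ECHO)
    return iv, ks_header, decrypt_with_keystream(victim_frame, ks_full)

if __name__ == "__main__":
    iv, ks_header, plaintext = demo()
    print("reused IV:", iv.hex(), "keystream prefix:", ks_header.hex())
    print("victim frame decrypted without the key:", plaintext[len(SNAP_HEADER):])
```

Step 1 is why the known 8-byte header matters so much in practice: it gives the first keystream bytes for every captured IV for free, and it is exactly the known first output bytes of RC4 under related keys (IV || key) that the statistical attacks aircrack-ng runs exploit to recover the root key itself. WPA's TKIP and WPA2's CCMP were designed to remove this per-packet key structure.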
Cryptographic algorithms: okay. So all of the authentication happens in phases: phase 1, discovery of the access point; phase 2, authentication with the authentication server; phase 3, key management; phase 4, protected data transfer; and phase 5, connection termination. 802.11i Wi-Fi access control: 1, mutual identity request between STA and AP; 2, mutual authentication between STA and AS; 3, derive the pairwise master key (PMK) between STA and AP; 4, encrypt the radio link and open the port, connect to the network. The access-controlled port from the AP to the network is closed (disconnected) before authentication and open (connected) after successful authentication. You see it: in the first step we request to connect to the access point, then the authentication goes on, and at the fourth step we get an encrypted connection. You see a port is
getting opened with the authentication server at phase 2; then there is a controlled port opened for our station, and through that port we communicate with the local network and then with the internet. When you don't control the WLAN. Often you want to connect to a wireless LAN over which you have no control, e.g. in a cafe. Options: if you can, connect securely (WPA2, 802.11i, etc.); beware of SSL stripping if the network is unsecured;
connect to online resources securely: use a VPN (virtual private network), an IPsec connection to your home gateway, or TLS/SSL connections to a secure web server with HSTS; be careful not to expose passwords; watch for direct attacks on untrusted networks. Okay, so when you are connecting to the internet from an unsecured network, like from an internet cafe or from your hotel room, if you are going to work on sensitive data, use a VPN. The VPN will increase your data encryption level, and also always use SSL. So if you use both SSL and a VPN, it is extremely unlikely, or let's say impossible, for that network administrator to see your content, to see your data transmission. Okay, I think it is enough for this week; you get the idea of the topics, and you can always look for articles to get more details. Okay, hopefully see you
next week, and end of lecture.
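Appended as an added example for the 802.11i key management phase discussed above (not part of the original lecture): the lecture's step 3, "derive the pairwise master key", and the key management phase carried through in code for WPA2-Personal. The PMK is derived from the passphrase and SSID, the 4-way handshake mixes it with both MAC addresses and both nonces into the PTK, and the KCK part of the PTK authenticates the handshake message, so the AP only opens the 802.1X controlled port when the MIC verifies. This goes beyond the slide's four-step summary into the actual WPA2-PSK derivation; the passphrase, SSID, MAC addresses and nonces are constructed, and the EAPOL-Key frame is reduced to a plain byte string with the MIC field zeroed rather than the real frame encoding.

```python
"""WPA2-Personal key management: PMK from passphrase and SSID, PTK from the 4-way
handshake, KCK-based MIC gating the controlled port.  Added example; passphrase,
SSID, MAC addresses and nonces are constructed and the EAPOL frame is simplified."""
import hashlib
import hmac

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
    split into KCK (MIC key), KEK (key-wrap key) and TK (the CCMP data key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}

def eapol_mic(kck, frame_with_zero_mic):
    """WPA2 key MIC (HMAC-SHA1-128) over the EAPOL-Key frame with its MIC field zeroed."""
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:16]

def four_way_handshake(sta_passphrase, ap_passphrase, ssid, aa, spa, anonce, snonce):
    """Both sides derive their own PTK; the MIC on message 2 proves the STA knows the PMK."""
    # message 1 (AP -> STA): ANonce in the clear; the STA can now compute its PTK
    sta_ptk = derive_ptk(wpa2_pmk(sta_passphrase, ssid), aa, spa, anonce, snonce)
    # message 2 (STA -> AP): SNonce plus MIC under the STA's KCK (simplified frame body)
    msg2_body = b"EAPOL-Key msg2 " + snonce + b"\x00" * 16
    msg2_mic = eapol_mic(sta_ptk["kck"], msg2_body)
    # the AP now has both nonces, derives its PTK and checks the MIC before opening the port
    ap_ptk = derive_ptk(wpa2_pmk(ap_passphrase, ssid), aa, spa, anonce, snonce)
    mic_ok = hmac.compare_digest(msg2_mic, eapol_mic(ap_ptk["kck"], msg2_body))
    return {
        "ptk_match": sta_ptk == ap_ptk,
        "mic_verified": mic_ok,
        "port_open": mic_ok,                       # 802.1X controlled port opens only on success
        "tk": ap_ptk["tk"] if mic_ok else None,    # CCMP key for the protected data phase
    }

CONSTRUCTED = dict(ssid="LectureNet", aa=bytes.fromhex("02aabbccdd01"),
                   spa=bytes.fromhex("02aabbccdd02"),
                   anonce=bytes(range(32)), snonce=bytes(range(32, 64)))

if __name__ == "__main__":
    good = four_way_handshake("correct horse battery", "correct horse battery", **CONSTRUCTED)
    bad = four_way_handshake("wrong passphrase", "correct horse battery", **CONSTRUCTED)
    print("same passphrase :", good)
    print("wrong passphrase:", bad)
```

Two things worth noticing against the WEP example earlier: the per-session TK depends on fresh nonces from both sides, so capturing traffic never yields a reusable keystream, and the PBKDF2 step is the only place the passphrase enters, which is why an eavesdropper who records the handshake can still try passphrases offline; a long passphrase is what makes that infeasible.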