Modern Computer Networks - High Speed Network Lab @ NCTU

Authentication (cont.)Digital Signature• What’s Authentication?An unique digital IDApplications• E-transaction via networks• E-election via networks• Privacy Enhanced Mail (PEM)• 3 RequirementsAuthentication• The receiver can verify the claimed identity of the sender.Non repudiation• The sender cannot later repudiate the contents of themessage.Integrity• The receiver cannot possibly have concocted themessage itself.Chapter 7: Network Security Modern Computer Networks 13Chapter 7: Network Security Modern Computer Networks 14Authentication without EncryptionMD5 message-digest g algorithm• Authentication only, but without messageencryption e.g., Message broadcast from authorized source• Solution Message Digest (MD)• Use a secure (one-way) hash function H to compute afixed-size tag H(M||SABAB), called a message digest for agiven message M concatenated with a shared secretvalue SAB• For secret-key digital signature• Specified in RFC1321, developed d by Ron Rivest in1992.• Padded an arbitrary length message to multiples of512 bits, then produce a 128-bit message digest• Every bit of the hash code is a function of every bitin the input• Rivest’s s conjecture The difficulty of coming up with two messages having thesame message digest is in the order of 2 64 operations The difficulty of finding a message with a given digest is onthe order of 2 128 operationsChapter 7: Network Security Modern Computer Networks 15Chapter 7: Network Security Modern Computer Networks 16

Application Layer SecuritySecure Socket Layer (SSL)• Secure Socket Layer (SSL)• Security Electronic Transaction (SET)• Why SSL?Provide encryption layer between Application andTCP layersApplicationApplicationSSLSSLTCPTCPIPIPChapter 7: Network Security Modern Computer Networks 17Chapter 7: Network Security Modern Computer Networks 18SSL Handshake• What’s SSL? RFC 2246 :Transport Layer Security (TLS) protocol. Original development by Netscape in 1994Encrypt data with various algorithm• DES, Triple DES, RSA, Digital SignatureSSL Contents• SSL server authentication• SSL client authentication• Encrypted SSL sessionSSL HandshakeClientDigitalSignatureSSL Client HelloSSL Server HelloServer CertificationRequest Client CertificationClient CertificationClientKeyExchange (RSA)Certificate VerifyChangeCipherSpecCi h ServerFinishedEncrypted DataEncrypted data stream (DES)Chapter 7: Network Security Modern Computer Networks 19Chapter 7: Network Security Modern Computer Networks 20

Network Layer SecurityIPSec• IP Security (IPSec)• Virtual Private Network (VPN)• Why IPSec? Provide interoperable,high quality,cryptographically-based security for IPv4 and IPv6communication• Security servicesAccess control IntegrityAuthentication ConfidentialityChapter 7: Network Security Modern Computer Networks 25Chapter 7: Network Security Modern Computer Networks 26Components for IPSecKey Concept: Security Association• Traffic securityAuthentication Header (AH)• Integrity• AuthenticationEncapsulation Security Payload (ESP)• Confidentiality• Key management and distributionSimple Key-management for IP (SKIP)Internet Key Exchange (IKE)• One-way relationship between a sender and areceiverFor two-way secure exchange, two security associations arerequired.• Uniquely identified by an IP and SPISPI: security parameter index• Parameters Authentication algorithm, mode, key(s)Encryption algorithm, mode, transform, key(s) Lifetime of the keys, security association Security level, source IP, ...Chapter 7: Network Security Modern Computer Networks 27Chapter 7: Network Security Modern Computer Networks 28

AuthenticationAuthentication (cont.)• RFC 1828 specifies the use of MD5 forauthentication.• The MD5 algorithm is performed over the IPpacket plus a secret key and then insertedinto the IP packet.• At the destination, the same calculation isperformed on the IP packet plus the secretkey and compared to the received value.• Provides both authentication and dataintegrity.Chapter 7: Network Security Modern Computer Networks 29• Two ways in which IP authentication servicecan be used End-to-end End-to-intermediateIntranetRouter/FirewallEnd-to-end dauthenticationiEnd-to-intermediateInternetChapter 7: Network Security Modern Computer Networks 30Authentication (cont.)Encapsulating Security Payload0 8 16 31Next HeaderLengthReservedSecurity Parameter Index (SPI)Sequence Number FieldAuthentication Data (variable)Length : Length of Authentication Data field in 32-bits words.Security Parameters index: Identifies a security association.i• Provide support for privacy and data integrity for IPpackets.• Two modes Transport-mode ESP mechanism encrypts a transport-layer segment Tunnel-mode ESP mechanism encrypts an entire IP packet• ESP Header SPIParameters dependent on the encryption algorithmChapter 7: Network Security Modern Computer Networks 31Chapter 7: Network Security Modern Computer Networks 32

Transport-Mode ESPTunnel-Mode ESP• Encrypt the data carried by IP ESP header is inserted into the IP packet immediately priorto the transport-layer header (or Destination Option header ispresent)• Suspectable to traffic analysis on the transmittedpackets End-to-end transportIP Header Ext. Header ESP Header Transport tlayer segmentUnencryptedEncrypted• Encrypt an entire IP packetIP HeaderCounter traffic analysis problemSource sends encrypted IP packet to firewallFirewall sends to destination firewallDestination firewall forwards to destinationExt. Header ESP Header IP header + Transport layer segmentUnencryptedEncryptedChapter 7: Network Security Modern Computer Networks 33Chapter 7: Network Security Modern Computer Networks 34Authentication Plus PrivacyAuthentication Plus Privacy y( (cont.)• Encryption before authenticationTransport-mode ESP• Authentication applies to the entire IP packet deliveredto the ultimate destinationTunnel-Mode ESP• Authentication applies to the entire IP packet deliveredto the firewallIP Header Auth. Header ESP Header Transport layer segment e E-TScope of authenticationE-T : Encapsulating Security Payload trailing fieldsChapter 7: Network Security Modern Computer Networks 35• Authentication before encryptionOnly appropriate for tunnel mode ESPAuthentication before encryption is better• AH is protected by ESP• More convenient to perform authentication onunencrypted data, then protected by encryptionIP-H ESP-H IP-H A-H Transport layer segment E-TScope of authenticationChapter 7: Network Security Modern Computer Networks 36

Key managementKey management (cont.)• SKIPProposed by Sun MicrosystemApply Diffie-Hellman key exchange algorithm toshare private keyFor security, public key is authenticated byCertificate Authority y( (CA)• Need Public Key Infrastructure(PKI) support• ISAKMP/Oakley(IKE)Oakley defines key identificationISAKMP defines key distribution• Two phases• Phase 1: ISAKMP SA establishment The two ISAKMP peer establish a secure, authenticatedchannel with which to communicate Unlike IPSec SA, ISAKMP SA is bi-directional• Phase 2: use ISAKMP SA to construct AH or ESP SAChapter 7: Network Security Modern Computer Networks 37Chapter 7: Network Security Modern Computer Networks 38Virtual Private Network (VPN)VPN• Why VPN?Private data network for enterprisesLease line• X.25, Frame Relay , and ATM• Custom-made serviceDisadvantages of lease line• Complexity configuration• High cost of network access equipments• What is VPN?Build private network communication on publicnetwork• How to implement VPNTunnelingEncryption & decryptionKey managementauthenticationti tiChapter 7: Network Security Modern Computer Networks 39Chapter 7: Network Security Modern Computer Networks 40

TunnelingPPTP• Layer 2 tunneling Extend the PPP model by allowing the L2 and PPPendpoints to reside on different devices• Save the long-term toll charge• Use Internet to transmit PPP framesSupport multi-protocolt l• IP, IPX, NetBEUI, AppleTalk• Take advantage of PPPPPTPL2TP• Layer 3 tunneling IPSec• Microsoft proposed protocol• PPP frames are encapsulated in IP packets• Tunnel modes Client-initiated• Client creates PPTP connection to remote PPTP serverdirectlyISP-initiated• Client creates PPP session with access server of ISP• Access server e of ISP make tunnel with remote PPTP servere• MultiplexingCall IDChapter 7: Network Security Modern Computer Networks 41Chapter 7: Network Security Modern Computer Networks 42L2TPOther issues• Combine Cisco proposed L2F and PPTP• Message types Control message• Establishment, maintenance and clearing of tunnels and calls• Transmitted on reliable control channelData message• Encapsulate PPP frames being carried over the tunnel• Transmitted on unreliable data channel• MultiplexingCall ID• Encryption and decryption Previously described• Key management Described in IPsec section• AuthenticationUser authentication• Password,ID card• PAP, CHAP in PPPEquipment authentication• X.509 certificateChapter 7: Network Security Modern Computer Networks 43Chapter 7: Network Security Modern Computer Networks 44

VPN typesVirtual Leased Line (VLL)• Virtual Leased Line (VLL)Simplest type of VPN• Virtual Private Routed Networks (VPRN)Works on network layer• Virtual Private Dial Networks (VPDN)• Virtual Private LAN Segment (VPLS)Works on link layer• Two CPE devices are connected by point to pointlink CPE connects to ISP node via link layer connection IP tunnels are set up between ISP nodes• Link layer type ATM VCCFrame relay circuitit• To a customer, it looks like if a single ATM VCC orFrame Relay circuit it were used to interconnect t theCPE devicesChapter 7: Network Security Modern Computer Networks 45Chapter 7: Network Security Modern Computer Networks 46VLL exampleVirtual Private Routed Network (VPRN)CPE10.2.3.5FrameRelayCircuitISP edge nodeIPBackboneIP tunnelsubnet = 10.2.3.4/30ISP edge nodeFrameRelayCircuitCPE10.2.3.6• Packet tforwarding is carried out at tthe network klayer• A VPRN consistsA mesh of IP tunnels between ISP routers Routing capabilities needed to forward site• A VPRN specific forwarding table is located at each ISP router• Benefit Minimum complexity and configuration of CPE outers• Heavy works are done by ISP edge router• Disadvantage poor scalability• Full mesh topology are not appropriate in the case of large number ofISP routersChapter 7: Network Security Modern Computer Networks 47Chapter 7: Network Security Modern Computer Networks 48

CPE10.5.5.0/30ISPedgerouter10.11.11.1/30ISPedgerouterCPE10.6.6.0/30Virtual Private Routed Network (VPRN)IPBackboneISPedgerouter10.11.11.4/30 10.11.11.7/30VPRN example• Backup link is used in the case of failure ofprimary link• Backdoor link refers to a link between twocustomer sites that does not traverse the ISPnetwork10.7.7.0/30CPE CPE 10.8.8.0/30IP tunnelstub linkbackdoor linkChapter 7: Network Security Modern Computer Networks 49Chapter 7: Network Security Modern Computer Networks 50Virtual Private Dial Network (VPDN)Tunneling mechanisms• Remote user connect through an ad hoctunnel into another site User us connected to a public IP network via adial-up PSTN or ISDN link• L2TP allows for the extension of user PPPsession from an L2TP Access Concentrator(LAC) to a remote L2TP Network Server(LNS)• Compulsory tunnelingLAC extends a PPP session across a backboneusing L2TP to a remote LNS• Dial and network access server act as LAC• Voluntary tunnelingAn individual host connects to a remote site usinga tunnel originating on the host, with noinvolvement from intermediate network nodesChapter 7: Network Security Modern Computer Networks 51Chapter 7: Network Security Modern Computer Networks 52

Compulsory tunneling exampleVoluntary tunneling exampledialconnectionHOSTNAS (LAC)IPBackboneGW (LNS)Corp. Network10235 10.2.3.5 10236 10.2.3.6L2TP TunnelPPP sessionHOST (LAC)10.2.3.5dialconnectionNASIPBackboneL2TP Tunnel with PPP sessionorIPSec TunnelGW (LNS)Corp. Network10.2.3.6Chapter 7: Network Security Modern Computer Networks 53Chapter 7: Network Security Modern Computer Networks 54Virtual Private LAN Segment (VPLS)• Emulation of a LAN segment using Internetfacilities• Difference from VPRNEach VPLS edge node implements link layerbridging rather than network forwardingVPLS exampleISPedgenodeISPedgenodeCPECPE10.5.5.1/24 10.5.5.2/24IPBackboneISPedgenodeCPE10.5.5.3/24IP tunnelstub linkChapter 7: Network Security Modern Computer Networks 55Chapter 7: Network Security Modern Computer Networks 56

Open Source ImplementationMain flowchart of Frees/Wan• Frees/WanMain components• KLIPS (KerneL IP Security) kernel IPSEC Work as a module in Linux kernel implements AH, ESP, and packet handling within the kernel• Pluto IKE daemonimplements IKE, negotiating connections with othersystems• Administrator interfaceSTARTinit_module()ipsec_init() init()cleanup_module()Chapter 7: Network Security Modern Computer Networks 57Chapter 7: Network Security Modern Computer Networks 58ipsec_tdbinit()ipsec_radijinit()Flowchart of ipsec_init( ()Part IESPpfkey_init()register_netdevice_notifier()YESipsec_tunnel_initinit_device()Flowchart of ipsec_init( )Part IINOinet_add_protocol(&esp_protocol)SYSCTLYESYESAHinet_add_protocol(&ah_protocol)NONOipsec_sysctl_register( )IPCOMPYESinet_add_protocol(&comp_protocol)RETURNChapter 7: Network Security Modern Computer Networks 59Chapter 7: Network Security Modern Computer Networks 60

Function descriptionFunction description• ipsec_tdbinit( ) Initailize tunnel description block TDB is used for record information of communication• Source IP, destination IP, error message, currentstatus…t• ipsec_radijinit( ) Initialize a radix tree structure for routing table of IPSec• pfkey_init( ) Key distribution and management for two communicationendpointsChapter 7: Network Security Modern Computer Networks 61• register_netdevice_notifier( td i tifi ) Register ipsec as a virtual network interface• Should be mapped to a physical interface• inet_add_protocol ( ) Register protocol to inetd depends on the command givenby administrator• ipsec_rev( ) Protocol handler• ipsec_tunnel_init_device( )Used to define operations of ipsec devices• ipsec_sysctl_register( )Used if sysctl command is receivedChapter 7: Network Security Modern Computer Networks 62Flowchart of PlutoSTART7.3 Firewallinitializationwait for eventtimerevent?YES• Introduction• Network layer: packet filter• Application layer: TIS—Trusted InformationSystemNOinvoke timer handlerinvoke packethandlerChapter 7: Network Security Modern Computer Networks 63Chapter 7: Network Security Modern Computer Networks 64

Introduction of FirewallWhat can a firewall protect against?• A system or group of systems that enforcesan access control policy between twonetworks Redirects request to actual server Hide intranet servers from internetAccess logs, invasion detection and alarms• Protect against unauthenticated interactivelogins from the “outside” world• Record and monitor status of the protectednetwork suspicious data access• Monitor abnormal instruction ti of the protectedt network Intrusion detection Against network-borne attackChapter 7: Network Security Modern Computer Networks 65Chapter 7: Network Security Modern Computer Networks 66Firewall categoriesNetwork layer firewall• Network layer firewall• Application layer firewall• Works on the network layer of OSI modelPacket filter• Based on the header of the IP packet andrules defined by administrator• Fields checkedProtocol IDSource IP addressDestination IP addressSource TCP/UDP portDestination TCP/UDP portChapter 7: Network Security Modern Computer Networks 67Chapter 7: Network Security Modern Computer Networks 68

Screened Host FirewallScreened host firewallInternetallowIP filtering routerdisallowBaston HostPrivate Network• Bastion host A exposed gateway machine• highly-defended and secured strong point thatcan resist attack• Router operation Traffic from Internet to bastion host is permittedAll traffic from inside to Internet are rejected unless itcomes from bastion host• Advantage Simple router filtering rules• Disadvantage Packet can go inside directlyChapter 7: Network Security Modern Computer Networks 69Chapter 7: Network Security Modern Computer Networks 70Screened subnet FirewallScreened subnet firewallBaston HostPrivateInternetNt NetworkIP filtering router DMZ IP filtering routerChapter 7: Network Security Modern Computer Networks 71• DMZ (demilitarized zone) An area between inside firewall and outside firewall• Inside firewall refers to router located in privatenetwork• Outside firewall refers to Internet access router Hosts in private network are protected by two or morefirewalls• Create private network and DMZ by two routers• Advantage No site in private network is exposed to InternetRouter closed to private network has better routingperformance than bastion hostChapter 7: Network Security Modern Computer Networks 72

Application layer firewallDual-Homed gateway• Works on the application layer of OSI model Proxy serverInternetPrivate NetworkDual-Homed GatewayIP routing andforwarding disabledChapter 7: Network Security Modern Computer Networks 73Chapter 7: Network Security Modern Computer Networks 74Dual - Homed gatewayOpen Source Implementation- Netfilter• Dual – Homed gatewayA highly secured host that runs proxy softwareBlock all IP traffic between two networkRouting and forwarding capability are disabled• What is netfilter? A set of checkpoints in the packet’s traversal of the protocolstack• The checkpoints are called hooks• Actions taken on hooks NF_ACCEPTNF_DROP NF_STOLEN NF_QUEUE NF_REPEAT• Packet selection is done by IP TablesChapter 7: Network Security Modern Computer Networks 75Chapter 7: Network Security Modern Computer Networks 76

Open Source Implementation- NetfilterOpen Source Implementation - iptables• Hooks in packet traversal NF_IP_PRE_ROUTING A ROUTE C D NF_IP_LOCAL_INNF_IP_FORWARDFORWARD ROUTE NF_IP_POST_ROUTING NF_IP_LOCAL_OUT OUTB ELocal Process• Rule structureStruct ipt_entry• struct ipt_ip• nf-cache• target_offset• next_offset• comefrom• struct ipt_countersStrcut ipt_entry_matchStruct ipt_entry_targetChapter 7: Network Security Modern Computer Networks 77Chapter 7: Network Security Modern Computer Networks 78Open Source Implementation- TISHttp-Gw• Set of programs to facilitate the networkfirewall• Software componentsSmap• SMTP serviceNetacl• TELNET service, finger, and Access control listftp-gw, http-gw, rlogin-gw,telnet-gwgw gw• Proxy server for FTP,http,rlogin, and telnet• A proxy server with proxy capability forhttp,gopher,and ftp• May cooperate with squidhttp-gw has no caching capability Squid act as a caching Web proxy• May filter specific URLs or sitesChapter 7: Network Security Modern Computer Networks 79Chapter 7: Network Security Modern Computer Networks 80

Netperm-table• Common configuration file for TIS• Rule matching is from top to bottom, left toright• Example of http-gw part of Netperm-tabletablehttp-gw: userid roothttp-gw: directory /www_datahttp-gw: timeout 60http-gw: permit-hosts 177.3.4.*http-gw: deny-hosts *Chapter 7: Network Security Modern Computer Networks 81STARTYESbind listen- DAEMON acceptNO(inetd)ReadConfigurationGet user'ss httprequestForward httprequestReceive httpresponsetext/htmlYESContent filterwith FSMYES(child)NOfork=0NO(parent)http example ofTrusted information system (TIS)Block transferbetweenconnectionsENDChapter 7: Network Security Modern Computer Networks 827.4 Intrusion Detection SystemNetwork Intrusion• Introduction• Intrusion• Protection• Open Source Implementation- ti Snort• What’s network intrusion?Intrude a system via networks such as, Internetand Intranet===== Welcome ======Login: UnsafePassword: HereYouAreServerChapter 7: Network Security Modern Computer Networks 83Chapter 7: Network Security Modern Computer Networks 84

Intrusion Procedure• Why network intrusion?For funGather information or resource of the targetsystemDamage data and filesCrash target systemEmbedEmbedbackdoorbackdoorfor fornext nextcomingcomingGatherGatherInformationInformationIntrudeIntrudeGet InformationGet InformationCrack targetCrack targetClear logClear logChapter 7: Network Security Modern Computer Networks 85Chapter 7: Network Security Modern Computer Networks 86Intrusion WaysMonitoring• Monitoring• Password Cracking• Security Holes• Malicious iCode• Denial of Service• Scanning• What’s Monitoring?i Monitor the MAC frame, IP packet, andapplication layer information of the target t system• To get MAC address• To get TCP/IP information• To get username and password• To get some useful information• ToolsSniffit,http://reptile.rug.ac.be/~coder/sniffit/sniffit.html NetXray,Chapter 7: Network Security Modern Computer Networks 87Chapter 7: Network Security Modern Computer Networks 88

Password CrackingSecurity Holes• How to crack password Guess Brute force with dictionary file• Unix, /etc/passwd and /etc/shadowfiles• Windows 2000, SAM file Plain text transmission without encryption• ToolsNetcat, http://www.atstake.com/research/tools/nc11nt.zipWWWHack, http://packetstorm.securify.com/Crackers/wwwhack.zipsecurify com/Crackers/wwwhack L0phtCrack, http://www.l0pht.com/l0phtcrack/dist/l0phtcrack25.exeJohn-16d.zip, http://www.openwall.com/johnChapter7: Network Security Modern Computer Networks 89• What’s security hole?Bugs of systems, applications, or protocols• Types of security holeBuffer overflowInput Validation ErrorConfiguration ErrorSystem bugSoftware bugProtocol bugChapter 7: Network Security Modern Computer Networks 90Buffer overflow• Put more data to the specified bufferCause buffer overflowPoint to the cracked file //execute the cracked filestack pointervoid called(){. . .char buffer[200];. . .}. . .. . .buffer (200 bytes)stack pointerPut more data to bufferthen cause buffer overflowand point to the crackedfile address. . .. . .buffer (200 bytes)Malicious Code• What’s Malicious Code?Computer programs are written specifically tocause mischief or, worse, cause damage toinfected computersTwo types of Malicious Code• Backdoor (i.e., Trojan Horses)• Virus. . . . . .return addresscracked file addressChapter 7: Network Security Modern Computer Networks 91Chapter 7: Network Security Modern Computer Networks 92

• Backdoor, i.e.,Trojan HorsesUnlike a virus, but Trojan horse does not replicateitself.Stay in the target system• Masquerade as a legitimate program• Inflict damage• Report information to the remote attacker• Allow remote attacker takes control of the target• Virus Self-replicating Destruct Type of virus• Marco virus• COM and EXE virus• Boot virus• Joke virus• Java Malicious Code• ActiveX Malicious Code• VBScript、JavaScript and HTML virus.Chapter 7: Network Security Modern Computer Networks 93Chapter 7: Network Security Modern Computer Networks 94Denial of ServiceExamples:• First Internet Virus “Internet Worm” by Robert T. Morris Jr., 1988.• Famous virus via email “I love you” , 2000.• Attack Microsoft IIS “Code Red”, 2001. “Nimda”, 2001.Virus list• http://www.wildlist.org/• What’s DoS?Not a intrusion attack, but deny services of targetsystemExhaust target resourcesStop providing servicesChapter 7: Network Security Modern Computer Networks 95Chapter 7: Network Security Modern Computer Networks 96

• How does DoS do?TCP SYN flood with IP spoofing attackICMP reply flood attackPing of DeathTeardrop attackUDP flood attackDDoS – Distributed DoS• Hierarchy of attacker, master, client, and targett• DDoS – Distributed ib t DoS Launch coordinated UDP flood DoS attacks frommany sources Hierarchy of attacker, master, client, and target• Attacker, the Intruder• A small number of servers, or masters• A large number of clients, or daemons• Target, the victimTwo of the tools have seen are known as• Trinoo (or trin00)• Tribe Flood Network (or TFN), and TFN2KChapter 7: Network Security Modern Computer Networks 97Chapter 7: Network Security Modern Computer Networks 98Scanningport 27665/TCPrequest: port 27444/UDPreply: py port 31335/UDPcommand1. UDP flood attackAgent2. TCP SYN flood attack3. ICMP echo request flood attackattack4. M attack5. Targa3 attackMastercommandAttackercommandAgentMasterattackTarget Target Target TargetChapter 7: Network Security Modern Computer Networks 99Agent• What’s scanning? Dawn of attacking Scanning services and security holes of the target only, butnot real attackingScanning types• Local scanningCOPSTIGER• Remote scanningSATAN (Security Administrator’s Tool for Analyzing Networks)SAINT (Security Administrator’s i t Integrated t Network Tool)FluxayChapter 7: Network Security Modern Computer Networks 100

Examples of attackingProtectionSecurity Hole Attack Typesendmail Failure to Handle DoSExceptional ConditionsWu-ftpd 2.6 Buffer overflow Remote exploitGroup Apache1312 1.3.12Design error Remote and localexploitsPiranha withRedhat 6.2Configuration error Remote exploitLinux “man”MaliciousAccess validation errorLocal exploit• Prevent (Encryption, Authentication) Refer to 7.2.1 and 7.2.2• Access control (firewall) Refer to 7.3• Detection (monitoring, scanning)• Audit (Auditing)Chapter 7: Network Security Modern Computer Networks 101Chapter 7: Network Security Modern Computer Networks 102DetectionAudit• Detection ti types Monitoring• Network-based monitorDetection of DoS attack• Host-based monitor Tools• Tripwire, http://www.tripwiresecurity.comtripwiresecurity com• RealSecure, http://www.iss.netScanning• Scanning for known patterns• Prevent virus and backdoorprogramsChapter 7: Network Security Modern Computer Networks 103• Recording system login and security related event Prevent intrusionTrace intrusion• Audit records operations Analyzing Maintenance Backup• Tools Stalker, http://www.haystack.com IDES/NIDES, http://www.sri.com Unix’s Syslog Watchdog, http://www.infstream.com/var/adm/sulog fileChapter 7: Network Security Modern Computer Networks 104

Open Source Implementation- SnortSnort Commands• Three modesSniffer• Read and decode network packetsPacket logger• Log packets to diskIntrusion detection system• Analyze traffic based on pre-defined rules• Perform actions based upon what it seesChapter 7: Network Security Modern Computer Networks 105• Command line : snort -[options] • Sniffer ./snort -v• Run snort and show IP andTCP/UDP/ICMP headers• Packet logger ./snort -dev -l ./log• Collect packets and places it in logdeirctory• Intrusion detection system./snort -dev -l ./log -h 192.168.1.0/24 -c snort.confChapter 7: Network Security Modern Computer Networks 106Snort RulesWriting Snort Rules• A powerful description languageSnort takes action based upon rule type Divide into two sections :• Rule header action, protocol source and destination IP address, port information• Rule optionAlert messageWhich part of packet should be inspected• Rule headeralert tcp any any - > 192.168.1.0/24 111action protocol Source addressand port number• Rule optiondestination addressand port number(content : “|00 01 86 a5|” ; msg : “mounted access” ;)inspective partalert messageChapter 7: Network Security Modern Computer Networks 107Chapter 7: Network Security Modern Computer Networks 108

Open Source Implementation- Snort(cont.)initial programvariableParse commandlineOpen Source Implementation- Snort(cont.)set packetprocessorIf not specifyconfig datainitial specifiedinterfaceIf usingrule systemsinitial allplugin modulesSet logdirectoryset safe UIDand GIDno rules,sniffing or loggingexitset defaultalert functionSpecify commandline alertOpen interface forreading packetsChapter 7: Network Security Modern Computer Networks 109assign eachinterface a threadChapter 7: Network Security Modern Computer Networks 110Attack vs. ProtectPitfalls and misleadingAtta ckMonitoringProtectionEncryption Authentication AccesscontrolpreventAudit Monitor ScanPasswordcrackSecurityprevent Decrease Record DetecttholesScanning Prevent Record DetectMaliciousCodeRecord Detect DetectDoS Decrease Record Detect• Private key vs. public key• Why RSA works?• Security of DES and Triple DES• SSL vs. SET• High-level firewall vs. low-level firewallSocialEngineeringChapter 7: Network Security Modern Computer Networks 111Chapter 7: Network Security Modern Computer Networks 112

Further readingsFurther readings• [1] Dorothy E. Denning, Peter J. Denning, "Internet Besieged", Addison Wesley, Oct1997• [2] SecurityFocus, "SecurityFocus.com", http://www.securityfocus.com• [3] Cryptographic Algorithms, "DES",http://www.ssh.fi/tech/crypto/algorithms.html#DES• [4] Cryptographic Algorithms, "IDEA",http://www.ssh.fi/tech/crypto/algorithms.html#IDEA• [5] Cryptographic Algorithms, "RSA",http://www.ssh.fi/tech/crypto/algorithms.html#RSA• [6] Cryptographic Algorithms, "Diffie-Hellman",http://www.ssh.fi/tech/crypto/algorithms.html#Diffie-Hellman• [7] MIT distribution site for PGP, "Welcome to the MIT Distribution Center for PGP(Pretty Good Privacy)", http://web.mit.edu/network/pgp.html• [8] The Secure Shell Community Site, "The Secure Shell Community Site",http://www.ssh.org• [9] R. Rivest, "The MD5 Message-Digest Algorithm", Apr 1992,http://sunsite.auc.dk/RFC/rfc/rfc1321.html• [10] S. Kent and R. Atkinson, “Security Architecture t for the Internet t Protocol,”IETF RFC 2401,November 1998• [11] B. Gleeson, A. Lin, J. Heinanen, G. Armitage and A. Malis, “ AFramework for IP Based Virtual Private Networks,” IETF RFC 2764,February 2000• [12] M. Curtin and M.J Ranum, ”Internet Firewalls: Frequently AskedQuestions,” http://www.interhack.net/pubs/fwfaq/Chapter 7: Network Security Modern Computer Networks 113Chapter 7: Network Security Modern Computer Networks 114Exercises• What’s the primary encryption function of each iteration ti of DES system?• Figure out the breaking time of key size 32, 56, 128, and 168 bits, if singledecryption time are 1 us and 10 -6 us, respectively.• In a public key system stem using RSA with public key is e=5, n=35. The trudyintercepts the ciphertext C=10. What’s the plaintext M?• The encryption scheme used for UNIX passwords is one way, it is notpossible to reverse it. Therefore, would it be accurate to say that this is, infact, a hash code rather than an encryption of the password?• What’s requirements of digital signature?• What’s the difference between network and application layer firewall?• What’s the differences between virtual lease line,virtual private routednetwork, virtual private dial network, and virtual private LAN segment?• How to achieve authentication and privacy simultaneously by usingauthentication header and encapsulation security payload in IPSec?• What’s the procedure of DDoS attack? What’s the attack procedure of“Nimda” virus in October 2001?Chapter 7: Network Security Modern Computer Networks 115