Infrastructure Security: The Emerging Smart Grid
Cyber Security Lecture 4: Network Vulnerabilities & Mitigations
Carl Hauser & Adam Hahn
Overview
- Network Attacks
  - DoS
  - Spoofing
- Mitigations
  - Cryptographic Protocols
  - Firewalls
  - Intrusion Detection
Definition
- DoS is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing unit (CPU), memory, bandwidth, and disk space
Techniques
- Malformed packet: a malformed packet that triggers some software vulnerability/weakness, causing a system crash
- Flooding
- Protocol-based
Flooding
- Goal: overload the capacity of the network/system
  - Network: consume resources (e.g., bandwidth)
  - System: exhaust the system's ability to process data
- Types
  - ICMP Flood
  - UDP Flood
  - HTTP Flood
Flooding - Continued
- TCP SYN Flood
  - How
  - Result
  - Defense
Malformed Packet
- Causes software or operating system to crash
- Usually the result of a software vulnerability/error
- Examples
  - Ping of Death
    - ICMP ping packet > 2^16 bytes violates protocols
    - Caused buffer overflow/crashing of older Windows/Unix systems
  - Teardrop
    - Targets incorrect reassembly of fragmented IP packets
    - Overlapping fragments caused the operating system to crash
Reflection
- How
- Why
- Example protocols:
  - TCP handshake
  - UDP (DNS, NTP, SNMP)
DDoS
- Distributed DoS
- Control
  - Centralized: a single attacker has control over a large number of systems (e.g., botnet)
    - Example: http://blog.cloudflare.com/65gbps-ddos-no-problem/
  - Distributed
    - http://bits.blogs.nytimes.com/2012/11/15/anonymous-attacks-israeli-web-sites/
Amplification
- Assuming a 60 byte request, 512 byte response
- ~7617 systems required for the DoS attack
IP Spoofing
- IP developed without authentication capabilities (1970s)
- Source address can be spoofed so the receiver thinks the sender was someone else
- Still seen frequently (usually with DoS attacks)
- Security Mechanisms:
  - Routers may filter packets with incorrect source IP addresses
  - IPsec provides authentication of IP packets
  - IPv6: default support for IPsec
ARP Spoofing
- Recall ARP (Address Resolution Protocol): know the IP address, but not the MAC (link address) of a system
- Security Mechanisms:
  - Static ARP tables on hosts/network switches
ARP Spoofing
Figure: Normal ARP vs. Spoofed ARP (Source, Destination with IP: 1.2.3.4 and MAC: 00:11:22:33:44:55, Attacker)
- Normal ARP
  - Source: ARP Req: who is 1.2.3.4
  - Destination: ARP Resp: 1.2.3.4 is 00:11:22:33:44:55
  - Source sends with Dst Mac = 00:11:22:33:44:55
- Spoofed ARP
  - Source: ARP Req: who is 1.2.3.4
  - Destination: ARP Resp: 1.2.3.4 is 00:11:22:33:44:55
  - Attacker: ARP Resp: 1.2.3.4 is 11:11:11:11:11:11
  - Source sends with Dst Mac = 11:11:11:11:11:11
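The figure's conflict (two replies claiming 1.2.3.4) is exactly what a host or switch can watch for. The following is an added example, not code from the lecture; the ARP reply trace and the static table entry are constructed to mirror the figure.

```python
# Added example (not from the lecture slides): detect ARP spoofing by spotting
# conflicting IP-to-MAC claims in observed ARP replies. The trace below is
# constructed to mirror the slide's figure; there is no real capture.

# Constructed trace of ARP replies: (timestamp, sender_ip, sender_mac)
ARP_REPLIES = [
    (1.0, "1.2.3.4", "00:11:22:33:44:55"),   # legitimate destination host
    (1.1, "1.2.3.5", "00:11:22:33:44:66"),   # another normal host
    (1.2, "1.2.3.4", "11:11:11:11:11:11"),   # attacker claims 1.2.3.4
    (5.0, "1.2.3.4", "00:11:22:33:44:55"),   # legitimate host answers again
]

# Static ARP table, the mitigation the slide names: a pinned entry turns any
# contradicting reply into an alert even before a dynamic conflict is seen.
STATIC_ARP = {"1.2.3.4": "00:11:22:33:44:55"}


def detect_arp_spoofing(replies, static_table=None):
    """Return alerts as (timestamp, ip, claimed_mac, expected_mac) tuples.

    Rule 1: a reply contradicts a static ARP table entry.
    Rule 2: a reply's MAC differs from the MAC first learned for that IP.
    """
    static_table = {ip: mac.lower() for ip, mac in (static_table or {}).items()}
    learned = {}   # dynamic cache: ip -> first MAC seen for it
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in static_table and static_table[ip] != mac:
            alerts.append((ts, ip, mac, static_table[ip]))
            continue
        expected = learned.setdefault(ip, mac)
        if expected != mac:
            alerts.append((ts, ip, mac, expected))
    return alerts


if __name__ == "__main__":
    for ts, ip, mac, expected in detect_arp_spoofing(ARP_REPLIES, STATIC_ARP):
        print("ALERT t=%.1f: %s claims %s, expected %s" % (ts, ip, mac, expected))
```

Without a static entry the detector still alerts on the attacker's reply, but only because the legitimate host happened to answer first; the static table removes that ordering dependency.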
Other Spoofing
- TCP: stateful connection
- http://www.cnet.com/news/how-pakistan-knocked-youtube-offline-and-how-to-make-sure-it-never-happens-again
- http://www.bgpmon.net/chinese-isp-hijacked-10-of-the-internet/
- http://www.bgpmon.net/turkey-hijacking-ip-addresses-for-popular-global-dns-providers/
- http://www.bgpmon.net/the-canadian-bitcoin-hijack/
DNS Spoofing
- Attackers could spoof a DNS response to get a user to visit a different system
- If MITM attack: simply manipulate the DNS response
- Attacker could guess future query IDs and inject spoofed DNS responses
- Examples
  - http://www.computerworld.com/article/2516831/security0/china-s-great-firewall-spreads-overseas.html
  - http://www.theguardian.com/world/2014/mar/21/turkey-blocks-twitter-prime-minister
Security Mechanisms
DNS Spoofing
Figure: DNS resolution path with numbered message steps. Participants: Local Network (user's HTTP client), Local Name Server, Internet, Root Name Server, .Com Name Server, RandomSite.com Name Server, attacker.com, and www.RandomSite.com in the RandomSite Network.
Security Protocols
- Necessary to communicate securely across an untrusted network
- Provide integrity, confidentiality, authenticity of communications
- Based on previously discussed cryptographic mechanisms
TCP/IP Stack / Security Protocols

Layer          Unsecure        Secure
Application    HTTP, DNS       HTTPS / DNSSEC
Transport      TCP/UDP         TLS (over TCP/UDP)
Internet       IP              IPsec
Network        Ethernet        802.1x
TLS
- Previously Secure Sockets Layer (SSL)
- Originally designed to support secure HTTP (HTTPS)
- Runs over TCP
  - Datagram TLS: TLS equivalent for UDP
- Currently used to secure many other protocols
- Provides:
  - Authentication/Integrity: uses MACs
  - Confidentiality: encryption of messages
TLS/SSL Versions
- Older
- TLS 1.1: fixes some issues with CBC mode, other fixes
- TLS 1.2: specifies SHA-2 (256, 512 bit) hash functions
Type: Handshake
- Stateful connection
- Handshake used to communicate/agree on various parameters
  - TLS/SSL versions
  - Ciphers
  - Certificates
  - Pre-master secret
  - Master secret
  - Session ID
TLS Handshake
- Client proposes: 1) version, 2) ciphers, 3) session ID, 4) random number
- Server specifies: 1) version, 2) cipher, 3) random number
- Server certificate
- Public key parameters
- Client certificate (optional)
- Premaster secret
TLS Ciphers
- A cipher (suite) contains the set of crypto algorithms necessary to perform the following functions:
  - Key exchange algorithm: e.g., RSA, Diffie-Hellman, ECDH
  - Data Integrity/Auth.: MAC algorithms, HMAC with (MD5, SHA1, SHA256)
IPsec
- Commonly used to build secure VPNs
- Security Associations
- Benefits
  - Provide confidentiality, integrity, authentication of all IP packets (routable traffic)
  - Transparent to users
Security Associations
- One-way relationship between sender and receiver about security protocol parameters
  - Algorithms and keys used to protect the communication
  - Need two SAs for two-way communication
- Includes
  - Security Parameter Index (SPI): identifier for the SA
  - IP destination address: destination endpoint of the SA
  - Crypto algorithms/keys
Figure: IPsec (Tunnel) between Trusted Network A and Trusted Network B; IPsec (Transport) and an Unsecure Connection to External Hosts.
TLS vs IPsec
- Connection Establishment
  - IPsec: pre-established Security Associations to agree on ciphers, etc.
  - Additional overhead
- Trust Establishment
  - IPsec: pre-established during SA
  - TLS: based on a trusted certificate authority, pre-shared certificates
IEC 62351
- Data and communications security standard for power systems
- Provides standard for:
  - IEC 62351-9: Key management
    - X.509 certificates for devices
    - Group Domain of Interpretation (GDOI): symmetric key management based on a trusted key server
Firewalls
- Why?
  - Separate more critical/less critical networks
  - Restrict Internet traffic to systems
Firewall Types
Figure: TCP/IP Stack. Application: HTTP, DNP, DNS. Transport: TCP, UDP. Internet: IP, ICMP. Network/Link.
Firewall Types
- Packet Filtering
- Stateful inspection
- Application-Layer proxy
Packet Filtering
Figure: TCP/IP Stack (Application: HTTP, DNP, DNS; Transport; Internet: IP, ICMP; Network/Link) with the fields a packet filter acts on:
- Source/Destination IP
- Source/Destination Port
- Protocol (e.g., TCP/UDP)
- Action: Accept/Deny
Dir    Src Addr   Src Port   Dst Addr   Dst Port   Protocol   Conn State         Action
In     External   ----       1.2.3.4    20000      TCP        New, Established   Permit
Out    1.2.3.4    20000      External   ----       TCP        Established        Permit
Both   Any        Any        Any        Any        Any        New, Established   Deny
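The rule table above can be executed directly. The following is an added example (not code from the lecture) that applies the three rules, in order, to a constructed packet trace; the only assumption beyond the table is that 1.2.3.4 is the host on the protected side, so "External" means any other address.

```python
# Added example (not from the lecture slides): evaluate the slide's stateful
# packet-filter rules against a constructed packet trace. First matching rule
# wins; the final "Both/Any" rule denies everything else.

# Rules from the slide's table: (dir, src, sport, dst, dport, proto, states, action)
RULES = [
    ("In",   "External", None,  "1.2.3.4",  20000, "TCP", {"New", "Established"}, "Permit"),
    ("Out",  "1.2.3.4",  20000, "External", None,  "TCP", {"Established"},        "Permit"),
    ("Both", "Any",      None,  "Any",      None,  None,  {"New", "Established"}, "Deny"),
]
INTERNAL = {"1.2.3.4"}  # assumption: hosts on the protected side of the firewall


def _addr_match(rule_addr, addr):
    if rule_addr == "Any":
        return True
    if rule_addr == "External":
        return addr not in INTERNAL
    return rule_addr == addr


def evaluate(rule_table, packets):
    """Decide each (dir, src, sport, dst, dport, proto) packet: Permit or Deny.
    Simplified state model: a flow is "New" until one of its packets is
    permitted, after which its packets are "Established"."""
    established = set()
    decisions = []
    for direction, src, sport, dst, dport, proto in packets:
        flow = (proto, frozenset([(src, sport), (dst, dport)]))
        state = "Established" if flow in established else "New"
        action = "Deny"  # implicit default if no rule matches
        for r_dir, r_src, r_sport, r_dst, r_dport, r_proto, r_states, r_action in rule_table:
            if (r_dir in ("Both", direction)
                    and _addr_match(r_src, src) and _addr_match(r_dst, dst)
                    and r_sport in (None, sport) and r_dport in (None, dport)
                    and r_proto in (None, proto) and state in r_states):
                action = r_action
                break
        if action == "Permit":
            established.add(flow)
        decisions.append(action)
    return decisions


# Constructed trace: a DNP (TCP/20000) session opened from outside, followed
# by three packets the rule set must reject.
PACKETS = [
    ("In",  "10.9.8.7", 40001, "1.2.3.4",  20000, "TCP"),  # new inbound DNP: Permit
    ("Out", "1.2.3.4",  20000, "10.9.8.7", 40001, "TCP"),  # reply on that flow: Permit
    ("Out", "1.2.3.4",  20000, "10.9.8.8", 40002, "TCP"),  # outbound with no inbound first: Deny
    ("In",  "10.9.8.7", 40003, "1.2.3.4",  22,    "TCP"),  # wrong destination port: Deny
    ("In",  "10.9.8.7", 40004, "1.2.3.4",  20000, "UDP"),  # wrong protocol: Deny
]
```

The third packet shows why the "Out" rule carries the Established state: a connection the protected host tries to open by itself never matches a Permit rule and falls through to the final Deny.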
Application Firewall
Figure: TCP/IP Stack. Application: HTTP, DNP, DNS. Transport: TCP, UDP. Internet: IP, ICMP. Network/Link.
Intrusion Detection
- Components
- IDS Categories
- Sensor Types
- Analysis Types
Anomaly-based Detection
- Overview:
- Approaches
- Strength
- Weakness

Figure: detection outcomes
                    Attack Present: Yes   Attack Present: No
Alert: Yes          True Positive         False Positive
Alert: No           False Negative        True Negative

Figure: ROC curve, x-axis False Positive (0.0 to 1.0), y-axis True Positive (0.0 to 1.0); the region below the curve is labelled False negatives.
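The outcome table and the ROC curve come from one mechanism: an anomaly score compared against a threshold. The following is an added example (not code from the lecture) that counts the four outcomes at a threshold and sweeps the threshold to produce the ROC points; the scored events are constructed.

```python
# Added example (not from the lecture slides): the slide's outcome table and
# ROC curve as code. An anomaly detector scores each event; a threshold turns
# the score into an alert, and sweeping the threshold traces the ROC curve.
# The events are constructed, not real sensor data.

# Constructed events: (anomaly_score, attack_present)
EVENTS = [
    (0.95, True), (0.80, True), (0.70, False), (0.65, True),
    (0.40, False), (0.35, True), (0.20, False), (0.10, False),
]


def confusion(events, threshold):
    """Count (tp, fp, fn, tn) when the detector alerts on score >= threshold."""
    tp = fp = fn = tn = 0
    for score, attack in events:
        alert = score >= threshold
        if alert and attack:
            tp += 1          # true positive: attack present, alert raised
        elif alert:
            fp += 1          # false positive: no attack, alert raised
        elif attack:
            fn += 1          # false negative: attack present, no alert
        else:
            tn += 1          # true negative: no attack, no alert
    return tp, fp, fn, tn


def rates(events, threshold):
    """(true-positive rate, false-positive rate) at one threshold."""
    tp, fp, fn, tn = confusion(events, threshold)
    tpr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return tpr, fpr


def roc_points(events):
    """ROC curve as (fpr, tpr) points, strictest threshold first.
    Lowering the threshold raises both rates: fewer false negatives,
    more false positives, which is the trade-off the slide's curve shows."""
    thresholds = sorted({score for score, _ in events}, reverse=True)
    points = [(0.0, 0.0)]
    for t in thresholds:
        tpr, fpr = rates(events, t)
        points.append((fpr, tpr))
    return points
```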
Signature-based Detection
- Overview:
- Strength
- Weakness
- Example: Snort IDS
Snort IDS
- Open-source signature-based IDS
- Modes
- Architecture
  - Decoder
  - Detection Engine
  - Logger/Alerter
Snort Rules
- Action: what to do when you identify a packet
- Options