Defending Against Attack – part 1

Dr Diane Gan
Overview
 What is network security?
 Passwords
 Firewalls
 IDSs
What is network security?
Confidentiality: protect data content/access
• only sender and intended receiver should “understand”
message contents
 sender encrypts message
 receiver decrypts message
Authentication: sender and receiver want to confirm identity of
each other
Message integrity: sender and receiver want to ensure message
not altered (in transit, or afterwards) without detection
Access and availability: services must be accessible and available
to users
First line of defence - Passwords
 Weakest link
 front line defence against intruders
ID provides security in the following ways:-
 determines if a user is authorised
 determines the user’s privileges
 discretionary access control e.g. a user may grant
permission to read their files
Two main threats
 Attacker gains access – brute force attack
 Worse - grab the password file
Rank  Password     Password 2016
1     123456       123456
2     123456789    password
3     qwerty       12345678
4     12345678     qwerty
5     111111       12345
6     1234567890   123456789
7     1234567      football
8     password     1234
9     123123       1234567
10    987654321    baseball
11    qwertyuiop   welcome
22    1q2w3e4r5t

Morris worm gained entry via weak passwords
Default passwords can be found on Shodan

https://www.youtube.com/watch?v=opRMrEfAIiI
Hacked French network exposed its own passwords during TV interview

• TV5Monde's hacking also hinged on a bad-password issue


• the network's highest-level password was "azerty12345,"
• French-keyboard equivalent of "qwerty12345"
 Hack coordinated by Jason Hart, senior vice president in
Europe for two-factor authentication provider
CRYPTOCard
 He set up his own wireless hotspot called BT Openzone
 As delegates used it, he was able to get their usernames
and passwords during access to web applications
 Got over 350 usernames and passwords in one hour - in a
public Wi-Fi area
 Used Cain & Abel - free password recovery tool
 Breaks the myth that using complex passwords protects
users from hackers
How to encrypt user passwords
 Encrypt passwords using one-way techniques – digest
 digest algorithms (also cryptographic hash functions)
are public
 Need to make it difficult for a hacker to brute force pwds
 Use salt – fixed or variable
 Fixed salt– same for everyone – need to keep this hidden
 Variable salt – creates stronger stored pwd but you need to
store this
 Iteration count – number of times that you apply this to
itself
 minimum recommended number of iterations is 1,000
[Figure: salted, iterated hashing. The salt (at least 8 random bytes) is combined with the password and fed into the hash function; the hash function is applied n times (iteration count n); the output is the stored hash result.]
 Apply BASE64 encoding and store the digest
 Could also use hexadecimal strings
 Store the hash + salt
Value of the salt
 Identical passwords will have different hashes
 Hides small passwords – all are the same length
 A large salt value prevents precomputation attacks, including rainbow tables
 older Unix passwords used a 12-bit salt
 SHA2-crypt and bcrypt methods – salt = 128 bits
 used in Linux, BSD Unixes and Solaris
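The scheme described in the two slides above (one-way digest, variable salt of at least 8 random bytes, an iteration count, BASE64 encoding, hash and salt stored together) as an added worked example; this is not code from the slides. It uses PBKDF2-HMAC-SHA256 from the Python standard library as the iterated digest, and the salt size (16 bytes) and iteration count (100,000) are assumptions of this example, not values the slides prescribe. The unsalted function is included only to show what the salt fixes: identical passwords collapse to identical stored values.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Parameters assumed for this added example (not prescribed by the slides):
SALT_BYTES = 16       # 128-bit variable salt, as in SHA2-crypt/bcrypt; the slides' minimum is 8 random bytes
ITERATIONS = 100_000  # iteration count; the slides give 1,000 as the minimum, current guidance is far higher


def unsalted_sha256(password: str) -> str:
    """The weak scheme: a bare digest. Two users with the same password get the same stored value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Salted, iterated digest (PBKDF2-HMAC-SHA256) stored as 'iterations$base64(salt)$base64(digest)'.

    The salt and iteration count are stored next to the digest: a variable salt
    does not have to be secret, it only has to be unique per stored password.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count; compare in constant time."""
    iterations, salt_b64, digest_b64 = record.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def stored_digest_length(record: str) -> int:
    """Length in bytes of the stored digest: the same whatever the password length."""
    return len(base64.b64decode(record.split("$")[2]))


if __name__ == "__main__":
    # Two users with the same password: identical unsalted digests, different salted records
    alice, bob = hash_password("123456"), hash_password("123456")
    print(unsalted_sha256("123456") == unsalted_sha256("123456"))   # True
    print(alice == bob)                                              # False
    print(verify_password("123456", alice), verify_password("password", alice))  # True False
```

Because the iteration count is stored in the record, it can be raised for new passwords as hardware gets faster while old records still verify.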
 80% of breaches used privileged credentials
How to crack a password
Dictionary attack
 Uses a list of common passwords
 10% to 20% of a password file can be cracked
 75% of online adults use words found in online lists

Brute Force Attack
 Hackers hope you have used a 5 or 6 character password (not on
the above list)
 Will only take a few hours
 Or use the Rainbow tables – precomputed hashes
To crack passwords try the following steps:-
1. User’s name, initials, account name or any other
personal data
2. Words from various dictionaries
3. Various permutations from step 2, including
making the first letter uppercase or the entire word
4. Reversing the word from step 2
5. Various capitalisation permutations not included in
step 3
• gives approx. 3 million words
 3% of users have passwords of 3 chars. or less
 2 chars gives 676 combinations!

 8 chars gives 208 million combinations

 words found in a dictionary – easily cracked
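A defender's use of the five cracking steps above: a password-policy check that rejects exactly what those steps would recover (personal data, dictionary words, case permutations, reversed words) plus the short passwords the following bullets describe. This is an added example, not code from the slides; the word list, the 13-character minimum (taken from the "impractical to break" figure later in the deck) and the 8-letter cap on full capitalisation enumeration are assumptions of the example.

```python
import itertools

# Constructed sample word list and policy limits for this added example (not from the slides)
COMMON_WORDS = {"password", "qwerty", "welcome", "football", "baseball", "letmein"}
MIN_LENGTH = 13          # the slides: a 13-character mixed password is impractical to break today
MAX_ENUMERATED = 8       # full capitalisation enumeration is 2^n variants; cap it for long words


def attack_variants(word: str) -> set:
    """Every form of one dictionary word that steps 2-5 of the slide's procedure would try."""
    forms = {word.lower(), word.capitalize(), word.upper()}           # step 3
    if len(word) <= MAX_ENUMERATED:                                  # step 5: all other capitalisations
        for mask in itertools.product((False, True), repeat=len(word)):
            forms.add("".join(c.upper() if up else c.lower() for c, up in zip(word, mask)))
    forms |= {f[::-1] for f in forms}                                 # step 4: reversed
    return forms


def strip_trailing_digits(s: str) -> str:
    """'Password1' -> 'Password': appended digits do not defeat a dictionary attack."""
    return s.rstrip("0123456789")


def weaknesses(password: str, personal_data, words=COMMON_WORDS) -> list:
    """Return the reasons a password would fall to the slide's cracking steps; empty list = passes."""
    reasons = []
    lowered = password.lower()
    for item in personal_data:                                       # step 1: name, initials, account name
        if len(item) >= 2 and item.lower() in lowered:
            reasons.append(f"contains personal data '{item}'")
    core = strip_trailing_digits(password)
    for word in words:                                               # steps 2-5
        if core in attack_variants(word):
            reasons.append(f"is a dictionary word ('{word}') or a simple permutation of it")
            break
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(any(f(c) for c in password) for f in (str.islower, str.isupper, str.isdigit))
    if any(not c.isalnum() for c in password):
        classes += 1
    if classes < 3:
        reasons.append("uses fewer than three character classes (upper, lower, digits, punctuation)")
    return reasons


if __name__ == "__main__":
    for candidate in ("drowssaP", "Diane2016", "Correct-Horse-Battery-Stap1e"):
        print(candidate, "->", weaknesses(candidate, ["Diane", "Gan"]) or "OK")
```

The check mirrors the attacker's ordering on purpose: the cheapest guesses (personal data, then plain dictionary words) are rejected first, and the variant set is generated rather than hand-listed so that a reversed, capitalised dictionary word is caught as readily as the plain one.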


 wiretapping - telnet session
 keystroke logging (BO, devices, etc)

 Users find it hard to remember 13-digit passwords


 5 years ago, an 8-digit password was considered strong
 5 years from now, 18 digits may not be strong enough
How fast can we crack these?
 computers are getting faster and cracking algorithms are
getting better
 a list of 16,000 encrypted passcodes were given to a news
editor
 he was challenged to crack as many as possible
 he cracked nearly half of them in a few hours
 Then given to skilled hackers
 one cracked 90% of the codes in about 20 hours
 13-digit password that mixes alphanumeric characters and
punctuation systems is considered impractical to break
with today’s technology.
https://www.youtube.com/watch?v=O5aR-hUIY6A
If passwords are so bad, let's get rid of them! But what is the alternative?
Why not use biometrics?
 Your biometric data is already out there
 Types – finger print, iris scan, selfie, voice recognition,
your DNA
 Stored as a binary file

 What if it is stolen!
 Your password can be easily changed
 Apple's Touch ID system was found vulnerable within one
day
 Hackers photographed a print and broke in with it
Second line of defence - Firewalls
 system or group of systems that enforces an access
control policy between two networks

 two mechanisms:
 one that blocks traffic
 one which permits traffic

 monitors and controls traffic into and out of secure networks
 normally located at the gateway to a network
Firewalls: Why do we need one?
prevent denial of service attacks:
• SYN flooding: attacker establishes many bogus TCP
connections, no resources left for “real” connections
prevent illegal modification/access of internal data.
• e.g., attacker replaces homepage with something else
allow only authorized access to inside network (set of
authenticated users/hosts)

three types of firewalls:


• stateless packet filters
• stateful packet filters (deep packet inspection)
• application (proxy) gateways
[Figure: Internet -> Router/firewall -> demilitarised zone (DMZ) containing the gateway, Web server, Mail server and Public FTP server, passing only safe traffic -> Router/firewall -> Internal network]
Firewalls have the following design goals:-
1. All traffic from inside to outside must pass through the firewall
2. and vice versa
3. Only authorised traffic will be allowed to pass (defined by the local security policy)
4. The firewall itself is immune to penetration
Provides access control and enforcement of a site’s security policy
Four general techniques :-
 Service control - services that can be accessed
inbound or outbound
 Direction control
 User control - typically applied to users behind a
firewall
 Behaviour control - how services are used – e.g.
filter emails
[Figure: firewall types by layer. Application layer: proxy firewall. Transport layer and Network layer: packet filtering firewall.]
Application-Level Firewall

 examines the client application and the server application it is connecting to
 allows access to only specified applications
 client application – e.g. Web browser
 server application
 creates two connections – one on each side
 enables individual user authentication
Application-Level Firewall
[Figure: an application-level firewall with a proxy for HTTP; each protocol has its own proxy, governed by the policy rules.]
 added benefit – very difficult to “hide” traffic within other services e.g. Back Orifice configured to use port 80
 susceptible to flooding attacks – once established
Packet Filtering Firewalls
 Policy rules are enforced through the use of packet
inspection filters
 filters examine the packet headers
 filtering based on:-
 Source addresses - easily forged - limited benefit
 Destination addresses
 Protocol - use TCP port numbers to filter packets, e.g. allow
FTP but block Telnet
 Connection - network layer filtering [stateful inspection]
Stateless packet filtering
[Figure: a router firewall between the internal network and the Internet, deciding for each arriving packet whether it should be allowed in and for each departing packet whether it should be let out.]
 internal network connected to Internet via router firewall
 router filters packet-by-packet, decision to forward/drop packet based on:
 source IP address, destination IP address
 TCP/UDP source and destination port numbers
 ICMP message type
 TCP SYN and ACK bits
Stateless packet filtering: example
example 1:
block incoming and outgoing datagrams with IP protocol
field = 17 and with either source or dest port = 23
 all incoming, outgoing UDP flows and telnet
connections are blocked
example 2:
Block inbound TCP segments with ACK=0
 prevents external clients from making TCP connections
with internal clients, but allows internal clients to
connect to outside.
IP protocol field = 17 is UDP; source or destination port = 23 is Telnet
Stateless packet filtering: more examples

Policy                                              Firewall Setting
No outside Web access.                              Drop all outgoing packets to any IP address going to port 80
No incoming TCP connections, except those for the   Drop all incoming TCP SYN packets to any IP except
institution’s public Web server only.               130.207.244.203 and port 80
Prevent Web-radios from eating up the available     Drop all incoming UDP packets - except DNS and router
bandwidth.                                          broadcasts.
Prevent your network from being used for a Smurf    Drop all ICMP packets going to a “broadcast” address
DoS attack.                                         (eg 130.207.255.255).
Prevent your network from being tracerouted         Drop all outgoing ICMP TTL expired traffic
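The two worked examples and the policy table above, turned into a runnable first-match packet filter; this is an added example, not code from the slides. Each packet is judged on its header alone, which is what "stateless" means here. The IP addresses come from the slide's table; the protocol numbers (TCP 6, UDP 17, ICMP 1) and ICMP type 11 for "TTL expired" are standard values. The "router broadcasts" exception from the Web-radio row is left out because the slide does not say how it is identified; the rule has a comment to that effect.

```python
TCP, UDP, ICMP = 6, 17, 1        # IP protocol field values
ICMP_TTL_EXPIRED = 11            # ICMP type 11 "time exceeded", the reply traceroute relies on
WEB_SERVER = "130.207.244.203"   # the institution's public Web server in the slide's table
BROADCAST = "130.207.255.255"    # the "broadcast" address in the slide's table


def packet(direction, proto, src_ip, dst_ip, sport=None, dport=None, flags=(), icmp_type=None):
    """A packet header reduced to the fields a stateless filter inspects. direction: 'in' or 'out'."""
    return {"direction": direction, "proto": proto, "src_ip": src_ip, "dst_ip": dst_ip,
            "sport": sport, "dport": dport, "flags": frozenset(flags), "icmp_type": icmp_type}


def rule(action, **conds):
    return (action, conds)


def matches(conds, pkt):
    """Every condition must hold; a callable condition is a predicate on the field's value."""
    for field, want in conds.items():
        have = pkt[field]
        if callable(want):
            if not want(have):
                return False
        elif have != want:
            return False
    return True


def filter_packet(policy, pkt, default="allow"):
    """First matching rule decides; no memory of earlier packets is consulted."""
    for action, conds in policy:
        if matches(conds, pkt):
            return action
    return default


# The slide's "example 1" and "example 2"
EXAMPLE_POLICY = [
    rule("drop", proto=UDP),                                                  # IP protocol field = 17
    rule("drop", sport=23),                                                   # telnet, either direction
    rule("drop", dport=23),
    rule("drop", direction="in", proto=TCP, flags=lambda f: "ACK" not in f),  # inbound ACK=0: no external-initiated connections
]

# The slide's policy table
TABLE_POLICY = [
    rule("drop", direction="out", proto=TCP, dport=80),                        # no outside Web access
    rule("allow", direction="in", proto=TCP, dst_ip=WEB_SERVER, dport=80),     # public Web server exception
    rule("drop", direction="in", proto=TCP,
         flags=lambda f: "SYN" in f and "ACK" not in f),                       # no other incoming connections
    rule("allow", direction="in", proto=UDP, sport=53),                        # DNS replies
    rule("drop", direction="in", proto=UDP),                                   # Web radios (router-broadcast exception omitted)
    rule("drop", proto=ICMP, dst_ip=BROADCAST),                                # Smurf amplification
    rule("drop", direction="out", proto=ICMP, icmp_type=ICMP_TTL_EXPIRED),     # no traceroute replies
]


if __name__ == "__main__":
    probe = packet("in", TCP, "8.8.8.8", "130.207.1.1", 4444, 22, {"SYN"})
    print(filter_packet(TABLE_POLICY, probe))   # drop
    reply = packet("in", TCP, "8.8.8.8", "130.207.1.1", 80, 5000, {"SYN", "ACK"})
    print(filter_packet(TABLE_POLICY, reply))   # allow
```

Rule order matters: the Web-server exception sits before the blanket inbound-SYN drop, and the DNS exception before the inbound-UDP drop, exactly as the "except" clauses in the table require.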
Stateful packet filtering
 stateless packet filter: heavy handed tool
 Allows packets that “make no sense,” e.g., dest port = 80, ACK bit set, even though no TCP connection established:

action  source address        destination address  protocol  source port  dest port  flag bit
allow   outside of 222.22/16  222.22/16            TCP       80           > 1023     ACK
 stateful packet filter: tracks status of every TCP connection
 track connection setup (SYN), teardown (FIN): can determine
whether incoming, outgoing packets “makes sense”
 timeout inactive connections at firewall: no longer admit packets
Stateful Packet Inspection
[Figure: the client sends a TCP connection request (SYN) to the web server on port 80; the stateful inspection firewall records it and then admits the server’s SYN ACK and the client’s ACK because they belong to the tracked connection; anything else is rejected (shown as RST) according to the policy rules.]
 Use with any protocol that runs over IP
 generally packet filtering firewalls can handle more
traffic
 do not have the overhead of setting up extra
connections

Problem
 if an attack is launched against a server on an open
service that is allowed by the firewall policy rule, then
the firewall will permit it
 internal addresses are not hidden
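The contrast drawn in the slides above, as an added example that is not code from the slides: the stateless rule row (allow TCP from outside 222.22/16 to 222.22/16, source port 80, destination port > 1023, ACK set) admits a bogus ACK for a connection that was never opened, while a connection-tracking filter drops it, admits the same packet once an internal client has completed the SYN / SYN ACK exchange, and stops admitting it after the connection is torn down or idle past a timeout. The 222.22/16 prefix is the slide's; the 300-second idle timeout and the simplified teardown (first FIN or RST removes the entry) are assumptions of this example.

```python
import ipaddress

INTERNAL_NET = ipaddress.ip_network("222.22.0.0/16")   # the internal prefix from the slide's rule row
IDLE_TIMEOUT = 300                                     # seconds; an assumption of this example


def tcp(direction, src_ip, sport, dst_ip, dport, flags):
    """A TCP segment header reduced to what the filter needs. direction: 'in' or 'out'."""
    return {"direction": direction, "src_ip": src_ip, "sport": sport,
            "dst_ip": dst_ip, "dport": dport, "flags": frozenset(flags)}


def stateless_allows(pkt):
    """The slide's single stateless rule, applied with no knowledge of any connection."""
    src, dst = ipaddress.ip_address(pkt["src_ip"]), ipaddress.ip_address(pkt["dst_ip"])
    return (pkt["direction"] == "in" and src not in INTERNAL_NET and dst in INTERNAL_NET
            and pkt["sport"] == 80 and pkt["dport"] > 1023 and "ACK" in pkt["flags"])


class StatefulFilter:
    """Tracks every TCP connection opened from inside; admits only packets that fit one."""

    def __init__(self, timeout=IDLE_TIMEOUT):
        # (internal ip, internal port, external ip, external port) -> {"state", "last_seen"}
        self.connections = {}
        self.timeout = timeout

    @staticmethod
    def _key(pkt):
        # Both directions of one connection map to the same key
        if pkt["direction"] == "out":
            return (pkt["src_ip"], pkt["sport"], pkt["dst_ip"], pkt["dport"])
        return (pkt["dst_ip"], pkt["dport"], pkt["src_ip"], pkt["sport"])

    def _expire(self, now):
        stale = [k for k, c in self.connections.items() if now - c["last_seen"] > self.timeout]
        for k in stale:
            del self.connections[k]          # timeout: no longer admit packets for this connection

    def active_connections(self):
        return len(self.connections)

    def process(self, pkt, now):
        """Return 'allow' or 'drop' for one segment seen at time `now` (seconds)."""
        self._expire(now)
        flags, key = pkt["flags"], self._key(pkt)
        conn = self.connections.get(key)
        if conn is None:
            if pkt["direction"] == "out" and flags == {"SYN"}:
                self.connections[key] = {"state": "SYN_SENT", "last_seen": now}   # setup by an internal client
                return "allow"
            return "drop"    # inbound SYN from outside, or a packet that belongs to no known connection
        if conn["state"] == "SYN_SENT" and pkt["direction"] == "in" and flags == {"SYN", "ACK"}:
            conn["state"] = "ESTABLISHED"
        if "FIN" in flags or "RST" in flags:
            del self.connections[key]        # teardown (simplified)
            return "allow"
        conn["last_seen"] = now
        return "allow"


if __name__ == "__main__":
    bogus = tcp("in", "8.8.8.8", 80, "222.22.1.1", 40000, {"ACK"})
    print(stateless_allows(bogus))                 # True: the stateless row admits it
    print(StatefulFilter().process(bogus, 0))      # drop: no connection was ever set up
```

The connection table is the whole difference: the stateless rule has to admit every inbound ACK from port 80 so that real replies get through, whereas the stateful filter admits an ACK only after it has seen the matching outbound SYN.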
Packet filtering firewalls
Usually hardware based
Advantages
 simple – fast – transparent to users
Weaknesses
 limited information avail to the firewall when logging
 does not support user authentication
 generally vulnerable to attacks that exploit problems within
TCP/IP protocol stack
Common attacks
 IP spoofing, source routing attacks, tiny fragment attacks
A Bastion host - a critical strong point

Firewall Configurations
 Simple configuration – single firewall
Three common firewall configurations:-
 screened host firewall, single homed bastion;
 screened host firewall, dual-homed bastion;
 screened subnet firewall
Single firewall DMZ
[Figure: a single three-pronged firewall with one interface to the Internet, one to the DMZ (mail server, Web server, FTP server) and one to the internal servers.]
Screened host firewall, single-homed bastion
[Figure: Internet -> packet-filtering router -> bastion host (proxy functions) and Web server on the same network; combines packet-level and application-level filtering.]
Screened host firewall, dual-homed bastion
[Figure: Internet -> packet-filtering router -> dual-homed bastion host (proxy functions) -> information server on the internal side; combines packet-level and application-level filtering.]
Screened subnet firewall
creates an isolated subnetwork
[Figure: Internet -> outside router -> screened subnet (DMZ) holding the bastion host and the information server -> inside router -> private network.]
Three levels of defence
1. outside router advertises only the screened subnet to the Internet
2. internal network is not visible from the Internet
3. hosts in the private network cannot construct direct routes to the Internet
 Firewalls are a powerful tool for network security
 A well designed, configured and maintained firewall is
nearly impenetrable
 but skilled hackers will work around it
 exploit trust relationships
 weakest link security vulnerabilities
 go through the VPN or dial-up account
 need to know the first few steps an attacker will perform to bypass your firewall
Limitations of firewalls
 IP spoofing: router can’t know if data “really” comes from
claimed source
 Poorly trained administrators
 New services and protocols
 Lack of patching
 Never checking the logs
 tradeoff: degree of communication with outside world vs level of security
 many highly protected sites still suffer from attacks.
 There are things Firewalls cannot do:-
 protect against attacks that bypass the firewall
 disgruntled employees
 insider threat
 transfer of a virus-infected program
 social engineering attacks
 Code Red, Nimda worm and Storm penetrated firewalls
 port scanning, probing and banner-grabbing
 determine the type, version and rules of almost any
firewall
 Some firewalls advertise themselves by using fixed ports
 simple port scans reveal them
Information gathering tools
 traceroute
 ping
 nslookup
 Zenmap (nmap for windows)
 Kali
 Identifying Firewalls - nmap
 constructs packets with TTL which expire one hop past the firewall
 allowed to pass – expires as expected (msg)
 blocked – no response or ICMP type 13 Admin Prohibited
Third line of defence –
Intrusion Detection/Prevention Systems
 designed to warn if you are under attack
 real-time capture and analysis technologies are used
 Examines network traffic to detect vulnerabilities
 has to differentiate between an authorised entry and a
malicious intrusion
 Example - a firewall will not block TCP connections to
port 80 (HTTP)
 complements rule-based protection mechanisms
 IDS is a passive system
Intrusion Prevention System
 Sends an alarm
 Drop suspect packets
 Block traffic using the source address
 Reset the connection involved
Detection
 statistical anomaly-based detection
 Uses a baseline of normal behaviour
 signature-based detection
 Maintain a dictionary of signatures
 Identifies individual exploits (exploit-facing)
 Broader signature relating to an underlying vulnerability –
detects variants of an exploit (vulnerability-facing)
                         No condition to warrant an alarm   Present condition should be alarmed
Alert was generated      False Positive                     True Positive
Alert was not generated  True Negative                      False Negative
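The detection section above (exploit-facing versus vulnerability-facing signatures, a statistical baseline, and the four alert outcomes in the table) as one added, runnable example; this is not code from the slides. The log lines, their ground-truth labels, the baseline request counts and the three signature sets are all constructed for the example. The "naive" signature set is included only to produce a false positive, so that every cell of the table above is exercised.

```python
import re
import statistics
from collections import Counter

# Constructed web-server log: (source IP, request line, malicious?) -- not from the slides
SAMPLE_LOG = [
    ("10.0.0.5",     "GET /index.html HTTP/1.1", False),
    ("10.0.0.9",     "GET /search?q=firewalls HTTP/1.1", False),
    ("198.51.100.7", "GET /cgi-bin/../../../../etc/passwd HTTP/1.1", True),
    ("198.51.100.7", "GET /cgi-bin/..%2f..%2f..%2fetc/passwd HTTP/1.1", True),
    ("203.0.113.4",  "GET /login?user=admin%27%20OR%201%3D1-- HTTP/1.1", True),
    ("10.0.0.12",    "GET /docs/passwd-policy.html HTTP/1.1", False),   # benign, mentions 'passwd'
]

SIGNATURES = {
    # exploit-facing: one exact exploit string; encoded variants slip past it
    "exploit_facing": [re.compile(r"/cgi-bin/\.\./\.\./\.\./\.\./etc/passwd")],
    # vulnerability-facing: the underlying weakness, so variants of the exploit are caught too
    "vulnerability_facing": [
        re.compile(r"(\.\./|\.\.%2f)", re.I),                         # directory traversal, any encoding
        re.compile(r"(%27|')(%20|\s)*or(%20|\s)+1(%3d|=)1", re.I),    # SQL tautology ' OR 1=1
    ],
    # over-broad: fires on any request mentioning 'passwd', documentation included
    "naive": [re.compile(r"passwd")],
}


def signature_alert(request, rules):
    return any(r.search(request) for r in rules)


def confusion_matrix(rule_name, log=SAMPLE_LOG):
    """Count the four outcomes of the slide's table for one signature set."""
    c = Counter()
    for _, request, malicious in log:
        c[(signature_alert(request, SIGNATURES[rule_name]), malicious)] += 1
    return {"TP": c[(True, True)], "FP": c[(True, False)],
            "FN": c[(False, True)], "TN": c[(False, False)]}


# Statistical anomaly detection: a baseline of requests per source from a quiet period (constructed)
BASELINE_WINDOW = {"10.0.0.5": 10, "10.0.0.9": 12, "10.0.0.12": 11, "10.0.0.3": 9}


def anomaly_alerts(log, baseline=BASELINE_WINDOW, k=2.0):
    """Sources whose request count in `log` exceeds the baseline mean by more than k standard deviations."""
    mean, sd = statistics.mean(baseline.values()), statistics.stdev(baseline.values())
    threshold = mean + k * sd
    counts = Counter(src for src, _, _ in log)
    return sorted(src for src, n in counts.items() if n > threshold)


if __name__ == "__main__":
    for name in SIGNATURES:
        print(name, confusion_matrix(name))
    burst = SAMPLE_LOG + [("198.51.100.7", "GET /x HTTP/1.1", True)] * 30
    print(anomaly_alerts(burst))   # ['198.51.100.7']
```

Run over the sample log, the exploit-facing set misses two of the three attacks (false negatives), the vulnerability-facing set catches all three with no false positive, and the naive set trades one miss for one false positive on the documentation page; the anomaly detector says nothing about any single request and only fires on the burst.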
 multiple IDSs: different types of checking at different locations
[Figure: network IDS sensors at the Internet-facing firewall and in the demilitarized zone (Web server, DNS server, FTP server), host IDS sensors on the servers, and an application gateway and firewall in front of the internal network.]
IDS vs IPS
IDS
 Some latency involved when malicious packet is
detected
 Needs real time detection
 Works on preconfigured rules
 Advantage - little impact on the network
 Disadvantage – will not stop an attack
 May be vulnerable to a hacker circumventing detection
 May give high false positive readings
IDS vs IPS
IPS
 Sits inline and all packets must pass through it
 Advantage – can detect an attack – may drop packets
 Disadvantage – can slow the network traffic
 Needs to be up to date to block the latest attacks
 Host Intrusion Prevention System (HIPS)
 Can analyse encrypted traffic
 Detects abuse of privileges
 Place on DMZ servers
Putting it all together