Security of Communication
Networks
Slim REKHIS
SUPCom
INDP3
IST, IRES, RSM
Semestre I, 2011/2012
Course outline
Content
Security Fundamentals
Virtual Private Networks
Firewalls
Access control and multi-level security
Intrusion detection
Chapter 1
Security Fundamentals
Motivations
Information systems have been penetrated by
unauthorized users and rogue programs
Increased volume of security breaches (the Computer
Emergency Response Team, CERT, reports a
tremendous increase in security incidents).
Security attacks are of increasing severity and
sophistication.
Distributed Denial of Service (DDOS) attacks.
Examples of security attacks
Worm attacks (e.g., Code Red).
Capture of network traffic (e.g., user IDs, passwords).
Exploitation of software bugs.
Unauthorized access to resources (modification
and destruction of resources).
Compromised system used as attack facility.
Identity spoofing as authorized user or end system.
Insider malice (deliberate insertion of malicious or
infected code, information disclosure).
Attack sophistication versus intruder knowledge
(Figure: percentage of key types of incidents, by percent of respondents)
Factors contributing to intrusions
Lack of awareness of threats and risks.
Security measures are not given importance until an
enterprise has been penetrated by malicious users.
Wide-open network policies (many Internet sites allow
wide-open Internet access).
Vast majority of network traffic is unencrypted.
Lack of security in TCP/IP protocol suite
Complexity of security management and administration.
Existence of software bugs.
Attackers' skills keep improving.
Categories of attacks
Interruption: A system asset is destroyed or becomes unavailable
Attack on availability
E.g., destroying file system, flooding a communication link with packets.
Interception: An unauthorized party gains access to an asset.
Attack on confidentiality
E.g., Unauthorized copying of data or programs, sniffing network traffic.
Modification: An unauthorized party gains access and alters an asset.
Attack on integrity
e.g., modifying the expected functionality of a program, changing the contents
of a message.
Fabrication: Unauthorized party inserts a fake object to the system.
Attack on authenticity
E.g., insertion of records in a log file, insertion of a fake datagram in a network
Attacks on security protocols
Active vs. passive attacks
Passive attacks
Release of message content: a message may be carrying sensitive data.
Traffic analysis: an intruder makes inferences (even if messages are
encrypted) by observing message patterns: host location and identity can be
revealed.
Footprinting: creating a complete profile of an organization's security
capabilities.
Active attacks
Masquerade: an entity pretends to be some other entity.
Replay: an entity captures a data unit and retransmits it to produce an
unauthorized effect.
Message modification: an entity modifies a portion of a legitimate message
to produce an undesirable effect.
Denial of service: Inhibits normal use of computer and communications
resources.
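The replay attack listed above, as an added example that is not part of the original slides: a client authenticates each command with an HMAC over a shared key (a constructed demo key), a naive server checks only the tag, and an intruder who captured one message resubmits the same bytes. The second server issues a fresh nonce per request and accepts each nonce once, so the replay fails while a modified message fails on both because the tag no longer matches. Function and class names are this example's own.

```python
import hashlib
import hmac
import os

# Constructed demo key shared by client and server; not a real credential.
KEY = b"shared-secret-for-demo"


def mac(body: bytes) -> bytes:
    return hmac.new(KEY, body, hashlib.sha256).digest()


def make_message(nonce: bytes, command: str) -> bytes:
    """Client: authenticate nonce||command with an HMAC tag (hex encoded)."""
    body = nonce.hex().encode() + b"|" + command.encode()
    return body + b"|" + mac(body).hex().encode()


def verify(msg: bytes):
    """Return (nonce, command) if the tag is genuine, else None."""
    body, _, tag = msg.rpartition(b"|")
    if not hmac.compare_digest(mac(body).hex().encode(), tag):
        return None                      # message modification detected
    nonce_hex, _, command = body.partition(b"|")
    return bytes.fromhex(nonce_hex.decode()), command.decode()


class NaiveServer:
    """Accepts any message with a valid tag, so a captured message replays."""

    def __init__(self):
        self.executed = []

    def challenge(self) -> bytes:
        return os.urandom(16)            # sent to the client but never checked

    def receive(self, msg: bytes) -> bool:
        parsed = verify(msg)
        if parsed is None:
            return False
        self.executed.append(parsed[1])
        return True


class NonceServer(NaiveServer):
    """Issues a fresh nonce per request and accepts each nonce exactly once."""

    def __init__(self):
        super().__init__()
        self.pending = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.pending.add(nonce)
        return nonce

    def receive(self, msg: bytes) -> bool:
        parsed = verify(msg)
        if parsed is None:
            return False
        nonce, command = parsed
        if nonce not in self.pending:    # unknown or already consumed: replay
            return False
        self.pending.remove(nonce)
        self.executed.append(command)
        return True


def run_demo(server) -> int:
    """One legitimate transfer, then the captured bytes replayed twice.
    Returns how many transfers the server actually executed."""
    captured = make_message(server.challenge(), "transfer 100 to attacker")
    server.receive(captured)
    server.receive(captured)
    server.receive(captured)
    return len(server.executed)
```

A sequence number or timestamp bound into the MAC works the same way as the nonce; what matters is that the verifier keeps enough state to recognise a unit it has already accepted.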
Characterizing digital attacks
Digital attacks have additional properties
compared to traditional ones
Coordination
Tracing difficulty
Rapid propagation
Self-propagation
Remote execution
Weakness of the legal frameworks
Attack features
Coordination: Multiple attackers can cooperate
through resource sharing, task allocation, and
synchronization.
Generated alerts carry an amount of uncertainty,
which should be taken into account when making
decisions based on them.
Versioning: statistics show that attack schemes
seldom vary.
Attackers instead introduce several slight modifications
to the attack tool in order to adapt to the existing
vulnerabilities or to bypass the protection mechanisms.
Some definitions
Security attack: any action that compromises the
security of information owned by an organization
or an individual.
Security mechanism: a mechanism that
implements functions designed to prevent,
detect, or respond to a security attack.
Security service: A service that enhances the
security of data processing systems and
information transfers.
A security service uses one or more security
mechanisms to counter a security attack.
Some definitions
Alert: A message sent by attack detection tools
(e.g., IDS) when they observe an attack.
Threat: possible attack on the system.
Vulnerability: a weakness that may be exploited
to cause loss or harm
Risk: a measure of the possibility of security
breaches and severity of the obtained damages.
Requires assessment of threats and
vulnerabilities
Classifying vulnerabilities
Application-level vulnerabilities
Operating systems
Web applications (e.g., servers, servlets)
Database applications
Network protocol implementations
Protocol vulnerabilities
Human-related vulnerabilities
Misconfiguration of equipment (e.g., firewall, router,
switch)
Weak password protection
Confidentiality violations
DDoS attacks in 2G Cellular Networks
Susceptibility to DoS attacks in 2G cellular networks is mainly
linked to authentication weaknesses in the protocols used: in GSM
the network authenticates the mobile, but the mobile cannot
authenticate the network.
One of the best known DoS attacks is the false BTS attack, which first
appeared with GSM networks.
The malicious BTS sends a stronger signal than the legitimate one to users
in the current cell.
Users camp on the false BTS and are detached from the real network.
DDoS attacks in 2.5G networks
2.5G cellular networks and beyond offer data
services, so several vulnerabilities were inherited from the
Internet.
Protocols used for data services, such as TCP and ICMP, are
vulnerable to DDoS attacks.
Openness of the network to the Internet.
The TCP SYN flood attack is one of the best known
DDoS attacks in 2.5G networks.
An intruder takes control of a sufficient number of mobiles by
means of viruses.
He instructs them to open a series of half-open TCP
connections to a server in order to exhaust its memory and fill up
its connection queue.
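The SYN flood described above, as an added example that is not part of the original slides: a model of a listening socket whose backlog holds one entry per half-open connection, flooded with SYNs from spoofed sources that never send the final ACK, so a legitimate client's SYN is dropped. The second listener uses SYN cookies, encoding a keyed hash of the client 4-tuple and a time counter into the initial sequence number, and stores nothing until the ACK proves the client is reachable. The backlog size, the secret and the addresses are constructed for the demonstration.

```python
import hashlib
import random

BACKLOG = 128          # constructed: small so exhaustion is easy to see
SEQ_MASK = 0xFFFFFFFF


class StatefulListener:
    """Classic TCP listen socket: every SYN allocates a half-open entry."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}              # (src_ip, src_port) -> server ISN

    def on_syn(self, src):
        if len(self.half_open) >= self.backlog:
            return None                  # queue full: SYN silently dropped
        isn = random.getrandbits(32)
        self.half_open[src] = isn        # memory held until ACK or timeout
        return isn                       # carried in the SYN-ACK

    def on_ack(self, src, ack):
        isn = self.half_open.get(src)
        if isn is None or ack != (isn + 1) & SEQ_MASK:
            return False
        del self.half_open[src]
        return True                      # connection established


class SynCookieListener:
    """Stateless: ISN = 8-bit time counter || 24-bit keyed hash of the
    4-tuple and that counter. Spoofed sources never return a valid ACK."""

    def __init__(self, secret=b"demo-secret"):
        self.secret = secret

    def _cookie(self, src, t):
        h = hashlib.sha256(self.secret + repr(src).encode() + bytes([t])).digest()
        return ((t & 0xFF) << 24) | int.from_bytes(h[:3], "big")

    def on_syn(self, src, now=0):
        return self._cookie(src, now % 256)   # nothing stored

    def on_ack(self, src, ack, now=0):
        isn = (ack - 1) & SEQ_MASK
        t = isn >> 24
        if (now - t) % 256 > 1:
            return False                 # cookie too old
        return isn == self._cookie(src, t)


def simulate(listener, attack_syns=1000):
    """Flood with spoofed SYNs, then try one honest handshake.
    Returns whether the honest client got a connection."""
    for i in range(attack_syns):
        spoofed = ("10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255), 40000)
        listener.on_syn(spoofed)         # attacker never completes the handshake
    client = ("192.0.2.10", 51515)
    isn = listener.on_syn(client)
    if isn is None:
        return False                     # backlog exhausted, no SYN-ACK
    return listener.on_ack(client, (isn + 1) & SEQ_MASK)
```

The cookie listener gives up TCP options it cannot fit into 32 bits, which is why real stacks enable cookies only once the backlog is under pressure; a stateless cookie also does nothing against a flood that simply saturates the radio link or the server's bandwidth.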
DDoS attacks in 3G networks
DDoS attacks are more significant, because of:
Use of a huge number of PUSH services, which are initiated from the Internet.
Use of packet switching technology and vulnerability to IP-based attacks.
Radio channel consumption
An attacker breaks into weakly secured UEs and uses them as zombies.
Later he instructs them to generate incomplete calls at the same time.
With a significant number of zombies in each cell, the network can be brought
down for a long period of time.
Abuse of telephony servers
An attacker makes a large number of cell phones simultaneously call a
voice server.
The target is unreachable for the duration of the attack.
Example of Web application vulnerability
IIS/PWS Extended Unicode Directory Traversal vulnerability
Normally, IIS checks URL strings to ensure that certain constructs
do not occur.
e.g., a requester attempts to access some parent of the /scripts directory
http://www.example.com/scripts/..\../winnt/system32/cmd.exe?/c+dir
IIS catches this and returns an HTTP 404 (File not found) response.
When the exact same request is made with the backslash encoded as an
overlong UTF-8 sequence (%c1%9c decodes to "\")
http://www.example.com/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
the response is:
Directory of c:\inetpub\scripts
10/01/2001  03:46p    <DIR>    .
10/01/2001  03:46p    <DIR>    ..
0 File(s)  0 bytes
2 Dir(s)  2,527,547,392 bytes free
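The traversal above, as an added example that is not part of the original slides: a model of a request handler that checks for ".." on the raw URL and only then decodes it with a lenient UTF-8 decoder that accepts overlong sequences, so the %c1%9c form maps outside the web root, next to a hardened handler that decodes strictly first, canonicalises, and verifies the result is still under the root. The root path, the /scripts mapping and the decoder are constructed for the demonstration and are not IIS code.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Constructed model of the IIS virtual directory /scripts -> c:\inetpub\scripts,
# written with POSIX separators so posixpath can canonicalise it.
SCRIPTS_ROOT = "/inetpub/scripts"


def lenient_utf8_decode(raw: bytes) -> str:
    """Decoder that accepts overlong two-byte sequences: %c0%af becomes '/'
    and %c1%9c becomes '\\'. Strict UTF-8 rejects both, since lead bytes
    0xC0 and 0xC1 can never start a valid sequence."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            raise ValueError("unsupported byte sequence at offset %d" % i)
    return "".join(out)


def _map_to_disk(decoded_path: str):
    """Map a decoded URL path under the /scripts virtual directory."""
    if not decoded_path.startswith("/scripts"):
        return None
    rest = decoded_path[len("/scripts"):].replace("\\", "/")
    return posixpath.normpath(SCRIPTS_ROOT + rest)


def vulnerable_resolve(url: str):
    """Checks for '..' on the still-encoded URL, decodes afterwards (the bug)."""
    path = url.split("?", 1)[0]
    if ".." in path.replace("\\", "/").split("/"):
        return None                      # literal ..\..\ form: HTTP 404
    decoded = lenient_utf8_decode(unquote_to_bytes(path))
    return _map_to_disk(decoded)         # overlong form slips through


def hardened_resolve(url: str):
    """Decode strictly first, canonicalise, then check containment."""
    path = url.split("?", 1)[0]
    try:
        decoded = unquote_to_bytes(path).decode("utf-8")   # rejects overlong forms
    except UnicodeDecodeError:
        return None
    if "\x00" in decoded:
        return None
    resolved = _map_to_disk(decoded)
    if resolved is None or not resolved.startswith(SCRIPTS_ROOT + "/"):
        return None                      # escaped the root after canonicalisation
    return resolved
```

The order matters more than the blacklist: any check performed before the last decoding step can be bypassed by one more layer of encoding, so the hardened handler validates the final filesystem path rather than the request string.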
Example of operating system vulnerability
ICMP ping of death
Some Windows OSs allow non-standard ICMP messages
to be generated.
The maximum ICMP echo payload is 65507 bytes (a 65535-byte
IP datagram minus the 20-byte IP header and 8-byte ICMP header).
Any echo packet exceeding the link MTU is fragmented
by the sender, and the receiver reassembles
the fragments.
The attacker sends an illegal echo packet with more bytes
than allowed, causing the data to be fragmented.
When the receiver tries to reassemble a packet larger than
65535 bytes, it causes buffer overflows, kernel panics, and crashes.
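The reassembly failure above, as an added example that is not part of the original slides: a sender splits an oversized echo message into IP fragments, a naive reassembler trusts offset and length and writes past the 65515-byte maximum IP payload (in a C kernel that is the overflow; the Python bytearray simply grows, which the example detects), and a checked reassembler rejects any fragment whose end would exceed the maximum. Fragment sizes and the reassembler classes are constructed for the demonstration.

```python
MAX_IP_DATAGRAM = 65535
IP_HEADER_LEN = 20
ICMP_HEADER_LEN = 8
MAX_IP_PAYLOAD = MAX_IP_DATAGRAM - IP_HEADER_LEN            # 65515
MAX_ECHO_PAYLOAD = MAX_IP_PAYLOAD - ICMP_HEADER_LEN         # 65507


def fragment(payload_len, mtu_payload=1480):
    """Split an ICMP message (header + payload) into IP fragments the way a
    sender does: (offset in 8-byte units, length, more-fragments flag)."""
    total = ICMP_HEADER_LEN + payload_len
    frags, off = [], 0
    while off < total:
        length = min(mtu_payload, total - off)
        frags.append((off // 8, length, off + length < total))
        off += length
    return frags


class NaiveReassembler:
    """Trusts offset and length blindly; the buffer is sized for the
    largest legal datagram and nothing stops a write past its end."""

    def __init__(self):
        self.buf = bytearray(MAX_IP_PAYLOAD)

    def add(self, offset8, length, data):
        start = offset8 * 8
        self.buf[start:start + length] = data     # past the end: bytearray grows
        return len(self.buf)


class CheckedReassembler:
    """Refuses any fragment whose end lies beyond the maximum IP payload."""

    def __init__(self):
        self.buf = bytearray(MAX_IP_PAYLOAD)

    def add(self, offset8, length, data):
        start = offset8 * 8
        if start + length > MAX_IP_PAYLOAD or len(data) != length:
            raise ValueError("fragment exceeds maximum datagram size")
        self.buf[start:start + length] = data
        return len(self.buf)


def deliver(reassembler, payload_len):
    """Feed the fragments of one echo message to a reassembler.
    Returns the final buffer length, or None if a fragment was rejected."""
    size = None
    for offset8, length, _more in fragment(payload_len):
        try:
            size = reassembler.add(offset8, length, b"A" * length)
        except ValueError:
            return None
    return size
```

The check belongs on every fragment, not only the last one: an attacker controls the offset field directly, so a single fragment with a large offset is enough to trigger the same out-of-bounds write.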
Example of protocol vulnerability
IP Spoofing
IP packet carries no authentication of
source address
IP spoofing is possible
IP spoofing can help malicious users to
bypass IP-based authentication mechanisms
IP spoofing occurs on other packet-switched
networks as well, such as Novell's IPX.
Security services (X.800)
Privacy / confidentiality / secrecy:
Requires that the information in a computer system and transmitted information
are accessible only for reading by authorized parties.
Integrity / authenticity:
Requires that only authorized parties are able to modify computer system assets
and transmitted information (information should be protected from tampering).
Authentication:
Requires that the origin of a message or electronic document is correctly identified.
Any party can verify that the other party is who he or she claims to be.
Non-repudiation:
Requires that neither the sender nor the receiver of a message be able to
deny the transmission.
Access control:
Requires that access to information resources may be controlled by or for
the target system.
Security requirements for transmitting information
Authorization
Requires that an entity be specifically and explicitly authorized by the
proper authority to access the contents of an information asset
Availability
Requires that a service/resource be accessible and usable upon demand by
an authorized entity.
Accountability
Requires that every activity undertaken by an entity be attributed or
traceable uniquely to that entity.
Identification
An information system possesses the property of identification
when it is able to recognize individual users.
Authentication VS. Authorization
Authentication:
proving that a principal really is who he/she claims to be.
Authorization:
verifying whether an authenticated principal has the privilege to perform
a task or the right to access certain resources; it takes place
after authentication.
Example:
A process P created by a user U contacts a server to delete
a file F. The server needs to handle the two issues:
Is this actually the process of U ? (authentication)
Is U allowed to delete the file ? (authorization)
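The two checks from the example above, as added code that is not part of the original slides: the server first decides whether the request really comes from a process of U (a session token bound to U with a keyed hash only the server can compute), and only then whether U holds the delete right on F (an ACL lookup). The token format, the server key and the ACL contents are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Hypothetical server-side secret used to sign session tokens.
SERVER_KEY = os.urandom(32)

# Constructed ACL: file F -> {user U: set of permitted operations}.
ACL = {
    "/home/alice/report.txt": {"alice": {"read", "write", "delete"}, "bob": {"read"}},
}


def issue_token(user: str) -> str:
    """Login step: bind the user name to a tag only the server can produce,
    so a process P started by U can later prove it acts on behalf of U."""
    tag = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{tag}"


def authenticate(token: str):
    """Is this actually a process of U?  Returns U, or None if unproven."""
    user, _, tag = token.partition(":")
    expected = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(expected, tag) else None


def authorize(user: str, path: str, op: str) -> bool:
    """Is U allowed to perform op on F?  Decided only for an authenticated U."""
    return op in ACL.get(path, {}).get(user, set())


def handle_delete(token: str, path: str) -> str:
    user = authenticate(token)
    if user is None:
        return "unauthenticated"         # identity not proven: stop here
    if not authorize(user, path, "delete"):
        return "forbidden"               # identity proven, right not granted
    ACL.pop(path, None)                  # the file and its ACL entry are gone
    return "deleted"
```

Keeping the two decisions in separate functions is deliberate: a forged identity must fail before any ACL is consulted, and a valid identity without the right must still be refused, which is why the two failure results are distinct.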