Intruders
One of the two most publicized threats to security is the intruder (the other is viruses), often referred to as
a hacker or cracker. In an important early study of intrusion, Anderson [ANDE80] identified three classes
of intruders:
• Masquerader: An individual who is not authorized to use the computer and who penetrates a system’s
access controls to exploit a legitimate user’s account
• Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not
authorized, or who is authorized for such access but misuses his or her privileges
• Clandestine user: An individual who seizes supervisory control of the system and uses this control to
evade auditing and access controls or to suppress audit collection
Intruder attacks range from the benign to the serious. At the benign end of the scale, there are many people
who simply wish to explore internets and see what is out there. At the serious end are individuals who are
attempting to read privileged data, perform unauthorized modifications to data, or disrupt the system.
[GRAN04] lists the following examples of intrusion:
• Viewing sensitive data, including payroll records and medical information, without authorization
• Using a permission error on an anonymous FTP server to distribute pirated software and music files
• Posing as an executive, calling the help desk, resetting the executive’s e-mail password, and learning the
new password
Patterns of Behavior
(a) Hacker
1. Select the target using IP lookup tools such as NSLookup, Dig, and others.
2. Access accounts and applications they wouldn’t normally use for their daily jobs.
3. Use Trojan horses (hidden software) to leave back doors for reentry.
INTRUSION DETECTION:
An Intrusion Detection System (IDS) is a system that monitors network traffic for suspicious activity
and issues alerts when such activity is discovered. It is a software application that scans a network or a
system for harmful activity or policy breaches. Any malicious activity or violation is normally reported
either to an administrator or collected centrally by a security information and event management
(SIEM) system. A SIEM system integrates outputs from multiple sources and uses alarm-filtering
techniques to distinguish malicious activity from false alarms.
Although intrusion detection systems monitor networks for potentially malicious activity, they
are also prone to false alarms. Hence, organizations need to fine-tune their IDS products when
they first install them. This means configuring the intrusion detection system to recognize
what normal traffic on the network looks like, as compared to malicious activity.
Intrusion prevention systems also monitor inbound network packets for malicious activity
and send warning notifications at once.
Classification of Intrusion Detection System:
IDS is basically classified into 2 types:
1. Network Intrusion Detection System (NIDS):
Network intrusion detection systems (NIDS) are set up at a planned point within the
network to examine traffic from all devices on the network. A NIDS observes the traffic
passing on the entire subnet and matches it against the collection of known attacks.
Once an attack is identified or abnormal behavior is observed, an alert can be sent to
the administrator. An example of a NIDS deployment is installing it on the subnet where
the firewalls are located, in order to see if someone is trying to crack the firewall.
Password Protection
The front line of defense against intruders is the password system. Virtually all multiuser
systems require that a user provide not only a name or identifier (ID) but also a password. The
password serves to authenticate the ID of the individual logging on to the system. In turn, the ID
provides security in the following ways:
• The ID determines whether the user is authorized to gain access to a system. In some systems,
only those who already have an ID filed on the system are allowed to gain access.
CHAPTER 20 / INTRUDERS
• The ID determines the privileges accorded to the user. A few users may have supervisory or
“superuser” status that enables them to read files and perform functions that are especially
protected by the operating system. Some systems have guest or anonymous accounts, and users
of these accounts have more limited privileges than others.
• The ID is used in what is referred to as discretionary access control. For example, by listing the
IDs of the other users, a user may grant permission to them to read files owned by that user.
THE VULNERABILITY OF PASSWORDS
To understand the nature of the threat to password-based systems, let us consider a scheme that
is widely used on UNIX, in which passwords are never stored in the clear. Rather, the following
procedure is employed (Figure 20.4a). Each user selects a password of up to eight printable
characters in length. This is converted into a 56-bit value (using 7-bit ASCII) that serves as the
key input to an encryption routine. The encryption routine, known as crypt(3), is based on
DES. The DES algorithm is modified using a 12-bit “salt” value. Typically, this value is related
to the time at which the password is assigned to the user. The modified DES algorithm is
exercised with a data input consisting of a 64-bit block of zeros. The output of the algorithm then
serves as input for a second encryption. This process is repeated for a total of 25 encryptions. The
resulting 64-bit output is then translated into an 11-character sequence. The hashed password is
then stored, together with a plaintext copy of the salt, in the password file for the corresponding
user ID. This method has been shown to be secure against a variety of cryptanalytic attacks.
The salt serves three purposes:
• It prevents duplicate passwords from being visible in the password file. Even if two users
choose the same password, those passwords will be assigned at different times. Hence, the
“extended” passwords of the two users will differ.
• It effectively increases the length of the password without requiring the user to remember two
additional characters. Hence, the number of possible passwords is increased by a factor of 4096,
increasing the difficulty of guessing a password.
• It prevents the use of a hardware implementation of DES, which would ease the difficulty of a
brute-force guessing attack.
When a user attempts to log on to a UNIX system, the user provides an ID and a password. The
operating system uses the ID to index into the password file and retrieve the plaintext salt and the
encrypted password. The salt and user-supplied password are used as input to the encryption
routine. If the result matches the stored value, the password is accepted.
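The storage and login steps above, as an added example that is not part of the original text. crypt(3)'s salted 25-round DES is not reimplemented; an iterated SHA-256 stands in for it (an assumption made only so the flow runs), while the 12-bit salt, 25 rounds, zero data block and salt-plus-hash storage follow the description:

```python
import hashlib
import os
from typing import Dict, Optional, Tuple

# Added illustration of the password-file scheme described above. crypt(3)'s
# salted 25-round DES is NOT reimplemented; an iterated SHA-256 stands in for
# it so the flow (salt, iteration, storage, verification) can be run.
SALT_BITS = 12          # from the text
ROUNDS = 25             # from the text

def extended_hash(password: str, salt: int) -> str:
    """Stand-in for crypt(3): the password keys the function, the salt modifies
    it, and the data input starts as a 64-bit block of zeros, chained 25 times."""
    if not 0 <= salt < 2 ** SALT_BITS:
        raise ValueError("salt must fit in 12 bits")
    key = password[:8].encode("ascii")      # up to eight 7-bit characters
    block = bytes(8)                        # 64-bit block of zeros
    for _ in range(ROUNDS):                 # each output feeds the next round
        block = hashlib.sha256(key + salt.to_bytes(2, "big") + block).digest()[:8]
    return block.hex()                      # 16 hex chars; crypt(3) emits 11 printable

def new_salt() -> int:
    """The text says the salt is usually time-derived; random bits are used here."""
    return int.from_bytes(os.urandom(2), "big") & (2 ** SALT_BITS - 1)

def enroll(pwfile: Dict[str, Tuple[int, str]], uid: str, password: str,
           salt: Optional[int] = None) -> None:
    """Store the plaintext salt beside the hashed password, indexed by user ID."""
    s = new_salt() if salt is None else salt
    pwfile[uid] = (s, extended_hash(password, s))

def login(pwfile: Dict[str, Tuple[int, str]], uid: str, password: str) -> bool:
    """Index the file by ID, retrieve salt and stored value, recompute, compare."""
    entry = pwfile.get(uid)
    if entry is None:
        return False
    salt, stored = entry
    return extended_hash(password, salt) == stored

def demo() -> Dict[str, bool]:
    pwfile: Dict[str, Tuple[int, str]] = {}
    # Constructed sample: two users pick the same password at different "times".
    enroll(pwfile, "alice", "letmein1", salt=0x123)
    enroll(pwfile, "bob", "letmein1", salt=0x456)
    return {
        "same_password_differs": pwfile["alice"][1] != pwfile["bob"][1],
        "alice_ok": login(pwfile, "alice", "letmein1"),
        "alice_wrong": not login(pwfile, "alice", "letmein2"),
        "unknown_id": not login(pwfile, "carol", "letmein1"),
    }
```

Running demo() shows the first purpose of the salt directly: alice and bob chose the same password, yet their stored values differ.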
The encryption routine is designed to discourage guessing attacks. Software implementations of
DES are slow compared to hardware versions, and the use of 25 iterations multiplies the time
required by 25. However, since the original design of this algorithm, two changes have occurred.
First, newer implementations of the algorithm itself have resulted in speedups. For example, the
Morris worm described in Chapter 21 was able to do online password guessing of a few hundred
passwords
Malicious Software:
Dealerships need to develop a malicious software strategy that clearly outlines the
objectives and procedures for malicious software control and recovery. Introducing
security measures can involve some risk and these practices should be done under the
advice of qualified dealer network management.
FIREWALL
A firewall is dedicated hardware, software, or a combination of both, which
inspects network traffic passing through it and denies or permits passage based
on a set of rules.
FIREWALL CHARACTERISTICS
Firewall Capabilities
A firewall defines a single choke point that keeps unauthorized users out of the
protected network.
A firewall provides a location for monitoring security-related events. Audits
and alarms can be implemented on the firewall system.
A firewall is a convenient platform for several Internet functions that are not
security related.
A firewall can serve as the platform for IPSec. Using the tunnel mode
capability, the firewall can be used to implement a virtual private network.
Firewall Limitations
The firewall cannot protect against attacks that bypass the firewall (dial-
up…).
The firewall does not protect against internal threats.
The firewall cannot protect against the transfer of virus-infected programs or
files.
DESIGN GOALS
All traffic from inside to outside, and vice versa, must pass through the
firewall.
Only authorized traffic, as defined by the local security policy, will be allowed
to pass.
The firewall itself is immune to penetration. This implies the use of a trusted
system with a secure operating system.
User control
Only authorized users have access to the other side of the firewall.
Access control
Access through the firewall is restricted to certain services. A service is
characterized, e.g., by IP address and port number.
Behavior control
For an application, the allowed usage scenarios are known, e.g., filters for e-mail
attachments (virus removal).
Direction control
Different rules can be defined for traffic into the Intranet and for outgoing traffic
to the Internet.
TYPES OF FIREWALL
Packet Filtering
Packet filtering is the simplest packet screening method. A packet filtering
firewall does exactly what its name implies -- it filters packets. The most common
implementation is on a router or dual-homed gateway. The packet filtering
process is accomplished in the following manner. As each packet passes through
the firewall, it is examined and information contained in the header is compared
to a pre-configured set of rules or filters. An allow or deny decision is made
based on the results of the comparison. Each packet is examined individually
without regard to other packets that are part of the same connection.
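A stateless packet filter of the kind just described, as an added example (not code from the original text or from any firewall product). Rule fields, the constructed policy and the ACK-based "established" shortcut are assumptions chosen to show how header-only matching behaves:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added illustration of a stateless packet filter as described above (not a
# real firewall). Header fields are compared against an ordered rule list;
# the first matching rule decides, and a packet matching no rule is denied.

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    dst_port: int
    ack: bool = False   # TCP ACK flag; set on packets that look like replies

@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    src_net: Optional[str] = None        # CIDR; None matches any source
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    ack: Optional[bool] = None           # None = don't care

    def matches(self, p: Packet) -> bool:
        if self.src_net is not None and \
                ipaddress.ip_address(p.src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        return ((self.proto is None or p.proto == self.proto)
                and (self.dst_port is None or p.dst_port == self.dst_port)
                and (self.ack is None or p.ack == self.ack))

def filter_packet(rules: List[Rule], p: Packet) -> str:
    """Decide from this packet's header alone; no connection table exists."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"   # implicit default deny

# Constructed policy: public web server, SSH only from the 10.0.0.0/8
# management block, and the classic stateless "established" shortcut that
# passes any TCP packet with ACK set on the assumption that it is a reply.
RULES = [
    Rule("allow", proto="tcp", dst_port=80),
    Rule("allow", src_net="10.0.0.0/8", proto="tcp", dst_port=22),
    Rule("allow", proto="tcp", ack=True),
    Rule("deny"),
]
```

The third rule shows the cost of examining each packet individually: an ACK-flagged packet to port 22 from outside the management block is passed, because nothing records whether a connection actually exists, which is why the circuit-level and proxy designs below track sessions instead.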
Application Gateways/Proxies
An application gateway/proxy is considered by many to be the most complex
packet screening method. This type of firewall is usually implemented on a
secure host system configured with two network interfaces. The application
gateway/proxy acts as an intermediary between the two endpoints. This packet
screening method actually breaks the client/server model in that two connections
are required: one from the source to the gateway/proxy and one from the
gateway/proxy to the destination. Each endpoint can only communicate with the
other by going through the gateway/proxy.
Circuit-level Gateway
Unlike a packet filtering firewall, a circuit-level gateway does not examine
individual packets. Instead, circuit-level gateways monitor TCP or UDP sessions.
Once a session has been established, it leaves the port open to allow all other
packets belonging to that session to pass. The port is closed when the session is
terminated. In many respects this method of packet screening resembles
application gateways/proxies and adaptive proxies, but circuit-level gateways
operate at the transport layer (layer 4) of the OSI model.
TRUSTED SYSTEMS
The basic elements of the model are as follows:
Subject: An entity capable of accessing objects. Generally, the concept of subject
equates with that of process.
Object: Anything to which access is controlled. Examples include files, portions of
files, programs, and segments of memory.
Access right: The way in which an object is accessed by a subject. Examples are
read, write, and execute.
(a) Access matrix (figure not reproduced)
A collection of software called the “trusted computing base” (TCB) maintains the
parts of the system that are related to security. The TCB consists of the UNIX system
kernel (the heart of the operating system) and the trusted utilities that reference and
maintain relevant security data. The TCB implements the security policy of the
system. The security policy is a set of rules that oversee and guard interactions
between “subjects” (such as processes, which are programs running on the system)
and “objects” (such as files, devices, and interprocess communication objects). At the
C2 level, this consists of “discretionary access control” (DAC), discussed later in this
section, and object reuse (which dictates that information in a storage object must be
cleared before allocation). Much of the software that you interact with is part of the
system's TCB. SCOadmin provides a menu-driven interface to help you maintain the
TCB.
Accountability
On a trusted system, all actions can be traced to a responsible person. Most UNIX
systems lack good accountability because some actions cannot be traced to a person.
For example, pseudo-user accounts, such as lp or cron, run anonymously; their actions
can be discovered only by changes to system information. As described later, a trusted
UNIX system improves accountability by associating each account with a real user,
auditing every action, and associating each action with a specific user on the system.
On a typical UNIX system, each process has a real and effective user ID as well as a
real and effective group ID. A process with the effective user ID set to root can set
these identifiers to any user. The C2 level of trust requires that the TCB be able to
identify each user uniquely and thus enforce individual accountability. The concept of
user identity is expanded on trusted UNIX systems to add a separate identifier called
the “login user identifier” (LUID). The LUID is an indelible stamp on every process
associated with a user. The LUID identifies the user who is responsible for the
process's session. Once stamped, the process's LUID cannot be changed by anyone.
Child processes inherit the LUID of their parent.
The SCO OpenServer security policy prescribes a relationship between access rules
and access attributes. The access attributes allow the system to define several distinct
levels of authorization, and the access rules provide the mechanism for the system to
prevent unauthorized access to sensitive information.
Access to a file is determined by the file's absolute pathname. The kernel determines
whether or not to allow a process the kind of file access requested (read, write,
execute/search) based on
These access checks are performed at the time the file is opened, rather than at the
time a read or write is actually attempted.
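A toy model tying together the access matrix, discretionary access control, the LUID and open-time checking from this section, added here as an example (not SCO OpenServer code). The class and method names, the right names and the sample paths are assumptions:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Added toy model of the access-matrix / DAC / LUID ideas described above.
# Objects are files keyed by absolute pathname, subjects are processes.
@dataclass(frozen=True)
class Process:
    uid: str    # effective user ID; a root process may change it
    luid: str   # login user ID: stamped at login, immutable, inherited
    def fork(self) -> "Process":
        return Process(self.uid, self.luid)

class TrustedKernel:
    def __init__(self) -> None:
        self.matrix: Dict[Tuple[str, str], Set[str]] = {}   # (uid, path) -> rights
        self.owner: Dict[str, str] = {}                      # path -> owning uid
        self.audit: List[Tuple[str, str, str, bool]] = []    # (luid, op, path, ok)

    def _log(self, p: Process, op: str, path: str, ok: bool) -> bool:
        self.audit.append((p.luid, op, path, ok))   # accountability via LUID
        return ok

    def create(self, p: Process, path: str) -> None:
        self.owner[path] = p.uid
        self.matrix[(p.uid, path)] = {"read", "write", "execute"}
        self._log(p, "create", path, True)

    def grant(self, p: Process, grantee: str, path: str, rights: Set[str]) -> bool:
        ok = self.owner.get(path) == p.uid            # DAC: only the owner delegates
        if ok:
            self.matrix.setdefault((grantee, path), set()).update(rights)
        return self._log(p, "grant:" + grantee, path, ok)

    def revoke(self, p: Process, grantee: str, path: str) -> bool:
        ok = self.owner.get(path) == p.uid
        if ok:
            self.matrix.pop((grantee, path), None)
        return self._log(p, "revoke:" + grantee, path, ok)

    def open(self, p: Process, path: str, mode: str) -> Optional[Tuple[str, str]]:
        """The only access check; the returned handle is not re-checked on use."""
        ok = mode in self.matrix.get((p.uid, path), set())
        return (path, mode) if self._log(p, "open:" + mode, path, ok) else None

    def setuid(self, p: Process, new_uid: str) -> Process:
        if p.uid != "root":
            raise PermissionError("only root may change the effective uid")
        return Process(new_uid, p.luid)               # LUID survives the change
```

A handle returned by open() stays usable after the owner revokes the right, which is exactly the consequence of checking at open time rather than at each read or write; every audit record carries the LUID, so an action taken after setuid is still traced to the person who logged in.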