NETWORK SECURITY
Bilal Khan
1. Course Overview
The objective of this course is to provide core competency in network-related security issues. Students will acquire both conceptual foundations and extensive practical hands-on laboratory experience in detecting and preventing attacks originating from the network, as well as methodologies to assess network security through penetration testing and post-compromise forensic analysis. The course is designed to bring students to the frontier of open problems suitable for dissertation research in network security.

Topics covered include:
PART 1: Foundations
· Computer network architecture, protocol layers.
· Application layer protocols and services: HTTP, FTP, SMTP, DNS, etc.
· Aspects of security, including authentication, integrity, confidentiality, etc.
· Socket programming.
PART 2: Security within the Network
· Link-layer security, especially for wireless.
· Securing routing protocols: BGP, OSPF, etc.
· Public Key Infrastructure, IPSEC.
· Secure LAN switching, NAT, VLANs, etc.
· Firewall architectures, packet filtering, proxy services, bastions.
· Transport Layer Security: SSL/TLS.
· Wireless security: IEEE 802.1x.
· Cellular security: GSM/GPRS/UMTS/EDGE.
PART 3: Network Security Applications
· Authentication: Kerberos, X.509, SSH.
· Email security: PGP, S/MIME, etc.
· Web security.
· Network management security, SNMP.
· Common attack vectors and exploits.
· IDS and IPS, monitoring.
2. Textbooks and Course Materials
Required Texts:
· Richard Bejtlich. The Tao of Network Security Monitoring: Beyond Intrusion Detection.
http://www.amazon.com/Tao-Network-Security-Monitoring-Intrusion/dp/0321246772
· Charlie Kaufman, Radia Perlman, Mike Speciner. Network Security: Private Communication in a Public World. Prentice Hall Series in Computer Networking and Distributed Systems, 2002. ISBN: 0130460192
http://www.amazon.com/Network-Security-Private-Communication-Public/dp/0130460192/ref=sr_1_1/002-0588180-5815237?ie=UTF8&s=books&qid=1194304669&sr=1-1
Tentative Partial List of Optional Texts:
· Garman, Jason. Kerberos: The Definitive Guide. O’Reilly Press, August 2003. ISBN 0596004036.
· Doraswamy, Naganand & Harkins, Dan. IPsec: The New Security Standard for the Internet, Intranets and Virtual Private Networks. Prentice Hall, July 1999. ISBN 0130118982.
· Lucas, Michael. PGP and GPG: Email for the Practical Paranoid. No Starch Press. ISBN 1593270712.
· Secure Programming for Linux and Unix HOWTO, by David Wheeler.
3. Practicum Experiences Provided by this Course
The following topics are EXAMPLES of what is covered in lab projects and homework.
· Project 1: Link-layer attacks: packet spoofing, session hijacking, ARP cache poisoning, attacks in WiFi networks.
· Project 2: Network security assessment: passive and active OS fingerprinting and scanning techniques using nmap, p0f, etc.; vulnerability assessment using Nessus; brute-force attacks.
· Project 3: Buffer overflows, defenses and countermeasures: students write increasingly sophisticated buffer overflows against a vulnerable service using Metasploit and hand-coded shellcode.
· Project 4: Network intrusion detection: analyzing packet dumps and writing Snort IDS signatures; IDS evasion techniques (packet fragmentation, polymorphic shellcode generators, stealth scanning).
· Project 5:
· Project 6: Web security: cookie stealing, SQL injection attacks, auditing vulnerable web services.
4. Forensic Computing Laboratory
OVERVIEW
STUDENT'S PERSPECTIVE—What you get:
· A home directory where you can save your homework assignments and research projects.
· Access to several Virtual Machines (VMs) which run a variety of different types and versions of operating systems (including, e.g., Windows XP, FreeBSD, RedHat, CentOS, Damn Small Linux, etc.) and tools (e.g., Backtrack 2, NIMA, etc.). These VMs are served as a read-only virtual-machines-templates/ directory by the lab's courseware server. To use these virtual machines, you have to copy them to your local virtual-machines-instances/ directory and run them from there.
· The main features of the lab are:
  · No restrictions: You have root/administrative access on all these VMs, so you can explore the operating system without restrictions.
  · No boundaries: You can make network connections between the different VMs that you run, and you can make network connections between your VMs and the VMs that other lab users are running. You are all in the same network playpen and can attack or examine each other's machines.
  · No worries: You have the peace of mind that even if you destroy the OS accidentally by erasing some files, it will reset to its original state once you power off the VM. Almost all of these VMs have independent disks, which means that after you power them off (in VMPlayer), they will revert back to their original pristine condition[1]. Traffic that originates from within a VM is restricted to the lab VLAN and cannot escape the forensic computing lab.
  · No live-versus-forensic divide: You can take snapshots of your VMs' memory and disk at any point in time and do a forensic analysis on the images in the same way that you would on images of a real machine.
· You have access to:
  · A communal wiki in which you have write permissions.
  · A practicum website where exercises and solutions are available for practice.
  · A discussion board and a shared directory where course materials are made available.
  · A trouble ticket mailing list: fclab_admin@yahoogroups.com
· Student Lab Admins (Fall 2007): Jarek Paduch and Carol Dottin.
5. Outline of Lectures
Lecture 1: Overview of networking protocols, part I.
Topics: Link Layers: Ethernet, Wi-Fi. Network Layers: IP, OSPF, BGP. Transport Layers: UDP, TCP.
Required
· Section 1.5 of [KPS].
· Relevant chapters from Kurose and Ross.
· Reflections on Trusting Trust, Ken Thompson, ACM Turing Award Lectures: The First Twenty Years 1965-1985.
Lecture 2: Overview of networking protocols, part II.
Topics: Application layers: DNS, SMTP, FTP, HTTP.
Required
· Relevant chapters from Kurose and Ross.
· Why Cryptosystems Fail, Ross Anderson, Proceedings of the First Conference on Computer and Communication Security.
Lecture 3: Security issues in network protocols & an introduction to cryptography.
Topics: Overview of security goals, including: authentication, authorization, confidentiality, integrity, non-repudiation, accounting. Specific focus on issues in TCP, DNS, SMTP, and routing protocols. Buffer overflows as a case study of a common meta-bug.
Required
· Chapter 2 of [KPS]: Introduction to Cryptography.
· A Look Back at Security Problems in the TCP/IP Protocol Suite, S. Bellovin, AT&T Labs, 20th Annual Computer Security Applications Conference, 2004.
· Using the Domain Name System for System Break-Ins.
· Attack Class: Buffer Overflows, Evan Thomas, Hello World!
· Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade, Crispin Cowan, et al. Proceedings of DARPA Information Survivability Conference and Exposition (DISCEX), vol. 2, pp. 119-129, Jan. 2000.
· Smashing The Stack For Fun And Profit, Aleph One, Phrack Volume 7, Issue 49.
· Setuid Demystified, Chen, Wagner, and Dean (first three pages and section 5.2), Proceedings of the Eleventh USENIX Security Symposium, San Francisco, CA, August 2002.
· Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server, David Litchfield, NGS Research Whitepaper, August 9, 2003.
Optional
· Once upon a free(), anonymous, Phrack Volume 0x0b, Issue 0x39, Phile #0x09 of 0x12.
· Intel Architecture Guide for Software Developers, Intel (esp. pages 155-162).
· How to hijack the Global Offset Table with pointers for root shells, c0ntex, Open Security.
· Basic Integer Overflows, blexim, Phrack Volume 0x0b, Issue 0x3c, Phile #0x0a of 0x10.
· Exploiting Format String Vulnerabilities, team teso, 2001.
· Windows access control pages, Microsoft.
Lecture 4: Confidentiality in Distributed Systems
Topics: Quick overview of secret key encryption: DES, IDEA, AES, and public key encryption: RSA, Diffie-Hellman, DSS. The mathematical details will be delegated to FCM 700, but we will address protocol design.
Required
· Chapter 3 of [KPS]: Secret Key Cryptography.
· Chapter 6 of [KPS]: Public Key Cryptography.
· The Protection of Information in Computer Systems, J.H. Saltzer and M.D. Schroeder.
Lecture 5: Integrity in Distributed Systems
Date:
Topics: Hashes and message digests. Birthday attacks.
Required
· Chapter 5 of [KPS]: Hashes and Message Digests.
· Improving the security of your site by breaking into it, Dan Farmer, Wietse Venema, Usenet posting to comp.security.unix, 3 Dec. 1993.
Lecture 6: Authentication and Authorization in Distributed Systems
Date:
Topics: Password-based and address-based authentication, KDCs and CAs.
Required
· Chapter 9 of [KPS]: Overview of Authentication Systems.
· Chapter 11 of [KPS]: Security Handshake Pitfalls.
· The Twenty Most Critical Internet Security Vulnerabilities (reference).
Lecture 7: Kerberos
Topics:
Required
· Chapter 13 of [KPS]: Kerberos V4.
· Chapter 14 of [KPS]: Kerberos V5.
· Limitations of the Kerberos Authentication System, Steven M. Bellovin, Michael Merritt, USENIX Conference Proceedings.
· DOS Attacks on Kerberos, CERT.
· Replay attacks on Kerberos, Kimmo Kasslin et al., Proceedings of the Australian Information Warfare and IT Security Conference 2003.
· Attacking Kerberos on Windows 2000, Kimmo Kasslin, Antti Tikkanen, Proceedings of the Australian Information Warfare and IT Security Conference 2004.
· Password attacks on Windows 2000, Kimmo Kasslin, Antti Tikkanen, Proceedings of the Australian Information Warfare and IT Security Conference 2004.
· On Active Attacks to Kerberos Telnet, Simon Josefsson, unpublished, from RSA Laboratories.
· Function Call Tracing Attacks to Kerberos V, Julian L. Rrushi, Emilia Rosti, Proceedings of DIMVA: Detection of Intrusions and Malware & Vulnerability Assessment, Vienna, Austria, 2005.
Optional
· Garman, Jason. Kerberos: The Definitive Guide.
· Windows 2000 Kerberos Authentication.
· Kerberos Infrastructure HOWTO for Linux.
Lecture 8: Public Key Infrastructure
Topics: Certificate Authority (CA), Registration Authority (RA) or Local Registration Authorities (LRA), Directory Service, Time Stamping (as an additional service).
Required
· Chapter 15 of [KPS]: PKI.
· Chapter 16 of [KPS]: Real-time Communication Security.
· Certificate Authorities.
· Everything you Never Wanted to Know about PKI but were Forced to Find Out, Peter Gutmann.
· Private Key Infrastructure, or Why there is no Public Key Infrastructure, Rik Farrow.
Lecture 9: IPSEC
Topics: Authentication Header, Encapsulating Security Payload, Internet Key Exchange.
Required
· Chapter 17 of [KPS]: IPSEC - AH and ESP.
· Chapter 18 of [KPS]: IPSEC - IKE.
· An Illustrated Guide to IPsec, Steve Friedl.
Optional
· Doraswamy, Naganand & Harkins, Dan. IPsec: The New Security Standard for the Internet, Intranets and Virtual Private Networks.
· IPSEC and You, Analog X.
· Step-by-Step Guide to IPSEC, Microsoft.
· IPSEC troubleshooting, Microsoft.
· Flying Raccoons, IPSEC, Mac OS X Server 10.2 and You, Parts 1, 2, 3, 4. Joel Rennich (AFP549.com).
Lecture 10: Denial of Service Attacks
Topics: DOS, DDOS, IP Traceback, DNS Poisoning.
Required
· Chapter 23 of [KPS]: Firewalls.
· Practical network support for IP Traceback, S. Savage, et al. Proceedings of IEEE SIGCOMM 2000, pp. 295-305.
· A DoS-Limiting Network Architecture, Yang, Wetherall, and Anderson, Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications, Philadelphia, PA, 2005.
· A Detailed DDoS extortion story, Scott Berinato, CSO Online.
Lecture 11: Network defense
Topics: Firewalls, Intrusion Detection, Shapers, Filters.
Required
· Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, T. Ptacek, Secure Networks, Inc. Technical Report, 1998.
· Bro: A System for Detecting Network Intruders in Real-Time, V. Paxson, in Proceedings of the 7th USENIX Security Symposium.
· Linux Firewall - the Traffic Shaper, J. Wortelboer and J. Van Oorschot, Security Focus, January 2001.
Lecture 12: Securing Email; Spam and Phishing attacks.
Topics: PGP, S/MIME, Spam, and Phishing.
Required
· Chapter 21 of [KPS]: PGP.
· Attacking PGP, by infiNity.
· Chapter 20 of [KPS]: S/MIME.
· How to forge an S/MIME signature, Jon Udell, March 2004.
· Anti-phishing report, Aaron Emigh, Radix Labs, October 2005.
Optional
· PGP: Pretty Good Privacy. Garfinkel, Simson. O’Reilly, November 1994, ISBN 1565920988.
· PGP and GPG: Email for the Practical Paranoid. Lucas, Michael. No Starch Press, ISBN 1593270712.
· Email Encryption for the Lazy (Windows), Jorn Ronnow, 2003.
· Getting and Installing Command Line PGP for Linux (Being Sneaky Pays Off), by Chuck Steele.
· S/MIME: A Beginner’s Guide (Windows), Mark Noble.
· How to set up encrypted email on Mac OS X, by François Joseph de Kermadec, 2004.
· S/MIME on Mozilla, Javier Delgadillo and Terry Hayes, Mozilla.org.
· Gmail S/MIME, Richard Jones, 2005.
Lecture 13: Malware and Network Worms
Topics: Malware including computer viruses, spyware, key-loggers, bots. Attacks and defenses against worms.
Required
· Hunting for Metamorphic.
· Computer Virus-Antivirus Coevolution. Carey Nachenberg, Communications of the ACM, 40(1), pp. 46-51, 1997.
· Know your Enemy: Tracking Botnets, Honeynet Project, March 2005.
· A Tour of the Worm, Donn Seeley, Proceedings of the Winter 1989 Usenix Conference.
· Inside the Slammer worm, S. Savage, IEEE Journal on Security and Privacy, 2003.
· Automated worm fingerprinting, S. Singh et al., Proc. Usenix Symp. Operating System Design and Implementation, Usenix Assoc., 2004, pp. 45–60.
· Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits, Helen J. Wang et al., Proceedings of ACM SIGCOMM, August 2004.
Lecture 14: Wireless and Cellular Security
Topics: Security mechanisms for WiFi, Bluetooth, and WiMAX. Architecture and security of GSM, GPRS, EDGE.
Required
· WEP: Dead Again, Parts 1 and 2.
· WPA, WPA2.
· Security in Wireless Cellular Networks, Ali Gardezi.
· UMTS Security, K. Boman, G. Horn, P. Howard, and V. Niemi, IEEE Electronics & Communication Engineering Journal, October 2002.
Optional
· UMTS Security, UMTSWorld.
· http://ntrg.cs.tcd.ie/undergrad/4ba2.05/group7/index.html
· http://www.gsm-security.net/gsm-security-faq.shtml
Lecture 15: Web Browser and Website Security
Topics: Web security and web privacy issues, including cookie poisoning, SQL injection, and client authentication.
Required
· Chapter 19 of [KPS]: SSL and TLS.
· Chapter 25 of [KPS]: Web Issues.
· Protecting Browser State from Web Privacy Attacks, Jackson et al.
· Cross site scripting explained, Amit Klein.
· SQL Injection attacks, Chris Anley.
· Dos and Don'ts of Client Authentication on the Web, Kevin Fu et al.
Optional
· Securing Java, McGraw and Felten, Chapter 2.
· SSL, IETF Draft.
· SSL and TLS: Designing and Building Secure Systems, Chapter 9. E. Rescorla.
· HTTP over TLS, RFC 2818, E. Rescorla (RTFM).
· Kerberos Web Authentication, NCSA.
[1] The only exception is the Forensic Windows XP Virtual Machine. That VM is not “independent”: changes to the disk in your local instance of the VM are permanent, while the template VM remains untouched and pristine.