1. Threat & Control
1) Snooping
: Eavesdropping on a dialog (Interception)
: Encryption for Confidentiality
2) Spoofing
: Impersonation (Fake src address, why?)
: Hop Count Filtering using TTL
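Added example (not part of the notes): hop-count filtering for the spoofed-source problem. A forged source address is cheap, but the TTL a packet arrives with is decremented by every router on the real path, so the inferred hop count can be compared with the hop count previously learned for that source. The initial-TTL table, addresses and TTL values below are assumptions constructed for the demo.

```python
# Hop-count filtering (HCF): infer the initial TTL, derive the hop count, and compare
# it with the hop count learned earlier for the same source address.

# Assumption: senders use one of these common initial TTL values (BSD/Linux 64,
# Windows 128, many network devices 255, a few legacy stacks 32).
INITIAL_TTLS = (32, 64, 128, 255)


def infer_hop_count(observed_ttl: int) -> int:
    """Hop count implied by the smallest plausible initial TTL >= observed_ttl.

    An observed TTL of 116 is taken to have started at 128 (12 hops), a value of
    54 at 64 (10 hops). Paths longer than 32 hops are mis-classified; that is the
    known limitation of the heuristic.
    """
    if not 0 < observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    initial = min(t for t in INITIAL_TTLS if t >= observed_ttl)
    return initial - observed_ttl


class HopCountFilter:
    """Per-source table of learned hop counts, consulted on every new packet."""

    def __init__(self, tolerance: int = 0):
        self.table = {}             # src_ip -> hop count learned from a trusted sample
        self.tolerance = tolerance  # hops of drift allowed for route changes

    def learn(self, src_ip: str, observed_ttl: int) -> None:
        """Record the hop count for a source, e.g. after a completed TCP handshake."""
        self.table[src_ip] = infer_hop_count(observed_ttl)

    def check(self, src_ip: str, observed_ttl: int) -> str:
        """Return 'accept', 'spoofed', or 'unknown' (no entry yet for this source)."""
        if src_ip not in self.table:
            return "unknown"
        drift = abs(self.table[src_ip] - infer_hop_count(observed_ttl))
        return "accept" if drift <= self.tolerance else "spoofed"


def demo() -> list:
    """Constructed packets: one learned source, then packets claiming to be it."""
    hcf = HopCountFilter(tolerance=1)
    hcf.learn("198.51.100.7", 116)   # Windows-like host learned at 12 hops
    packets = [
        ("198.51.100.7", 116),       # same path: accept
        ("198.51.100.7", 115),       # one hop of route drift: accept
        ("198.51.100.7", 120),       # implies 8 hops: spoofed
        ("198.51.100.7", 245),       # implies 10 hops from a TTL-255 stack: spoofed
        ("203.0.113.9", 60),         # never seen before: unknown
    ]
    return [hcf.check(src, ttl) for src, ttl in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The filter only helps once a hop count has been learned from traffic that completed a handshake; an attacker who sits at the same hop distance as the impersonated host is not caught, which is why the notes list it as one control among several rather than a complete answer to spoofing.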
3) Alteration
: Message modification
: Use Secure Dialog System
4) Replay Attack
: Continually retransmit the same (authenticated) packets that an attacker intercepted earlier
: Timestamp (checks packet freshness), sequence number (checks for duplicates)
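Added example (not part of the notes) showing both replay controls together: a receiver that verifies an HMAC tag, then rejects stale timestamps, then rejects sequence numbers that do not strictly increase per sender. The key, the fixed clock values and the messages are constructed for the demo; the message format is an assumption.

```python
import hashlib
import hmac


def make_message(key: bytes, sender: str, seq: int, ts: int, payload: str) -> dict:
    """Sender side: authenticate every field the receiver will check."""
    mac = hmac.new(key, f"{sender}|{seq}|{ts}|{payload}".encode(), hashlib.sha256)
    return {"sender": sender, "seq": seq, "ts": ts, "payload": payload,
            "tag": mac.hexdigest()}


class ReplayProtectedReceiver:
    def __init__(self, key: bytes, window: int = 30):
        self.key = key
        self.window = window   # seconds for which a timestamp counts as fresh
        self.last_seq = {}     # sender -> highest sequence number accepted so far

    def receive(self, msg: dict, now: int) -> str:
        """Return 'accept' or a 'reject: ...' reason.

        The tag is verified first so that a forged timestamp or sequence number is
        never trusted; freshness catches packets recorded long ago; the sequence
        number catches duplicates that are still inside the freshness window.
        """
        expected = make_message(self.key, msg["sender"], msg["seq"], msg["ts"],
                                msg["payload"])["tag"]
        if not hmac.compare_digest(expected, msg["tag"]):
            return "reject: bad tag"
        if abs(now - msg["ts"]) > self.window:
            return "reject: stale timestamp"
        if msg["seq"] <= self.last_seq.get(msg["sender"], -1):
            return "reject: duplicate or old sequence number"
        self.last_seq[msg["sender"]] = msg["seq"]
        return "accept"


def demo() -> list:
    key = b"constructed-demo-key"        # constructed; a real key is random
    rx = ReplayProtectedReceiver(key, window=30)
    m1 = make_message(key, "alice", 1, 1000, "transfer 10")
    m2 = make_message(key, "alice", 2, 1010, "transfer 20")
    tampered = dict(m2, payload="transfer 2000")   # modified in transit
    return [
        rx.receive(m1, now=1005),        # fresh, first sequence number: accept
        rx.receive(m1, now=1010),        # same packet again inside window: duplicate
        rx.receive(tampered, now=1012),  # tag no longer matches: bad tag
        rx.receive(m2, now=1012),        # genuine next message: accept
        rx.receive(m2, now=1100),        # captured and resent 90 s later: stale
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The timestamp alone would let a captured packet be resent any number of times within the window, and the sequence number alone would let a very old packet in if the receiver restarted and lost its table; the notes list both because each covers the other's gap.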
5) DoS (Denial of Service)
: Disrupt normal services by consuming all available resources
: Connection Flooding
- Smurf
- SYN flooding (uses IP spoofing as a preparatory step)
- DNS Attack
- Echo-Chargen, Ping of Death, Traffic Redirection
: Easy to block because the volume is limited -> DDoS
(1) DDos (Distributed Denial of Service)
: DoS attack launched from many machines called zombies (a botnet)
(2) Amplification Attack
: Attacker - Botnet - Reflector - Victim
: DNS Amplification(DNS query), Broadcasting Ping(Smurf)
(3) Complexity Attack
: Severity depends on the target
: e.g., a NIDS (Network-based Intrusion Detection System)
(4) Algorithmic Complexity Attack
: Send carefully chosen messages that trigger the worst-case execution time
: Compare legitimate high traffic volume: “slash-dotted” or “flash crowd”
: Defense
- Before: Prevention & Preemption (Need good incident response plan)
- During: Detection & Filtering (Have network monitor and IDS)
- After: Source Traceback & Identification
2. Attack Prevention
1) Block spoofed source addresses: drop packets whose source address does not belong to the local network (possible at the subnet router)
2) Rate control upstream: on specific packet types
3) Use modified TCP connection handling: SYN cookies (when the connection table is full)
4) Block IP directed broadcasts
5) Use CAPTCHA: a “puzzle” that only a human can solve
6) Use mirror sites
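Added example (not part of the notes) of item 3: a simplified SYN cookie. The server encodes what it needs into the 32-bit initial sequence number of its SYN-ACK and keeps no half-open entry; a connection is created only when the client's final ACK carries a number that verifies. The bit layout, the MSS table, the secret and the addresses are assumptions constructed for the demo, and the client's ISN is left out of the hash to keep the arithmetic visible (real stacks fold it in).

```python
import hashlib
import hmac

# Cookie layout (simplified):
#   bits 31..27: 64-second time slot (mod 32)
#   bits 26..24: index into a small MSS table
#   bits 23..0 : keyed hash of the 4-tuple and the time slot
MSS_TABLE = (536, 1220, 1440, 1460)   # assumption: 4-entry table, 3 bits reserved


def _hash24(secret: bytes, src: str, dst: str, sport: int, dport: int, slot: int) -> int:
    data = f"{src}:{sport}>{dst}:{dport}@{slot}".encode()
    return int.from_bytes(hmac.new(secret, data, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(secret, src, dst, sport, dport, mss, now) -> int:
    """Server side on SYN: compute the ISN for the SYN-ACK, storing nothing."""
    slot = (now // 64) & 0x1F
    fits = [i for i, v in enumerate(MSS_TABLE) if v <= mss]
    m = fits[-1] if fits else 0          # largest table entry not above the client MSS
    h = _hash24(secret, src, dst, sport, dport, slot)
    return (slot << 27) | (m << 24) | h


def check_syn_cookie(secret, src, dst, sport, dport, ack_number, now):
    """Server side on the final ACK: return the MSS to use, or None if invalid.

    The client acknowledges ISN+1, so the cookie is ack_number-1. The current and
    the previous time slot are accepted, giving each cookie a 64..128 s lifetime.
    """
    cookie = (ack_number - 1) & 0xFFFFFFFF
    slot, m, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    current = (now // 64) & 0x1F
    for valid in (current, (current - 1) & 0x1F):
        if slot == valid and _hash24(secret, src, dst, sport, dport, valid) == h:
            return MSS_TABLE[m]
    return None


def demo() -> list:
    secret, now = b"constructed-secret", 100_000     # constructed values
    args = ("198.51.100.7", "192.0.2.10", 40000, 443)
    isn = make_syn_cookie(secret, *args, mss=1400, now=now)
    return [
        check_syn_cookie(secret, *args, ack_number=isn + 1, now=now),        # 1220
        check_syn_cookie(secret, *args, ack_number=isn + 1, now=now + 64),   # previous slot still valid
        check_syn_cookie(secret, *args, ack_number=isn + 1, now=now + 200),  # expired: None
        check_syn_cookie(secret, *args, ack_number=isn + 2, now=now),        # wrong number: None
        check_syn_cookie(secret, "203.0.113.5", *args[1:], ack_number=isn + 1, now=now),  # other source: None
    ]


if __name__ == "__main__":
    print(demo())
```

Because nothing is stored per half-open connection, a flood of SYNs with forged sources costs the server only a hash per packet; the price is that TCP options which do not fit into the cookie (here everything except a coarse MSS) are lost, which is why stacks switch to cookies only once the table is full rather than using them all the time.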
3. Firewall
1) Packet filter firewall: checks the TCP/IP headers of every packet
2) Application (proxy) firewall: uses history
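Added example (not part of the notes): a stateless packet filter that evaluates header fields against an ordered rule list, first match wins, default deny. Its first two rules implement prevention items 1 and 4 above (drop packets whose source address is inconsistent with the side they arrive on, and drop IP directed broadcasts). The protected subnet, the rule set and the packets are assumptions constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # assumption: the protected subnet


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving from the Internet) or "out" (leaving the subnet)
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    dport: int = 0


def spoofed_source(p: Packet) -> bool:
    """Inbound packets must not claim a local source; outbound packets must have one."""
    local = ipaddress.ip_address(p.src) in LOCAL_NET
    return local if p.direction == "in" else not local


def directed_broadcast(p: Packet) -> bool:
    """Inbound packet addressed to the subnet's broadcast address (Smurf reflector)."""
    return p.direction == "in" and ipaddress.ip_address(p.dst) == LOCAL_NET.broadcast_address


# (name, predicate, action), evaluated top to bottom; anything unmatched is denied.
RULES = [
    ("anti-spoof", spoofed_source, "deny"),
    ("no directed broadcast", directed_broadcast, "deny"),
    ("web in", lambda p: p.direction == "in" and p.proto == "tcp" and p.dport in (80, 443), "allow"),
    ("web out", lambda p: p.direction == "out" and p.proto == "tcp" and p.dport in (80, 443), "allow"),
    ("dns out", lambda p: p.direction == "out" and p.proto == "udp" and p.dport == 53, "allow"),
]


def filter_packet(p: Packet) -> tuple:
    """Return (action, rule name) for the first matching rule."""
    for name, match, action in RULES:
        if match(p):
            return action, name
    return "deny", "default"


def demo() -> list:
    packets = [   # constructed traffic
        Packet("in", "198.51.100.5", "192.0.2.10", "tcp", 443),    # allow: web in
        Packet("in", "192.0.2.7", "192.0.2.10", "tcp", 443),       # deny: local source from outside
        Packet("out", "203.0.113.1", "198.51.100.5", "tcp", 80),   # deny: foreign source from inside
        Packet("in", "198.51.100.5", "192.0.2.255", "icmp"),       # deny: directed broadcast
        Packet("in", "198.51.100.5", "192.0.2.10", "tcp", 23),     # deny: no rule for telnet
        Packet("out", "192.0.2.10", "203.0.113.1", "udp", 53),     # allow: dns out
    ]
    return [filter_packet(p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(demo(), demo()):
        print(verdict)
```

A filter like this sees only headers, so it cannot tell a legitimate HTTP request from an attack carried inside one; that is the gap the application (proxy) firewall in item 2 is meant to fill.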
4. Intrusion Detection
1) IDS (Intrusion Detection System)
: detect & report intrusions
2) IDS Principles
(1) Observe deviations from past history
(2) Parameter = Evaluation Criteria
- Anomaly detection: analyzes user behavior - threshold detection (time), profile based (behavior)
- Signature detection: defines attack patterns - pattern matching for a given attack type
(3) Problems
- False positives (FP): cases that are actually abnormal but are wrongly judged normal
- False negatives (FN): cases that are actually normal but are wrongly judged abnormal
- The two must be traded off against each other
* False Positive Rate(FPR) = FP / Total N = FP / (FP + TN)
* False Negative Rate(FNR) = FN / Total T = FN / (FN + TP)
* Removing Ambiguity
A true positive is a result that is Positive and agrees with the actual fact, so it is True: hence TP
A true negative is a result that is Negative and agrees with the actual fact, so it is True: hence TN
A false positive is a result that is Positive but is a wrong conclusion: hence FP
A false negative is a result that is Negative but is a wrong conclusion: hence FN
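Added example (not part of the notes) putting the two detection parameters and the error-rate formulas together: a threshold detector (failed logins per source within a time window) and a signature detector (regular expressions for known attack types) run over constructed log events, and the resulting alerts are scored against constructed ground truth using FPR = FP / (FP + TN) and FNR = FN / (FN + TP) exactly as written above. Events, addresses, labels and signatures are all constructed for the demo.

```python
import re
from collections import defaultdict, deque

# Constructed events: (timestamp in seconds, source address, log text).
EVENTS = [
    # 10.0.0.5: six failed logins in 25 s
    *[(100 + 5 * i, "10.0.0.5", "LOGIN_FAIL user=admin") for i in range(6)],
    # 10.0.0.6: a legitimate user who mistyped twice
    (50, "10.0.0.6", "LOGIN_FAIL user=bob"), (60, "10.0.0.6", "LOGIN_FAIL user=bob"),
    (70, "10.0.0.6", "LOGIN_OK user=bob"),
    # 10.0.0.7: path traversal in a request
    (80, "10.0.0.7", "GET /../../etc/passwd"),
    # 10.0.0.8: benign page whose name happens to match a signature
    (90, "10.0.0.8", "GET /docs/sql-union-select-tutorial.html"),
    # 10.0.0.9: one failure every 100 s, which stays under the threshold window
    *[(100 * i, "10.0.0.9", "LOGIN_FAIL user=root") for i in range(5)],
    # 10.0.0.10: ordinary traffic
    (95, "10.0.0.10", "GET /index.html"),
]
# Constructed ground truth: True = the source really was malicious.
TRUTH = {"10.0.0.5": True, "10.0.0.6": False, "10.0.0.7": True,
         "10.0.0.8": False, "10.0.0.9": True, "10.0.0.10": False}

# Signature detection: a pattern per known attack type (constructed examples).
SIGNATURES = [
    ("path traversal", re.compile(r"\.\./")),
    ("sql injection", re.compile(r"union[\s-]+select", re.IGNORECASE)),
]


def signature_alerts(events) -> set:
    """Sources that sent at least one event matching a signature."""
    return {src for _, src, text in events
            if any(pat.search(text) for _, pat in SIGNATURES)}


def threshold_alerts(events, limit=5, window=60) -> set:
    """Anomaly detection by threshold: >= limit failed logins within window seconds."""
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    for ts, src, text in sorted(events):
        if "LOGIN_FAIL" not in text:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= limit:
            flagged.add(src)
    return flagged


def error_rates(alerted: set, truth: dict) -> dict:
    """Confusion matrix plus FPR and FNR, positive meaning 'alerted'."""
    tp = sum(1 for s, bad in truth.items() if bad and s in alerted)
    fn = sum(1 for s, bad in truth.items() if bad and s not in alerted)
    fp = sum(1 for s, bad in truth.items() if not bad and s in alerted)
    tn = sum(1 for s, bad in truth.items() if not bad and s not in alerted)
    return {"TP": tp, "FP": fp, "TN": tn, "FN": fn,
            "FPR": fp / (fp + tn), "FNR": fn / (fn + tp)}


def demo() -> dict:
    alerted = signature_alerts(EVENTS) | threshold_alerts(EVENTS)
    return error_rates(alerted, TRUTH)


if __name__ == "__main__":
    print(demo())
```

On this data the signature detector produces the false positive (a documentation page that contains a signature string) and the threshold detector produces the false negative (failures spread out so that no 60-second window reaches the limit). Lowering the limit or widening the window would catch the slow source but would also start flagging users like the one who mistyped twice, which is the trade-off the notes describe.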
(4) Location
1) NIDS: Network-based Intrusion Detection System
2) HIDS: Host-based Intrusion Detection System
5. Why Security?
1) Speed: paying attention to security costs speed, so the methods must be improved
2) Ubiquity: new network environments keep appearing, so the security problems of those environments must be explored