Difference between revisions of "Courses/Computer Science/CPSC 526.F2015/Lecture Notes"

Edit summaries: m (Oct 1: Ethics of Network Traffic Sniffing); m (Oct 6: Firewalls)

Changed section (wiki source line 172, "Oct 6: Firewalls"):

* firewall policy interpretation models
* gateways, application level firewalls, DPI
** https://www.ietf.org/rfc/rfc1631.txt
** https://tools.ietf.org/html/rfc3022
class activity: nmap a box with different firewall rulesets and replies (ACCEPT, REJECT, DROP), icmp-admin-prohibited
watch traffic in wireshark / tcpdump
* netfilter architecture: http://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO-3.html
* Wily Hacker, 1st edition online for free: http://www.wilyhacker.com/1e
* Wily Hacker, second edition: http://www.wilyhacker.com/
* "A Technique for Counting NAT'd Hosts" https://www.cs.columbia.edu/~smb/papers/fnat.pdf

Revision as of 15:48, 6 October 2015

September 8: Intro and Overview

  • Course policies, grading, etc. (Course Outline, Description, Syllabus)
  • Concepts / Organization

With some background in security concepts and principles, we set security challenges and problems into a networked environment. Basic crypto primitives become building blocks of systems whose major focus is authentication and protecting the confidentiality and integrity of communications channels. This major topic is complemented with a variety of security mechanisms that attempt to provide C-I-A in other ways (e.g., firewalls, IDS, authentication systems & standards).

  • Topics (i.e., knowledge & skills I want you to know by the end of the semester)
    • common networking tools
    • bit-level agility (packet crafting)
    • working knowledge of common applied crypto
    • authentication and secure protocols (design and major examples)
    • network security application domains: routing security, web security
    • network security mechanisms: firewalls, IDS, etc.
  • Semester Highlights
    • EDURange
    • ScapyHunt
    • PGP key signing party
    • web application hacking (Google Gruyere)
    • build a VPN
    • build a CA
    • network introspection

Right now:

  • Write your "Question of the Day": this is one question about network security that you want answered by the end of the semester
    • include your real name
    • include a pseudonym if you wish

September 10: Important Concepts, Basic Threats and Adversaries

Today, we will briefly discuss some security concepts and then dive into a reminder and refresher of some basic Unix networking tools. Our goal is to get two computers, Alice and Bob, to exchange traffic.

Questions of the Day:

Results of Poll: out of 25 votes as of 10:15am, 19 people have not taken CPSC 418 or are taking it concurrently. We will dedicate the opening weeks of tutorials to providing a high-level overview of basic crypto concepts and terminology as well as an introduction to some crypto libraries.

September 15: Intro to the Deception Surface: Setting up a Network From Scratch

We will start with a QoD that leads us back to a discussion of basic network security threats and concepts. It also leads us toward the topic of the "deception surface": the collection of protocols and network state that networked computers and applications rely on to accomplish their communication -- but these protocols are also, by their very nature, open to manipulation.

slides: https://pages.cpsc.ucalgary.ca/~locasto/teaching/2015/CPSC526/Fall/intro-concepts.pdf

Sept 17

Sept 22

Sept 24: Network Recon: Understanding the State of Alice, Bob, and Everyone in Between (Scanning, Sniffing, etc.)

Today I want to discuss the concepts and tradeoffs involved in scanning the network for other hosts. We will also explore the relationship between scanning and sniffing. Sniffing can be seen as one form of passive scanning.

Neither scanning nor sniffing is inherently "bad"; both good guys and bad guys can undertake scanning and sniffing at various times and for various purposes.

  • penetration testing
  • network auditing (any rogue or forgotten hosts?)
  • reconnaissance, host and service enumeration
  • listening for unwanted traffic, data exfiltration
  • listening for unencrypted traffic, authentication tokens
  • listening for communication flows (traffic analysis)

Sniffing (i.e., listening) complements scanning (i.e., actively probing). Sniffing will only sample the network, and provide only a partial view of who is talking during the sampling period. Scanning allows you to attempt to contact and enumerate hosts and open ports, but hosts are under no obligation to respond to your probes. Thus, sniffing and scanning complement each other, but even together may not provide a complete picture of the network.

The "Big Picture" concept for today is that you'll often be asked some form of the question "how good is this tool?"; evaluating the power and limitations of tools, frameworks, techniques, mechanisms, algorithms, etc. entails an understanding of how they work, how they might fail, etc.

Class Activities

Today we will play a bit with traceroute and nmap.

We've already spent 1.5 weeks on the "who am I" question. Here are some other questions:

  • Where am I? Where are you? What are you (running)?

We can seek to answer these questions with:

  • netstat (what services am I offering to the world? local broadcast? local machine?)
  • iptables (what communication flows or packets is my kernel actually blocking for me? How? What is 'stealth mode'?)
  • traceroute (where are you in relation to me? How do I anticipate this affecting the flow of packets between us?)
  • nmap (what services are you running (that I can see?))
  • tcpdump (how does nmap actually work? what is scanning, after all? what does a scan produce, and what are the expected replies?)

For example, how far away from scanme.nmap.org are we? http://pages.cpsc.ucalgary.ca/~locasto/teaching/2015/CPSC526/Winter/files/traceroute-nmap.org

Scan Activity

Pick a partner. One of you is Alice, the other is Bob.

Have Bob list his open ports:

  netstat -lptun

Have Bob list his firewall rules:

  iptables -L

(That is for Linux. For Windows, see netsh: http://windowsitpro.com/windows-server/top-10-windows-firewall-netsh-commands; for Mac, see ipfw or pfctl.)

Have Bob start up tcpdump:

  tcpdump -i eth1 -n

Have Alice nmap Bob with

  nmap -sS -sV -O -n --reason --traceroute bob.ip.addr.ess 

What packets does Bob see? What ports does Alice see? If Bob flushes his firewall:

  iptables --flush

does this change the scan results?


For the past two weeks, we've looked at the (inherent!) weaknesses of the basic network fabric and low-level services/protocols --- the so-called deception surface. We made the point that these weaknesses are also strengths in terms of providing low-configuration connectivity and plug-and-talk type communication. The Internet probably wouldn't have taken off if participants had to sign complex multilateral treaties and do complex cryptographic dances simply to bind an IP address to a MAC address.

While countermeasures exist to detect many basic forms of layer2 and layer3 spoofing, poisoning, and flooding attacks and there are authentication protocols to provide basic network access control, our experience has shown us the need for a combination or composition of functionality that (a) provides connectivity and (b) protects the confidentiality, integrity, and availability of such channels. To this end, we will examine the role cryptography plays in network security over most of the rest of the semester.

However, it is worth noting that even with good crypto, and even with simple countermeasures for protecting against ARP flooding, ARP poisoning, DHCP hijacking, DNS poisoning, DoS, etc., many networks still have an ill-defined "edge" and many often have open doors; for example, management interfaces that may be accessible on a public-facing IP via telnet (perhaps on a "hidden/undocumented" port, or available via port-knocking). BYOD also makes the definition of "your" network quite fuzzy. Networks are also composed of more than just desktop computers and servers. See the links below for efforts that provide scanners, a census of the internet, network topology information, and search engines.



Sept 29: Network Recon: Scanning + Sniffing

In this session, we will continue observing what various probes to the network actually look like. We will also begin to take a look at the topic of firewalls.


  • Announcements, dump eth1, consider the ethics of this
  • Selected questions of the day
    • Octavissi: What is a backdoor and how does it work?
    • T3AA8: How can we tie network security into virus and malware [the course?]
    • John: How does IP sniffing and IP spoofing affect a network? Can ethical hacking prevent that?
    • [anon]: How can we detect intrusions and find the breach?
  • Current events:
  • Scanning and sniffing, plus firewalls
    • netcat
    • netstat
    • iptables
    • tcpdump, Wireshark
    • nmap


Read Chapter 23 in your textbook. For class on Thursday, read this paper:

and write 1 paragraph summarizing it and 1 paragraph taking a position on the question of whether it is ethical to listen to network traffic, with, e.g., tcpdump. Be prepared to discuss your position on Thursday.

Oct 1: Ethics of Network Traffic Sniffing

Today we will discuss the ethics of listening to network traffic.

Oct 6: Firewalls

Today we will consider the topic of firewalls.

class activity: nmap a box with different firewall rulesets and replies (ACCEPT, REJECT, DROP), icmp-admin-prohibited; watch traffic in wireshark / tcpdump
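As an added example (not part of the course notes), here is a small Python script for Bob's side of the Sept 24 scan activity and of this firewall activity: it reads a constructed `tcpdump -i eth1 -n` transcript (made-up addresses and ports, not a real capture) of Alice's `nmap -sS` probes and works out, per probed port, what `nmap --reason` would report and which netfilter target on Bob (ACCEPT, REJECT, DROP) is consistent with that reply. Attributing an ICMP error to the most recent unanswered probe is an assumption of the example.

```python
import re

# Constructed sample of Bob's `tcpdump -i eth1 -n` output during a SYN scan (not a real capture).
CAPTURE = """\
10:15:01.000001 IP 10.0.0.2.54321 > 10.0.0.1.22: Flags [S], seq 1, win 1024, length 0
10:15:01.000120 IP 10.0.0.1.22 > 10.0.0.2.54321: Flags [S.], seq 9, ack 2, win 29200, length 0
10:15:01.000200 IP 10.0.0.2.54321 > 10.0.0.1.22: Flags [R], seq 2, win 0, length 0
10:15:01.000300 IP 10.0.0.2.54321 > 10.0.0.1.23: Flags [S], seq 1, win 1024, length 0
10:15:01.000400 IP 10.0.0.1.23 > 10.0.0.2.54321: Flags [R.], seq 0, ack 2, win 0, length 0
10:15:01.000500 IP 10.0.0.2.54321 > 10.0.0.1.80: Flags [S], seq 1, win 1024, length 0
10:15:01.000600 IP 10.0.0.1 > 10.0.0.2: ICMP host 10.0.0.1 unreachable - admin prohibited, length 48
10:15:01.000700 IP 10.0.0.2.54321 > 10.0.0.1.443: Flags [S], seq 1, win 1024, length 0
"""
TCP = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")
ICMP = re.compile(r"IP (\S+) > (\S+): ICMP .*unreachable - (.+?), length")

# What each reply means to the scanner (the labels `nmap --reason` prints) and which rule on Bob fits it.
MEANING = {
    "syn-ack": ("open", "ACCEPT, and a service is listening on the port"),
    "reset": ("closed", "ACCEPT with no listener, or REJECT --reject-with tcp-reset"),
    "admin-prohibited": ("filtered", "REJECT --reject-with icmp-admin-prohibited"),
    "no-response": ("filtered", "DROP (or the probe or its reply was lost)"),
}

def classify(capture, target):
    """Map each port SYN-probed on target to (reason, nmap state, firewall inference)."""
    reason = {}
    pending = []  # probed ports that have not been answered yet, in probe order
    for line in capture.splitlines():
        m = TCP.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            if dst == target and flags == "S":  # a bare SYN from the scanner
                reason.setdefault(int(dport), "no-response")
                pending.append(int(dport))
            elif src == target and int(sport) in pending:  # Bob's TCP answer
                pending.remove(int(sport))
                reason[int(sport)] = "syn-ack" if flags == "S." else "reset"
            continue
        m = ICMP.search(line)
        if m and m.group(1) == target and pending:
            # The one-line summary omits the quoted probe: assume the error answers the latest unanswered SYN.
            reason[pending.pop()] = m.group(3).replace(" ", "-")
    return {p: (r,) + MEANING.get(r, ("filtered", "REJECT with another ICMP unreachable code"))
            for p, r in sorted(reason.items())}

if __name__ == "__main__":
    for port, (why, state, rule) in classify(CAPTURE, "10.0.0.1").items():
        print(f"{port:>5}/tcp  {state:<8} reason={why:<16} Bob's rule: {rule}")
```

Note that a RST reply cannot tell Alice whether Bob has no listener or a REJECT rule with tcp-reset, while DROP and a lost packet look the same; this is why `--reason` reports a reason rather than a rule.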