Difference between revisions of "Courses/Computer Science/CPSC 526.F2015/Lecture Notes"

From wiki.ucalgary.ca

Revision as of 20:45, 30 October 2015

September 8: Intro and Overview

  • Course policies, grading, etc. (Course Outline, Description, Syllabus)
  • Concepts / Organization

With some background in security concepts and principles, we set security challenges and problems into a networked environment. Basic crypto primitives become building blocks of systems whose major focus is authentication and protecting the confidentiality and integrity of communications channels. This major topic is complemented with a variety of security mechanisms that attempt to provide C-I-A in other ways (e.g., firewalls, IDS, authentication systems & standards).

  • Topics (i.e., knowledge & skills I want you to know by the end of the semester)
    • common networking tools
    • bit-level agility (packet crafting)
    • working knowledge of common applied crypto
    • authentication and secure protocols (design and major examples)
    • network security application domains: routing security, web security
    • network security mechanisms: firewalls, IDS, etc.
  • Semester Highlights
    • EDURange
    • ScapyHunt
    • PGP key signing party
    • web application hacking (Google Gruyere)
    • build a VPN
    • build a CA
    • network introspection


Right now:

  • Write your "Question of the Day": this is one question about network security that you want answered by the end of the semester
    • include your real name
    • include a pseudonym if you wish

September 10: Important Concepts, Basic Threats and Adversaries

Today, we will briefly discuss some security concepts and then dive into a reminder and refresher of some basic Unix networking tools. Our goal is to get two computers, Alice and Bob, to exchange traffic.

Questions of the Day:

Results of Poll: out of 25 votes as of 10:15am, 19 people have not taken CPSC 418 or are taking it concurrently. We will dedicate the opening weeks of tutorials to providing a high-level overview of basic crypto concepts and terminology as well as an introduction to some crypto libraries.

September 15: Intro to the Deception Surface: Setting up a Network From Scratch

We will start with a QoD that leads us back to a discussion of basic network security threats and concepts. It also leads us toward the topic of the "deception surface": the collection of protocols and network state that networked computers and applications rely on to accomplish their communication, but which are, by their very nature, open to manipulation.

slides: https://pages.cpsc.ucalgary.ca/~locasto/teaching/2015/CPSC526/Fall/intro-concepts.pdf

Sept 17

Sept 22

Sept 24: Network Recon: Understanding the State of Alice, Bob, and Everyone in Between (Scanning, Sniffing, etc.)

Today I want to discuss the concepts and tradeoffs involved in scanning the network for other hosts. We will also explore the relationship between scanning and sniffing. Sniffing can be seen as one form of passive scanning.

Neither scanning nor sniffing is inherently "bad"; both good guys and bad guys can undertake scanning and sniffing at various times and for various purposes.

  • penetration testing
  • network auditing (any rogue or forgotten hosts?)
  • reconnaissance, host and service enumeration
  • listening for unwanted traffic, data exfiltration
  • listening for unencrypted traffic, authentication tokens
  • listening for communication flows (traffic analysis)

Sniffing (i.e., listening) complements scanning (i.e., actively probing). Sniffing will only sample the network, and provide only a partial view of who is talking during the sampling period. Scanning allows you to attempt to contact and enumerate hosts and open ports, but hosts are under no obligation to respond to your probes. Thus, sniffing and scanning complement each other, but even together may not provide a complete picture of the network.

The "Big Picture" concept for today is that you'll often be asked some form of the question "how good is this tool?"; evaluating the power and limitations of tools, frameworks, techniques, mechanisms, algorithms, etc. requires an understanding of how they work, how they might fail, and so on.

Class Activities

Today we will play a bit with traceroute and nmap.

We've already spent 1.5 weeks on the "who am I" question. Here are some other questions:

  • Where am I? Where are you? What are you (running)?

We can seek to answer these questions with:

  • netstat (what services am I offering to the world? local broadcast? local machine?)
  • iptables (what communication flows or packets is my kernel actually blocking for me? How? What is 'stealth mode'?)
  • traceroute (where are you in relation to me? How do I anticipate this affecting the flow of packets between us?)
  • nmap (what services are you running (that I can see?))
  • tcpdump (how does nmap actually work? what is scanning, after all? what does a scan produce, and what are the expected replies?)

For example, how far away from scanme.nmap.org are we? http://pages.cpsc.ucalgary.ca/~locasto/teaching/2015/CPSC526/Winter/files/traceroute-nmap.org

Scan Activity

Pick a partner. One of you is Alice, the other is Bob.

Have Bob list his open ports:

  netstat -lptun

Have Bob list his firewall rules:

  iptables -L

(Linux. For Windows, see netsh: http://windowsitpro.com/windows-server/top-10-windows-firewall-netsh-commands; for Mac, see ipfw or pfctl.)

Have Bob start up tcpdump:

  tcpdump -i eth1 -n

Have Alice nmap Bob with

  nmap -sS -sV -O -n --reason --traceroute bob.ip.addr.ess 

What packets does Bob see? What ports does Alice see? If Bob flushes his firewall:

  iptables --flush

does this change the scan results?
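
As an added example (not part of the original notes), here is a small Python parser for "tcpdump -n" lines that answers the two questions the activity poses from either side of the wire: what Alice learns from Bob's replies (SYN-ACK, RST, or silence) and what Bob can infer about Alice from the shape of her traffic. The capture lines are constructed to look like tcpdump's output for the scan above; the addresses 10.0.0.5, 10.0.0.7 and 10.0.0.9 and the detection threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed "tcpdump -n" lines (not a real capture): Alice (10.0.0.5) sends bare
# SYNs to four ports on Bob (10.0.0.7). Bob answers 22 with SYN-ACK (open), 23 and
# 80 with RST (closed), and 8080 gets nothing (a DROP rule). A second host,
# 10.0.0.9, completes a normal handshake to port 22 and should not be flagged.
SAMPLE = """\
10:15:01.000001 IP 10.0.0.5.40001 > 10.0.0.7.22: Flags [S], seq 1, win 1024, length 0
10:15:01.000120 IP 10.0.0.7.22 > 10.0.0.5.40001: Flags [S.], seq 9, ack 2, win 29200, length 0
10:15:01.000200 IP 10.0.0.5.40001 > 10.0.0.7.22: Flags [R], seq 2, win 0, length 0
10:15:01.000300 IP 10.0.0.5.40002 > 10.0.0.7.23: Flags [S], seq 1, win 1024, length 0
10:15:01.000350 IP 10.0.0.7.23 > 10.0.0.5.40002: Flags [R.], seq 0, ack 2, win 0, length 0
10:15:01.000400 IP 10.0.0.5.40003 > 10.0.0.7.80: Flags [S], seq 1, win 1024, length 0
10:15:01.000450 IP 10.0.0.7.80 > 10.0.0.5.40003: Flags [R.], seq 0, ack 2, win 0, length 0
10:15:01.000500 IP 10.0.0.5.40004 > 10.0.0.7.8080: Flags [S], seq 1, win 1024, length 0
10:15:02.000000 IP 10.0.0.9.51000 > 10.0.0.7.22: Flags [S], seq 100, win 64240, length 0
10:15:02.000100 IP 10.0.0.7.22 > 10.0.0.9.51000: Flags [S.], seq 200, ack 101, win 29200, length 0
10:15:02.000200 IP 10.0.0.9.51000 > 10.0.0.7.22: Flags [.], ack 1, win 502, length 0
"""

# Matches the fixed-format prefix tcpdump prints for IPv4 TCP with -n.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse(text):
    """Return one dict per parsable TCP line; other lines are ignored."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            pkts.append(d)
    return pkts


def classify_ports(pkts, target):
    """Alice's view: for each port on target that received a bare SYN, what came
    back?  SYN-ACK -> open, RST -> closed, nothing -> filtered."""
    result = {}
    for p in pkts:
        if p["dst"] == target and p["flags"] == "S":
            result.setdefault(p["dport"], "filtered")   # until a reply is seen
    for p in pkts:
        if p["src"] == target and p["sport"] in result:
            if p["flags"] == "S.":
                result[p["sport"]] = "open"
            elif "R" in p["flags"]:
                result[p["sport"]] = "closed"
    return result


def suspected_scanners(pkts, min_ports=3):
    """Bob's view: sources that sent bare SYNs to at least min_ports distinct
    (host, port) pairs and never sent the bare ACK that completes a handshake."""
    syn_targets = defaultdict(set)
    completed = set()
    for p in pkts:
        if p["flags"] == "S":
            syn_targets[p["src"]].add((p["dst"], p["dport"]))
        elif p["flags"] == ".":
            completed.add(p["src"])
    return sorted(src for src, t in syn_targets.items()
                  if len(t) >= min_ports and src not in completed)


if __name__ == "__main__":
    pkts = parse(SAMPLE)
    print(classify_ports(pkts, "10.0.0.7"))   # {22: 'open', 23: 'closed', 80: 'closed', 8080: 'filtered'}
    print(suspected_scanners(pkts))          # ['10.0.0.5']
```

Note how the "filtered" verdict is an absence of evidence: Alice cannot tell a DROP rule from a lost packet, which is exactly why nmap's --reason flag is worth reading, and why Bob's tcpdump sees the probe even when his firewall never answers it.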

Reflections

For the past two weeks, we've looked at the (inherent!) weaknesses of the basic network fabric and low-level services/protocols --- the so-called deception surface. We made the point that these weaknesses are also strengths in terms of providing low-configuration connectivity and plug-and-talk type communication. The Internet probably wouldn't have taken off if participants had to sign complex multilateral treaties and do complex cryptographic dances simply to bind an IP address to a MAC address.

While countermeasures exist to detect many basic forms of layer2 and layer3 spoofing, poisoning, and flooding attacks and there are authentication protocols to provide basic network access control, our experience has shown us the need for a combination or composition of functionality that (a) provides connectivity and (b) protects the confidentiality, integrity, and availability of such channels. To this end, we will examine the role cryptography plays in network security over most of the rest of the semester.

However, it is worth noting that even with good crypto, and even with simple countermeasures for protecting against ARP flooding, ARP poisoning, DHCP hijacking, DNS poisoning, DoS, etc., many networks still have an ill-defined "edge" and many often have open doors; for example, management interfaces that may be accessible on a public-facing IP via telnet (perhaps on a "hidden/undocumented" port, or available via port-knocking). BYOD also makes the definition of "your" network quite fuzzy. Networks are also composed of more than just desktop computers and servers. See the links below for efforts that provide scanners, a census of the internet, network topology information, and search engines.

Links

Reading

Sept 29: Network Recon: Scanning + Sniffing

In this session, we will continue observing what various probes to the network actually look like. We will also begin to take a look at the topic of firewalls.

Agenda

  • Announcements, dump eth1, consider the ethics of this
  • Selected questions of the day
    • Octavissi: What is a backdoor and how does it work?
    • T3AA8: How can we tie network security into virus and malware [the course?]
    • John: How does IP sniffing and IP spoofing affect a network? Can ethical hacking prevent that?
    • [anon]: How can we detect intrusions and find the breach?
  • Current events:
  • Scanning and sniffing, plus firewalls
    • netcat
    • netstat
    • iptables
    • tcpdump, Wireshark
    • nmap

Homework

Read Chapter 23 in your textbook. For class on Thursday, read this paper:

and write 1 paragraph summarizing it and 1 paragraph taking a position on the question of whether it is ethical to listen to network traffic, with, e.g., tcpdump. Be prepared to discuss your position on Thursday.

Oct 1: Ethics of Network Traffic Sniffing

Today we will discuss the ethics of listening to network traffic.

Oct 6: Firewalls

Today we will consider the topic of firewalls.


Class activity: nmap a box under different firewall rulesets and reply types (ACCEPT, REJECT, DROP, and REJECT with icmp-admin-prohibited); watch the traffic in Wireshark / tcpdump.

References

Oct 8: Firewalls (cont.)

We'll talk about some terminology, firewall policy interpretation, various kinds of firewall architecture, and play with some iptables rule sets.

We began by reviewing the table of contents for the Wily Hacker, 1st edition book http://www.wilyhacker.com/1e and thinking about how it reflects the state of the growing Internet and nascent topic of network security in the early 1990s. We then tried to put together some basic iptables rules for:

http://pages.cpsc.ucalgary.ca/~locasto/teaching/2015/CPSC526/Fall/tasks.txt

Issues Involved in Firewalls

  • semantics of rule interpretation (order: first, last, best match)
  • Scaling
    • how do you handle scaling of 1000's of rules?
    • how much does the firewall slow down traffic processing? What kind of hardware do you need for a network edge?
  • How are rule conflicts handled / detected / resolved?
    • how is this done in a distributed environment?

Current Events

Oct 13: A Motivating Threat: Internet Worms

The topic of Internet worms is a good way to transition from our consideration of the lack of security in basic network protocols along with the capabilities and limitations of firewalls to a more nuanced view of network security. To a certain extent, worms illustrate how firewalls can sometimes be effective (if a worm signature is precise enough), but they also illustrate the problem of network security being reliant on endpoint (i.e., node) security.

QoD

  • What is the relation between all elements in network to provide security? The big picture, elements and relations between them and weak points and bottlenecks, what to improve and how? [pg 22, Stallings. But we must also recognize the cost to our other values of implementing 'complete' security -Ed.]
  • How secure is peer-to-peer file sharing ?
  • Is there a way to secure a network such that the only possible attack left is social engineering (i.e., no software penetration can be successful)?
  • Can you envisage any circumstances wherein a network is completely secure? (and that connects to an outside network)?


Current Events

Links

Oct 15: No lecture

Oct 20: Introduction to Authentication

This week, we begin our discussion of the topic of authentication by considering the topic of challenge-response protocols. We started by looking at HTTP Basic authentication and Unix login-based authentication.
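
Added example, not from the notes: a nonce-based challenge-response login in Python, for contrast with HTTP Basic, which sends the password itself on every request. The server issues a random nonce and the client returns HMAC(key, nonce); the key never crosses the wire, and a recorded response is useless against a later challenge. The Server and Client classes and the shared key are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed shared secret; a real deployment derives it per user and never ships it in code.
SHARED_KEY = b"example-shared-secret-not-for-real-use"


class Server:
    """Holds the shared key and at most one outstanding challenge per client."""

    def __init__(self, key):
        self.key = key
        self.outstanding = {}          # client_id -> nonce awaiting an answer

    def challenge(self, client_id):
        nonce = os.urandom(16)         # fresh and unpredictable for every login
        self.outstanding[client_id] = nonce
        return nonce

    def verify(self, client_id, response):
        nonce = self.outstanding.pop(client_id, None)   # single use: consumed here
        if nonce is None:
            return False
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison


class Client:
    def __init__(self, key):
        self.key = key

    def respond(self, nonce):
        # Proves knowledge of the key without transmitting it (unlike HTTP Basic).
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


def run_login(server, client, client_id="alice"):
    """The two-message exchange: S->C nonce, C->S HMAC(K, nonce)."""
    nonce = server.challenge(client_id)
    return server.verify(client_id, client.respond(nonce))


def replay_attempt(server, client, client_id="alice"):
    """An eavesdropper records a valid response and sends it to a later challenge."""
    recorded = client.respond(server.challenge(client_id))
    genuine = server.verify(client_id, recorded)
    server.challenge(client_id)                     # a new login, hence a new nonce
    replayed = server.verify(client_id, recorded)
    return genuine, replayed


if __name__ == "__main__":
    print(run_login(Server(SHARED_KEY), Client(SHARED_KEY)))       # True
    print(run_login(Server(SHARED_KEY), Client(b"wrong-key")))     # False
    print(replay_attempt(Server(SHARED_KEY), Client(SHARED_KEY)))  # (True, False)
```

Two details carry the security: the nonce must be unpredictable and never reused (os.urandom, consumed on first verify), and the comparison must be constant-time (hmac.compare_digest) so that response bytes cannot be guessed one at a time.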

Something you know, something you have, something you are

QotD

  • How can you be sure that the person you are talking to is who they say they are, if you've never met them before in person (Online verification / Chain of Trust)?

Read

  • Textbook, Chapter 9
  • Textbook, Chapter 10

Supplemental Readings

Oct 22: Password-based Authentication Lulz

  • Storing passwords
  • Lamport's Hash
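
Added example, not from the notes: Lamport's hash in Python. At enrolment the client computes h^n(password) and the server stores only that value and n; each login presents h^(n-1)(password), which the server checks by hashing it once and comparing with what it stored, then keeps the presented value as the new top of the chain. The password, n and the six-attempt scenario are constructed.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hash_chain(secret: bytes, n: int) -> bytes:
    """h^n(secret): h applied n times (h^0 is the secret itself)."""
    x = secret
    for _ in range(n):
        x = h(x)
    return x


class LamportServer:
    """Stores only the counter n and h^n(pw); the password itself never reaches the server."""

    def __init__(self, n: int, top: bytes):
        self.n = n
        self.stored = top

    def login(self, presented: bytes) -> bool:
        if self.n <= 1:
            return False                       # chain exhausted: re-enrol with a fresh n
        if not hmac.compare_digest(h(presented), self.stored):
            return False
        self.n -= 1                            # accepted: move one step down the chain
        self.stored = presented                # next login must present h^(n-1)
        return True


class LamportClient:
    """Keeps the password and the current n; each login sends h^(n-1)(pw)."""

    def __init__(self, password: bytes, n: int):
        self.pw = password
        self.n = n

    def next_otp(self) -> bytes:
        self.n -= 1
        return hash_chain(self.pw, self.n)


def enrol(password: bytes, n: int):
    """Enrolment: the client computes h^n(pw) once and hands it to the server."""
    return LamportServer(n, hash_chain(password, n)), LamportClient(password, n)


def simulate(password: bytes = b"correct horse battery staple", n: int = 5):
    """Accept/reject outcome of six login attempts in a constructed scenario."""
    server, client = enrol(password, n)
    results = []
    first = client.next_otp()                 # h^4(pw)
    results.append(server.login(first))       # True: h(h^4) == h^5
    results.append(server.login(first))       # False: replay, server now expects h^3
    for _ in range(3):
        results.append(server.login(client.next_otp()))   # h^3, h^2, h^1: all accepted
    results.append(server.login(client.next_otp()))       # h^0 = pw: refused, chain exhausted
    return results


if __name__ == "__main__":
    print(simulate())   # [True, False, True, True, True, False]
```

Because the chain only runs one way, a captured one-time password cannot be reused: it has become the server's stored value, and hashing it again does not reproduce that value. The scheme has known limits, though: it needs re-enrolment when n runs out, and a client that trusts an unauthenticated n from the network can be induced by an impostor server to reveal a value far down the chain (the "small n" problem), so the counter needs the same care as the hash.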

Top 25 passwords listed at http://us.cnn.com/2012/10/25/tech/web/worst-passwords-2012/index.html?hpt=hp_bn5

  1. password
  2. 123456
  3. 12345678
  4. abc123
  5. qwerty
  6. monkey
  7. letmein
  8. dragon
  9. 111111
  10. baseball
  11. iloveyou
  12. trustno1
  13. 1234567

...

Incidents

Oct 27: Authentication Protocol Basics

Oct 29: Protocol Pitfalls

Protocol Fails Exercise

Nov 3: Protocol Pitfalls (cont.)

Nov 5: Advanced Password-based Authentication

Nov 10

Nov 12: No Class (Reading Week)

Nov 17

Nov 19: Guest Lecture by Prof. Aycock

Guest lecture.

Nov 24

Nov 26

Dec 1

Dec 3

Dec 8