Protection of Communication Infrastructures
Chapter 1: Introduction

Threats, Security Goals & Requirements
Threat Analysis
System Security Engineering
Course Objectives & Overview

http://www.tu-ilmenau.de/telematik/protection/

Protection (SS 17): 01 – Introduction
1 © Dr.-Ing G. Schäfer
A Short Advertisement Before We Begin... :o)

There is an additional course – entitled "Simulative Evaluation of Protocol Functions" (project seminar, 4 SWS) – which is designed to give you a "hands-on" experience with network protocol functions and simulation studies:
- Introduces a simulation environment and lets you add protocol functionality
- Studied protocol functions: forwarding, routing, (interface queues), connection setup, error-, flow- and congestion control
- Requires good programming skills; knowledge of C++ is an asset (but not a pre-requisite)
- Allows you to obtain in-depth knowledge of topics covered in Telematics I and the techniques and art of simulation studies – because afterwards "you did it!" :o)

Introduction and inscription: 08.04.2014, 15:00 – 16:00, Room Z 1021
Example: Evaluation of TCP Congestion Control
Motivation: A Changing World

- Mobile communication networks and ubiquitous availability of the global Internet have already changed dramatically the way we communicate, conduct business, and organize our society
- With current research and developments in sensor networks and pervasive computing, we are even creating a new networked world
- However, the benefits associated with information and communication technology imply new vulnerabilities
- Increasing dependence of modern information society on availability and secure operation of communication services
What is a Threat in a Communication Network?

Abstract Definition:
- A threat in a communication network is any possible event or sequence of actions that might lead to a violation of one or more security goals
- The actual realization of a threat is called an attack

Examples:
- A hacker breaking into a corporate computer
- Disclosure of emails in transit
- Someone changing financial accounting data
- A hacker temporarily shutting down a website
- Someone using services or ordering goods in the name of others
- ...

What are security goals?
Security goals can be defined:
- depending on the application environment, or
- in a more general, technical way
Security Goals Depending on the Application Environment

Public Telecommunication Providers:
- Protect subscribers' privacy
- Restrict access to administrative functions to authorized personnel
- Protect against service interruptions

Corporate / Private Networks:
- Protect corporate / individual privacy
- Ensure message authenticity
- Protect against service interruptions

All Networks:
- Prevent outside penetrations (who wants hackers?)

Sometimes security goals are also called security objectives
Security Goals Technically Defined

Confidentiality:
- Data transmitted or stored should only be revealed to an intended audience
- Confidentiality of entities is also referred to as anonymity

Data Integrity:
- It should be possible to detect any modification of data
- This requires being able to identify the creator of some data

Accountability:
- It should be possible to identify the entity responsible for any communication event

Controlled Access:
- Only authorized entities should be able to access certain services or information

Availability:
- Services should be available and function correctly
Threats Technically Defined

Masquerade:
- An entity claims to be another entity

Eavesdropping:
- An entity reads information it is not intended to read

Authorization Violation:
- An entity uses a service or resources it is not intended to use

Loss or Modification of (transmitted) Information:
- Data is being altered or destroyed

Denial of Communication Acts (Repudiation):
- An entity falsely denies its participation in a communication act

Forgery of Information:
- An entity creates new information in the name of another entity

Sabotage (Denial of Service):
- Any action that aims to reduce the availability and / or correct functioning of services or systems
Threats and Technical Security Goals

Rows: technical security goals; columns: general threats. An "x" marks that the threat violates the goal.

| Technical Security Goal | Masquerade | Eavesdropping | Authorisation Violation | Loss or Modification of (transmitted) Information | Denial of Communication Acts | Forgery of Information | Sabotage (e.g. by overload) |
| Confidentiality         | x          | x             | x                       |                                                   |                              |                        |                             |
| Data Integrity          | x          |               | x                       | x                                                 |                              | x                      |                             |
| Accountability          | x          |               | x                       |                                                   | x                            | x                      |                             |
| Availability            | x          |               | x                       | x                                                 |                              |                        | x                           |
| Controlled Access       | x          |               | x                       |                                                   |                              | x                      |                             |

Threats are often combined in order to perform an attack!
Architectural View of our "Object" to be Protected

[Figure: Communication in Layered Protocol Architectures – two end systems, each with Physical Layer (1), Data Link Layer (2), Network Layer (3), Transport Layer (4) and Application Layer (5), communicating over a network whose nodes implement layers 1 to 3 only]
Security Analysis of Layered Protocol Architectures 1

[Figure: Endsystem (Initiator) – Network – Endsystem (Responder); a "?" marks each of the three interfaces (initiator/network, inside the network, network/responder) as a possible attack point]

Dimension 1: At which interface could an attack take place?
Security Analysis of Layered Protocol Architectures 2

[Figure: the same layered architecture as before; a "?" marks each layer – Application Layer (5), Transport Layer (4), Network Layer (3), Data Link Layer (2), Physical Layer (1) – as a possible attack point]

Dimension 2: In which layer could an attack take place?
Systematic Threat Analysis on the Message Level

A systematic security analysis of a layered protocol architecture has to consider the following attacking techniques:
- Passive attacks:
  - Eavesdropping
- Active attacks:
  - Delay of PDUs (Protocol Data Units)
  - Replay of PDUs
  - Deletion of PDUs
  - Modification of PDUs
  - Insertion of PDUs

Successful launch of one of the above attacks requires:
- There are no detectable side effects to other communications (connections / connectionless transmissions)
- There are no side effects to other PDUs of the same connection / connectionless data transmission between the same entities
Security Analysis of Communication Infrastructures

On the preceding slides, the analysis was basically concentrated on potential attacks on the transmission of information. Of equal importance, however, are attacks against the systems that are part of or making use of a communication network:
- End systems
- Routers
- Important infrastructure servers: DNS, Email, WWW, file servers, etc.

We, therefore, have to extend our analysis framework:
- Dimension S.1: Which system could be attacked?
- Dimension S.2: Which component of the system is attacked (OS, protocol stack, application process, etc.)?

However, this introduces a new difficulty:
- An active entity (system) offers many more different attacking opportunities than a passive data object (like a PDU)
- It is, therefore, much harder to conduct a systematic analysis
Towards Systematic Threat Analysis

One not very systematic approach is the production of arbitrary threat lists by some ad-hoc brainstorming method

Example: Hospital Information System
- Corruption of patient medical information
- Corruption of billing information
- Disclosure of confidential patient information
- Compromise of internal schedules
- Unavailability of confidential patient information
- ...

Drawbacks of this approach:
- Questionable completeness of identified threats
- Lack of rationale for identified threats other than experience
- Potential inconsistencies (e.g. disclosure vs. unavailability of confidential patient information in the example above)
Threat Trees: One Systematic Threat Analysis Approach

Definition: threat tree
A threat tree is a tree with:
- nodes describing threats at different levels of abstraction, and
- subtrees refining the threat of the node they are rooted at,
- where the child nodes of one node give a complete refinement of the threat represented by the parent node

Technique for establishing threat trees:
- Start with a general abstract description of the complete set of threats that exist for a given system (e.g. "security of system X compromised")
- Iteratively introduce detail by gradually refining the description with care
- Each introduced node may itself become the root of a subtree further describing the threat represented by the node
- Eventually, each leaf node of the tree provides a description of a threat that can be used for a (less arbitrary) threat list

The main idea of this technique is to postpone the creation of (arbitrary) threat lists as much as possible
Example: A Hospital Information System Threat Tree

Hospital System Threats
- Patient Medical Information
  - Life Threatening
    - Disclosure
    - Integrity
    - Denial of Service
  - Non Life Threatening
    - ...
- Non Patient Medical Information
  - Billing
    - ...
  - Non Billing
    - ...

It is important that at each level of refinement the child nodes of a node maintain demonstrable completeness so that one can be confident that nothing has been missed (source: [Amo94])
Inferring Composed Threat in Threat Trees

The child nodes of one node can actually be in different relations to their parent node, with the two most common relations being:
- Disjunction: a Threat node whose Subthreat children are joined by OR
- Conjunction: a Threat node whose Subthreat children are joined by AND

These relations can be used to infer composed threat:
- Augment nodes with effort estimations (e.g. easy, moderate, high)
- Infer effort of an OR-related composed threat as the lowest effort value of its child nodes (the attacker will most likely take the easy way...)
- For AND-related composed threats, the highest effort is inferred
Supporting System Security Engineering with Threat Trees

When augmented with appropriate attributes (e.g. estimated criticality and attacker effort for individual threats), threat trees can help to gain insight where to spend resources to decrease the overall system's vulnerability:

Before the protective measure:
  Threat (OR)
  - Subthreat A: Criticality = 4, Effort = 2, Risk = 2
  - Subthreat B: Criticality = 6, Effort = 1, Risk = 6

After the protective measure:
  Threat (OR)
  - Subthreat A: Criticality = 4, Effort = 2, Risk = 2
  - Subthreat B: Criticality = 6, Effort = 3, Risk = 2

The second threat tree re-evaluates risk after some protective measure has been taken to increase the attacker's effort for subthreat B. In the above example, risk is assessed with the following formula:

Risk = Criticality / Effort
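The effort inference rules of the previous slide (OR: lowest child effort, AND: highest) and the Risk = Criticality / Effort assessment above, worked through in Python as an added example that is not part of the lecture slides. The tree and the numbers before and after the protective measure are the ones from the slide; the rule that a composed node inherits the criticality of its most critical child is an assumption made here, since the slide only assesses risk at leaf nodes, and the AND tree is a constructed second example.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ThreatNode:
    name: str
    relation: Optional[str] = None          # "OR" / "AND" for composed threats, None for leaves
    children: List["ThreatNode"] = field(default_factory=list)
    criticality: Optional[float] = None     # leaf attribute given by the analyst
    effort: Optional[float] = None          # leaf attribute: estimated attacker effort


def leaf(name, criticality, effort):
    return ThreatNode(name, criticality=criticality, effort=effort)


def infer_effort(node):
    """OR: the attacker takes the easiest child (min); AND: every child is needed (max)."""
    if not node.children:
        return node.effort
    child_efforts = [infer_effort(c) for c in node.children]
    if node.relation == "OR":
        return min(child_efforts)
    if node.relation == "AND":
        return max(child_efforts)
    raise ValueError(f"unknown relation {node.relation!r} at {node.name}")


def infer_criticality(node):
    # Assumption (not from the slide): a composed threat is as critical as its most critical child.
    if not node.children:
        return node.criticality
    return max(infer_criticality(c) for c in node.children)


def risk(node):
    return infer_criticality(node) / infer_effort(node)   # Risk = Criticality / Effort


def iter_nodes(node):
    yield node
    for c in node.children:
        yield from iter_nodes(c)


def assess(tree):
    """Flatten the tree into name -> {criticality, effort, risk} for every node."""
    return {n.name: {"criticality": infer_criticality(n),
                     "effort": infer_effort(n),
                     "risk": risk(n)} for n in iter_nodes(tree)}


def most_urgent(tree):
    """Leaf with the highest risk: where a protective measure pays off most."""
    leaves = [n for n in iter_nodes(tree) if not n.children]
    return max(leaves, key=risk)


def slide_example(effort_b):
    """The slide's tree: Threat = A OR B; effort_b is 1 before and 3 after the measure."""
    return ThreatNode("Threat", "OR", [leaf("Subthreat A", 4, 2),
                                       leaf("Subthreat B", 6, effort_b)])


def and_example():
    """Constructed conjunction: both sub-threats are needed, so the larger effort counts."""
    return ThreatNode("Composed", "AND", [leaf("Step 1", 5, 2), leaf("Step 2", 5, 3)])


if __name__ == "__main__":
    for label, tree in (("before", slide_example(1)), ("after", slide_example(3))):
        print(label, assess(tree), "-> act on:", most_urgent(tree).name)
    print("AND tree effort:", infer_effort(and_example()))
```

Before the measure `most_urgent` points at Subthreat B (risk 6) and the composed threat inherits its effort of 1; after raising B's effort to 3 both leaves sit at risk 2 and the composed effort rises to 2, which is the re-evaluation the slide shows.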
A High Level System Security Engineering Process

Specify system architecture:
- Identify components and interrelations

Identify threats, vulnerabilities and attack techniques:
- The threat tree technique provides help for this step

Estimate component risks by adding attributes to the threat tree:
- However, removing subjectivity from initial assessments is often impossible and other attributes than criticality and effort (e.g. risk of detection) might have to be considered as well

Prioritize vulnerabilities:
- Taking into account the components' importance

Identify and install safeguards:
- Apply protection techniques to counter high priority vulnerabilities

Perform potential iterations of this process:
- Re-assess risks of the modified system and decide if more iterations are required
A High Level Model for Internet-Based IT-Infrastructure

[Figure: Private Networks, Mobile Communication Networks and an Access Network connect via ISP Networks to the Public Internet; a Support Infrastructure comprises Web-Server, DNS Server, Network Management Server, ...]

A High Level Threat Tree for Internet-Based IT-Infrastructure

[Figure: threat tree for the infrastructure model above; not reproduced on this page]
Countering Attacks: Three Principal Classes of Action

Prevention:
- All measures taken in order to avert that an attacker succeeds in realizing a threat
- Examples:
  - Cryptographic measures: encryption, computation of modification detection codes, running authentication protocols, etc.
  - Firewall techniques: packet filtering, service proxying, etc.
- Preventive measures are by definition taken before an attack takes place

Detection:
- All measures taken to recognize an attack while or after it occurred
- Examples:
  - Recording and analysis of audit trails
  - On-the-fly traffic monitoring

Reaction:
- All measures taken in order to react to ongoing or past attacks
Safeguards Against Information Security Threats 1

Physical Security:
- Locks or other physical access control
- Tamper-proofing of sensitive equipment
- Environmental controls

Personnel Security:
- Identification of position sensitivity
- Employee screening processes
- Security training and awareness

Administrative Security:
- Controlling import of foreign software
- Procedures for investigating security breaches
- Reviewing audit trails
- Reviewing accountability controls

Emanations Security:
- Radio Frequency and other electromagnetic emanations controls
- Referred to as TEMPEST protection
Safeguards Against Information Security Threats 2

Media Security:
- Safeguarding storage of information
- Controlling marking, reproduction and destruction of sensitive information
- Ensuring that media containing sensitive information are destroyed securely
- Scanning media for viruses

Lifecycle Controls:
- Trusted system design, implementation, evaluation and endorsement
- Programming standards and controls
- Documentation controls

Computer / System Security:
- Protection of information while stored / processed in a system
- Protection of the computing devices / systems themselves

Communications Security:
- Protection of information during transport from one system to another
- Protection of the communication infrastructure itself
Communications Security: Some Terminology

Security Service:
- An abstract service that seeks to ensure a specific security property
- A security service can be realised with the help of cryptographic algorithms and protocols as well as with conventional means:
  - One can keep an electronic document on a floppy disk confidential by storing it on the disk in an encrypted format as well as by locking away the disk in a safe
  - Usually a combination of cryptographic and other means is most effective

Cryptographic Algorithm:
- A mathematical transformation of input data (e.g. data, key) to output data
- Cryptographic algorithms are used in cryptographic protocols

Cryptographic Protocol:
- A series of steps and message exchanges between multiple entities in order to achieve a specific security objective
Security Services – Overview

Authentication:
- The most fundamental security service, which ensures that an entity has in fact the identity it claims to have

Integrity:
- In some sense the "small brother" of the authentication service, as it ensures that data created by specific entities may not be modified without detection

Confidentiality:
- The most popular security service, ensuring the secrecy of protected data

Access Control:
- Controls that each identity accesses only those services and information it is entitled to

Non Repudiation:
- Protects against entities participating in a communication exchange later falsely denying that the exchange occurred
Course Objectives

The course Network Security (held every fall term) focuses on:
- Introduction to information security technology (incl. cryptology)
- Network security protocols to ensure:
  - Entity authentication
  - Data confidentiality & data integrity
- Some established techniques to realize access control in networks

This course takes a complementary view on the following aspects:
- Threats to and measures for ensuring availability
- Threats and measures concerning systems (beyond pure network security protocols, which are more targeting transmission security)
- Measures for intrusion detection and response
- Additionally, some case studies to be performed by students (talks, potentially based on experimentation) shall:
  - provide background and guidelines on securing specific applications
  - add a practical perspective to the gathered conceptual knowledge
Preliminary Course Overview

1. Introduction
2. Security Aware System Design and Implementation
3. Denial-of-Service Attacks and Countermeasures
4. Routing
5. DNS Security
6. Internet Firewalls
7. Intrusion Detection and Response
8. Security in Sensor Networks (Challenges in Constraint Environments)
9. Securing Group Communications (if time permits)
10. Joint Discussion: "Open source vs. proprietary software: will open source lead to more secure systems?"
General Course Bibliography

[Amo94] E. Amoroso. Fundamentals of Computer Security Technology. Prentice Hall, 1994.
[Amo99] E. Amoroso. Intrusion Detection. Intrusion.Net Books, 1999.
[Cha95] Brent Chapman and Elizabeth Zwicky. Building Internet Firewalls. O'Reilly, 1995.
[For94b] Warwick Ford. Computer Communications Security - Principles, Standard Protocols and Techniques. Prentice Hall, 1994.
[Gar96] Simson Garfinkel and Gene Spafford. Practical Internet & Unix Security. O'Reilly, 1996.
[GW03] M.G. Graff, K.R. van Wyck. Secure Coding. O'Reilly, 2003.
[NN01] S. Northcutt, J. Novak. Network Intrusion Detection - An Analyst's Handbook. Second edition, New Riders, 2001.
[SR14] G. Schäfer, M. Rossberg. Netzsicherheit. dpunkt.verlag, 676 pages, hardcover, 49.90 Euro, 2014.
[VM02] J. Viega, G. McGraw. Building Secure Software. Addison-Wesley, 2003.