NETWORK SECURITY.doc

《NETWORK SECURITY.doc》由会员上传分享，免费在线阅读，更多相关内容在学术论文-天天文库。

InternetSecurity14INTERNETSECURITYPAPERFORIT884NetworkTechnologyIT884COURSETUTOR:DR.SAMBAYERLearner:MarkMoran6791ZimmermanDriveWentworth,SD57075(605)256-5821(W)(605)483-3239(H)mark.moran@dsu.eduMentor:TobedeterminedFieldofStudy:OrganizationandManagementDegree:Ph.D.EnrolledinIT884NASubmittedtoTutor:NA InternetSecurity14AbstractThispaperiswrittentopresentthecurrentstatusofelectronicnetworksecuritysystems.Thepaperisnotintendedtobecomprehensive.Iintendtopresentnetworksecurityissuesandastatementofthecurrentsolutionstothoseissues.Thesourcesusedforthispaperincludeperiodicpublications,technicalbooks,andotherresearchsources.Thefindingsofthispaperconcludethattherearesufficientresourcestoensurenetworksecurity,butmanyoftheavailablesecuritymethodsarenotutilized. InternetSecurity14InternetSecurityThereisalargeamountofmaterialpublishedrelatingtonetworksecurity.AnInternetsourcebibliographyofnetworkrelatedarticlescontainingover70,000referenceitemsgeneratedover5000referenceswhenthesearchtopic“security”wastypedintotheBibTeXquerybox.ThegoalofthispaperistotakeasmallsamplingofthevastinformationavailableonnetworksecurityandpresentasummaryofInternetsecuritysystemsandprocedures.Thebackgroundofthefieldwillbepresentedbutthescopeofthispaperdoesnotallowforanexhaustivediscussion.E-networksecuritymethodswillbeintroducedandIwillattempttoprovideinformationsufficientforanetworkprofessionaltounderstandthebasicprincipleofInternetsecuritysystems.TheInternetThehumbleoriginsoftheInternetbythedepartmentofdefensein1971,thencalledARAPANET,hasmushroomedintothevastWorldWideWeb(WWW)weexperiencetoday.Thiscommunicationhighwaywasintendedfortechnicalcommunicationsbetweenthemilitaryandaselectnumberofresearchersandcontractors.Theopennatureofcommunicationsbetweenthemilitaryandtheirsupplierandresearchesresultedinaveryopencommunicationsystem.Gradually,thenetworkcommunityispatchingsomeofthesesecurityholes.TheInternetstartedwithonlyfourusesinitially,butnowitisestimatedthatthenumberofusersonthewebincreases15percenteachmonth(WheredidtheInternetcomefrom?1999).TheInternetoriginatorsneverimaginedacomputervirusorsomethinglikea“denialofservice”attackonane-commerceserver(Rabinovitch,2001). InternetSecurity14ProtocolsIn1982theInternetworkingWorkingGroupintroducedtheTransmissionControlProtocolandtheInternetProtocolsuitecommonlyreferredtoastheTCP/IPsuite.TheUnitedStatesDepartmentofDefense(DOD)adoptedthissuiteastheirstandardfornetworkcommunicationandeventuallytheterm“Internet”wasattachedtotheinformationsuperhighway.EventhoughthisprotocolsuitewasdevelopedunderthedirectionoftheDODthereareanumberofalarmingsecurityflawsinthem.Computersonanetworkusinganycommunicationprotocolmustcutthedatainthefilecontainingtheinformationintomanageablepiecesandpackagethisinformationintoadataframecontainingtheoriginaldataandseveralotherrelateditems.Theinformationinthesedataframes,orpackets,isdictatedbyastandardcalledtheOpenSystemsInterconnect(Tittle,1999),orOSImodel.Simplyput,theOSImodelconsistsofsevenlevels,aslistedbelow.LevelDescriptionApplicationProvidesasetofinterfacesforapplicationstoaccesstonetworkedservices.PresentationFormatsinformationfornetworkcommunication.SessionMaintainsacommunicationsession.TransportManagesthetwowaycommunicationsbetweenthenodesonanetworkNetworkAddressespacketsfordeliveryandtranslateslogicalnamesintotheirphysicalcounterparts.DataLinkFormatsandtransmitsthedataframescalledprotocoldataunits(PDU’s).PhysicalConvertsthedataintosignalsforoutgoingmessagesandconvertssignalsintobitsfortheincomingdataframes InternetSecurity14TheIPprotocolinparticularintroducesariskfactorbecauseitisaconnectionlessprotocolanddependsonotherprotocols,namelyTCP,toensurereliabledeliveryofthedata(Tittle,1999).TheTCP/IPprotocolsuiteisactuallymadeupofseveralothersub-protocolsthatworkwiththemtoprovidealltheservicesrequiredbytheInternet.Someoftheprotocolsincludedinthissuitearelistedbelow:Internetcontrolmessageprotocol(ICMP)isaprotocolusedtosendcontrolmessagesatthenetworklayeroftheOSImodelAddressResolutionProtocol(ARP)isalsoanetworklayerprotocolusedtolinkalogicalIPaddresstoanetworkcard’smediaaccesscontrol(MAC)address.AMACnumberiselectronicallyembeddedineverynetworkcardmanufactured.Userdatagramprotocol(UDP)issimilartoTCPbutisgenerallyfaster.Domainnamesystem(DNS)isanametoaddressresolutionprotocol.InternethostsmaintainatablethatcorrelatestheIPaddresstoeachsystemsdomainname.Filetransferprotocol(FTP)isanapplicationthatprovidesservicesforfiletransferprocesses.Telnetisaremoteterminalemulationprotocolusedtoprovideconnectionbetweennotsimilarsystems(e.g.apersonalcomputerandaUnixworkstation).SimpleMailTransportProtocol(SMTP)isusedformessagingservicesontheInternet.RoutingInformationProtocol(RIP)isusedtorouteIPmessagesdirectlytothetargetnetwork.TherearemoreprotocolsintheTCP/IPsuite;thelistaboveisnotintendedtobeacomprehensivelist. InternetSecurity14TheTCP/IPsuitepredatestheOSImodelbyabouttenyears,butthesuitefitsthemodelverywell.TCP/IPfitsinthebottomfourOSIlevels.TheupperlevelsintheOSImodelcorrelatetoTCP/IPapplicationprotocolsliketelnetorFTP.Let’sexploretheInternetsuiteinmoredetail.Theprotocols,inthissuite,thatpresentmostofthesecurityissuesareTCP,IP,UDP,andICMP.ThesuiteisdefinedbyaseriesofdocumentsdevelopedandmaintainedbytheInternetEngineeringTaskForce(IETF).ThedefinitionforhowtheyworkarelistedinseveralRequestforComment(RFC)documentsthatcanbeexaminedanddownloadedatwww.ietf.org/rfc.html.TCPandUDPcorrelateroughlytotheOSItransportlayer;andIPandICMPcorrelatetotheNetworklayer.SecurityinconjunctionwithTCP/IPhasbeenconsideredonlyrecently(Schneider,2001).TheenhancedsecurityprotocoliscalledIPSecbutithasnotbeenwidelyaccepted(Radcliff,2001).IPSecisdefinedinRFCs2401and2412andoffersauthenticationofthedatasource,andincorporatessecurityatthenetworklayeroftheOSI.AllprotocolsthatareatorabovethenetworklayerofheOSImodelcantakeadvantageoftheenhancedsecurityintroducedbyIPSec.IPSecisreallytwoprotocols,theAuthenticationHeader(AH)andtheEncapsulatingSecurityPayload(ESP).Theycanbeusedtogetherinonepacketorseparately.TheAHmakesIPpacketssecuresohackerscannotsendpacketsimpersonatinganothermachine.ESPisusedtoencryptpacketssonon-authorizedpeoplecan’treadthedata.ThecurrentversionofIPbeingusedmostisversion4.IPSeccanbeusedtoupdatethesecurityofIP,butnotmanyInternetsitesareusingit.Thereasonforitslimitedadoptionismostlyduetothecomplexityofitsimplementation.ThereareseveraloptionsinIPSecspecifications,sotwonetworksmayimplementtheprotocolcorrectlybutstillnotbeabletocommunicatebetweentheirnetworks.Inaddition,IPSecrequiresthedistributionofencryption InternetSecurity14keysanddigitalcertificates.Thereisnotanautomateddistributionsystemforthisexchangesonetworkadministratorsneedtodistributethesemanually.IPSecisbuiltintothenextgenerationofIP,knowasIPversion6.IETFproposedthisversionin1998(Gilligan,1999)buthasnotbeenimplemented.TCPisresponsibleformessagesegmentationandreassemblybysequencingthepacketstoensurepropermessagedelivery.EachTCPpacketincludestwoportnumbers:asourceportandadestinationport.Theseportsdon’tphysicallyexist;theTCP/IPsoftwaregeneratesthem.Portsare16-bitnumbersthatrepresentdoorsheredatacanbesentoutorreceived.IETFassignsportsformanycommonInternetactivities,TelnetandHTTPareassignedTCPports23and80respectively.Therecanbeasmanyas65,535differentports(2^16–1).TCPzeroisreservedandisnotused.WhenaTCPapplicationisactiveonasystem,itmonitorstheporttypicallyassignedtothatprogramforTCPpacketstocomefromaclient.Suchaportisknownasanopenport,whileaportwherenothingislisteningisknownasaclosedport.Systemadministratorscanconfigureanyapplicationtouseanyport,butnormallymostsystemsuseTCPportsasdescribedinRFC1700.Thenumberofportsactiveonaserverdependsonthediligenceoftheadministrator;oftenmoreportsareavailablethanthecommonlyusedTCPports.Allnetworkoperatingsystemshaveautilitytochecktheportstatus;Window2000andUNIXuseautilitynamedNetstat(fornetworkstatus).SecurityissueswithprotocolsTCPnormallyestablishescommunicationwithanetworkinathree-wayhandshake.Theclientinitiatesapacketwithaninitialsequencenumber(ISN).Theserveracknowledgesitand InternetSecurity14sendsapacketbackwithanACK(foracknowledge)bitsetandthesameISN,theclientfinishesthehandshakebysendingapacketwiththeACKbitset.Followingthisthree-parthandshakethecommunicationsessioncanstartusingsequencingnumbersthetwosystemsnegotiatedduringtheconnectionprocess.Thesesequencenumbersaremoreorlessrandomnumbers.Innetworksatrustrelationshipexistsbetweennodes.Atrustednodecanaccesstheresourcesonthetrustingserver.IfamaliciouspersoncouldpredicttheserverISNthenitcouldbecomeatrustednodeandtransmitdataorprogramsthatcouldgeneratedestructiveresults.ThenhowcanthisISNguessingbedone,iftheyaretrulyrandomnumbersitshouldbeimpossibletoguesstherightnumber.MostsystemsusethefollowingmethodofgeneratingISNs.InmostcommunicationsessionstheinitialISNisincrementedbyaconstantamountonceeachsecond,andbyhalfthatamounteachtimeanewconnectionismade.So,ifausermakesalegitimateconnectionandmonitorstheISNtheservertransmitsthenhecan,withafairdegreeofaccuracy,calculatetheISNgeneratedforthenextconnectionattempt.HackerscanguessthissequencingnumberandtrickaservertomakethehackeratrustedhostonthenetworkThereisaneasiermethodtogettrustedhoststatuswithoutneedingtoguessanISN.IftheNetstatserviceisrunningontheserverthenallthehackerneedstodoisasktheserverwhichportsareopenontheserver.ThereareatleastacoupleofpublicdomainutilitiesthatcanbedownloadedthatallowindividualstomovedataoveranyTCPorUDPopenport.Manynetworkprofessionalsdon’tknowthisvulnerabilityandsimplyallowtheNetstatservicetoinstallbydefault.TheobviousdefenseforthissequencenumberattackisfirsttoensureNetstatserviceisremovedandthenrandomizetheincrementandtheperiodfortheISN.AusefulalternativeistouseanencryptiondevicetoeliminatetheriskofguessingISN’salltogether. InternetSecurity14UDPissimplerthanTCP.TCPestablishedaconnectionusingthethree-partsequencedescribedabove.UDPisaconnectionlessprotocol;itjustsendspacketsinafairlyunreliablemanner.Someapplicationsreallydon’tneedgoodpackettrackinglikestreamingaudioorvideo.Humanperceptionwillnotdetectifapixelortwoaremissingfromavideofeed.TheadvantageisthatUDPisfasterthanTCP,soitistheprotocolofchoiceforsomeapplications.ThemostwidelyusedUDPserviceisDNSthroughUDPport53,anotherapplicationisaudiofilesonport7070.IfanattackerfindsthateitheroftheseportsareopenhecanprobetheserverwithoneoftheavailableDNStoolsoraRealPlayerclient.SecurityOnceanattackerisinsideanetworkthereareplentyofopportunitiestowreekhavoc.Ahackercouldalterordeletewebpages,damagedatabasefiles,oreventrytoreformatyourserversharddiskdrive.Oneofthemorecommoninvasionsisthepropagationofviruses.Theprevioussectionoutlinesjustacoupleofthecommonsecuritythreats.Thissectionwilloutlinemethodstoimproveonthesecurityofane-network.FirewallsAfirewallisdesignedtokeepfire,oncestarted,fromspreadinginabuilding.Inanetwork,afirewallisasetofprogramsattheperipheryofanetworkthatprotectsthenetworkfromoutsideusers.AfirewallallowsthenetworkuserstoaccesstheInternetbutpreventsoutsidersfromaccessingthenetworkresources.Firewallsareclassifiedintothreecategories:packetfilteringrouters,circuit-levelgateways,andapplicationlevelgateways. InternetSecurity14IPisresponsibleforaddressingtheTCP/IPpackets.IPpacketsareidentifiedwitha32-bitaddressconsistingoffourbyteswitheachbyteseparatedbyaperiod.Eachbyteisnotedusinganumberbetween1and254.Eightbitshave256possiblecombinations;zeroand255arereservedforbroadcasttransmissionsotheycannotbeusedforaddresses.PacketfilteringrouterApacketfilteringroutersubmitsallincomingIPaddressestoafilterapplyingcertainrules.TheinformationcheckedcanincludetheIPaddressforboththesourceanddestination,andportnumber.Ifamatchismade,theparticularruleisapplied,eitheracceptingorrejectingthepacket.Severalpredeterminedpoliciesareavailableandareimplementeddependingonthepoliciesofthenetwork.Discardingapacketbydefaultisthemostsecurepolicy,butitrequiresthenetworkadministratortoenteracceptableaddressesintoatable.Permissivenetworksallowforwardingbydefault.Networksecurityrequiresthatjustcertainportsandaddressesareallowedtolimitexposuretohacking.Sourceroutingattack,tinyfragmentattack,andIPaddressspoolingarethemostcommonattackmethods.Circuit-LevelGatewaysCircuitlevelgatewaysestablishconnectionsbetweenusersontheoutsideandusersontheinsideofanetwork.Oncetheconnectionissecured,thepacketstravelthoughwithoutcheckingthecontent.Circuitlevelgatewaysdoblockmostoftheprotocolshackersusetotrytogathersite-relateddata.Application-LevelGatewaysThesetypesoffirewallsallowthenetworkadministrationtocontrolaccessattheapplicationlevel.Theyarestricterthanpacketfilteringroutersandareeasiertosetup. InternetSecurity14Applicationgatewaysrequireadedicatedgatewayforeachapplication,butinsomeinstancestheenhancedsecurityisworththeprice.ProxyServersAproxyserverhidesnetworkcomponentsfromoutsidethenetwork.Theyinterceptallrequeststotherealserveranddetermineiftheycanfulfilltherequestitself.Likeanapplicationgateway,proxyserversfocusonapplications.Anadvantageofproxyserversisthattheyimprovenetworkperformancebycachingrecentlyretrieveddata.Inaddition,proxyserverscanbeusedtofilterrequests.Afirmcoulduseaproxyservertopreventitsemployeesfromaccessingaspecificsetofwebsites.TheSecureSocketLayerAnotheroptionforprovidingsecurityservicesforTCP/IPistoaddsecuritytoalayerjustaboveTCP/IPontheOSImodel,knownastheSocketLayer.TheSecureSocketLayer(SSL),originallypublishedbyNetscape,allowsanapplicationtohaveverifiedencryptedcommunicationsacrossanetwork.TheapplicationrequiringthesecuritymustincludeaversionofSSL.SSLincludesdigitalcertificatesupdatedin1999,bytheIETFtoTransportLayerSecurityasstatedinRFC2246.MostofusdonotrealizewhenSSLissecuringaconnection.WhenyouaccessasecurewebsiteusingSSL,thekeyorlockinthelowercornerofyourbrowserturnstoanintactlockorkey,yourbrowserhasestablishedanSSLconnectionwiththesiteandverifieditscertificate.Also,whenyouaccessasitewithhttps,youareactuallyrunningthehttpprotocoloverSSL. InternetSecurity14DiscussionThecommunicationsinusetodayhaveseveralsecurityholes.Therearemanyvendorshypingtheirlatestrelease(Cheng,2001),butmanyintroduceadditionalsecuritygapsbyreleasingproductsbeforetheyareready.Inexperiencedsystemadministratorswhodon’thavethetimeortheincentivetouncoversecurityproblemsrunmanynetworks.ImustadmitthatpriortoresearchingthispaperIbelievedthatIknewmostofthesecurityissuesfore-networks.IdiscoveredthatthesecurityissuesrelatedtotheInternetaremanyandthatthesolutionstothoseissuesarecomplex.Toensureasecurefuture,vendorsandothergroupsmustmakeaconcertedefforttoplacesecurityasthehighestpriority.Cooperationbetweenpossiblecompetitorswillbenecessarytoimplementthisscheme.Thesenewsecuritysystemsmustbetestedthoroughlyandholesinthesystemmustbepatchedrapidlyandautomatically.TheInternetisstillinitsinfancyanditmightwellbefiveortenyearsbeforethisyoungindustrygetstogethertoensureasecurefuture.ConclusionsIhavefoundthisexerciseofpreparingacourselearningplan,anannotatedbibliography,followedbyapaperoutline,andfinallythispapertobeafrustratingbutfulfillingtask.PC501,DegreeCompletionStrategieshastakenmefrommydoubtsaboutgettingadoctoraldegreetothepointwhereIamtoday.TodayIknowIcancompletetheprogram.Ihavelearnedmuchduringthisthree-stepprocess.Infact,IwouldhavedonethisprojectdifferentlyifIhadknownwhatIknownow.Thelearningprocessispainful,butitisanecessaryprocess.. InternetSecurity14IstartedoutpreparingthebibliographyusingtheAPApublicationmanual.MostofmyfrustrationscouldhavebeenreducedifIhadfoundthefollowingitemsearlier.IeventuallyfoundaNetworkBibliographyatwww.cs.columbia.edu/~hgs/netbib,itconsistsofover70,000referencesaboutcomputernetworks.ReferencesfoundwiththissiteweremoreusefulthananyIfoundusinglibraryresources.ThebestthingthisassignmentdidformewastoleadmetotheconclusionthatIneededareferencetooltohelpmewiththetechnicalwriting.Ithankyou,Dr.Barton,forsuggestingthatIgetEndnote(Endnote,theeasybibliographywritter,2001).IsuggestthatyouletthestudentsknowinthenextsessionofthisclassthatdemonstrationcopiesofEndnoteandProciteareavailableathttp://www.endnote.comandhttp://www.procite.com/pchome.asp.Ibelievethestudentswouldbenefitfromexposuretoeitheroftheseproducts.IwasevaluatingProcite("Procite,yourinformationtoolbox,"2001)whenIgotyouremailbacksuggestingEndnote.Afterevaluatingbothpackages,IstronglyagreewithyouaboutthesuperiorityofEndnoteversion5. InternetSecurity14ReferencesCheng,P.(2001).AnarchitecturefortheInternetkeyexchangeprotocol.IBMSystemsJournal,40(3),721-746.Endnote,theeasybibliographywritter(2001).Retrieved,fromtheWorldWideWeb:http://www.endnote.com/Gilligan,R.,Thomson,S.,Stevens,W.(1999).BasicSocketInterfaceExtensionsforIPv6.Retrieved12-07-2001,fromtheWorldWideWeb:http://www.ietf.org/rfc/rfc2553.txt?number=2553Procite,yourinformationtoolbox.(2001).Rabinovitch,E.(2001).Thenever-endingsagaofInternetsecurity:why?how?andwhattodonext?IEEEcommunicationsmagazine,395,56-58.Radcliff,D.(2001).MeansofimprovedIPsecuritycloseathand.RetrievedNov.11,2001,2001,fromtheWorldWideWeb:http://www.howtech.com/ipsec2.htmSchneider,G.,andPerr,J.(2001).Securitythreatstoelectroniccommerce,Electroniccommerce(2nd.ed.,pp.157-198).Boston,MA:CourseTechnologies.Tittle,E.,andJohnson,D.(1999).AGuidetoNetworkingEssentials.Boston,MA:CourseTechnology.WheredidtheInternetcomefrom?(1999).RetrievedDec.03,2001,fromtheWorldWideWeb:http://www.pcworld.com.eg/internet_nov99.htm#HOWTODAY'SINTERNET