Transcript Document

Learning outcomes
After this session, you should be able to:
• Identify the threat of intruders in systems and networks and explain how to protect them through password management
• Describe the operation of viruses, Trojans and worms and identify relevant software to counteract them
• Explain the effect of unwanted network connections in an organisation and how to design a firewall that will balance user freedom in relation to network security
Fundamentals of The Internet
Taxonomy of Malicious Programs
Malicious programs
• Need a host program: Trapdoors, Logic Bombs, Trojan Horses, Viruses
• Independent: Zombie, Worms
Definitions
• Trojan Horse - instructions in an otherwise good program that cause bad things to happen (sending your data or password to an attacker over the net).
• Logic Bomb - malicious code that activates on an event (e.g., date, specific key sequence, absence of a file etc.).
• Trap Door (or Back Door) - undocumented entry point written into code for debugging that can allow unwanted users.
Definitions
• Virus - code that infects other executable files by copying itself.
• A “Bacteria” replicates until it fills all disk space, or CPU cycles.
• Payload - harmful things the malicious program does, after it has had time to spread.
• Worm - a program that replicates itself across the network (usually riding on email messages or attached documents, e.g., macro viruses).
• Zombie – a program that takes over other Internet-attached computers to launch attacks that are difficult to trace back to the original creator of the program. Typically used in Denial-of-Service Attacks.
Virus Phases
Four different phases exist for a virus. However, not all
viruses have all of these four phases.
• Dormant phase - the virus is idle
• Propagation phase - the virus places an identical
copy of itself into other programs
• Triggering phase – the virus is activated to perform
the function for which it was intended
• Execution phase – the function is performed
Virus Protection
Have a well-known virus protection program, configured
to scan disks and downloads automatically for known
viruses.
Do not execute programs (or "macros") from unknown sources (e.g., PS files, Hypercard files, MS Office documents). Do not download .dll, .lib, .hlp, .obj files from unknown sources.
Avoid the most common operating systems and email
programs, if possible.
Virus Structure
[Figure: structure of an infected program. The inserted virus segment increases the length of the host program, and this segment is the same in all infected files; it is called the signature of the virus.]
A Compression Virus
Types of Viruses
• Parasitic Virus - attaches itself to executable files as
part of their code. Runs whenever the host program
runs.
• Memory-resident Virus - Lodges in main memory as
part of the residual operating system.
• Boot Sector Virus - infects the boot sector of a disk,
and spreads when the operating system boots up
(original DOS viruses).
• Stealth Virus - explicitly designed to hide from Virus
Scanning programs. Compression and controlling disk
I/O are the most common techniques.
• Polymorphic Virus - mutates with every new host to
prevent signature detection. It is achieved either by
randomly shuffling independent instructions in the virus,
or by adding superfluous instructions, or by encryption.
Macro Viruses
• Microsoft Office applications allow “macros”
to be part of the document. The macro could
run whenever the document is opened, or
when a certain command is selected (Save
File).
• Platform independent.
• Infect documents, delete files, generate email
and edit letters.
Antivirus Approaches
1st Generation, Scanners: searched files for any of a
library of known virus “signatures.” Checked
executable files for length changes.
2nd Generation, Heuristic Scanners: looks for more
general signs than specific signatures (code
segments common to many viruses). Checked files
for checksum or hash changes.
3rd Generation, Activity Traps: stay resident in memory
and look for certain patterns of software behavior
(e.g., scanning files).
4th Generation, Full Featured: combine the best of the
techniques above.
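The following Python script is an added illustration of the first two generations described above; it is not code from the lecture. It models a 1st-generation scanner (signature search plus a file-length baseline) and the 2nd-generation hash check, showing why the hash is needed: a modification that keeps the file the same length passes the length check but not the hash check. The signature library, file names and file contents are all constructed test data, not real malware signatures.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-ins for a scanner's signature library: made-up byte
# strings used only for this demonstration, not real malware signatures.
SIGNATURES: Dict[str, bytes] = {
    "TEST-SIG-A": b"\xde\xad\xbe\xef-marker-A",
    "TEST-SIG-B": b"-marker-B-",
}

Baseline = Dict[str, Tuple[int, str]]   # path -> (length, sha256 hex digest)


def scan_for_signatures(data: bytes,
                        signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """1st generation: report every library signature found in the file."""
    return [name for name, pattern in signatures.items() if pattern in data]


def take_baseline(files: Dict[str, bytes]) -> Baseline:
    """Record the length (1st-generation check) and SHA-256 (2nd-generation
    check) of each file while it is known to be clean."""
    return {path: (len(data), hashlib.sha256(data).hexdigest())
            for path, data in files.items()}


def detect_changes(files: Dict[str, bytes], base: Baseline) -> Dict[str, str]:
    """Compare the current files with the baseline and describe what moved."""
    findings: Dict[str, str] = {}
    for path, data in files.items():
        if path not in base:
            findings[path] = "new file (not in baseline)"
            continue
        old_len, old_hash = base[path]
        if len(data) != old_len:
            findings[path] = f"length changed {old_len} -> {len(data)}"
        elif hashlib.sha256(data).hexdigest() != old_hash:
            findings[path] = "content changed, same length"
    return findings


def run_demo() -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Constructed scenario: two clean 'executables'; then one grows by an
    appended segment carrying a known marker and one is patched in place."""
    clean = {
        "bin/app.exe": b"MZ" + bytes(range(64)),   # 66 bytes
        "bin/tool.exe": b"MZ" + b"\x90" * 40,      # 42 bytes
    }
    base = take_baseline(clean)

    current = dict(clean)
    # Appended segment: the file gets longer and now carries the marker.
    current["bin/app.exe"] = clean["bin/app.exe"] + SIGNATURES["TEST-SIG-A"]
    # Same-length patch: one byte replaced, so only the hash check notices.
    patched = bytearray(clean["bin/tool.exe"])
    patched[10] = 0xCC
    current["bin/tool.exe"] = bytes(patched)

    changes = detect_changes(current, base)
    hits = {path: scan_for_signatures(data) for path, data in current.items()}
    return changes, hits


if __name__ == "__main__":
    for section in run_demo():
        for path, result in section.items():
            print(f"{path}: {result}")
```

The baseline must be taken while the files are known to be clean and stored where the scanned system cannot rewrite it, otherwise the comparison is against an already-modified copy.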
Advanced Antivirus Techniques
• Generic Decryption (GD)
– CPU Emulator
– Virus Signature Scanner
– Emulation Control Module
• If the virus is encrypted it will decrypt
and reveal itself.
• Key question: how long should a GD
scanner run each interpretation?
Firewall Design Principles
• Too many computers with different Operating
Systems exist in corporate networks today.
• They all need Internet access.
• The firewall is inserted between the premises
network and the Internet
• Aims:
– Establish a controlled link
– Protect the premises network from Internet-based
attacks
– Provide a single choke point
Firewall Characteristics
• Design goals:
– All traffic from inside to outside must pass through
the firewall (physically blocking all access to the
local network except via the firewall).
– Only authorized traffic (defined by the local
security policy) will be allowed to pass.
– The firewall itself is immune to penetration (use of
trusted system with a secure operating system).
Firewall Characteristics
Four general techniques:
• User control
– Controls access to a service according to which user is attempting to access it (may need authentication procedures).
• Behavior control
– Controls how particular services are used (e.g. filter email).
• Service control
– Determines the types of Internet services that can be accessed (such as FTP, HTTP), inbound or outbound.
• Direction control
– Determines the direction in which particular service requests are allowed to flow.
Types of Firewalls
• Three common types of Firewalls:
– Packet-filtering routers
– Stateful Inspection Firewalls
– Application-level gateways
– Circuit-level gateway
Types of Firewalls
Packet-filtering Router:
–Applies a set of rules to each incoming IP packet and then
forwards or discards the packet
–Filter packets going in both directions
–The packet filter is typically set up as a list of rules based on
matches to fields in the IP or TCP header
–Two default policies (discard or forward)
Types of Firewalls
All these fields can be used in a packet filter:
• Source and Destination IP address
• Source and Destination Port Numbers
• IP Protocol field, which defines the higher-level protocol in the IP packet
• MAC address, in case there is more than one.
Packet filtering example:
action   src      port   dest          port   comment
block    SPIGOT   *      {our hosts}   *      we don't trust these people
allow    *        *      {our hosts}   25     connection to our SMTP port
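The rule table above, evaluated the way a packet-filtering router evaluates it, as an added Python example (not code from the lecture). Rules are tried in order, the first match decides, and a packet matching no rule falls through to the default policy (discard or forward). The addresses are constructed: SPIGOT is given a TEST-NET address and {our hosts} is a small set of private addresses, both assumptions made for the demonstration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed addresses. {our hosts} is the lecture's placeholder; SPIGOT is
# the untrusted site from the lecture table, given a TEST-NET-3 address here.
OUR_HOSTS: FrozenSet[str] = frozenset({"192.168.1.6", "192.168.1.100"})
SPIGOT: FrozenSet[str] = frozenset({"203.0.113.10"})


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One row of the filter table. None stands for the '*' wildcard."""
    action: str                      # "allow" or "block"
    src: Optional[FrozenSet[str]]
    sport: Optional[int]
    dst: Optional[FrozenSet[str]]
    dport: Optional[int]
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return ((self.src is None or pkt.src in self.src)
                and (self.sport is None or pkt.sport == self.sport)
                and (self.dst is None or pkt.dst in self.dst)
                and (self.dport is None or pkt.dport == self.dport))


# The two rows of the lecture table, in the order they are listed.
RULES: List[Rule] = [
    Rule("block", SPIGOT, None, OUR_HOSTS, None, "we don't trust these people"),
    Rule("allow", None, None, OUR_HOSTS, 25, "connection to our SMTP port"),
]


def filter_packet(pkt: Packet, rules: List[Rule] = RULES,
                  default: str = "block") -> Tuple[str, str]:
    """First matching rule wins; when no rule matches, the default policy
    (discard or forward) decides."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return default, "default policy"


def demo() -> List[Tuple[str, str]]:
    """Constructed packets, each evaluated under the default-discard policy."""
    packets = [
        Packet("203.0.113.10", 4000, "192.168.1.6", 25),   # SPIGOT to our SMTP port
        Packet("198.51.100.7", 4000, "192.168.1.6", 25),   # another host to SMTP
        Packet("198.51.100.7", 4000, "192.168.1.6", 80),   # matches no rule
    ]
    return [filter_packet(p) for p in packets]


if __name__ == "__main__":
    for decision, why in demo():
        print(f"{decision:5} ({why})")
```

The first packet is the instructive one: SPIGOT is connecting to port 25, which the second rule would allow, but the block rule sits earlier in the list and wins. Rule order is part of the policy. The third packet shows that the outcome for unlisted traffic is decided entirely by the default policy; with default="allow" it would be forwarded.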
Types of Firewalls
Stateful Inspection Firewalls:
A traditional packet filter allows or denies packets on an individual basis after analysing the IP and TCP headers of the arriving packet. A stateful inspection firewall, on the other hand, considers the status of ongoing TCP connections in addition to the header information in the arriving packets.
Example Stateful Firewall Connection State Table:
Source Address   Source Port   Destination Address   Destination Port   Connection State
192.168.1.100    1030          210.9.88.29           80                 Active
192.168.1.101    80            216.32.42.123         2552               Released
192.168.1.105    1990          192.168.1.6           79                 Active
223.43.21.231    2112          192.168.1.6           80                 Active
210.99.212.18    3321          192.168.1.6           80                 Active
(Slide annotation on the table: "Block packets that scan this port !!")
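An added Python model of stateful inspection, not code from the lecture, loaded with the five rows of the connection state table above. A packet is admitted only if it belongs to an Active entry; a packet that matches a Released entry, or no entry at all, is dropped unless it is a SYN that policy permits to open a new connection. The inside prefix 192.168.1. and the choice that outsiders may only open connections to port 80 are assumptions for the demonstration, as are the extra packets and addresses used. For contrast, stateless_return_rule shows what a traditional packet filter must do to let web replies back in (allow anything with source port 80), which also admits an unsolicited packet from source port 80.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Key of a table entry: (src address, src port, dst address, dst port) as recorded
# when the connection was entered. Packets are matched in either direction.
Key = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # SYN set: the packet asks to open a connection
    fin: bool = False   # FIN set: orderly close
    rst: bool = False   # RST set: abort


class StatefulFirewall:
    """Admits only packets that belong to an Active connection, or SYNs that
    the policy allows to create one."""

    def __init__(self, inside_prefix: str, inbound_services: FrozenSet[int]):
        self.inside_prefix = inside_prefix          # assumption: one private subnet
        self.inbound_services = inbound_services    # ports outsiders may connect to
        self.table: Dict[Key, str] = {}

    def inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def find(self, pkt: Packet) -> Optional[Key]:
        for key in ((pkt.src, pkt.sport, pkt.dst, pkt.dport),
                    (pkt.dst, pkt.dport, pkt.src, pkt.sport)):
            if key in self.table:
                return key
        return None

    def process(self, pkt: Packet) -> str:
        key = self.find(pkt)
        if key is not None and self.table[key] == "Active":
            if pkt.fin or pkt.rst:
                self.table[key] = "Released"   # later packets on it are dropped
            return "allow"
        # No Active entry: only a SYN may create one, and only where policy permits.
        if pkt.syn:
            outbound = self.inside(pkt.src) and not self.inside(pkt.dst)
            inbound_ok = (not self.inside(pkt.src) and self.inside(pkt.dst)
                          and pkt.dport in self.inbound_services)
            if outbound or inbound_ok:
                if key is not None:
                    del self.table[key]        # discard the stale Released entry
                self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = "Active"
                return "allow"
        return "block"


def stateless_return_rule(pkt: Packet) -> str:
    """A traditional packet filter has no connection context, so to let web
    replies back in it must allow every inbound packet with source port 80."""
    return "allow" if pkt.sport == 80 else "block"


def from_slide_table() -> StatefulFirewall:
    """Firewall preloaded with the rows of the lecture's connection state table."""
    fw = StatefulFirewall("192.168.1.", frozenset({80}))
    fw.table = {
        ("192.168.1.100", 1030, "210.9.88.29", 80): "Active",
        ("192.168.1.101", 80, "216.32.42.123", 2552): "Released",
        ("192.168.1.105", 1990, "192.168.1.6", 79): "Active",
        ("223.43.21.231", 2112, "192.168.1.6", 80): "Active",
        ("210.99.212.18", 3321, "192.168.1.6", 80): "Active",
    }
    return fw


if __name__ == "__main__":
    fw = from_slide_table()
    reply = Packet("210.9.88.29", 80, "192.168.1.100", 1030)      # reply on row 1
    stale = Packet("216.32.42.123", 2552, "192.168.1.101", 80)    # row 2 is Released
    unsolicited = Packet("198.51.100.7", 80, "192.168.1.100", 4444)  # constructed
    for p in (reply, stale, unsolicited):
        print(fw.process(p), "(stateful) vs", stateless_return_rule(p), "(stateless)")
```

The unsolicited packet is the point of the comparison: it arrives from source port 80 without any connection having been opened, so the stateless rule forwards it while the state table, which has no Active entry for it, drops it.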
Types of Firewalls
Application-level Gateway (proxy):
– Also called proxy server
– Acts as a relay of application-level traffic
– Requires user authentication
– More secure than packet filtering and stateful inspection
– More processing overhead as well.
Types of Firewalls
Circuit-level Gateway:
– Sets up two TCP connections
– Requires user authentication
– The gateway typically relays TCP segments from one connection to
the other without examining the contents
– The security function consists of determining which connections will
be allowed
– Typical use is a situation in which the system administrator trusts the internal users
Firewall Configurations
• In addition to the use of simple configuration of a single system
(single packet filtering router or single gateway), more complex
configurations are possible.
• A “Bastion Host” (means a well-fortified area) serves as a
platform for an application-level or circuit-level gateway.
– they use a secure operating system,
– only the essential services are installed (including proxies for
Telnet, DNS, FTP, SMTP, and user authentication),
– each proxy module is a very small software package (fewer
than 1000 lines) to minimise any security flaw
– each proxy is independent
– proxies have no disk access and they run as nonprivileged
users
Firewall Configurations
Screened host firewall system (single-homed bastion host):
– Only packets from and to the bastion host are allowed to
pass through the packet filter
– The bastion host performs authentication and proxy
functions
– Both packet-level and application-level filtering
Firewall Configurations
Screened host firewall system (dual-homed bastion host):
– Traffic between the Internet and other hosts on the private
network has to flow through the bastion host
– Even if the packet filter is compromised, the private network
is physically isolated from the Internet by the Bastion host
Firewall Configurations
Screened-subnet firewall system:
– Most secure configuration of the three
– An isolated sub-network is created between the Internet and
the private network
– The private network is not visible to the Internet
– The Internet is not visible to the private network