Network Security Basics

Gerald A. Marin, Florida Institute of Technology

Basic Training
Editors: Michael Howard, [email protected]; James A. Whittaker, [email protected]
PUBLISHED BY THE IEEE COMPUTER SOCIETY ■ 1540-7993/05/$20.00 © 2005 IEEE ■ IEEE SECURITY & PRIVACY

Writing a basic article on network security is something like writing a brief introduction to flying a commercial airliner. Much must be omitted, and an optimistic goal is to enable the reader to appreciate the skills required.

The first question to address is what we mean by “network security.” Several possible fields of endeavor come to mind within this broad topic, and each is worthy of a lengthy article. To begin, virtually all the security policy issues raised in Matt Bishop’s book, Computer Security Art and Science,[1] apply to network as well as general computer security considerations. In fact, viewed from this perspective, network security is a subset of computer security.

The art and science of cryptography and its role in providing confidentiality, integrity, and authentication represents another distinct focus even though it’s an integral feature of network security policy. Readers looking for a good introduction (and more) to this area should consider Practical Cryptography by Niels Ferguson and Bruce Schneier.[2]

The topic also includes design and configuration issues for both network-perimeter and computer system security. References in this area include Stephen Northcutt and colleagues’ Inside Network Perimeter Security,[3] the classic Firewalls and Network Security[4] by Steven Bellovin and William Cheswick, and too many specific system configuration texts to list. These are merely starting points for the interested novice.

The practical networking aspects of security include computer intrusion detection, traffic analysis, and network monitoring. This article focuses on these aspects because they principally entail a networking perspective.

Network traffic

To analyze network traffic, we need a basic understanding of its composition. In this regard, networking people often speak of flows and formats. Flow is a laconic reference to networking protocols and the messages that travel back and forth between their endpoints. Format refers to the structure of the cells, frames, packets, datagrams, and segments (the awkward generic term is protocol data units) that comprise the flow.

The vast majority of network traffic today uses the Internet Protocol (IP) as its network-layer protocol.[5] IP addresses represent sources and destinations, and IP routers work together to forward traffic between them. Link-layer protocols such as Ethernet (IEEE 802.3), token ring, frame relay, and asynchronous transfer mode (ATM) forward IP packets, called datagrams, across many types of links.

Networks can be attacked at multiple layers; here, I focus on the network layer and the layer above it (the transport layer). The Internet network layer is “unreliable,” meaning it doesn’t guarantee end-to-end data delivery. To get reliable end-to-end service, a user invokes the Transport Control Protocol (TCP).

Figure 1 shows the format for an IP datagram; Figure 2 shows the format for a TCP segment, which is the protocol data unit associated with the TCP protocol. These formats are essential for understanding network traffic composition and something of the methods that can be used to corrupt them.

TCP/IP traffic accounts for much of the traffic on the Internet (although TCP isn’t typically used for voice or video traffic). Figure 3 illustrates how a tool such as Ethereal (www.ethereal.com) can help capture and analyze traffic.

We now have a fairly representative picture of the traffic flowing across the Internet. It consists of IP datagrams (which can be carried inside link-layer frames, for example) carrying higher-layer information, often including TCP segments.

Those with malicious intent could misuse any of the fields shown in Figures 1 and 2. The attackers would know the protocol’s intent and the rules to use to interpret the associated formats and flows. They can create a networking attack by changing values in any of the fields—any ensuing problems constitute attacks on the network. Spoofing, or changing the source address, lets an attacker disguise malicious traffic’s origin.

Network intrusions

Typical network traffic consists of millions of packets per second being exchanged among hosts on a LAN and between hosts on the LAN and other hosts on the Internet that can be reached via routers. Network intrusions consist of packets that are introduced specifically to cause problems for any of the following reasons:
• to consume resources uselessly,
• to interfere with any system resource’s intended function, or
• to gain system knowledge that can be exploited in later attacks.
The simplest example of a network intrusion is probably the land attack. Some early IP implementations failed to take into account that a datagram might be generated with identical source and destination IP addresses. Some older operating systems (and perhaps unpatched ones) simply crashed if they received such datagrams.
Somewhat more complicated is the smurf attack, in which an attacker spoofs the source address and sets it equal to the targeted machine’s address. The attacker then broadcasts an echo request to perhaps hundreds of machines on distant networks—a capability provided by the Internet Control Message Protocol (ICMP). Each distant machine responds to the received echo request with an echo response message to the targeted IP address, thus overwhelming the targeted machine’s resources.
The teardrop attack is somewhat more sophisticated in its use of the header fields shown in Figure 1. IP version 4 (IPv4) can break large datagrams into sequences of smaller IP datagrams through a process referred to as fragmentation. It uses certain bit flags and the fragment offset field to ensure that the fragments can be reassembled at the destination (see Figure 1). In a teardrop attack, an attacker sends fragments that are purposely made to overlap so that they don’t fit together properly at the destination. Again, older (or unpatched) operating systems could have severe problems with such fragments.
DDoS attacks

In February 2000, hackers attacked several high-profile Web sites, including Amazon.com, Buy.com, CNN Interactive, and eBay, by sending large numbers of bogus packets with the intent of slowing or interrupting offered services.[6]
Many articles have since examined these attacks and potential defenses, and several Web sites offer overviews, case histories, suggested defenses, and other resources. In spite of all the work done in this area, the threat of DoS attacks remains, as high-profile attacks described periodically in the networking trade press will attest.
Typically, a hacker launches a distributed denial-of-service (DDoS) attack by issuing commands to “attack zombie” computer programs that have penetrated unsuspecting users’ machines via the Internet—perhaps propagated by viruses or worms, for example. Once present, the zombies allow hackers to leverage user machines as part of an attack against a given target. Note that the generated traffic might seem to be normal Web browser requests and other innocent-looking traffic that, in fact, differs from valid traffic principally in its intent. This makes identifying such attacks extremely difficult. For particularly interesting reading, Steve Gibson provides a case history of one of the early DDoS attacks.[7]

Figure 1. Internet datagram header format. As defined in RFC 791, Internet datagrams running under version 4 of the Internet Protocol (IPv4) carry most of today’s Internet traffic, although a newer version has been defined as IPv6. (The numbers across the top indicate bit positions.)

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of service|         Total length          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|     Fragment offset     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Time to live  |   Protocol    |        Header checksum        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Source address                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Destination address                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 2. Transport Control Protocol header format. As defined in RFC 793, TCP provides a reliable end-to-end transport service across the unreliable Internet.

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source port          |       Destination port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     Acknowledgment number                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |        Urgent pointer         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             Data                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Intrusion detection systems

No single technique is likely to detect all possible types of network intrusions—especially because new intrusion types are still waiting to be exploited. Reviewing the attacks described here, it’s clear that land attacks can be discovered by looking for arriving packets in which the source and destination IP addresses are identical. Smurf attacks can’t be detected on the basis of content from single packets; only the arrival of an unusually large number of ICMP echo requests and responses would signal such an attack’s presence. We could respond by killing all echo requests at a gateway router, but doing so would interfere with other network functions that might be vital to the organization being protected. We might discover the teardrop attack by looking for illegal fragmentation in arriving packet trains, but the router (or firewall) would have to maintain a significant amount of state information.
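As an added example (not code from the article), the following Python parses the IPv4 header layout of Figure 1 and applies the two per-datagram checks just described: the land signature (source address equal to destination address) and overlapping fragments, which requires keeping per-datagram reassembly state. All packets are constructed inline, and the header checksum is left zero because neither check consults it.

```python
import struct
from collections import defaultdict
# Added example (not the article's code): parse the RFC 791 header of Figure 1 and
# run the land check and an overlapping-fragment check over constructed packets.
def parse_ipv4(pkt: bytes) -> dict:
    """Unpack the 20-byte fixed IPv4 header (network byte order)."""
    vihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4                        # IHL counts 32-bit words
    return {"version": vihl >> 4, "id": ident, "ttl": ttl, "protocol": proto,
            "mf": bool(flags_frag & 0x2000),       # More Fragments flag
            "frag_offset": (flags_frag & 0x1FFF) * 8,  # field counts 8-byte units
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "payload_len": total_len - ihl}

def is_land(hdr: dict) -> bool:
    return hdr["src"] == hdr["dst"]   # land signature: source equals destination

class FragmentTracker:
    """Per-datagram reassembly state (what a router or firewall must keep) used to
    notice that a new fragment overlaps bytes an earlier fragment already covered."""
    def __init__(self):
        self.ranges = defaultdict(list)   # (src, dst, id, proto) -> [(start, end)]
    def check(self, hdr: dict) -> bool:
        if not (hdr["mf"] or hdr["frag_offset"]):
            return False                           # unfragmented datagram
        key = (hdr["src"], hdr["dst"], hdr["id"], hdr["protocol"])
        start, end = hdr["frag_offset"], hdr["frag_offset"] + hdr["payload_len"]
        overlap = any(start < e and s < end for s, e in self.ranges[key])
        self.ranges[key].append((start, end))
        return overlap

def build_ipv4(src, dst, ident=1, mf=False, offset=0, payload=b"", proto=17):
    """Constructed test packets only: version 4, IHL 5, TTL 64, checksum left 0."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    addr = lambda a: bytes(map(int, a.split(".")))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                       flags_frag, 64, proto, 0, addr(src), addr(dst)) + payload

def scan(packets):
    """Return (packet index, alert name) for every packet that trips a check."""
    tracker, alerts = FragmentTracker(), []
    for i, pkt in enumerate(packets):
        hdr = parse_ipv4(pkt)
        if is_land(hdr):
            alerts.append((i, "land"))
        if tracker.check(hdr):
            alerts.append((i, "fragment-overlap"))
    return alerts

SAMPLE = [  # constructed traffic: one land packet, then two overlapping fragments
    build_ipv4("10.0.0.5", "10.0.0.5"),
    build_ipv4("10.0.0.9", "10.0.0.5", ident=7, mf=True, payload=b"A" * 24),   # bytes 0..24
    build_ipv4("10.0.0.9", "10.0.0.5", ident=7, offset=16, payload=b"B" * 16),  # bytes 16..32
]
```

The land check needs no state at all, whereas the fragment check must remember every range seen per (source, destination, identification, protocol) tuple, which is the state cost the text refers to.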
Intrusion detection systems (IDSs) use particular collections of analytical techniques to detect attacks, identify their sources, alert network administrators, and possibly mitigate an attack’s effects. An IDS uses one or both of the following techniques to detect intrusions:
• Signature detection—the IDS scans packets or audit logs to look for specific signatures (sequences of commands or events) that were previously determined to indicate a given attack’s presence.
• Anomaly detection—the IDS uses its knowledge of behavior patterns that might indicate malicious activity and analyzes past activities to determine whether observed behaviors are normal.
It’s fairly easy to understand how signature detection can help find identifying characteristics in previously observed attacks. This is far from simple to accomplish, however, because attackers can change some identifier (a port number, a particular sequence number, a particular protocol indicator) that alters the signature without affecting the attack’s fundamental nature. Moreover, someone constructing an alert based on signature detection must be mindful that normal traffic could have the same characteristics. A useful signature must reflect a reliable attack identifier that doesn’t generate many alerts on nonmalicious traffic. With the huge number of packets arriving at most modern subnets, even a minuscule error rate could generate tens of thousands of false alarms within a few minutes.

Figure 3. Example traffic-analysis output. This screenshot from the Ethereal tool shows a list of 18 packets. The middle section describes the highlighted packet; the third section displays the packet in hex format. Ethereal is open-source software released under the GNU General Public License.

IEEE SECURITY & PRIVACY ■ NOVEMBER/DECEMBER 2005
Several commercial and a few public IDSs are available. The trade press frequently evaluates them, but research journals generally do not. Early IDSs largely used signature detection. Generally speaking, they detected all the attacks captured in their signature databases, but they suffered from unacceptably high false-alarm rates.[8] More innovative approaches have appeared recently, including behavior-based modeling.[9]
To clarify how traffic or behavioral anomalies can be used to identify attack traffic for attacks that haven’t been seen before, consider the following example. IP addresses generally suffice to enable a datagram to reach its intended destination machine, but many processes typically run at once on any given machine. TCP/IP uses port numbers to distinguish among them. A security analyst might be able to analyze daily or hourly patterns in the use of source addresses, destination addresses, and both source and destination port numbers to determine when a pattern change suggests possible malicious activity. (We must be careful to observe that “different” doesn’t always imply “evil.”) In Figure 4, for example, we see port activity displayed from data produced at the Lincoln Labs at the Massachusetts Institute of Technology (MIT) for a particular subnet over a 10-hour period.[10,11] This often-used data set includes data with and without attacks present, which are difficult to obtain on “live” networks. (Data are from Monday of week five in the Lincoln Lab data.) Figure 5 shows the result when we remove all the port activity found during a similar 10-hour period from an attack-free data set: three areas clearly represent unusual (or anomalous) port activity. Further investigation reveals that these are, indeed, attacks—in this case, inserted by MIT researchers.
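The Figure 4 to Figure 5 procedure, as an added example that is not the article's own code: build the set of active (time bucket, port) pairs for an attack-free period, subtract it from the observed period, and group whatever remains into areas. The records, the 10-minute bucket size and the merge gaps are constructed assumptions; the Lincoln Lab data set itself is not used.

```python
# Added example (not the article's code): the Figure 4/5 subtraction on constructed
# (seconds, port) records. Bucket size, merge gaps and all data are assumptions.
BUCKET = 600   # seconds per time bucket (10 minutes); a 10-hour period is 60 buckets

def active_pairs(records, bucket=BUCKET):
    """Map raw (seconds, port) records to the set of (time bucket, port) pairs seen."""
    return {(t // bucket, port) for t, port in records}

def anomalous_pairs(baseline, observed, bucket=BUCKET):
    """Figure 5 step: drop every pair that was also active in the attack-free period."""
    return active_pairs(observed, bucket) - active_pairs(baseline, bucket)

def cluster(pairs, time_gap=1, port_gap=64):
    """Merge leftover pairs that lie close in both time and port into areas (the
    'three areas' of Figure 5); each area keeps its bounds and its pair count."""
    areas = []
    for tb, port in sorted(pairs):
        for a in areas:
            if (a["t_lo"] - time_gap <= tb <= a["t_hi"] + time_gap
                    and a["p_lo"] - port_gap <= port <= a["p_hi"] + port_gap):
                a["t_lo"], a["t_hi"] = min(a["t_lo"], tb), max(a["t_hi"], tb)
                a["p_lo"], a["p_hi"] = min(a["p_lo"], port), max(a["p_hi"], port)
                a["count"] += 1
                break
        else:
            areas.append({"t_lo": tb, "t_hi": tb, "p_lo": port, "p_hi": port, "count": 1})
    return areas

def find_areas(baseline, observed):
    """Full pipeline: subtract the baseline, then group the remainder into areas."""
    return cluster(anomalous_pairs(baseline, observed))

def normal_day():
    """Constructed attack-free day: SSH, SMTP and HTTP active in every bucket."""
    return [(b * BUCKET + 30, port) for b in range(60) for port in (22, 25, 80)]

BASELINE = normal_day()
OBSERVED = (normal_day()
            + [(b * BUCKET + 30, 873) for b in range(60)]             # new, legitimate service
            + [(12 * BUCKET + 5 + i, 1000 + i) for i in range(41)]    # sequential port sweep
            + [(b * BUCKET + 100, 50123) for b in (40, 41, 42)])      # one odd port, 3 buckets
```

The observed day also carries a service on port 873 that the baseline never saw; it survives the subtraction as an area spanning all 60 buckets, which is the “different doesn’t always imply evil” case rather than an attack, so an analyst would still have to look at each area before calling it malicious.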
Researchers have applied many other techniques to detecting traffic anomalies, including data mining, statistical analysis, artificial intelligence, neural networks, Markov modeling, sensor correlation, and analysis of management information data. It’s safe to say that the ultimate solution remains to be found.
Although intrusion detection is a good place to start “basic training,” we should note that network security people are probably more concerned about worms, viruses, and spam; they worry at least as much about active methods to combat these pests as they do about IDSs. Network worms seek to exploit software weaknesses on servers that must keep particular ports open to provide service. If a worm succeeds in penetrating the network perimeter security, it can introduce Trojan code that changes the target machine in ways that users won’t detect. At present, therefore, detecting the presence of malicious traffic from outside the network probably doesn’t worry network administrators as much as the likelihood that Trojans and spyware might already reside in internal machines that access sensitive data.

Figure 4. Port usage at MIT’s Lincoln Lab. This data set illustrates patterns in the use of source and destination ports over a 10-hour period. Dots indicate the use of a port at a particular moment in time.
[Scatter plot: x-axis Seconds (ticks at 10,000, 20,000, 30,000); y-axis Port (0 to 60,000).]
Techniques for detecting malicious code bring us back to general computer security issues and methods. Analysis of network activity associated with problems such as worm infections could complement other system security work in determining which machines are infected. Based on both traffic analysis and system behavioral analysis, for example, sufficiently suspicious machines might be isolated from their peers via (perhaps new) security protocols until administrators took steps to secure them. Whether such isolation can be accomplished before a critical subset of the Internet becomes infected is one concern of current and future research. There are others, and they also depend, to some extent, on the basics covered in this article.
References

1. M. Bishop, Computer Security Art and Science, Pearson Education, 2003.
2. N. Ferguson and B. Schneier, Practical Cryptography, John Wiley & Sons, 2003.
3. S. Northcutt et al., Inside Network Perimeter Security, New Riders Publishing, 2003.
4. S. Bellovin and R.W. Cheswick, Firewalls and Internet Security: Repelling the Wily Hacker, Pearson Education, 1994.
5. Internet Protocol, RFC 791, Sept. 1981; www.ietf.org/rfc/rfc791.txt.
6. S. Bonisteel, “Yahoo DoS Attack Was Sophisticated,” ComputerUser.com, 4 April 2003; www.computeruser.com/news/00/02/14/news1.html.
7. S. Gibson, “The Strange Tale of the Denial of Service Attacks Against grc.com,” Gibson Research, 2002; http://grc.com/dos/grcdos.htm.
8. D. Newman, J. Snyder, and R. Thayer, “Crying Wolf: False Alarms Hide Attacks,” Network World, 24 June 2002; www.networkworld.com/techinsider/2002/0624security1.html.
9. R. Thayer, “Intrusion Detection Systems,” Network World, 31 Jan. 2005; www.networkworld.com/reviews/2005/013105rev.html.
10. J. Haines et al., 1999 DARPA Intrusion Detection Evaluation: Design and Procedures, Lincoln Lab tech. report 1062, Massachusetts Inst. Technology, 2001.
11. J. Haines, L. Rossey, and R. Lippman, “Extending the DARPA Off-Line Intrusion Detection Evaluations,” Proc. IEEE/DARPA Information Survivability Conf. and Exposition (DISCEX II), vol. 1, IEEE CS Press, 2001, p. 0035.
Gerald A. Marin is a professor at the Florida Institute of Technology. His research interests include computer communication networks, system and network performance, system and network security, and simulation modeling. Marin has a PhD in mathematics from North Carolina State University. He has several years of industry experience, both with IBM and the Center for Naval Analyses. Contact him at [email protected].
Figure 5. Anomalous port activity on the Lincoln Lab machines. Subtracting all (time, port) pairs that were active during the base comparison period in Figure 4 shows three areas that represent unusual port activity, which could be attacks.
[Scatter plot: x-axis Seconds (ticks at 10,000, 20,000, 30,000); y-axis Port (0 to 60,000); the three remaining areas are labelled “Documented attacks.”]