臺灣學術網路竹苗區域網路中心 89年網際網路教育訓練及 推廣研習課程 網路系統安全 臺灣學術網路竹苗區域網路中心 89年網際網路教育訓練及 推廣研習課程 網路系統安全 交 通 大 學 計 算 機 與網路中 心 陳 昌 盛

課程概要 網路系統安全入門簡介 網路攻擊 電腦病毒 網路認證機制 入侵偵測/攻擊防治 案例 HCRC’2000 網路系統訓練課程 – 網路系統安全

0.1 從何處取得網路安全的相關資訊 ? 關於網路系統安全的網站 http://www.cert.org/ Newsgroups: http://www.cert.org.tw Newsgroups: comp.security.misc, comp.security.unix, ... 技術報導網站 (PC Magazine) http://www.zdnet.com 一般資訊定義 http://www.whatis.com

1. 網路系統安全入門 封包觀測程式 網路入侵攻擊 電腦病毒偵測 存取管制 安全傳送系統 電腦編碼系統 數位認證 數位簽章

Network Packet 觀測程式 NetXray (Windows) Tcp_dump 程式 (Unix)

存取管制 (Access Control) 防火牆 (Firewall) 代理伺服系統 (Proxy Server) 個別系統設 ACL Packet filter 代理伺服系統 (Proxy Server) Application gateway 個別系統設 ACL

Secure Communication Secure Telnet/FTP program suites SNP (Secure Network Programs) SSH Secure HTTP communication SSL/TLS SET CA 第三者認證 digital signature 數位簽章

編碼系統 加密解密方式 Public-key RSA, PGP Private Key DES

編碼系統 (續) Kerberose (Unix) MD5 ( Message-Digest) Digital Signature 數位簽章 Digital Certificate 數位認證 CA 認證單位

2.1 常見的網路攻擊型態 Denial-of-Service Intrusion (電腦與網路入侵) Information Theft ping ( system bug ) SPAM E-mail/NetNews, ... Intrusion (電腦與網路入侵) Trojan Horse ( BO, NetBus, ...) computer virus, worm Information Theft Trojan Horse ( BO, NetBus, … 遙控程式)

幾種常見的網路攻擊模式 Script kiddies (半桶水的小伙子最喜歡的把戲) Web Vandals 透過有問題的 CGI, … 蓋掉某網站的網頁 Internal Intruders password cracker Serious Attacker 透過 DNS 蒐集資料 利用程式全面掃描 入侵有問題的系統

2.2 Server Software Bug 成因: cases: 因應之道: degisn bug - Buffer overflow 問題 cases: BIND, sendmail, imap, … http://www.cert.org 因應之道: 勤作 system patch upgrade 到最新的版本 ( 通常情況)

DNS/BIND Security 問題 BIND 最新的正式版本 8.2.2-P5 BIND/named Security issues 8.2.3 T5b, beta test version BIND/named Security issues Buffer overflow 與　CNAME bug 等嚴重問題 參考 CERT 相關網頁報告 ( CERT Advisory ) http://www.cert.org Upgrade 到最新版本

2.3 denial of service (DoS) attack的定義 On the Internet, a denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. Typically, the loss of service is the inability of a particular network service, such as e-mail, to be available or the temporary loss of all network connectivity and services. In the worst cases, for example, a Web site accessed by millions of people can occasionally be forced to temporarily cease operation..

denial of service (DoS) attack [2] A denial of service attack can also destroy programming and files in a computer system Although usually intentional and malicious, a denial of service attack can sometimes happen accidentally. A denial of service attack is a type of security breach to a computer system that does not usually result in the theft of information or other security loss. However, these attacks can cost the target person or company a great deal of time and money.

DoS 意外案例- WINS 與 DNS WINS 設定不當, 導致大量消耗可用頻寬 啟動 Negative Caching 功能 實例,過去 TANet 竹苗區網某一學校, 曾經發生 http://www.edu.tw (MOECC newsletter, 參考 8801-8806 期 ) 儘量避免使用 啟動 Negative Caching 功能 自我保護 避免拖累網路大環境 請Upgrade 到最新版本 ( BIND 8.x 以後) 內建 Negative Caching

SPAM Mail & DNS SPAM Mail <=> UCE/UBE (不請自來) UCE/UBE 散佈途徑 UCE = Unsolicited Commercial E-mail UBE = Unsolicited Bulk E-Mail UCE/UBE 散佈途徑 名單收錄 www homepage, USENET news articles account password files on individual servers 其他不當途徑 ( program bug, 招募會員活動, …) 找尋管理較鬆散的 mail relay Domain Zone scanning ( DNS) URL scanning (web pages )

DDoS 攻擊 Client ( 主控系統) Host (助攻系統) Broadcasters(放大系統) Target(目標網路/站)

2.4 Firewall 的定義與用途 A firewall is a set of related programs, located at a network gateway server, that protects the resources of a private network from users from other networks. (The term also implies the security policy that is used with the programs.) An enterprise with an intranet that allows its workers access to the wider Internet installs a firewall to prevent outsiders from accessing its own private data resources and for controlling what outside resources its own users have access to.

Firewall 的定義與用途(2) Basically, a firewall, working closely with a router program, filters all network packets to determine whether to forward them toward their destination. A firewall also includes or works with a proxy server that makes network requests on behalf of workstation users. A firewall is often installed in a specially designated computer separate from the rest of the network so that no incoming request can get directly at private network resources.

2.5 What is Back Office ? Back Orifice is a new Trojan Horse virus-- a program that delivers a nasty surprise if someone tricks you into installing it. A group of hackers derived it from the French version of a program called Control, which allows someone to control other people's computers remotely. Back Orifice, a pun on Microsoft's Back Office, must be installed on your computer before it can do any harm. It works like an invisible server that allows anyone who has your IP address to access your computer. Of course, that means that the would-be hacker needs your IP address, as well.

3.電腦病毒概念簡介 什麼是 “電腦病毒” ? 電腦病毒的傳染途徑. 電腦病毒的簡單分類. 如何防範電腦病毒.

virus 的基本定義 A virus is a piece of programming code usually disguised as something else that causes some unexpected and, for the victim, usually undesirable event and which is often designed so that it is automatically spread to other computer users. Viruses can be transmitted by sending them as attachments to an e-mail note, by downloading infected programming from other sites, or be present on a diskette or CD. The source of the e-mail note, downloaded file, or diskette you've received is often unaware of the virus.

3.1電腦病毒入侵的途徑 三大途徑 經由軟碟磁片或抽取可攜式硬碟 經由網際網路的下載區 經由 e-mail 的夾帶檔 (attachment)

3.2電腦病毒感染的癥候 不正常的訊息, 顯示在電腦螢幕上 不定期, 出現不正常的聲響或音樂 系統上可用的記憶體, 突然變少 硬碟的名稱, 突然變掉了

Virus 感染後的影響 Some viruses wreak their effect as soon as their code is executed; other viruses lie dormant until circumstances cause their code to be executed by the computer. Some viruses are playful in intent and effect ("Happy Birthday, Ludwig!") and some can be quite harmful, erasing data or causing your hard disk to require reformatting.

3.3 電腦病毒的分類 電腦病毒大略可分成 4 類 磁片開機磁區 (boot sector) 病毒 檔案或程式 (file or program)病毒 巨集 (macro)病毒 多種混合型 (multipartite)病毒

3.4其他惡意程式 worm Trojan horse (特洛伊木馬) 程式 以上這兩類, 不論 Unix 或一般的 Windows 都有 會自我複製, 但不一定會傳染給其他程式 近期知名例子, 經由 MS-Outlook 這個 e-mail 系統的 address book 散播 Melissa, ILOVEYOU Trojan horse (特洛伊木馬) 程式 平時隱藏在某一些看起來無害的程式中, 等到某一些特殊情況, 再起來作怪. 以上這兩類, 不論 Unix 或一般的 Windows 都有

Trojan Horse Programs In computers, a Trojan horse is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and do its chosen form of damage, such as ruining the file allocation table on your hard disk. In one celebrated case, a Trojan horse was a program that was supposed to find and destroy computer viruses. A Trojan horse can be considered a virus if it is widely redistributed.

4. 網路認證機制 認證單位- CA (Certification Authority) 數位電子證書 ( digital certificate) 數位簽章 (digital signature) SSL/TLS SET 安全電子交易

SSL (Secure Sockets Layer) SSL (Secure Sockets Layer) is a program layer created by Netscape for managing the security of message transmissions in a network. Netscape's idea is that the programming for keeping your messages confidential ought to be contained in a program layer between an application (such as your Web browser or HTTP) and the Internet's TCP/IP layers. The "sockets" part of the term refers to the sockets method of passing data back and forth between a client and a server program in a network or between program layers in the same computer.

SSL (Secure Sockets Layer) [2] Netscape's SSL uses the public-and-private key encryption system from RSA, which also includes the use of a digital certificate. Netscape has offered SSL as a proposed standard protocol to the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF) as a standard security approach for Web browsers and servers.

CA (certificate authority) A CA is an authority in a network that issues and manages security credentials and public keys for message encryption and decryption. As part of a public key infrastructure (PKI), a CA checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA can then issue a certificate. Depending on the public key infrastructure implementation, the certificate includes the owner's public key, the expiration date of the certificate, the owner's name, and other information about the public key owner.

SET-Secure Electronic Transaction Short for Secure Electronic Transaction, a new standard that will enable secure credit card transactions on the Internet. SET has been endorsed by virtually all the major players in the electronic commerce arena, including Microsoft, Netscape, Visa, and Mastercard. By employing digital signatures, SET will enable merchants to verify that buyers are who they claim to be. And it will protect buyers by providing a mechanism for their credit card number to be transferred directly to the credit card issuer for verification and billing without the merchant being able to see the number.

SSL 的運作機制 SSL 是設計來讓 www 用戶,與想要連線的www server, 透過加密的方式, 真正達到溝通交換資料的方式. 必須確保, 用戶的瀏覽程式(browser), 是真正的連到想要連的 www server (而不是其他冒充的 server. ) 加密, 以確保資料不至於外洩給不相干的第三者.

SSL 的運作流程如下 當用戶的 瀏覽程式, 初次使用 SSL, 連上某 secure www server 時, 該 server 必須提示, 其經由第三者( CA 提供者)發出的認證, 以供查驗. 接著, 用戶的瀏覽程式, 必須檢查該認證是否合乎底下三條件. 該認證, 是否由信譽卓著的認證機構發出. 該認證, 應該還在有效期間. 該認證, 的確是發給你正在連的 www server. 上述檢查, 必須完全合格, 否則用戶的瀏覽程式, 必須發出警告訊息, 通知使用者.

認證漏洞的案例 http://www.cert.org IE 5.0 也有類似的問題 Netscape 4.7.3 以前的版本, 被發現在某一些特殊的情況下, 會發生 SSL 認證有漏洞. ==> upgrade 到 4.7.3 2000/5/12 , CERT-2000-08 號報告. IE 5.0 也有類似的問題 2000/06/CERT Advisory CA-2000-10 Inconsistent Warning Messages in Internet Explorer http://www.cert.org

5. 入侵偵測與攻擊防治 系統入侵偵測 病毒防治 Anti-SPAM & Anti-virus mail 問題處理與追蹤

5.1. Generic Access Control Issues 分層負責 Router ACL DNS server ACL 個別 server 的 ACL SMTP - sendmail http proxy - squid NNTP - inn

5.1.1 DNS 設定與入侵嘗試 特定對象的入侵 尋找不特定的入侵對象 DNS zone transfer 設限 buffer overflow 等系統問題 尋找不特定的入侵對象 forward & reverse domain zone scanning DNS zone transfer 設限 阻擋不特定的目標搜索

5.1.2 DNS server 設限 BIND 8.x /etc/named.conf 的相關片段 // 省略 options { directory /var/named; allow-transfer { none; // 原則上, 阻擋所有 不相干的 zone transfer }; allow-query { Trusted-IP}; // 僅允許鄰近地區的使用者 // 省略 zone “nctu.edu.tw” { type master ; file “Zone-NCTU” ; allow-query { any; }; allow-transfer { 140.113.1.1; 140.113.6.2; // 允許 slave/secondary server zone “113.140.in-addr.arpa” { ….

DoS Network Attack via DNS DNS 放大攻擊 ( DNS ACL) 假造 IP 封包 ( Router ACL) http://dnsrd.nctu.edu.tw/Tech/cert.html 紓緩之道 個別 DNS 設限 http://dnsrd.nctu.edu.tw/Named-Conf/named.conf-c

Fig 2 經由 DNS 的網路流量放大攻擊 Q: zone transfer Dn: n 是一個很大數目 A: 攻擊者 ( Attacker) Q(1) Q(n) D1 D2 Dn R(1) R(2) R(n) V: 被攻擊者 ( Victum)

5.1.3 FreeBSD 的 firewall - IPfilter ipfw show 00100 1057 62180 deny tcp from 210.209.33.176 to 163.28.64.246 25 00200 1488 65232 deny tcp from 210.209.33.188 to 163.28.64.246 25 65535 2387573165 1175186687077 allow ip from any to any ipfw add deny tcp from 210.59.168.2

5.1.4 Unix 系統上-簡易的 firewall tcp_wrapper hosts.allow+host.deny telnet, ftp, … block mail spam hosts.allow+host.deny

/etc/hosts.allow in.rlogind: 140.113.1.,140.113.6.: severity local3.info: allow in.ftpd:140.113.1.1,KNOWN@140.113.4.120:severityocal3.info: allow in.telnetd:140.113.1.,KNOWN@140.113.4.120:severity local3.info: allow imapd: 140.113.1.,.ras.nctu.edu.tw: severity local3.info: allow # Deny all Without FQDN sendmail:ALL EXCEPT KNOWN: deny sendmail: all: allow

5.2 Anti-SPAM & Anti-virus Mail SPAM Mail 防治 Mail Server 端, 進行掃毒 Cf. 用戶端掃毒 (安裝 anti-virus 軟體 ) Mail Server 進行 SPAM-mail 防治 Cf. 用戶端, anti-spam mail ( 使用過濾程式)

5.2.1 Anti SPAM Mail & DNS ACL SMTP server upgrade/patch DNS 設ACL 限定 mail relaying 對象 DNS 設ACL 可相當程度阻擋不特定的 relay 嘗試 系統管理人員介入 聯絡相關系統的管理人員 rbl 建立 (Real-time Block List )

5.2.3 Mail Server 端掃毒 Sendmail 與電腦病毒防治 配合 procmail , 掃描信件的 header 可局部對付 iloveyou 之類的 script 型態的 worm/virus procmail 是 delivery agent, 可適度進行 filtering 使用 queuing mode, 搭配掃毒軟體, 進行病毒掃描偵測任務

Fig.3 Anti-SPAM & Anti-virus Mail 流程示意(一) Internet Mail Server sendmail procmail POP3/IMAP server Mail spool 用戶 PC Netscape/MS-IE 用戶 Mail 存放區 掃毒軟體

Fig.4 Anti-SPAM & Anti-virus Mail 流程示意(二) Mail Server Internet Mail 暫存區 sendmail 掃毒軟體 POP3/IMAP server Mail spool 用戶 PC Netscape/MS-IE 用戶 Mail 存放區 掃毒軟體

5.3 如何因應 BO 之類的程式攻擊 Basically, Back Orifice serves as a reminder to use safe computing practices: -- Don't run programs from sources you don't trust. -- Keep your anti-virus program definitions up-to-date. -- Run anti-virus scans regularly, preferably daily.

5.3.1 安裝入侵偵測程式 入侵偵測程式(Intrusion Detection System) ZoneAlarm ( Free, 個人) http://www.zonealarm.com BlackICE defender http://www.networkice.com AtGuard NIS( Norton Internet Security) ...

5.3.2 安裝防毒軟體 常見防毒軟體 ... Symantec Anti-virus (Norton) McAfee PC-Cillin [ Trend Micro ;趨勢科技 ] ...

6. 問題處理與追蹤 Security 問題回報及反應 各單位聯絡 e-mail address (Internet 慣例) 向相關單位報備及追蹤問題 向相關 CERT 報備及追蹤問題 各單位聯絡 e-mail address (Internet 慣例) postmaster@your-domain-zone abuse@your-organization,security@your-organization 例如, postmaster@nctu.edu.tw, abuse@seed.net.tw 案例剖析 (Case Study)

6.1 Case Study mbox@xyz.com.tw 轉到 德國某公司 網路攻擊的中途站(1999.08) 本地公司設定錯誤 回報到該公司, 該國的 CERT, 以及TWNIC 網路攻擊的中途站(1999.08) TANet 竹苗區網某校的 DNS server 被入侵 參考 http://dnsrd.nctu.edu.tw

6.2.1 DNS & Mail - 烏龍事件 成因 舊版 BIND/named 有 bug 系統管理人員觀念不夠清楚 前幾年,有德國X公司反應, 持續不斷接收到, 許多應該是寄往台灣Y公司的 e-mail, 卻一直被轉往該公司. 因為收信的帳號不存在, 系統於是一直產生, user 不在的退信, 持續往系統管理信箱塞, 信件越累積越多, 導致server performance 大受影響. 由於該公司並無台灣分公司, 也找不出合理的解釋, 於是開始擔心有台灣的競爭對手, 想癱瘓他們網路的正常運作, 接下來只好採取正式的防衛行動, 透過正式的 CERT 向相關單位反應, ... 成因 舊版 BIND/named 有　bug 系統管理人員觀念不夠清楚 系統管理人員輸入資料時, IP address 打錯

6.2.1 DNS & Mail - 烏龍事件(續) 示意範例 $origin xyz.com.tw. 底下 IP address 與 domain name 都是隨意假定 這個 server 上的 BIND/named 有 bug $origin xyz.com.tw. Xyz.com.tw. IN MX 10 mail.xyz.com.tw. Xyz.com.tw. IN MX 10 mail.ABC.net.tw. ; 錯誤 Mail.xyz.com.tw. In A 192.168.123.45 mail.ABC.net.tw. IN A 139.75.6.78 ; 設定錯誤 ;mail.ABC.net.tw. IN A 139.175.6.78 ;台灣 ;mserver.ZYX.de IN A 139.75.6.78 ;德國

6.2.2 竹苗區網 DNS server 入侵事件 某校在區網的網域, 登錄有兩個 DNS server 該 server-A 有 security hole, 被外來者闖入 入侵者, 持續透過該 server-A, 嘗試入侵國外網站 網域上層, 持續收到國外不同地方轉來的抱怨與求助 e-mail 電話通知該校管理者處理. 後來轉維護廠家工程師. 將近一週, 仍無改善. 區網接手, 協助處理. 設 tcp_wrapper, 擋掉不明來源的連線.

6.3 相關系統管理 結論 各單位, 最好設立兩段式 Mail 組合系統 重要 server 勤作 security patch DNS 設 ACL, 限制 zone transfer 委外廠商維護能力, 意願與合約

參考資料 Why Firewalls Are Not Enough Bruce, Stewart, “How to protect Against Computer Viruses”,... http://www.zdnet.com Why Firewalls Are Not Enough http://www.networkice.com/html/wp_firewalls.html Bradley Shimmin, “Deconstructing Denial of Service Attacks”