computernetworksecurity theory and practice978-3-540-79698-5/1.pdf · theory and practice with 81...

Jie Wang Computer Network Security Theory and Practice


Jie Wang

Computer Network Security

Theory and Practice

With 81 figures

HIGHER EDUCATION PRESS · Springer


AUTHOR

Prof. Jie Wang

Department of Computer Science

University of Massachusetts

Lowell, MA 01854, USA

E-mail: [email protected]

ISBN 978-7-04-024162-4 Higher Education Press, Beijing

ISBN 978-3-540-79697-8 Springer Berlin Heidelberg New York

e-ISBN 978-3-540-79698-5 Springer Berlin Heidelberg New York

Library of Congress Control Number: 2008925345

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilm or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer-Verlag. Violations are liable to prosecution under the German Copyright Law.

© 2009 Higher Education Press, Beijing and Springer-Verlag GmbH Berlin Heidelberg

Co-published by Higher Education Press, Beijing and Springer-Verlag GmbH Berlin Heidelberg

Springer is a part of Springer Science+Business Media

springer.com

The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

Cover design: Frido Steinen-Broo, EStudio Calamar, Spain

Printed on acid-free paper


Preface

People today are increasingly relying on public computer networks to conduct business and take care of household needs. However, public networks may be insecure because data stored in networked computers or transmitted through networks can be stolen, modified, or fabricated by malicious users. Thus, it is important to know what security measures are available and how to use them. Network security practices are designed to prevent these potential problems. Network security, originated from meeting the needs of providing data confidentiality over public networks, has grown into a major academic discipline in both computer science and computer engineering, and also an important sector in the information industry.

The goal of network security is to give people the liberty of enjoying computer networks without fear of compromising their rights and interests. Network security accomplishes this goal by providing confidentiality, integrity, non-repudiation, and availability of useful data that are transmitted in open networks or stored in networked computers.

Network security will remain an active research area for several reasons. First, security measures that are effective today may no longer be effective tomorrow because of advancements and breakthroughs in computing theory, algorithms, and computer technologies. Second, after the known security problems are solved, other security loopholes which were previously unknown may at some point be discovered and exploited by attackers. Third, when new applications are developed or new technologies are invented, new security problems may also be created with them. Thus, network security is meant to be a long lasting scuffle between the offenders and the defenders.

Research and development in network security have mainly followed two lines. One line studies computer cryptography and uses it to devise security protocols. The other line examines loopholes and side effects of existing network protocols, software, and system configurations. It develops firewalls, anti-malicious-software software, intrusion detection systems, and other countermeasures. Interweaving these two lines together provides the basic building blocks for constructing deep layered defense systems against network security attacks.


This book is intended to provide a balanced treatment of network security along these two lines, with adequate materials and sufficient depth for teaching a one-semester introductory course on network security for graduate and upper-level undergraduate students. It is intended to inspire students to think about network security and prepare them for taking advanced network security courses. This book may also be used as a reference for IT professionals.

This book is structured into nine chapters.

Chapter 1 presents an overview of network security. It discusses network security goals, describes common network attacks, characterizes attackers, and defines a basic network security model.

Chapter 2 presents standard symmetric-key encryption algorithms, including DES, AES, and RC4. It discusses their strength and weaknesses. It also describes common block-cipher modes of operations and presents key generation algorithms.

Chapter 3 presents standard public-key encryption algorithms and key-exchange algorithms, including Diffie-Hellman key exchange, RSA public-key cryptosystem, and elliptic-curve cryptography. It also discusses how to transmit and manage keys.

Chapter 4 presents secure hash functions and message authentication code algorithms for the purpose of authenticating data, including the SHA-512 secure hash function, the WHIRLPOOL hash algorithm, cryptographic checksums, and the standard hash message authentication codes. It also presents the block-cipher offset-codebook mode of operations for producing ciphertext and message authentication code. It then discusses birthday attacks on secure hash functions, and describes the digital signature standard. Finally, this chapter introduces a dual signature scheme used for electronic transactions and a blind signature scheme used for producing electronic cash.

Chapter 5 presents several network security protocols commonly used in practice. It first describes a standard public-key infrastructure for managing public-key certificates. It then presents IPsec, a network-layer security protocol; SSL/TLS, a transport-layer security protocol; and several application-layer security protocols, including PGP and S/MIME for sending secure email messages, Kerberos for authenticating users in local area networks, and SSH for protecting remote logins.

Chapter 6 presents common security protocols for wireless local-area networks at the data-link layer, including WEP for providing wired-equivalent privacy, WPA and IEEE 802.11i/WPA2 for providing wireless protected access, and IEEE 802.1X for authenticating wireless users. It then presents the Bluetooth security protocol for wireless personal-area networks. Finally, it discusses security issues in wireless mesh networks.

Chapter 7 presents firewall technologies and basic structures, including network-layer packet filtering, transport-layer stateful inspections, transport-layer gateways, application-layer proxies, trusted systems and bastion hosts, firewall configurations and screened subnets, and network address translations.

Chapter 8 describes malicious software, such as viruses, worms, and Trojan horses, and introduces countermeasures. It also covers Web security and discusses mechanisms against denial of service attacks.


Chapter 9 presents intrusion detection technologies, including intrusion detection system architecture and common intrusion detection methods. It also discusses event signatures, statistical analysis, and data mining methods. Finally, it introduces honeypot technologies.

To get the most out of this book, readers are assumed to have taken undergraduate courses on discrete mathematics, algorithms, data communications, and network programming; or have equivalent preparations. For convenience, Chapter 3 includes a section reviewing basic concepts and results of number theory used in public-key cryptography. While it does not introduce socket programming, the book contains socket API client-server programming exercises. These exercises are designed for computer science and computer engineering students. Readers who do not wish to do them or simply do not have time to write code may skip them. Doing so would not affect learning the materials presented in the book.

Exercise problems are designed to have three levels of difficulty: regular, difficult (designated with *), and challenging (designated with **). This book contains a number of hands-on drills, presented as exercise problems. Readers are encouraged to try them all.

I have taught network security courses to graduate and senior undergraduate students for over ten years. And I have longed for a concise textbook with a balanced treatment of network security and sufficient depth suitable for teaching a one-semester introductory course for my students. This book is the result of this quest. It was written based on what I learned and experienced from teaching these courses and on student feedbacks accumulated over the years. In particular, I used an early draft of this book to teach a graduate network security course in 2006 and 2008 at University of Massachusetts Lowell, which helped me revise and enhance the materials presented in this book. Powerpoint slides of these lectures can be found at http://www.cs.uml.edu/~wang/NetSec.

Due to space limitations, some interesting topics and materials are not presented in this book. After all, one book can only accomplish one book's mission. I only hope that this book can achieve its objective. Of course, only you, the reader, can be the judge of it. I will be grateful if you can please offer your comments, suggestions, and corrections to me at [email protected].

I have benefited a great deal from numerous discussions over the years with my colleagues and teaching assistants, as well as current and former students. I am full of gratitude to them. I am grateful to Sarah Agha, Samip Banker, Stephen Brinton, Jeff Brown, William Brown, Jason Chan, Guanling Chen, Michael Court, Chunyan Du, Paul Duvall, Adam Elbirt, Zheng Fang, Jami Foran, Swati Gupta, Liwu Hao, Qiang Hou, Bei Huang, Jared Karro, Minghui (Mark) Li, Benyuan Liu, Yan (Jenny) Liu, Wenjing Lou, Jie Lu, David Martin, Paul Nelson, Alexander Pennace, Sandeep Sahu, Blake Skinner, Hengky Susanto, Nathaniel Tuck, Tao Wang, Christopher Woodard, Fang Wu, Jianhui Xie, Jie (Jane) Yang, Zhijun Yu, and Ning Zhong for their help. In particular, I thank Jared Karro for reading the early draft of this book, Stephen Brinton for reading Chapters 1-5 and 7-8, Guanling Chen for reading Chapter 6, and Wenjing Lou for reading Chapters 1-2 and 6. Their comments have helped improve this book in many ways.


I thank Ying Liu at the Higher Education Press for initiating this book project and editing this book.

I owe more than I can express to my wife Helen, my son Jesse, and my daughter Sharon for their understanding that I needed to spend long hours working on this project.

Lowell, Massachusetts

June 2008

Jie Wang


About the Author

Jie Wang is Professor and Chair of Computer Science at the University of Massachusetts Lowell (UML). He is also Director of the Center for Network and Information Security of UML. His first name "Jie" in Mandarin is pronounced similar to "Jed." He received Ph.D. degree in Computer Science from Boston University in 1990, M.S. degree in Computer Science from Zhongshan University in 1985, and B.S. degree in Computational Mathematics from Zhongshan University in 1982. He has over 18 years of teaching and research experience and is equipped with network security consulting experience in financial industry. His research interests include network security, algorithms and computational optimization, computational complexity theory, and wireless sensor networks. His research has been funded continuously by the National Science Foundation since 1991 and has also been funded by IBM, Intel, and the Natural Science Foundation of China. He has published over 95 journal and conference papers, two books and three edited books. He is active in professional service, including chairing conference program committees and organizing workshops.


Contents

1 Network Security Overview
  1.1 Mission and Definitions
  1.2 Common Attacks and Defense Mechanisms
    1.2.1 Eavesdropping
    1.2.2 Cryptanalysis
    1.2.3 Password Pilfering
    1.2.4 Identity Spoofing
    1.2.5 Buffer-Overflow Exploitations
    1.2.6 Repudiation
    1.2.7 Intrusion
    1.2.8 Traffic Analysis
    1.2.9 Denial of Service Attacks
    1.2.10 Malicious Software
  1.3 Attacker Profiles
    1.3.1 Hackers
    1.3.2 Script Kiddies
    1.3.3 Cyber Spies
    1.3.4 Vicious Employees
    1.3.5 Cyber Terrorists
    1.3.6 Hypothetical Attackers
  1.4 Basic Security Model
  1.5 Security Resources
  1.6 Closing Remarks
  1.7 Exercises

2 Data Encryption Algorithms
  2.1 Data Encryption Algorithm Design Criteria
    2.1.1 ASCII Code
    2.1.2 XOR Encryption
    2.1.3 Criteria of Data Encryptions
    2.1.4 Implementation Criteria
  2.2 Data Encryption Standard
    2.2.1 Feistel's Cipher Scheme
    2.2.2 DES Subkeys
    2.2.3 DES Substitution Boxes
    2.2.4 DES Encryption
    2.2.5 DES Decryption and Correctness Proof
    2.2.6 DES Security Strength
  2.3 Multiple DES
    2.3.1 Triple-DES with Two Keys
    2.3.2 2DES and 3DES/3
    2.3.3 Meet-in-the-Middle Attacks on 2DES
  2.4 Advanced Encryption Standard
    2.4.1 AES Basic Structures
    2.4.2 AES S-Boxes
    2.4.3 AES-128 Round Keys
    2.4.4 Add Round Keys
    2.4.5 Substitute-Bytes
    2.4.6 Shift-Rows
    2.4.7 Mix-Columns
    2.4.8 AES-128 Encryption
    2.4.9 AES-128 Decryption and Correctness Proof
    2.4.10 Galois Fields
    2.4.11 Construction of the AES S-Box and Its Inverse
    2.4.12 AES Security Strength
  2.5 Standard Block-Cipher Modes of Operations
    2.5.1 Electronic-Codebook Mode
    2.5.2 Cipher-Block-Chaining Mode
    2.5.3 Cipher-Feedback Mode
    2.5.4 Output-Feedback Mode
    2.5.5 Counter Mode
  2.6 Stream Ciphers
    2.6.1 RC4 Stream Cipher
    2.6.2 RC4 Security Weaknesses
  2.7 Key Generations
    2.7.1 ANSI X9.17 PRNG
    2.7.2 BBS Pseudorandom Bit Generator
  2.8 Closing Remarks
  2.9 Exercises

3 Public-Key Cryptography and Key Management
  3.1 Concepts of Public-Key Cryptography
  3.2 Elementary Concepts and Theorems in Number Theory
    3.2.1 Modular Arithmetic and Congruence Relations
    3.2.2 Modular Inverse
    3.2.3 Primitive Roots
    3.2.4 Fast Modular Exponentiation
    3.2.5 Finding Large Prime Numbers
    3.2.6 The Chinese Remainder Theorem
    3.2.7 Finite Continued Fractions
  3.3 Diffie-Hellman Key Exchange
    3.3.1 Key Exchange Protocol
    3.3.2 Man-in-the-Middle Attacks
    3.3.3 Elgamal PKC
  3.4 RSA Cryptosystem
    3.4.1 RSA Key Pairs, Encryptions, and Decryptions
    3.4.2 RSA Parameter Attacks
    3.4.3 RSA Challenge Numbers
  3.5 Elliptic-Curve Cryptography
    3.5.1 Commutative Groups on Elliptic Curves
    3.5.2 Discrete Elliptic Curves
    3.5.3 ECC Encodings
    3.5.4 ECC Encryption and Decryption
    3.5.5 ECC Key Exchange
    3.5.6 ECC Strength
  3.6 Key Distributions and Management
    3.6.1 Master Keys and Session Keys
    3.6.2 Public-Key Certificates
    3.6.3 CA Networks
    3.6.4 Key Rings
  3.7 Closing Remarks
  3.8 Exercises

4 Data Authentication
  4.1 Cryptographic Hash Functions
    4.1.1 Design Criteria of Cryptographic Hash Functions
    4.1.2 Quest for Cryptographic Hash Functions
    4.1.3 Basic Structure of Standard Hash Functions
    4.1.4 SHA-512
    4.1.5 WHIRLPOOL
  4.2 Cryptographic Checksums
    4.2.1 Exclusive-OR Cryptographic Checksums
    4.2.2 Design Criteria of MAC Algorithms
    4.2.3 Data Authentication Algorithm
  4.3 HMAC
    4.3.1 Design Criteria of HMAC
    4.3.2 HMAC Algorithm
  4.4 Offset Codebook Mode of Operations
    4.4.1 Basic Operations
    4.4.2 OCB Encryption and Tag Generation
    4.4.3 OCB Decryption and Tag Verification
  4.5 Birthday Attacks
    4.5.1 Complexity Upper Bound of Breaking Strong Collision Resistance
    4.5.2 Set Intersection Attack
  4.6 Digital Signature Standard
  4.7 Dual Signatures and Electronic Transactions
    4.7.1 Dual Signature Applications
    4.7.2 Dual Signatures and Electronic Transactions
  4.8 Blind Signatures and Electronic Cash
    4.8.1 RSA Blind Signatures
    4.8.2 Electronic Cash
  4.9 Closing Remarks
  4.10 Exercises

5 Network Security Protocols in Practice
  5.1 Crypto Placements in Networks
    5.1.1 Crypto Placement at the Application Layer
    5.1.2 Crypto Placement at the Transport Layer
    5.1.3 Crypto Placement at the Network Layer
    5.1.4 Crypto Placement at the Data-Link Layer
    5.1.5 Hardware versus Software Implementations of Cryptographic Algorithms
  5.2 Public-Key Infrastructure
    5.2.1 X.509 Public-Key Infrastructure
    5.2.2 X.509 Certificate Formats
  5.3 IPsec: A Security Protocol at the Network Layer
    5.3.1 Security Association
    5.3.2 Application Modes and Security Associations
    5.3.3 AH Format
    5.3.4 ESP Format
    5.3.5 Secret Key Determination and Distribution
  5.4 SSL/TLS: Security Protocols at the Transport Layer
    5.4.1 SSL Handshake Protocol
    5.4.2 SSL Record Protocol
  5.5 PGP and S/MIME: Email Security Protocols
    5.5.1 Basic Email Security Mechanisms
    5.5.2 PGP
    5.5.3 S/MIME
  5.6 Kerberos: An Authentication Protocol
    5.6.1 Basic Ideas
    5.6.2 Single-Realm Kerberos
    5.6.3 Multiple-Realm Kerberos
  5.7 SSH: Security Protocols for Remote Logins
  5.8 Closing Remarks
  5.9 Exercises

6 Wireless Network Security
  6.1 Wireless Communications and 802.11 WLAN Standards
    6.1.1 WLAN Architecture
    6.1.2 802.11 Essentials
    6.1.3 Wireless Security Vulnerabilities
  6.2 WEP
    6.2.1 Device Authentication and Access Control
    6.2.2 Data Integrity Check
    6.2.3 LLC Frame Encryption
    6.2.4 Security Flaws of WEP
  6.3 WPA
    6.3.1 Device Authentication and Access Controls
    6.3.2 TKIP Key Generations
    6.3.3 TKIP Message Integrity Code
    6.3.4 TKIP Key Mixing
    6.3.5 WPA Encryption and Decryption
    6.3.6 WPA Security Strength and Weaknesses
  6.4 IEEE 802.11i/WPA2
    6.4.1 Key Generations
    6.4.2 CCMP Encryptions and MIC
    6.4.3 802.11i Security Strength and Weaknesses
  6.5 Bluetooth Security
    6.5.1 Piconets
    6.5.2 Secure Pairings
    6.5.3 SAFER+ Block Ciphers
    6.5.4 Bluetooth Algorithms E1, E21, and E22
    6.5.5 Bluetooth Authentication
    6.5.6 A PIN Cracking Attack
    6.5.7 Bluetooth Secure Simple Pairing
  6.6 Wireless Mesh Network Security
  6.7 Closing Remarks
  6.8 Exercises

7 Network Perimeter Security
  7.1 General Framework
  7.2 Packet Filters
    7.2.1 Stateless Filtering
    7.2.2 Stateful Filtering
  7.3 Circuit Gateways
    7.3.1 Basic Structures
    7.3.2 SOCKS
  7.4 Application Gateways
    7.4.1 Cache Gateways
    7.4.2 Stateful Packet Inspections
  7.5 Trusted Systems and Bastion Hosts
    7.5.1 Trusted Operating Systems
    7.5.2 Bastion hosts and Gateways
  7.6 Firewall Configurations
    7.6.1 Single-Homed Bastion Host System
    7.6.2 Dual-Homed Bastion Host System
    7.6.3 Screened Subnets
    7.6.4 Demilitarized Zones
    7.6.5 Network Security Topology
  7.7 Network Address Translations
    7.7.1 Dynamic NAT
    7.7.2 Virtual Local-Area Networks
    7.7.3 Small Office and Home Office Firewalls
  7.8 Setting Up Firewalls
    7.8.1 Security Policy
    7.8.2 Building A Linux Stateless Packet Filter
  7.9 Closing Remarks
  7.10 Exercises

8 The Art of Anti Malicious Software
  8.1 Viruses
    8.1.1 Virus Types
    8.1.2 Virus Infection Schemes
    8.1.3 Virus Structures
    8.1.4 Compressor Viruses
    8.1.5 Virus Disseminations
    8.1.6 Win32 Virus Infection Dissection
    8.1.7 Virus Creation Toolkits
  8.2 Worms
    8.2.1 Common Worm Types
    8.2.2 The Morris Worm
    8.2.3 The Melissa Worm
    8.2.4 Email Attachments
    8.2.5 The Code Red Worm
    8.2.6 Other Worms Targeted at Microsoft Products
  8.3 Virus Defense
    8.3.1 Standard Scanning Methods
    8.3.2 Anti-Virus Software Products
    8.3.3 Virus Emulator
  8.4 Trojan Horses
  8.5 Hoaxes
  8.6 Peer-to-Peer Security
    8.6.1 P2P Security Vulnerabilities
    8.6.2 P2P Security Measures
    8.6.3 Instant Messaging
  8.7 Web Security
    8.7.1 Basic Types of Web Documents
    8.7.2 Security of Web Documents
    8.7.3 ActiveX
    8.7.4 Cookies
    8.7.5 Spyware
    8.7.6 AJAX Security
    8.7.7 Safe Web Surfing
  8.8 Distributed Denial of Service Attacks
    8.8.1 Master-Slave DDoS Attacks
    8.8.2 Master-Slave-Reflector DDoS Attacks
    8.8.3 DDoS Attacks Countermeasures
  8.9 Closing Remarks
  8.10 Exercises

9 The Art of Intrusion Detection
  9.1 Basic Ideas of Intrusion Detection
    9.1.1 Basic Methodology
    9.1.2 Auditing
    9.1.3 IDS Components
    9.1.4 IDS Architecture
    9.1.5 Intrusion Detection Policies
    9.1.6 Unacceptable Behaviors
  9.2 Network-Based Detections and Host-Based Detections
    9.2.1 Network-Based Detections
    9.2.2 Host-Based Detections
  9.3 Signature Detections
    9.3.1 Network Signatures
    9.3.2 Host-Based Signatures
    9.3.3 Outsider Behaviors and Insider Misuses
    9.3.4 Signature Detection Systems
  9.4 Statistical Analysis
    9.4.1 Event Counter
    9.4.2 Event Gauge
    9.4.3 Event Timer
    9.4.4 Resource Utilization
    9.4.5 Statistical Techniques
  9.5 Behavioral Data Forensics
    9.5.1 Data Mining Techniques
    9.5.2 A Behavioral Data Forensic Example
  9.6 Honeypots
    9.6.1 Types of Honeypots
    9.6.2 Honeyd
    9.6.3 MWCollect Projects
    9.6.4 Honeynet Projects
  9.7 Closing Remarks
  9.8 Exercises

A 7-bit ASCII code
B SHA-512 Constants (in hexadecimal)
C Data Compression using ZIP
D Base64 Encoding
E Cracking WEP Keys using WEPCrack
  E.1 System Setup
  E.2 Experiment Details
  E.3 Sample Code
F Acronyms

References

Index