Friday, May 28, 2010

XP TRICKS VIDEO

NETWORK SECURITY


Abstract:
Network security is a complicated subject, historically tackled only by well-trained and experienced experts. However, as more and more people become "wired", an increasing number of people need to understand the basics of security in a networked world. In this document we discuss some of the network security issues in TCP/IP.
The Transmission Control Protocol/Internet Protocol (TCP/IP) suite is a very widely used technique employed to interconnect computing facilities in modern network environments; TCP/IP is the "language" of the Internet. Anything that can learn to "speak TCP/IP" can play on the Internet. However, there exist several security vulnerabilities in the TCP specification and additional weaknesses in a number of widely available implementations of TCP. These vulnerabilities may enable an intruder to "attack" TCP-based systems, allowing him or her to "hijack" a TCP connection or cause denial of service to legitimate users. We discuss some of the flaws present in the TCP implementations of many widely used operating systems and provide recommendations to improve the security state of a TCP-based system, e.g., incorporation of a "timer escape route" from every TCP state.
Keywords and phrases:
Network security, TCP, IP, Vulnerability analysis, state transitions
INTRODUCTION:
Internetworking is an approach that allows dissimilar computers on dissimilar networks to communicate with one another in a seamless fashion by hiding the details of the underlying network hardware. The most widely used form of internetworking is provided by the Transmission Control Protocol/Internet Protocol (TCP/IP) suite.
There are some inherent security problems in the TCP/IP suite which make the situation conducive to intruders. TCP sequence number prediction, IP address spoofing, misuse of IP's source routing principle, use of Internet Control Message Protocol (ICMP) messages, denial of service, etc. are some of the methods used to exploit the network's vulnerabilities. Considering the fact that most important application programs, such as the Simple Mail Transfer Protocol (SMTP), Telnet, the r-commands (rlogin, rsh, etc.), the File Transfer Protocol (FTP), etc., have TCP as their transport layer, security flaws in TCP can prove to be very hazardous for the network.
The objectives of this paper are to identify and analyze the vulnerabilities of TCP/IP and to develop security enhancements to overcome those flaws. Our work is based on analyzing the state transition diagram of TCP and determining the security relevance of some of the “improperly-defined” transitions between different states in the state transition diagram of many widely used TCP code implementations.
BASICS OF TCP/IP:
NETWORKING WITH TCP/IP:
Network protocols employ a structured and layered approach, with each layer performing a separate function. This approach helps in developing individual layers without modifying adjacent layers. Networking using the TCP/IP suite can be viewed as a combination of four layers. The layers are as below.
The lowest layer, the data link layer, contains the network interface, connecting the system with the physical media.
The next layer is the internet layer or the network layer. It assists with the movement of packets in the network.
User processes interact with the network layer through the transport layer. The transmission control protocol is the most common transport layer used in modern networking environments. TCP provides reliable data transfer between different application processes over the network. TCP provides flow control and congestion control as well.
The Application layer handles the details of a particular application. This layer interacts with the user, gets data from the user, and sends the buffered data to the transport layer.
TRANSPORT LAYER:
Among all of the transport layers, TCP is the most popular. Below, we examine the details of the header format of TCP along with the TCP state-transition diagram and TCP timers.
TCP HEADER
The size of the TCP header is 20 bytes, without counting its options, as shown in the figure. Each TCP segment contains the source and destination port numbers to identify the sending and receiving application programs, respectively. The sequence number is essential to keep the bytes of data from the sender to the receiver in proper order. By communicating the sequence number and the corresponding acknowledgement number, the sender and the receiver can determine lost or retransmitted data in the connection. There are six flag bits in the TCP header, namely URG, ACK, PSH, RST, SYN and FIN. At any given time, one or more of these bits can be set.
TCP provides flow control by advertising the window size. The checksum covers TCP header and TCP data and assists in determining any error in transmission of TCP header or data. TCP’s urgent mode is a method for the sender to transmit emergency/urgent data. The urgent pointer is valid only if the URG flag is set in the header. It helps to locate the sequence number of the last byte of urgent data. There is an optional options field as well, taking care of vendor specific information.
TCP STATE TRANSITION DIAGRAM
Initiation, establishment, and termination of a connection is governed by the TCP state transition diagram, which consists of well-defined states and transition arcs between these states.
TCP TIMERS
The TCP state transition diagram is very closely associated with timers. There are various timers associated with connection establishment or termination, flow control, and retransmission of data.
A connection-establishment timer is set when the SYN packet is sent during the connection-establishment phase. If a response is not received within 75 seconds (in most TCP implementations), the connection establishment is aborted.
A FIN_WAIT_2 timer is set to 10 minutes when a connection moves from the FIN_WAIT_1 state to the FIN_WAIT_2 state. If the connection does not receive a TCP packet with the FIN bit set within the stipulated time, the timer expires and is set to 75 seconds. If no FIN packet arrives within that time, the connection is dropped.
There is a TIME_WAIT timer, often called the 2 MSL (maximum segment lifetime) timer. It is set when a connection enters the TIME_WAIT state. When the timer expires, the kernel data blocks related to that particular connection are deleted, and the connection is terminated.
A keep-alive timer can be set which periodically checks whether the other end of the connection is still active. If the SO_KEEPALIVE socket option is set, and if the TCP state is either ESTABLISHED or CLOSE_WAIT and the connection is idle, then probes are sent to the other end of the connection once every 2 hours. If the other end does not respond to a fixed number of these probes, the connection is terminated.
Additional TCP timers such as persist timer, delayed ACK timer, and retransmission timer are not relevant for our purposes here and, hence are not discussed.
VULNERABILITIES:
IP SPOOFING:
INSTANCES
The concept of attacks on TCP/IP such as TCP sequence number guessing was first brought to light by Morris. The Computer Emergency Response Team (CERT) Coordination Center received reports of attacks in which intruders created packets with spoofed source IP addresses. These attacks exploit applications that use authentication based on IP address. Intruder activity in spoofing IP addresses can lead to unauthorized remote access to systems behind a filtering router firewall.
On Christmas Day, 1994, Kevin Mitnick broke into the computer of Tsutomu Shimomura, a computational physicist at the San Diego Supercomputer Center. Prior to this attack, Mitnick had found his way into the WELL, a small network used mainly by an eclectic group of about 11,000 computer users in the San Francisco Bay area. Mitnick had been reading the electronic mail of the WELL's subscribers and using WELL accounts for remote attacks on computers across the Internet. During the attack on Shimomura's machine, two different intrusion mechanisms were employed. IP source address spoofing and TCP sequence number prediction were used to gain initial access to a diskless workstation, being used mostly as an X terminal. After obtaining root access, Mitnick "hijacked" an existing connection to another system by means of a loadable kernel STREAMS module.
METHODOLOGY:
Let us assume that there are three hosts, host A, host B, and the intruder-controlled host X. Let us assume that B grants A some special privileges, and thus A can get some actions performed by B. The goal of X is to get the same actions done by B for itself. In order to achieve this goal, X has to do two things: first, establish a forged connection with B, and second, prevent A from informing B of any malfunction of the network authentication system. Host X has to spoof the IP address of A in order to make B believe that the packets from X are actually being sent by A.
Let us also assume that the hosts A and B communicate with one another by the following three-way handshake mechanism of TCP/IP. The handshake is depicted below:
A → B: SYN (seq no = M)
B → A: SYN (seq no = N), ACK (ack no = M+1)
A → B: ACK (ack no = N+1)
Host X does the following to perform IP spoofing. First, it sends a SYN packet to host B with some random sequence number, posing as host A. Host B responds to it by sending a SYN+ACK packet back to host A with an acknowledgement number equal to one added to the original sequence number. At the same time, host B generates its own sequence number and sends it along with the acknowledgement number. In order to complete the three-way handshake, host X should send an ACK packet back to host B with an acknowledgement number equal to one added to the sequence number sent by host B to host A. If we assume that host X is not present in the same subnet as A or B, so that it cannot sniff B's packets, host X has to figure out B's sequence number in order to create the TCP connection.
These steps are depicted below:
X → B: SYN (seq no = M), SRC = A
B → A: SYN (seq no = N), ACK (ack no = M+1)
X → B: ACK (ack no = N+1), SRC = A
At the same time, host X should take away the host A’s ability to respond to the packets of host B. To achieve this, X may either wait for host A to go down (for some reason), or block the protocol part of the operating system so that it does not respond to host B, for example by flooding B with incomplete connections.
THE ATTACK:
During the Christmas Day, 1994 attack, Shimomura observed a sequence of packets that were generated to perform IP spoofing. Let us continue with the previous example, with X as the intruder-controlled system, and observe the actions performed by the intruder.
Step 1. X sends a number of probe packets to B and A, trying to determine whether there exists any kind of trust relationship between hosts A and B. Commands such as showmount, rpcinfo and finger were utilized for this purpose.
Step 2. X sends a number of TCP SYN packets (i.e., packets with the SYN flag set) with some arbitrary initial sequence numbers to host A. However, the source IP addresses of these packets have been forged, so that they appear to be coming from some host which does not exist in the network. Host A responds to these packets by sending corresponding SYN-ACK packets to the non-existent hosts. As there are no corresponding ACK packets to the packets sent by A, the three-way handshake is never completed. The connection queue for port 513 (the login port) of A fills up with connection setup requests. Thus the port will not be able to generate RST packets in response to unexpected SYN-ACK packets.
Step 3. X sends a number of connection request packets (SYN packets) to host B. When host B responds to them by sending corresponding SYN-ACK packets to X, X sends RST packets to B. Thus the three-way handshake is not completed and TCP connections are never established between B and X. The purpose of this step is to determine the behavior of B's TCP sequence number generator. The sequence numbers obtained from B for each new connection are analyzed by X; the periodicity of these numbers is determined, and this data will be used by X in the next step to generate and send a forged packet to B with a forged sequence number.
Step 4. X creates a forged SYN packet with the same source IP address as host A. X sends this packet to B. B sends a corresponding SYN-ACK packet to A. However, A is ignoring all of the new packets coming to its login port; it will not send any RST packet to B in response to the unexpected SYN-ACK packets from B.
Step 5. X does not receive the SYN-ACK packet sent by B to A (assuming X is present in a different subnet). However, X is in a position to predict the sequence number present in B's SYN-ACK packet. X generates and sends a forged ACK packet to B with the same source host address as A and an acknowledgement number corresponding to the sequence number in B's SYN-ACK packet. B assumes that the three-way handshake has been successfully performed. Hence, there is a one-way TCP connection established from X to B.
Step 6. Host X is now in a position to send commands to B. B will perform these commands, assuming that they are being sent by the trusted host A.
Problems with TCP state Transitions :
Let us take a closer look at Step 2. The intruder-controlled host X is able to stall the login port of host A by sending a series of SYN packets but not sending the ACK packets corresponding to the SYN-ACK packets from A to X. As we have observed before, TCP maintains a connection-establishment timer. If a connection does not get established within a stipulated time (typically 75 seconds), TCP resets the connection. Thus, in our previous example, the server port will not be able to respond for a duration of 75 seconds.
Extraneous State Transitions :
Consider a sequence of packets between hosts X and A. X sends a packet to A with both SYN and FIN flags set. A responds by sending an ACK packet back to X, as illustrated below.
X → A: SYN FIN (seq no = M)
A → X: ACK (ack no = M+1)
Examining the state-transition diagram in the figure, we observe that A is initially in state LISTEN. When it receives the packet from X, it starts processing the packet. It processes the SYN flag first, then transitions to the SYN_RCVD state. Then it processes the FIN flag and performs a transition to the state CLOSE_WAIT. Had the previous state been ESTABLISHED, this transition to the CLOSE_WAIT state would have been a (normal) transition. However, a transition from the SYN_RCVD state to the CLOSE_WAIT state is not defined in the TCP specifications. This phenomenon occurs in several TCP implementations, such as those in the operating systems SunOS 4.1.3, SVR4 and ULTRIX 4.3. Thus, contrary to specifications, there exists in several TCP implementations a transition arc from the state SYN_RCVD to the state CLOSE_WAIT, as shown in the figure.
Security Relevance
In our example attack scenario, the TCP connection is not yet fully established since the 3-way handshake is not completed; thus, the corresponding network application never got the connection from the kernel. However, host A's TCP "machine" is in the CLOSE_WAIT state and is expecting the application to send a close signal so that it can send a FIN packet to X and terminate the connection. This half-open connection does not send any message to help TCP perform any state transition. Thus, A's TCP "machine" gets stuck in the CLOSE_WAIT state. If the keep-alive timer feature is enabled, TCP will be able to reset the connection and perform a transition to the CLOSED state after a period of usually two hours.
The intruder-controlled host X needs to perform the following steps to wedge A's operating system so that it cannot respond to unexpected SYN-ACKs from other hosts for as long as two hours.
• X sends a packet to host A with the SYN and FIN flags set. A responds with an ACK packet. A changes its state from CLOSED/LISTEN to SYN_RCVD and then to CLOSE_WAIT.
• X does not send any more packets to A, thus preventing any TCP state transition in A.
Thus, we observe that extraneous state transitions exist in several implementations of TCP, and these may lead to severe violations of the system.
Experiments and Results
Assume that there are three hosts, host A, host B, and the intruder-controlled host X. We will see what happens in the IP spoofing attack and with extraneous state transitions.
Stalling a port
• An ftp connection is initiated from the "intruder" machine X to A.
• The TCP layer of X sends a SYN packet to A. A responds by sending a SYN-ACK packet, and performs a state transition to the SYN_RCVD state.
• X does not send any other packet to A. A remains in the SYN_RCVD state until the connection-establishment timer expires.
The sequence of packets, as observed in the output of tcpdump [10], is as follows:
23:26:51.475103 X.32781 > A.ftp: S 4188491776:4188491776(0) win 8760 (DF)
23:26:51.477716 A.ftp > X.32781: S 1382592000:1382592000(0) ack 4188491777 win 4096
We observe that port 32781 of X sends a SYN packet to the "ftp" port of A with an initial sequence number of 4188491776 and an initial window advertisement of 8760 at time 23:26:51.475103. A, in turn, responds with a SYN-ACK packet, with an initial sequence number of 1382592000 and an acknowledgement number of 4188491777, at time 23:26:51.477716.
However, X did not send any other packet, and so A gets stuck in the SYN_RCVD state for around 75 seconds.
Spurious state transition
To generate the spurious state transition from the SYN_RCVD state to the CLOSE_WAIT state, we employed the following steps:
• We start an ftp connection from X to A.
• In order to start the connection, X sends a SYN-FIN TCP packet to A.
• A responds with an ACK packet.
• X does not send any other packet to A.
Using tcpdump, we observed the following sequence of packets in the network:
21:41:05.177249 X.32780 > A.ftp: SF 1550373888:1550373888(0) win 8760
21:41:05.177606 A.ftp > X.32780: . ack 1550373890 win 4096
Had there been no spurious state transition from SYN_RCVD to the CLOSE_WAIT state in the TCP implementation in the OS of A, the TCP "machine" of A would have waited in the SYN_RCVD state until the connection-establishment timer expired. However, the netstat command on A gave us the following output:
tcp 0 0 A.ftp X.32780 CLOSE_WAIT
This clearly indicates that there exists a TCP connection between the "ftp" port of A and port 32780 of X, and that the connection is in the CLOSE_WAIT state. The connection remains in this state on A long after the peer host closed the connection on its side.
We obtained similar results with the TCP implementation of the ULTRIX 4.3 OS as well.
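The two captures above can be checked mechanically rather than by eye. The following Python is an added example, not code from the paper: it parses tcpdump lines in the one-line form used above (each packet on a single line), flags segments that carry SYN and FIN together, and lists connections whose SYN-ACK was never acknowledged by the initiator, i.e. connections the server is holding in SYN_RCVD. The sample capture, the host names X, A and C, and all numbers in it are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample capture in one-line tcpdump style (hosts X, A and C; every number is made up).
# Lines 1-2 mirror the "stalling a port" capture, lines 3-4 the SYN-FIN capture,
# and lines 5-7 are a normal, completed handshake for contrast.
SAMPLE_CAPTURE = """\
23:26:51.475103 X.32781 > A.ftp: S 4188491776:4188491776(0) win 8760 (DF)
23:26:51.477716 A.ftp > X.32781: S 1382592000:1382592000(0) ack 4188491777 win 4096
21:41:05.177249 X.32780 > A.ftp: SF 1550373888:1550373888(0) win 8760
21:41:05.177606 A.ftp > X.32780: . ack 1550373890 win 4096
21:42:10.000001 C.40000 > A.ftp: S 100:100(0) win 8760
21:42:10.000500 A.ftp > C.40000: S 200:200(0) ack 101 win 4096
21:42:10.001000 C.40000 > A.ftp: . ack 201 win 8760
"""

# timestamp host.port > host.port: FLAGS [seq:end(len)] [ack N] [win N] ...
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[^\s.]+)\.(?P<sport>\S+) > (?P<dst>[^\s.]+)\.(?P<dport>[^\s:]+): "
    r"(?P<flags>[SFRP.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r"(?: win (?P<win>\d+))?"
)

@dataclass
class Segment:
    ts: str
    src: str
    sport: str
    dst: str
    dport: str
    flags: str
    seq: Optional[int]
    ack: Optional[int]
    win: Optional[int]

def _to_int(value):
    return int(value) if value is not None else None

def parse_line(line: str) -> Optional[Segment]:
    """Parse one tcpdump line; return None for lines that are not TCP segments in this form."""
    m = LINE_RE.match(line)
    if not m:
        return None
    g = m.groupdict()
    return Segment(g["ts"], g["src"], g["sport"], g["dst"], g["dport"], g["flags"],
                   _to_int(g["seq"]), _to_int(g["ack"]), _to_int(g["win"]))

def parse_capture(text: str) -> List[Segment]:
    return [s for s in (parse_line(line) for line in text.splitlines()) if s is not None]

def find_syn_fin(segments):
    """SYN and FIN set together: not a legitimate combination, and the trigger for SYN_RCVD -> CLOSE_WAIT."""
    return [s for s in segments if "S" in s.flags and "F" in s.flags]

def find_half_open(segments) -> List[Tuple[str, str, str, str]]:
    """Connections where the server's SYN-ACK was never acknowledged by the client.

    Returns (client, client_port, server, server_port) tuples: the entries a server is holding in SYN_RCVD.
    """
    syn_ack_isn = {}      # (client, cport, server, sport) -> server's ISN from its SYN-ACK
    completed = set()
    for s in segments:
        if "S" in s.flags and s.ack is not None:            # SYN-ACK, sent server -> client
            syn_ack_isn[(s.dst, s.dport, s.src, s.sport)] = s.seq
        elif s.flags == "." and s.ack is not None:          # pure ACK, possibly the handshake's third step
            key = (s.src, s.sport, s.dst, s.dport)
            if key in syn_ack_isn and s.ack == syn_ack_isn[key] + 1:
                completed.add(key)
    return sorted(k for k in syn_ack_isn if k not in completed)

if __name__ == "__main__":
    segs = parse_capture(SAMPLE_CAPTURE)
    for s in find_syn_fin(segs):
        print(f"{s.ts} SYN+FIN from {s.src}.{s.sport} to {s.dst}.{s.dport}")
    for client, cport, server, sport in find_half_open(segs):
        print(f"half-open: {server}.{sport} still waiting for the ACK from {client}.{cport}")
```

Run over a real tcpdump text file, the two checks are plain indicators of the conditions discussed above: a SYN-FIN segment should not appear in normal traffic, and a growing list of unacknowledged SYN-ACKs on one port is what a stalled connection queue looks like from the wire.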
Recommendations
There is no easy way to prevent IP spoofing. We may perform the following tasks to protect our systems from this sort of attack. First, we may configure the routers and gateways in our networks such that they do not allow connections from outside with a source IP address the same as that of any of the systems within the local subnet. Also, they should not route packets from a host in the local subnet to the outside when the source IP address of the packet is not one present in the local subnet. Second, encrypt the packets before sending them to the network. Though this process requires extensive change in the present networking environment, it will ensure the integrity and authenticity of data.
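The first recommendation, ingress and egress filtering at the routers, can be written as two rules. The following Python is an added illustration, not from the paper; the local subnet 192.0.2.0/24 and the sample packets are assumed values chosen for the example.

```python
import ipaddress

# Assumed local subnet (a documentation address range, not a real site).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

def border_filter(direction, src, dst, local_net=LOCAL_NET):
    """Apply the two anti-spoofing rules from the text at the site border.

    direction: "in" for a packet arriving from outside, "out" for a packet leaving the site.
    Returns (verdict, reason); verdict is "accept" or "drop".
    """
    source = ipaddress.ip_address(src)
    if direction == "in" and source in local_net:
        # Rule 1: nothing arriving from outside may claim one of our own addresses.
        return "drop", "ingress: outside packet claims a local source address"
    if direction == "out" and source not in local_net:
        # Rule 2: nothing we forward outward may carry a source address that is not ours.
        return "drop", "egress: inside packet carries a non-local source address"
    return "accept", ""

# Constructed sample traffic: (direction, source, destination)
SAMPLE_PACKETS = [
    ("in",  "203.0.113.5",  "192.0.2.20"),   # ordinary inbound packet
    ("in",  "192.0.2.10",   "192.0.2.20"),   # spoofed: outside packet posing as an inside host
    ("out", "192.0.2.10",   "203.0.113.5"),  # ordinary outbound packet
    ("out", "198.51.100.7", "203.0.113.5"),  # spoofed: inside host posing as another site
]

def run_filter(packets=SAMPLE_PACKETS):
    """Return one (verdict, reason) per packet and log the drops."""
    results = []
    for direction, src, dst in packets:
        verdict, reason = border_filter(direction, src, dst)
        if verdict == "drop":
            print(f"DROP {direction:>3} {src} -> {dst}: {reason}")
        results.append((verdict, reason))
    return results

if __name__ == "__main__":
    run_filter()
```

The egress rule is the one most often left out; it protects other sites from packets forged on our side, and it is what would have stopped the forged packets in the attack above from ever leaving X's network.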
To prevent the spurious state transition from the SYN_RCVD state to the CLOSE_WAIT state, we should request the OS vendors to modify the relevant part of the source code in their TCP implementation. In other words, when the TCP "machine" is in the SYN_RCVD state, it should neglect any FIN packets that it might receive from a peer host.
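The handshake, the connection-establishment timer, the extraneous SYN_RCVD to CLOSE_WAIT transition and the fix just proposed can all be exercised in a small model. The following Python is an added example, not code from the paper or from any operating system; the class, the timer values (75 seconds and two hours, taken from the text) and the simplification that a keep-alive expiry drops the connection straight to CLOSED are assumptions of the model.

```python
# Timer values as stated in the text (assumed to be the only timers that matter here).
CONNECTION_ESTABLISHMENT_TIMEOUT = 75        # seconds
KEEPALIVE_IDLE = 2 * 60 * 60                 # seconds of idleness before keep-alive gives up (probe phase collapsed)

class TcpEndpoint:
    """Minimal model of the passive (server) side of a TCP connection.

    ignore_fin_in_syn_rcvd=False reproduces the flawed stacks described in the text,
    which process a FIN while still in SYN_RCVD; True applies the recommended fix.
    """

    def __init__(self, ignore_fin_in_syn_rcvd=True, keepalive=False):
        self.state = "LISTEN"
        self.ignore_fin_in_syn_rcvd = ignore_fin_in_syn_rcvd
        self.keepalive = keepalive
        self.timers = {}          # timer name -> expiry on the simulation clock (seconds)
        self.trace = ["LISTEN"]   # every state visited, in order

    def _enter(self, state):
        self.state = state
        self.trace.append(state)

    def receive(self, flags, now):
        """Process one segment; flags is a set drawn from {"SYN", "ACK", "FIN"}."""
        if self.state == "LISTEN" and "SYN" in flags:
            self._enter("SYN_RCVD")            # the SYN-ACK would be sent here
            self.timers["connection_establishment"] = now + CONNECTION_ESTABLISHMENT_TIMEOUT
        if self.state == "SYN_RCVD" and "ACK" in flags:
            self._enter("ESTABLISHED")         # handshake complete
            self.timers.pop("connection_establishment", None)
            if self.keepalive:
                self.timers["keepalive"] = now + KEEPALIVE_IDLE
        if "FIN" in flags:
            if self.state == "ESTABLISHED":
                self._enter("CLOSE_WAIT")      # the normal, specified transition
            elif self.state == "SYN_RCVD" and not self.ignore_fin_in_syn_rcvd:
                # Extraneous transition: the flawed stacks process the FIN right after the SYN.
                self._enter("CLOSE_WAIT")
                # CLOSE_WAIT has no timer of its own, so the establishment timer no longer guards us.
                self.timers.pop("connection_establishment", None)
                if self.keepalive:
                    self.timers["keepalive"] = now + KEEPALIVE_IDLE
            # With the fix, a FIN in SYN_RCVD is neglected and the establishment timer stays armed.

    def tick(self, now):
        """Fire the first expired timer, if any; every timer here is an escape route to CLOSED."""
        for name, expiry in self.timers.items():
            if now >= expiry:
                self.timers = {}
                self._enter("CLOSED")
                return name
        return None

def simulate(flags, ignore_fin_in_syn_rcvd, keepalive=False, horizon=3 * 60 * 60):
    """Deliver one segment at t=0, then run the clock. Returns (final state, escape time, timer that fired, trace)."""
    endpoint = TcpEndpoint(ignore_fin_in_syn_rcvd, keepalive)
    endpoint.receive(set(flags), 0)
    for t in range(horizon + 1):
        fired = endpoint.tick(t)
        if fired:
            return endpoint.state, t, fired, endpoint.trace
    return endpoint.state, None, None, endpoint.trace

if __name__ == "__main__":
    print("SYN only, any stack:        ", simulate({"SYN"}, True))
    print("SYN+FIN, flawed stack:      ", simulate({"SYN", "FIN"}, False))
    print("SYN+FIN, flawed + keepalive:", simulate({"SYN", "FIN"}, False, keepalive=True))
    print("SYN+FIN, fixed stack:       ", simulate({"SYN", "FIN"}, True))
```

The four cases the block prints are: a lone SYN, which any stack escapes after 75 seconds; a SYN-FIN on the flawed stack, which sits in CLOSE_WAIT with no timer armed; the same with keep-alive enabled, which escapes only after two hours; and a SYN-FIN on the fixed stack, where neglecting the FIN leaves the establishment timer as the escape route. The model also makes the abstract's broader point concrete: a state that can be entered without a running timer is a state a peer can park you in.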

DATA WAREHOUSING


A data warehouse is a store of information organized in a unified data model.
A data warehouse is a relational database that is designed for query and analysis rather than for transaction processing. It usually contains historical data derived from transaction data, but it can include data from other sources. It separates analysis workload from transaction workload and enables an organization to consolidate data from several sources.
In this paper we explain the characteristics, architectures and processes involved in data warehousing.
Characteristics of a data warehouse are
• Subject oriented
• Integrated
• Non volatile
• Time variant
Data warehouses and their architectures vary depending upon the specifics of an organization's situation. Three common architectures are:
• Data warehouse Architecture (Basic)
• Data warehouse Architecture (With a staging area)
• Data warehouse Architecture (With a staging area and Data Marts)
Data warehousing involves data pre-processing; those methods are explained in this paper as well. Thus this paper gives an overview of data warehousing concepts.
Introduction
A data warehouse is a collection of data gathered and organized so that it can easily be analyzed, extracted, synthesized, and otherwise used for the purpose of further understanding the data. It may be contrasted with data that is gathered to meet immediate business objectives such as order and payment transactions, although this data would also usually become part of a data warehouse.
A data warehouse is, primarily, a record of an enterprise's past transactional and operational information, stored in a database designed to favour efficient data analysis and reporting (especially OLAP). Data warehousing is not meant for current, "live" data.
Characteristics of a data warehouse:
• Subject oriented
• Integrated
• Non volatile
• Time variant
Subject Oriented
Data warehouses are designed to help you analyze data. For example, to learn more about your company's sales data, you can build a warehouse that concentrates on sales. Using this warehouse, you can answer questions like "Who was our best customer for this item last year?"
This ability to define a data warehouse by subject matter, sales in this case, makes the data warehouse subject oriented.
Integrated
Integration is closely related to subject orientation. Data warehouses must put data from disparate sources into a consistent format. They must resolve such problems as naming conflicts and inconsistencies among units of measure. When they achieve this, they are said to be integrated.
Nonvolatile
Nonvolatile means that, once entered into the warehouse, data should not change. This is logical because the purpose of a warehouse is to enable you to analyze what has occurred.
Time Variant
In order to discover trends in business, analysts need large amounts of data. This is very much in contrast to online transaction processing (OLTP) systems, where performance requirements demand that historical data be moved to an archive. A data warehouse's focus on change over time is what is meant by the term time variant.
Data warehouse architecture:
Data warehouse architecture is a description of the elements and services of the warehouse, with details showing how the components will fit together and how the system will grow over time. Three common architectures are:
• Data warehouse Architecture (Basic)
• Data warehouse Architecture (With a staging area)
• Data warehouse Architecture (With a staging area and Data Marts)

Data from the operational systems are
• Extracted
• Cleansed
• Transformed
• Loaded & Propagated
Extraction
Data Warehouse Manager supports standard SQL-style inner, outer and exception file joins, as well as joins based on derived fields, one-to-many relationships, file members, unique key fields, and file unions. You may extract data from both local and distributed databases when OS/400 Distributed Data Base Management (DDM) is in use.
Record selection and new field calculation criteria may be defined in the extraction object or left for ad hoc entry at run-time. CL programs may also be used to pass ad hoc criteria into the extraction object. NGS provides sample CL source programs to illustrate this capability. Data Warehouse Manager also supports full Boolean selection logic and a timesaving
Transformation
The data transformation capabilities of Data Warehouse Manager convert numeric codes for inventory items, employees, departments and other business terms into meaningful, descriptive values. You can also convert dates into consistent formats and generate summary fields such as gross-to-net, gross margin and more. Other transformation functions allow you to create fields representing items such as integer keys, elapsed days and time, absolute values, remainders, etc
Cleansing
Data Warehouse Manager can handle many data cleansing requirements and provides Application Program Interfaces (APIs) for custom cleansing programs or third-party tools.
Loading and Propagation
Data Warehouse Manager builds DB2 UDB for iSeries 400 database files, which may be accessed by numerous IBM and third-party software tools.
These files may be generated in summary or detail as required. Key fields may be assigned to support the designated star schema warehouse architectures. Depending on the object's attributes, the output may create, replace or append a DB2 UDB file.
Data pre-processing
Data pre-processing is necessary because:
• Real-world data is dirty.
• Data is inconsistent.
Data preprocessing tasks:
• Data cleaning
• Data integration and transformation
• Data reduction
• Discretization and concept hierarchy generation
• Concept hierarchy generation for numeric data
Data cleaning:
Data cleaning, also called data cleansing or scrubbing deals with detecting and removing errors and inconsistencies from data in order to improve the quality of data
Data Quality Problems:
• Misspellings during data entry, missing information or other invalid data
• Present in single collections such as files and databases
• Problems increase when multiple sources need to be integrated
Data cleaning is important because,
• Poor data quality can result in loss of money
$2 billion of U.S. federal loan money has been lost due to poor data quality at a single agency.
• Data warehouses must provide high-level quality of data and service as decision support information systems.
• The probability of dirty data is high.
• A significant portion of cleaning and transformation work is done manually or by low-level programs that are difficult to maintain.
Data Cleaning Approach:
• Detect and remove all major errors and inconsistencies in individual and multiple data sources
• Inspection supported by tools to limit manual and programming effort
• Should not be performed in isolation but with schema-related data transformations based on comprehensive metadata
• Mapping functions for data cleaning and other data transformations should be reusable for other data sources
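The cleaning approach above, together with the transformations described under Transformation (code-to-description lookup, consistent date formats, one unit of measure, derived fields such as gross-to-net), can be shown on a handful of records. The following Python is an added example and not part of the paper or of any vendor product; the lookup tables, the spelling map, the date formats and the source records are constructed for the example, and every problem found is logged rather than silently discarded, in keeping with the "detect and remove" approach listed above.

```python
from datetime import datetime

# Constructed lookup tables, standing in for warehouse metadata.
ITEM_CODES = {"1001": "Widget", "1002": "Gadget"}
DEPARTMENT_CODES = {"10": "Hardware", "20": "Software"}
# Spellings seen in source files, mapped to the warehouse's canonical value.
REGION_SPELLINGS = {"north": "North", "nrth": "North", "n.": "North",
                    "south": "South", "sth": "South"}
DATE_FORMATS = ("%Y-%m-%d", "%d/%m/%Y", "%m-%d-%Y", "%d %b %Y")
LB_PER_KG = 2.20462

# Constructed source records from two systems with different conventions.
RAW_RECORDS = [
    {"item": "1001", "dept": "10", "region": "Nrth", "date": "2010-05-28", "gross": "100.0", "discount": "10", "weight": "2.5", "unit": "kg"},
    {"item": "1002", "dept": "20", "region": "sth",  "date": "28/05/2010", "gross": "250.0", "discount": "0",  "weight": "11.0", "unit": "lb"},
    {"item": "1001", "dept": "10", "region": "Nrth", "date": "2010-05-28", "gross": "100.0", "discount": "10", "weight": "2.5", "unit": "kg"},  # exact duplicate
    {"item": "9999", "dept": "10", "region": "N.",   "date": "05-29-2010", "gross": "",      "discount": "5",  "weight": "1.0", "unit": "kg"},  # unknown item, missing gross
]

def parse_date(text):
    """Try each known source format; return ISO 8601 or None if no format matches."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt).date().isoformat()
        except ValueError:
            continue
    return None

def clean_record(raw):
    """Return (cleaned record, list of problems). Problems do not stop the record; they are kept for review."""
    problems = []
    rec = {}
    rec["item"] = ITEM_CODES.get(raw["item"])                      # numeric code -> descriptive value
    if rec["item"] is None:
        problems.append(f"unknown item code {raw['item']}")
    rec["department"] = DEPARTMENT_CODES.get(raw["dept"], "Unknown")
    rec["region"] = REGION_SPELLINGS.get(raw["region"].strip().lower())   # resolve naming conflicts
    if rec["region"] is None:
        problems.append(f"unrecognised region {raw['region']!r}")
    rec["date"] = parse_date(raw["date"])                          # one date format
    if rec["date"] is None:
        problems.append(f"unparseable date {raw['date']!r}")
    try:
        gross = float(raw["gross"])
        rec["gross"] = gross
        rec["net"] = round(gross - float(raw["discount"]), 2)      # derived gross-to-net field
    except ValueError:
        rec["gross"] = rec["net"] = None
        problems.append("missing or non-numeric gross amount")
    weight = float(raw["weight"])                                  # one unit of measure
    rec["weight_kg"] = round(weight / LB_PER_KG, 3) if raw["unit"] == "lb" else weight
    return rec, problems

def clean_dataset(raw_records):
    """Clean every record, then drop exact duplicates. Returns (clean rows, problem log as (index, message))."""
    seen = set()
    rows, log = [], []
    for index, raw in enumerate(raw_records):
        rec, problems = clean_record(raw)
        log.extend((index, p) for p in problems)
        key = tuple(sorted(rec.items()))
        if key in seen:
            log.append((index, "duplicate of an earlier record, dropped"))
            continue
        seen.add(key)
        rows.append(rec)
    return rows, log

if __name__ == "__main__":
    rows, log = clean_dataset(RAW_RECORDS)
    for row in rows:
        print(row)
    for index, message in log:
        print(f"record {index}: {message}")
```

The mapping tables are the reusable part: the same REGION_SPELLINGS and ITEM_CODES serve every source that feeds the warehouse, which is what the last bullet above asks for.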
Tools:
ETL (Extraction, Transformation, Loading) Tool:
• Typically support the ETL process for data warehouses in a comprehensive way
• Typically have little built-in data cleaning capabilities but allow the user to specify cleaning functionality via a proprietary API
• There is usually no data analysis support to automatically detect data errors and inconsistencies.
• Provide transformation libraries that cover many data transformation and cleaning needs
o Such as data type conversions (e.g., date reformatting)
o String functions (e.g., split, merge, replace, sub-string search)
o Arithmetic, scientific and statistical functions
• Typically cover if-then and case constructs that help handle exceptions in data values, such as misspellings, abbreviations, missing or cryptic values, and values outside of range
• These problems are also addressed by using a table lookup construct and join functionality
Examples of these tools include:
• Copy Manager (Information Builders)
• DataStage (Informix/Ardent)
• Extract (ETI), PowerMart (Informatica)
• DecisionBase (CA/Platinum)
• Data Transformation Services (Microsoft)
• MetaSuite 11 (Minerva/Carleton)
• Sagent Solution Platform (Sagent)
• Warehouse Administrator (SAS)
Data integration and transformation:
This includes:
• Schema integration
• Redundancy
Schema integration:
Multiple data sources may provide data on the same entity types; for example, metadata from two music servers.
Approach to data integration:
• Use mapping rules to handle structural differences
• Ambient contains a mapping rule manager capable of:
– Finding appropriate sets of mapping rules
– Rewriting queries based on a set of mapping rules
– Handling different versions of mapping rules
Redundancy:
Redundancy, in general terms, refers to the quality or state of being redundant, that is: exceeding what is necessary or normal; or duplication. This can have a negative connotation, especially in rhetoric: superfluous or repetitive; or a positive implication, especially in engineering: serving as a duplicate for preventing failure of an entire system.
Data reduction:
• A data warehouse may store terabytes of data.
• Complex data analysis/mining may take a very long time to run on the complete data set.
• Obtain a reduced representation of the data set that is much smaller in volume but yet produces the same (or almost the same) analytical results.
Data cube aggregation:
• The lowest level of a data cube
o The aggregated data for an individual entity of interest
o e.g., a customer in a phone-calling data warehouse
• Multiple levels of aggregation in data space
o Further reduce the size of data
• Reference appropriate levels
o Use the smallest representation which is enough to solve the task
• Queries regarding aggregated information should be answered using the data cube when possible
Purpose:
The main purpose of a data warehouse is to support decision-making.
• Data is collected from a number of different sources.
• It is used to perform advanced analysis.
The main goal of data warehousing is to generate front-end analytics that will support business executives and operational managers.