Chapters 9 and 8 Samba/SMB, Network Security Professor Rick Han University of Colorado at Boulder


1 Chapters 9 and 8: Samba/SMB, Network Security. Professor Rick Han, University of Colorado at Boulder, rhan@cs.colorado.edu

2 Prof. Rick Han, University of Colorado at Boulder. Announcements
- HW #5 a possibility
- Programming Assignment #3 due May 2
- Lecture slides from last week online after class
- In Chapter 8, read all sections
- Next: Samba/SMB, Network Security

3 Recap of Previous Lecture
- An example caching policy for an HTTP proxy
  - Conditional GET with If-Modified-Since header
  - The proxy returns the page from its cache only if that page is not expired and its Last-Modified is more recent than the If-Modified-Since date
  - Otherwise, the proxy forwards the conditional GET to the server, which either replies with the new page or with status 340 “Not Modified”
- Network Address Translation (NAT)
  - Outbound: substitute the NAT’s IP address and TCP port for the packet’s source IP and source TCP port
  - Inbound: substitute the NAT’s IP address and TCP port for the packet’s dest IP and dest TCP port

4 Recap of Previous Lecture (2)
- NAT
  - Static NATs map an inbound packet’s dest IP and dest TCP port to an internal host’s fixed IP address and TCP port
    - Enables a Web server behind a NAT to serve Web pages to external hosts
    - Adds security risk
  - Dynamic NATs provide a firewall masquerading capability
    - In the absence of fixed mappings, external hosts can’t make an inbound connection to any internal host
    - Internal hosts can still make outbound TCP connections

5 Samba/SMB
- Server Message Block (SMB) Protocol
  - File sharing protocol that ships with Microsoft OS’s
  - Basis for Network Neighborhood
  - Application-layer protocol over TCP/UDP/IP
- The open-source SAMBA server suite enables other OS’s such as Linux to speak SMB
  - Enables an MS client to access files on a UNIX server – very useful!

6 Samba/SMB (2)
- For historical reasons, SMB first ran across the NETBIOS API, which in turn ran across various network protocols, e.g. TCP/UDP, IPX, SNA, DECnet, etc.
- SMB packets can be framed in NETBIOS packets, which are encapsulated in TCP/UDP
  - NETBIOS over TCP/UDP is called NBT
[Figure: protocol stack – SMB over NETBIOS over TCP/UDP, IPX, SNA or …]

7 Samba/SMB (3)
- Newer version of SMB: Windows 2000 now runs SMB natively on top of TCP/UDP
  - No NETBIOS framing
  - Renamed to Common Internet File System (CIFS)
  - CIFS actually refers to an entire suite of protocols: file/printer sharing, service announcement, naming, authentication, authorization
  - Supports the older version of SMB too, to maintain compatibility
[Figure: protocol stack – SMB (Windows 2000) directly over TCP/UDP]

8 Samba/SMB (4)
- NBT creates an abstraction: a virtual LAN, even if the actual nodes are distributed over a wide area
- NBT provides 3 services over a virtual LAN
  - Naming Service
  - Datagram Distribution Service
  - Session Service
- NBT Naming Service
  - Broadcast: “where’s anchor?” “Here I am”
  - Point-to-point: required to bridge subnets, because broadcasts are typically confined to a subnet
    - A NETBIOS Name Server (NBNS) provides name-to-IP mappings for a NETBIOS virtual LAN
    - Also called WINS in MS terminology

9 Samba/SMB (5)
- NBT Naming Service (cont.)
  - Runs on UDP port 137: NETBIOS naming queries are encapsulated in UDP, then IP
- NBT Datagram Service
  - Runs over UDP port 138
  - Point-to-point and multicast are straightforward within a LAN
  - Multicast across IP subnets requires a bridging agent: a NETBIOS Datagram Distribution Server (NBDD)
    - Multicast datagrams are sent to the NBDD, which gets the list of hosts in the multicast group from the NBNS, then sends point-to-point to each host
    - WINS messed up its implementation of NBDD (as of May 2001) – some group members won’t receive the multicast

10 Samba/SMB (6)
- NBT Session Service
  - Runs over TCP port 139
  - Implements file sharing
  - Simple sequence of events:
    1. Source X gives the NETBIOS name of destination Y to the NBT Name Service and gets back the IP address of Y
    2. Source X establishes a TCP connection with Y
    3. Source X sends a NETBIOS SESSION SERVICE REQUEST to Y; Y accepts the request
    4. X and Y exchange files via SMB
  - SMB packets consist of the byte 0xFF, then the letters “SMB”, followed by a command and data
    - Commands are patterned after DOS I/O commands, and include OPEN, CLOSE, DELETE, etc.
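As an added example (not from the lecture), the framing described on this slide in code: a 4-byte NBT session-service header is peeled off, the 0xFF "SMB" signature is checked, and the command byte is mapped to a name. The NBT header layout is from RFC 1002 and the few SMB command codes listed are the standard ones; the sample frame is constructed inline and the 32-byte header has its remaining fields zeroed for brevity.

```python
import struct

# NBT session service packet types (RFC 1002).
NBT_SESSION_MESSAGE = 0x00
NBT_SESSION_REQUEST = 0x81
NBT_POSITIVE_SESSION_RESPONSE = 0x82
# Every SMB packet starts with 0xFF followed by the letters "SMB".
SMB_MAGIC = b"\xffSMB"
# A few standard SMB command codes (DOS-style I/O commands plus dialect negotiation).
SMB_COMMANDS = {0x02: "OPEN", 0x04: "CLOSE", 0x06: "DELETE", 0x72: "NEGOTIATE"}


def parse_nbt_session(frame: bytes):
    """Split the 4-byte NBT session header from its payload and validate the length."""
    if len(frame) < 4:
        raise ValueError("short NBT header")
    ptype, flags, length = struct.unpack("!BBH", frame[:4])
    length |= (flags & 0x01) << 16      # flag bit 0 is the 17th bit of the length
    payload = frame[4:]
    if len(payload) != length:
        raise ValueError(f"NBT length {length} != payload {len(payload)}")
    return ptype, payload


def parse_smb_header(payload: bytes) -> str:
    """Check the 0xFF 'SMB' signature and return the name of the command byte."""
    if len(payload) < 32 or payload[:4] != SMB_MAGIC:
        raise ValueError("not an SMB header")
    command = payload[4]
    return SMB_COMMANDS.get(command, f"UNKNOWN(0x{command:02x})")


def smb_command_in_frame(frame: bytes) -> str:
    """Full check: only NBT session messages (type 0x00) carry SMB data."""
    ptype, payload = parse_nbt_session(frame)
    if ptype != NBT_SESSION_MESSAGE:
        raise ValueError(f"NBT type 0x{ptype:02x} carries no SMB")
    return parse_smb_header(payload)


def build_frame(command: int) -> bytes:
    """Constructed sample: a minimal 32-byte SMB header inside an NBT session message."""
    smb = SMB_MAGIC + bytes([command]) + b"\x00" * 27   # remaining header fields zeroed
    return struct.pack("!BBH", NBT_SESSION_MESSAGE, 0, len(smb)) + smb


if __name__ == "__main__":
    print(smb_command_in_frame(build_frame(0x72)))       # NEGOTIATE
```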

11 Samba/SMB (7)
- SMB
  - Several dialects of SMB, so there is always a negotiation phase to make sure the SMB client speaks the same dialect as the SMB server
- Network Neighborhood is supported by a “Browsing” Service
  - Browsing is organized in terms of IP subnets and Workgroups
  - A “Workgroup” is a set of NBT nodes on an IP subnet that share the same Workgroup name
  - On each subnet, the Workgroup members hold an “election,” which involves sending group datagrams via the NBT Datagram Service
  - A Domain Master Browser enables browsing across subnets

12 Samba/SMB (8)
- CIFS
  - Removes NETBIOS/NBT
  - Also replaces NETBIOS services with standards-based services
    - Example: NBNS is replaced with Dynamic DNS
- SAMBA
  - Racing to stay compatible with the latest MS twist on CIFS, e.g. Windows 2000
  - See www.samba.org for more info

13 Network Security
- Classic properties of secure systems:
  - Confidentiality
    - Encrypt the message so only the sender and receiver can understand it
  - Authentication
    - Both sender and receiver need to verify the identity of the other party in a communication: are you really who you claim to be?
  - Authorization
    - Does a party with a verified identity have permission to access (r/w/x/…) information? Gets into access control policies

14 Network Security (2)
- Classic properties of secure systems (cont.):
  - Integrity
    - During a communication, can both sender and receiver detect whether a message has been altered?
  - Non-Repudiation
    - The originator of a communication can’t later deny that the communication took place
  - Availability
    - Guaranteeing access to legitimate users
    - Prevention of Denial-of-Service (DoS) attacks

15 Cryptography
- An encryption algorithm is also called a cipher
- Cryptography has evolved so that modern encryption and decryption use secret keys
  - Only the keys have to be protected! => Key distribution problem
  - Cryptographic algorithms can be openly published
[Figure: plaintext → Encryption (key K_A) → ciphertext → Decryption (key K_B) → plaintext]

16 Cryptography (2)
- Cryptography throughout history:
  - Julius Caesar cipher: replaced each character by a character cyclically shifted to the left
    - Weakness? Easy to attack by looking at the frequency of characters
  - Mary Queen of Scots: put to death for treason after Queen Elizabeth I’s spymaster cracked her encryption code
  - WWII: Allies break the German Enigma code and the Japanese naval code
[Figure: Enigma code machine (right)]

17 Cryptography (3)
- Cryptanalysis – types of attacks:
  - Brute force: try every key
  - Ciphertext-only attack: the attacker knows the ciphertext of several messages encrypted with the same key (but doesn’t know the plaintext). Possible to recover the plaintext (and also possibly deduce the key) by looking at the frequency of ciphertext letters
  - Known-plaintext attack: the attacker observes pairs of plaintext/ciphertext encrypted with the same key. Possible to deduce the key and/or devise an algorithm to decrypt ciphertext

18 Cryptography (4)
- Cryptanalysis – types of attacks (cont.):
  - Chosen-plaintext attack: the attacker can choose the plaintext and look at the paired ciphertext. The attacker has more control than in a known-plaintext attack and may be able to gain more info about the key
  - Adaptive chosen-plaintext attack: the attacker chooses a series of plaintexts, basing the next plaintext on the result of the previous encryption
  - Differential cryptanalysis – a very powerful attacking tool
    - But DES is resistant to it
- Cryptanalysis attacks often exploit the redundancy of natural language
  - Lossless compression before encryption removes redundancy

19 Cryptography (5)
- Symmetric or Secret-Key Cryptography
  - Both sender and receiver keys are the same: K_A = K_B
  - Data Encryption Standard (DES)
    - Encodes plaintext in 64-bit chunks using a 64-bit key (56 bits + 8 bits parity)
    - Uses permutation or transposition of characters: abcd → dbac
    - Was cracked in 1997
  - Triple-DES: put the output of DES back as input into DES again, then loop again

20 Cryptography (6)
- Public-Key Cryptography
  - A host that wants data sent to it advertises a public encryption key K_public
  - The decryption algorithm has the property that only a private key K_private can decrypt the ciphertext
  - Based on the difficulty of factoring the product of two prime numbers
  - Even though the attacker knows the public key K_public and the encryption algorithm, the attacker still does not know the private key K_private
  - Example: RSA encryption algorithm
