CNS2009 handout 17 :: network protocols II (computer and network security, Matt Barrie)

slide 2 :: source routing

Both IPv4 and IPv6 allow the sender, rather than the routers along the path, to dictate the route a packet takes, through a feature known as source routing. In strict source routing the sender specifies every hop the packet takes through the network; in loose source routing the sender specifies only a set of hosts the packet must pass through. This lets a remote attacker mount non-blind attacks: by source routing packets through a host it controls, the attacker sees the replies, whereas an attacker who merely forges the source address is blind and never receives them. Source routing can be turned off in the kernel.

slide 3 :: source routing

Many kernels are configured to ignore source-routed packets; on Linux the setting is net.ipv4.conf.all.accept_source_route (0 = drop), and for IPv6 the Type 0 Routing Header that provided this feature was deprecated by RFC 5095, so current hosts and routers discard it. Many firewalls and routers block source-routed packets and can optionally raise an alarm when they see one.

slide 4 :: port scanning

Port scanning is the process of sending packets to every port on a machine (or a range of machines) to audit which services are listening (open).

    # nmap
    Starting nmap V. 2.3BETA14 by ( )
    Interesting ports on cosmic.spectre.net ( ):
    Port    State   Protocol  Service
    22      open    tcp       ssh
    139     open    tcp       netbios-ssn
    Interesting ports on orbital.spectre.net ( ):
    Port    State   Protocol  Service
    7       open    tcp       echo
    9       open    tcp       discard
    21      open    tcp       ftp
    25      open    tcp       smtp
    42      open    tcp       nameserver
    53      open    tcp       domain
    80      open    tcp       http
    Nmap run completed -- IP addresses (2 hosts up) scanned in 10 seconds
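Below is an added worked example, written for this page rather than taken from the handout or from nmap, of the full-connect scan behind a listing like the one above. Each port is classified as open, closed or filtered from how the TCP handshake ends, ports are probed concurrently, and the result is rendered in nmap's format. To run offline it scans a throwaway listener it starts itself on 127.0.0.1; the host, the five-port window and the timeout are assumptions. nmap's default SYN scan (-sS) differs in that it needs raw sockets and never completes the handshake; this is the equivalent of nmap -sT.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe_port(host, port, timeout=0.5):
    """Classify one TCP port the way a full-connect scan (nmap -sT) does.

    open     : the three-way handshake completed, something is listening
    closed   : the host answered the SYN with RST (connection refused)
    filtered : nothing came back inside the timeout, typically a firewall
               silently dropping the SYN
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        # e.g. EHOSTUNREACH / ENETUNREACH: "no answer" is all we know
        return "filtered"


def scan(host, ports, timeout=0.5, workers=32):
    """Probe the given ports concurrently; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def service_name(port):
    """Name from /etc/services when present, else '?' (nmap does the same lookup)."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "?"


def report(host, results):
    """Render results in the same shape as the nmap listing on the slide."""
    lines = ["Interesting ports on %s:" % host, "Port  State     Protocol  Service"]
    for port in sorted(results):
        state = results[port]
        if state != "closed":   # nmap hides closed ports unless asked
            lines.append("%-5d %-9s %-9s %s" % (port, state, "tcp", service_name(port)))
    return "\n".join(lines)


def start_listener(host="127.0.0.1"):
    """Constructed target for the demo: a throwaway TCP service on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener closed: stop serving
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo():
    """Scan a window of five ports around the demo listener; exactly that port should be open."""
    srv, port = start_listener()
    try:
        results = scan("127.0.0.1", range(port - 2, port + 3))
    finally:
        try:
            srv.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        srv.close()
    return port, results


if __name__ == "__main__":
    port, results = demo()
    print(report("127.0.0.1", results))
```

The three-way classification is the useful part: a RST tells you a host is there and the port is closed, while silence tells you a filter is in the way, which is the same distinction nmap draws between closed and filtered.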

slide 5 :: OS fingerprinting

OS fingerprinting is the process of probing a machine and using peculiarities of its IP stack (initial TTL, window size, TCP option ordering, sequence-number generation, responses to malformed packets) to identify the vendor and version of the operating system. nmap -O also reports how predictable the TCP initial sequence numbers are, since a predictable ISN is what makes blind TCP spoofing possible.

    # nmap -O
    Starting nmap V. 2.3BETA14 by ( )
    Interesting ports on orbital.spectre.net ( ):
    Port    State   Protocol  Service
    7       open    tcp       echo
    9       open    tcp       discard
    13      open    tcp       daytime
    TCP Sequence Prediction: Class=random positive increments
                             Difficulty=10629 (Worthy challenge)
    Remote operating system guess: Windows 2000 RC1-RC3
    Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds

slide 6 :: firewalls

A firewall is a packet-filtering gateway whose aim is to limit the number of services exposed on a connection (a wall with holes in it):
– Static packet-filtering gateways apply a fixed set of rules known as access control lists (ACLs), matching on addresses, protocols and ports. Static filters are fast but reasonably weak (they cannot tell a reply from an unsolicited packet) and are difficult to maintain.
– Dynamic packet-filtering gateways aim to be more intelligent about which packets to allow, e.g. by stateful inspection of packet headers: tracking connections so that only packets belonging to an established flow are let back in.
– Application-level gateways attempt to enhance security further by acting as a proxy (allowing user authentication and permitting no direct IP connection between inside and outside), but they are more complicated still and do not support all services, so they are used less often.

slide 7 :: ftp bounce attacks

FTP servers can be used to launch "bounce" attacks, an example of an attack a firewall does not help against, because the connection to the victim is made by the FTP server itself, from inside. Take the following example:
– The attacker finds an FTP server located behind a firewall that allows logins and has a writeable directory.
– The attacker logs in and uploads a file containing the SMTP commands for a spoofed mail message.
– The attacker then issues a PORT command naming the victim's address and mail port (25) as the endpoint of the data connection.
– The attacker then issues RETR for the uploaded file to start the transfer.
– The FTP server connects to the victim's mail port and delivers the file, which is valid SMTP dialogue, so it can send mail that appears to come from the FTP server.
Most current FTP servers defeat this by refusing a PORT whose address differs from the control connection's peer or whose port is below 1024, the advice given in RFC 2577.

slide 8 :: ftp bounce attacks

[figure: attacker outside the firewall, FTP server behind it, victim]

The attacker uploads an SMTP dialogue:

    hello pizza.com
    mail from: server.goodguy.com
    rcpt to: victim.goodguy.com
    data
    hello there!
    .
    end

The attacker tells the FTP server to open a data connection to the victim's SMTP port and "upload" the file. The victim receives a (believable) spoofed mail message.
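As an added example (not from the handout, and not any particular FTP server's code), here is the server-side check that closes the bounce hole, in Python: the PORT argument is decoded and the data connection is refused unless it goes back to the host that opened the control connection and to an unprivileged port. The addresses are constructed from the RFC 5737 documentation ranges; the attacker is assumed to be 198.51.100.7 and the victim's mail server 203.0.113.25.

```python
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
_PORT_ARG = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_argument(arg):
    """Decode the PORT argument into (ip, port); raise ValueError if malformed."""
    m = _PORT_ARG.match(arg.strip())
    if m is None:
        raise ValueError("malformed PORT argument")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field out of range")
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def check_port_command(arg, control_peer_ip):
    """Decide whether to honour a PORT command, following RFC 2577 section 3.

    Returns (accepted, reply_line). Two checks kill the bounce attack: the data
    connection may only go back to the host that opened the control connection,
    and never to a privileged (< 1024) port such as SMTP/25.
    """
    try:
        ip, port = parse_port_argument(arg)
    except ValueError as exc:
        return False, "500 %s" % exc
    if ip != control_peer_ip:
        return False, "500 Illegal PORT: %s is not the control-connection peer" % ip
    if port < 1024:
        return False, "500 Illegal PORT: refusing privileged port %d" % port
    return True, "200 PORT command successful (%s:%d)" % (ip, port)


def demo():
    """Run the attack's PORT command and three others through the check; peer is the attacker."""
    peer = "198.51.100.7"                                  # constructed attacker address
    cases = {
        "bounce to victim SMTP": "203,0,113,25,0,25",      # 203.0.113.25:25, the slide's attack
        "privileged port on the peer": "198,51,100,7,0,25",
        "legitimate active-mode transfer": "198,51,100,7,4,1",   # 198.51.100.7:1025
        "garbage": "198,51,100,7,999,1",
    }
    return {name: check_port_command(arg, peer) for name, arg in cases.items()}


if __name__ == "__main__":
    for name, (ok, reply) in demo().items():
        print("%-34s %s  %s" % (name, "accept" if ok else "REJECT", reply))
```

The peer-address check also breaks legitimate third-party ("proxy FTP") transfers, which is why RFC 2577 frames it as a configuration choice; most servers ship with it on.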

slide 9 :: traceroute

Traceroute is a network debugging utility that maps the path between two hosts over IP by sending probes with a monotonically increasing time-to-live (TTL) field in the IP header. The TTL field limits the number of hops a packet may travel across the network before it expires: each router decrements it, and the router that decrements it to zero discards the packet and returns an ICMP error message (time to live exceeded in transit) to the source. By increasing the TTL one probe at a time we receive such an error from every router along the path, and hence learn the route. The probes are UDP datagrams to unused high ports, so the final host answers with ICMP port unreachable instead; a hop printed as "* * *" either rate-limits ICMP, has it filtered, or did not answer within the timeout.

slide 10 :: traceroute

    # traceroute cassius.ee.usyd.edu.au
    traceroute to cassius.ee.usyd.edu.au ( ), 30 hops max, 40 byte packets
     1  * * *
     2  sydney-atm.vic-remote.bigpond.net.au ( )  ms  ms  ms
     3  ( )  ms  ms  ms
     4  fastethernet4-1-0.win4.Melbourne.telstra.net ( )  ms  ms  ms
     5  FastEthernet0-0-0.lon20.Melbourne.telstra.net ( )  ms  ms  ms
     6  optvs.lnk.telstra.net ( )  ms  ms  ms
     7  GigEth1-0-0.sn2.optus.net.au ( )  ms  ms  ms
     8  NSW-RNO-Dom.sn2.optus.net.au ( )  ms  ms  ms
     9  usyd-atm-chippendale.nswrno.net.au ( )  ms  ms  ms
    10  su-ti.gw.usyd.edu.au ( )  ms  ms  ms
    11  * * *
    12  * * *
    13  cassius.ee.usyd.edu.au ( )  ms  ms  *

(Addresses and round-trip times were lost from the original listing. Hops 1, 11 and 12 answered none of the three probes.)

slide 11 :: firewalking

Firewalking is a technique, similar to traceroute, for determining the access control lists (ACLs) of a packet-filtering gateway (firewall, router, etc.). A firewalk scan first finds the hop count to the gateway, then sends probes for each protocol and port of interest with a TTL one greater than that hop count. If the gateway permits the traffic, it forwards the probe to the next hop, where it expires and elicits a TTL exceeded in transit message that comes back to us. If the gateway does not permit the traffic, it will most likely drop the packet on the floor and we see no response. Through such scanning the ACLs on a gateway or firewall can be determined without ever completing a connection to a host behind it. The technique depends on the ICMP errors from the hop beyond the gateway reaching the scanner; a gateway that also drops outbound ICMP time exceeded makes every port look filtered.

slide 12 :: firewalking

[figure only: firewalk scan, probes sent with TTL = gateway hop count + 1]
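The following added example (not from the handout; written for this page) implements the mechanism behind both the traceroute slides and the firewalking slides in Python. It builds the UDP probes, builds and parses the ICMP time-exceeded replies including the quoted original header that lets a reply be matched to its probe, and runs both scans against a small constructed model of a four-hop path whose third hop is a gateway that passes only ports 22 and 80. All addresses are constructed from the RFC 5737 documentation ranges; no packets are sent.

```python
import socket
import struct

BASE_PORT = 33434                                   # classic traceroute UDP base port
PROBER, TARGET = "192.0.2.10", "203.0.113.80"       # constructed addresses
HOPS = ["198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"]  # constructed path
GATEWAY_HOP = 3                                     # HOPS[2] is the packet-filtering gateway
GATEWAY_ACL = {22, 80}                              # destination ports the gateway lets through


def checksum(data):
    """RFC 1071 one's-complement sum, as used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl, ident=0):
    """20-byte IPv4 header, no options, with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def udp_probe(src, dst, ttl, dport):
    """What traceroute and firewalk send: a small UDP datagram with a chosen TTL and port."""
    udp = struct.pack("!HHHH", 40000, dport, 12, 0) + b"\x00" * 4   # UDP checksum 0 = none (IPv4)
    return ipv4_header(src, dst, 17, len(udp), ttl, ident=ttl) + udp


def time_exceeded(router, probe):
    """Router's ICMP type 11 / code 0 reply, quoting the expired probe's IP header + 8 bytes (RFC 792)."""
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + probe[:28]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(router, socket.inet_ntoa(probe[12:16]), 1, len(icmp), ttl=64) + icmp


def parse_time_exceeded(pkt):
    """Return (router_ip, quoted_dst_port, quoted_dst_ip) for a valid time-exceeded, else None."""
    if pkt is None or len(pkt) < 20 or pkt[9] != 1:
        return None
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(icmp) < 36 or checksum(icmp) != 0 or icmp[0] != 11 or icmp[1] != 0:
        return None
    inner = icmp[8:]                                # the quoted original datagram
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 17 or len(inner) < inner_ihl + 4:
        return None
    dport = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
    return socket.inet_ntoa(pkt[12:16]), dport, socket.inet_ntoa(inner[16:20])


def network(probe):
    """Constructed path model: the probe expires at hop == TTL unless the gateway ACL drops it first."""
    ttl, dport = probe[8], struct.unpack("!H", probe[22:24])[0]
    if ttl > GATEWAY_HOP and dport not in GATEWAY_ACL:
        return None                                 # dropped on the floor by the gateway, no ICMP
    if ttl > len(HOPS):
        return None                                 # would reach the target; not modelled here
    return time_exceeded(HOPS[ttl - 1], probe)


def traceroute(max_ttl=4):
    """Raise the TTL by one per probe; each expiry names one router ('*' = no reply)."""
    path = []
    for ttl in range(1, max_ttl + 1):
        reply = parse_time_exceeded(network(udp_probe(PROBER, TARGET, ttl, BASE_PORT + ttl)))
        # match the reply to our probe by the quoted destination port, as traceroute does
        path.append(reply[0] if reply and reply[1] == BASE_PORT + ttl else "*")
    return path


def firewalk(ports):
    """Probe each port with TTL = gateway hop + 1: a time-exceeded from beyond the gateway means it passed."""
    verdict = {}
    for port in ports:
        reply = parse_time_exceeded(network(udp_probe(PROBER, TARGET, GATEWAY_HOP + 1, port)))
        verdict[port] = ("pass", reply[0]) if reply and reply[1] == port else ("filtered", None)
    return verdict


if __name__ == "__main__":
    print("traceroute:", traceroute())
    print("firewalk  :", firewalk([22, 23, 80]))
```

Note what the model reproduces from the slide's real listing: the plain traceroute shows "*" at hop 4 because its high UDP ports are not in the gateway's ACL, while firewalk, using the service ports themselves, gets a time-exceeded from hop 4 for 22 and 80 and silence for 23.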

slide 13 :: IPsec

IPsec is the IETF's network-layer security architecture, produced by the IPsec working group, for securing IP traffic (both IPv4 and IPv6). Its two main protocols are:
– Authentication Header (AH): integrity and data-origin authentication of the packet
– Encapsulating Security Payload (ESP): confidentiality, and optionally authentication and integrity as well
Packets can use AH and/or ESP. Both are algorithm independent: the algorithms and keys come from a negotiated security association. IPsec does not protect against traffic analysis or denial of service, and it does not provide non-repudiation (its MACs are symmetric, so either endpoint could have produced them). IPsec is what most virtual private networks (VPNs) are built on.

slide 14 :: authentication header

The Authentication Header (AH) provides connectionless integrity and data-origin authentication (and, optionally, anti-replay protection through a sequence number) but no confidentiality.
– Transport mode is applicable only to host implementations and protects the upper-layer protocol data plus the fields of the IP header that do not change in transit (mutable fields such as TTL, TOS and the header checksum are zeroed before the integrity check value is computed).
– Tunnel mode protects the entire inner IP packet, including the entire inner IP header, and wraps it in a new outer header.
The authentication algorithm used is defined by the security association. Suitable algorithms are keyed Message Authentication Codes (MACs) based on symmetric ciphers (e.g. DES) or on one-way hash functions (HMAC-MD5 or HMAC-SHA-1, truncated to 96 bits). Today HMAC-SHA-256 (RFC 4868) is the sensible choice; MD5 is no longer considered adequate. Because AH covers the source address, it does not survive NAT, which is one reason ESP is used far more in practice.
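To make the AH description concrete, here is an added example in Python (written for this page, not from the handout or from any IPsec stack) of transport-mode AH with HMAC-SHA-1-96: the sender zeroes the mutable IP header fields and the ICV field before computing the MAC, and the receiver keeps a 64-packet anti-replay window per security association (the window logic follows RFC 4302 appendix B). The key, SPI and addresses are constructed; a real SA gets them from IKE, and the IP header checksum is left at zero for brevity since it is excluded from the ICV anyway.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51
ICV_LEN = 12             # HMAC-SHA-1-96: 160-bit tag truncated to 96 bits (RFC 2404)
AH_LEN = 12 + ICV_LEN    # fixed AH fields plus the ICV


def _zero_mutable(ip_hdr):
    """Zero the IPv4 fields that change in transit; they are excluded from the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0                # TOS / DSCP+ECN
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def _icv(key, ip_hdr, ah_fixed, payload):
    """ICV over the immutable IP header, the AH with its ICV field zeroed, and the payload."""
    data = _zero_mutable(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_build(key, spi, seq, src, dst, next_proto, payload, ttl=64):
    """Transport-mode AH packet: IP | AH(next, len, spi, seq, ICV) | payload."""
    total_len = 20 + AH_LEN + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, seq & 0xFFFF, 0x4000,
                         ttl, AH_PROTO, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ah_fixed = struct.pack("!BBHII", next_proto, AH_LEN // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + _icv(key, ip_hdr, ah_fixed, payload) + payload


class InboundSA:
    """Receiver side of one AH security association: key, SPI and an anti-replay window."""

    def __init__(self, key, spi, window=64):
        self.key, self.spi, self.window = key, spi, window
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set <=> sequence number (top - i) already seen

    def _replay_ok(self, seq):
        if seq > self.top:
            return True                          # new high-water mark
        diff = self.top - seq
        if diff >= self.window:
            return False                         # too old: outside the window
        return not (self.bitmap >> diff) & 1     # inside the window: reject if already seen

    def _replay_update(self, seq):
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def verify(self, pkt):
        """Return 'ok', 'replay', 'bad ICV', 'unknown SPI' or 'not AH'; the window moves only on 'ok'."""
        ihl = (pkt[0] & 0x0F) * 4
        if pkt[9] != AH_PROTO:
            return "not AH"
        ip_hdr, ah_fixed = pkt[:ihl], pkt[ihl:ihl + 12]
        _next, plen, _res, spi, seq = struct.unpack("!BBHII", ah_fixed)
        ah_len = (plen + 2) * 4
        icv, payload = pkt[ihl + 12:ihl + ah_len], pkt[ihl + ah_len:]
        if spi != self.spi:
            return "unknown SPI"
        if not self._replay_ok(seq):             # cheap check first, before the MAC
            return "replay"
        if not hmac.compare_digest(icv, _icv(self.key, ip_hdr, ah_fixed, payload)):
            return "bad ICV"
        self._replay_update(seq)
        return "ok"


def demo():
    """Walk one SA through a normal packet, a replay, a tampered packet and reordering."""
    key = b"\x0b" * 20                                   # constructed key; real keys come from IKE
    sa = InboundSA(key, spi=0x1000)
    pkts = {n: ah_build(key, 0x1000, n, "192.0.2.1", "192.0.2.2", 17, b"udp payload %d" % n)
            for n in (1, 2, 3)}
    results = []
    in_transit = bytearray(pkts[1]); in_transit[8] -= 1  # a router decremented the TTL
    results.append(sa.verify(bytes(in_transit)))         # ok: TTL is mutable, not covered
    results.append(sa.verify(pkts[1]))                   # same sequence number again: replay
    tampered = bytearray(pkts[2]); tampered[-1] ^= 0x01  # last payload byte flipped
    results.append(sa.verify(bytes(tampered)))           # bad ICV
    results.append(sa.verify(pkts[3]))                   # ok, window top becomes 3
    results.append(sa.verify(pkts[2]))                   # ok: late but still inside the window
    results.append(sa.verify(pkts[2]))                   # replay
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks in verify() is deliberate: the replay window is consulted before the MAC is computed, so a flood of replayed packets costs the receiver a couple of integer operations each rather than a SHA-1 per packet, and the window is only advanced once the ICV has been verified, so a forged packet with a huge sequence number cannot push the real traffic out of the window.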

slide 15 :: encapsulating security payload

The Encapsulating Security Payload (ESP) provides confidentiality for packets and, optionally, integrity and authentication of the encapsulated data (its integrity check does not cover the outer IP header, which is what lets ESP pass through NAT). Like AH, it can be used in both transport mode (between two hosts) and tunnel mode (an IP tunnel between two gateways). ESP is algorithm independent. Common ciphers at the time included 3DES, DES, CAST-128 and Blowfish; DES is no longer acceptable, and current deployments use AES-CBC (RFC 3602) or, better, AES-GCM (RFC 4106), which provides encryption and integrity in one pass. Always pair ESP encryption with an integrity algorithm: encryption-only ESP is open to active attacks and RFC 4303 discourages it.

slide 16 :: security association

The IPsec architecture (originally RFC 1825, now RFC 4301) defines a security association (SA): a one-way relationship between sender and receiver, identified by the destination address and a Security Parameters Index (SPI) carried in the AH or ESP header, that fixes everything needed to process traffic on a particular link or connection (UDP/TCP):
– authentication algorithm and mode
– authentication key(s)
– encryption algorithm and mode
– encryption key(s)
– presence or absence of a crypto synchronisation value / IV
– lifetime of a key, or when a key change should occur
– lifetime of the security association
– source address of the security association
– sensitivity level (SECRET, CLASSIFIED, etc.)
A two-way conversation therefore needs a pair of SAs. Again, the hard problem here is key distribution and management.

slide 17 :: ike

The Internet Key Exchange (IKE) is a hybrid protocol that uses parts of the following to obtain authenticated keying material for security associations:
– ISAKMP (Internet Security Association and Key Management Protocol), a framework for authentication and key exchange. ISAKMP is designed to be key-exchange independent; that is, it is designed to support many different key exchanges.
– Oakley, which describes a series of key exchanges, known as "modes", and details the services provided by each (e.g. perfect forward secrecy for keys, identity protection and authentication).
– SKEME, which describes a key exchange technique providing anonymity, repudiability and quick key refreshment.
This is IKE version 1 (RFC 2409). IKEv2 (RFC 7296) replaced it with a simpler exchange that fixed several of its weaknesses; new deployments should use IKEv2.

slide 18 :: isakmp/oakley

ISAKMP/Oakley provides a way to:
– perform key exchange between IPsec parties
– negotiate the protocols, algorithms and keying material to be used between two IPsec parties
– update and re-negotiate the SAs after they have expired
ISAKMP/Oakley works in phases:
– Phase 1: the hosts establish a secure channel between themselves by creating a bidirectional ISAKMP SA (main mode or aggressive mode).
– Phase 2: this channel is used to negotiate the required IPsec SAs (quick mode).
– IPsec then provides its services with the established SAs.
– When the SAs expire, ISAKMP/Oakley is used to negotiate new ones.

slide 19 :: address resolution protocol

ARP (Address Resolution Protocol) maps IP addresses to hardware (MAC) addresses on a local network. A table called the ARP cache stores each IP address and its corresponding MAC address. When a host or router needs to deliver a packet to an IP address on the local network, it needs the MAC address that matches the destination IP address and looks it up in the ARP cache:
– if an entry is found, ARP supplies it
– if no entry is found, ARP broadcasts a request to all machines on the network asking who has that IP address. The machine that recognises the IP address as its own replies with its MAC address. ARP records the answer in the cache for future reference, and the packet is then sent to that MAC address.

slide 20 :: spoofing ARP

ARP is one of the simplest but most fundamental protocols on the Internet. A reply is accepted at face value, with no authentication and usually without a matching request, so manipulating ARP is trivial and allows many powerful attacks, including attacks on higher-level secure protocols (e.g. ssh, ssl, where the man in the middle relies on the user accepting a changed host key or certificate):
– poisoning the ARP cache of targets
– MAC flooding
– man in the middle
– connection hijacking
– denial of service
– cloning

slide 21 :: ARP attacks

As time passes, networks are migrating towards being fully switched: each host is on its own switch port, so the number of machines sharing a particular link is minimised. This
– increases network performance
– increases security, since sniffing a particular link yields only traffic to and from that host, not all hosts on the local network
[figure: a router with a shared segment versus a fully switched network]

slide 22 :: ARP attacks

ARP lets Mallory trivially launch man-in-the-middle attacks against Alice and Bob:
– Mallory poisons the ARP caches of Alice and Bob
– Alice associates Bob's IP with Mallory's MAC
– Bob associates Alice's IP with Mallory's MAC
– all traffic between Alice and Bob now passes through Mallory, who forwards it on so that neither notices
This works even if the network is fully switched, since the switch faithfully delivers frames to whatever MAC address the victims put in them. What if Bob is a gateway or router? Then all traffic flowing through that router goes via Mallory.

slide 23 :: other ARP attacks

MAC flooding: the attacker sends spoofed ARP replies with random source MAC addresses at a high rate to the switch, eventually overflowing its port/MAC table. Most switches then fall back to flooding unknown destinations out of every port (behaving like a hub), and the attacker can sniff again.
Denial of service: ARP caches are updated with non-existent MAC addresses, so valid frames are sent to nowhere and dropped.
Connection hijacking: once in the middle, the attacker can inject into or take over an established TCP connection.
Cloning: the attacker assumes a host's MAC/IP pair, typically after knocking the real host off the network.

slide 24 :: preventing arp spoofing

ARP spoofing is difficult to prevent. The options are:
– enabling MAC binding (port security) at the switch
– implementing static ARP tables
MAC binding means that once an address is assigned to a switch port it cannot be changed without authorisation, so a port that starts sourcing other stations' MAC addresses is shut down. Static ARP management is only realistically achievable in a very small network; in a large dynamic network, keeping the entries updated would be an impossible task. On managed switches, Dynamic ARP Inspection (validated against a DHCP-snooping binding table) drops ARP replies whose sender fields do not match the known lease for that port, which scales where static tables do not. arpwatch, for Unix-based systems, monitors the IP-to-MAC bindings seen on the wire and alerts the administrator to any change.
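As an added example for the ARP slides (written for this page; it is not arpwatch's code and not from the handout), the Python below parses Ethernet/ARP frames and implements an arpwatch-style passive monitor that learns IP-to-MAC bindings from the sender fields and raises alerts on a changed binding (the poisoning on slide 22), on an Ethernet source that does not match the ARP sender, on an unsolicited broadcast reply, and on a burst of distinct sender MACs (the flooding on slide 23). The frames, addresses and timestamps are constructed inline; the flood threshold of 50 senders per second is an assumption.

```python
import socket
import struct
from collections import deque

ETH_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def build_arp(oper, sha, spa, tha, tpa):
    """Constructed Ethernet + ARP frame (requests go to the broadcast address)."""
    eth_dst = "ff:ff:ff:ff:ff:ff" if oper == ARP_REQUEST else tha
    eth = mac_bytes(eth_dst) + mac_bytes(sha) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, mac_bytes(sha),
                      socket.inet_aton(spa), mac_bytes(tha), socket.inet_aton(tpa))
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet/IPv4 ARP frame into a dict, or None if it is something else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "sha": mac_str(sha), "spa": socket.inet_ntoa(spa),
            "tha": mac_str(tha), "tpa": socket.inet_ntoa(tpa), "eth_src": mac_str(frame[6:12])}


class ArpMonitor:
    """arpwatch-style passive monitor: learns IP->MAC from sender fields and alerts on anomalies."""

    def __init__(self, flood_threshold=50, flood_window=1.0):
        self.table = {}                  # ip -> mac, as learned from the wire
        self.recent = deque()            # (time, sender mac) seen inside flood_window
        self.flood_threshold = flood_threshold
        self.flood_window = flood_window

    def observe(self, frame, now):
        """Feed one frame with its capture time; returns a list of (kind, detail) alerts."""
        a = parse_arp(frame)
        if a is None:
            return []
        alerts = []
        if a["sha"] != a["eth_src"]:
            alerts.append(("spoofed-src", "ARP sender %s inside a frame from %s" % (a["sha"], a["eth_src"])))
        old = self.table.get(a["spa"])
        if old is None:
            self.table[a["spa"]] = a["sha"]        # new station: remember it
        elif old != a["sha"]:                      # arpwatch's "changed ethernet address"
            alerts.append(("flip", "%s was %s, now claims %s" % (a["spa"], old, a["sha"])))
            self.table[a["spa"]] = a["sha"]
        if a["oper"] == ARP_REPLY and a["tha"] == "ff:ff:ff:ff:ff:ff":
            alerts.append(("gratuitous", "unsolicited broadcast reply for %s" % a["spa"]))
        # MAC flooding: too many distinct sender addresses inside a short window
        self.recent.append((now, a["sha"]))
        while self.recent and now - self.recent[0][0] > self.flood_window:
            self.recent.popleft()
        distinct = len({mac for _, mac in self.recent})
        if distinct >= self.flood_threshold:
            alerts.append(("flood", "%d distinct sender MACs in %.1fs" % (distinct, self.flood_window)))
        return alerts


def demo():
    """Alice/Bob/Mallory scenario from the slides fed through the monitor; returns alert kinds in order."""
    mon = ArpMonitor(flood_threshold=50)
    alice, bob = ("192.0.2.1", "02:00:00:00:00:01"), ("192.0.2.2", "02:00:00:00:00:02")
    mallory_mac = "02:00:00:00:00:66"
    events = []
    # normal resolution: Alice asks who has Bob's address, Bob answers
    events += mon.observe(build_arp(ARP_REQUEST, alice[1], alice[0], "00:00:00:00:00:00", bob[0]), now=0.0)
    events += mon.observe(build_arp(ARP_REPLY, bob[1], bob[0], alice[1], alice[0]), now=0.1)
    # poisoning: Mallory tells Alice that Bob's IP lives at Mallory's MAC
    events += mon.observe(build_arp(ARP_REPLY, mallory_mac, bob[0], alice[1], alice[0]), now=0.2)
    # flooding: a burst of replies from fabricated sender MACs to overflow the switch table
    for i in range(60):
        fake_mac = "02:00:00:ff:%02x:%02x" % (i >> 8, i & 0xFF)
        frame = build_arp(ARP_REPLY, fake_mac, "192.0.2.%d" % (100 + i), alice[1], alice[0])
        events += mon.observe(frame, now=0.3 + i * 0.001)
    return [kind for kind, _ in events]


if __name__ == "__main__":
    print(demo())
```

A monitor like this only sees the poisoning, it cannot stop it; that is why the slide's prevention list is switch-side (port security, Dynamic ARP Inspection). The "flip" alert is the one worth paging on: a gateway's IP changing MAC is exactly the slide 22 scenario.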

slide 25 :: the domain name system (dns)

Many of the earlier problems we have discussed are a result of authentication by source IP address (and the ability of an attacker to spoof it). Many other applications instead extend trust to other hosts based on their names, e.g. cassius.ee.usyd.edu.au, which only moves the problem. The domain name system (DNS) performs the mapping between names and IP addresses (and, via reverse lookup, from IP addresses back to names).

slide 26 :: attacks on DNS

Like ARP, DNS by default has no authentication: a resolver accepts any reply that matches the transaction ID and port of an outstanding query. The ability to subvert DNS, by compromising a nameserver or poisoning a resolver's cache, leads to many potential attacks:
– subversion of the r* commands, NFS (file sharing), /etc/hosts.equiv and other transitive trust relationships that check the client's name or reverse lookup
– impersonation attacks (e.g. of a web server)
– denial of service
Randomising transaction IDs and source ports makes blind cache poisoning expensive (this became urgent with the Kaminsky attack of 2008), and DNSSEC (RFC 4033 to 4035) adds signed records so a validating resolver can check the origin and integrity of what it caches.
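Here is an added example (not from the handout; written for this page) of the resolver-side checks that decide whether a UDP reply is allowed to touch the cache: transaction ID and source port must match the outstanding query, the question section must match, and additional records are only kept if they fall within the bailiwick of the server that was asked, which is what stops a reply for www.example.com from planting a record for a bank's name. Records are represented as plain dicts rather than wire format, and the query, replies and zone are constructed.

```python
import random


def normalize(name):
    return name.lower().rstrip(".")


def in_bailiwick(name, zone):
    """True if name is zone itself or lies beneath it (e.g. ns1.example.com under example.com)."""
    name, zone = normalize(name), normalize(zone)
    return name == zone or name.endswith("." + zone)


def validate_response(query, response, zone):
    """Checks a resolver applies to a reply before caching anything from it.

    query    : {"id", "port", "qname", "qtype"} as sent
    response : same keys plus "answers" and "additional" record lists
    zone     : the zone the queried server is authoritative for (its bailiwick)
    Returns ("rejected", reason) or ("accepted", kept_records, dropped_records).
    """
    if response["id"] != query["id"] or response["port"] != query["port"]:
        return ("rejected", "transaction id / source port mismatch")
    if (normalize(response["qname"]), response["qtype"]) != (normalize(query["qname"]), query["qtype"]):
        return ("rejected", "question section does not match")
    kept, dropped = [], []
    for rec in response["answers"] + response["additional"]:
        (kept if in_bailiwick(rec["name"], zone) else dropped).append(rec)
    return ("accepted", kept, dropped)


def new_query(qname, qtype="A"):
    """Random 16-bit transaction id and random source port: 2^16 * ~2^16 guesses for a blind spoofer."""
    rng = random.SystemRandom()
    return {"id": rng.randrange(1 << 16), "port": rng.randrange(1024, 65536),
            "qname": qname, "qtype": qtype}


def demo():
    """One query and three replies: legitimate, in-bailiwick answer with poisoned glue, and a blind spoof."""
    q = new_query("www.example.com.")
    zone = "example.com"
    legit = {"id": q["id"], "port": q["port"], "qname": q["qname"], "qtype": "A",
             "answers": [{"name": "www.example.com.", "type": "A", "data": "192.0.2.80"}],
             "additional": [{"name": "ns1.example.com.", "type": "A", "data": "192.0.2.53"}]}
    # Kaminsky-style payload: a correct answer carrying an out-of-bailiwick record in the additional section
    poisoned = dict(legit, additional=[{"name": "www.bank.example.", "type": "A", "data": "203.0.113.9"}])
    # attacker guessing blind: wrong transaction id (and, with port randomisation, usually the wrong port too)
    blind = dict(legit, id=(q["id"] + 1) & 0xFFFF)
    return {"legit": validate_response(q, legit, zone),
            "poisoned": validate_response(q, poisoned, zone),
            "blind": validate_response(q, blind, zone)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The bailiwick rule is why the Kaminsky attack targeted the delegation (authority/additional) records of the zone being asked about: they are in bailiwick, so the rule alone does not help, and the remaining defences are the entropy from ID plus port randomisation and, properly, DNSSEC.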

slide 27 :: infrastructure attacks

The Internet Control Message Protocol (ICMP) is used to communicate error messages and network conditions across IP. Like other infrastructure protocols, it has no strong authentication:
– ICMP Redirect messages can be spoofed, "redirecting" a host's traffic through the attacker (hosts should be configured to ignore them; on Linux, net.ipv4.conf.all.accept_redirects = 0)
– ICMP error messages (e.g. destination unreachable) can be spoofed to tell a target host that a victim is unavailable, knocking the victim off the air as far as that host is concerned
Few firewalls filter ICMP properly. Because "ping" uses ICMP echo, one common mistake is to allow all ICMP through so that ping works, which lets redirects and forged errors in; the opposite mistake is to block all ICMP, which breaks ping and also path MTU discovery. The right approach is to filter by type: allow echo and echo reply, time exceeded and destination unreachable (including fragmentation needed), and drop redirects at the border.

slide 28 :: other infrastructure attacks

Likewise all the other infrastructure protocols (e.g. RIP, EIGRP, BGP, OSPF) are open by default: at best they offer a shared-secret MD5 authentication option (e.g. the TCP MD5 option for BGP, RFC 2385) that is often left switched off. Other common attacks involving domain names involve subverting the processes of domain name registrars (e.g. social engineering Verisign) in order to change a domain's nameserver (delegation) records.

slide 29 :: it's going to get worse

– Stealthy, anonymous, encrypted, one-way communications that are difficult to detect or trace.
– Collaboration: master nodes communicate and act together, forming a global attack network or "uebernet".
– The "uebernets": many subliminal crypto-Internets.
– Mobility: steal credentials, exploit and spread.
– Decoys and deliberate flooding of IDSs.
– Automated agents pretending to be humans.
– Software to confuse biometric forensics (e.g. keystroke analysis).
– Attacks crossing over to mobile phones, palmtops, VoIP communications and other Internet-capable devices.

slide 30 :: what do we need to do?

– Rebuild the Internet from the ground up, using strong building blocks.
– Build strong authentication into every component.
– Audit trails and authentication for packets.
– A global network for co-operation.
– Out-of-band network control.
– Stronger languages, better programming practices, better network design, better quality control.
– Secure default configurations out of the box.
– An Internet police force.
– Everyone playing their part.

slide 31 :: references

Papers
– Read: S. M. Bellovin, "Security Problems in the TCP/IP Protocol Suite", ACM Computer Communication Review, 1989.
Protocol tools
– dsniff, ettercap, nmap, arpwatch, fragrouter