Security Mechanisms for a Cooperative Firewall 12/02/14 February 2014 Hammad Kabir Supervisor: Prof. Raimo Kantola Instructor: Jose Costa-Requena.

Outline
- Research Background
- Research Objectives
- Conceptual Framework (Customer Edge Switching)
- Literature Review
  - Circular Pool vulnerabilities
  - CES-to-CES communication vulnerabilities
- Security Models
- Results and Discussion
- Conclusions and Future Work
- References
12/02/2014

Research Background
- NAT deployment at network edges introduced the reachability problem in the Internet.
- Various NAT traversal proposals (STUN, TURN and ICE [3]) have been made, but they either suffer from long connection setup times or require keep-alive signalling that drains the mobile battery.
- A solution proposed at the COMNET department of Aalto University: Customer Edge Switching (CES).

Research Objectives
Research Problem
- While the CES architecture solves many current Internet issues, e.g. the reachability problem and IPv4 address space depletion [1] [2], the prototype only offers minimal security, through policy-based admission control of the communicating end points.
- Security has generally been considered out of scope.
Research Scope
- Identify the security vulnerabilities present in the CES architecture.
- Present a security model that secures CES against attacks launched on these vulnerabilities.
- Evaluate the security models against a set of test cases (attacks) to demonstrate their effectiveness.

Customer Edge Switching
Customer Edge Traversal Protocol (CETP)

Private Realm Gateway (PRGW)
Principle:
- A component in CES that supports backward compatibility with legacy networks.
- An outgoing connection is established in a similar manner to NAT.
- For an inbound connection, the domain in the private network is reached through an address received from CES after name resolution for the destination domain.

Circular Pool Model
- When a DNS request is received from a legacy host, the PRGW uses the circular pool and returns an address from its pool of public IP addresses to the sender in the DNS response. The returned address is marked in the 'waiting' state.
- After a data packet is received at this address, the address is returned to the circular pool for future connection establishments, since the circular pool only assigns addresses that are not in the 'waiting' state to new connections.
- If all circular pool addresses are reserved when a DNS query is received, the circular pool cannot serve the request and the request is dropped. This state of the circular pool is called the blocking state. It is not permanent and does not affect ongoing connections in CES.
- An attacker can exploit this behaviour in different ways to launch DoS attacks on the circular pool.

Denial of Service (DoS) in CPOOL
- An attacker sends DNS queries for different domains behind the CES, through various DNS servers, to reserve all the circular pool addresses.
- Damage: CES reaches the blocking state and cannot serve new incoming connection requests.

Connection Hijacking in CPOOL
- A legitimate host reserves an address from the circular pool and a state is created with 'waiting' status.
- Before the legitimate host returns, an attacker sending attack packets can take over the state and hijack the connection.
- Results in DoS to the legitimate user.

CETP connection establishment
- After the DNS response, the outbound CES (oCES) encodes a CETP packet according to the sender policy and forwards it to the inbound CES (iCES) to negotiate the connection establishment.
- The CETP transaction between the oCES and the iCES is uniquely identified by the (SST, DST) pair, chosen by the oCES and the iCES respectively.
- The connection establishment succeeds once both end points fulfil each other's requirements, in either 1 RTT or 2 RTT.

CETP Attack-1
Vulnerability:
- A legacy host with a CETP attack module forwards spoofed CETP packets towards CES-B.
Damage:
- The attacker opens a connection in the iCES by sending a spoofed CETP packet.
- For a bot-controlled legacy host, this can result in a DoS attack on the inbound CES.

CETP Attack
Vulnerability:
- A non-spoofing legacy host can pose as a legitimate CES if the sender's legitimacy is not determined.
Damage:
- The attacker successfully establishes a connection with the victim behind CES-B.

CETP Attack
Vulnerability:
- The attack can affect all communications for which the routing infrastructure is compromised.
Damage:
- A successful MITM attack can compromise the integrity of the messages exchanged.
- A MITM attacker can either passively eavesdrop on a communication, or masquerade as a legitimate source and steal the victim's information.

Principle of Security Mechanisms
- A lightweight attack should consume minimal processing at an inbound CES. Heavy verification mechanisms run on attack packets that were generated with minimal processing give the attacker an advantage: the attacker can flood the CES with huge attack volumes and force the CES into a denial-of-service (DoS) state.
- The CES architecture must eliminate source address spoofing before admitting a packet for connection establishment.
- Heavy verification mechanisms, executed after spoofing has been eliminated, must guarantee the legitimacy of the CETP packet source.
- With spoofing eliminated, a failure in the heavy verification mechanisms must enable the CES to attribute the attack to the packet source.
- The response to a lightweight received packet should be small, to prevent network traffic amplification. The detailed response can be sent after spoofing has been eliminated.

Inbound CES Security Model
Cookie mechanism
- Protects against spoofing attacks
- Protects against replay attacks
Signature verification
- Protects against MITM attacks
- Authenticates the sender, based on the certificate from a CA
HSS verification
- Authenticates the sender
A connection succeeds only if
- the sender is a non-spoofing source,
- and the sender is authenticated as a legitimate CES,
- and it fulfils all the policy requirements of the destination.

Outbound CES Security Model
A connection succeeds only if the inbound packet matches
- the (SST, DST=0) pair in the oCES,
- and the sender is authenticated as a legitimate CES.
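The CETP exchange of the preceding slides (connection establishment, the principle of security mechanisms, and the inbound and outbound security models) can be followed end to end in the following added example. It is not the CES prototype's CETP implementation: the packet layout, the cookie construction (an HMAC over the source address and SST under a secret the iCES rotates), the random SST/DST values and all addresses are assumptions, and the CA-issued certificate signature is stood in for by an HMAC under a pre-shared key so that the example runs on the Python standard library alone. The iCES keeps no state and answers only with a small cookie until the sender proves it is not spoofing; only then does it spend a signature verification, and only then does it allocate a DST. The oCES accepts replies solely for a pending (SST, DST=0) transaction and only when they are signed.

```python
"""CETP connection setup with the cookie and signature checks of the slides.
Added example, not the CES prototype's code; keys, addresses and the message
layout are constructed, and an HMAC under CA_KEY stands in for the
certificate-based signature."""
import hashlib
import hmac
import secrets

CA_KEY = b"constructed-pre-shared-key"   # stand-in for the CA-rooted signing key


def sign(fields):
    """'Signature' over all CETP fields except 'sig' (HMAC stand-in)."""
    msg = "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(CA_KEY, msg, hashlib.sha256).hexdigest()


def verify(pkt):
    body = {k: v for k, v in pkt.items() if k != "sig"}
    return hmac.compare_digest(sign(body), pkt.get("sig", ""))


class InboundCES:
    """iCES: stateless until the sender has echoed a cookie it could only have
    received at its real address; heavy checks are counted for comparison."""
    def __init__(self):
        self.secret = secrets.token_bytes(32)   # cookie key (rotate to expire cookies)
        self.spent = set()                      # cookies already used: replay check
        self.connections = {}                   # (SST, DST) -> sender address
        self.heavy_checks = 0                   # signature verifications performed

    def cookie(self, src, sst):
        return hmac.new(self.secret, f"{src}|{sst}".encode(), hashlib.sha256).hexdigest()[:16]

    def receive(self, src, pkt):
        """Returns the reply packet, or None if the packet is dropped."""
        if pkt.get("dst") != 0:
            return None
        if "cookie" not in pkt:
            # lightweight packet -> small, stateless reply (no amplification, no state)
            return {"sst": pkt["sst"], "dst": 0, "cookie": self.cookie(src, pkt["sst"])}
        # 1. cookie check eliminates spoofing before any expensive work
        expected = self.cookie(src, pkt["sst"])
        if not hmac.compare_digest(expected, pkt["cookie"]) or pkt["cookie"] in self.spent:
            return None
        self.spent.add(pkt["cookie"])
        # 2. heavy check only now; a failure here is attributable to the real src
        self.heavy_checks += 1
        if not verify(pkt):
            return None
        dst = secrets.randbelow(65535) + 1
        self.connections[(pkt["sst"], dst)] = src
        reply = {"sst": pkt["sst"], "dst": dst, "policy": "accepted"}
        reply["sig"] = sign(reply)
        return reply


class OutboundCES:
    def __init__(self, addr):
        self.addr = addr
        self.pending = {}       # (SST, 0) -> offer awaiting the iCES reply
        self.established = {}   # (SST, DST) -> offer

    def open(self, offer):
        sst = secrets.randbelow(65535) + 1
        pkt = {"sst": sst, "dst": 0, "offer": offer}
        self.pending[(sst, 0)] = pkt
        return pkt

    def receive(self, pkt):
        """Accept only packets for a pending (SST, DST=0) transaction: a cookie
        reply is answered with the signed packet, a signed DST reply completes."""
        key = (pkt["sst"], 0)
        if key not in self.pending:
            return None
        if "cookie" in pkt:
            signed = dict(self.pending[key], cookie=pkt["cookie"])
            signed["sig"] = sign(signed)
            return signed
        if not verify(pkt):
            return None
        self.established[(pkt["sst"], pkt["dst"])] = self.pending.pop(key)
        return "established"


def legitimate_setup():
    """Full 2-RTT exchange, then the captured signed packet replayed once."""
    o, i = OutboundCES("192.0.2.1"), InboundCES()
    p1 = o.open("policy-offer")        # oCES -> iCES: (SST, DST=0)
    r1 = i.receive(o.addr, p1)         # iCES -> oCES: cookie, no state kept
    p2 = o.receive(r1)                 # oCES -> iCES: cookie + signature
    r2 = i.receive(o.addr, p2)         # iCES -> oCES: (SST, DST), signed
    status = o.receive(r2)
    return {"status": status, "connections": len(i.connections),
            "heavy_checks": i.heavy_checks, "replay_dropped": i.receive(o.addr, p2) is None}


def spoofed_flood(n):
    """Spoofed CETP packets (replies go to the spoofed address, so the attacker
    never sees the cookie): (state entries, signature checks) at the iCES."""
    i = InboundCES()
    for k in range(n):
        src = "203.0.113.%d" % (k % 250 + 1)
        i.receive(src, {"sst": k + 1, "dst": 0, "offer": "x"})
        i.receive(src, {"sst": k + 1, "dst": 0, "offer": "x", "cookie": "0" * 16, "sig": "0" * 64})
    return len(i.connections), i.heavy_checks


def impostor():
    """Non-spoofing legacy host posing as a CES: passes the cookie, fails the signature."""
    i = InboundCES()
    r1 = i.receive("198.51.100.5", {"sst": 7, "dst": 0, "offer": "x"})
    reply = i.receive("198.51.100.5", {"sst": 7, "dst": 0, "offer": "x", "cookie": r1["cookie"], "sig": "bad"})
    return reply, len(i.connections), i.heavy_checks
```

The cost asymmetry is the point of the principle slide: the spoofed flood never triggers a signature verification and leaves no state, while the impostor costs exactly one verification and, since it answered the cookie from its real address, can be blamed for the failed attempt.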

Consequence of security

Performance Analysis
                               | Before Security (msec) | After Security (msec)
CETP connection delay – 1 RTT  |                        |
CETP connection delay – 2 RTT  |                        |

Circular Pool security
Protections against DoS attacks
- Upper limit on 'waiting' connection requests to a destination
- Upper limit on 'waiting' connection requests from a source
- Greylisting a DNS source generating attack traffic
- A dedicated set of resources for whitelisted sources
- Resources for whitelisted DNS sources, even under DDoS

Circular Pool security
Protections against Connection Hijacking attempts
- Drop a UDP packet received for claiming a 'waiting' connection state, since it is difficult to eliminate spoofing on a received UDP packet
- A UDP packet must be accepted only after prior secure signalling, e.g. SIP, from the source
- Blacklisting an IP source generating the attack traffic
- TCP relay to eliminate spoofing on the inbound traffic [4]
- Bot-detection method, to spot a non-spoofing legacy host generating the attack traffic
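The circular pool model, the DoS attack on it, and the two circular-pool security slides above fit in one simulation, which is given here as an added example rather than the PRGW's own code. The pool addresses, the DNS-source names, the 'waiting' timeout and all limit values are constructed, and the greylisting rule (a source is greylisted after repeatedly hitting the per-source or per-destination limit) is one plausible reading of the slide, not the prototype's. The same class runs in a baseline mode, to reproduce the blocking state the attack slide describes, and in a hardened mode with the per-destination and per-source caps, the greylist, the reserve for whitelisted DNS sources, and the rule that a UDP packet cannot claim a 'waiting' state.

```python
"""Circular pool of the Private Realm Gateway, with and without the DoS and
hijacking protections listed on the slides.  Added example, not the CES
prototype's code; pool, limits, timeout and names are constructed values."""
from collections import defaultdict

WAIT_TIMEOUT = 2.0   # seconds an address stays in 'waiting' (assumed value)


class CircularPool:
    def __init__(self, addresses, hardened=True, whitelist=(),
                 reserve_for_whitelist=1, max_waiting_per_dst=2,
                 max_waiting_per_src=3, greylist_after=5):
        self.free = list(addresses)       # addresses available for a DNS reply
        self.waiting = {}                 # public addr -> (dns_src, domain, expiry)
        self.hardened = hardened
        self.whitelist = set(whitelist)
        self.reserve = reserve_for_whitelist
        self.max_dst, self.max_src = max_waiting_per_dst, max_waiting_per_src
        self.greylist_after = greylist_after
        self.greylist, self.blacklist = set(), set()
        self.violations = defaultdict(int)

    def _expire(self, now):
        """A 'waiting' address no data packet claimed returns to the pool."""
        for addr, (_, _, expiry) in list(self.waiting.items()):
            if expiry <= now:
                del self.waiting[addr]
                self.free.append(addr)

    def blocking(self):
        """Blocking state: every address is reserved, new DNS queries are dropped."""
        return not self.free

    def _violation(self, dns_src):
        self.violations[dns_src] += 1
        if self.violations[dns_src] >= self.greylist_after:
            self.greylist.add(dns_src)    # DNS source that keeps hitting the limits

    def dns_query(self, dns_src, domain, now):
        """Answer a legacy host's DNS query with a pool address, or None (dropped)."""
        self._expire(now)
        if self.hardened:
            trusted = dns_src in self.whitelist
            if dns_src in self.greylist and not trusted:
                return None
            per_dst = sum(1 for _, d, _ in self.waiting.values() if d == domain)
            per_src = sum(1 for s, _, _ in self.waiting.values() if s == dns_src)
            if per_dst >= self.max_dst or per_src >= self.max_src:
                self._violation(dns_src)
                return None
            if not trusted and len(self.free) <= self.reserve:
                return None               # last addresses kept for whitelisted sources
        if self.blocking():
            return None
        addr = self.free.pop(0)
        self.waiting[addr] = (dns_src, domain, now + WAIT_TIMEOUT)
        return addr

    def data_packet(self, public_addr, src_ip, proto, now):
        """First data packet at a 'waiting' address claims it: returns the private
        domain the packet is switched to, or None if it is dropped."""
        self._expire(now)
        if self.hardened and (src_ip in self.blacklist or proto == "udp"):
            return None                   # UDP claims dropped: spoofing not ruled out
        entry = self.waiting.pop(public_addr, None)
        if entry is None:
            return None
        self.free.append(public_addr)     # address goes back to the pool
        return entry[1]


def run_scenario(hardened):
    """An attacker reserves addresses via many DNS queries; then a plain and a
    whitelisted DNS source ask for a domain and the returned address is claimed."""
    pool = CircularPool(["198.51.100.%d" % i for i in range(1, 5)],
                        hardened=hardened, whitelist={"dns-partner"})
    attacker_got = 0
    for i in range(8):                    # queries for 8 domains behind the CES
        if pool.dns_query("dns-attacker", "victim%d.example" % i, now=0.0):
            attacker_got += 1
    plain = pool.dns_query("dns-isp", "host.example", now=0.5)
    blocking = pool.blocking()
    trusted = pool.dns_query("dns-partner", "host.example", now=0.5)
    # a UDP packet from another host tries to take over the 'waiting' state
    udp_claim = pool.data_packet(trusted, "203.0.113.9", "udp", now=0.6) if trusted else None
    tcp_claim = pool.data_packet(trusted, "192.0.2.7", "tcp", now=0.7) if trusted else None
    return {"attacker_addresses": attacker_got, "plain_served": plain is not None,
            "blocking_before_whitelist": blocking, "whitelisted_served": trusted is not None,
            "udp_claim": udp_claim, "tcp_claim": tcp_claim,
            "attacker_greylisted": "dns-attacker" in pool.greylist}
```

In the baseline run the eight attacker queries drain all four addresses and the pool enters the blocking state before any legitimate query arrives; in the hardened run the per-source cap stops the attacker at three addresses, the repeated rejections greylist it, the reserve keeps one address for the whitelisted source, and only the TCP packet, not the UDP one, is allowed to claim the resulting 'waiting' state.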

Circular Pool Evaluation
Before security:
- All the offered traffic was carried into the CPOOL and processed for connection establishment.
After security:
- The SYN segments accepted for connection establishment drop drastically once the bot-controlled host is identified.
- Test case: a legitimate host and an attacker generating SYN segments at an average of 20 connections/sec.
- The volume of carried traffic is reduced after the security mechanisms are applied.

Conclusion and Future Work
Conclusion:
- Security vulnerabilities have been identified.
- Security models proposed to secure the CES architecture have been evaluated.
- The performance analysis indicates that CES is secured against network attacks without introducing significant delay.
Future Work:
- Implementation of the TCP relay method to eliminate spoofing on the received packets.
- Exploring DNS over TCP to avoid spoofing in the received DNS requests.
- Faster control plane/data plane using C/C++, to further reduce the connection setup delay.
- Secure signalling for UDP flows.

References
[1] J. S. Llorente, "Private Realm Gateway," Master's Thesis, Aalto University, School of Electrical Engineering.
[2] M. Pahlevan, "Signalling and Policy Enforcement for Cooperative Firewalls," Thesis, Aalto University, School of Electrical Engineering.
[3] N. Beijar, Z. Yan, M. Pahlavan, and R. Kantola, "Customer Edge Traversal Protocol," Mar. 2012. [Online].
[4] W. Eddy, "TCP SYN Flooding Attacks and Common Mitigations," RFC 4987.
