Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 9 Page 1 CS 136, Spring 2016 Network Security Computer Security Peter Reiher April 26, 2016.

Published byMarcia Sutton Modified over 8 years ago

Similar presentations

Presentation on theme: "Lecture 9 Page 1 CS 136, Spring 2016 Network Security Computer Security Peter Reiher April 26, 2016."— Presentation transcript:

1 Lecture 9 Page 1 CS 136, Spring 2016 Network Security Computer Security Peter Reiher April 26, 2016

2 Lecture 9 Page 2 CS 136, Spring 2016 Outline Network security characteristics and threats Denial of service attacks Traffic control mechanisms Firewalls Encryption for network security & VPNs Wireless security Honeypots and honeynets

3 Lecture 9 Page 3 CS 136, Spring 2016 Some Important Network Characteristics for Security Degree of locality Media used Protocols used

4 Lecture 9 Page 4 CS 136, Spring 2016 Degree of Locality Some networks are very local –E.g., an Ethernet –Benefits from: Physical locality Small number of users and machines Common goals and interests Other networks are very non-local –E.g., the Internet backbone –Many users/sites share bandwidth

5 Lecture 9 Page 5 CS 136, Spring 2016 Network Media Some networks are wires, cables, or over telephone lines –Can be physically protected Other networks are satellite links or other radio links –Physical protection possibilities more limited

6 Lecture 9 Page 6 CS 136, Spring 2016 Protocol Types TCP/IP is the most used –But it only specifies some common intermediate levels –Other protocols exist above and below it In places, other protocols replace TCP/IP And there are lots of supporting protocols –Routing protocols, naming and directory protocols, network management protocols –And security protocols (IPSec, ssh, ssl)

7 Lecture 9 Page 7 CS 136, Spring 2016 Implications of Protocol Type The protocol defines a set of rules that will always be followed –But usually not quite complete –And they assume everyone is at least trying to play by the rules –What if they don’t? Specific attacks exist against specific protocols

8 Lecture 9 Page 8 CS 136, Spring 2016 Threats To Networks Wiretapping Impersonation Attacks on message –Confidentiality –Integrity Denial of service attacks

9 Lecture 9 Page 9 CS 136, Spring 2016 Wiretapping Passive wiretapping is listening in illicitly on conversations Active wiretapping is injecting traffic illicitly Packet sniffers can listen to all traffic on a broadcast medium –Ethernet or 802.11, e.g. Wiretapping on wireless often just a matter of putting up an antenna

10 Lecture 9 Page 10 CS 136, Spring 2016 Impersonation A packet comes in over the network –With some source indicated in its header Often, the action to be taken with the packet depends on the source But attackers may be able to create packets with false sources

11 Lecture 9 Page 11 CS 136, Spring 2016 How Do We Determine Packet “Identity”? Source address –Just bits, therefore spoofable Cryptographic techniques –Possible, but expensive and key issues must be solved Just knowing –Maybe it’s hard to “get into” the medium –Relies on some assumptions

12 Lecture 9 Page 12 CS 136, Spring 2016 Violations of Message Confidentiality Other problems can cause messages to be inappropriately divulged Misdelivery can send a message to the wrong place –Clever attackers can make it happen Message can be read at an intermediate gateway or a router Sometimes an intruder can get useful information just by traffic analysis

13 Lecture 9 Page 13 CS 136, Spring 2016 Message Integrity Even if the attacker can’t create the packets he wants, sometimes he can alter proper packets To change the effect of what they will do Typically requires access to part of the path message takes

14 Lecture 9 Page 14 CS 136, Spring 2016 Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing tables Or flooding routers Or destroying key packets

15 Lecture 9 Page 15 CS 136, Spring 2016 How Do Denial of Service Attacks Occur? Basically, the attacker injects some form of traffic Most current networks aren’t built to throttle uncooperative parties very well All-inclusive nature of the Internet makes basic access trivial Universality of IP makes reaching most of the network easy

16 Lecture 9 Page 16 CS 136, Spring 2016 An Example: SYN Flood Based on vulnerability in TCP Attacker uses initial request/response to start TCP session to fill a table at the server Preventing new real TCP sessions SYN cookies and firewalls with massive tables are possible defenses

17 Lecture 9 Page 17 CS 136, Spring 2016 Normal SYN Behavior SYN SYN/ACK ACK Table of open TCP connections

18 Lecture 9 Page 18 CS 136, Spring 2016 A SYN Flood SYN SYN/ACK Table of open TCP connections SYN SYN/ACK SYN Server can’t fill request! SYN

19 Lecture 9 Page 19 CS 136, Spring 2016 SYN Cookies SYN No room in the table, so send back a SYN cookie, instead SYN/ACK SYN/ACK number is secret function of various information ACK Server recalculates cookie to determine if proper response + 1 Client IP address & port, server’s IP address and port, and a timer KEY POINT: Server doesn’t need to save cookie value! And no changes to TCP protocol itself

20 Lecture 9 Page 20 CS 136, Spring 2016 General Network Denial of Service Attacks Need not tickle any particular vulnerability Can achieve success by mere volume of packets If more packets sent than can be handled by target, service is denied A hard problem to solve

21 Lecture 9 Page 21 CS 136, Spring 2016 Distributed Denial of Service Attacks Goal: Prevent a network site from doing its normal business Method: overwhelm the site with attack traffic Response: ?

22 Lecture 9 Page 22 CS 136, Spring 2016 The Problem

23 Lecture 9 Page 23 CS 136, Spring 2016 Why Are These Attacks Made? Generally to annoy Sometimes for extortion Sometimes to prevent adversary from doing something important If directed at infrastructure, might cripple parts of Internet

24 Lecture 9 Page 24 CS 136, Spring 2016 Attack Methods Pure flooding –Of network connection –Or of upstream network Overwhelm some other resource –SYN flood –CPU resources –Memory resources –Application level resource Direct or reflection

25 Lecture 9 Page 25 CS 136, Spring 2016 Why “Distributed”? Targets are often highly provisioned servers A single machine usually cannot overwhelm such a server So harness multiple machines to do so Also makes defenses harder

26 Lecture 9 Page 26 CS 136, Spring 2016 How to Defend? A vital characteristic: –Don’t just stop a flood –ENSURE SERVICE TO LEGITIMATE CLIENTS!!! If you deliver a manageable amount of garbage, you haven’t solved the problem Nor have you if you prevent a flood by dropping all packets

27 Lecture 9 Page 27 CS 136, Spring 2016 Complicating Factors High availability of compromised machines –Millions of zombie machines out there Internet is designed to deliver traffic –Regardless of its value IP spoofing allows easy hiding Distributed nature makes legal approaches hard Attacker can choose all aspects of his attack packets –Can be a lot like good ones

28 Lecture 9 Page 28 CS 136, Spring 2016 Basic Defense Approaches Overprovisioning Dynamic increases in provisioning Hiding Tracking attackers Legal approaches Reducing volume of attack None of these are totally effective

29 Lecture 9 Page 29 CS 136, Spring 2016 Reflection Attacks Attacker doesn’t send packets to the target He sends packets to a third party node –With the target’s IP address spoofed Third party sends response to target If response is much bigger than request, amplifies the attack

30 Lecture 9 Page 30 CS 136, Spring 2016 Traffic Control Mechanisms Filtering –Source address filtering –Other forms of filtering Rate limits Protection against traffic analysis –Padding –Routing control

31 Lecture 9 Page 31 CS 136, Spring 2016 Source Address Filtering Filtering out some packets because of their source address value –Usually because you believe their source address is spoofed Often called ingress filtering –Or egress filtering...

32 Lecture 9 Page 32 CS 136, Spring 2016 Source Address Filtering for Address Assurance Router “knows” what network it sits in front of –In particular, knows IP addresses of machines there Filter outgoing packets with source addresses not in that range Prevents your users from spoofing other nodes’ addresses –But not from spoofing each other’s

33 Lecture 9 Page 33 CS 136, Spring 2016 Source Address Filtering Example 128.171.192.* 95.113.27.1256.29.138.2 My network shouldn’t be creating packets with this source address So drop the packet

34 Lecture 9 Page 34 CS 136, Spring 2016 Source Address Filtering in the Other Direction Often called egress filtering –Or ingress filtering... Occurs as packets leave the Internet and enter a border router –On way to that router’s network What addresses shouldn’t be coming into your local network?

35 Lecture 9 Page 35 CS 136, Spring 2016 Filtering Incoming Packets 128.171.192.* 128.171.192.5128.171.192.7 Packets with this source address should be going out, not coming in So drop the packet

36 Lecture 9 Page 36 CS 136, Spring 2016 Other Forms of Filtering One can filter on things other than source address –Such as worm signatures, unknown protocol identifiers, etc. Also, there are unallocated IP addresses in IPv4 space –Can filter for packets going to or coming from those addresses Some source addresses for local use only –Internet routers can drop packets to/from them

37 Lecture 9 Page 37 CS 136, Spring 2016 Realistic Limits on Filtering Little filtering possible in Internet core –Packets being handled too fast –Backbone providers don’t want to filter –Damage great if you screw it up Filtering near edges has its own limits –In what’s possible –In what’s affordable –In what the router owners will do

38 Lecture 9 Page 38 CS 136, Spring 2016 Rate Limits Many routers can place limits on the traffic they send to a destination Ensuring that the destination isn’t overloaded –Popular for denial of service defenses Limits can be defined somewhat flexibly But often not enough flexibility to let the good traffic through and stop the bad

39 Lecture 9 Page 39 CS 136, Spring 2016 Padding Sometimes you don’t want intruders to know what your traffic characteristics are Padding adds extra traffic to hide the real stuff Fake traffic must look like real traffic –Usually means encrypt it all Must be done carefully, or clever attackers can tell the good stuff from the noise

40 Lecture 9 Page 40 CS 136, Spring 2016 Routing Control Use ability to control message routing to conceal the traffic in the network Used in onion routing to hide who is sending traffic to whom –For anonymization purposes Routing control also used in some network defense –To hide real location of a machine –E.g., SOS DDoS defense system

41 Lecture 9 Page 41 CS 136, Spring 2016 Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits between a LAN/WAN and the Internet Running special software to regulate network traffic

42 Lecture 9 Page 42 CS 136, Spring 2016 Typical Use of a Firewall Local Network The Internet ??? Firewall ???

43 Lecture 9 Page 43 CS 136, Spring 2016 Firewalls and Perimeter Defense Firewalls implement a form of security called perimeter defense Protect the inside of something by defending the outside strongly –The firewall machine is often called a bastion host Control the entry and exit points If nothing bad can get in, I’m safe, right?

44 Lecture 9 Page 44 CS 136, Spring 2016 Weaknesses of Perimeter Defense Models Breaching the perimeter compromises all security Windows passwords are a form of perimeter defense –If you get past the password, you can do anything Perimeter defense is part of the solution, not the entire solution

45 Lecture 9 Page 45 CS 136, Spring 2016 Weaknesses of Perimeter Defense

46 Lecture 9 Page 46 CS 136, Spring 2016 Defense in Depth An old principle in warfare Don’t rely on a single defensive mechanism or defense at a single point Combine different defenses Defeating one defense doesn’t defeat your entire plan

47 Lecture 9 Page 47 CS 136, Spring 2016 So What Should Happen?

48 Lecture 9 Page 48 CS 136, Spring 2016 Or, Better

49 Lecture 9 Page 49 CS 136, Spring 2016 Or, Even Better

50 Lecture 9 Page 50 CS 136, Spring 2016 So Are Firewalls Any Use? Definitely! They aren’t the full solution, but they are absolutely part of it Anyone who cares about security needs to run a decent firewall They just have to do other stuff, too

51 Lecture 9 Page 51 CS 136, Spring 2016 The Brass Tacks of Firewalls What do they really do? Examine each incoming packet Decide to let the packet through or drop it –Criteria could be simple or complex Perhaps log the decision Maybe send rejected packets elsewhere Pretty much all there is to it

52 Lecture 9 Page 52 CS 136, Spring 2016 Types of Firewalls Filtering gateways –AKA screening routers Application level gateways –AKA proxy gateways Reverse firewalls

53 Lecture 9 Page 53 CS 136, Spring 2016 Filtering Gateways Based on packet header information –Primarily, IP addresses, port numbers, and protocol numbers Based on that information, either let the packet through or reject it Stateless firewalls

54 Lecture 9 Page 54 CS 136, Spring 2016 Example Use of Filtering Gateways Allow particular external machines to telnet into specific internal machines –Denying telnet to other machines Or allow full access to some external machines And none to others

55 Lecture 9 Page 55 CS 136, Spring 2016 A Fundamental Problem IP addresses can be spoofed If your filtering firewall trusts packet headers, it offers little protection Situation may be improved by IPsec –But hasn’t been yet Firewalls can perform the ingress/egress filtering discussed earlier

56 Lecture 9 Page 56 CS 136, Spring 2016 Filtering Based on Ports Most incoming traffic is destined for a particular machine and port –Which can be derived from the IP and TCP headers Only let through packets to select machines at specific ports Makes it impossible to externally exploit flaws in little-used ports –If you configure the firewall right...

57 Lecture 9 Page 57 CS 136, Spring 2016 Pros and Cons of Filtering Gateways +Fast +Cheap +Flexible +Transparent –Limited capabilities –Dependent on header authentication –Generally poor logging –May rely on router security

58 Lecture 9 Page 58 CS 136, Spring 2016 Application Level Gateways Also known as proxy gateways Firewalls that understand the application- level details of network traffic –To some degree Traffic is accepted or rejected based on the probable results of accepting it Stateful firewalls

59 Lecture 9 Page 59 CS 136, Spring 2016 How Application Level Gateways Work Firewall treats packets as part of flows Either configured to handle common types of traffic –Like TCP, HTTP, etc. –Or proxies are plugged into a framework Incoming packets handled by type of flow –Typically determined by protocol type and port Firewall typically accepts or rejects them

60 Lecture 9 Page 60 CS 136, Spring 2016 Deep Packet Inspection What the proxies do, when used Looking into packets beyond their headers –Especially the IP header “Deep” sometimes also means deeper understanding of what’s going on –Though not always

61 Lecture 9 Page 61 CS 136, Spring 2016 Firewall Proxies Programs capable of understanding particular kinds of traffic –E.g., FTP, HTTP, videoconferencing Proxies are specialized A good proxy has deep understanding of the network application Typically limited by complexity and performance issues

62 Lecture 9 Page 62 CS 136, Spring 2016 Pros and Cons of Application Level Gateways +Highly flexible +Good logging +Content-based filtering possible +Potentially transparent –Slower –More complex and expensive –Highly dependent on sophistication

63 Lecture 9 Page 63 CS 136, Spring 2016 Reverse Firewalls Normal firewalls keep stuff from the outside from getting inside Reverse firewalls keep stuff from the insider from getting outside Often colocated with regular firewalls Why do we need them?

64 Lecture 9 Page 64 CS 136, Spring 2016 Possible Uses of Reverse Firewalls Concealing details of your network from attackers Preventing compromised machines from sending things out –E.g., intercepting bot communications or stopping DDoS –Preventing data exfiltration

65 Lecture 9 Page 65 CS 136, Spring 2016 Firewall Characteristics Statefulness Transparency Handling authentication Handling encryption

66 Lecture 9 Page 66 CS 136, Spring 2016 Stateful Firewalls Much network traffic is connection- oriented –E.g., telnet and videoconferencing Proper handling of that traffic requires the firewall to maintain state But handling information about connections is more complex

67 Lecture 9 Page 67 CS 136, Spring 2016 Firewalls and Transparency Ideally, the firewall should be invisible –Except when it vetoes access Users inside should be able to communicate outside without knowing about the firewall External users should be able to invoke internal services transparently

68 Lecture 9 Page 68 CS 136, Spring 2016 Firewalls and Authentication Many systems want to give special privileges to specific sites or users Firewalls can only support that to the extent that strong authentication is available –At the granularity required For general use, may not be possible –In current systems

69 Lecture 9 Page 69 CS 136, Spring 2016 Firewalls and Encryption Firewalls provide no confidentiality Unless the data is encrypted But if the data is encrypted, the firewall can’t examine it So typically the firewall must be able to decrypt –Or only work on unencrypted parts of packets Can decrypt, analyze, and re-encrypt

Download ppt "Lecture 9 Page 1 CS 136, Spring 2016 Network Security Computer Security Peter Reiher April 26, 2016."

Similar presentations

Why Is DDoS Hard to Solve? 1.A simple form of attack 2.Designed to prey on the Internet’s strengths 3.Easy availability of attack machines 4.Attack can.

Why Is DDoS Hard to Solve? 1.A simple form of attack 2.Designed to prey on the Internet’s strengths 3.Easy availability of attack machines 4.Attack can.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
Game-based Analysis of Denial-of- Service Prevention Protocols Ajay Mahimkar Class Project: CS 395T.

Game-based Analysis of Denial-of- Service Prevention Protocols Ajay Mahimkar Class Project: CS 395T.
Networking Components Chad Benedict – LTEC 4550 1.

Networking Components Chad Benedict – LTEC
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Lecture 22 Page 1 Advanced Network Security Other Types of DDoS Attacks Advanced Network Security Peter Reiher August, 2014.

Lecture 22 Page 1 Advanced Network Security Other Types of DDoS Attacks Advanced Network Security Peter Reiher August, 2014.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.

CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Why do we need Firewalls? Internet connectivity is a must for most people and organizations  especially for me But a convenient Internet connectivity.

Why do we need Firewalls? Internet connectivity is a must for most people and organizations  especially for me But a convenient Internet connectivity.
FIREWALL Mạng máy tính nâng cao-V1.

FIREWALL Mạng máy tính nâng cao-V1.

Similar presentations

Ads by Google