Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Security (part 2)

Published byAdelia Burns Modified over 6 years ago

Similar presentations

Presentation on theme: "Network Security (part 2)"— Presentation transcript:

1 Network Security (part 2)

2 Protocols: recap Last time, we saw:
MAC addresses Internet Protocol: IP ARP (to connect them) These were designed before security was even an issue, and hence are fundamentally insecure. Today, we’ll discuss more on how and move up the stack.

3 Last time: Reminder: ARP is the interface between Network and Data
Or internet and network interface on the TCP/IP layers This time, I’d like to: Talk about securing the IP layer Then move up the stack(s)

4 IP Spoofing IP protocol doesn’t prevent anyone from lying about the source address. Simple utilities exist to do this – it is also done for testing and other legitimate purposes. Simple packet filtering is the best defense – outside attacker then can’t spoof an inside address. But IP is just inherently insecure!

5 Ingress filtering Proposal to have every router drop packets with “invalid” IPs Would eliminate spoofing if everyone did it, and is commonly used 2012 report from MIT project studying this claims the latest software is running on 80% of the internet However: Source based No incentives Everyone must deploy Can’t catch everything

6 IPSec Protocol that authenticates and encrypts each IP packet in a communication Host to host or network to network or host to network, depending on setups Provides data integrity, authentication, data confidentiality, and replay protection by using cryptography and a number of other protocols

7 IPSec settings Authentication Header (AH) versus Encapsulating Security Payload (ESP) Either just authenticate source, or encrypt all communication Tunnel versus Transport mode Tunnel encapsulates entire packet and adds new headers, and is usually a key protocol for VPNs Transport only encapsulates (encrypts) the payload, so IP headers stay the same

8 IPSec: AH mode Authentication header:
Protects integrity and data origin authentication Can also defend against replay attacks Important note: incompatable with NAT!

9 AH mode The AH header identifies several key things:
Next hdr: identifies protocol type of payload AH len: length of AH header SPI is an identifier that helps associate a packet with relevant settings for the connection and details (encryption type, etc.) Sequence number: protect against replay attacks Authentication Data: usually a hash of the packet

10 AH transport mode Here, IP packet is modified only to include new header At the destination, the AH header is simply removed after verification, and IP header gets the saved “proto” field put back in

11 AH tunnel mode In tunnel mode:
Entire packet is encapsulated (but not encrypted!) Source and destination can be difference than those inside the packet Hence, a “tunnel” Most implementations treat tunnel mode as a virtual network interface So data can be sent along or delivered locally

12 IPSec: ESP mode Encapsulating security payload
Provides origin authenticity, integrity and confidentiality

13 ESP in transport mode Transport mode again just encapsulates the payload So used for host to host communications IP header is left in place (except for protocol), so source and destination stay the same

14 ESP in tunnel mode In tunnel mode, we encrypt the entire original packet Really close to a VPN (although no authentication in this setup) Note: the fact that we’re in tunnel mode is actually encrypted here also – it’s in the payload (unlike in AH)

15 VPNs and security It’s important to note that ESP in tunnel mode by itself is not up to security standards! There are attacks on IPSec with encryption only (and no integrity protection) Attack essentially calls for the attacker to inject some traffic onto the network and intercept responses, so nothing advanced here Need integrity, so that you will ignore these other packets

16 Other protocols: ICMP The Internet Control Message Protocol exists to provide error reporting and testing to IP. Primarily used by network devices like routers to send error messages. Example: When the TTL field reaches 0, a message is sent to source address. Many common utilities are built on this – traceroute, ping, etc. Often blocked except from certain trusted sources.

17 UDP: User Datagram Protocol
UDP builds on top of IP by supporting port routing: Destination port number gets a UDP data field that adds application process Source port number provides a return address Minimal guarantees – no acknowledgements, flow control, or anything In a sense, not easy to attack, but not reliable anyway!

18 TCP: adding reliability
TCP preserves order and adds reliability: Sender breaks data and attaches number Receiver must acknowledge receipt, so lost packets are resent and packets are reassembled

19 Actually, it’s a bit more complex:

20 Some attacks on TCP TCP states can be easy to guess
And hence spoofed or fooled TCP connection requires state, which means the server has to remember something TCP Syn floods can then overrun memory Denial of service is easy on this protocol! More details…

21 Force TCP Session Closing
Suppose an attacker can guess the sequence number for an existing connection Then send reset packet to close connection (so DOS) Can naively guess (1/232 chance) Most systems allow for some window of sequences, however, so much easier This is especially successful against long lived connections (like BGP, etc.), especially combined with packet sniffing, since this can help narrow the guessing range

22 TCP Spoofing Each connection for TCP has some state associated
Client/server IP and port Sequence numbers Problem: easy to guess this state Ports are standard Sequence numbers stored in predictable way

23 Session Hijacking Need a degree of unpredictability to avoid attacks.
If the attacker knows initial sequence number and rough amount of traffic, easier to guess, and can flood with likely numbers. Some vulnerabilities are unavoidable, but simple randomization can make things harder.

24 SYN flood Attacker sends a ton of syn packets but no acks (or can use falsified IP so response will be ignored) Server must remember all of these connections, so quickly runs out of space

25 SYN cookies Invented by Dan Bernstein, the idea defeat SYN floods is to use “particular choices of initial TCP sequence numbers”. Essentially, the server doesn’t have to remember the connection, but can instead reconstruct the query from the TCP sequence number. Some restrictions – can’t accept some TCP options, and still some limits, but overall fairly successful.

26 Denial of service attacks
“Any attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as CPU, memory, bandwidth, or disk space” Can be local or network based A Distributed DOS attack is a network based attack which uses multiple hosts

27 DDoS Attacker compromises and uses other machines
Can spoof IPs to further complicate Attack network or host resources Long and active history…

28 DDoS reflector attack Put victims IP as source address in many requests The “reflector” machines then flood the victim Advantages: Hides source Amplifies the attack Successfully used many times

29 Smurf DoS attack Attacker sends ICMP packets on broadcast mode with victim’s address as source. On broadcast mode, everyone will then reply to that IP.

30 DDoS defenses Packet filtering and monitoring
Change defaults – no ICMP broadcast anymore (mostly) Incorporate SYN cookies ISP filtering and traffic scrubbing “Overprovision” servers CAPTCHAs:

31 Intrusion detection/prevention
Deeper analysis and monitoring of network traffic, with content analysis Network based Host Based Examples: Snort Verisys Tripwire Etc.

32 Detection methods Misuse signature based detection Anomaly detection
E.g. SNORT rules Anomaly detection Port scan detection Combine well with firewalls, but usually more complex Issues of resources and cost, allocation, separation of resources

33 Evasion techniques Fragmentation: attack will go “under the radar” and bypass detection Avoid defaults: IDS may expect trojans on particular ports, so configure to use different ports Low bandwidth attacks – e.g. stealth port scanning Address spoofing Pattern change and evasion

34 Attacks on NIDS Insertion attacks:
NID systems actually keep “bad” packets that everyone else drops This can actually be a vulnerability!

35 Attacks on NIDS Evasion attacks:
End system can accept a packet that the NIDS rejects.

36 Not quite this simple… In reality, it’s not quite this easy, but these simple ideas have been used in a multitude of ways on different systems. Examples: Bad headers Unusual IP options Even MAC addresses in the local network

37 Next time Higher level protocols and their insecurities: DNS and BGP
Worms and Botnets Onion routing and higher level (newish) constructions

Download ppt "Network Security (part 2)"

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Securing TCP/IP Chapter 6. Introduction to Transmission Control Protocol/Internet Protocol (TCP/IP) TCP/IP comprises a suite of four protocols The protocols.

Securing TCP/IP Chapter 6. Introduction to Transmission Control Protocol/Internet Protocol (TCP/IP) TCP/IP comprises a suite of four protocols The protocols.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
K. Salah1 Security Protocols in the Internet IPSec.

K. Salah1 Security Protocols in the Internet IPSec.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Protocol Basics. IPSec Provides two modes of protection –Tunnel Mode –Transport Mode Authentication and Integrity Confidentiality Replay Protection.

Protocol Basics. IPSec Provides two modes of protection –Tunnel Mode –Transport Mode Authentication and Integrity Confidentiality Replay Protection.
1Federal Network Systems, LLC CIS Network Security Instructor Professor Mort Anvair Notice: Use and Disclosure of Data. Limited Data Rights. This proposal.

1Federal Network Systems, LLC CIS Network Security Instructor Professor Mort Anvair Notice: Use and Disclosure of Data. Limited Data Rights. This proposal.
8: Network Security8-1 Security in the layers. 8: Network Security8-2 Secure sockets layer (SSL) r Transport layer security to any TCP- based app using.

8: Network Security8-1 Security in the layers. 8: Network Security8-2 Secure sockets layer (SSL) r Transport layer security to any TCP- based app using.
FIREWALL Mạng máy tính nâng cao-V1.

FIREWALL Mạng máy tính nâng cao-V1.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
IIT Indore © Neminath Hubballi

IIT Indore © Neminath Hubballi
Firewalls. Evil Hackers FirewallYour network Firewalls mitigate risk Block many threats They have vulnerabilities.

Firewalls. Evil Hackers FirewallYour network Firewalls mitigate risk Block many threats They have vulnerabilities.
Network security Further protocols and issues. Protocols: recap There are a few main protocols that govern the internet: – Internet Protocol: IP – Transmission.

Network security Further protocols and issues. Protocols: recap There are a few main protocols that govern the internet: – Internet Protocol: IP – Transmission.
OV 12 - 1 Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
OV 12 - 1 Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

Similar presentations

Ads by Google