INF526: Secure Systems Administration


1 INF526: Secure Systems Administration
Second Quiz / Mid-term. Prof. Clifford Neuman, Lecture 9, 8 March 2017, OHE100C

2 INF526: Secure Systems Administration
MID-TERM IN PROGRESS

3 INF526: Secure Systems Administration
Network Security Components

4 Secure Network Administration
- Secure host administration provides fine-grained control of access to a host's resources.
- Secure network administration assists in controlling access at a coarse level of granularity:
  - Not to records or files, but to computers and subnets.
  - At most, limits access to services (by port).
  - Confines access to zones.
- Is a second line of defense, and useful as a stop-gap when vulnerabilities in host infrastructure are discovered.

5 Elements of Secure Network Administration
- Policy
  - Tells you what access is authorized.
  - Should follow analysis of application information-flow requirements.
  - Can also specify specific flows that are disallowed.
- Containment
  - Many tools to contain information. Not all effective.
  - Most available tools support DAC, but MAC is more effective.
- Monitoring
  - Important to discover unintended paths that are exploited.
  - Important to discover insider threats.

6 Network Containment Tools
- Firewall: network, host, embedded, application
- Virtual Private Network: encrypted tunnels between zones
- IPSec: encryption and integrity between hosts
- Virtual LANs: Layer 2 separation
- Encryption: supports other forms of containment

7 Firewalls
- Network based
  - Protects (or not) the entire network. Chewy on the inside.
  - Stateful vs stateless.
  - Limited basis on which to make decisions.
- Host based
  - Controls access to resources on a single host.
- Embedded
  - On the interface card, but managed separately.
- Distributed
  - Single policy (next) implemented at multiple PEPs.
- Application
  - No routing of packets, just recreation of application messages.
  - Examples: DNS, Web, – configuration.

8 Virtual Private Networks
- Interconnects two LANs across an unprotected network segment.
  - Creates a secure tunnel connecting the two segments.
  - One segment can be a single host – which is how many of you use a VPN.
- Important tool to extend the secure perimeter.
  - Allows a remote device to operate within your secure environment.
  - Downside is that the remote device is now on the inside.
  - Examples: smartphone, laptop, employee home machines.
- Must apply controls to the device.
- Need policies for users – that is, policies to which users must conform.

9 IPSec and IPv6 Security
- IP Security (IPsec) and the security features in IPv6 essentially move VPN support into the operating system and lower layers of the protocol stack.
- Security is host to host, host to network, or network to network, as with VPNs.
  - Actually, VPNs are rarely used host to host, but if the network had a single host, then it is equivalent.
- IPSec implementations also implement a host-based firewall (policies on acceptable connections).

10 IPSec Goals
- Authentication of hosts
  - Verify the source of IP packets
  - Prevention of replays
- Verify integrity of packets
  - Through use of hashes and cryptography
- Ensure confidentiality of packets
  - Protect the payload
- Enforce policy on communication of endpoints.

11 The IPSec Security Model
[Diagram: secure and insecure regions of the network]

12 IPSec Architecture
- ESP: Encapsulating Security Payload
- AH: Authentication Header
- IPSec Security Policy
- IKE: The Internet Key Exchange

13 IPSec Architecture
- IPSec provides security in three situations: host-to-host, host-to-gateway and gateway-to-gateway.
- IPSec operates in two modes:
  - Transport mode (for end-to-end)
  - Tunnel mode (for VPN)

14 IPsec Architecture
[Diagram: Transport Mode between end hosts; Tunnel Mode between routers]

15 Various Packet Formats
- Original: IP header | TCP header | data
- Transport mode: IP header | IPSec header | TCP header | data
- Tunnel mode: new IP header | IPSec header | original IP header | TCP header | data

16 Authentication Header (AH)
- Provides source authentication
  - Protects against source spoofing
- Provides data integrity
- Protects against replay attacks
  - Uses monotonically increasing sequence numbers
  - Helps protect against DoS attacks
- NO protection for confidentiality!

17 AH Details
- Use a 32-bit monotonically increasing sequence number to avoid replay attacks
- Use cryptographically strong hash algorithms to protect data integrity (96-bit)
- Use symmetric key cryptography: HMAC-SHA-96, HMAC-MD5-96

18 AH Packet Details
- New IP header
- AH header: Next header | Payload length | Reserved | Security Parameters Index (SPI) | Sequence Number | Authentication Data
- Encapsulated TCP or IP packet: Old IP header (only in Tunnel mode) | TCP header | Data
- Authenticated: the AH header and the encapsulated packet; the Authentication Data is a hash of everything else
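As an added example, not from the slides, here is a Python model of the AH mechanics on slides 16 to 18: the header layout, an HMAC-SHA-96 Authentication Data field computed over the packet, and the sliding anti-replay window driven by the 32-bit sequence number. The key and the IP header bytes are constructed, and the caller is assumed to have zeroed the mutable IP fields before passing the header in.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-ah-key"   # constructed for this example; real keys come from IKE
WINDOW = 64                        # anti-replay window width (the RFC 4302 minimum)

def ah_icv(ip_hdr: bytes, ah_fixed: bytes, payload: bytes, key: bytes) -> bytes:
    """HMAC-SHA-96: HMAC-SHA1 over IP header + AH header (ICV field zeroed) + payload,
    truncated to the first 96 bits. ip_hdr is assumed to have its mutable fields
    (TTL, header checksum) already set to zero by the caller."""
    msg = ip_hdr + ah_fixed + b"\x00" * 12 + payload
    return hmac.new(key, msg, hashlib.sha1).digest()[:12]

def build_ah(next_hdr: int, spi: int, seq: int, ip_hdr: bytes, payload: bytes,
             key: bytes = KEY) -> bytes:
    """Sender side: AH header (next header, payload len, reserved, SPI, seq, ICV) + payload.
    Payload Len counts 32-bit words minus 2: 3 words fixed + 3 words ICV gives 4."""
    fixed = struct.pack("!BBHII", next_hdr, 4, 0, spi, seq)
    return fixed + ah_icv(ip_hdr, fixed, payload, key) + payload

class AhReceiver:
    """Inbound state of one AH SA: verifies the ICV, then applies the sliding
    anti-replay window to the 32-bit sequence number."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.top = 0      # highest sequence number accepted so far
        self.seen = 0     # bitmap: bit i set means sequence (top - i) was accepted

    def verify(self, ip_hdr: bytes, ah_packet: bytes) -> str:
        next_hdr, plen, _, spi, seq = struct.unpack("!BBHII", ah_packet[:12])
        icv_len = (plen + 2) * 4 - 12
        icv, payload = ah_packet[12:12 + icv_len], ah_packet[12 + icv_len:]
        if not hmac.compare_digest(icv, ah_icv(ip_hdr, ah_packet[:12], payload, self.key)):
            return "rejected: bad ICV"          # forged, corrupted, or wrong SA key
        if seq == 0:
            return "rejected: sequence 0"       # sequence numbers start at 1
        if seq > self.top:                      # newer than anything seen: slide the window
            self.seen = ((self.seen << (seq - self.top)) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
        elif self.top - seq >= WINDOW:
            return "rejected: too old"          # fell off the left edge of the window
        elif self.seen & (1 << (self.top - seq)):
            return "rejected: replay"           # already accepted once
        else:
            self.seen |= 1 << (self.top - seq)  # late but in-window: accept and mark
        return "accepted"
```

A real implementation runs the window check before the HMAC as a cheap pre-filter and updates the window only after the ICV verifies; the order here keeps the two checks easy to read.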

19 Encapsulating Security Payload (ESP)
- Provides all that AH offers, and in addition provides data confidentiality
- Uses symmetric key encryption

20 ESP Details
- Same as AH:
  - Use a 32-bit sequence number to counter replay attacks
  - Use integrity check algorithms
- Only in ESP:
  - Data confidentiality: uses symmetric key encryption algorithms to encrypt packets

21 ESP Packet Details
- IP header
- ESP header: Security Parameters Index (SPI) | Sequence Number
- Initialization vector
- Encrypted TCP packet: TCP header | Data | Pad | Pad length | Next header
- Authentication Data
- Authenticated: from the SPI through the Next header field. Encrypted: the TCP packet, padding, pad length and Next header.

22 Internet Key Exchange (IKE)
- Exchange and negotiate security policies
- Establish security sessions
  - Identified as Security Associations
- Key exchange
- Key management
- Can be used outside IPsec as well

23 IPsec/IKE Acronyms
- Security Association (SA)
  - Collection of attributes associated with a connection
  - Is asymmetric! One SA for inbound traffic, another SA for outbound traffic
  - Similar to ciphersuites in SSL
- Security Association Database (SADB)
  - A database of SAs

24 IPsec/IKE Acronyms
- Security Parameter Index (SPI)
  - A unique index for each entry in the SADB
  - Identifies the SA associated with a packet
- Security Policy Database (SPD)
  - Stores the policies used to establish SAs

25 How They Fit Together
[Diagram: SPD entries refer to SA-1 and SA-2 in the SADB, each identified by its SPI]

26 SPD and SADB Example
Transport mode (A to B):

A's SPD:
  From  To  Protocol  Port  Policy
  A     B   Any       Any   AH[HMAC-MD5]

A's SADB:
  From  To  Protocol  SPI  SA Record
  A     B   AH        12   HMAC-MD5 key

Tunnel mode (Asub to Bsub, through gateways C and D):

C's SPD:
  From  To    Protocol  Port  Policy     Tunnel Dest
  Asub  Bsub  Any       Any   ESP[3DES]  D

C's SADB:
  From  To    Protocol  SPI  SA Record
  Asub  Bsub  ESP       14   3DES key
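As an added example, not from the slides, the following Python models how the SPD and SADB on slides 23 to 26 are consulted: an outbound packet is matched against the SPD (first match wins) and, where the policy demands AH or ESP, the matching outbound SA supplies the SPI; an inbound AH/ESP packet is mapped to its SA by SPI alone. The addresses, keys, and the "needs IKE" and default-deny outcomes are constructed assumptions; the policies and SPIs 12 and 14 follow the slide.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
@dataclass
class Policy:
    """SPD entry: traffic selectors plus the treatment matching traffic must get."""
    src: str; dst: str            # address or network, e.g. "10.0.0.1" or "192.168.1.0/24"
    proto: str                    # "Any" or a transport protocol such as "TCP"
    port: Optional[int]           # None means any port
    action: str                   # "AH", "ESP", "bypass" or "discard"
    alg: str = ""                 # algorithm the policy requires, e.g. "HMAC-MD5" or "3DES"
    tunnel_dst: Optional[str] = None   # tunnel mode only: gateway that terminates the tunnel
    def matches(self, src, dst, proto, port) -> bool:
        return (ip_address(src) in ip_network(self.src) and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("Any", proto) and self.port in (None, port))

@dataclass
class SA:
    """SADB entry. SAs are one-way: the reverse direction has its own SA and SPI."""
    src: str; dst: str; proto: str; spi: int; alg: str; key: bytes

class IpsecNode:
    def __init__(self, spd, sadb):
        self.spd = spd                           # ordered: first matching policy wins
        self.sadb = {sa.spi: sa for sa in sadb}  # the SPI is the unique index into the SADB

    def outbound(self, src, dst, proto, port):
        """Consult the SPD for a packet about to be sent; return (decision, SA or None)."""
        for pol in self.spd:
            if not pol.matches(src, dst, proto, port):
                continue
            if pol.action in ("bypass", "discard"):
                return pol.action, None
            for sa in self.sadb.values():        # outbound SA that satisfies this policy
                if (sa.proto == pol.action and sa.alg == pol.alg and
                        ip_address(src) in ip_network(sa.src) and ip_address(dst) in ip_network(sa.dst)):
                    mode = f"tunnel to {pol.tunnel_dst}" if pol.tunnel_dst else "transport"
                    return f"{pol.action} {mode}", sa
            return "needs IKE", None             # protection required but no SA negotiated yet
        return "discard", None                   # no matching policy: default deny

    def inbound(self, spi) -> Optional[SA]:
        return self.sadb.get(spi)                # None: unknown SPI, the packet is dropped

A, B, C, D = "10.0.0.1", "10.0.0.2", "203.0.113.1", "203.0.113.2"  # constructed stand-ins
ASUB, BSUB = "192.168.1.0/24", "192.168.2.0/24"                     # for the slide's names
node_a = IpsecNode([Policy(A, B, "Any", None, "AH", "HMAC-MD5")],
                   [SA(A, B, "AH", 12, "HMAC-MD5", b"constructed-hmac-md5-key")])
node_c = IpsecNode([Policy(ASUB, BSUB, "Any", None, "ESP", "3DES", tunnel_dst=D)],
                   [SA(ASUB, BSUB, "ESP", 14, "3DES", b"constructed-3des-key")])
```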

27 IPsec Policy
- Phase 1 policies are defined in terms of protection suites
- Each protection suite
  - Must contain the following:
    - Encryption algorithm
    - Hash algorithm
    - Authentication method
    - Diffie-Hellman group
  - May optionally contain the following:
    - Lifetime

28 IPSec Policy
- Phase 2 policies are defined in terms of proposals
- Each proposal may contain one or more of the following:
  - AH sub-proposals
  - ESP sub-proposals
  - IPComp sub-proposals
  - Along with necessary attributes such as key length, lifetime, etc.

29 IPSec Policy Example
In English: all traffic to /24 must:
- Use pre-hashed key authentication
- DH group is MODP with 1024-bit modulus
- Hash algorithm is HMAC-SHA (128-bit key)
- Encryption using 3DES
In IPSec: [Auth=Pre-Hash; DH=MODP(1024-bit); HASH=HMAC-SHA; ENC=3DES]

30 IPsec Policy Example
In English: all traffic to /24 must use one of the following:
- AH with HMAC-SHA, or
- ESP with 3DES as encryption algorithm and (HMAC-MD5 or HMAC-SHA as hashing algorithm)
In IPsec: [AH: HMAC-SHA] or [ESP: (3DES and HMAC-MD5) or (3DES and HMAC-SHA)]
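As an added example, not from the slides, this Python encodes the policy structure of slides 27 to 30: a phase 1 protection suite is checked for its mandatory attributes, and the phase 2 policy "[AH: HMAC-SHA] or [ESP: (3DES and HMAC-MD5) or (3DES and HMAC-SHA)]" is used to pick the first acceptable proposal from a peer's offer. The dictionary encoding and the peer offer are constructed; the algorithm names are the slide's.

```python
from typing import Optional

REQUIRED_SUITE_ATTRS = ("enc", "hash", "auth", "dh_group")   # mandatory in every phase 1 suite

def check_suite(suite: dict) -> list:
    """Phase 1 protection suite: return the mandatory attributes it lacks ([] = well formed)."""
    return [a for a in REQUIRED_SUITE_ATTRS if a not in suite]

# Phase 2 policy for the slide's "all traffic to <subnet>/24":
#   [AH: HMAC-SHA] or [ESP: (3DES and HMAC-MD5) or (3DES and HMAC-SHA)]
# Each entry names a protocol and, per attribute, the set of algorithms it allows.
LOCAL_POLICY = [
    {"proto": "AH",  "hash": {"HMAC-SHA"}},
    {"proto": "ESP", "enc": {"3DES"}, "hash": {"HMAC-MD5", "HMAC-SHA"}},
]

def sub_proposal_ok(sub: dict, policy=LOCAL_POLICY) -> bool:
    """A sub-proposal is acceptable if a policy entry for its protocol allows every attribute."""
    for allowed in policy:
        if allowed["proto"] != sub.get("proto"):
            continue
        if all(sub.get(attr) in choices for attr, choices in allowed.items() if attr != "proto"):
            return True
    return False

def select_proposal(peer_proposals: list, policy=LOCAL_POLICY) -> Optional[dict]:
    """Responder's choice: the first peer proposal whose sub-proposals all satisfy local policy.
    Each proposal is {"id": n, "subs": [sub-proposal, ...]}; a proposal with no subs is ignored."""
    for proposal in peer_proposals:
        subs = proposal.get("subs", [])
        if subs and all(sub_proposal_ok(s, policy) for s in subs):
            return proposal
    return None

# Constructed offer from a peer: proposal 1 uses AES, which this policy does not allow.
PEER_OFFER = [
    {"id": 1, "subs": [{"proto": "ESP", "enc": "AES", "hash": "HMAC-SHA"}]},
    {"id": 2, "subs": [{"proto": "ESP", "enc": "3DES", "hash": "HMAC-MD5"}]},
    {"id": 3, "subs": [{"proto": "AH", "hash": "HMAC-SHA"}]},
]
```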

31 Virtual LANs (VLANs)
The basic discussion that follows is from Gregory Laffoon at Purdue University.

32 Configuring your VLAN
Presented by Gregory Laffoon

33 What is a VLAN?
A virtual local area network (VLAN) is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain regardless of their physical location.

34 Traditional LAN
A traditional LAN would require all users of the same IP subnet (broadcast domain) to be connected to the same equipment.

35 VLAN-based LAN
By utilizing VLANs, the same users can be spread out over various geographical locations and still remain in their same IP subnet (broadcast domain).

36 How VLANs Work?
- VLANs are identified by a number
  - Valid ranges
- On a VLAN-capable switch, you assign ports the appropriate VLAN number
- The switch then only allows data to be sent between ports with the same VLAN

37 How VLANs Work?
- Since almost every network is larger than a single switch, there needs to be a way to have traffic sent between two different switches
- One way to do it is to assign a port on each switch to a VLAN and run a cable between the switches
  - Not very feasible or cost effective

38 How VLANs Work?
- For example, if there were 6 hosts on each switch on 6 different VLANs, you would need 6 ports on each switch to connect the switches together.
- This would mean that if you had 24 different VLANs you could only have 24 hosts on a 48-port switch.

39 How VLANs Work?
- A single connection between two switches can be used to send traffic for all VLANs
- 802.1q – provides a VLAN tag in front of the Layer 2 frame

40 How VLANs Work?
- You enable 802.1q tagging (trunking) on the ports between the switches
- The switch receives the frame with the 802.1q header and strips it off
- It determines the VLAN and sends the data to the appropriate port
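As an added example, not part of the slides, the following Python models the tagging behaviour of slides 36 to 40: parsing the 802.1q tag (TPID 0x8100 followed by a TCI whose low 12 bits are the VLAN ID, with 1 to 4094 usable and 0 and 4095 reserved), stripping it on a trunk port, and forwarding only to ports in the same VLAN, re-tagging on the way out over a trunk. The switch has no MAC learning and no native VLAN, and it drops host-supplied tags on access ports; those are assumptions of this example, as is the sample frame.

```python
import struct

TPID_8021Q = 0x8100                 # EtherType value that announces an 802.1q tag

def parse_frame(frame: bytes):
    """Return (dst, src, vlan_id, ethertype, payload); vlan_id is None if untagged."""
    dst, src, etype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if etype != TPID_8021Q:
        return dst, src, None, etype, frame[14:]
    tci, inner_etype = struct.unpack("!HH", frame[14:18])   # TCI: PCP(3) DEI(1) VID(12)
    return dst, src, tci & 0x0FFF, inner_etype, frame[18:]

def strip_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]                  # drop the 4-byte TPID+TCI after the MACs

def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    return frame[:12] + struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF)) + frame[12:]

class Switch:
    """Access ports carry one untagged VLAN each; trunk ports carry every VLAN tagged.
    Flooding to all same-VLAN ports stands in for MAC learning (assumption)."""
    def __init__(self, access: dict, trunks: set):
        self.access, self.trunks = access, trunks   # access: port -> VLAN id

    def forward(self, in_port: int, frame: bytes) -> dict:
        """Return {out_port: frame_as_sent}; an empty dict means the frame is dropped."""
        _dst, _src, vid, _etype, _payload = parse_frame(frame)
        if in_port in self.trunks:
            if vid is None or not 1 <= vid <= 4094:  # untagged, or reserved VID 0/4095, on a trunk
                return {}                            # (assumption: no native VLAN configured)
            frame = strip_tag(frame)
        else:
            if vid is not None:                      # host-supplied tag on an access port: drop it;
                return {}                            # the VLAN is decided by the switch config
            vid = self.access[in_port]
        out = {p: frame for p, pvid in self.access.items() if p != in_port and pvid == vid}
        out.update({p: add_tag(frame, vid) for p in self.trunks if p != in_port})
        return out

# Constructed sample: broadcast frame from an access-port host, IPv4 EtherType 0x0800.
SAMPLE = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + b"payload!"
```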

41 Benefits of VLANs
- Geographically separated users on the same IP subnet (broadcast domain)
- Limit the size of broadcast domains and limit broadcast activity
- Security benefits by keeping hosts separated by VLAN and limiting what devices can talk to those hosts

42 Benefits of VLANs
- Cost savings, as you don't need additional hardware and cabling
- Operational benefits, because changing a user's IP subnet (broadcast domain) is done in software

43 Drawbacks of VLANs
- VLANs work at Layer 2, and that layer doesn't handle redundancy in an efficient manner
- So when the network becomes mission critical, it is hard to provide fast convergence times for users when utilizing VLANs that span across multiple buildings

44 Network Policy Management
- Telling containment technologies what to allow
- Coordinated policy management is important
- Commercial tools to manage multiple firewalls
  - E.g. Redseal Networks
  - Many other tools
- Distributed firewalls
  - Distributed embedded firewalls: Adventium Labs
  - One PAP and PSP, but multiple PEPs and PDPs
  - Firewall on network cards, but not managed by the host; instead managed centrally.

45 Network Monitoring
- Taps for Intrusion Detection Systems
  - Provide a high-bandwidth feed of all data flowing through a router or firewall.
  - Data analytics may be applied, or simple high-bandwidth pattern recognition.
- Deep Packet Inspection
  - Requires knowledge of protocols and applications.
- What makes monitoring more difficult
  - Encryption
  - False positives
  - Filtering out expected traffic

46 Local Network Monitoring
- Linux kernel firewall and iptables
  - Also an example of minimization
- NTOP – network monitoring
  - Can be run on host or guest OS
  - It is a major CPU hog but a useful tool
  - Shows all network flows in real time
  - Useful to find flows used by applications
    - Which can then be restricted in iptables

