
1 Security and Networks
Advanced Network Security
Peter Reiher
August, 2014

2 Outline
- Network characteristics that affect security
- Threats to network security

3 Some Important Network Characteristics for Security
- Degree of locality
- Media used
- Protocols used

4 Degree of Locality
- Some networks are very local
  - E.g., an Ethernet
  - Benefits from:
    - Physical locality
    - Small number of users and machines
    - Common goals and interests
- Other networks are very non-local
  - E.g., the Internet backbone
  - Many users/sites share bandwidth

5 Network Media
- Some networks are wires, cables, or over telephone lines
  - Can be physically protected
- Other networks are satellite links or other radio links
  - Physical protection possibilities more limited

6 Protocol Types
- TCP/IP is the most used
  - But it only specifies some common intermediate levels
  - Other protocols exist above and below it
- In places, other protocols replace TCP/IP
- And there are lots of supporting protocols
  - Routing protocols, naming and directory protocols, network management protocols
  - And security protocols (IPSec, ssh, ssl)

7 Implications of Protocol Type
- The protocol defines a set of rules that will always be followed
  - But usually not quite complete
  - And they assume everyone is at least trying to play by the rules
  - What if they don’t?
- Specific attacks exist against specific protocols

8 Threats To Networks
- Wiretapping
- Impersonation
- Attacks on message
  - Confidentiality
  - Integrity
- Denial of service attacks

9 Wiretapping
- Passive wiretapping is listening in illicitly on conversations
- Active wiretapping is injecting traffic illicitly
- Packet sniffers can listen to all traffic on a broadcast medium
  - Ethernet or , e.g.

10 Requirements for Wiretapping
- The wiretapper must get access to the network data
  - Either by listening on one of the network links (or routers, switches, etc.)
  - Or by rerouting the data through something he controls
- Wiretapping on wireless often just a matter of putting up an antenna
  - If you are in the right physical place

11 Impersonation
- A packet comes in over the network
  - With some source indicated in its header
- Often, the action to be taken with the packet depends on the source
- But attackers may be able to create packets with false sources

12 Levels of Impersonation
- Layered protocols imply multiple identities for a packet
  - Its incoming link
  - Its original source node
  - The connection it is part of
  - The user who sent it
- Different techniques used to authenticate each layer

13 Link Authentication
- Usually trivial
- Receiving machine gets reliable local information about what interface got it
- That interface is usually connected to one link
- Nearly impossible to fake
  - Though wireless “links” are not very exclusive

14 Source Node Authentication
- IP packets contain source node identity
- In typical IP, it’s not authenticated
  - Attacker can fill in any address he wants
  - Commonly called IP spoofing
- The Internet doesn’t check
- No authentication information typically tied to an IP address

15 Connection Authentication
- Depends on protocol
- Typical TCP connections not formally authenticated
  - Some weak authentication possible
  - E.g., evidence that sender saw the last response packet
- Other protocols can be better (TLS) or worse (UDP)

16 User Authentication
- Authenticated the session/user/application layers
- Usually done cryptographically
  - Most commonly leveraging PK
  - But only for setup
- Proper use of ongoing symmetric crypto regarded as later authentication
  - I.e., if I know the right symmetric key, I must have the right private key, too

17 Violations of Message Confidentiality
- Other problems can cause messages to be inappropriately divulged
- Misdelivery can send a message to the wrong place
  - Clever attackers can make it happen
- Message can be read at an intermediate gateway or a router
- Sometimes an intruder can get useful information just by traffic analysis

18 Message Integrity
- Even if the attacker can’t create the packets he wants, sometimes he can alter proper packets
  - To change the effect of what they will do
- Typically requires access to part of the path message takes

19 Denial of Service
- Attacks that prevent legitimate users from doing their work
  - By flooding the network
  - Or corrupting routing tables
  - Or flooding routers
  - Or destroying key packets

20 How Do Denial of Service Attacks Occur?
- Basically, the attacker injects some form of traffic
- Most current networks aren’t built to throttle uncooperative parties very well
- All-inclusive nature of the Internet makes basic access trivial
- Universality of IP makes reaching most of the network easy

21 Basic Defensive Mechanisms
- Cryptography
- Filtering
- Rate limits
- Padding
- Routing control

22 Cryptography
- Obvious values in maintaining message confidentiality
- Also value for integrity and authentication
- Some limitations based on performance costs
- We’ll discuss this in more detail later

23 Filtering
- Selectively dropping some packets
  - Either to get rid of stuff that is likely to cause problems
  - Or to reduce the overall rate of traffic flowing through a point
- Basic approach – examine each packet and drop those with some characteristic

24 What Do We Filter On?
- Packet header information
  - Like source or destination address
  - Or protocol
- Packet content signatures
  - Requires deep packet inspection
- Key issue with filtering is speed
  - Fast filtering usually limited in sophistication

25 Where Do You Filter?
- Near edges of the network, typically
  - E.g., firewalls
  - Many practical limits on what can be done here
- Typically little or no filtering is done by core routers
  - Packets being handled too fast
  - Backbone providers don’t want to filter
  - Damage great if you screw it up
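
An added example (not from the slides) of the header-only filtering described in slides 23 to 25, applied to the unauthenticated source address from slide 14: an edge filter that drops packets whose source address cannot be valid for the interface they arrived on. The site prefix, the blocked protocol and all sample addresses are assumptions.

```python
import ipaddress
import struct

INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed site prefix
# Sources that should never arrive from outside (loopback, private, link-local)
BOGONS = [ipaddress.ip_network(n) for n in
          ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
BLOCKED_PROTOCOLS = {47}   # assumed local policy: no GRE (IP protocol 47) across the edge


def parse_ipv4_header(packet: bytes) -> dict:
    """Extract the fields a fast header filter looks at from a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _len, _id, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5:
        raise ValueError("not a valid IPv4 header")
    return {"proto": proto, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}


def edge_filter(packet: bytes, arrived_on: str) -> str:
    """Return 'accept' or 'drop: reason'; arrived_on is 'outside' or 'inside'."""
    try:
        hdr = parse_ipv4_header(packet)
    except ValueError as exc:
        return f"drop: {exc}"
    if hdr["proto"] in BLOCKED_PROTOCOLS:
        return "drop: blocked protocol"
    if arrived_on == "outside":
        if any(hdr["src"] in net for net in BOGONS):
            return "drop: spoofed/bogon source from outside"
        if hdr["dst"] not in INTERNAL_NET:
            return "drop: not destined for this site"
    elif hdr["src"] not in INTERNAL_NET:
        # egress check: local hosts may only send with addresses from the site prefix
        return "drop: source outside site prefix"
    return "accept"


def make_header(src: str, dst: str, proto: int = 6) -> bytes:
    """Build a constructed 20-byte IPv4 header (checksum left at 0) as sample input."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
```

The filter never looks past the first 20 bytes, which is why it can run fast at the edge, and also why it cannot catch a spoofed source that happens to be a plausible outside address.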

26 Rate Limits
- Many routers can place limits on the traffic they send to a destination
  - Ensuring that the destination isn’t overloaded
  - Popular for denial of service defenses
- Limits can be defined somewhat flexibly
- Related approaches:
  - Priority queuing
  - Traffic shaping

27 Shortcomings of Rate Limits
- Rate limiting does not imply intelligence in what gets dropped
  - At the speeds it’s working at, not really possible
- Rate limits based on IP addresses can be cheated on by spoofing
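
An added simulation (not from the slides) of the two shortcomings above, using a token bucket as the rate limiter: keyed per destination it protects the target but drops legitimate packets blindly, and keyed per source address it is bypassed when every flood packet claims a different source. The token-bucket choice, the rates and the constructed trace are assumptions.

```python
from collections import defaultdict


class TokenBucket:
    """Allow `rate` packets/second with bursts up to `burst`; time is integer ms."""

    def __init__(self, rate: int, burst: int):
        self.rate, self.cap = rate, burst * 1000      # tokens kept in 1/1000ths
        self.tokens, self.last = self.cap, 0

    def allow(self, now_ms: int) -> bool:
        # refill for the elapsed time, capped at the burst size
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last) * self.rate)
        self.last = now_ms
        if self.tokens >= 1000:                       # one packet costs one whole token
            self.tokens -= 1000
            return True
        return False


def forwarded(packets, key, rate=20, burst=5):
    """Run (ms, src, dst, label) packets through one bucket per key(packet).

    Returns {label: packets forwarded}."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    counts = defaultdict(int)
    for pkt in sorted(packets):
        if buckets[key(pkt)].allow(pkt[0]):
            counts[pkt[3]] += 1
    return dict(counts)


def by_source(pkt):
    return pkt[1]


def by_destination(pkt):
    return pkt[2]


def sample_traffic():
    """Constructed one-second trace toward 192.0.2.10: 10 packets from one real
    client, plus 1000 flood packets that each claim a different source address."""
    legit = [(i * 100, "198.51.100.7", "192.0.2.10", "legit") for i in range(10)]
    flood = [(i, f"198.18.{i // 250}.{i % 250 + 1}", "192.0.2.10", "flood")
             for i in range(1000)]
    return legit + flood
```

With the per-destination key the target receives 24 packets instead of 1010, but only one of them is legitimate; with the per-source key all 1010 get through.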

28 Padding
- Sometimes you don’t want intruders to know what your traffic characteristics are
- Padding adds extra traffic to hide the real stuff
- Fake traffic must look like real traffic
  - Usually means encrypt it all
- Must be done carefully, or clever attackers can tell the good stuff from the noise
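
An added sketch (not from the slides) of one padding scheme: a link that sends exactly one fixed-size cell per tick, carrying real data when there is some and a dummy otherwise, so the size and timing seen on the wire do not depend on the real traffic. The cell size and framing are assumptions, and the sketch assumes each whole cell is encrypted by a layer not shown here; without that, the length field would give the dummies away.

```python
import os
import struct

CELL_SIZE = 64                  # every cell on the wire has this size (assumed value)
MAX_PAYLOAD = CELL_SIZE - 2     # 2 bytes are used for the real-data length


def make_cell(payload: bytes = b"") -> bytes:
    """Pack a payload (empty = dummy) as 2-byte length + data + random fill."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload must be fragmented before padding")
    fill = os.urandom(MAX_PAYLOAD - len(payload))
    return struct.pack("!H", len(payload)) + payload + fill


def open_cell(cell: bytes) -> bytes:
    """Receiver side: strip the fill; an empty result means the cell was a dummy."""
    (length,) = struct.unpack("!H", cell[:2])
    return cell[2:2 + length]


def padded_link(queue: dict, ticks: int) -> list:
    """Send exactly one cell per tick: queued data if any, a dummy otherwise.

    queue maps tick -> bytes handed to the link at that tick. Data longer than
    one cell is carried over to the following ticks."""
    backlog, cells = b"", []
    for tick in range(ticks):
        backlog += queue.get(tick, b"")
        chunk, backlog = backlog[:MAX_PAYLOAD], backlog[MAX_PAYLOAD:]
        cells.append(make_cell(chunk))
    return cells


def observer_view(cells: list) -> list:
    """What a wiretapper learns once cells are encrypted: only (tick, size)."""
    return [(tick, len(cell)) for tick, cell in enumerate(cells)]
```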

29 Routing Control
- Use ability to route messages to obtain security effects
- Route questionable messages to defensive sites
- Don’t route sensitive messages through “unsafe” parts of the network

30 Routing Control For Privacy
- Use ability to control message routing to conceal the traffic in the network
- Used in onion routing to hide who is sending traffic to whom
  - For anonymization purposes
- Routing control also used in some network defense
  - To hide real location of a machine
  - E.g., SOS DDoS defense system

