Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 11 Page 1 CS 136, Spring 2009 Network Security CS 136 Computer Security Peter Reiher May 7, 2009.

Published byDiane Anthony Modified over 8 years ago

Similar presentations

Presentation on theme: "Lecture 11 Page 1 CS 136, Spring 2009 Network Security CS 136 Computer Security Peter Reiher May 7, 2009."— Presentation transcript:

1 Lecture 11 Page 1 CS 136, Spring 2009 Network Security CS 136 Computer Security Peter Reiher May 7, 2009

2 Lecture 11 Page 2 CS 136, Spring 2009 Outline Basics of network security Definitions Sample attacks Defense mechanisms

3 Lecture 11 Page 3 CS 136, Spring 2009 Some Important Network Characteristics for Security Degree of locality Media used Protocols used

4 Lecture 11 Page 4 CS 136, Spring 2009 Degree of Locality Some networks are very local –E.g., an Ethernet –Only handles a few machines –Benefits from: Physical locality Small number of users Common goals and interests Other networks are very non-local –E.g., the Internet backbone –Vast numbers of users/sites share bandwidth

5 Lecture 11 Page 5 CS 136, Spring 2009 Network Media Some networks are wires, cables, or over telephone lines –Can be physically protected Other networks are satellite links or other radio links –Physical protection possibilities more limited

6 Lecture 11 Page 6 CS 136, Spring 2009 Protocol Types TCP/IP is the most used –But it only specifies some common intermediate levels –Other protocols exist above and below it In places, other protocols replace TCP/IP And there are lots of supporting protocols –Routing protocols, naming and directory protocols, network management protocols –And security protocols (IPSec, ssh, ssl)

7 Lecture 11 Page 7 CS 136, Spring 2009 Implications of Protocol Type The protocol defines a set of rules that will always be followed –But usually not quite complete –And they assume everyone is at least trying to play by the rules –What if they don’t? Specific attacks exist against specific protocols

8 Lecture 11 Page 8 CS 136, Spring 2009 Why Are Networks Especially Threatened? Many “moving parts” Many different administrative domains Everyone can get some access In some cases, trivial for attacker to get a foothold on the network Networks encourage sharing Networks often allow anonymity

9 Lecture 11 Page 9 CS 136, Spring 2009 What Can Attackers Attack? The media connecting the nodes Nodes that are connected to them Routers that control the traffic The protocols that set the rules for communications

10 Lecture 11 Page 10 CS 136, Spring 2009 Wiretapping Passive wiretapping is listening in illicitly on conversations Active wiretapping is injecting traffic illicitly Packet sniffers can listen to all traffic on a broadcast medium –Ethernet or 802.11, e.g. Wiretapping on wireless often just a matter of putting up an antenna

11 Lecture 11 Page 11 CS 136, Spring 2009 Impersonation A packet comes in over the network –With some source indicated in its header Often, the action to be taken with the packet depends on the source But attackers may be able to create packets with false sources

12 Lecture 11 Page 12 CS 136, Spring 2009 Violations of Message Confidentiality Other problems can cause messages to be inappropriately divulged Misdelivery can send a message to the wrong place –Clever attackers can make it happen Message can be read at an intermediate gateway or a router Sometimes an intruder can get useful information just by traffic analysis

13 Lecture 11 Page 13 CS 136, Spring 2009 Message Integrity Even if the attacker can’t create the packets he wants, sometimes he can alter proper packets To change the effect of what they will do Typically requires access to part of the path message takes

14 Lecture 11 Page 14 CS 136, Spring 2009 Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing tables Or flooding routers Or destroying key packets

15 Lecture 11 Page 15 CS 136, Spring 2009 How Do Denial of Service Attacks Occur? Basically, the attacker injects some form of traffic Most current networks aren’t built to throttle uncooperative parties very well All-inclusive nature of the Internet makes basic access trivial Universality of IP makes reaching most of the network easy

16 Lecture 11 Page 16 CS 136, Spring 2009 Example DoS Attack: Smurf Attacks Attack on vulnerability in IP broadcasting Send a ping packet to IP broadcast address –With forged “from” header of your target Resulting in a flood of replies from the sources to the target Easy to fix at the intermediary –Don’t allow IP broadcasts to originate outside your network No good solutions for victim

17 Lecture 11 Page 17 CS 136, Spring 2009 Another Example: SYN Flood Based on vulnerability in TCP Attacker uses initial request/response to start TCP session to fill a table at the server Preventing new real TCP sessions SYN cookies and firewalls with massive tables are possible defenses

18 Lecture 11 Page 18 CS 136, Spring 2009 Normal SYN Behavior SYN SYN/ACK ACK Table of open TCP connections

19 Lecture 11 Page 19 CS 136, Spring 2009 A SYN Flood SYN SYN/ACK Table of open TCP connections SYN SYN/ACK SYN Server can’t fill request! SYN

20 Lecture 11 Page 20 CS 136, Spring 2009 SYN Cookies SYN No room in the table, so send back a SYN cookie, instead SYN/ACK SYN/ACK number is secret function of various information ACK Server recalculates cookie to determine if proper response + 1 Client IP address & port, server’s IP address and port, and a timer KEY POINT: Server doesn’t need to save cookie value! And no changes to TCP protocol itself

21 Lecture 11 Page 21 CS 136, Spring 2009 General Network Denial of Service Attacks Need not tickle any particular vulnerability Can achieve success by mere volume of packets If more packets sent than can be handled by target, service is denied A hard problem to solve

22 Lecture 11 Page 22 CS 136, Spring 2009 Distributed Denial of Service Attacks Goal: Prevent a network site from doing its normal business Method: overwhelm the site with attack traffic Response: ?

23 Lecture 11 Page 23 CS 136, Spring 2009 The Problem

24 Lecture 11 Page 24 CS 136, Spring 2009 Why Are These Attacks Made? Generally to annoy Sometimes for extortion If directed at infrastructure, might cripple parts of Internet

25 Lecture 11 Page 25 CS 136, Spring 2009 Attack Methods Pure flooding –Of network connection –Or of upstream network Overwhelm some other resource –SYN flood –CPU resources –Memory resources –Application level resource Direct or reflection

26 Lecture 11 Page 26 CS 136, Spring 2009 Why “Distributed”? Targets are often highly provisioned servers A single machine usually cannot overwhelm such a server So harness multiple machines to do so Also makes defenses harder

27 Lecture 11 Page 27 CS 136, Spring 2009 How to Defend? A vital characteristic: –Don’t just stop a flood –ENSURE SERVICE TO LEGITIMATE CLIENTS!!! If you deliver a manageable amount of garbage, you haven’t solved the problem

28 Lecture 11 Page 28 CS 136, Spring 2009 Complicating Factors High availability of compromised machines –At least tens of thousands of zombie machines out there Internet is designed to deliver traffic –Regardless of its value IP spoofing allows easy hiding Distributed nature makes legal approaches hard Attacker can choose all aspects of his attack packets –Can be a lot like good ones

29 Lecture 11 Page 29 CS 136, Spring 2009 Basic Defense Approaches Overprovisioning Dynamic increases in provisioning Hiding Tracking attackers Legal approaches Reducing volume of attack None of these are totally effective

30 Lecture 11 Page 30 CS 136, Spring 2009 Network Security Mechanisms Again, the usual suspects - –Encryption –Authentication –Access control –Data integrity mechanisms –Traffic control

31 Lecture 11 Page 31 CS 136, Spring 2009 Encryption for Network Security Relies on the kinds of encryption algorithms and protocols discussed previously Can be applied at different places in the network stack With different effects and costs

32 Lecture 11 Page 32 CS 136, Spring 2009 Link Level Encryption SourceDestination plaintext Let’s say we want to send a message using encryption ciphertext plaintextciphertext plaintextciphertext plaintextciphertext plaintext Different keys (maybe even different ciphers) used at each hop

33 Lecture 11 Page 33 CS 136, Spring 2009 End-to-End Encryption SourceDestination plaintextciphertext plaintext Cryptography only at the end points Only the end points see the plaintext Normal way network cryptography done When would link encryption be better?

34 Lecture 11 Page 34 CS 136, Spring 2009 IPSec Standard for applying cryptography at the network layer of IP stack Provides various options for encrypting and authenticating packets –On end-to-end basis –Without concern for transport layer (or higher)

35 Lecture 11 Page 35 CS 136, Spring 2009 What IPSec Covers Message integrity Message authentication Message confidentiality

36 Lecture 11 Page 36 CS 136, Spring 2009 What Isn’t Covered Non-repudiation Digital signatures Key distribution Traffic analysis Handling of security associations Some of these covered in related standards

37 Lecture 11 Page 37 CS 136, Spring 2009 Some Important Terms for IPsec Security Association - “ A Security Association (SA) is a simplex "connection" that affords security services to the traffic carried by it. –Basically, a secure one-way channel SPI (Security Parameters Index) – Combined with destination IP address and IPsec protocol type, uniquely identifies an SA

38 Lecture 11 Page 38 CS 136, Spring 2009 General Structure of IPsec Really designed for end-to-end encryption –Though could do link level Designed to operate with either IPv4 or IPv6 Meant to operate with a variety of different encryption protocols And to be neutral to key distribution methods Has sub-protocols –E.g., Encapsulating Security Payload

39 Lecture 11 Page 39 CS 136, Spring 2009 Encapsulating Security Payload (ESP) Protocol Encrypt the data and place it within the ESP The ESP has normal IP headers Can be used to encrypt just the payload of the packet Or the entire IP packet

40 Lecture 11 Page 40 CS 136, Spring 2009 ESP Modes Transport mode –Encrypt just the transport-level data in the original packet –No IP headers encrypted Tunnel mode –Original IP datagram is encrypted and placed in ESP –Unencrypted headers wrapped around ESP

41 Lecture 11 Page 41 CS 136, Spring 2009 ESP in Transport Mode Extract the transport-layer frame –E.g., TCP, UDP, etc. Encapsulate it in an ESP Encrypt it The encrypted data is now the last payload of a cleartext IP datagram

42 Lecture 11 Page 42 CS 136, Spring 2009 ESP Transport Mode Original IP header ESP Hdr Normal Packet Payload ESP Trlr ESP Auth Encrypted Authenticated

43 Lecture 11 Page 43 CS 136, Spring 2009 Using ESP in Tunnel Mode Encrypt the IP datagram –The entire datagram Encapsulate it in a cleartext IP datagram Routers not understanding IPsec can still handle it Receiver reverses the process

44 Lecture 11 Page 44 CS 136, Spring 2009 ESP Tunnel Mode New IP hdr ESP Hdr Original Packet Payload ESP Trlr ESP Auth Orig. IP hdr Encrypted Authenticated

45 Lecture 11 Page 45 CS 136, Spring 2009 Uses and Implications of Tunnel Mode Typically used when there are security gateways between sender and receiver –And/or sender and receiver don’t speak IPsec Outer header shows security gateway identities –Not identities of real parties Can thus be used to hide some traffic patterns

46 Lecture 11 Page 46 CS 136, Spring 2009 What IPsec Requires Protocol standards –To allow messages to move securely between nodes Supporting mechanisms at hosts running IPsec –E.g., a Security Association Database Lots of plug-in stuff to do the cryptographic heavy lifting

47 Lecture 11 Page 47 CS 136, Spring 2009 The Protocol Components Pretty simple Necessary to interoperate with non-IPsec equipment So everything important is inside an individual IP packet’s payload No inter-message components to protocol –Though some security modes enforce inter-message invariants

48 Lecture 11 Page 48 CS 136, Spring 2009 The Supporting Mechanisms Methods of defining security associations Databases for keeping track of what’s going on with other IPsec nodes –To know what processing to apply to outgoing packets –To know what processing to apply to incoming packets

49 Lecture 11 Page 49 CS 136, Spring 2009 Plug-In Mechanisms Designed for high degree of generality So easy to plug in: –Different crypto algorithms –Different hashing/signature schemes –Different key management mechanisms

50 Lecture 11 Page 50 CS 136, Spring 2009 Status of IPsec Accepted Internet standard Widely implemented and used –Supported in Windows 2000, XP, and Vista –In Linux 2.6 kernel The architecture doesn’t require everyone to use it RFC 3602 on using AES in IPsec still listed as “proposed” Expected that AES will become default for ESP in IPsec

51 Lecture 11 Page 51 CS 136, Spring 2009 Traffic Control Mechanisms Filtering –Source address filtering –Other forms of filtering Rate limits Protection against traffic analysis –Padding –Routing control

52 Lecture 11 Page 52 CS 136, Spring 2009 Source Address Filtering Filtering out some packets because of their source address value –Usually because you believe their source address is spoofed Often called ingress filtering –Or egress filtering...

53 Lecture 11 Page 53 CS 136, Spring 2009 Source Address Filtering for Address Assurance Router “knows” what network it sits in front of –In particular, knows IP addresses of machines there Filter outgoing packets with source addresses not in that range Prevents your users from spoofing other nodes’ addresses –But not from spoofing each other’s

54 Lecture 11 Page 54 CS 136, Spring 2009 Source Address Filtering Example 128.171.192.* 95.113.27.1256.29.138.2 My network shouldn’t be creating packets with this source address So drop the packet

55 Lecture 11 Page 55 CS 136, Spring 2009 Source Address Filtering in the Other Direction Often called egress filtering –Or ingress filtering... Occurs as packets leave the Internet and enter a border router –On way to that router’s network What addresses shouldn’t be coming into your local network?

56 Lecture 11 Page 56 CS 136, Spring 2009 Filtering Incoming Packets 128.171.192.* 128.171.192.5128.171.192.7 Packets with this source address should be going out, not coming in So drop the packet

57 Lecture 11 Page 57 CS 136, Spring 2009 Other Forms of Filtering One can filter on things other than source address –Such as worm signatures, unknown protocol identifiers, etc. Also, there are unallocated IP addresses in IPv4 space –Can filter for packets going to or coming from those addresses Also, certain source addresses are for local use only –Internet routers can drop packets to/from them

58 Lecture 11 Page 58 CS 136, Spring 2009 Rate Limits Many routers can place limits on the traffic they send to a destination Ensuring that the destination isn’t overloaded –Popular for denial of service defenses Limits can be defined somewhat flexibly But often not enough flexibility to let the good traffic through and stop the bad

59 Lecture 11 Page 59 CS 136, Spring 2009 Padding Sometimes you don’t want intruders to know what your traffic characteristics are Padding adds extra traffic to hide the real stuff Fake traffic must look like real traffic –Usually means encrypt it all Must be done carefully, or clever attackers can tell the good stuff from the noise

60 Lecture 11 Page 60 CS 136, Spring 2009 Routing Control Use ability to control message routing to conceal the traffic in the network Used in onion routing to hide who is sending traffic to whom –For anonymization purposes Routing control also used in some network defense –To hide real location of a machine –E.g., SOS DDoS defense system

61 Lecture 11 Page 61 CS 136, Spring 2009 Onion Routing Meant to hide source and destination of traffic Encrypt real packet Wrap it in another packet –With intermediate receiver –Who actively participates Generally, do it multiple times

62 Lecture 11 Page 62 CS 136, Spring 2009 The Effect of Onion Routing Lots of packets with encrypted payloads flow around At each step, one layer of encryption peeled off None of the intermediate routers are sure when real delivery occurs –Last layer also encrypted

63 Lecture 11 Page 63 CS 136, Spring 2009 Costs of Onion Routing Multiple encryptions per packet Packet travels further Decryption done at app level –So multiple trips up and down the network stack Unless carefully done, observers can deduce who’s sending to whom

Download ppt "Lecture 11 Page 1 CS 136, Spring 2009 Network Security CS 136 Computer Security Peter Reiher May 7, 2009."

Similar presentations

Why Is DDoS Hard to Solve? 1.A simple form of attack 2.Designed to prey on the Internet’s strengths 3.Easy availability of attack machines 4.Attack can.

Why Is DDoS Hard to Solve? 1.A simple form of attack 2.Designed to prey on the Internet’s strengths 3.Easy availability of attack machines 4.Attack can.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Internet Protocol Security An Overview of IPSec. Outline:  What Security Problem?  Understanding TCP/IP.  Security at What Level?  IP Security. 

Internet Protocol Security An Overview of IPSec. Outline:  What Security Problem?  Understanding TCP/IP.  Security at What Level?  IP Security. 
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.

بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.
Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.

Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
K. Salah1 Security Protocols in the Internet IPSec.

K. Salah1 Security Protocols in the Internet IPSec.
TCP/IP Basics A review for firewall configuration.

TCP/IP Basics A review for firewall configuration.
What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.

What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.
Lecture 10 Page 1 CS 136, Fall 2014 Network Security, Continued Computer Security Peter Reiher November 13, 2014.

Lecture 10 Page 1 CS 136, Fall 2014 Network Security, Continued Computer Security Peter Reiher November 13, 2014.
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.

CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.
1Federal Network Systems, LLC CIS Network Security Instructor Professor Mort Anvair Notice: Use and Disclosure of Data. Limited Data Rights. This proposal.

1Federal Network Systems, LLC CIS Network Security Instructor Professor Mort Anvair Notice: Use and Disclosure of Data. Limited Data Rights. This proposal.
8: Network Security8-1 Security in the layers. 8: Network Security8-2 Secure sockets layer (SSL) r Transport layer security to any TCP- based app using.

8: Network Security8-1 Security in the layers. 8: Network Security8-2 Secure sockets layer (SSL) r Transport layer security to any TCP- based app using.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Similar presentations

Ads by Google