Presentation is loading. Please wait.

Presentation is loading. Please wait.

8: Network Security 8-1 IPsec: Network Layer Security r network-layer secrecy: m sending host encrypts the data in IP datagram m TCP and UDP segments;

Published byDamon Elliott Modified over 8 years ago

Similar presentations

Presentation on theme: "8: Network Security 8-1 IPsec: Network Layer Security r network-layer secrecy: m sending host encrypts the data in IP datagram m TCP and UDP segments;"— Presentation transcript:

1 8: Network Security 8-1 IPsec: Network Layer Security r network-layer secrecy: m sending host encrypts the data in IP datagram m TCP and UDP segments; ICMP and SNMP messages. r network-layer authentication m destination host can authenticate source IP address r two principal protocols: m authentication header (AH) protocol m encapsulation security payload (ESP) protocol r for both AH and ESP, source, destination handshake: m create network-layer logical channel called a security association (SA) r each SA unidirectional. r uniquely determined by: m security protocol (AH or ESP) m source IP address m 32-bit connection ID

2 8: Network Security 8-2 Firewalls isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others. firewall administered network public Internet firewall

3 8: Network Security 8-3 Firewalls: Why prevent denial of service attacks: m SYN flooding: attacker establishes many bogus TCP connections, no resources left for “real” connections prevent illegal modification/access of internal data. m e.g., attacker replaces CIA’s homepage with something else allow only authorized access to inside network (set of authenticated users/hosts) three types of firewalls: m stateless packet filters m stateful packet filters m application gateways

4 8: Network Security 8-4 Stateless packet filtering r internal network connected to Internet via router firewall r router filters packet-by-packet, decision to forward/drop packet based on: m source IP address, destination IP address m TCP/UDP source and destination port numbers m ICMP message type m TCP SYN and ACK bits Should arriving packet be allowed in? Departing packet let out?

5 8: Network Security 8-5 Stateless packet filtering: example r example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. m all incoming, outgoing UDP flows and telnet connections are blocked. r example 2: Block inbound TCP segments with ACK=0. m prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.

6 8: Network Security 8-6 Policy Firewall Setting No outside Web access. Drop all outgoing packets to any IP address, port 80 No incoming TCP connections, except those for institution’s public Web server only. Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80 Prevent Web-radios from eating up the available bandwidth. Drop all incoming UDP packets - except DNS and router broadcasts. Prevent your network from being used for a smurf DoS attack. Drop all ICMP packets going to a “broadcast” address (eg 130.207.255.255). Prevent your network from being tracerouted Drop all outgoing ICMP TTL expired traffic Stateless packet filtering: more examples

7 8: Network Security 8-7 action source address dest address protocol source port dest port flag bit allow222.22/16 outside of 222.22/16 TCP> 102380 any allowoutside of 222.22/16 TCP80> 1023ACK allow222.22/16 outside of 222.22/16 UDP> 102353--- allowoutside of 222.22/16 UDP53> 1023---- denyall Access Control Lists r ACL: table of rules, applied top to bottom to incoming packets: (action, condition) pairs

8 8: Network Security 8-8 Stateful packet filtering r stateless packet filter: heavy handed tool m admits packets that “make no sense,” e.g., dest port = 80, ACK bit set, even though no TCP connection established: action source address dest address protocol source port dest port flag bit allowoutside of 222.22/16 TCP80> 1023ACK r stateful packet filter: track status of every TCP connection m track connection setup (SYN), teardown (FIN): can determine whether incoming, outgoing packets “makes sense” m timeout inactive connections at firewall: no longer admit packets

9 8: Network Security 8-9 action source address dest address proto source port dest port flag bit check conxion allow222.22/16 outside of 222.22/16 TCP> 102380 any allowoutside of 222.22/16 TCP80> 1023ACK x allow222.22/16 outside of 222.22/16 UDP> 102353--- allowoutside of 222.22/16 UDP53> 1023---- x denyall Stateful packet filtering r ACL augmented to indicate need to check connection state table before admitting packet

10 8: Network Security 8-10 Application gateways r filters packets on application data as well as on IP/TCP/UDP fields. r example: allow select internal users to telnet outside. host-to-gateway telnet session gateway-to-remote host telnet session application gateway router and filter 1. require all telnet users to telnet through gateway. 2. for authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections 3. router filter blocks all telnet connections not originating from gateway.

11 8: Network Security 8-11 Limitations of firewalls and gateways r IP spoofing: router can’t know if data “really” comes from claimed source r if multiple app’s. need special treatment, each has own app. gateway. r client software must know how to contact gateway. m e.g., must set IP address of proxy in Web browser r filters often use all or nothing policy for UDP. r tradeoff: degree of communication with outside world, level of security r many highly protected sites still suffer from attacks.

12 8: Network Security 8-12 Intrusion detection systems r packet filtering: m operates on TCP/IP headers only m no correlation check among sessions r IDS: intrusion detection system m deep packet inspection: look at packet contents (e.g., check character strings in packet against database of known virus, attack strings) m examine correlation among multiple packets port scanning network mapping DoS attack

13 8: Network Security 8-13 Web server FTP server DNS server application gateway Internet demilitarized zone internal network firewall IDS sensors Intrusion detection systems r multiple IDSs: different types of checking at different locations

14 8: Network Security 8-14 Network Security (summary) Basic techniques…... m cryptography (symmetric and public) m message integrity m end-point authentication …. used in many different security scenarios m secure email m secure transport (SSL) m IP sec m 802.11 Operational Security: firewalls and IDS

15 Availability r Access over Internet must be unimpeded m Context: flooding attacks, in which attackers try to overwhelm system resources r Denial of service (DoS) attacks disrupt availability m Distributed DoS is a coordinated attack from multiple attackers r Example: SYN flood m Problem: server cannot distinguish legitimate handshake from one that is part of this attack Only difference is whether third part of TCP handshake is sent m Flood can overwhelm communication medium Can’t do anything about this (except buy a bigger pipe) m Flood can overwhelm resources on legitimate system

16 Regular TCP handshake

17 Too many half-opened TCP connections at server creates a DoS attack Server is waiting client to finish the connection Buffer space is full and legitimate connection cannot be completed

18 Flooding DoS attack

19 Prevention of SYN flood: SYN Cookies r Server no longer keeps the client’s state m Embed the state in the sequence number m When SYN received, server computes a sequence number to be function of source, destination, counter, and a secret The function may be one-way hash function The secret is known only by the server Use as reply SYN sequence number When reply ACK arrives, validate it m The sequence number must be hard to guess

20 SYN Cookie y = H(source, destination, secret, counter) computed by server s is secret known only by server H is a one-way hash function Server no longer keeps client’s state Server verifies sequence number with s Client cannot forge a sequence number without actually engaging in handshake

21 Alternative prevention to SYN flood: adaptive Time-Out r Change time-out time as space available for pending connections decreases r Example: modified SunOS kernel m Time-out period shortened from 75 to 15 sec m Formula for queueing pending connections changed: Process allows up to b pending connections on port a number of completed connections but awaiting process p total number of pending connections c tunable parameter Whenever a + p > cb, drop current SYN message

22 ICMP: Internet Control Message Protocol r used by hosts & routers to communicate network-level information m error reporting: unreachable host, network, port, protocol m echo request/reply (used by ping) r network-layer “above” IP: m ICMP msgs carried in IP datagrams r ICMP message: type, code plus first 8 bytes of IP datagram causing error Type Code description 0 0 echo reply (ping) 3 0 dest. network unreachable 3 1 dest host unreachable 3 2 dest protocol unreachable 3 3 dest port unreachable 3 6 dest network unknown 3 7 dest host unknown 4 0 source quench (congestion control - not used) 8 0 echo request (ping) 9 0 route advertisement 10 0 router discovery 11 0 TTL expired 12 0 bad IP header

23 Flooding DoS attacks

24 2: Application Layer 24 Slides credits r J.F Kurose and K.W. Ross

Download ppt "8: Network Security 8-1 IPsec: Network Layer Security r network-layer secrecy: m sending host encrypts the data in IP datagram m TCP and UDP segments;"

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
CSE551: Computer Network Review r Network Layers r TCP/UDP r IP.

CSE551: Computer Network Review r Network Layers r TCP/UDP r IP.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
Network Security. Reasons to attack Steal information Modify information Deny service (DoS)

Network Security. Reasons to attack Steal information Modify information Deny service (DoS)
McGraw-Hill © ©The McGraw-Hill Companies, Inc., 2004 Chapter 31 Security Protocols in the Internet.

McGraw-Hill © ©The McGraw-Hill Companies, Inc., 2004 Chapter 31 Security Protocols in the Internet.
Week 5: Internet Protocol Continue to discuss Ethernet and ARP –MTU –Ethernet and ARP packet format IP: Internet Protocol –Datagram format –IPv4 addressing.

Week 5: Internet Protocol Continue to discuss Ethernet and ARP –MTU –Ethernet and ARP packet format IP: Internet Protocol –Datagram format –IPv4 addressing.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Internet Control Message Protocol (ICMP)

Internet Control Message Protocol (ICMP)
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
The Network Layer Chapter 5. The IP Protocol The IPv4 (Internet Protocol) header.

The Network Layer Chapter 5. The IP Protocol The IPv4 (Internet Protocol) header.
Network Layer4-1 Chapter 4 Network Layer Computer Networking: A Top Down Approach Featuring the Internet, 3 rd edition. Jim Kurose, Keith Ross Addison-Wesley,

Network Layer4-1 Chapter 4 Network Layer Computer Networking: A Top Down Approach Featuring the Internet, 3 rd edition. Jim Kurose, Keith Ross Addison-Wesley,
Chapter 5 The Network Layer.

Chapter 5 The Network Layer.
Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.

Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.
ICMP: Internet Control Message Protocol used by hosts, routers, gateways to communication network-level information –error reporting: unreachable host,

ICMP: Internet Control Message Protocol used by hosts, routers, gateways to communication network-level information –error reporting: unreachable host,
1 CCNA 2 v3.1 Module 10. 2 Intermediate TCP/IP CCNA 2 Module 10.

1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.

Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

Similar presentations

Ads by Google