Upload: dangbao

Post on 04-Jun-2018

Network Management Functions – Security 1

Network Management

1 19.4.2013

Lectures Schedule

Week 1 – Computer Networks - Network Management Architectures & Applications
Week 2 – Network Management Standards Architectures & Applications
Week 3 – Simple Network Management Protocol - SNMP v1, ASN, MIB, BER
Week 4 – Network Management Functions - Fault
Week 5 – Simple Network Management Protocol - SNMP v2 - Configuration
Week 6 – Network Management Functions - Accounting
Week 7 – Midterm
Week 8 – Simple Network Management Protocol - SNMP v3 - Performance
Week 9 – Network Management Functions – Security 1
Week 10 – Network Management Functions – Security 2
Week 11 – Remote Network Monitoring RMON 1, SLA
Week 12 – Remote Network Monitoring RMON 2
Week 13 – Management Tools, Systems and Applications
Week 14 – NM Project Presentations
Week 15 – NM Project Presentations

OSI NM Architecture and Model

(Figure: the OSI network management architecture and its four models)

• Organization Model – Manager, Agent, Object
• Information Model – Structure of Management Information (SMI), Management Information Base (MIB)
• Communication Model – Protocol Data Unit (PDU)
• Functional Model – Configuration Management (CM), Fault Management (FM), Performance Management (PM), Security Management (SM), Accounting Management (AM)

Network Management Functions

(Figure: corporate network management functions) Administration Mgmt, Capacity Mgmt, Provisioning Mgmt, Accounting Mgmt, Performance Mgmt, Configuration Mgmt, Fault Mgmt, Security Mgmt

Overview

• Network Security Architecture
– Wireless
– Security Domains
– VPN
• Firewall Technology
– Address Translation
– Denial of Service attacks
• Intrusion Detection
• ISO 27000 information security aspects (CIA)
– Confidentiality
– Integrity
– Availability
• + Authenticity
• + Non-Repudiation

802.11 or Wi-Fi

• IEEE standard for wireless communication
– Operates at the physical/data link layer
– Operates in the 2.4 or 5 GHz radio bands
• Wireless Access Point is the radio base station
– The access point acts as a gateway to a wired network, e.g. Ethernet
– Can advertise its Service Set Identifier (SSID) or not
• Hiding the SSID doesn't really help: a passive watcher learns the active SSIDs from the probe and association frames of legitimate clients
• Laptop with wireless card uses 802.11 to communicate with the Access Point

Security Mechanisms

• MAC restrictions at the access point
– Protects servers from unexpected clients
– Unacceptable in a dynamic environment
– No identity integrity. You can reprogram your card to pose as an "accepted" MAC, and the accepted MACs are visible in the clear in every 802.11 frame header.
• IPSec – to the access point or some IPSec gateway beyond
– Protects clients from wireless sniffers
– Used by UIUC wireless networks
• 802.11i – authentication, key management and integrity integral to the 802.11 framework
– WEP is the original, pre-802.11i encryption and is broken; WPA was the interim subset of 802.11i; WPA2 is the full 802.11i standard (CCMP/AES)

Network Cabling

• Cabling
– Thick Ethernet – 10BASE-5
– Thin Ethernet – 10BASE-2
– Shielded & Unshielded Twisted Pair (STP, UTP) – 10BASE-T (Cat 3), 100BASE-T (Cat 5)
– Fibre Optic – Gigabit Ethernet
– Wireless LAN
• TCP/IP Layer 1

Cabling in OSI Protocol Stack

(Figure: the seven OSI layers – 1 Physical, 2 Data Link, 3 Network, 4 Transport, 5 Session, 6 Presentation, 7 Application – with cabling placed at Layer 1, Physical)

Cabling Issues

• Physical Environment
– Trunking
– Network Closets
– Risers
• Physical Environment - Issues
– Single or multi-occupancy
– Access control to floor and building
– Network passes through public areas
– Network infrastructure easily accessible
– Network infrastructure shares facilities
– Electromagnetic environment

Thin Ethernet

• Short overall cable runs.
• Vulnerability: information broadcast to all devices on the shared coax.
– Threat: Information Leakage, Illegitimate Use
• Vulnerability: one cable fault disables the whole segment.
– Threat: Denial of Service
• Easy to install & attach additional devices.
– Vulnerability: anyone can tap into the bus (no hub or port to control).
• Threat: Illegitimate Use.
• Rarely seen now.

UTP and Hub

• Cable between hub and device is a single entity
• Only connectors are at the cable ends
• Additional devices can only be added at the hub
• Disconnection/cable break rarely affects other devices
• Easy to install

(Figure: hub with a 10/100BASE-T UTP cable to each device)

Other Layer 1 options

• Fibre Optic
– Cable between hub and device is a single entity
– Tapping or altering the cable is difficult
– Installation is more difficult
– Much higher speeds
• Wireless LAN
– Popular where building restrictions apply.
– Several disadvantages
• Radio signals are subject to interference, interception, and alteration.
• Difficult to restrict to the building perimeter.
– Security must be built in from the initial network design.

Hubs

• Data is broadcast to everyone on the hub
– Vulnerability: information broadcast to all devices.
• Threat: Information Leakage, Illegitimate Use
– Vulnerability: anyone can plug into the hub.
• Threat: Illegitimate Use.
• TCP/IP Layer 1
• Intelligent Hubs
– Signal regeneration.
– Traffic monitoring.
– Can be configured remotely.

Hubs in OSI Protocol Stack

(Figure: the seven OSI layers, with cabling and hubs both placed at Layer 1, Physical)

Ethernet Addressing

• Address of the Network Interface Card
• Unique 48 bit value
– First 24 bits (the Organizationally Unique Identifier, OUI) indicate the vendor.
• For example, 00:E0:81:10:19:FC
– 00:E0:81 indicates Tyan Corporation
– 10:19:FC (0x1019FC) indicates the 1,055,228th NIC of that vendor
• Media Access Control (MAC) address
• "Unique" only as burned in by the vendor: the operating system can set an arbitrary MAC on the interface, which is why MAC-based access control gives no identity integrity.

IP Addressing

• IP address is 32 bits long
• Usually expressed as 4 octets separated by dots, e.g. 62.49.67.170
• RFC 1918 specifies reserved addresses for use on private networks.
– 10.0.0.0 to 10.255.255.255
– 172.16.0.0 to 172.31.255.255
– 192.168.0.0 to 192.168.255.255
• Many large ranges assigned – 13.x.x.x Xerox, 18.x.x.x MIT, 54.x.x.x Merck

IP address to Ethernet address

• Address Resolution Protocol (ARP)
– Sits between Layer 2 and Layer 3: carried directly in Ethernet frames (EtherType 0x0806), not inside IP, so it never leaves the local segment
– Maps IP address to MAC address
• ARP Query – Who has 192.168.0.40? Tell 192.168.0.20 (sent to the broadcast MAC ff:ff:ff:ff:ff:ff, so every host on the segment sees it)
• ARP Reply – 192.168.0.40 is at 00:0e:81:10:19:FC
• ARP caches for speed
– Records previous ARP replies
– Entries are aged and eventually discarded

ARP Query & ARP Reply

(Figure: web browser at IP 192.168.0.20 / MAC 00:0e:81:10:17:D1 and web server at IP 192.168.0.40 / MAC 00:0e:81:10:19:FC on a 10/100BASE-T hub)
(1) ARP Query – Who has 192.168.0.40?
(2) ARP Reply – 192.168.0.40 is at 00:0e:81:10:19:FC

Switches

• Switches only send data to the intended receiver.
• Builds an index of which device (port) has which MAC address.

(Figure: 10/100BASE-T switch and its MAC address index)
Device  MAC address
1       00:0e:81:10:19:FC
2       00:0e:81:32:96:af
3       00:0e:81:31:2f:d7
4       00:0e:81:97:03:05
8       00:0e:81:10:17:d1

Switch Operation

• When a frame arrives at the switch
– Switch records the frame's source MAC address against the arrival port (this is how the index is learned, and why it can be poisoned).
– Switch looks up the destination MAC address in the index.
– Sends the frame only to the port of the device that owns that MAC address.
– If the destination MAC is not in the index (or is a broadcast), the frame is flooded to all other ports.
• Switches are often intelligent:
– Traffic monitoring, remotely configurable.
• Switches operate at Layer 2.

Switches in OSI Protocol Stack

(Figure: the seven OSI layers, with cabling and hubs at Layer 1, Physical, and switches at Layer 2, Data Link)

ARP Vulnerability

• ARP spoofing
– Masquerade threat
– Gratuitous ARP: an unsolicited announcement "IP X is at MAC Y"; hosts that already have X cached update the entry without asking
– ARP replies have no proof of origin
– A malicious device can claim any MAC address for any IP address
– Enables all the fundamental threats: interception, modification, denial of service, masquerade

Before ARP spoofing

(Figure: host 192.168.0.20 / MAC 00:0e:81:10:17:d1, host 192.168.0.40 / MAC 00:0e:81:10:19:FC and an attacker at 192.168.0.1 / MAC 00:1f:42:12:04:72 on one switch)

ARP cache of 192.168.0.20:
IP address     MAC address
192.168.0.40   00:0e:81:10:19:FC
192.168.0.1    00:1f:42:12:04:72

ARP cache of 192.168.0.40:
IP address     MAC address
192.168.0.20   00:0e:81:10:17:d1
192.168.0.1    00:1f:42:12:04:72

After ARP spoofing

(1) Attacker sends Gratuitous ARP: 192.168.0.40 is at 00:1f:42:12:04:72
(2) Attacker sends Gratuitous ARP: 192.168.0.20 is at 00:1f:42:12:04:72

ARP cache of 192.168.0.20:
IP address     MAC address
192.168.0.40   00:1f:42:12:04:72
192.168.0.1    00:1f:42:12:04:72

ARP cache of 192.168.0.40:
IP address     MAC address
192.168.0.20   00:1f:42:12:04:72
192.168.0.1    00:1f:42:12:04:72

Effect of ARP spoofing

• 192.168.0.20 sends an IP datagram with Dest: 192.168.0.40, but frames it to MAC 00:1f:42:12:04:72, so the switch delivers it to the attacker.
• The attacker keeps its own relay index of the real addresses and forwards each datagram on, so neither victim notices the man in the middle:
IP address     MAC address
192.168.0.40   00:0e:81:10:19:FC
192.168.0.20   00:0e:81:10:17:d1

Switch Vulnerability

• MAC Flooding
– Malicious device connected to the switch (port 4 in the figure)
– Sends thousands of frames, e.g. Gratuitous ARPs, each with a different source MAC address
– Each one is learned into the index against the attacker's port, pushing out the real entries
– When the index (CAM table) fills, some switches revert to hub behaviour and flood every frame to all ports, so the attacker can sniff traffic that was never meant for its port

(Figure: switch index after flooding)
Device  MAC address
1       00:0e:81:10:19:FC
4       00:0e:81:32:96:af
4       00:0e:81:32:96:b0
4       00:0e:81:32:96:b1
…       …
4       00:0e:81:32:97:a4
(thousands of entries, almost all on port 4)

Safeguards?

• Physically secure the switch
• Switches should fail safe when flooded (stop learning new addresses rather than fall back to flooding)
– Threat if they do not: Denial of Service, and loss of confidentiality
• Arpwatch: monitors MAC to IP address mappings and reports when a known IP changes its MAC or a new station appears
• Switch port locking of MAC addresses (port security)
– Limits how many, or which, MAC addresses a port may source: stops MAC flooding and stops a host impersonating another host's MAC
– Does not by itself stop ARP spoofing, because the attacker sends the bogus ARP reply from its own, locked, MAC address; that needs Dynamic ARP Inspection (the switch checks ARP replies against a DHCP-snooping binding table) or static ARP entries
– Reduces flexibility
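The Arpwatch idea from the safeguards list, run over the exact spoofing sequence of the slides, as an added example that is not part of the lecture: a watcher that learns IP-to-MAC bindings from the sender fields of every ARP packet it sees, reports a "changed ethernet address" when a known IP turns up with a new MAC, and additionally flags one MAC claiming several IPs, which is what the attacker at 00:1f:42:12:04:72 does. The packets are constructed inline (a real deployment would capture them with libpcap); the `ArpPacket`/`ArpWatcher` names and the `max_ips_per_mac` threshold are this example's own.

```python
"""Arpwatch-style monitor for the ARP spoofing sequence on the slides.

Added example, not lecture code. Addresses are the slide's; the ARP packets
are constructed inline rather than captured from the wire.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    op: str            # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    @property
    def gratuitous(self) -> bool:
        # Sender announces its own address: nobody asked, yet caches update.
        return self.sender_ip == self.target_ip


class ArpWatcher:
    """Learns IP -> MAC from the sender fields of every ARP packet and alerts
    when a known IP appears with a different MAC, or when one MAC claims more
    than max_ips_per_mac addresses (the spoofing signature on the slides)."""

    def __init__(self, max_ips_per_mac: int = 1):
        self.ip_to_mac: dict[str, str] = {}
        self.mac_to_ips: dict[str, set[str]] = defaultdict(set)
        self.alerts: list[tuple] = []
        self.max_ips_per_mac = max_ips_per_mac

    def observe(self, pkt: ArpPacket) -> None:
        mac, ip = pkt.sender_mac.lower(), pkt.sender_ip
        known = self.ip_to_mac.get(ip)
        if known is None:
            self.alerts.append(("new station", ip, mac))
        elif known != mac:
            # arpwatch's "changed ethernet address": the classic spoof symptom.
            kind = "changed ethernet address (gratuitous)" if pkt.gratuitous \
                else "changed ethernet address"
            self.alerts.append((kind, ip, known, mac))
        self.ip_to_mac[ip] = mac            # follow the change, but it was reported
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > self.max_ips_per_mac:
            self.alerts.append(("one MAC claims several IPs", mac,
                                tuple(sorted(self.mac_to_ips[mac]))))

    def suspects(self) -> dict[str, set[str]]:
        """MACs currently bound to more than max_ips_per_mac IP addresses."""
        return {m: ips for m, ips in self.mac_to_ips.items()
                if len(ips) > self.max_ips_per_mac}


# Constructed traffic: the legitimate exchange from the slides, then the
# attacker's two gratuitous ARPs from the "After ARP spoofing" slide.
BROADCAST = "ff:ff:ff:ff:ff:ff"
ATTACKER_MAC = "00:1f:42:12:04:72"
SAMPLE_TRAFFIC = [
    ArpPacket("request", "00:0e:81:10:17:d1", "192.168.0.20", "00:00:00:00:00:00", "192.168.0.40"),
    ArpPacket("reply",   "00:0e:81:10:19:fc", "192.168.0.40", "00:0e:81:10:17:d1", "192.168.0.20"),
    ArpPacket("reply",   ATTACKER_MAC,        "192.168.0.1",  "00:0e:81:10:17:d1", "192.168.0.20"),
    # (1) and (2): unsolicited announcements claiming the victims' IPs
    ArpPacket("reply",   ATTACKER_MAC,        "192.168.0.40", BROADCAST, "192.168.0.40"),
    ArpPacket("reply",   ATTACKER_MAC,        "192.168.0.20", BROADCAST, "192.168.0.20"),
]


def run_watch(traffic=SAMPLE_TRAFFIC) -> ArpWatcher:
    w = ArpWatcher()
    for p in traffic:
        w.observe(p)
    return w


if __name__ == "__main__":
    for alert in run_watch().alerts:
        print(*alert)
```

On a real segment the `max_ips_per_mac` threshold needs tuning: a router or a host with secondary addresses legitimately answers for several IPs, so the "several IPs" alert is a hint to investigate, while the "changed ethernet address" alert on an IP that has been stable for days is the one worth paging on.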

Denial of Service

• Example attacks
– Smurf Attack
– TCP SYN Attack
– Teardrop
• DoS in general exploits resource limitations
– Denial by Consumption
– Denial by Disruption
– Denial by Reservation

TCP handshaking

• Each TCP connection begins with three packets:
– A SYN packet from sender to receiver.
• "Can we talk?"
– A SYN/ACK packet from receiver to sender.
• "Fine – ready to start?"
– An ACK packet from sender to receiver.
• "OK, start"

TCP Handshaking

(Figure: handshake between 192.168.0.20 and 192.168.0.40)
(1) TCP packet, SYN flag – IP datagram Src: 192.168.0.20, Dest: 192.168.0.40
(2) TCP packet, SYN & ACK flags – IP datagram Src: 192.168.0.40, Dest: 192.168.0.20
(3) TCP packet, ACK flag – IP datagram Src: 192.168.0.20, Dest: 192.168.0.40

Tracking TCP handshakes

• The destination machine has to track which machines it has sent a "SYN+ACK" to
• Keeps a list (the half-open connection table, or SYN backlog) of TCP SYN packets that have had a SYN+ACK returned.
• When the ACK is received, the entry is removed from the list as the connection is now open.

TCP SYN Attack

• Exploits the three-way handshake

Figure 1. Three-way Handshake (S = source, D = destination)
S → D: SYN x                     D: LISTEN
D → S: SYN y, ACK x+1            D: SYN_RECEIVED
S → D: ACK y+1                   D: CONNECTED

Figure 2. SYN Flooding Attack
S → D: SYN, SYN, SYN, … from nonexistent (spoofed) source addresses   D: LISTEN
D → spoofed source: SYN+ACK, never answered                           D: SYN_RECEIVED, one half-open entry per SYN

TCP Denial Of Service

• What if the sender doesn't answer with an ACK?
– A SYN packet from sender to receiver.
• "Can we talk?"
– A SYN/ACK packet from receiver to sender.
• "Fine – ready to start?"
– ………………..nothing…………..……
• If the sender sends 100 SYN packets per second
– Eventually the receiver runs out of room to track the outstanding SYN+ACK replies, and new SYNs, including legitimate ones, are dropped
– SYN flooding.

TCP Denial of Service

(Figure: SYN flood against the server 192.168.0.40, shown on the segment with 192.168.0.20)
Attacker → server, repeated: TCP packet, SYN flag – IP datagram Src: 62.49.10.1 (spoofed), Dest: 192.168.0.40
Server → spoofed source, one per SYN: TCP packet, SYN & ACK flags – IP datagram Src: 192.168.0.40, Dest: 62.49.10.1
No ACK ever comes back from 62.49.10.1, so each SYN+ACK leaves a half-open entry on the server until it times out.

TCP SYN Attack Solutions

• Intermediate Firewall/Router
– Limit the number of half-open connections per source, or proxy the handshake and only hand the connection to the server once the client's ACK has arrived
• Ingress and egress filtering to reduce spoofed addresses (BCP 38)
– Does not help against DDoS bot networks, which send from their real addresses
• Reactively block attacking addresses
– Generally expensive to acquire technology to do it fast enough, and useless when the sources are spoofed
• Fix the protocol
– IPv6 does not change TCP, so it does not fix SYN flooding; the deployed fix is SYN cookies (RFC 4987), where the server encodes the connection in its initial sequence number instead of storing a half-open entry, together with shorter SYN_RECEIVED timeouts
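The resource exhaustion from the SYN flood slides and the SYN-cookie fix from the solutions slide, simulated side by side as an added example (not lecture code): a listener with a bounded half-open table drops the honest client's SYN once 1000 spoofed SYNs have filled the table, while the same listener using cookies keeps no per-SYN state and still completes the honest handshake. The cookie layout is a simplified version of the Linux scheme described in RFC 4987 (5 bits of coarse time, 3 bits of MSS index, 24 bits of keyed hash); the secret, the `Listener` class, the backlog of 128 and the spoofed source range are this example's own assumptions.

```python
"""Half-open connection table versus SYN cookies, simulated.

Added example for the SYN-flood slides, not lecture code. Simplified cookie:
5 bits time counter | 3 bits MSS index | 24 bits HMAC truncation.
"""
import hashlib
import hmac

COOKIE_SECRET = b"constructed-secret-rotate-me"   # a kernel rotates this periodically
MSS_TABLE = (536, 1220, 1460)                    # 3-bit index -> MSS the client offered
SERVER_IP, SERVER_PORT = "192.168.0.40", 80      # the server from the slides


def _cookie_hash(src, sport, dst, dport, t):
    msg = f"{src}:{sport}:{dst}:{dport}:{t}".encode()
    return int.from_bytes(hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, sport, dst, dport, t, mss):
    """Initial sequence number that encodes the connection instead of storing it."""
    idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss] or [0])
    return ((t & 0x1F) << 27) | (idx << 24) | _cookie_hash(src, sport, dst, dport, t)


def check_cookie(cookie, src, sport, dst, dport, now, max_age=1):
    """Returns the MSS encoded in a valid, fresh cookie; None if forged or stale."""
    t = (cookie >> 27) & 0x1F
    if (now - t) % 32 > max_age:                      # older than max_age ticks
        return None
    if (cookie & 0xFFFFFF) != _cookie_hash(src, sport, dst, dport, t):
        return None                                   # not something we issued
    return MSS_TABLE[(cookie >> 24) & 0x7]


class Listener:
    """A TCP listener with a bounded SYN backlog, optionally using SYN cookies."""

    def __init__(self, backlog, use_cookies=False):
        self.backlog, self.use_cookies = backlog, use_cookies
        self.half_open = {}        # (src, sport) -> ISN we sent in the SYN+ACK
        self.established = set()
        self.dropped_syns = 0
        self.clock = 7             # coarse time counter, held fixed for the run
        self._next_isn = 1000

    def on_syn(self, src, sport, mss=1460):
        """Returns the SYN+ACK sequence number, or None if the SYN was dropped."""
        if self.use_cookies:       # nothing is stored: the cookie *is* the state
            return make_cookie(src, sport, SERVER_IP, SERVER_PORT, self.clock, mss)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1  # table full: this is the denial of service
            return None
        self._next_isn += 64000
        self.half_open[(src, sport)] = self._next_isn
        return self._next_isn

    def on_ack(self, src, sport, ack):
        """Third packet of the handshake; ack must be our ISN + 1."""
        isn = ack - 1
        if self.use_cookies:
            ok = check_cookie(isn, src, sport, SERVER_IP, SERVER_PORT, self.clock) is not None
        else:
            ok = self.half_open.pop((src, sport), None) == isn
        if ok:
            self.established.add((src, sport))
        return ok


def simulate_flood(use_cookies, backlog=128, flood=1000):
    """Spoofed SYNs (never ACKed) then one honest client; returns whether the client connected."""
    srv = Listener(backlog, use_cookies)
    for i in range(flood):
        srv.on_syn(f"62.49.10.{i % 254 + 1}", 1024 + i)   # spoofed sources, as on the slides
    isn = srv.on_syn("192.168.0.20", 2076)
    if isn is None:
        return False
    return srv.on_ack("192.168.0.20", 2076, isn + 1)


if __name__ == "__main__":
    print("without cookies, honest client connected:", simulate_flood(False))
    print("with cookies, honest client connected:", simulate_flood(True))
```

Real stacks (Linux `net.ipv4.tcp_syncookies=1`) only switch to cookies once the backlog overflows, because a cookie cannot carry every TCP option the client sent (window scaling, SACK permitted, timestamps) and the verification hash costs CPU per ACK; the trade-off is a slightly degraded connection under attack instead of no connection at all.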

"Smurf"

(Figure: the perpetrator sends an ICMP echo request carrying the spoofed source address of the victim to the IP broadcast address of a third-party network across the Internet; every host on that network answers, and all the ICMP echo replies go to the victim)

Smurf Issues

• Amplification attack
– Small effort on the attacker's part results in big impact on the victim: one request in, one reply per host on the amplifying network out
• Victim fails unexpectedly under high load
– May just stop responding
– May stop performing normal security checks
• Exploiting protocol failure
– IPv6 has no broadcast address, so there is no directed broadcast to abuse; in IPv4 the fix is routers not forwarding directed broadcasts (RFC 2644 made that the default) and hosts not answering echo requests sent to a broadcast address
• Old attack
– Blocked by most firewalls

Teardrop Attack

• Send a series of IP fragments whose offsets and lengths don't fit together (they overlap)
– Poor stack implementations computed a negative fragment length while trimming the overlap and crashed
– Early Windows and Linux stacks
(Figure: overlapping fragments of one datagram)
Offset 0, len 60
Offset 30, len 90
Offset 41, len 173
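The Teardrop arithmetic beside a hardened reassembly check, as an added example that is not lecture code: `naive_trim_length` reproduces the logic of the vulnerable reassemblers (move an overlapping fragment's start forward to the end of the previous data and copy `end - start` bytes, which goes negative when the fragment ends inside the previous one), while `reassemble_plan` does what a modern stack does and rejects any datagram whose fragments overlap or leave gaps. Offsets and lengths are in bytes as on the slide (real IP fragment offsets are in 8-byte units); the slide's three fragments are used as given, and the classic two-fragment teardrop pair (0, 36) / (24, 4) is a constructed sample added to show the negative length.

```python
"""IP fragment reassembly: the Teardrop arithmetic beside a hardened check.

Added example, not from the lecture. (offset, length) pairs are in bytes.
"""

SLIDE_FRAGMENTS = [(0, 60), (30, 90), (41, 173)]   # the three fragments on the slide
TEARDROP_PAIR = [(0, 36), (24, 4)]                  # constructed: 2nd fragment ends inside the 1st


def naive_trim_length(prev_end, offset, length):
    """Bytes an old reassembler copied after 'trimming' an overlap.

    Vulnerable logic: if this fragment starts inside the previous data, move
    its start to prev_end and copy end - start bytes. When the fragment ends
    *before* prev_end the result is negative; the original code passed it to
    memcpy as an unsigned size, which is the Teardrop crash.
    """
    end = offset + length
    if offset < prev_end:
        offset = prev_end
    return end - offset


def reassemble_plan(fragments):
    """Hardened version: require the fragments to tile [0, total) exactly.

    Returns the total datagram length. Raises ValueError on overlap, gap,
    non-positive length or negative offset; a modern stack drops the whole
    datagram instead of trying to patch overlapping pieces together.
    """
    expected = 0
    for offset, length in sorted(fragments):
        if offset < 0 or length <= 0:
            raise ValueError(f"bad fragment ({offset}, {length})")
        if offset < expected:
            raise ValueError(f"overlap: fragment at {offset} starts inside data ending at {expected}")
        if offset > expected:
            raise ValueError(f"gap: nothing covers [{expected}, {offset})")
        expected = offset + length
    return expected


def is_teardrop(fragments):
    """True if, after sorting, any fragment would make naive_trim_length negative."""
    prev_end = 0
    for offset, length in sorted(fragments):
        if naive_trim_length(prev_end, offset, length) < 0:
            return True
        prev_end = max(prev_end, offset + length)
    return False


if __name__ == "__main__":
    for name, frags in (("slide", SLIDE_FRAGMENTS), ("teardrop pair", TEARDROP_PAIR)):
        try:
            print(name, "reassembles to", reassemble_plan(frags), "bytes")
        except ValueError as err:
            print(name, "rejected:", err, "| classic teardrop:", is_teardrop(frags))
```

Note that the slide's fragments overlap but do not trigger the negative length, since each one extends past the previous one; rejecting all overlap (rather than only the negative case) is the right policy, because overlapping fragments are also how an attacker makes an IDS and the end host see different payloads.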

IP Spoofing

• A machine can place any IP address in the source address of an IP datagram.
• Disadvantage: any reply packet will return to the wrong place.
• Advantage (to an attacker): no-one knows who sent the packet.
• If the sender sends 100 SYN packets per second with spoofed source addresses…
– Every SYN+ACK goes to an address that never answers, so the half-open table fills, and blocking the "attacking" address blocks the wrong host
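The ingress and egress filtering named on the SYN attack solutions slide (BCP 38), which is the deployable answer to spoofed sources and, with a directed-broadcast drop, to Smurf amplification, as an added example that is not lecture code: the decision logic a border router applies to each packet's source and destination. The site prefix 62.49.67.0/24 is an assumption built from the slide's example address 62.49.67.170, the bogon list is the usual set of addresses that must never arrive from the Internet, and the sample packets are constructed, including the slide's spoofed SYN source 62.49.10.1 leaving an internal host.

```python
"""Ingress/egress (BCP 38) source-address filtering plus directed-broadcast drop.

Added example, not from the lecture. Real filters live in router ACLs; this
is the decision logic, exercised on constructed packets.
"""
import ipaddress

SITE_PREFIXES = [ipaddress.ip_network("62.49.67.0/24")]   # assumption: prefix allocated to us

# Source addresses that must never arrive from the Internet (RFC 1918 and friends).
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def _in_any(addr, networks):
    return any(addr in n for n in networks)


def border_filter(direction, src, dst):
    """Accept/drop decision for one packet at the site border.

    direction: "ingress" (Internet -> site) or "egress" (site -> Internet).
    Returns (verdict, reason).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "ingress":
        if _in_any(src, BOGON_SOURCES):
            return "drop", "bogon/private source from the Internet"
        if _in_any(src, SITE_PREFIXES):
            return "drop", "our own prefix as source from outside (spoof)"
        if any(dst == n.broadcast_address for n in SITE_PREFIXES):
            return "drop", "directed broadcast (smurf amplifier)"
        return "accept", "ok"
    if direction == "egress":
        # BCP 38: nothing leaves the site unless it carries one of our addresses.
        if not _in_any(src, SITE_PREFIXES):
            return "drop", "source not ours: spoofed packet leaving the site"
        return "accept", "ok"
    raise ValueError(f"unknown direction {direction!r}")


# Constructed sample: the slide's spoofed SYN source leaving an internal host,
# honest egress, a private source arriving from outside, our prefix arriving
# from outside, a smurf trigger, and ordinary inbound traffic.
SAMPLE_PACKETS = [
    ("egress",  "62.49.10.1",   "18.0.0.1"),
    ("egress",  "62.49.67.170", "18.0.0.1"),
    ("ingress", "10.0.0.5",     "62.49.67.10"),
    ("ingress", "62.49.67.170", "62.49.67.10"),
    ("ingress", "13.1.2.3",     "62.49.67.255"),
    ("ingress", "13.1.2.3",     "62.49.67.10"),
]


def audit(packets=SAMPLE_PACKETS):
    """Verdict for each sample packet, in order."""
    return [border_filter(*p)[0] for p in packets]


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        verdict, reason = border_filter(*pkt)
        print(f"{pkt[0]:7} {pkt[1]:>13} -> {pkt[2]:<13} {verdict:6} {reason}")
```

Egress filtering protects other people's networks from your hosts, which is why it is the part most sites skip; the slide's caveat still holds, since a botnet sending SYNs from real addresses passes both checks.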

TCP/IP Ports

• Many processes on a single machine may be waiting for network traffic.
• When a packet arrives, how does the transport layer know which process it is for?
• The port allows the transport layer to deliver the packet to the right application-layer process.
• Packets have a source and a destination port.
– The source port is used by the receiver as the destination port of its replies.

Port Assignments

• Well known ports from 0 to 1023
– http = port 80
– smtp = port 25
– syslog = port 514
– telnet = port 23
– ssh = port 22
– ftp = port 21, + more…
• Registered ports from 1024 to 49151
• Dynamic or private ports from 49152 to 65535

Port Multiplexing

(Figure: Host A runs putty, ie and netscape on client ports 2076, 2077 and 2078; Host B runs apache on port 80 and telnet on port 23. Each host's stack is drawn as Transport Layer, Internet Layer, Network Layer and Physical Network, and the units exchanged at each level are Message, Packet, Datagram and Frame. The port numbers let one stack multiplex several applications over a single interface.)

Ports in Action

(Figure: client 192.168.0.20 and server 192.168.0.40, www.localserver.org, on a switch)
HTTP message GET index.html – TCP packet Src Port: 2076, Dest Port: 80 – IP datagram Src: 192.168.0.20, Dest: 192.168.0.40
HTTP message Contents of index.html – TCP packet Src Port: 80, Dest Port: 2076 – IP datagram Src: 192.168.0.40, Dest: 192.168.0.20
TELNET message – TCP packet Src Port: 2077, Dest Port: 23 – IP datagram Src: 192.168.0.20, Dest: 192.168.0.40
TELNET message – TCP packet Src Port: 23, Dest Port: 2077 – IP datagram Src: 192.168.0.40, Dest: 192.168.0.20

Questions?
