network management -...
Lectures Schedule
Week 1  Computer Networks - Network Management Architectures & Applications
Week 2  Network Management Standards, Architectures & Applications
Week 3  Simple Network Management Protocol - SNMP v1, ASN, MIB, BER
Week 4  Network Management Functions - Fault
Week 5  Simple Network Management Protocol - SNMP v2 - Configuration
Week 6  Network Management Functions - Accounting
Week 7  Midterm
Week 8  Simple Network Management Protocol - SNMP v3 - Performance
Week 9  Network Management Functions - Security 1
Week 10 Network Management Functions - Security 2
Week 11 Remote Network Monitoring RMON 1, SLA
Week 12 Remote Network Monitoring RMON 2
Week 13 Management Tools, Systems and Applications
Week 14 NM Project Presentations
Week 15 NM Project Presentations
OSI NM Architecture and Model
Network Management is modelled in four parts:
• Organization Model
– Manager
– Agent
– Object
• Information Model
– Structure of Management Information (SMI)
– Management Information Base (MIB)
• Communication Model
– Protocol Data Unit (PDU)
• Functional Model
– Configuration Management (CM)
– Fault Management (FM)
– Performance Management (PM)
– Security Management (SM)
– Accounting Management (AM)
19.4.2013
Network Management Functions
• Corporate Network Management
– Administration Mgmt
– Capacity Mgmt
– Provisioning Mgmt
– Accounting Mgmt
– Performance Mgmt
– Configuration Mgmt
– Fault Mgmt
– Security Mgmt
Overview
• Network Security Architecture
– Wireless
– Security Domains
– VPN
• Firewall Technology
– Address Translation
– Denial of Service attacks
• Intrusion Detection
• ISO 27000 information security aspects (CIA)
– Confidentiality
– Integrity
– Availability
• + Authenticity
• + Non-Repudiation
802.11 or Wi-Fi
• IEEE standard for wireless communication
– Operates at the physical/data link layer
– Operates at the 2.4 or 5 GHz radio bands
• Wireless Access Point is the radio base station
– The access point acts as a gateway to a wired network e.g., ethernet
– Can advertise Service Set Identifier (SSID) or not
• Doesn't really matter, watcher will learn active SSIDs
• Laptop with wireless card uses 802.11 to communicate with the Access Point
Security Mechanisms
• MAC restrictions at the access point
– Protects servers from unexpected clients
– Unacceptable in a dynamic environment
– No identity integrity: you can reprogram your card to pose as an “accepted” MAC.
• IPSec – to the access point or to some IPSec gateway beyond it
– Protects clients from wireless sniffers
– Used by UIUC wireless networks
• 802.11i – authentication and integrity integral to the 802.11 framework
– WEP, WPA, WPA2
Network Cabling
• Cabling
– Thick Ethernet – 10BASE-5
– Thin Ethernet – 10BASE-2
– Shielded & Unshielded Twisted Pair (STP, UTP) – 10BASE-T (Cat 3), 100BASE-T (Cat 5)
– Fibre Optic – Gigabit Ethernet
– Wireless LAN
• TCP/IP Layer 1
Cabling in OSI Protocol Stack
[Figure: the seven-layer OSI stack (1 Physical, 2 Data Link, 3 Network, 4 Transport, 5 Session, 6 Presentation, 7 Application) with Cabling placed at Layer 1, Physical.]
Cabling Issues
• Physical Environment
– Trunking
– Network Closets
– Risers
• Physical Environment - Issues
– Single or multi-occupancy
– Access control to floor/building
– Network passes through public areas
– Network infrastructure easily accessible
– Network infrastructure shares facilities
– Electromagnetic environment
Thin Ethernet
• Short overall cable runs.
• Vulnerability: information broadcast to all devices.
– Threat: Information Leakage, Illegitimate Use
• Vulnerability: one cable fault disables the network.
– Threat: Denial of Service
• Easy to install & attach additional devices.
– Vulnerability: anyone can plug into the hub.
• Threat: Illegitimate Use.
• Rarely seen now.
UTP and Hub
• Cable between hub and device is a single entity
• Only connectors are at the cable ends
• Additional devices can only be added at the hub
• Disconnection/cable break rarely affects other devices
• Easy to install
[Figure: hub with a 10/100BASE-T UTP run to each device.]
Other Layer 1 options
• Fibre Optic
– Cable between hub and device is a single entity
– Tapping or altering the cable is difficult
– Installation is more difficult
– Much higher speeds
• Wireless LAN
– Popular where building restrictions apply.
– Several disadvantages:
• Radio signals are subject to interference, interception, and alteration.
• Difficult to restrict to building perimeter.
– Security must be built in from initial network design.
Hubs
• Data is broadcast to everyone on the hub
– Vulnerability: information broadcast to all devices.
• Threat: Information Leakage, Illegitimate Use
– Vulnerability: anyone can plug into the hub.
• Threat: Illegitimate Use.
• TCP/IP Layer 1
• Intelligent Hubs
– Signal regeneration.
– Traffic monitoring.
– Can be configured remotely.
Hubs in OSI Protocol Stack
[Figure: the seven-layer OSI stack with Cabling and Hubs both placed at Layer 1, Physical.]
Ethernet Addressing
• Address of Network Interface Card
• Unique 48 bit value
– first 24 bits indicate the vendor.
• For example, 00:E0:81:10:19:FC
– 00:E0:81 indicates Tyan Corporation
– 10:19:FC indicates 1,055,228th NIC
• Media Access Control (MAC) address
IP Addressing
• IP address is 32 bits long
• Usually expressed as 4 octets separated by dots, e.g. 62.49.67.170
• RFC 1918 specifies reserved addresses for use on private networks.
– 10.0.0.0 to 10.255.255.255
– 172.16.0.0 to 172.31.255.255
– 192.168.0.0 to 192.168.255.255
• Many large ranges assigned
– 13.x.x.x Xerox, 18.x.x.x MIT, 54.x.x.x Merck
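The vendor/serial split of the MAC on the previous slide and the RFC 1918 ranges above are easy to get wrong by hand, so here is an added worked example (not from the slides) that decodes the slide's Tyan address and classifies IPv4 addresses against the three private blocks. EXAMPLE_MAC, the sample public address and the three ranges are the slide's values; the function names and the other test addresses are assumptions.

```python
import ipaddress

# Example values taken from the slides: the Tyan NIC and the public address.
EXAMPLE_MAC = "00:E0:81:10:19:FC"
EXAMPLE_PUBLIC_IP = "62.49.67.170"

# RFC 1918 private ranges, written as prefixes equivalent to the slide's three ranges.
RFC1918_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),        # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),     # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),    # 192.168.0.0 - 192.168.255.255
]

def split_mac(mac):
    """Return (vendor OUI, NIC serial number) for a 48-bit colon-separated MAC.

    The high 24 bits are the IEEE-assigned vendor prefix, the low 24 bits are
    the vendor's serial number for that particular card.
    """
    octets = mac.split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError("MAC address must be six colon-separated octets")
    value = int("".join(octets), 16)       # whole address as a 48-bit integer
    oui = ":".join(o.upper() for o in octets[:3])
    return oui, value & 0xFFFFFF           # low 24 bits as a decimal serial

def is_rfc1918(address):
    """True if the IPv4 address lies in one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918_RANGES)

if __name__ == "__main__":
    oui, serial = split_mac(EXAMPLE_MAC)
    print(f"{EXAMPLE_MAC}: vendor {oui}, NIC serial {serial:,}")
    # Constructed test addresses around the 172.16/12 boundary.
    for addr in (EXAMPLE_PUBLIC_IP, "10.3.4.5", "172.16.0.1", "172.32.0.1", "192.168.0.40"):
        print(f"{addr:15} private={is_rfc1918(addr)}")
```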
IP address to Ethernet address
• Address Resolution Protocol (ARP)
– Layer 3 protocol
– Maps IP address to MAC address
• ARP Query – Who has 192.168.0.40? Tell 192.168.0.20
• ARP Reply – 192.168.0.40 is at 00:0e:81:10:19:FC
• ARP caches for speed
– Records previous ARP replies
– Entries are aged and eventually discarded
ARP Query & ARP Reply
[Figure: Web Browser (IP 192.168.0.20, MAC 00:0e:81:10:17:D1) and Web Server (IP 192.168.0.40, MAC 00:0e:81:10:19:FC) on a 10/100BASE-T hub. (1) ARP Query: Who has 192.168.0.40? (2) ARP Reply: 192.168.0.40 is at 00:0e:81:10:19:FC.]
Switches
• Switches only send data to the intended receiver.
• Builds an index of which device has which MAC address.
[Figure: 10/100BASE-T switch and its index of Device → MAC address: 1 → 00:0e:81:10:19:FC, 2 → 00:0e:81:32:96:af, 3 → 00:0e:81:31:2f:d7, 4 → 00:0e:81:97:03:05, 8 → 00:0e:81:10:17:d1.]
Switch Operation
• When a frame arrives at switch
– Switch looks up destination MAC address in index.
– Sends the frame to the device in the index that owns that MAC address.
• Switches are often intelligent:
– Traffic monitoring, remotely configurable.
• Switches operate at Layer 2.
Switches in OSI Protocol Stack
[Figure: the seven-layer OSI stack with Cabling and Hubs at Layer 1, Physical, and Switches at Layer 2, Data Link.]
ARP Vulnerability
• ARP spoofing
– Masquerade threat
– Gratuitous ARP
– ARP replies have no proof of origin
– A malicious device can claim any MAC address
– Enables all fundamental threats
Before ARP spoofing
[Figure: hosts 192.168.0.20 (MAC 00:0e:81:10:17:d1) and 192.168.0.40 (MAC 00:0e:81:10:19:FC) and the attacker 192.168.0.1 (MAC 00:1f:42:12:04:72) share a switch. ARP cache of 192.168.0.20: 192.168.0.40 → 00:0e:81:10:19:FC, 192.168.0.1 → 00:1f:42:12:04:72. ARP cache of 192.168.0.40: 192.168.0.20 → 00:0e:81:10:17:d1, 192.168.0.1 → 00:1f:42:12:04:72.]
After ARP spoofing
[Figure: the attacker sends two gratuitous ARPs: (1) “192.168.0.40 is at 00:1f:42:12:04:72” towards 192.168.0.20 and (2) “192.168.0.20 is at 00:1f:42:12:04:72” towards 192.168.0.40. ARP cache of 192.168.0.20 now: 192.168.0.40 → 00:1f:42:12:04:72, 192.168.0.1 → 00:1f:42:12:04:72. ARP cache of 192.168.0.40 now: 192.168.0.20 → 00:1f:42:12:04:72, 192.168.0.1 → 00:1f:42:12:04:72.]
Effect of ARP spoofing
[Figure: both hosts' ARP caches now map the other host's IP to the attacker's MAC 00:1f:42:12:04:72. An IP datagram from 192.168.0.20 with Dest 192.168.0.40 is framed to MAC 00:1f:42:12:04:72 and so reaches the attacker, whose own relay index keeps the real mappings (192.168.0.40 → 00:0e:81:10:19:FC, 192.168.0.20 → 00:0e:81:10:17:d1) and passes the traffic on between the two hosts.]
Switch Vulnerability
• MAC Flooding
– Malicious device connected to switch
– Sends multiple Gratuitous ARPs
– Each ARP claims a different MAC address
– When index fills, some switches revert to hub behaviour
[Figure: the switch index now shows port 4 claiming thousands of MAC addresses (00:0e:81:32:96:af, 00:0e:81:32:96:b0, 00:0e:81:32:96:b1, … 00:0e:81:32:97:a4; 9999 entries) alongside the legitimate entries for the other devices.]
Safeguards?
• Physically secure the switch
• Switches should failsafe when flooded
– Threat: Denial of Service
• Arpwatch: monitors MAC to IP address mappings
• Switch port locking of MAC addresses
– Prevents ARP spoofing
– Reduces flexibility
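An added example (not part of the lecture) of the Arpwatch safeguard and the port-locking idea from this slide: it replays constructed ARP traffic matching the spoofing scenario above and the MAC flood, alerting when an IP changes MAC and when one switch port sources more MACs than an assumed threshold. Addresses are the slides' values; the port numbers, the threshold and the class and function names are assumptions.

```python
from collections import defaultdict

# Constructed ARP observations replaying the slides: (switch port, sender MAC, sender IP).
# Three hosts are learned normally, then the attacker's two gratuitous ARPs arrive.
ARP_TRAFFIC = [
    (8, "00:0e:81:10:17:d1", "192.168.0.20"),
    (1, "00:0e:81:10:19:fc", "192.168.0.40"),
    (4, "00:1f:42:12:04:72", "192.168.0.1"),
    (4, "00:1f:42:12:04:72", "192.168.0.40"),   # claims the server's IP
    (4, "00:1f:42:12:04:72", "192.168.0.20"),   # claims the client's IP
]

class ArpMonitor:
    """Arpwatch-style IP -> MAC binding tracker plus a per-port MAC count check."""

    def __init__(self, max_macs_per_port=3):
        self.ip_to_mac = {}                 # learned IP -> MAC bindings
        self.port_macs = defaultdict(set)   # distinct MACs seen on each switch port
        # Assumed port-security threshold; not a value from the slides.
        self.max_macs_per_port = max_macs_per_port

    def observe(self, port, mac, ip):
        """Record one ARP reply or gratuitous ARP and return the alerts it raises."""
        alerts = []
        mac = mac.lower()
        known = self.ip_to_mac.get(ip)
        if known is not None and known != mac:
            # An IP quietly moving to another MAC is the ARP spoofing signature.
            alerts.append(f"changed ethernet address: {ip} {known} -> {mac} on port {port}")
        self.ip_to_mac[ip] = mac
        self.port_macs[port].add(mac)
        if len(self.port_macs[port]) == self.max_macs_per_port + 1:
            # Reported once, when a port first exceeds its allowed number of MACs.
            alerts.append(f"mac flooding suspected on port {port}")
        return alerts

def run_monitor(observations, max_macs_per_port=3):
    """Feed observations through one monitor and collect every alert."""
    monitor = ArpMonitor(max_macs_per_port)
    alerts = []
    for port, mac, ip in observations:
        alerts.extend(monitor.observe(port, mac, ip))
    return alerts

def flood_observations(port, count):
    """Constructed MAC flood: `count` distinct MAC/IP pairs all sourced from one port."""
    return [(port, f"00:0e:81:32:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}",
             f"10.0.{(i >> 8) & 0xff}.{i & 0xff}") for i in range(count)]
```

`run_monitor(ARP_TRAFFIC)` yields the two "changed ethernet address" alerts for 192.168.0.40 and 192.168.0.20, and `run_monitor(flood_observations(4, 9999))` yields a single flooding alert for port 4.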
Denial of Service
• Example attacks
– Smurf Attack
– TCP SYN Attack
– Teardrop
• DoS in general exploits resource limitations
– Denial by Consumption
– Denial by Disruption
– Denial by Reservation
TCP handshaking
• Each TCP connection begins with three packets:
– A SYN packet from sender to receiver.
• “Can we talk?”
– A SYN/ACK packet from receiver to sender.
• “Fine – ready to start?”
– An ACK packet from sender to receiver.
• “OK, start”
TCP Handshaking
[Figure: between 192.168.0.20 and 192.168.0.40. (1) TCP packet with SYN flag in an IP datagram Src 192.168.0.20, Dest 192.168.0.40. (2) TCP packet with SYN & ACK flags in an IP datagram Src 192.168.0.40, Dest 192.168.0.20. (3) TCP packet with ACK flag in an IP datagram Src 192.168.0.20, Dest 192.168.0.40.]
Tracking TCP handshakes
• The destination machine has to track which machines it has sent a “SYN+ACK” to
• Keeps a list of TCP SYN packets that have had a SYN+ACK returned.
• When ACK is received, packet removed from list as connection is open.
TCP SYN Attack
• Exploits the three-way handshake
Figure 1. Three-way Handshake: S sends SYN(x) to D, which is in LISTEN; D answers SYN(y), ACK(x+1) and enters SYN_RECEIVED; S sends ACK(y+1) and the two are CONNECTED.
Figure 2. SYN Flooding Attack: S sends a stream of SYNs with nonexistent (spoofed) source addresses to D, which is in LISTEN; D enters SYN_RECEIVED for each one and sends SYN+ACK to the spoofed addresses, from which no ACK ever comes back.
TCP Denial Of Service
• What if the sender doesn’t answer with an ACK?
– A SYN packet from sender to receiver.
• “Can we talk?”
– A SYN/ACK packet from receiver to sender.
• “Fine – ready to start?”
– ………… nothing …………
• If the sender sends 100 SYN packets per second
– Eventually the receiver runs out of room to track the SYN+ACK replies
– SYN flooding.
TCP Denial of Service
[Figure: a stream of TCP SYN packets in IP datagrams Src 62.49.10.1, Dest 192.168.0.40 arrives at 192.168.0.40; each one is answered with a TCP SYN & ACK packet addressed to 62.49.10.1, and no ACK ever comes back.]
TCP SYN Attack Solutions
• Intermediate Firewall/Router
– Limit number of half open connections
• Ingress and egress filtering to reduce spoofed addresses
– Does not help against DDoS bot networks
• Reactively block attacking addresses
– Generally expensive to acquire technology to do this fast enough
• Fix Protocol - IPv6
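Added example (not from the slides) modelling the receiver's table of half-open connections from the SYN flood slides above, with an assumed per-source limit standing in for the firewall/router safeguard in the first bullet. The addresses and the 100 SYNs per second are the slides' values; the table capacity, the limit, the port numbers and the names are constructed, and entry timeouts are left out.

```python
from collections import Counter

class SynBacklog:
    """The receiver's table of half-open connections: SYN seen, SYN+ACK sent, ACK awaited.

    backlog_size is the table's capacity. max_per_source models the slide's
    "intermediate firewall/router limits half-open connections" safeguard as an
    assumed per-source-address cap (None = no safeguard). Timeouts are omitted.
    """

    def __init__(self, backlog_size, max_per_source=None):
        self.backlog_size = backlog_size
        self.max_per_source = max_per_source
        self.half_open = set()         # (src_ip, src_port) pairs awaiting the final ACK
        self.per_source = Counter()    # half-open entries held by each source address
        self.dropped = 0

    def on_syn(self, src_ip, src_port):
        """Return True if a SYN+ACK goes out (entry stored), False if the SYN is dropped."""
        key = (src_ip, src_port)
        if key in self.half_open:
            return True                # retransmitted SYN, already tracked
        over_capacity = len(self.half_open) >= self.backlog_size
        over_source_cap = (self.max_per_source is not None
                           and self.per_source[src_ip] >= self.max_per_source)
        if over_capacity or over_source_cap:
            self.dropped += 1
            return False
        self.half_open.add(key)
        self.per_source[src_ip] += 1
        return True

    def on_ack(self, src_ip, src_port):
        """Third packet of the handshake: the entry leaves the half-open table."""
        key = (src_ip, src_port)
        if key not in self.half_open:
            return False
        self.half_open.remove(key)
        self.per_source[src_ip] -= 1
        return True

def flood_then_real_client(max_per_source=None, backlog_size=64, flood_syns=100):
    """Constructed scenario: one second of 100 SYNs from the spoofed source 62.49.10.1,
    none ever acknowledged, then a genuine handshake from 192.168.0.20 port 2076.
    Returns (client_connected, half_open_entries, dropped_syns)."""
    table = SynBacklog(backlog_size, max_per_source)
    for src_port in range(1024, 1024 + flood_syns):
        table.on_syn("62.49.10.1", src_port)
    connected = table.on_syn("192.168.0.20", 2076) and table.on_ack("192.168.0.20", 2076)
    return connected, len(table.half_open), table.dropped
```

Without the safeguard the flood fills all 64 slots and the real client's SYN is dropped; with `max_per_source=10` the spoofed source is held to 10 entries and the client connects.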
“Smurf”
[Figure: across the Internet, the perpetrator sends an ICMP echo carrying the spoofed source address of the victim to an IP broadcast address; every host on that network sends its ICMP echo reply to the victim.]
Smurf Issues
• Amplification attack
– Small effort on attacker results in big impact on victim
• Victim fails unexpectedly under high load
– May just stop responding
– May stop performing normal security checks
• Exploiting protocol failure
– Fixed in IPv6
• Old attack
– Blocked by most firewalls
Teardrop Attack
• Send series of fragments that don't fit together
– Poor stack implementations would crash
– Early Windows stacks
• Example fragments: Offset 0, len 60; Offset 30, len 90; Offset 41, len 173
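Added example (not from the slides) of the reassembly check a stack needs in order not to be caught by fragments like those listed above: the layout is validated for overlaps and gaps before any data is copied. The Teardrop offsets and lengths are the slide's; the clean layout, the byte payloads and the function names are constructed.

```python
# Constructed fragment layouts as (offset, length) pairs in bytes. The first reproduces
# the slide's Teardrop fragments; the second is the same three sizes split cleanly.
TEARDROP_FRAGMENTS = [(0, 60), (30, 90), (41, 173)]
CLEAN_FRAGMENTS = [(0, 60), (60, 90), (150, 173)]

def validate_fragments(fragments):
    """Check that the fragments tile the datagram exactly: no overlaps, no gaps.

    Returns (True, total_length) for a clean layout, otherwise (False, reason).
    Running this before any copying is what a Teardrop-resistant reassembler does
    instead of trusting the offsets it was sent.
    """
    expected = 0
    for offset, length in sorted(fragments):
        if offset < 0 or length <= 0:
            return False, f"invalid fragment offset={offset} len={length}"
        if offset < expected:
            return False, f"fragment at {offset} overlaps previous data by {expected - offset} bytes"
        if offset > expected:
            return False, f"gap of {offset - expected} bytes before fragment at {offset}"
        expected = offset + length
    return True, expected

def reassemble(fragments_with_data):
    """Reassemble [(offset, payload)] pairs, dropping the datagram if the layout is bad."""
    layout = [(offset, len(payload)) for offset, payload in fragments_with_data]
    ok, detail = validate_fragments(layout)
    if not ok:
        raise ValueError(f"dropping datagram: {detail}")
    buffer = bytearray(detail)
    for offset, payload in fragments_with_data:
        buffer[offset:offset + len(payload)] = payload
    return bytes(buffer)

if __name__ == "__main__":
    print("clean   :", validate_fragments(CLEAN_FRAGMENTS))
    print("teardrop:", validate_fragments(TEARDROP_FRAGMENTS))
```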
IP Spoofing
• A machine can place any IP address in the source address of an IP datagram.
• Disadvantage: Any reply packet will return to the wrong place.
• Advantage (to an attacker): No-one knows who sent the packet.
• If the sender sends 100 SYN packets per second with spoofed source addresses….
TCP/IP Ports
• Many processes on a single machine may be waiting for network traffic.
• When a packet arrives, how does the transport layer know which process it is for?
• The port allows the transport layer to deliver the packet to the application layer.
• Packets have source and destination port.
– Source port is used by receiver as destination of replies.
Port Assignments
• Well known ports from 0 to 1023
– http=port 80
– smtp=port 25
– syslog=port 514
– telnet=23
– ssh=22
– ftp=21 + more…
• Registered ports from 1024 to 49151
• Dynamic or private ports from 49152 to 65535
Port Multiplexing
[Figure: Host A runs putty (port 2077), ie (port 2076) and netscape (port 2078); Host B runs telnet (port 23) and apache (port 80). Each host's stack is Transport Layer, Internet Layer, Network Layer over the Physical Network, carrying Message → Packet → Datagram → Frame.]
Ports in Action
[Figure: 192.168.0.20 and 192.168.0.40 on a switch. HTTP: GET index.html from www.localserver.org in a TCP packet Src Port 2076, Dest Port 80, IP datagram Src 192.168.0.20, Dest 192.168.0.40; the contents of index.html return in a TCP packet Src Port 80, Dest Port 2076, IP datagram Src 192.168.0.40, Dest 192.168.0.20. TELNET: TCP packet Src Port 2077, Dest Port 23, IP datagram Src 192.168.0.20, Dest 192.168.0.40; reply in a TCP packet Src Port 23, Dest Port 2077, IP datagram Src 192.168.0.40, Dest 192.168.0.20.]