network security

1. Bishop:Chapter 26 Network Security Based on notes by Prashanth Reddy Pasham

Introduction

Policy Development

Network Organization

Firewalls

Availability and Network Flooding

How to develop a network infrastructure from security requirements?

Know security requirements

it leads to the development of security policy.

which in turn suggests the form of the network

security goalspolicy

network policyfunctionalities

distribution of functionalities to various parts of the networknetwork diagram

Functionality of each parthost configuration

Goals of Dribs Security policy

Data related to company plans is to be kept secret

available only to those who need to know

Customer data should be available only to those who fill the order

Releasing sensitive data requires the consent of the companys officials and lawyers.

Our goal is to design a network infrastructure that will meet these requirements

Policies

Must provide public access to some information

Limit access to other information even within the company.

Drib requires a policy that minimizes the threat or data being leaked to unauthorized entities.

Unauthorized?

Drib has three internal organizations

Customer Service Group(CSG)

Deals with customers

Maintains all customer data

Serves as interface between the other groups and clients of the drib

Development Group(DG)

Develops, modifies, maintains products

Rely on CSG for the description of customer complaints, suggestions, ideas.

No direct talk with customers

Corporate group(CG)

Handles Drib's debentures, lawsuits, patents and other corporate level work.

Policy describes the way information is to flow among these groups

Data Classes

Public Data(PD)

Available to anyone

Includes product specifications, price information and marketing literature.

Development data for existing products(DDEP)

Available only internally

Company lawyers, officers and developers

Development data for future products(DDFP)

Available only to developers

may change, as may various aspects of development.

Corporate data(CoD)

Information about corporate functions

Customer data(CuD)

Credit card information

User Classes

Outsiders

Developers

Corporation executives

Employees

See table on page 776 for user rights

Availability: global, 24/7

Consistency check

Does the policy described above meets the goals of the Drib?

Network Regions

Internet

Internal Network( Intranet)

Network Boundaries

Firewall

Filtering firewall:Based on packet headers

ex: preventing BackOrifice

Proxy firewall:Gives external view that hides intranet

ex: mail proxy

Conceal the addresses of the internal network

Internal addresses can be real

Fake addresses:10.b.c.d, 172.[16-31].c.d, 192.168.c.d

Network Address Translation Protocol mapsinternal to assigned address

Mail Server

Hide internal addresses

Map incoming mail to real server

Additional incoming/outgoing checks

Outer Firewall

What traffic allowed

External source: IP restrictions

What type of traffic:Ports (e.g., SMTP, HTTP)

Proxy between DMZ servers and internet

Internal Firewall

Traffic restrictions:Ports, From/to IP

Proxy between intranet and outside

DMZ Mail Server

performs address and content checking on all electronic mail messages

When it receives a letter from the Internet, it performs the following Steps

reassembles the message into a set of headers, a letter, and any attachments

scans the letter and attachments for any computer virus or malicious logic.

Restore the attachments to transmit

Rescan it for any violation of SMTP specification

Scans the recipient address lines.

Addresses that directed the mail to the drib are rewritten to direct the mail to the internal mail server

DMZ Mail Server

When it receives a outgoing letter from the internal mail server

Steps 1 and 2 are the same

In step 3 the mail proxy scans the header lines.

All lines that mention internal hosts are rewritten to identify the host as drib.org, the name of the outside firewall.

DMZ WWW Server

Identifies itself as www.drib.org and uses IP address of the outside firewall

DMZ DNS Server

It contain entries for

DMZ mail, Web and log hosts

Internal trusted administrative host

Outer firewall

Inner firewall

DMZ Log Server

Flooding

Overwhelm TCP stack on target machine

Prevents legitimate connections

Limit availability by

Overwhelming service

Examples

SYN flood

Overwhelms TCP stack

A form of DOS attack

The attacker initiates large number of TCP SYN packets and refuses to execute the 3 rdpart of the TCP three-way handshake for those packets

If the packets come from multiple sources (the attacking machines) but have the same destination (the victim machine)DDOS

A: the initiator; B: the destination

TCP connection multi-step

A: SYN to initiate

B: SYN+ACK to respond

C: ACK gets agreement

Sequence numbers then incremented for future messages

Ensures message order

Retransmit if lost

Verifies party really initiated connection

Implementation: A, the attacker; B: the victim

Receives SYN

Allocate connection

Acknowledge

Wait for response

See the problem?

What if no response

And many SYNs

All space for connections allocated

None left for legitimate ones

Limit connections from one source?

But source is in packet, can be faked

Ignore connections from illegitimate sources

If you know who is legitimate

Can figure it quickly

And the attacker doesnt know this

Drop oldest connection attempts

Using intermediate hosts to eliminate SYN flood

Relying on TCP state and memory allocations

Basic idea

Using routers to divert or eliminate illegitimate traffic

Resources on the target are not consumed by the attacks.

Approaches

Only legitimate handshakes can reach the firewall.

e.g., Cisco routers TCP intercept mode

Network traffic monitor/tracker

e.g., Synkill [Schuba, etc. 1997]

TCP intercept

Router establishes connection to client

When connected establish with server

If the client never sends the ACK (before timing out), then the initial SYN packet is part of an attack handshake.

The target never sees the illegitimate SYN packets.

The router uses short time-outs to protect itself.

Synkill

An active monitor that analyzes packets being sent to some set of systems (potential victim targets)

Monitor machine as firewall

Classification of IP addresses into classes

Good addresses:history of successful connections

Bad addresses:previous timeout attempt

New addresses

Block and terminate attempts from bad addresses

Dynamically managed classes

Question: How if agoodIP turnsbad?

Problem:Server maintaining state

Runs out of space

Solutions

Dont maintain state on server; let the client track the state.the SYNcookieapproach

Theadaptive time-outapproach

The SYNcookieapproach:

The server does not maintain state of connections

Q: How does the server know the sequence numbers?

Ans: The state is encoded in the initial sequence number of the ACK; the server retrieves this info from the clients ACK packet.

The SYNcookieapproach:

The SYN cookie is encoded in the SYN response

h(source,destination,random)+sequence+time

See p.795 for the formula.

Client increments this and ACKs

Server subtracts h(), time to get sequence

Knows if this is in valid range

Theadaptive time-outapproach

Assumption: There is a fixed amount of space for the state of pending connections

Varies the times before the time-outs, depending on the amount of space available for new pending connections

As the amount of available space decreases, so does the amount of time before the system begins to time out connections.

A brief overview

Many issues and techniques in Network Security

One or more new courses are needed!

network security

Technology

internal mail server

dmz mail server

syn flood

internal network

tcp state

intermediate hosts

customer data

network infrastructure