Network Security IS250 Spring 2010 John Chuang

Uploaded by debra-west, 19-Dec-2015

Page 1: Network Security IS250 Spring 2010 John Chuang. 2 Outline  What is Network Security? -Security properties -Cryptographic techniques  Availability (or

Network Security

IS250, Spring 2010

John Chuang

Page 2 (slide 2)

Outline

What is Network Security?
- Security properties
- Cryptographic techniques

Availability (or lack thereof)
- Denial of service (DoS) attacks
- DDoS and botnets

Operational security
- Firewalls
- Intrusion detection systems
- Virtual private networks

Page 3 (slide 3)

Securing the Network Stack

Application (layer 7): various security protocols, e.g. HTTPS, SSH, PGP, S-BGP, DNSSEC, ...
Transport (layer 4): Transport Layer Security (TLS)
Network (layer 3): IPsec
Data Link (layer 2): Wired Equivalent Privacy (WEP); 802.11i
Physical (layer 1): control of access to cables; perimeter security; acoustic security; ...

Unfortunately, IP address spoofing (forging of the source address) is still unsolved, and it is the source of many network security problems.

Page 4 (slide 4)

Attacks

Wide-ranging scope. Some common attacks:
- Eavesdropping: passwords, credit card numbers, etc.
- Data tampering
- Impersonation
  - Replay attack
  - Man-in-the-middle attack (e.g., IP address spoofing)
  - Phishing attack
- Unauthorized access
  - System vulnerabilities
  - Password guessing (e.g., dictionary attack)
  - Social engineering (e.g., bribe, blackmail)
- Denial-of-Service attack
- Spam
- Malware: Trojan horses, viruses, worms, ...

Page 5 (slide 5)

Security Properties “CIA” and “AAA”

Confidentiality: prevents eavesdropping

Integrity: prevents modification of data

Authentication: proves your identity to a third party; prevents impersonation

Accountability (non-repudiation): enables failure analysis; serves as a deterrent

Authorization: prevents misuse

Availability: safeguards against denial-of-service

Page 6 (slide 6)

Cryptographic Techniques

Encryption: symmetric-key (e.g., AES); asymmetric-key (e.g., RSA)

Cryptographic hash (message digest): e.g., MD5, SHA-1

Digital signature

Security properties provided by these techniques: Confidentiality, Authentication, Integrity, Non-Repudiation

Page 7 (slide 11)

Outline

What is Network Security?
- Security properties
- Cryptographic techniques

Availability (or lack thereof)
- Denial of service (DoS) attacks
- DDoS and botnets

Operational security
- Firewalls
- Intrusion detection systems
- Virtual private networks

Page 8 (slide 12)

Availability

Denial-of-Service (DoS) attack: make a computer resource or service unavailable to users by overwhelming the computational and/or communication resources of the victim system

DoS statistics (Moore et al., USENIX 2001):
- Prevalence: 13,000 DoS attacks recorded in 3 weeks
- Duration: an attack can last for hours
- Intensity: 600,000 packets per second

2008 ISP Infrastructure Security Report (Arbor, 2008):
- Largest DDoS attack peak traffic volume of 40 Gbps

Page 9 (slide 13)

TCP SYN Flood Attack

Recall TCP session establishment:
- A → B: SYN
- B → A: SYN + ACK
- A → B: ACK

B has to keep state for every half-open connection, and an idle connection is closed only after a long timeout.

An attacker sends many SYN messages (with spoofed source IP addresses) to victim B.

Legitimate clients cannot establish a TCP session with B.
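The slide's point is that the victim pays for state it cannot verify. The standard mitigation is to stop storing state for half-open connections: the server encodes the handshake into its initial sequence number (a "SYN cookie", a keyed MAC over the connection 4-tuple and a coarse time counter) and only allocates a connection once the third-step ACK brings that cookie back. The following simulation is an added example written for this page, not code from the lecture; the server secret, address/port values, backlog size and counter values are constructed, and the cookie layout (top byte = counter, low 24 bits = truncated HMAC) is a simplification of the real Linux scheme.

```python
import hashlib
import hmac
import random

# Constructed secret for this example; a real server rotates it regularly.
SECRET = b"example-syn-cookie-secret"
BACKLOG = 4           # half-open connection slots on the stateful listener
COUNTER_MAX_AGE = 2   # accept cookies minted within the last 2 counter ticks
MASK32 = 0xFFFFFFFF


class StatefulServer:
    """Classic TCP listener: every SYN allocates a half-open entry that stays
    until the ACK arrives or a (long) timeout expires."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}  # (src_ip, src_port) -> server ISN

    def on_syn(self, src_ip, src_port, client_isn):
        if len(self.half_open) >= self.backlog:
            return None  # queue full: this SYN is dropped, legitimate or not
        server_isn = random.getrandbits(32)
        self.half_open[(src_ip, src_port)] = server_isn
        return server_isn

    def on_ack(self, src_ip, src_port, ack):
        isn = self.half_open.get((src_ip, src_port))
        if isn is None or ack != (isn + 1) & MASK32:
            return False
        del self.half_open[(src_ip, src_port)]
        return True


def syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, counter):
    """Server ISN that carries the handshake state in itself: top byte is a
    coarse time counter, low 24 bits a truncated HMAC over the 4-tuple, the
    client ISN and that counter. Nothing needs to be stored on the server."""
    c = counter & 0xFF
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}:{client_isn}:{c}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return (c << 24) | int.from_bytes(mac[:3], "big")


class CookieServer:
    """Listener that keeps no state for half-open connections."""

    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.established = []

    def on_syn(self, src_ip, src_port, client_isn, counter):
        # Reply SYN+ACK with the cookie as ISN; no table entry is created.
        return syn_cookie(src_ip, src_port, self.ip, self.port, client_isn, counter)

    def on_ack(self, src_ip, src_port, client_isn, ack, counter):
        # client_isn is recovered from the ACK segment's sequence number (seq - 1).
        presented = (ack - 1) & MASK32
        minted_at = presented >> 24
        if (counter - minted_at) & 0xFF > COUNTER_MAX_AGE:
            return False  # stale or forged counter byte
        expected = syn_cookie(src_ip, src_port, self.ip, self.port, client_isn, minted_at)
        if not hmac.compare_digest(presented.to_bytes(4, "big"), expected.to_bytes(4, "big")):
            return False  # MAC mismatch: the peer never received our SYN+ACK
        self.established.append((src_ip, src_port))
        return True


def simulate(n_spoofed=10):
    """Send n_spoofed SYNs from constructed spoofed sources that never ACK, then
    try one legitimate handshake on each listener. Returns (stateful_ok, cookie_ok)."""
    naive = StatefulServer()
    cookie = CookieServer("10.0.0.1", 80)
    counter = 100
    for i in range(n_spoofed):
        naive.on_syn(f"198.51.100.{i}", 40000 + i, 1000 + i)
        cookie.on_syn(f"198.51.100.{i}", 40000 + i, 1000 + i, counter)
    isn = naive.on_syn("192.0.2.7", 51000, 777)
    stateful_ok = isn is not None and naive.on_ack("192.0.2.7", 51000, (isn + 1) & MASK32)
    c = cookie.on_syn("192.0.2.7", 51000, 777, counter)
    cookie_ok = cookie.on_ack("192.0.2.7", 51000, 777, (c + 1) & MASK32, counter + 1)
    return stateful_ok, cookie_ok


if __name__ == "__main__":
    print("flooded: stateful=%s, cookie=%s" % simulate())
```

With ten spoofed SYNs and a backlog of four, the stateful listener has no slot left for the legitimate client, while the cookie listener completes the handshake because it never spent memory on the spoofed sources. The cost is that a cookie cannot carry TCP options negotiated in the SYN (real implementations squeeze an MSS index into the low bits and fall back to cookies only once the backlog fills), and the counter check bounds how long a SYN+ACK can be replayed.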

Page 10 (slide 14)

Smurf Attack

ICMP Echo Request attack: attacker sends ICMP Echo Request (ping) messages to IP broadcast addresses (e.g., 128.32.255.255)

These ping messages have the spoofed IP source address of the target victim

Hosts receiving the Echo Request messages respond with Echo Response (pong) messages

Target is flooded with ICMP Echo Response (pong) messages

This is an example of a reflected attack

Page 11 (slide 15)

Distributed DoS (DDoS) Attack

Attacker takes over machines via viruses and launches DoS attacks from these “zombies” or “bots”

Largest botnets can have millions of bots

Defensive approaches: filtering, traceback

Misaligned incentives are an important contributor:
- Many owners are unaware that their machine is a zombie
- Owners are not motivated to diligently patch their machines to protect against malware in the absence of perceived harm

Page 12 (slide 16)

Botnets

(Application layer overlay) network of bots (Trojan horses) under the command & control of a botnet operator

Botnet operators may control millions of machines and use them to launch DDoS attacks, send spam, perform keylogging, commit click fraud, ...
- Estimate: 70-90% of spam comes from botnets

Underground market for botnet services
- e.g., $500 for a DDoS attack using 10K bots
- e.g., sites asked to pay $10-50k in extortion

Source: Cisco

Page 13 (slide 17)

Outline

What is Network Security?
- Security properties
- Cryptographic techniques

Availability (or lack thereof)
- Denial of service (DoS) attacks
- DDoS and botnets

Operational security
- Firewalls
- Intrusion detection systems
- Virtual private networks

Page 14 (slide 18)

Firewall

A firewall isolates an organization’s internal network from the public Internet
- All traffic must pass through the firewall
- Only authorized traffic, as defined by local security policy, can pass

Two basic types: packet filter, application gateway

[Figure: firewall diagram, http://www.randommart.com/images/firewall_1_images/firewall.diagram2.gif]

Page 15 (slide 19)

Firewall Policy Examples

Policy: No outside web access
Firewall setting: Drop all outgoing packets to any IP address, destination port 80

Policy: No incoming TCP connections, except to public web server at IP address 1.2.3.4
Firewall setting: Drop all incoming TCP SYN packets to any IP except 1.2.3.4, port 80

Policy: Allow DNS packets to leave the network
Firewall setting: Allow outgoing UDP packets to any IP address, destination port 53

Policy: Prevent your network from being tracerouted
Firewall setting: Drop all outgoing ICMP TTL-expired traffic

Policy: Prevent your network from being used for a Smurf attack
Firewall setting: Drop all ICMP ping packets going to a broadcast address
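The policy table maps naturally onto an ordered packet-filter rule set, where each rule is a predicate over header fields and the first match decides. The program below is an added example written for this page (not the lecture's code): it encodes the five policies above as rules and evaluates constructed sample packets against them. The site address block 128.32.0.0/16 and all packet addresses and ports are assumptions; the web server address 1.2.3.4 is the one from the slide.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PUBLIC_WEB = "1.2.3.4"                    # the slide's public web server
LOCAL_NET = ip_network("128.32.0.0/16")   # assumption: the site's own address block


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (from the Internet) or "out" (to the Internet)
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    tcp_flags: str = ""   # e.g. "S" = SYN only, "SA" = SYN+ACK
    icmp_type: int = -1   # 8 = echo request, 11 = time exceeded (TTL expired)


def is_broadcast(addr):
    a = ip_address(addr)
    return a == LOCAL_NET.broadcast_address or a == ip_address("255.255.255.255")


def is_new_connection(p):
    # SYN without ACK: only these open a connection. Incoming SYN+ACK segments
    # are replies to our own outbound connections and must not be dropped.
    return p.proto == "tcp" and "S" in p.tcp_flags and "A" not in p.tcp_flags


# Ordered rule table, first match wins; each entry is (name, action, predicate).
RULES = [
    ("no-outside-web", "DROP",
     lambda p: p.direction == "out" and p.proto == "tcp" and p.dport == 80),
    ("no-inbound-tcp-except-web", "DROP",
     lambda p: p.direction == "in" and is_new_connection(p)
     and not (p.dst == PUBLIC_WEB and p.dport == 80)),
    ("dns-out", "ALLOW",
     lambda p: p.direction == "out" and p.proto == "udp" and p.dport == 53),
    ("no-traceroute-replies", "DROP",
     lambda p: p.direction == "out" and p.proto == "icmp" and p.icmp_type == 11),
    ("no-smurf-amplification", "DROP",
     lambda p: p.proto == "icmp" and p.icmp_type == 8 and is_broadcast(p.dst)),
]
DEFAULT_ACTION = "ALLOW"   # the slide states its policy as specific drops


def filter_packet(p):
    """Return (action, matched_rule_name); (DEFAULT_ACTION, None) if no rule matched."""
    for name, action, match in RULES:
        if match(p):
            return action, name
    return DEFAULT_ACTION, None


# Constructed sample packets exercising each policy line.
SAMPLE_PACKETS = [
    Packet("out", "tcp", "128.32.1.5", "203.0.113.9", 50000, 80, "S"),
    Packet("in", "tcp", "203.0.113.9", PUBLIC_WEB, 50000, 80, "S"),
    Packet("in", "tcp", "203.0.113.9", "128.32.1.5", 50000, 22, "S"),
    Packet("in", "tcp", "203.0.113.9", "128.32.1.5", 443, 50001, "SA"),
    Packet("out", "udp", "128.32.1.5", "192.0.2.53", 40000, 53),
    Packet("out", "icmp", "128.32.1.1", "203.0.113.9", icmp_type=11),
    Packet("in", "icmp", "203.0.113.9", "128.32.255.255", icmp_type=8),
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(f"{p.direction:3} {p.proto:4} {p.src}->{p.dst}:{p.dport} {filter_packet(p)}")
```

Two details matter in practice. "Drop all incoming TCP SYN packets" has to mean SYN without ACK, otherwise the SYN+ACK replies to the site's own outbound connections are dropped and nobody inside can reach anything; and the explicit DNS allow only has an effect under a default-deny policy, where it is what lets resolver traffic out. Note also that the slide's "no outside web access" rule covers port 80 only; HTTPS on port 443 is not affected by it.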

Page 16 (slide 20)

Application Gateway

Filters packets on application data as well as on IP/TCP/UDP fields

[Figure: host-to-gateway telnet session; gateway-to-remote-host telnet session; application gateway; router and filter. Source: Kurose and Ross, Computer Networking, 5th Edition]

Example: allow select internal users to telnet outside
1. Require all telnet users to telnet through the gateway
2. For authorized users, the gateway sets up a telnet connection to the destination host. The gateway relays data between the 2 connections
3. The router filter blocks all telnet connections not originating from the gateway

Page 17 (slide 21)

[Figure: Internet, firewall, demilitarized zone (DMZ) containing web server, FTP server, DNS server and application gateway, internal network; IDS sensors in the DMZ and on the internal network. Source: Kurose and Ross, Computer Networking, 5th Edition]

Intrusion Detection System: monitors and reports suspicious traffic by performing deep packet inspection
- Signature-based or anomaly-based
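The two detection styles named on the slide behave differently on the same traffic: a signature engine matches each packet against known patterns (headers plus payload, which is the deep packet inspection part), while an anomaly engine learns what normal looks like and flags deviations, so it can catch a SYN flood it has never seen a signature for. The program below is an added example for this page, not the lecture's code; the traffic records are constructed (addresses in the 10.0.0.0/8, 198.51.100.0/24 and 203.0.113.0/24 ranges), the two signatures and the 10-second window, 3-window training period and 3-sigma threshold are choices made for the demonstration, and the assumption that x.y.z.255 is a directed broadcast holds only for /24 subnets.

```python
import re
import statistics
from collections import Counter

BROADCAST_SUFFIX = ".255"   # assumption: /24 subnets, so x.y.z.255 is a directed broadcast


def build_sample_traffic():
    """Constructed packet records (not real captures): second, src, dst, proto,
    dport, TCP flags and a payload snippet for deep packet inspection."""
    recs = []

    def add(t, src, dst, proto, dport=0, flags="", payload=b""):
        recs.append({"t": t, "src": src, "dst": dst, "proto": proto,
                     "dport": dport, "flags": flags, "payload": payload})

    # 30 s of normal background: two or three new web connections per 10-s window
    for t, src in [(0, "10.0.0.5"), (5, "10.0.0.6"), (12, "10.0.0.5"), (17, "10.0.0.9"),
                   (23, "10.0.0.6"), (24, "10.0.0.7"), (28, "10.0.0.5")]:
        add(t, src, "10.0.0.80", "tcp", 80, "S")
    add(6, "10.0.0.5", "10.0.0.80", "tcp", 80, "PA", b"GET /index.html HTTP/1.1")
    add(13, "10.0.0.5", "10.0.0.80", "tcp", 80, "PA", b"GET /img/../../admin/config HTTP/1.1")
    # ICMP echo request aimed at a directed broadcast address (Smurf pattern)
    add(20, "203.0.113.4", "10.0.0.255", "icmp", payload=b"echo-request")
    # t = 30..39: a burst of SYNs from 40 different (spoofed) sources
    for i in range(40):
        add(30 + i % 10, f"198.51.100.{i}", "10.0.0.80", "tcp", 80, "S")
    # t = 40..49: back to normal
    add(41, "10.0.0.6", "10.0.0.80", "tcp", 80, "S")
    add(47, "10.0.0.9", "10.0.0.80", "tcp", 80, "S")
    return recs


# Signature-based: known bad patterns, matched per packet on headers and payload.
SIGNATURES = [
    ("http-directory-traversal",
     lambda r: r["proto"] == "tcp" and r["dport"] == 80
     and re.search(rb"\.\./", r["payload"]) is not None),
    ("icmp-echo-to-broadcast",
     lambda r: r["proto"] == "icmp" and r["dst"].endswith(BROADCAST_SUFFIX)),
]


def signature_detect(records):
    """Return (signature, second, src) for every record matching a signature."""
    return [(name, r["t"], r["src"])
            for r in records for name, match in SIGNATURES if match(r)]


def anomaly_detect(records, window=10, train_windows=3, k=3.0):
    """Learn the normal SYN rate from the first train_windows windows, then flag
    later windows whose SYN count exceeds mean + k * stddev of that baseline.
    Returns (window_index, syn_count) for each flagged window."""
    counts = Counter(r["t"] // window for r in records
                     if r["proto"] == "tcp" and r["flags"] == "S")
    baseline = [counts.get(w, 0) for w in range(train_windows)]
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    return [(w, c) for w, c in sorted(counts.items())
            if w >= train_windows and c > threshold]


if __name__ == "__main__":
    traffic = build_sample_traffic()
    print("signature alerts:", signature_detect(traffic))
    print("anomaly alerts:", anomaly_detect(traffic))
```

On this traffic the signature engine reports the traversal request and the echo request to the broadcast address but says nothing about the SYN burst, because no per-packet pattern distinguishes one spoofed SYN from a normal one; the anomaly engine flags window 3 (seconds 30 to 39) and stays quiet for the normal window that follows. The trade-off the slide hints at is visible here too: the signature rules produce precise, named alerts but only for patterns someone wrote down, while the anomaly threshold depends entirely on a baseline that an attacker who ramps up slowly can pollute.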

Page 18 (slide 22)

Virtual Private Networks

Problem: build a corporate intranet for an organization with multiple sites

Solutions:
- Public internet connections (low cost)
- Private (dedicated) network connections (confidential)
- Virtual Private Network (both confidentiality and low cost); implemented in software

Page 19 (slide 23)

VPN

VPN software in the router at each site gives the appearance of a private network

Implementation:
- Obtain an internet connection for each site
- Choose a router at each site to run VPN software
- Configure the VPN software in each router to know about the VPN routers at other sites
- VPN software acts as a packet filter; the next hop for an outgoing datagram is another VPN router
- Outgoing datagrams are encrypted using IPsec

Source: Doug Comer

Page 20 (slide 24)

IPSec (RFC 2402, 2406)

Transport mode: payload encrypted; not the header

Tunneling mode: entire packet encrypted, then encapsulated in a separate packet (to keep source/destination addresses confidential)

Example:
- Datagram from host x at site 1 to host y at site 2
- Router R1 at site 1 encrypts, then encapsulates in a new datagram for transmission to router R2 at site 2

Source: Doug Comer