Network Security
IS250, Spring 2010
John Chuang
John Chuang 2
Outline
- What is Network Security?
  - Security properties
  - Cryptographic techniques
- Availability (or lack thereof)
  - Denial of service (DoS) attacks
  - DDoS and botnets
- Operational security
  - Firewalls
  - Intrusion detection systems
  - Virtual private networks
Securing the Network Stack
- Application (layer 7): various security protocols, e.g., HTTPS, SSH, PGP, S-BGP, DNSSEC, …
- Transport (layer 4): Transport Layer Security (TLS)
- Network (layer 3): IPsec
- Data Link (layer 2): Wired Equivalent Privacy (WEP); 802.11i; …
- Physical (layer 1): physical layer security: control of access to cables; perimeter security; acoustic security; …
Unfortunately, IP address spoofing (forging of the source address) is still unsolved, and it is the source of many network security problems.
Attacks
Wide-ranging scope. Some common attacks:
- Eavesdropping (passwords, credit card numbers, etc.)
- Data tampering
- Impersonation
  - Replay attack
  - Man-in-the-middle attack (e.g., IP address spoofing)
  - Phishing attack
- Unauthorized access
  - System vulnerabilities
  - Password guessing (e.g., dictionary attack)
  - Social engineering (e.g., bribe, blackmail)
- Denial-of-Service attack
- Spam
- Malware: Trojan horses, viruses, worms, …
Security Properties: “CIA” and “AAA”
- Confidentiality: prevents eavesdropping
- Integrity: prevents modification of data
- Authentication: proves your identity to a third party; prevents impersonation
- Accountability (non-repudiation): enables failure analysis; serves as a deterrent
- Authorization: prevents misuse
- Availability: safeguards against denial-of-service
Cryptographic Techniques
- Encryption
  - Symmetric-key (e.g., AES)
  - Asymmetric-key (e.g., RSA)
- Cryptographic hash (message digest)
  - e.g., MD5, SHA-1
- Digital signature
(Slide table: each technique is mapped to the security properties it provides: Confidentiality, Authentication, Integrity, Non-Repudiation.)
Outline
- What is Network Security?
  - Security properties
  - Cryptographic techniques
- Availability (or lack thereof)
  - Denial of service (DoS) attacks
  - DDoS and botnets
- Operational security
  - Firewalls
  - Intrusion detection systems
  - Virtual private networks
Availability
Denial-of-Service (DoS) Attack:
- Make a computer resource or service unavailable to users by overwhelming the computational and/or communication resources of the victim system
DoS statistics (Moore et al., Usenix 2001):
- Prevalence: 13,000 DoS attacks recorded in 3 weeks
- Duration: an attack can last for hours
- Intensity: 600,000 packets per second
2008 ISP Infrastructure Security Report (Arbor, 2008):
- Largest DDoS attack peak traffic volume of 40 Gbps
TCP SYN Flood Attack
Recall TCP session establishment:
- A → B: SYN
- B → A: SYN + ACK
- A → B: ACK
B has to keep state for every half-open connection, and an idle connection is closed only after a long timeout.
An attacker sends many SYN messages (with spoofed source IP addresses) to victim B.
Legitimate clients cannot establish a TCP session with B.
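As an added illustration (my code, not from the slides), a toy model of the half-open connection table that B must keep: it replays a constructed trace of SYN/ACK arrivals, expires idle entries after a timeout, refuses SYNs once the table is full, and lists the sources that never completed the handshake, which is what a monitor would flag. The timeout, backlog size, and the addresses in the trace are assumptions.

```python
TIMEOUT = 60.0  # assumed idle timeout before B drops a half-open connection (seconds)
BACKLOG = 5     # assumed maximum number of half-open entries B will keep

# Constructed trace of (time, source address, TCP flag seen at B). The first five
# SYNs carry spoofed sources that never answer B's SYN+ACK; 198.51.100.7 is a
# legitimate client that does complete the three-way handshake.
TRACE = [
    (0.0, "203.0.113.1", "SYN"), (1.0, "203.0.113.2", "SYN"), (2.0, "203.0.113.3", "SYN"),
    (3.0, "203.0.113.4", "SYN"), (4.0, "203.0.113.5", "SYN"),
    (5.0, "198.51.100.7", "SYN"),    # arrives while the table is full
    (70.0, "198.51.100.7", "SYN"),   # retry after the spoofed entries time out
    (70.5, "198.51.100.7", "ACK"),   # third message of the handshake
]

def replay(trace, timeout=TIMEOUT, backlog=BACKLOG):
    """Replay the trace through B's half-open table.
    Returns (completed handshakes, SYNs refused because the table was full,
    sources still half-open at the end)."""
    half_open = {}              # src -> time the SYN arrived (SYN+ACK was sent)
    completed, refused = [], []
    for t, src, flag in trace:
        for s in [s for s, t0 in half_open.items() if t - t0 > timeout]:
            del half_open[s]    # idle half-open entry finally expires
        if flag == "SYN":
            if len(half_open) >= backlog:
                refused.append((t, src))  # no room to keep state, legitimate or not
            else:
                half_open[src] = t
        elif flag == "ACK" and src in half_open:
            del half_open[src]  # handshake finished; state moves to a real connection
            completed.append(src)
    return completed, refused, list(half_open)

def flood_suspects(trace, timeout=TIMEOUT, backlog=BACKLOG):
    """Sources that sent a SYN but never completed: the pattern a monitor looks for."""
    sent_syn = {src for _, src, flag in trace if flag == "SYN"}
    completed, _, _ = replay(trace, timeout, backlog)
    return sorted(sent_syn - set(completed))
```

Replaying with a shorter timeout frees the table before the legitimate client's first SYN arrives, which is one reason stacks shorten the half-open timeout under load; SYN cookies go further by keeping no per-SYN state at all.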
Smurf Attack
ICMP Echo Request attack:
- Attacker sends ICMP Echo Request (ping) messages to IP broadcast addresses (e.g., 128.32.255.255)
- These ping messages have the spoofed IP source address of the target victim
- Hosts receiving the Echo Request messages will respond with Echo Response (pong) messages
- Target is flooded with ICMP Echo Response (pong) messages
This is an example of a reflected attack.
Distributed DoS (DDoS) Attack
- Attacker takes over machines via viruses and launches DoS attacks from these “zombies” or “bots”
- Largest botnets can have millions of bots
- Defensive approaches: filtering, traceback
- Misaligned incentives are an important contributor
  - Many owners are unaware that their machine is a zombie
  - Owners are not motivated to diligently patch their machines to protect against malware in the absence of perceived harm
Botnets
- (Application layer overlay) network of bots (Trojan horses) under the command & control of a botnet operator
- Botnet operators may control millions of machines and use them to launch DDoS attacks, send spam, perform keylogging, commit click fraud, …
  - Estimate: 70-90% of spam comes from botnets
- Underground market for botnet service
  - e.g., $500 for a DDoS attack using 10K bots
  - e.g., sites asked to pay $10-50k in extortion
Source: Cisco
Outline
- What is Network Security?
  - Security properties
  - Cryptographic techniques
- Availability (or lack thereof)
  - Denial of service (DoS) attacks
  - DDoS and botnets
- Operational security
  - Firewalls
  - Intrusion detection systems
  - Virtual private networks
Firewall
- A firewall isolates an organization’s internal network from the public Internet
  - All traffic must pass through the firewall
  - Only authorized traffic, as defined by local security policy, can pass
- Two basic types: packet filter, application gateway
Firewall Policy Examples
- Policy: No outside web access
  Firewall setting: Drop all outgoing packets to any IP address, destination port 80
- Policy: No incoming TCP connections, except to public web server at IP address 1.2.3.4
  Firewall setting: Drop all incoming TCP SYN packets to any IP except 1.2.3.4, port 80
- Policy: Allow DNS packets to leave network
  Firewall setting: Allow outgoing UDP packets to any IP address, destination port 53
- Policy: Prevent your network from being tracerouted
  Firewall setting: Drop all outgoing ICMP TTL expired traffic
- Policy: Prevent your network from being used for a Smurf attack
  Firewall setting: Drop all ICMP ping packets going to a broadcast address
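The five policies above, written as an ordered packet-filter rule list so each can be checked against a constructed packet. This is an added example, not code from the slides; the internal network 1.2.3.0/24 (chosen so it contains the slide's web server 1.2.3.4), the Packet fields, the crude broadcast test and the default-allow behaviour are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("1.2.3.0/24")  # assumed internal address space
PUBLIC_WEB = "1.2.3.4"                # the slide's public web server

@dataclass
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    dport: int = 0       # TCP/UDP destination port
    syn: bool = False    # TCP SYN flag set (new connection attempt)
    icmp_type: int = -1  # 8 = echo request (ping), 11 = TTL expired

def outgoing(p):
    return ip_address(p.src) in LOCAL_NET and ip_address(p.dst) not in LOCAL_NET

def incoming(p):
    return ip_address(p.src) not in LOCAL_NET and ip_address(p.dst) in LOCAL_NET

def looks_broadcast(addr):
    # Crude stand-in: a real filter would consult the subnet mask.
    return addr.endswith(".255")

# Ordered (rule name, predicate, verdict); the first matching rule decides.
RULES = [
    ("no outside web access",
     lambda p: outgoing(p) and p.proto == "tcp" and p.dport == 80, "drop"),
    ("incoming TCP SYN only to the public web server",
     lambda p: incoming(p) and p.proto == "tcp" and p.syn
               and not (p.dst == PUBLIC_WEB and p.dport == 80), "drop"),
    ("allow DNS to leave the network",
     lambda p: outgoing(p) and p.proto == "udp" and p.dport == 53, "allow"),
    ("no TTL-expired replies leaving (defeats traceroute)",
     lambda p: outgoing(p) and p.proto == "icmp" and p.icmp_type == 11, "drop"),
    ("no ping to a broadcast address (Smurf reflector)",
     lambda p: p.proto == "icmp" and p.icmp_type == 8 and looks_broadcast(p.dst), "drop"),
]

def decide(p):
    """Return (verdict, rule name); packets matching no rule are allowed by default."""
    for name, match, verdict in RULES:
        if match(p):
            return verdict, name
    return "allow", "default"
```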
Application Gateway
Filters packets on application data as well as on IP/TCP/UDP fields.
(Figure: host-to-gateway telnet session; gateway-to-remote host telnet session; application gateway; router and filter. Source: Kurose and Ross, Computer Networking, 5th Edition)
Example: allow select internal users to telnet outside
1. Require all telnet users to telnet through the gateway
2. For authorized users, the gateway sets up a telnet connection to the destination host. The gateway relays data between the 2 connections
3. The router filter blocks all telnet connections not originating from the gateway
(Figure: Internet; firewall; demilitarized zone (DMZ) containing web server, FTP server, DNS server; application gateway; internal network; IDS sensors. Source: Kurose and Ross, Computer Networking, 5th Edition)
Intrusion Detection System
Monitors and reports suspicious traffic by performing deep packet inspection
- Signature-based or Anomaly-based
Virtual Private Networks
Problem:
- Build a corporate intranet for an organization with multiple sites
Solutions:
- Public internet connections (low cost)
- Private (dedicated) network connections (confidential)
- Virtual Private Network (both confidentiality and low cost)
  - Implemented in software
VPN
VPN software in the router at each site gives the appearance of a private network.
Implementation:
- Obtain an internet connection for each site
- Choose a router at each site to run VPN software
- Configure VPN software in each router to know about the VPN routers at other sites
- VPN software acts as a packet filter; the next hop for an outgoing datagram is another VPN router
- Outgoing datagrams are encrypted using IPsec
Source: Doug Comer
IPsec (RFC 2402, 2406)
- Transport mode: payload encrypted; not the header
- Tunneling mode: entire packet encrypted; then encapsulated in a separate packet (to keep source/destination addresses confidential)
Example:
- Datagram from host x at site 1 to host y at site 2
- Router R1 on site 1 encrypts, encapsulates in a new datagram for transmission to router R2 on site 2
Source: Doug Comer
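An added example (my code, not from the slides or from Comer) that builds both encapsulations as bytes, so the difference in what an observer on the public Internet can read is checkable: in transport mode the outer header still names x and y, in tunnel mode it names only R1 and R2, and R2 recovers the original x → y datagram by decapsulating. The addresses, the TCP segment, and the repeating-key XOR standing in for ESP's cipher are constructed; the XOR is a placeholder, not encryption.

```python
import struct
from socket import inet_aton, inet_ntoa

ESP, TCP = 50, 6                        # IP protocol numbers (ESP is RFC 2406)
KEY = b"toy-key"                        # stand-in key for the XOR below; NOT real ESP crypto
X, Y = "10.1.0.5", "10.2.0.9"           # assumed host x (site 1) and host y (site 2)
R1, R2 = "198.51.100.1", "203.0.113.1"  # assumed public addresses of the site routers
SEG = b"GET / HTTP/1.0\r\n"             # constructed stand-in for a TCP segment x -> y

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero for the demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, inet_aton(src), inet_aton(dst))

def parse_header(pkt):
    """Fields a passive observer reads from the first 20 bytes on the wire."""
    *_, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": inet_ntoa(s), "dst": inet_ntoa(d), "proto": proto}

def toy_cipher(data):
    """Repeating-key XOR; symmetric, so the same call decrypts. Placeholder only."""
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data))

def esp_wrap(inner, spi=0x1000, seq=1):
    """ESP body: SPI and sequence number in the clear, then the encrypted data."""
    return struct.pack("!II", spi, seq) + toy_cipher(inner)

def esp_unwrap(esp):
    return toy_cipher(esp[8:])

def transport_mode(segment, src=X, dst=Y):
    """Payload encrypted, original header kept: x and y stay visible on the wire."""
    esp = esp_wrap(segment)
    return ipv4_header(src, dst, ESP, len(esp)) + esp

def tunnel_mode(inner_datagram, r1=R1, r2=R2):
    """R1 encrypts the whole datagram and encapsulates it in a new R1 -> R2 datagram."""
    esp = esp_wrap(inner_datagram)
    return ipv4_header(r1, r2, ESP, len(esp)) + esp

def decapsulate(pkt):
    """R2 (or y, in transport mode) strips the outer header and decrypts the ESP body."""
    return esp_unwrap(pkt[20:])

INNER = ipv4_header(X, Y, TCP, len(SEG)) + SEG   # the datagram x sends toward y
```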