network security7-1 firewalls isolates organization’s internal net from larger internet, allowing...
TRANSCRIPT
Network Security 7-1
Firewalls
isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others.
firewall
administerednetwork
publicInternet
firewall
Network Security 7-2
Firewalls: WhyPrevent denial of service attacks:
Denial-of-Service (DoS) attack:• Send many fake requests to congest link or
consume server resource (CPU, memory) SYN flooding:
• attacker sends many SYNs to victim; victim has to allocate connection resource; victim has no resource left for real connection requests any more.
• Usually with spoofed source IP address
Prevent illegal modification/access of internal data. e.g., attacker replaces CIA’s homepage with
something else
Network Security 7-3
Firewalls: Why
Allow only authorized access to inside network Set of authenticated users Set of authorized IP addresses
Two types of firewalls: application-level
• Checking application level data packet-filtering
• Checking TCP or IP packets only
Network Security 7-4
Packet Filtering
internal network connected to Internet via router firewall
router filters packet-by-packet, decision to forward/drop packet based on: source IP address, destination IP address TCP/UDP source and destination port numbers ICMP message type TCP SYN and ACK bits
Should arriving packet be allowed
in? Departing packet let out?
Network Security 7-5
Packet Filtering
Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and
telnet connections are blocked. Example 2: Block inbound TCP segments with
SYN=1. Prevents external clients from making TCP
connections with internal clients, but allows internal clients to connect to outside.
Example of Windows XP service pack 2 firewall
Network Security 7-6
Application gateways
Filters packets on application data as well as on IP/TCP/UDP fields.
Example: allow select internal users to telnet outside.
host-to-gatewaytelnet session
gateway-to-remote host telnet session
applicationgateway
router and filter
1. Require all telnet users to telnet through gateway.2. For authorized users, gateway sets up telnet
connection to dest host. Gateway relays data between 2 connections
3. Router filter blocks all telnet connections not originating from gateway. Example: block user access to know porn websites Check if the Web URL is in a “black-list”
Network Security 7-7
Limitations of firewalls and gateways
IP spoofing: router can’t know if data “really” comes from claimed source SYN flood attack UDP traffic
client software must know how to contact application gateway. e.g., must set IP
address of proxy in Web browser
Speed constraint on high-bandwidth link Application-level firewall
is time consuming
filters often use all or nothing policy for UDP Usually most incoming
UDP ports are blocked The trouble caused to
real-time Internet video
Network Security 7-8
Limitations of firewalls and gateways
tradeoff: degree of communication with outside world, level of security
Trend --- remote office Blurred boundary between inside <->
outside Employee laptop threat
many highly protected sites still suffer from attacks
Network Security 7-9
Internet security threatsMapping:
before attacking: “case the joint” – find out what services are implemented on network
Use ping to determine what hosts have addresses on network
Port-scanning: try to establish TCP connection to each port in sequence (see what happens)
nmap (http://www.insecure.org/nmap/) mapper: “network exploration and security auditing”
Countermeasures?
Network Security 7-10
Internet security threats
Mapping: countermeasures record traffic entering network look for suspicious activity (IP addresses,
pots being scanned sequentially) Firewall to block incoming TCP/SYN to ports
or computers not providing the services Block ping traffic
Network Security 7-11
Internet security threatsPacket sniffing:
broadcast media promiscuous NIC reads all packets passing by can read all unencrypted data (e.g. passwords) e.g.: C sniffs B’s packets
A
B
C
src:B dest:A payload
Countermeasures?
Network Security 7-12
Internet security threatsPacket sniffing: countermeasures
all hosts in orgnization run software that checks periodically if host interface in promiscuous mode.
one host per segment of broadcast media (switched Ethernet at hub)
A
B
C
src:B dest:A payload
Network Security 7-13
Internet security threatsIP Spoofing:
can generate “raw” IP packets directly from application, putting any value into IP source address field
receiver can’t tell if source is spoofed e.g.: C pretends to be B
A
B
C
src:B dest:A payload
Countermeasures?
Network Security 7-14
Internet security threatsIP Spoofing: egress filtering
routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router’s network)
great, but egress filtering can not be mandated for all networks
A
B
C
src:B dest:A payload
Network Security 7-15
Internet security threatsDenial of service (DOS):
flood of maliciously generated packets “swamp” receiver Distributed DOS (DDOS): multiple coordinated sources swamp
receiver e.g., C and remote host SYN-attack A
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Countermeasures?
Network Security 7-16
Internet security threatsDenial of service (DOS): countermeasures
filter out flooded packets (e.g., SYN) before reaaching host• Cooperation with source routers• Detect spoofed SYN based on TTL values
traceback to source of floods (most likely an innocent, compromised machine)
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Network Security 7-17
Secure e-mail (suppose K+B
known)
Alice: generates random symmetric private key, KS. encrypts message with KS (for efficiency) also encrypts KS with Bob’s public key. sends both KS(m) and KB(KS) to Bob.
Alice wants to send confidential e-mail, m, to Bob.
KS( ).
KB( ).+
+
KS(m
)
KB(KS )+
m
KS
KB+
Internet
KS
Network Security 7-18
Secure e-mail (suppose K+B
known)
Bob: uses his private key to decrypt and recover KS
uses KS to decrypt KS(m) to recover m
Alice wants to send confidential e-mail, m, to Bob.
KS( ).
KB( ).+
+ -
KS(m
)
KB(KS )+
m
KS
KS
KB+
Internet
KS( ).
KB( ).-
KB-
KS
mKS(m
)
KB(KS )+
Network Security 7-19
Secure e-mail (continued)
• Alice wants to provide sender authentication message integrity.
• Alice digitally signs message.• sends both message (in the clear) and digital signature.
H( ). KA( ).-
+ -
H(m )KA(H(m))-
m
KA-
Internet
m
KA( ).+
KA+
KA(H(m))-
mH( ). H(m )
compare
Network Security 7-20
Secure e-mail (continued)
• Alice wants to provide secrecy, sender authentication, message integrity.
Alice uses three keys: her private key, Bob’s public key, newly created symmetric key
H( ). KA( ).-
+
KA(H(m))-
m
KA-
m
KS( ).
KB( ).+
+
KB(KS )+
KS
KB+
Internet
KS
Network Security 7-21
Pretty good privacy (PGP)
Internet e-mail encryption scheme, de-facto standard.
uses symmetric key cryptography, public key cryptography, hash function, and digital signature as described.
provides secrecy, sender authentication, integrity.
inventor, Phil Zimmerman, was target of 3-year federal investigation.
---BEGIN PGP SIGNED MESSAGE---Hash: SHA1
Bob:My husband is out of town tonight.Passionately yours, Alice
---BEGIN PGP SIGNATURE---Version: PGP 5.0Charset: noconvyhHJRHhGJGhgg/
12EpJ+lo8gE4vB3mqJhFEvZP9t6n7G6m5Gw2
---END PGP SIGNATURE---
A PGP signed message:
Network Security 7-22
Secure sockets layer (SSL)
transport layer security to any TCP-based app using SSL services.
used between Web browsers, servers for e-commerce (https).
security services: server authentication data encryption client authentication
(optional)
server authentication: SSL-enabled browser
includes public keys for trusted CAs.
Browser requests server certificate, issued by trusted CA.
Browser uses CA’s public key to extract server’s public key from certificate.
check your browser’s security menu to see its trusted CAs.
Network Security 7-23
SSL (continued)
Encrypted SSL session: Browser generates
symmetric session key, encrypts it with server’s public key, sends encrypted key to server.
Using private key, server decrypts session key.
Browser, server know session key All data sent into TCP
socket (by client or server) encrypted with session key.
SSL: basis of IETF Transport Layer Security (TLS).
SSL can be used for non-Web applications, e.g., IMAP.
Client authentication can be done with client certificates. Not widely used since
too many clients
Network Security 7-24
How SSL works?
K B+
ClientServer B
time
Three-way handshake
Request server certificate
K-CA(K+
B)
K+B(KA-B)
KA-B(m)
Symmetric session key
Certificate from CA
Network Security 7-25
IPsec: Network Layer Security Network-layer secrecy:
sending host encrypts the data in IP datagram Applicable toTCP and UDP segments; ICMP and SNMP
messages. IP header in clear text, the other is in encrypted text
Network-layer authentication destination host can authenticate source IP address Also use a similar public key authority for public key
distribution
Network Security 7-26
IEEE 802.11 security
Packet sniffing is unavoidable War-driving: drive around Bay area, see what 802.11
networks available? More than 9000 accessible from public roadways 85% use no encryption/authentication packet-sniffing and various attacks easy!
Wired Equivalent Privacy (WEP): authentication as in protocol ap4.0 (require shared symmetric key) host requests authentication from access point access point sends 128 bit nonce host encrypts nonce using shared symmetric key access point decrypts nonce, authenticates host
Network Security 7-27
802.11 WEP Security Concern
40 bits in encryption is too short RC4 is not properly used in 802.11 A more sure protocol is just
standardized, 802.11i
Network Security 7-28
Internet Worm propagation
Find new targets IP random scanning
Compromise targets Exploit
vulnerability
Newly infected join infection army
Network Security 7-29
Worm Infection Incidents
Code Red (Jul. 2001) : 360,000 infected in 14 hours Slammer (Jan. 2003) : 75,000 infected in 10 minutes
Congested parts of Internet (ATMs down…) Blaster (Aug. 2003) : 150,000 ~ 8 million infected
DDOS attack (shut down domain windowsupdate.com) Witty (Mar. 2004) : 12,000 infected in half an hour
Attack vulnerability in ISS security products Sasser (May 2004) : 500,000 infected within two days
Infection faster than human response !
Network Security 7-30
Email Virus and Attacks
Email Viruses: Executable code in email attachment Social engineering trick to fool users to click
attachment• Sender is your friend (faked email header information)• Email appears to come from security, failed report, etc
Infection procedure: Set up SMTP engine Find all email addresses to send email to
• Avoid some email domains
Network Security 7-31
Email Spam
You know how easy to fake sender info Money is the driving force
Sending millions of spam email costs pennies Using many compromised machines sending spam
Defense is not perfect Most email servers have spam filters
• Check your cs.ucf email header! Email users do not tolerate false alarms 10% going through will be good enough for
spammers!
Network Security 7-32
Honeypot and HoneyNet
Honeypot: A honeypot is a fictitious vulnerable IT system used for the purpose of being attacked, probed, exploited and compromised Attract attack Analyze attacking code, attacking behavior Find out how to defend
HoneyNet: a network (physical/virtual) of honeypots Covering a large number of IP addresses Monitor more attacking incidents
Network Security 7-33
New Attack Trend --- Botnet
Botnet: a network of infected hosts controlled by an attacker Each host is installed with “bot” Hosts can be compromised by any mechansims
• Email, worm scan, network share, malicious web… Attacks: DDoS (extortion), spam, phishing, ads abuse, new attack
bot bot
controller controller
attacker
bot