Networking Security

1. Networking Security Maurizio Dècina Politecnico di Milano/CEFRIEL decina@cefriel.it http://www.cefriel.it/~decina Ordine degli Ingegneri di Milano, Cefriel, Clusit e Cisco Systems LA SICUREZZA DELLE RETI Milano, 8 Aprile 2003, Politecnico di Milano

2. Generalized Moore’s Law • Most Important Information Technology Growth Parameters double every 2 – 3 Years • Number of Transistors in a Chip • Computation Cycles • Memory Size, Magnetic/Optical Disks • Devices Feature Size • Backbone Bandwidth, • ....... • The Power of Exponential Growth! Networking Security - Milano, 8 Aprile 2003

3. 1018 Muro di Moore 295°K 1016 1014 77°K Era Quantica Era Classica 1012 4°K 2010 2005 Numero di componenti per chip 1010 2000 1995 108 1990 106 1980 104 1970 102 101 100 10-1 10-2 10-3 Dimensione del circuito (micron) Fonte: Joel Birnbaum, 1999 Il calcolo quantico secondo Biernbaum Networking Security - Milano, 8 Aprile 2003

4. Internet Domain Survey Host CountJanuary 2003, ISC Jan 2003 - Total Host Count 171,638,297 Networking Security - Milano, 8 Aprile 2003

5. Top Domain Names by Host CountISC, January 2003 DOMAINS HOST Jan.'99 HOST Jan.'00 HOST Jan.'01 HOSTS Jan.’ 02 HOSTS Jan.’03 com - Commercial 12.140.747 24.863.331 36.352.243 44.520.209 40.555.072 net - Networks 8.856.687 16.853.655 30.885.116 47.761.383 61.945.611 edu - Educational 5.022.815 6.085.137 7.106.062 7.754.038 7.459.219 jp - Japan 1.687.534 2.636.541 4.640.863 7.118.333 9.260.117 ca - Canada 1.119.172 1.669.664 2.364.014 2.890.273 2.993.982 uk - United Kingdom 1.423.804 1.901.812 2.291.369 2.462.215 2.583.753 us - United States 1.562.391 1.751.866 2.267.089 2.125.624 1.735.734 de - Germany 1.316.893 1.702.486 2.163.326 2.681.325 2.891.407 mil - US Military 1.510.440 1.875.663 1.844.369 1.906.902 1.880.903 69% growth it - Italy 338.822 658.307 1.630.526 2.282.457 3.864.315 au - Australia 192.351 1.090.468 1.615.939 2.288.584 2.564.339 nl - Netherlands 564.129 820.944 1.309.911 1.983.102 2.415.286 org - Organizations 744.285 959.827 1.267.662 1.321.104 1.116.311 fr - France 488.043 779.879 1.229.763 1.670.694 2.157.628 tw - Taiwan 308.676 597.036 1.095.718 1.712.539 2.170.233 br - Brazil 215.086 446.444 876.596 1.644.757 2.237.527 gov - Government 651.200 777.750 834.971 793.031 607.514 fi - Finland 546.244 631.248 771.725 944.670 1.140.838 se - Sweden 431.809 594.627 764.011 1.141.093 1.209.266 es - Spain 264.245 415.641 663.553 1.497.450 1.694.601 17% growth tw - Taiwan 308.676 597.036 1.095.718 1.712.539 1.712.539 171.638.297 TOTAL 43.230.000 72.398.000 109.575.000 147.344.723 Internet Domain Survey di Internet Software Consortium (http://www.isc.org/ds/) Networking Security - Milano, 8 Aprile 2003

6. 100 EB 10 EB 1EB New Measurements 100 PB 10 PB 1 PB 100 TB 10 TB ARPA & NSF Data to ’95 1 TB 100 GB 10 GB 1 GB 100 MB 10 MB 1 MB Total U.S. Internet Traffic Over Time Historical and forecasted U.S. Internet Traffic Future GrowthProjected at 2–3/year TDM Voice Traffic Bytes per Month April 2002 Internet Traffic now 80% of all traffic and 10% of Revenue Double, or more, every year 1970 1980 1990 2000 2010 Source: Larry Roberts – May 2002 Networking Security - Milano, 8 Aprile 2003

7. 200,000 180,000 160,000 140,000 120,000 100,000 80,000 60,000 40,000 20,000 0 2000 2002 2004 2006 2008 2010 2012 IP and Voice U.S. Backbone Revenue IP revenue per bit is decreasing at 2:1 per year This means IP revenue is increasing at 50% / year IP Revenue Of Total Voice & IP IP Revenue is 12% IP traffic is 91% $M/yr TDM Voice Revenue Source: Larry Roberts – May 2002 Networking Security - Milano, 8 Aprile 2003

8. End User Applications Video VoIP SMTP Telnet FTP HTTP Application RTSP RTP/RTCP SIP Network Management & Control Applications SNMP DNS DHCP RIPv1 RIPv2 OSPF RSVP BGP Transport UDP TCP NAPT MobileIP IPSec IGMP ICMP Internet IPv4 NAT IPv6 ARP/RARP Data Link & Physical Some Internet protocols & their dependencies Some links represent mostly used configuration Data Link IEEE 802, PPP Physical Layer Twisted Pairs, Coax, Fiber, Radio, Powerline, .. Source: M. Dècina, 2001 Alcuni Protocolli per Internete le loro dipendenze ICMPv6 Networking Security - Milano, 8 Aprile 2003

9. Sicurezza e Protocolli Internetalcune dipendenze SET PGP S/MIME End User Applications Video VoIP SMTP Telnet FTP HTTP SMTP Application Kerberos SSH IKE RTSP RTP/RTCP SIP Network Management & Control Applications SNMP DNS DHCP RIPv1 RIPv2 OSPF RSVP BGP SSL/TLS Transport PAT UDP TCP IPSec IGMP ICMP MobileIP Internet IPv4 NAT IPv6 ICMPv6 ARP/RARP All Internet Protocols will soon include Security The red ones are Security Protocols PAP/CHAP Data Link & Physical Data Link IEEE 802, PPP Physical Layer Twisted Pairs, Coax, Fiber, Radio, Powerline, .. Source: M. Dècina, 2003 Networking Security - Milano, 8 Aprile 2003

10. A Taxonomy of Security Solutions Security Management • Intelligence & Incident Response • Intrusion Detection, Monitoring • Risk Assessment, Auditing • Vulnerability Assessment, Penetration Testing Application Security • Secure Electronic Transaction • Secure WEB Server, SSL/TSL • Secure Mail, S/MIME Content Security • Digital Rights Management • Content Filtering • Managed Antivirus Communication Security • Managed Virtual Private Network • Encryption Access Security • Biometrics • Authentication/Authorization/Accounting • Certification Authority/Public Key Infrastructure • Managed Firewall System Security • Disaster Recovery, Business Continuity • BackUp and Remote BackUp Connectivity Source: M. Dècina, 2002 Networking Security - Milano, 8 Aprile 2003

11. Security Lyfe Cycle Protection Recovery/ Audit Information Assurance Detection Policies, Procedures, User Awareness, Security Team Response Networking Security - Milano, 8 Aprile 2003

12. Crystal clear situation • Management & maintenance rationalization • Band optimization • Secure and fast engineering & deployment • Security level enhancement • Savings in: • Incident recovery • Business continuity • Downtime recovery • Reduced data losses • Business image damages avoided • Downtime reduced Security Benefits Benefits by product A B to reach a crystal clear situation equals to add “organization” to an enterprise Networking Security - Milano, 8 Aprile 2003

13. ‘Trusted Third Party’ Principal Principal “Alice” “Bob” Message Message Secret Info Secret Info Security-related transformation Security-related transformation Opponent “Oscar”, “Trudy”, “Eve”, “Mallory”... Security Scenario “Trent” Networking Security - Milano, 8 Aprile 2003

14. Meccanismi di sicurezza • Prevenzione: politiche, procedure, risk assessment, vulnerability assesment, progetto di reti sicure con meccanismi di protezione e rivelazione, rafforzamento dei sistemi informativi (hardening), audit, ... • Protezione • Encryption • Firewall • Nat/Pat • Virtual Private Network, Tunneling • Access Control • Antivirus • Honeypot • ... • Rivelazione • Vulnerability Assessment, Penetration Test • Intrusion Detection Systems • Monitoring, ... • Reazione: emergency response, intelligence, patch, restore, audit,.. Networking Security - Milano, 8 Aprile 2003

15. Managed Security Services Vulnerability Assessment Monitoring Detection Detection + Response Event Info. Firewall, Content Filtering, VPN Intrusion Detection System (IDS) Protection Detection Response Time Networking Security - Milano, 8 Aprile 2003

16. Internet VPN FW FW IDS Client A AV Client C VPN FW Client B CPE Managed Security • Protection and detection tools at customer premises SOC Response team Security Management/ Monitoring System Managing Perimeter Security Monitoring Internal and External Attacks Networking Security - Milano, 8 Aprile 2003

17. Security, VPN, Routing, and QoS • VPN Gateway Server (Voice & Data VPN) Router Intrisically Secure Network Element Firewall Bandwidth Manager IPSec & VPN Server NAPT/ALG SSL/TSL Accelerator Networking Security - Milano, 8 Aprile 2003

18. Wireless Access NetworksThere is a Local Hero: Wireless-Fidelity! Applications VIDEO STREAMING VIDEO ON DEM E-MAIL WEB ACCESS VOIP DOWNLOAD SMS Bluetooth Ultra Wide Band CABLE REPLACEMENT 802.11a/g HiperLan/2 Wi-Fi HOME, OFFICE, PUBLIC ACCESS Range UMTS CITY, SUBURBS GPRS COUNTRY WIDE GSM 10 kbit/s 100 kbit/s 1 Mbit/s 10 Mbit/s 100 Mbit/s 1 Gbit/s Bandwidth Source: Re:Think!, revised by M. Dècina, 2002 Networking Security - Milano, 8 Aprile 2003

19. Wi-Fi Security Solutions Auth. Server + VPN Public Access VPN 802.1x + WEP/WPA 802.1x Auth. Server Large Enterprise SSID MAC Filter. WPA WEP WEP2 Small Enterprise Home/SOHO Authentication Encryption Networking Security - Milano, 8 Aprile 2003

20. RSU RSU BTS AP Full IP Network Network Environment InternetApplication Servers Wired Access Internet Application Platforms Mobility, Location, Connection & Control Servers FTTx Broadband Gateway xDSL Service Environment LRE Wireless Access Internet 2G/3G IP Backbone Mobility Gateway Intelligent Edge PSTN/ISDN Media Gateway Wi-Fi Networking Security - Milano, 8 Aprile 2003

21. 3GPP2 All IP Advertising Agent Service Application EIR DSI Subscription Profile Policy Rules Databases Network Capability Gateway Subscription QoS Manager Roaming Signaling Gateway MAP Position Server Trunk Signaling Gateway Session Control Manager AAA Core QoS Manager Position Determining Entity Media GW Control Function Access Gateway Media Gateway Cdma 2000 Access Network Media Resource Function GSTN BSC/RSC + PCF BTS MM Mobile IP Home Agent FA/ Attendant Border Router Other Access Networks Legacy MS Domain Support Mobile Station Internet Networking Security - Milano, 8 Aprile 2003

22. Emerging Web Services Standards BusinessSemantics Standard ebXML, RosettaNet Liberty, Passport Identifying Emerging WS-Security, SAML, XRML Building trust Web Services for Remote Portals (WSRP) Web Services User Interface (WSUI) User interface Busin. Proc. Execution Lang. (BPEL4WS), BPML, WSCI Workflow/BPM UDDI - Universal Description, Discovery & Integration Search & find Established Description WDSL - Web Services Description Language In place Message SOAP - Simple Object Access Protocol Extensible Markup Language (XML) Format Common Internet protcls. (e.g., TCP/IP, HTTP) Transport Source: Gartner Group, 2002 Networking Security - Milano, 8 Aprile 2003

23. Registration VPNs Certification Users Distribution Time/Date Stamp Escrowing Encrypt Files Managed PKI • Cifratura e firma digitale (a valore legale) • La Certification Authority ha un ruolo centrale di garante • Problematiche di interoperabilità • Difficoltà di introduzione nelle applicazioni Authorization Privileges and SSO Identify Users and Servers Session Confidence (SSL) Message Integrity (Signature) Certificate Authority Functions Version • Key Recovery • Register Users • Generate Key Pairs • Confidentially Exchange Keys • Grant and Archive Certificates • Generate/Verify Digital Signatures • Act as Trusted Third Party (Optional) • Revoke Certificates • Approve and Coordinate Policies • Operate Secure Servers • and Agents Serial Number • Signature Algorithm • EncryptE-Mail (S/MIME) Issuer (CA) • Validity (to, from) • Subject (End-entity) • Subject Public Key Info • (ver. 3 only) (solo ver. 3) Extensions • CA signature Fonte: Gartner Group, 2002 Networking Security - Milano, 8 Aprile 2003

24. Loosely-coupled,Dynamic exterior Tightly-coupled,Persistent interior Extranets Internal Systems & Data The Internet Employees Partner or xSP Less-known Customers Unknown Future Application Immediate Application Outward-facing e-Commerce Value Delivered • Real-time B2B negotiations and transactions • Consumer single sign-on • Shared security infrastructure • Transaction context sharing Partner Community • Supply chain integration • Shared leads – CRM • Inventory and fulfillment • Channel optimization Within the Enterprise • Cost savings • Ease of use/efficiency Adoption Timeline Fonte: Burton Group e RSA, 2002 Identità DigitaleA Network Perspective Networking Security - Milano, 8 Aprile 2003

25. SSO User Internet SSO Modules Browser E-Commerce Sites Authentication Identity Providers SSO Modules SSO Modules Exchange of Identity and Profile Information Trust Domain 1 Trust Domain 2 Fonte: HP, 2002 Trusted Third Parties, Trust Services, ... Progetto Liberty Alliance Networking Security - Milano, 8 Aprile 2003

26. WLAN 1000 Ultrawideband Smart antennas Reconfigurable radio Space/time coding Piconets Scatternets 100 Hiperlan2/802.11a Maximum Data Rate, Mbit/s 10 802.11b HomeRF PAN 1 Bluetooth UMTS CELLULAR GPRS 0.1 GSM 0.01 1998 2000 2002 2004 2006 2008 Year A short term perspective Networking Security - Milano, 8 Aprile 2003

27. New Services Class Version Flow Label Router Alert = 1 (RSVP) = 2 (AN) = 0 (MLD) Payload Length Hop Limit N. H. QoS } Active Networks Source Address Multicast Destination Address Optimizing MAC Hop-by-hop Options Extension Header (Jumbo Patyload Length Option) (Router Alert Option) ICMP v6 Plug-n-Play Destination Options Header Route Optimize Binding Update (Piggybacking) Routing Header Mobility Fragment Header } Authentication Header ESP Header Security Destination Options Header IPv6 Features Networking Security - Milano, 8 Aprile 2003

28. Small, lightweight, cheap, mobile processors in almost all everyday objects („embedded computing“) on human body („wearable computing“) embedded in the environment („ambient intelligence“) A world of “smart objects” Smart objects Can remember pertinent events they have memory Show context-sensitive behavior they have sensors Are responsive they communicate with their environment they are networked with other smart objects Ubiquitous and Pervasive Computing Networking Security - Milano, 8 Aprile 2003

29. Mobile User Devices Wireless Routers & Access Points Peer-to-Peer Wireless Networks Meshnetworks Backbone To Internet & Telephone Networks Ad-Hoc, Peer-to-Peer Wireless Network Distributed Networking Networking Security - Milano, 8 Aprile 2003

30. Privacy and Pervasive Computing • Privacy is already a concern with the Internet • Use of personal data (e-mail address, …) • Use of personal web browsing data (page views, clicks,..) • More dramatic concern in a Pervasive Computing world • many more events of very elementary actions are registered • can be assembled to perfect profiles Source: F. Mattern, 2001 Networking Security - Milano, 8 Aprile 2003