1 / 67

Introduction to Network/ Linux Security

Introduction to Network/ Linux Security. Debashis Saha MIS Group, IIM Calcutta ds@iimcal.ac.in. Overview. What is network security? Kind of security services one might desire What kind of attacks should we try to protect a network against?

gerd
Télécharger la présentation

Introduction to Network/ Linux Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Introduction to Network/Linux Security Debashis Saha MIS Group, IIM Calcutta ds@iimcal.ac.in

  2. Overview • What is network security? • Kind of security services one might desire • What kind of attacks should we try to protect a network against? • What are the available protection strategies available? • What support can we expect from LINUX?

  3. What is network security? • A network is secure if you can depend on it and its nodes behave as you expect. • If you do not know what you are protecting, why you are protecting it, and what you are protecting it from, your task will be rather difficult!

  4. Kind of security one might desire • Authentication • Confidentiality (Privacy) • Integrity • Availability • Non-Repudation • Auditing

  5. Authentication • Authentication is the process of reliably verifying the identity of someone (or something) by means of: • A secret (password [one-time], ...) • An object (smart card, ...) • Physical characteristics (fingerprint, retina, ...) • Trust • Do not mistake authentication for authorization!

  6. Integrity Vs Confidentiality • Integrity • Protecting information from being deleted or altered in any way without the permission of the owner of that information. • Confidentiality • Protecting information from being read or copied by anyone who has not been explicitly authorized by the owner of that information.

  7. Availability If the system is unavailable when an authorized user needs it, the result can be as bad as having the information that resides on the system deleted!

  8. Non repudation The ability of the receiver of something to prove to a third party that the sender really did send the message.

  9. Auditing The ability to record events that might have some security relevance. In such cases, you need to determine what was affected. In some cases, the audit trail may be extensive enough to allow “undo” operations to help restore the system to a correct state.

  10. Kind of attacks to a Computer What kind of attacks should we try to protect a computer against ? • Physical Security • Lockers, BIOS, weather, ... • Personnel security • Operating System security • Network security

  11. Some common network services • DNS • Apache • NFS • NIS/NIS+ • Samba • Telnet • FTP • Mail • ... ... ...

  12. Network Security: common attacks • Interception • Modification • Intrusion • Modification, Fabrication • Denial of service • Interruption • Information theft

  13. Security tools • Cryptography • Symmetric Vs Asymmetric (Certificates ...) • Firewalls & Proxyes • Ipchains/Iptable ... • TCP Wrappers + UDP Relayers • Pluggable Authentication Module • It is a suite of shared libraries that enable the local system administrator to choose how applications authenticate users • Kernel Level Security • Log files (/var/log/*)

  14. Cryptography: the solution for privacy The security is based on the secrecy of the key and sometimes of the alghoritms too.

  15. Cryptography Model

  16. Basic Formula

  17. CryptographySymmetric Vs Asymmetric • Symmetric (also called private key algorithms) • The same password is used to both encrypt and decrypt • Faster algorithms • PROBLEM: key management is not easy • Asymmetric (also called pubblic key algorithms) • The password used to encrypt is different from the one needed to decrypt • More secure • It allows to have non-repudiation

  18. Secret Key System

  19. Data Encryption Standard (DES) • It is a symmetric algorithm • Designed by IBM for the U.S. Government in 1977 • It is based on a 128 bit key (earlier 64) • Hardware Vs Software implementation • How secure is DES? • How much would a Des-Breaking engine would cost? • Is it possible to make DES harder to break in? • How does it work?

  20. Public Key System

  21. RSA Algorithm • Rivest, Shamir & Adleman (1978), MIT • Most widely used public key algorithm • Based on principles of number theory • Keys are calculated in the following way:

  22. Example

  23. Digital Signature • An important security strategy for E-Commerce • The receiver can verify the claimed identity of the sender (authenticated) • The sender cannot later repudiate the contents of the message • The message cannot be concocted in transit • Can be implemented using public key cryptography

  24. Public Key Signature

  25. Length of the key on bits (estimated in 1995, Applied Cryptography) Cost 40 56 64 80 112 128 $ 100K 2.00 s. 35 h. 1 y. 70,000 y. 1014 y. 1019 y. $ 1M 0.20 s. 3.5 h 37 d. 7,000 y. 1013 y. 1018 y. $ 10M 0.02 s. 21 min. 4 d. 700 y. 1012 y. 1017 y. Security of cryptographic algorithms • Let us define the lifetime of an information as the amount of time the information should be kept secret. • An encryptioncan cab be considered secure if the time to break it (for ex. with a brute force attack) is reasonably longer than the lifetime of the information contained in the plain text.

  26. Secure Socket Layer (SSL) • It is based on a public encryption algorithm • It is a protocol developed by Netscape for secure transactions across the Web • It is stream-based consisting of three phases • 6In initial handshake phase, secure communications are established • In intermediate data transfer phase, application-to-application dialog (with data encryption) occurs • In closing handshake phase, connection is terminated • There are free SSL implementations

  27. Firewall(Access Control)

  28. What is a Firewall? • A set of related programs that protects the resources of a private network from users from other networks. • A mechanism for filtering network packets based on information contained within the IP header. • Options available • Commercial Firewall Devices (Watchguard, Cisco PIX) • Routers (ACL Lists) • Linux • Software Packages (ZoneAlarm, Black Ice) • Sneaker Net

  29. Firewalls • Routers: easy to say “allow everything but…” • Firewalls: easy to say “allow nothing but…” • This helps because we turn off access to everything, then evaluate which services are mission-critical and have well-understood risks • Note: the only difference between a router and a firewall is the design philosophy: • do we prioritize security, or connectivity ? • configurability, logging

  30. Firewall setup • Firewall ensures that the internal network and the Internet can both talk to the DMZ, but usually not to each other • The DMZ relays services at the application level, e.g. mail forwarding, web proxying • The DMZ machines and firewall are centrally administered by people focused on security full-time (installing patches, etc.); • it’s easier to secure 20 machines than 20,000 • Now the internal network is “safe” (but not from internal attacks, modems, etc.)

  31. Typical firewall setup evil Internet DMZ internal network

  32. Downside of firewalls • single point of failure • difficult to integrate into a mesh network • highlights flaws in network architecture • can focus politics on the firewall administrator

  33. Firewall using Packet Filtering

  34. Packet Filters .. “Firewalls” • A “Firewall” can be at any layer between 3-5 • Application-level gateways work at the application layer • Packet-filters work at the network layer

  35. Why Filter? • Packets that are filtered increase security. • Prevent ousiders from using services on a system. • Prevent malicious attacks such as Denial of Service (DoS) and ping flood attacks. • Control the flow of information. • Prevent internal system users from using certain sites or types of protocols.

  36. TCP DPort TCP SPort TCP Hdr Eth Dest Eth Src Eth Hdr IP Dest IP Src IP Hdr Data Packet Filtering • Should arriving packet be allowed in? Should a departing packet be let out? • Filter packet-by-packet, making decisions to forward/drop a packet based on: • source IP address, destination IP address • TCP/UDP source and destination port numbers • ICMP message type • TCP SYN and ACK bits • ...

  37. Packet “filtering” • Packet filtering is not just “filtering” • Changing Packets: Filters often able to rewrite packet headers • Examine/modify IP packet contents only? Or entire Ethernet frames? • Monitor TCP state?

  38. Packet Filtering Limitations • Cannot Do: Allow only certain users in (requires application-specific information) • Can do: Allow or deny entire services (protocols) • Cannot Do: Allow, e.g., only certain files to be ftp’ed

  39. Packet Filtering in Linux History • 1st generation: ipfw (from BSD) • 2nd generation: ipfwadm (Linux 2.0) • 3rd generation: ipchains (Linux 2.2) • 4th generation: iptable (Linux 2.4, 2.6)

  40. Pre- Routing Forward Post- Routing Routing Decision Packet Traversal in Linux Input Output Local Processes

  41. The Rules Chain Concept • The most common method used by packet filtering for the organization of the filters is the rules chain. A rule chain contains a listing of each filter, or rule, that has been configured on the local system. • Linux uses four main chains: • Input – packets traveling to the host • Output – packets leaving from the host • Forward – packets received by the host and will be forwarded by the host • User Defined – special type of chain created by the user that receives packets from the three main chains for processing • Rules chains allow for complex filtering of data entering or leaving a system while making it easy to install and maintain the rules.

  42. Linux Iptables/Netfilter • In Linux kernel 2.4 and 2.6, we use the netfilter package with iptables commands to setup the firewall. • The old package called IPchains is deprecated. • http://www.netfilter.org/

  43. Iptables: http://www.netfilter.org/ • What is iptables? • iptables is the building block of a framework inside the Linux kernel. This framework enables packet filtering, network address translation (NAT), network port translation (NPT), and other packet mangling. • iptables is a generic table structure for the definition of rulesets. Each rule with an IP table consists of a number of classifiers (iptables matches) and one connection action (iptable target). • What can I do with iptables? • build internet firewalls based on stateless and stateful packet filtering • use NAT and masquerading for sharing internet access • use NAT to implement transparent proxies • do further packet manipulation (mangling) like altering the bits of the IP header

  44. iptables - Features (1) • Stateful filtering of TCP & UDP traffic • Ports opened & closed as clients use the Internet • Presents a (mostly) “blank wall” to attackers • “Related” option for complex applications • Active mode FTP • Multimedia applications (Real Audio, etc.) • Can filter on fragments

  45. iptables - Features (2) • Improved logging options • User-defined logging prefixes • Log selected packets (e.g., handshake packets) • Port Address Translation (PAT) • Network Address Translation (NAT) • Inbound • Redirect to DMZ web server, mail server, etc. • Outbound • Group outbound traffic and/or use static assignment

  46. iPtables “chains” • A chain is a sequence of filtering rules. • Rules are checked in order. First match wins. Every chain has a default rule. • If no rules match the packet, chain policy is applied. • Chains are dynamically inserted/ deleted.

  47. Built-in chains • INPUT: packets for local processes • No output interface • OUTPUT: packets produced by local processes • No input interface • All packets to and from lo (loopback) interface traverse input and output chains • FORWARD: for all transiting packets • Do not traverse INPUT or OUTPUT • Has input and output interface • PREROUTING • POSTROUTING

  48. Network Address Translation (NAT)

  49. Private Network • Private IP network is an IP network that is not directly connected to the Internet • IP addresses in a private network can be assigned arbitrarily. • Not registered and not guaranteed to be globally unique • Generally, private networks use addresses from the following experimental address ranges (non-routable addresses): • 10.0.0.0 – 10.255.255.255 • 172.16.0.0 – 172.31.255.255 • 192.168.0.0 – 192.168.255.255

  50. Private Addresses

More Related