
G53SEC


Presentation Transcript


  1. G53SEC Network Security: Hijacking, flooding, spoofing and some honey

  2. Overview of Today's Lecture
  • Threat Models
  • Communication Models
  • Protocol Design Principles
  • IPsec
  • SSL/TLS
  • DNS
  • Firewalls
  • IDS
  • Honeypots

  3. Introduction
  • Networks: data sent from one node to another
  • Network protocols: transmission and its problems
  • OSI security architecture
    - security services, implemented by
    - security mechanisms (mostly cryptography)
  • Access control at the network level: firewalls
  • Intrusion detection systems

  4. Threat Models
  • Passive attackers
    - eavesdropping / wiretapping / sniffing
    - traffic analysis (e.g. linkability)
  • Active attackers
    - spoofing attacks (man-in-the-middle, phishing, e-mail)
    - squatting attacks (phishing)

  5. Communication Models
  • In formal models of protocol analysis
    - the Internet is a cloud
    - messages can be seen or modified by anyone
    - not the best model for all security issues
  • In security analysis
    - the adversary can only read messages directly addressed to him/her
    - but can spoof addresses

  6. Examples of Security Analysis
  • TCP session hijacking
    - possible because of address-based authentication
    - exploits the 3-way handshake protocol
    - the attacker cannot see the output of the hijacked session
    - but is able to execute commands with another user's privileges

  7. Examples of Security Analysis
  • TCP SYN flooding
    - the victim stores state (the number sent by the client) for every SYN it receives
    - the attacker never finishes the 3-way handshake
    - the attacker initiates a large number of SYN requests
    - the victim reaches its half-open connection limit
    - denial of service
    - prevention: modify the handshake protocol to be stateless
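The "stateless handshake" mentioned as the prevention on slide 7 is what SYN cookies do: the server encodes the connection 4-tuple and a coarse timestamp into the initial sequence number it sends back, and recomputes it when the final ACK arrives instead of keeping a half-open entry. The simulation below is an added example, not part of the lecture; the secret, the backlog limit of 3, the 64-second time slot and the addresses are all constructed for the demo.

```python
import hmac

SECRET = b"demo-server-secret"   # constructed; a real server generates this at boot
HALF_OPEN_LIMIT = 3              # tiny backlog so exhaustion is visible in the demo
TIME_SLOT = 64                   # seconds per cookie time slot

def _cookie(four_tuple, slot):
    """ISN = 8-bit time slot || 24-bit MAC over (src, sport, dst, dport, slot)."""
    msg = ("%s:%d>%s:%d:%d" % (*four_tuple, slot)).encode()
    mac = int.from_bytes(hmac.new(SECRET, msg, "sha256").digest()[:3], "big")
    return (slot << 24) | mac

def make_cookie(four_tuple, now):
    return _cookie(four_tuple, (int(now) // TIME_SLOT) & 0xFF)

def check_cookie(four_tuple, ack_seq, now):
    """The final ACK carries ISN+1; recompute the ISN instead of looking it up."""
    isn = (ack_seq - 1) & 0xFFFFFFFF
    slot, cur = isn >> 24, (int(now) // TIME_SLOT) & 0xFF
    if (cur - slot) & 0xFF > 1:          # accept only the current and previous slot
        return False
    expect = _cookie(four_tuple, slot).to_bytes(4, "big")
    return hmac.compare_digest(isn.to_bytes(4, "big"), expect)

class StatefulServer:
    """Classic handshake: every SYN is remembered until its ACK arrives."""
    def __init__(self):
        self.half_open = {}
    def on_syn(self, four_tuple, now):
        if len(self.half_open) >= HALF_OPEN_LIMIT:
            return None                  # backlog full: this SYN is dropped
        self.half_open[four_tuple] = 0x1000 + len(self.half_open)
        return self.half_open[four_tuple]
    def on_ack(self, four_tuple, ack_seq, now):
        return self.half_open.pop(four_tuple, None) == ((ack_seq - 1) & 0xFFFFFFFF)

class StatelessServer:
    """SYN-cookie handshake: no per-connection state until the ACK is verified."""
    def on_syn(self, four_tuple, now):
        return make_cookie(four_tuple, now)
    def on_ack(self, four_tuple, ack_seq, now):
        return check_cookie(four_tuple, ack_seq, now)

def flood_then_connect(server, unfinished_syns=10, now=1000.0):
    """Many SYNs that are never completed, then one genuine client; True if it connects."""
    for i in range(unfinished_syns):
        server.on_syn(("10.0.0.%d" % i, 40000 + i, "192.0.2.10", 80), now)
    client = ("198.51.100.7", 51000, "192.0.2.10", 80)
    isn = server.on_syn(client, now)
    if isn is None: return False         # backlog exhausted: legitimate client locked out
    return server.on_ack(client, (isn + 1) & 0xFFFFFFFF, now + 1)
```

With the stateful server the genuine client is refused once the backlog is full; the cookie server keeps accepting, and a stale or forged ACK still fails verification.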

  8. Protocol Design Principles
  • Open Systems Interconnection (OSI) model
  • A framework for layering network protocols
  • 7 layers

  9. IP Security
  • IP is connectionless and stateless
    - provides a best-effort service
    - no guaranteed delivery of packets
    - no mechanism for maintaining order
    - NO security protection (IPv4)
  • In IPv6: a security architecture, IPsec

  10. IP Security
  • IPsec is optional in IPv4 and mandatory for IPv6
  • 2 major security mechanisms
    - IP Authentication Header (AH)
    - IP Encapsulating Security Payload (ESP)
  • Contains no mechanism to prevent traffic analysis

  11. IP Security – Authentication Header
  • Protects the integrity and authenticity of IP packets
  • Does not protect confidentiality
  • Originally developed because of export restrictions on encryption mechanisms
  • Those restrictions have been lifted, thus
  • Encapsulating Security Payload is now preferred, to simplify IPsec implementations

  12. IP Security – Encapsulating Security Payload
  • Provides:
    - confidentiality
    - data origin authentication
    - some replay protection
    - limited traffic flow confidentiality
  • Achieved by encryption of the payload
  • Encapsulated within the original IP packet

  13. IP Security – Encapsulating Security Payload
  • Transport mode
    - a protocol frame is encapsulated
    - and encrypted
    - provides end-to-end protection of packets
    - end hosts need to be IPsec aware

  14. IP Security – Encapsulating Security Payload
  • Tunnel mode
    - the entire datagram is treated as a new payload
    - can be thought of as IP within IP
    - can be performed at security gateways
    - hosts need not be IPsec aware
    - provides traffic flow confidentiality
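The following added example (not from the slides) models the ESP services of slides 12 to 14: integrity via an ICV, replay rejection via the sequence number, and the difference between transport mode (original header in the clear) and tunnel mode (inner datagram hidden behind the gateways' header). The headers are simplified text, the cipher is a toy HMAC counter-mode keystream, and the keys, SPIs and addresses are constructed; none of it is the real wire format.

```python
import hmac
import struct

# Constructed keys; real IPsec obtains them from a key management protocol.
ENC_KEY = b"demo-esp-encryption-key"
AUTH_KEY = b"demo-esp-integrity-key"
ICV_LEN = 12

def ip_header(src, dst, proto):
    """Simplified textual stand-in for an IP header (not the real wire format)."""
    return ("IP %s->%s proto=%s" % (src, dst, proto)).encode()

def keystream(seq, n):
    """Toy stream cipher: HMAC-SHA256 in counter mode; safe only because ESP never reuses seq."""
    blocks = (hmac.new(ENC_KEY, struct.pack(">II", seq, c), "sha256").digest()
              for c in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def esp_encapsulate(spi, seq, plaintext):
    """ESP = SPI || sequence number || encrypted payload || ICV over all of it."""
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(seq, len(plaintext))))
    body = struct.pack(">II", spi, seq) + ct
    return body + hmac.new(AUTH_KEY, body, "sha256").digest()[:ICV_LEN]

def esp_decapsulate(esp, seen):
    """Verify the ICV, reject replayed sequence numbers, then decrypt.
    `seen` is the receiver's per-SA set of accepted sequence numbers (a sliding window in real ESP)."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(AUTH_KEY, body, "sha256").digest()[:ICV_LEN]):
        return None                       # modified in transit
    _spi, seq = struct.unpack(">II", body[:8])
    if seq in seen:
        return None                       # replay protection
    seen.add(seq)
    ct = body[8:]
    return bytes(a ^ b for a, b in zip(ct, keystream(seq, len(ct))))

def transport_mode(src, dst, segment, seq):
    """Original IP header stays in the clear; only the transport segment is protected."""
    return ip_header(src, dst, "ESP"), esp_encapsulate(0x1001, seq, segment)

def tunnel_mode(gw_a, gw_b, src, dst, segment, seq):
    """Whole inner datagram becomes the ESP payload ("IP within IP"); the outer
    header names only the two security gateways."""
    inner = ip_header(src, dst, "TCP") + segment
    return ip_header(gw_a, gw_b, "ESP"), esp_encapsulate(0x2002, seq, inner)
```

A passive observer reads only the first element of each returned pair: in transport mode that is the real endpoints, in tunnel mode only the two gateways, which is the "traffic flow confidentiality" of slide 14.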

  15. IP Security
  • IPsec services use encryption
  • But are not tied to one particular key management protocol
    - allows for the possibility of future flaws
  • Summary
    - IPsec provides transparent security for everyone using IP, without changing the interface of IP
    - provides host-to-host security, but with an overhead

  16. Secure Socket Layer / Transport Layer Security
  • TCP is a stateful, connection-oriented protocol
  • Performs address-based entity authentication
  • Vulnerable to attacks: hijacking, flooding
  • Lacks strong cryptographic mechanisms
  • These were introduced in SSL by Netscape
  • TLS is identical to SSL v3

  17. Secure Socket Layer / Transport Layer Security
  • SSL
    - sits between the application layer and TCP
    - relies on properties guaranteed by TCP
    - stateful and connection oriented
    - contains a handshake protocol in which client and server agree on a cipher suite
    - this is then used for secure transmission
    - the most widely used Internet security protocol

  18. Domain Name System
  • www.nottingham.ac.uk – domain name
  • 128.243.40.30 – IP address
  • Translation of domain name to IP address: DNS
  • Information maintained by DNS servers
  • DNS lookup: name -> IP address
  • DNS reverse lookup: IP address -> name

  19. Domain Name System
  • An attacker can corrupt DNS information
    - and thus redirect users to fake sites
    - or make sites seem unavailable: a DoS attack
  • This gets even worse when the corruption is propagated between DNS servers
  • Work on a secure DNS service (DNSSEC) is under way

  20. Firewalls
  • Cryptographic mechanisms: confidentiality and integrity
  • Authentication protocols: verify the sources of data
  • Access control at the network level: firewalls
  • Firewall: “A network device controlling traffic between two parts of a network”

  21. Firewalls
  • Generally installed between a LAN and the Internet
    - or between different LANs
    - or on individual hosts
  • Should control traffic to and from a protected network
  • But ALL traffic has to go through it for it to be effective
    - e.g. dial-in lines and Wi-Fi LANs that bypass it are an issue

  22. Firewalls
  • Defend a protected network against outside parties accessing services that should only be available internally
  • Can also restrict access from inside to outside services (e.g. IRC, P2P)
  • Virtual Private Network (VPN)
    - a secure connection between two gateways
  • Network Address Translation (NAT)
    - hides internal machines with private addresses

  23. Firewalls
  • Packet filters
    - specify which packets are allowed through or dropped
    - rules based on source and destination IP address
    - and on TCP and UDP port numbers
    - possible for both inbound and outbound traffic
    - can be implemented in a router examining packet headers

  24. Firewalls
  • Packet filters – issues
    - only crude rules can be enforced
    - certain common protocols are difficult to handle
    - we can have blanket rules (e.g. block all port 21 traffic)
    - we cannot have dynamically defined rules

  25. Firewalls
  • Stateful packet filters
    - understand requests and replies
    - can support policies for a wider range of protocols than simple packet filters
    - again can be done in routers (fast and cheap)
    - iptables: a Linux implementation
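To make the difference between slides 23 to 25 concrete, here is an added simulation (not from the lecture) of a stateless filter beside a stateful one, both with a restrictive default-deny policy. The only rule is "inside hosts may browse the web"; the 192.0.2.0/24 LAN prefix and the three packets are constructed for the demo.

```python
from dataclasses import dataclass

INSIDE = "192.0.2."          # constructed prefix of the protected LAN

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False        # True for the first packet of a TCP connection

def stateless_filter(pkt):
    """Static header rules only. To let web replies back in, the rule has to open
    everything arriving from source port 80, so it cannot tell a reply from a new
    inbound connection that merely uses 80 as its source port."""
    if pkt.src.startswith(INSIDE) and pkt.dport == 80:
        return "ACCEPT"      # outbound web request
    if pkt.dst.startswith(INSIDE) and pkt.sport == 80:
        return "ACCEPT"      # blanket rule for replies (and anything else from port 80)
    return "DROP"            # restrictive policy: block everything not listed

class StatefulFilter:
    """Remembers outbound connections and admits only packets that are replies to
    them (what iptables expresses with -m conntrack --ctstate ESTABLISHED)."""
    def __init__(self):
        self.conntrack = set()
    def filter(self, pkt):
        if pkt.src.startswith(INSIDE) and pkt.dport == 80:
            self.conntrack.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "ACCEPT"  # outbound request: record the flow
        reply_key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if reply_key in self.conntrack and not pkt.syn:
            return "ACCEPT"  # reply to a flow we have seen leaving
        return "DROP"

def run_scenario(decide):
    """Three constructed packets: an outbound request, its reply, and an unsolicited
    inbound connection to port 22 whose source port happens to be 80."""
    request = Packet("192.0.2.5", 51000, "203.0.113.9", 80, syn=True)
    reply = Packet("203.0.113.9", 80, "192.0.2.5", 51000)
    unsolicited = Packet("198.51.100.77", 80, "192.0.2.5", 22, syn=True)
    return [decide(p) for p in (request, reply, unsolicited)]
```

The stateless filter accepts all three packets because its reply rule is a blanket rule; the stateful filter drops the third because no matching request ever left the LAN, which is the "dynamically defined rule" slide 24 says plain packet filters cannot express.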

  26. Firewalls
  • Circuit-level proxies
    - rules similar to packet filters
    - allowed connections generate new connections from the firewall to the destination
    - rarely used in practice these days
    - functionally similar to stateful packet filters, but with lower performance

  27. Firewalls
  • Application-level proxies
    - without a proxy: Client -> Server
    - with a proxy: Client -> Proxy -> Server -> Proxy -> Client
    - another instance of controlled invocation
    - e.g. a mail proxy filters e-mails for spam, viruses, etc.
    - the proxy server is the only entity seen by the outside world
    - transparent to users

  28. Firewalls
  • Application-level proxies
    - typically run on a hardened PC
    - provide close control over content
    - offer a high level of security
  • Issues
    - large overhead per connection
    - more expensive than packet filters
    - complex configuration
    - a separate proxy server is required for each service to be protected

  29. Firewalls
  • Policies:
  • Permissive: allow everything except dangerous services
    - easy to make a mistake or forget something
  • Restrictive: block everything except designated useful services
    - more secure, but if something that is needed gets blocked, the result is a DoS

  30. Firewalls
  • The location of the firewall is important
  • Demilitarised Zone (DMZ): selective access to services from both the inside and the outside network
  • Firewall issues:
    - no protection against insider threats
    - may cause inconvenience
    - tunnelling
    - encrypted traffic cannot be examined

  31. Intrusion Detection Systems
  • Cryptographic mechanisms help, but...
  • It is impossible to prevent all attacks
    - DoS attacks
    - insider attacks
    - badly configured firewalls
  • Attacks already in progress are not detected by these mechanisms
  • -> Intrusion Detection Systems

  32. Intrusion Detection Systems
  • Consist of a number of sensors (network or host based)
  • Sensors collect various data
  • Data is analysed
  • Intrusions are reported
  • and possibly reactions are triggered

  33. Intrusion Detection Systems
  • Misuse detection
    - looks for attack signatures
    - signatures: patterns of network traffic
    - e.g. number of failed login attempts
    - only as good as its database of attack signatures
    - new attacks -> a signature needs to be created
    - the IDS needs to update its database

  34. Intrusion Detection Systems
  • Anomaly detection
    - statistical / behaviour-based detection
    - uses statistical techniques
    - first, 'normal' behaviour is established as a baseline
    - during operation, if the behaviour of the monitored system deviates from the baseline and exceeds a threshold ->
    - an alarm is issued

  35. Intrusion Detection Systems
  • Anomaly detection
    - possibility of detecting novel attacks
    - however, it only detects anomalies
    - an anomaly is not necessarily an attack
    - an attack is not necessarily anomalous
    - false positives (false alarms)
    - false negatives (an attack classified as normal)
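Slides 33 to 35 contrast the two detection approaches; the added example below (not from the lecture) runs both over a handful of constructed auth-log lines. The misuse detector is the slide's own example signature, a count of failed logins per source; the anomaly detector compares failures per minute against a constructed baseline using a z-score threshold. The log lines, the baseline and the thresholds are all made up for the demo.

```python
import re
import statistics
from collections import defaultdict

# Constructed auth-log lines (syslog style) for the demo.
LOG = """\
10:00:01 sshd: Failed password for root from 203.0.113.5
10:00:02 sshd: Failed password for root from 203.0.113.5
10:00:03 sshd: Failed password for admin from 203.0.113.5
10:00:04 sshd: Failed password for admin from 203.0.113.5
10:00:05 sshd: Failed password for test from 203.0.113.5
10:00:09 sshd: Accepted password for alice from 192.0.2.7
10:01:12 sshd: Failed password for bob from 192.0.2.8
""".splitlines()

# Constructed baseline: failed logins per minute observed during normal operation.
BASELINE = [1, 0, 2, 1, 1, 0, 1, 2, 1, 1]

FAILED = re.compile(r"Failed password for \S+ from (\S+)")

def misuse_detect(lines, threshold=5):
    """Signature rule: at least `threshold` failed logins from one source -> alert.
    Only fires for patterns already in the rule set."""
    fails = defaultdict(int)
    for line in lines:
        m = FAILED.search(line)
        if m:
            fails[m.group(1)] += 1
    return sorted(src for src, n in fails.items() if n >= threshold)

def failed_per_minute(lines):
    """Bucket failed logins by HH:MM so they can be compared with the baseline."""
    counts = defaultdict(int)
    for line in lines:
        if FAILED.search(line):
            counts[line[:5]] += 1
    return counts

def anomaly_detect(baseline, observed, z_limit=3.0):
    """Behaviour-based rule: alarm when the observed count lies more than
    `z_limit` standard deviations above the baseline mean."""
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline) or 1.0   # flat baseline: avoid division by zero
    z = (observed - mean) / sd
    return z > z_limit, round(z, 2)
```

Both detectors flag the burst from 203.0.113.5, but a source that spreads its attempts at 2 failures per minute stays under both the signature threshold and the z-score limit: slide 35's "an attack is not necessarily anomalous" false negative.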

  36. Intrusion Detection Systems
  • Network-based IDS
    - attack signatures in network traffic
    - e.g. SNORT, Firestorm
  • Host-based IDS
    - attack signatures in system activity
  • The most effective IDSs to date combine the two.

  37. Vulnerability Assessment and Honeypots
  • Vulnerability assessment
    - examines the security state of a network or a host
    - information on open ports, package versions, etc.
  • Honeypots
    - a resource for tracking attackers and for learning and gathering evidence about their activities
    - designed to mimic real systems
    - low- and high-interaction honeypots

  38. Summary
  • Networking protocols
  • Firewalls
  • Intrusion detection
