Download
1 / 20
280 likes | 545 Vues
Network Security. IS250 Spring 2010 John Chuang. Outline. What is Network Security? Security properties Cryptographic techniques Availability (or lack thereof) Denial of service (DoS) attacks DDoS and botnets Operational security Firewalls Intrusion detection systems
E N D
Network Security IS250 Spring 2010 John Chuang
Outline • What is Network Security? • Security properties • Cryptographic techniques • Availability (or lack thereof) • Denial of service (DoS) attacks • DDoS and botnets • Operational security • Firewalls • Intrusion detection systems • Virtual private networks John Chuang
Securing the Network Stack • Application (layer 7):various security protocols • Transport (layer 4):Transport Layer Security (TLS) • Network (layer 3):IPsec • Data Link (layer 2): Wired Equivalent Privacy (WEP); 802.11i • Physical (layer 1): control of access to cables; perimeter security; acoustic security; … HTTPS, SSH, PGP, S-BGP, DNSSEC,… TLS IPsec WEP; 802.11i; … Physical layer security Unfortunately, IP address spoofing (forging of source address) is still unsolved, and source of many network security problems. John Chuang
Eavesdropping passwords, credit card numbers, etc. Data tampering Impersonation Replay attack Man-in-the-middle attack (e.g., IP address spoofing) Phishing attack Unauthorized access System vulnerabilities Password guessing (e.g., dictionary attack) Social engineering (e.g., bribe, black-mail) Denial-of-Service attack Spam Malware: Trojan horses, viruses, worms … Attacks • Wide ranging scope • Some common attacks: John Chuang
Security Properties “CIA” and “AAA” • Confidentiality • Prevents eavesdropping • Integrity • Prevents modification of data • Authentication • Proves your identity to a third party; prevents impersonation • Accountability (non-repudiation) • Enables failure analysis; serves as deterrent • Authorization • Prevents misuse • Availability • Safeguards against denial-of-service John Chuang
Encryption Symmetric-key (e.g., AES) Asymmetric-key (e.g., RSA) Cryptographic hash (message digest) e.g., MD5, SHA-1 Digital signature Confidentiality Authentication Integrity Non-Repudiation Cryptographic Techniques John Chuang
Outline • What is Network Security? • Security properties • Cryptographic techniques • Availability (or lack thereof) • Denial of service (DoS) attacks • DDoS and botnets • Operational security • Firewalls • Intrusion detection systems • Virtual private networks John Chuang
Availability • Denial-of-Service (DoS) Attack: • Make a computer resource or service unavailable to users by overwhelming the computational and/or communication resources of the victim system • DoS statistics (Moore et al., Usenix 2001): • Prevalence: 13,000 DoS attacks recorded in 3 weeks • Duration: an attack can last for hours • Intensity: 600,000 packets per second • 2008 ISP Infrastructure Security Report (Arbor, 2008) • Largest DDoS attack peak traffic volume of 40Gbps John Chuang
TCP SYN Flood Attack • Recall TCP session establishment • A B: SYN • B A: SYN + ACK • A B: ACK • B has to keep state for every half-open connection, and an idle connection is closed only after long timeout • An attacker sends many SYN messages (with spoofed source IP addresses) to victim B • Legitimate clients cannot establish TCP session with B John Chuang
http://bluebuddies.com/gallery/Smurf_Art_Showcase/gif/Impus_Art_Smurf_Attack.gifhttp://bluebuddies.com/gallery/Smurf_Art_Showcase/gif/Impus_Art_Smurf_Attack.gif Smurf Attack • ICMP Echo Request attack • Attacker sends ICMP Echo Request (ping) messages to IP broadcast addresses (e.g., 128.32.255.255) • These ping messages have spoofed IP source address of target victim • Hosts receiving the Echo Request messages will respond with Echo Response (pong) messages • Target is flooded with ICMP Echo Response (pong) messages • This is an example of a reflected attack John Chuang
Distributed DoS (DDoS) Attack • Attacker takes over machines via viruses and launches DoS attacks from these “zombies” or “bots” • Largest botnets can have millions of bots • Defensive approaches: filtering, traceback • Misaligned incentives an important contributor • Many owners unaware that their machine is a zombie • Owners not motivated to diligently patch their machines to protect against malware in the absence of perceived harm John Chuang
Botnets Source: Cisco • (Application layer overlay) network of bots (Trojan horses) under the command & control of botnet operator • Botnet operators may control millions of machines and use them to launch DDoS attacks, send spam, perform keylogging, commit click fraud,… • Estimate: 70-90% of spam come from botnets • Underground market for botnet service • e.g., $500 for a DDoS attack using 10K bots • e.g., sites asked to pay $10-50k in extortion John Chuang
Outline • What is Network Security? • Security properties • Cryptographic techniques • Availability (or lack thereof) • Denial of service (DoS) attacks • DDoS and botnets • Operational security • Firewalls • Intrusion detection systems • Virtual private networks John Chuang
http://www.randommart.com/images/firewall_1_images/firewall.diagram2.gifhttp://www.randommart.com/images/firewall_1_images/firewall.diagram2.gif Firewall • A firewall isolates an organization’s internal network from the public Internet • All traffic must pass through firewall • Only authorized traffic, as defined by local security policy, can pass • Two basic types: packet filter, application gateway John Chuang
Firewall Policy Examples John Chuang
Filters packets on application data as well as on IP/TCP/UDP fields Example: allow select internal users to telnet outside require all telnet users to telnet through gateway for authorized users, gateway sets up telnet connection to destination host. Gateway relays data between 2 connections router filter blocks all telnet connections not originating from gateway Application Gateway gateway-to-remote host telnet session host-to-gateway telnet session application gateway router and filter Source: Kurose and Ross, Computer Networking, 5th Edition John Chuang
Intrusion Detection System Monitors and reports suspicious traffic by performing deep packet inspection Signature-based or Anomaly-based application gateway firewall Internet internal network IDS sensors Web server DNS server FTP server demilitarized zone (DMZ) John Chuang Source: Kurose and Ross, Computer Networking, 5th Edition
Virtual Private Networks • Problem: • build a corporate intranet for an organization with multiple sites • Solutions: • Public internet connections (low cost) • Private (dedicated) network connections (confidential) • Virtual Private Network (both confidentiality and low cost) • Implemented in software John Chuang
VPN Source: Doug Comer • VPN software in router at each site gives appearance of a private network • Implementation: • Obtain internet connection for each site • Choose router at each site to run VPN software • Configure VPN software in each router to know about the VPN routers at other sites • VPN software acts as a packet filter; next hop for outgoing datagram is another VPN router • Outgoing datagrams encrypted using IPsec John Chuang
IPSec (RFC 2402, 2406) • Transport mode: payload encrypted; not header • Tunneling mode: entire packet encrypted; then encapsulated in separate packet (to keep source/destination addresses confidential) • Example: • Datagram from host x at site 1 to host y at site 2 • Router R1 on site 1 encrypts, encapsulates in new datagram for transmission to router R2on site 2 John Chuang Source: Doug Comer
