CS526: Information Security Chris Clifton
Presentation Transcript


  1. CS526: Information Security, Chris Clifton, November 13, 2003: Network Security

  2. Network Security: What is the Problem?
     • Name examples of security breaches
       • Morris Worm
       • Email viruses (many)
       • …
     CS526, Fall 2003

  3. Network Security: What is it?
     [Figure: nodes A and B connected by a network]
     • What is the purpose of a network?
       • Move bits from A to B
       • Securely…

  4. Securely means
     [Figure: nodes A and B connected by a network]
     • Confidentiality
       • Only A and B see bits
     • Integrity
       • Message intact
       • Really from A
       • Order?
     • Availability
       • B gets it in time

  5. Network Security: What is the Problem?
     • Were our examples network security failures?
       • Morris Worm
       • Email viruses (many)
       • …

  6. Network Security: Mostly Solved!
     • Confidentiality
       • Encryption
     • Integrity
       • Digital signatures
       • Retransmission
       • Order?
     • Availability
       • Quality of Service

  7. Network Security: What's all the fuss?
     • Firewalls
       • Solve poor internal security using the network
     • Intrusion Detection
       • Detect non-network security breaches accomplished via the network
       • Early start on forensics

  8. Network Security: What is interesting?
     • Distributed Authentication
       • Scaling issues
       • Autonomy
     • Distributed Cooperation
       • Commit
       • Fault tolerance
     • Availability
       • Denial of service
     But first: state of practice

  9. "Typical" corporate network
     [Figure: Internet | Firewall | DMZ: mail forwarding, DNS (DMZ), web servers | Firewall | Intranet: file server, mail server, DNS (internal), user machines]

  10. Typical network: Terms
     • Network Regions
       • Internet
       • Intranet
       • DMZ
     • Network Boundaries
       • Firewall
         • Filtering firewall: based on packet headers
         • Audit mechanism
       • Proxy
         • Proxy firewall: gives external view that hides intranet

  11. Issues
     • IP: intranet hidden from outside world
       • Internal addresses can be real
         • Proxy maps between real address and firewall
       • Fake addresses: 10.b.c.d, 172.[16-31].c.d, 192.168.c.d
         • Network Address Translation (NAT) maps internal to assigned address
     • Mail Forwarding
       • Hide internal addresses
       • Map incoming mail to "real" server
       • Additional incoming/outgoing checks

  12. Firewalls: Configuration
     • External Firewall
       • What traffic allowed
         • External source: IP restrictions
         • What type of traffic: ports (e.g., SMTP, HTTP)
       • Proxy between DMZ servers and Internet
       • Proxy between inner and outer firewall
     • Internal Firewall
       • Traffic restrictions: ports, from/to IP
       • Proxy between intranet and outside

  13. DMZ Administration
     • Direct console access required?
       • Real hassle
     • "Special" access
       • SSH connections allowed from internal to DMZ "administration" connections
       • Only from specified internal IPs
       • Only through internal firewall

  14. Distributed Authentication
     • Authentication has been covered
     • But does it scale?
     • Scaling issues:
       • Repeat authentication
       • Multiple administrators

  15. Repeat authentication: Kerberos
     • Kerberos developed at MIT in the 1980s
       • Project Athena: clusters of publicly available computers for student/faculty use
       • Shared file service: log in anywhere
     • Problem: how to ensure user logging in at A is authorized to use resources at B?
     • Solution: ticket as credential
     [Figure: ticket contents: ticket server, client, client address, valid time, session key; encrypted with ticket server's key]

  16. Kerberos Authentication Example
     • Client sends to Authentication Server
       • Client name, ticket server name
     • Authentication Server returns
       • To client: {K_client,ticketserver} encrypted under K_client-password, Ticket_client,ticketserver
     • Client performs similar exchange with ticket server
       • Ticket contains session key, only ticket server can decrypt
     • Now client has session key and ticket for service
       • Message includes ticket and encrypted generation time as "signature"

  17. Kerberos: Problems
     • Subject to replay attacks
       • Relies on clock synchronization
       • "Window of opportunity" based on maximum message delay
     • Standard password attacks
       • Password used to decrypt initial authenticator ticket
       • Some fixed fields enable verifying if password broken

  18. The Next Problem: Multiple Administration Domains
     • Problem: many users
       • We know how to authenticate
       • But how to administer?
     • Solution: hierarchical directories
       • X.500, LDAP, Active Directory

  19. X.500: What is it?
     • Goal: global "white pages"
       • Look up anyone, anywhere
     • Developed by the telecommunications industry
       • ISO standard directory for OSI networks
     • Idea: distributed directory
       • Application uses a Directory User Agent to access a Directory Access Point

  20. Issues
     • How is the name used?
       • Access resource given the name
       • Build a name to find a resource
       • Information about resource
     • Do humans need to use the name?
       • Construct and recall
     • Is the resource static?
       • Resource may move
       • Change in location may change name
     • Performance requirements
       • Human-scale

  21. Directory Information Base (X.501)
     • Tree structure
       • Root is entire directory
       • Levels are "groups"
         • Country
         • Organization
         • Individual
     • Entry structure
       • Unique name
         • Built from tree
       • Attributes: type/value pairs
         • Schema enforces type rules
       • Alias entries

  22. Directory Entry
     • Organization level
       • CN=Purdue University
       • L=West Lafayette
       • …
     • Person level
       • CN=Chris Clifton
       • SN=Clifton
       • TITLE=Associate Professor
       • …

  23. Directory Operations (X.511)
     • Query:
       • Read: get selected attributes of an entry
       • Compare: does an entry match a set of attributes
       • List: children of an entry
       • Search: portion of directory for matching entries
       • Abandon request
     • Modification: add, remove, modify entry
       • Modify distinguished name

  24. Distributed Directory (X.518)
     • Directory System Agent
       • May have local data
       • Can forward requests to other system agents
       • Can process requests from user agents and other system agents
     • Referrals
       • If DSA can't handle request, can make request to other DSA
       • Or tell DUA to ask other DSA

  25. Access Control
     • Directory information can be protected
     • Two issues:
       • Authentication (X.509)
       • Access control (X.501)
     • Standards specify basic access control
       • Individual DSAs can define their own

  26. Replication (X.525)
     • Single entries can be replicated to multiple DSAs
       • One is "master" for that entry
     • Two replication schemes:
       • Cache copies: on demand
       • Shadow copies: agreed in advance
     • Copies required to enforce access control
       • When entry sent, policy must be sent as well
     • Modifications at master only
       • Copy can be out of date
       • Each entry must be internally consistent
       • DSA giving copy must identify it as a copy

  27. Protocols (X.519)
     • Directory Access Protocol
       • Request/response from DUA to DSA
     • Directory System Protocol
       • Request/response between DSAs
     • Directory Information Shadowing Protocol
       • DSA-DSA with shadowing agreement
     • Directory Operational Binding Management Protocol
       • Administrative information between DSAs

  28. Uses
     • Look-up
       • Attributes, not just Distinguished Name
       • Context
         • Humans can construct likely names
     • Browsing
       • Yellow pages
       • Aliases
       • Search restriction/relaxation
     • Groups
       • Multi-valued "member" attribute
     • Authentication information contained in directory
       • E.g., password attribute

  29. LDAP vs. X.500
     • Lightweight Directory Access Protocol
       • Supports X.500 interface
       • Doesn't require OSI protocol
       • IETF RFC 2251, 2256: X.500 for the Internet crowd
     • Useful as generic addressing interface
       • Netscape address book
       • System logon identification/authentication
       • …

  30. The Next Problem: Multiple Administration Domains
     • Problem: many users
       • We know how to authenticate
       • But how to administer?
     • Solution: hierarchical directories
       • X.500, LDAP, Active Directory
     • Still not enough
       • Is every administrator in the hierarchy enforcing our policy?
     • Think this is an interesting area of research? Talk to Prof. Ninghui Li

  31. CS526: Information Security, Chris Clifton, November 18, 2003: Network Security

  32. Attacks and Defense
     • Confidentiality on the network manageable
       • Encryption to protect transmission
       • Public key cryptography / key management to verify recipient
     • Integrity reducible to single system
       • Digital signatures verify source
       • Commit protocols handle network failure
     • What about Availability?

  33. Network Attacks
     • Flooding
       • Overwhelm TCP stack on target machine
       • Prevents legitimate connections
     • Routing
       • Misdirect traffic
     • Spoofing
       • Imitate legitimate source
       • But we know how to handle this!

  34. What is a Flood attack?
     • Limit availability by
       • Overwhelming service
       • By following service's protocol
         • Perhaps not exactly
     • Examples
       • SYN flood
         • Overwhelms TCP stack
       • Email attacks

  35. SYN Flood
     • TCP connection is multi-step
       • SYN to initiate
       • SYN+ACK to respond
       • ACK gets agreement
     • Sequence numbers then incremented for future messages
       • Ensures message order
       • Retransmit if lost
       • Verifies party really initiated connection
         • We'll get back to this

  36. SYN Flood
     • Implementation
       • Receive SYN
       • Allocate connection
       • Acknowledge
       • Wait for response
     • See the problem?
       • What if no response
       • And many SYNs
       • All space for connections allocated
         • None for legitimate ones
     Time?

  37. Solution Ideas
     • Limit connections from one source?
       • But source is in packet, can be faked
     • Ignore connections from illegitimate sources
       • If you know who is legitimate
       • Can figure it out quickly
       • And the attacker doesn't know this
     • Drop oldest connection attempts
       • Adaptive timeout

  38. Network Solutions
     • TCP intercept
       • Router establishes connection to client
       • When connected, establish with server
     • Synkill
       • Monitor machine as "firewall"
       • Good addresses: history of successful connections
       • Bad addresses: previous timeout attempt
       • Block and terminate attempts from bad addresses
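The synkill idea on this slide, as an added example that is not part of the original slides or of the synkill tool itself: a small monitor that classifies source addresses from an observed event stream (constructed sample events; the address states and the reset action are assumptions modelled on the slide's description).

```python
# Added example (not from the slides): a minimal synkill-style monitor.
# A completed handshake marks the source "good", a SYN that times out without
# its ACK marks it "bad", and later SYNs from "bad" sources are blocked and the
# half-open attempt is reset. Event lines below are constructed.

GOOD, BAD, NEW = "good", "bad", "new"

class SynkillMonitor:
    def __init__(self):
        self.state = {}      # source address -> GOOD / BAD (absent means NEW)
        self.resets = []     # sources for which an RST would be emitted

    def classify(self, src):
        return self.state.get(src, NEW)

    def observe(self, event, src):
        """Feed one observed event; return the monitor's decision for it."""
        if event == "SYN":
            if self.classify(src) == BAD:
                self.resets.append(src)      # terminate the half-open attempt
                return "block"
            return "allow"                   # NEW and GOOD sources pass
        if event == "ACK":                   # handshake completed
            self.state[src] = GOOD
        elif event == "TIMEOUT":             # SYN never acknowledged
            self.state[src] = BAD
        return "noted"

def run_log(lines):
    """Parse constructed 'time event src' lines; return (decisions, monitor)."""
    mon = SynkillMonitor()
    decisions = []
    for line in lines:
        _, event, src = line.split()
        decisions.append((src, mon.observe(event, src)))
    return decisions, mon

# Constructed sample of what the monitor would see on the wire:
SAMPLE_LOG = [
    "1 SYN 10.0.0.7",          # legitimate host completes its handshake
    "2 ACK 10.0.0.7",
    "3 SYN 198.51.100.9",      # source that never answers the SYN+ACK
    "4 TIMEOUT 198.51.100.9",
    "5 SYN 198.51.100.9",      # now blocked: previous timeout
    "6 SYN 10.0.0.7",          # still allowed: known good
]

if __name__ == "__main__":
    for src, decision in run_log(SAMPLE_LOG)[0]:
        print(src, decision)
```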

  39. Protocol solutions
     • Problem: server maintaining state
       • Runs out of space
     • Solution: don't maintain state on server
       • How does it know sequence numbers?
     • Encrypt in SYN response
       • h(source, destination, random) + sequence + time
       • Client increments this and ACKs
       • Server subtracts h(), time to get sequence
       • Knows if this is in valid range
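The stateless SYN-response recipe on this slide carried through in code, as an added example that is not from the slides and not a real TCP stack's layout: the server's initial sequence number is a keyed hash of the connection identifiers plus a time counter, and the final ACK is validated by recomputing that hash. The secret, hosts, ports, the 24-bit hash / 8-bit time layout and the 64-second tick are constructed choices.

```python
# Added example (not from the slides): a simplified SYN-cookie ISN following the
# slide's recipe. The server keeps no per-connection state; the client's final
# ACK (our ISN+1) is checked by recomputing the hash for the current and the
# previous time slot. Secret, tick size and bit layout are constructed choices.
import hashlib
import hmac
import time

SECRET = b"constructed per-boot server secret"  # the slide's "random" input
TIME_UNIT = 64           # seconds per time-counter tick
MAX_AGE_TICKS = 1        # accept current tick and one previous tick

def _h(src, sport, dst, dport, client_isn, t):
    """24-bit keyed hash of the connection identifiers and time tick."""
    msg = f"{src}:{sport}>{dst}:{dport}|{client_isn}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def _tick(now):
    return int((time.time() if now is None else now) // TIME_UNIT)

def make_cookie(src, sport, dst, dport, client_isn, now=None):
    """Server ISN for the SYN+ACK: hash in the top 24 bits, tick mod 256 below."""
    t = _tick(now)
    return ((_h(src, sport, dst, dport, client_isn, t) << 8) | (t & 0xFF)) & 0xFFFFFFFF

def check_ack(src, sport, dst, dport, seq, ack, now=None):
    """Validate a bare ACK statelessly: seq is the client's ISN+1, ack is ours+1.
    Returns True only if the ACK matches a cookie this server could have issued
    within the last MAX_AGE_TICKS ticks (the slide's 'valid range')."""
    server_isn = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    for age in range(MAX_AGE_TICKS + 1):
        t = _tick(now) - age
        if (server_isn & 0xFF) == (t & 0xFF) and \
           (server_isn >> 8) == _h(src, sport, dst, dport, client_isn, t):
            return True
    return False
```

A forged or stale ACK fails either the time-slot byte or the hash, so no half-open entry is ever created for it.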

  40. Service-Level Flooding
     • Overload server
       • Processing
       • Storage
     • Typically "garbage" requests using legitimate protocol
       • Large emails to victim
       • Many HTTP connections
       • Heavy use of scripts
     • Often exploit flaws in service implementation
       • Self-replicating attacks

  41. Solutions
     • Limit traffic from any source
       • Still open to distributed attacks
     • Quality of Service
       • Guarantee service to known good sites
     • Careful programming
       • Don't allow service to defeat itself
     • Throttling
       • Limit traffic to any service
       • Protects other services on same host

  42. IP Spoofing
     • Start with SYN flood to spoofed client
     • Open connection from spoofing client to server
       • Real client fails to respond
         • Should terminate
       • Spoofing client sends ACK
         • Must guess sequence number S

  43. CS526: Information Security, Chris Clifton, November 18, 2003: Network Security (slides courtesy Wenke Lee)

  44. Note to 1st year SFS students (only)
     • Interested in a summer internship?
     • Independent study or thesis next year?
     • Did the ITSEC/Common Criteria lectures interest you?
     • If so, please talk to me after class

  45. Routing
     [Figure: SRC and DST connected through routers/switches]
     I want to know the shortest path. So, the routers must exchange local information!

  46. IP Routing
     • Routing is based on network addresses
     • Routers use a forwarding table
       • Destination, next hop, network interface, metric
       • Table look-up for each packet
       • Need to recognize address structure
     • Routing information exchange allows computation of new routes, which is used to update the forwarding table

  47. Routing Protocol Framework: Information Model
     [Figure: OSPF, RIPv2 and BGP4 each maintain a RIB; the RIBs feed the Forwarding Information Base (FIB: Dest, NextHop, Routing Metrics); the forwarding algorithm reads the FIB and the NPDU (Network Protocol Data Unit) header to make the forwarding decision]

  48. Routing Information
     • Link State: I have these links to XYZ (routers or networks); their current status is … (e.g., delay)
     • Distance Vector: I can get to XYZ (networks) in m hops

  49. Distribution of Routes: Distance Vector
     Every node sends its neighbor a vector: the number of hops to reach each other node.
     [Figure: nodes A, B, C]

  50. Link State
     A node sends to its neighbors the state of its directly connected links: up/down and costs. Each node that receives the information forwards it to all its neighbors.
