
Chapters 9 and 8 Samba/SMB, Network Security

Chapters 9 and 8 Samba/SMB, Network Security. Professor Rick Han University of Colorado at Boulder rhan@cs.colorado.edu. Announcements. HW #5 a possibility Programming Assignment #3 due May 2 Lecture slides from last week online after class In Chapter 8, read all sections.





Presentation Transcript


  1. Chapters 9 and 8: Samba/SMB, Network Security
  Professor Rick Han
  University of Colorado at Boulder
  rhan@cs.colorado.edu

  2. Announcements
  • HW #5 a possibility
  • Programming Assignment #3 due May 2
  • Lecture slides from last week online after class
  • In Chapter 8, read all sections.
  • Next, Samba/SMB, Network Security
  Prof. Rick Han, University of Colorado at Boulder

  3. Recap of Previous Lecture
  • An example caching policy for an HTTP proxy
    • Conditional GET with If-Modified-Since header
    • Proxy returns the page from its cache only if that page is not expired and its Last-Modified is more recent than the If-Modified-Since date
    • Otherwise, the proxy forwards the conditional GET to the server, which replies with either
      • A new page, or
      • Status 340 “Not Modified”
  • Network Address Translation (NAT)
    • Outbound: Substitute NAT’s IP address and TCP port for the packet’s source IP and source TCP port
    • Inbound: Substitute NAT’s IP addr and TCP port for the packet’s dest IP and dest TCP port

  4. Recap of Previous Lecture (2)
  • NAT
    • Static NATs map an inbound packet’s dest IP and dest TCP port to an internal host’s fixed IP addr and TCP port
      • Enables a Web server behind a NAT to serve Web pages to external hosts
      • Adds security risk
    • Dynamic NATs provide a firewall masquerading capability
      • In the absence of fixed mappings, external hosts can’t make an inbound connection to any internal host
      • Internal hosts can still make outbound TCP connections

  5. Samba/SMB
  • Server Message Block (SMB) Protocol
    • File sharing protocol that ships with Microsoft OS’s
    • Basis for Network Neighborhood
    • Application-layer protocol over TCP/UDP/IP
  • Open-source SAMBA Server suite enables other OS’s such as Linux to speak SMB
    • Enables an MS client to access files on a UNIX server – very useful!

  6. Samba/SMB (2)
  • For historical reasons, SMB first ran across the NETBIOS API, which then ran across various network protocols, e.g. TCP/UDP, IPX, SNA, DECnet, etc.
  • SMB packets can be framed in NETBIOS packets which are encapsulated by TCP/UDP
  • NETBIOS over TCP/UDP is called NBT
  [Figure: protocol stack – SMB over NETBIOS over TCP/UDP, IPX, SNA or …]

  7. Samba/SMB (3)
  • Newer version of SMB: Windows 2000 now runs SMB natively on top of TCP/UDP
    • no NETBIOS framing
    • renamed to Common Internet FileSystem (CIFS)
    • CIFS actually refers to the entire suite of protocols: file/printer-sharing, service announcement, naming, authentication, authorization
  • Supports older versions of SMB too, to maintain compatibility
  [Figure: protocol stack – SMB (Windows 2000) directly over TCP/UDP]

  8. Samba/SMB (4)
  • NBT creates an abstraction: a virtual LAN, even if actual nodes are distributed over a wide area
  • NBT provides 3 services over a virtual LAN
    • Naming Service
    • Datagram Distribution Service
    • Session Service
  • NBT Naming Service
    • Broadcast: “where’s anchor?” “Here I am”
    • Point-to-point: required to bridge subnets, because broadcasts are typically confined to a subnet
      • A NETBIOS Name Server (NBNS) provides name-to-IP mappings for a NETBIOS virtual LAN
      • Also called WINS in MS terminology

  9. Samba/SMB (5)
  • NBT Naming Service (cont.)
    • Runs on UDP port 137: NETBIOS naming queries are encapsulated in UDP then IP
  • NBT Datagram Service
    • Runs over UDP port 138
    • Point-to-point and multicast are straightforward within a LAN
    • Multicast across IP subnets requires a bridging agent: a NETBIOS Datagram Distribution Server (NBDD)
      • Multicast datagrams are sent to the NBDD, which gets the list of hosts in the multicast group from the NBNS, then sends point-to-point to each host
      • WINS messed up its implementation of NBDD (as of May 2001) – some group members won’t receive the multicast

  10. Samba/SMB (6)
  • NBT Session Service
    • Runs over TCP port 139
    • Implements file sharing
    • Simple sequence of events:
      • Source X gives the NETBIOS name of destination Y to the NBT Name Service and gets back the IP address of Y
      • Source X establishes a TCP connection with Y
      • Source X sends a NETBIOS SESSION SERVICE REQUEST to Y. Y accepts the request.
      • X and Y exchange files via SMB.
  • SMB packets consist of “0xFF” then the letters “SMB” followed by a command and data
    • Commands are patterned after DOS I/O commands, and include OPEN, CLOSE, DELETE, etc.
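The framing described on this slide, as an added example that is not part of the lecture: an NBT session message (RFC 1002 header: type, flags, length) wrapping an SMB packet that begins with 0xFF "SMB" and a command byte, plus a parser of the kind a monitoring tool on TCP port 139 would use to reject malformed frames and name the SMB command. The command codes are from the SMB1 specification; the sample frame is constructed.

```python
import struct

# NBT session service message types (RFC 1002).
NBT_SESSION_MESSAGE = 0x00
NBT_SESSION_REQUEST = 0x81
NBT_POSITIVE_RESPONSE = 0x82

# A few SMB1 command codes (DOS-style names as on the slide); subset only.
SMB_COMMANDS = {0x02: "OPEN", 0x04: "CLOSE", 0x06: "DELETE", 0x72: "NEGOTIATE"}


def nbt_frame(msg_type, payload):
    """Wrap payload in an NBT session header: type (1 byte), flags (1 byte,
    bit 0 is the 17th length bit), length (2 bytes, big-endian)."""
    length = len(payload)
    return struct.pack(">BBH", msg_type, (length >> 16) & 0x01, length & 0xFFFF) + payload


def parse_nbt(data):
    """Return (msg_type, payload); raise ValueError on a short or inconsistent frame."""
    if len(data) < 4:
        raise ValueError("truncated NBT header")
    msg_type, flags, low = struct.unpack(">BBH", data[:4])
    length = ((flags & 0x01) << 16) | low
    if len(data) < 4 + length:
        raise ValueError("truncated NBT payload")
    return msg_type, data[4:4 + length]


def smb_command(payload):
    """Check the 0xFF 'SMB' magic and return the command name (None if not SMB)."""
    if len(payload) < 5 or payload[:4] != b"\xffSMB":
        return None
    return SMB_COMMANDS.get(payload[4], "0x%02x" % payload[4])


# Constructed sample: an SMB NEGOTIATE request inside an NBT session message,
# the first SMB exchange after the session request is accepted (slide 11).
SAMPLE_FRAME = nbt_frame(NBT_SESSION_MESSAGE, b"\xffSMB" + bytes([0x72]) + b"\x00" * 27)

if __name__ == "__main__":
    kind, body = parse_nbt(SAMPLE_FRAME)
    print(hex(kind), smb_command(body))  # prints "0x0 NEGOTIATE"
```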

  11. Samba/SMB (7)
  • SMB
    • Several dialects of SMB, so there is always a negotiation phase to make sure the SMB client speaks the same dialect as the SMB server
  • Network Neighborhood is supported by a “Browsing” Service
    • Browsing is organized in terms of IP subnets and Workgroups.
    • A "Workgroup" is a set of NBT nodes on an IP subnet that share the same Workgroup name.
    • On each subnet, the Workgroup members hold an "election," which involves sending group datagrams via the NBT Datagram Service.
    • A Domain Master Browser enables browsing across subnets

  12. Samba/SMB (8)
  • CIFS
    • Removes NETBIOS/NBT
    • Also, replaces NETBIOS services with standards-based services
      • Example: NBNS is replaced with Dynamic DNS
  • SAMBA
    • Racing to stay compatible with the latest MS twist on CIFS, e.g. Windows 2000
    • See www.samba.org for more info

  13. Network Security
  • Classic properties of secure systems:
    • Confidentiality
      • Encrypt message so only sender and receiver can understand it.
    • Authentication
      • Both sender and receiver need to verify the identity of the other party in a communication: are you really who you claim to be?
    • Authorization
      • Does a party with a verified identity have permission to access (r/w/x/…) information? Gets into access control policies.

  14. Network Security (2)
  • Classic properties of secure systems: (cont.)
    • Integrity
      • During a communication, can both sender and receiver detect whether a message has been altered?
    • Non-Repudiation
      • Originator of a communication can’t deny later that the communication took place
    • Availability
      • Guaranteeing access to legitimate users. Prevention of Denial-of-Service (DOS) attacks.

  15. Cryptography
  [Figure: plaintext → Encryption (Key KA) → ciphertext → Decryption (Key KB) → plaintext]
  • Encryption algorithm also called a cipher
  • Cryptography has evolved so that modern encryption and decryption use secret keys
    • Only have to protect the keys! => Key distribution problem
    • Cryptographic algorithms can be openly published

  16. Cryptography (2)
  • Cryptography throughout history:
    • Julius Caesar cipher: replaced each character by a character cyclically shifted to the left. Weakness?
      • Easy to attack by looking at frequency of characters
    • Mary Queen of Scots: put to death for treason after Queen Elizabeth I’s spymaster cracked her encryption code
    • WWII: Allies break German Enigma code and Japanese naval code
  [Image: Enigma code machine]

  17. Cryptography (3)
  • Cryptanalysis – Types of attacks:
    • Brute force: try every key
    • Ciphertext-only attack:
      • Attacker knows the ciphertext of several messages encrypted with the same key (but doesn’t know the plaintext).
      • Possible to recover plaintext (also possible to deduce the key) by looking at the frequency of ciphertext letters
    • Known-plaintext attack:
      • Attacker observes pairs of plaintext/ciphertext encrypted with the same key.
      • Possible to deduce the key and/or devise an algorithm to decrypt ciphertext.

  18. Cryptography (4)
  • Cryptanalysis – Types of attacks:
    • Chosen-plaintext attack:
      • Attacker can choose the plaintext and look at the paired ciphertext.
      • Attacker has more control than in a known-plaintext attack and may be able to gain more info about the key
    • Adaptive Chosen-Plaintext attack:
      • Attacker chooses a series of plaintexts, basing the next plaintext on the result of the previous encryption
    • Differential cryptanalysis – very powerful attacking tool
      • But DES is resistant to it
  • Cryptanalysis attacks often exploit the redundancy of natural language
    • Lossless compression before encryption removes redundancy

  19. Cryptography (5)
  • Symmetric or Secret-Key Cryptography
    • Both sender and receiver keys are the same: KA=KB
  • Data Encryption Standard (DES)
    • Encodes plaintext in 64-bit chunks using a 64-bit key (56 bits + 8 bits parity)
    • Uses permutation or transposition of characters:
      • abcd → dbac
    • Was cracked in 1997
    • Triple-DES: put the output of DES back as input into DES again, loop again

  20. Cryptography (6)
  • Public-Key Cryptography
    • Host who wants data sent to it advertises a public encryption key Kpublic
    • Decryption algorithm has the property that only a private key Kprivate can decrypt the ciphertext
    • Based on the difficulty of factoring the product of two prime #’s
    • Even though the attacker knows the public key Kpublic and the encryption algorithm, the attacker still does not know the private key Kprivate
    • Example: RSA encryption algorithm
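RSA with textbook-sized primes, as an added example (not part of the lecture) of the points on this slide: Kpublic is published, only Kprivate decrypts, and knowing Kpublic alone leaves an attacker with the factoring problem. The primes, exponent and message are the small constructed values commonly used in textbooks; with a toy modulus the factoring step below finishes instantly, which is exactly why real keys use primes of hundreds of digits.

```python
import math


def rsa_keygen(p, q, e=17):
    """Return (Kpublic, Kprivate) as ((n, e), (n, d)) for primes p, q.
    d is the inverse of e modulo (p-1)(q-1) (textbook RSA, no padding)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, m):
    """Anyone holding Kpublic can encrypt: c = m^e mod n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the holder of Kprivate can decrypt: m = c^d mod n."""
    n, d = private_key
    return pow(c, d, n)


def private_key_from_factoring(public_key):
    """What deriving Kprivate from Kpublic alone requires: factoring n.
    Trial division works for this toy n and is hopeless at real key sizes."""
    n, e = public_key
    for p in range(2, math.isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return (n, pow(e, -1, (p - 1) * (q - 1)))
    return None


# Constructed textbook parameters: p=61, q=53 gives n=3233, phi=3120, e=17, d=2753.
PUBLIC, PRIVATE = rsa_keygen(61, 53, e=17)

if __name__ == "__main__":
    c = encrypt(PUBLIC, 65)
    print(PUBLIC, PRIVATE, c, decrypt(PRIVATE, c))  # (3233, 17) (3233, 2753) 2790 65
```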
