Modern Computer Networks: An Open Source Approach
Chapter 7: Network Security
Chapter 7: Network Security Modern Computer Networks 1
Content
- 7.1 Issues
- 7.2 Data Security
- 7.3 Firewall
- 7.4 Intrusion Detection System
- Pitfalls and misleading
- Further readings
- Exercises
7.2 Data Security
- Cryptography
- Digital Signature
- Application Layer Security
- Network Layer Security

Cryptography
- Secret Key Algorithm
- Public Key Algorithm
Secret Key Algorithm
- Symmetric key: the encryption key and the decryption key are the same shared secret key (contrast the public-key case below, where they differ)
- Basic elements
  P-BOX: transposition (permutation) cipher, which reorders bits
  S-BOX: substitution cipher, which replaces one bit pattern with another
- Product cipher: alternating stages of P-boxes and S-boxes, so that the weakness of each simple cipher is covered by the other

[Figure: product cipher built from successive P-boxes (P1 to P4) and S-boxes (S1 to S12). Each S-box is drawn as an 8-to-3 encoder, a 3-bit substitution, and a 3-to-8 decoder.]
Data Encryption Standard (DES)
- Originally developed by IBM; adopted by the US government in Jan. 1977
- Encrypts in blocks of 64 bits with a 56-bit key
- A monoalphabetic substitution cipher using a 64-bit "character": in the basic (ECB) mode of use, the same input block under the same key always produces the same output block
- Algorithm
  Initial transposition
  16 iterations (rounds), each with a 48-bit subkey derived from the 56-bit key
  32-bit swap
  Inverse transposition
Encryption Procedure of DES
- Input: T = t1 t2 ... t64 (64 bits)
- Initial transposition IP produces T0 = L0 R0 (32 bits each)
- 16 iterations, i = 1, ..., 16, each taking a 48-bit subkey Ki:
    L_i = R_{i-1}
    R_i = L_{i-1} XOR f(R_{i-1}, K_i)
- Key selection derives the 16 subkeys K1, ..., K16 (48 bits each) from the 56-bit key
- Final 32-bit swap and inverse transposition IP^-1
- Output: 64 bits
- Decryption runs the same network with the subkeys applied in reverse order (K16 first), because each round only XORs f's output into one half
Breaking DES
- The key is 56 bits (the IBM Lucifer design DES derives from used a 128-bit key); a 56-bit key can be broken by exhaustive search
  Within 4 hours by supercomputers (1994)
  About 22 hours by a network of volunteers plus a special-purpose computer that was built for less than $250,000 (1999)
  "Chinese Lottery": a thought experiment in which a very large number of cheap devices each try keys in parallel
- Solution: run DES a couple of times with different keys?
  Encrypting twice (double DES) gains little, because a meet-in-the-middle attack brings it back to about 2^57 work
  Triple DES algorithm (encrypt-decrypt-encrypt with two or three keys) is what is used in practice
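The Feistel structure shown above (L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i)) can be exercised with a toy cipher. This is an added example written for this page; it is not code from the textbook and not DES itself: the 16-bit block, the 4-bit S-box, the 8-bit P-box and the subkey schedule are all constructed for illustration. What it demonstrates is the property the slide relies on: decryption is the same loop with the subkeys reversed, whatever f is, and the ECB-style reuse of a block cipher leaks repeated plaintext blocks.

```python
"""Toy Feistel cipher in the DES shape (added example, not DES)."""

# Constructed 4-bit S-box (substitution) and 8-bit P-box (transposition).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
PBOX = [1, 5, 2, 0, 3, 7, 4, 6]   # output bit j takes input bit PBOX[j]


def sbox_layer(x: int) -> int:
    """Substitute both 4-bit nibbles of an 8-bit value through SBOX."""
    return (SBOX[x >> 4] << 4) | SBOX[x & 0xF]


def pbox_layer(x: int) -> int:
    """Permute the 8 bits of x according to PBOX."""
    out = 0
    for j, src in enumerate(PBOX):
        out |= ((x >> src) & 1) << j
    return out


def round_function(r: int, k: int) -> int:
    """f(R, K): key mixing, then S-box substitution, then P-box permutation (a product cipher)."""
    return pbox_layer(sbox_layer(r ^ k))


def key_schedule(key: int, rounds: int = 16) -> list[int]:
    """One 8-bit subkey per round from a 16-bit key (constructed schedule: rotate, then fold)."""
    subkeys = []
    k = key & 0xFFFF
    for _ in range(rounds):
        k = ((k << 3) | (k >> 13)) & 0xFFFF      # rotate left by 3 within 16 bits
        subkeys.append((k ^ (k >> 8)) & 0xFF)    # fold the two bytes into one
    return subkeys


def feistel(block: int, subkeys: list[int]) -> int:
    """Run the rounds over a 16-bit block; the final swap mirrors DES's 32-bit swap."""
    l, r = block >> 8, block & 0xFF
    for k in subkeys:
        l, r = r, l ^ round_function(r, k)       # L_i = R_{i-1}; R_i = L_{i-1} XOR f(R_{i-1}, K_i)
    return (r << 8) | l


def encrypt_block(block: int, key: int) -> int:
    return feistel(block, key_schedule(key))


def decrypt_block(block: int, key: int) -> int:
    """Same network, subkeys in reverse order: each round undoes the matching encryption round."""
    return feistel(block, key_schedule(key)[::-1])


def ecb_encrypt(data: bytes, key: int) -> bytes:
    """Encrypt 2-byte blocks independently (ECB): equal plaintext blocks give equal ciphertext blocks."""
    if len(data) % 2:
        raise ValueError("ECB needs whole blocks; pad first")
    out = bytearray()
    for i in range(0, len(data), 2):
        c = encrypt_block(int.from_bytes(data[i:i + 2], "big"), key)
        out += c.to_bytes(2, "big")
    return bytes(out)


if __name__ == "__main__":
    key, pt = 0x1F2E, 0xABCD
    ct = encrypt_block(pt, key)
    print(f"{pt:04x} -> {ct:04x} -> {decrypt_block(ct, key):04x}")
    print(ecb_encrypt(b"\xab\xcd\xab\xcd", key).hex())   # the repeated block shows through
```

The S-box and P-box are both bijections, so each round function is invertible on its own; the Feistel structure does not even need that, which is why DES can use non-invertible S-boxes that compress 6 bits to 4.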
Public Key Algorithm
- First proposed by W. Diffie and M. E. Hellman
- Asymmetric keys: encryption (public) key ≠ decryption (private) key
- The encryption algorithm E and the decryption algorithm D should meet the following requirements
  D(E(P)) = P
  It is computationally infeasible to deduce D from E
  E cannot be broken by a chosen plaintext attack
RSA Algorithm
- Proposed by Rivest, Shamir, and Adleman at MIT in 1978
- RSA key generation
  Choose two large primes, p and q (each > 10^100)
  Compute n = p*q and z = (p-1)*(q-1)
  Choose a number relatively prime to z and call it d
  Find e such that e*d = 1 mod z
- Plaintext P, 0 ≤ P < n (with a 664-bit block, n ~ 10^200)
  encryption key = (n, e), decryption key = (n, d)
  C = P^e mod n (encryption), P = C^d mod n (decryption)
- Based on the difficulty of factoring large numbers: anyone who factors n recovers z and hence d from e
Why does RSA work?
Prove that D(E(P)) = P, i.e. $(P^e \bmod n)^d \bmod n = P$:
$(P^e \bmod n)^d \bmod n = P^{ed} \bmod n$
$ed \equiv 1 \pmod{z}$, so $ed = 1 + k(p-1)(q-1)$ for some integer $k$
$P^{ed} \bmod n = P^{1 + k(p-1)(q-1)} \bmod n = P \cdot \left(P^{(p-1)(q-1)}\right)^k \bmod n$
$= P \bmod n = P$, since $P^{(p-1)(q-1)} \equiv 1 \pmod{n}$ by Euler's theorem when $\gcd(P, n) = 1$; for the remaining $P$ the identity $P^{ed} \equiv P \pmod{n}$ still holds, as can be checked modulo $p$ and modulo $q$ separately
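The recipe on the RSA slide, carried out with numbers small enough to check by hand. This is an added example, not code from the textbook; the primes, the choice of d and the messages are constructed. It also runs the attack the slide's last bullet alludes to: factoring n recovers the private key. Textbook RSA as shown here is deterministic and unpadded; real use needs a padding scheme (OAEP for encryption, PSS for signatures) and primes of hundreds of digits.

```python
"""Textbook RSA per the slide: keygen, encrypt, decrypt, and recovery of d by factoring n."""
from math import gcd


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def rsa_keygen(p: int, q: int, d: int) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((n, e), (n, d)): d chosen relatively prime to z, e = d^-1 mod z as on the slide."""
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    z = (p - 1) * (q - 1)
    if gcd(d, z) != 1:
        raise ValueError("d must be relatively prime to z")
    e = pow(d, -1, z)                 # modular inverse, so e*d = 1 mod z
    return (n, e), (n, d)


def rsa_encrypt(P: int, pub: tuple[int, int]) -> int:
    n, e = pub
    if not 0 <= P < n:
        raise ValueError("plaintext block must satisfy 0 <= P < n")
    return pow(P, e, n)               # C = P^e mod n


def rsa_decrypt(C: int, priv: tuple[int, int]) -> int:
    n, d = priv
    return pow(C, d, n)               # P = C^d mod n


def encrypt_bytes(data: bytes, pub: tuple[int, int]) -> list[int]:
    """One byte per block (needs n > 255); equal bytes give equal ciphertexts, the ECB-like leak."""
    return [rsa_encrypt(b, pub) for b in data]


def decrypt_bytes(blocks: list[int], priv: tuple[int, int]) -> bytes:
    return bytes(rsa_decrypt(c, priv) for c in blocks)


def factor_attack(n: int) -> tuple[int, int]:
    """Trial division: trivial for this n, infeasible for a real modulus (the RSA assumption)."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


def recover_private_key(pub: tuple[int, int]) -> tuple[int, int]:
    """Given only (n, e): factor n, recompute z, invert e. This is why factoring must be hard."""
    n, e = pub
    p, q = factor_attack(n)
    z = (p - 1) * (q - 1)
    return n, pow(e, -1, z)


if __name__ == "__main__":
    pub, priv = rsa_keygen(p=61, q=53, d=2753)     # n = 3233, z = 3120, e = 17
    C = rsa_encrypt(65, pub)
    print(pub, priv, C, rsa_decrypt(C, priv))
    blocks = encrypt_bytes(b"attack", pub)
    print(blocks, decrypt_bytes(blocks, priv))
    print(recover_private_key(pub))
```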
Authentication
- Authentication
- Digital Signature
- Message Digest
Authentication (cont.)
- What's authentication? Proving a unique digital identity
- Applications
  E-transactions via networks
  E-elections via networks
  Privacy Enhanced Mail (PEM)
Digital Signature
- 3 requirements
  Authentication: the receiver can verify the claimed identity of the sender
  Non-repudiation: the sender cannot later repudiate the contents of the message
  Integrity: the receiver cannot possibly have concocted the message itself
Authentication without Encryption
- Authentication only, without message encryption
  e.g., a message broadcast from an authorized source
- Solution: Message Digest (MD)
  Use a secure (one-way) hash function H to compute a fixed-size tag H(M||S_AB), called a message digest, for a given message M concatenated with a shared secret value S_AB
  The receiver, who also knows S_AB, recomputes the tag and compares; an attacker without S_AB cannot produce a valid tag for a modified message
  This is a secret-key "digital signature" (a message authentication code); in current practice the keyed construction used is HMAC (RFC 2104) rather than a bare hash of message and secret
MD5 message-digest algorithm
- Specified in RFC 1321, developed by Ron Rivest in 1992
- Pads an arbitrary-length message to a multiple of 512 bits, then produces a 128-bit message digest
- Every bit of the hash code is a function of every bit in the input
- Rivest's conjecture
  The difficulty of coming up with two messages having the same message digest is on the order of 2^64 operations
  The difficulty of finding a message with a given digest is on the order of 2^128 operations
- The collision conjecture has since fallen: practical MD5 collisions were demonstrated in 2004, so MD5 is no longer suitable where collision resistance matters (digital signatures, certificates)
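The shared-secret digest from the previous slide, H(M||S_AB), next to HMAC-MD5, the standard keyed-hash construction. This is an added example, not code from the textbook; the shared secret and messages are constructed. MD5 is kept only because the slides discuss it; a practitioner would choose SHA-256. The verification compares tags with hmac.compare_digest so the comparison time does not reveal how many bytes matched. The truncated 96-bit form at the end is the one IPsec AH/ESP use (HMAC-MD5-96, RFC 2403), which the IPsec slides later assume.

```python
"""Shared-secret message digest vs. HMAC-MD5 (added example)."""
import hashlib
import hmac

SECRET = b"S_AB: constructed shared secret"   # constructed; in practice a random key


def digest_tag(message: bytes, secret: bytes = SECRET) -> bytes:
    """Slide construction: one-way hash of the message concatenated with the shared secret."""
    return hashlib.md5(message + secret).digest()


def hmac_tag(message: bytes, secret: bytes = SECRET) -> bytes:
    """HMAC-MD5 (RFC 2104): H((K xor opad) || H((K xor ipad) || M)), 16-byte tag."""
    return hmac.new(secret, message, hashlib.md5).digest()


def hmac_md5_96(message: bytes, secret: bytes = SECRET) -> bytes:
    """HMAC-MD5-96 as used by IPsec AH/ESP (RFC 2403): the first 96 bits of the HMAC tag."""
    return hmac_tag(message, secret)[:12]


def verify(message: bytes, tag: bytes, secret: bytes = SECRET, keyed=hmac_tag) -> bool:
    """Recompute the tag with the shared secret and compare in constant time."""
    return hmac.compare_digest(keyed(message, secret), tag)


def forge_without_secret(message: bytes) -> bytes:
    """What an attacker who lacks S_AB can do: hash the message alone. It never verifies."""
    return hashlib.md5(message).digest()


if __name__ == "__main__":
    m = b"transfer 100 to account 42"
    t = hmac_tag(m)
    print(t.hex(), verify(m, t), verify(b"transfer 900 to account 42", t))
    print(verify(m, forge_without_secret(m)))
```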
Application Layer Security
- Secure Socket Layer (SSL)
- Secure Electronic Transaction (SET)
Secure Socket Layer (SSL)
- Why SSL? Provide an encryption layer between the application and TCP layers

[Figure: protocol stack with SSL inserted between Application and TCP, above IP: Application / SSL / TCP / IP]
What's SSL?
- RFC 2246, the Transport Layer Security (TLS) 1.0 protocol, is the IETF standardization of SSL
- Originally developed by Netscape in 1994
- Encrypts data with various algorithms: DES, Triple DES, RSA, digital signature
- SSL contents
  SSL server authentication
  SSL client authentication
  Encrypted SSL session
SSL Handshake (message sequence between client and server)
- Client -> Server: ClientHello
- Server -> Client: ServerHello
- Server -> Client: Certificate (server certificate)
- Server -> Client: CertificateRequest (request client certificate)
- Client -> Server: Certificate (client certificate)
- Client -> Server: ClientKeyExchange (RSA)
- Client -> Server: CertificateVerify (digital signature over the handshake)
- Both sides: ChangeCipherSpec, then Finished
- Encrypted data stream (e.g., DES)
Secure Electronic Transaction (SET)
- Why SET? SSL only secures the communication data between client and server
- Problems with SSL alone
  Server: may misuse the client's credit card, since the merchant sees the card number
  Client: may send an unauthorized credit card number
- SET is a security mechanism for e-transactions via networks
- The same procedure as a traditional card transaction, but over the network
What's SET?
- Developed by VISA, MasterCard, IBM, Microsoft, and HP in 1996
- Members
  Cardholder
  Merchant
  Issuer (credit card bank)
  Acquirer (bank)
  Certificate Authority (CA)
- Two types of payment
  E-wallet
  Credit card
SET Mechanism
- Confidentiality: data encrypted with DES and RSA
- Authentication: digital signature with RSA (cardholder, merchant, and bank)
- Integrity: digital envelope to exchange the DES key; the DES key is encrypted with the receiver's RSA public key
- Non-repudiation: digital signature with RSA
SET Operation
[Figure: numbered steps 1 to 12 of a SET transaction. The cardholder's e-wallet talks to the merchant server over the Internet; the merchant forwards to the payment gateway over the Internet; the payment gateway settles with the acquirer (bank), which contacts the issuer (credit card bank); the CA issues the certificates the parties use. Responses return along the same path to the cardholder.]
Network Layer Security
- IP Security (IPsec)
- Virtual Private Network (VPN)
IPsec
- Why IPsec? Provide interoperable, high-quality, cryptographically-based security for IPv4 and IPv6 communication
- Security services
  Access control
  Integrity
  Authentication
  Confidentiality
Components of IPsec
- Traffic security
  Authentication Header (AH): integrity, authentication
  Encapsulating Security Payload (ESP): confidentiality, and optionally integrity and authentication of the encapsulated data
- Key management and distribution
  Simple Key-management for IP (SKIP)
  Internet Key Exchange (IKE)
Key Concept: Security Association
- A one-way relationship between a sender and a receiver
- For a two-way secure exchange, two security associations are required
- Uniquely identified by the destination IP address and an SPI (Security Parameter Index) carried in the AH or ESP header
- Parameters
  Authentication algorithm, mode, key(s)
  Encryption algorithm, mode, transform, key(s)
  Lifetime of the keys and of the security association
  Security level, source IP, ...
Authentication
- RFC 1828 specifies the use of keyed MD5 for authentication
- The MD5 algorithm is performed over the IP packet plus a secret key, and the result is inserted into the IP packet (header fields that change in transit, such as TTL and the header checksum, are treated as zero for the calculation)
- At the destination, the same calculation is performed on the IP packet plus the secret key and compared to the received value
- Provides both authentication and data integrity
Authentication (cont.)
- Two ways in which the IP authentication service can be used
  End-to-end: between the two communicating hosts
  End-to-intermediate: between a host and a router/firewall at the edge of its intranet

[Figure: Internet connected through a router/firewall to an intranet; an end-to-intermediate association terminates at the router/firewall, an end-to-end association continues to the host inside the intranet.]
Authentication Header format (bit positions 0, 8, 16, 31)
Original layout:
  Next Header (8) | Length (8) | Reserved (16)
  Security Parameters Index (SPI) (32)
  Authentication Data (variable)
Layout with a Sequence Number field (RFC 2402), used for anti-replay protection:
  Next Header (8) | Length (8) | Reserved (16)
  Security Parameters Index (SPI) (32)
  Sequence Number Field (32)
  Authentication Data (variable)
- Length: length of the Authentication Data field in 32-bit words
- Security Parameters Index: identifies a security association
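An inbound AH check as a receiver performs it: find the SA by (destination, SPI), reject replays with a sliding window over the Sequence Number field, verify the Authentication Data, and only then advance the window. This is an added example written for this page; it is not code from the textbook or from any IPsec stack. It follows the slide's layout with the Sequence Number field, reads Length as the slide defines it (Authentication Data length in 32-bit words; RFC 2402's Payload Len is instead the whole AH length in words minus 2), and uses HMAC-MD5-96 (RFC 2403) over the AH with its Authentication Data zeroed plus the payload. No outer IP header is built, so zeroing the IP header's mutable fields is left out. Keys, SPIs, addresses and payloads are constructed.

```python
"""IPsec AH: build, parse, verify ICV, enforce anti-replay (added example)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

AH_FIXED = struct.Struct("!BBHII")   # next header, length, reserved, SPI, sequence number
ICV_LEN = 12                         # HMAC-MD5-96: 96 bits of Authentication Data


@dataclass
class SecurityAssociation:
    dst: str                          # destination address; with the SPI it identifies the SA
    spi: int
    key: bytes
    window: int = 64                  # anti-replay window in sequence numbers
    highest_seq: int = 0              # highest sequence number accepted so far
    bitmap: int = 0                   # bit i set = sequence number (highest_seq - i) already seen


def expected_icv(sa: SecurityAssociation, ah_and_payload: bytes) -> bytes:
    """HMAC-MD5-96 over the AH with the Authentication Data field zeroed, then the payload."""
    head = ah_and_payload[:AH_FIXED.size]
    rest = ah_and_payload[AH_FIXED.size + ICV_LEN:]
    return hmac.new(sa.key, head + b"\0" * ICV_LEN + rest, hashlib.md5).digest()[:ICV_LEN]


def build_ah(sa: SecurityAssociation, seq: int, payload: bytes, next_header: int = 17) -> bytes:
    """Outbound: fixed fields, ICV slot, payload; the ICV is computed with the slot zeroed."""
    fixed = AH_FIXED.pack(next_header, ICV_LEN // 4, 0, sa.spi, seq)
    icv = expected_icv(sa, fixed + b"\0" * ICV_LEN + payload)
    return fixed + icv + payload


def parse_ah(data: bytes):
    """Return (next_header, spi, seq, icv, payload); ValueError if the header is truncated."""
    if len(data) < AH_FIXED.size:
        raise ValueError("truncated AH")
    next_header, length, _reserved, spi, seq = AH_FIXED.unpack_from(data)
    end = AH_FIXED.size + length * 4          # Length counts 32-bit words of Authentication Data
    if len(data) < end:
        raise ValueError("truncated Authentication Data")
    return next_header, spi, seq, data[AH_FIXED.size:end], data[end:]


def replay_check(sa: SecurityAssociation, seq: int) -> bool:
    """True if seq has not been seen and is not older than the window."""
    if seq == 0:                              # the first packet on an SA carries sequence number 1
        return False
    if seq > sa.highest_seq:
        return True                           # right of the window: certainly new
    diff = sa.highest_seq - seq
    if diff >= sa.window:
        return False                          # left of the window: too old to track
    return not (sa.bitmap >> diff) & 1


def replay_update(sa: SecurityAssociation, seq: int) -> None:
    """Record seq; call only after the ICV verified, so a forged packet cannot move the window."""
    if seq > sa.highest_seq:
        shift = seq - sa.highest_seq
        sa.bitmap = ((sa.bitmap << shift) | 1) & ((1 << sa.window) - 1)
        sa.highest_seq = seq
    else:
        sa.bitmap |= 1 << (sa.highest_seq - seq)


def inbound(sa_table: dict, dst: str, packet: bytes) -> str:
    """Process one AH packet addressed to dst; returns 'accept' or the reason it was dropped."""
    try:
        _next, spi, seq, icv, _payload = parse_ah(packet)
    except ValueError as exc:
        return f"malformed: {exc}"
    sa = sa_table.get((dst, spi))
    if sa is None:
        return "no SA"
    if not replay_check(sa, seq):             # cheap check before the MAC
        return "replay"
    if len(icv) != ICV_LEN or not hmac.compare_digest(icv, expected_icv(sa, packet)):
        return "bad ICV"
    replay_update(sa, seq)
    return "accept"


if __name__ == "__main__":
    sa = SecurityAssociation("10.0.0.2", 0x1000, b"constructed 16-byte key!")
    table = {(sa.dst, sa.spi): sa}
    pkt = build_ah(sa, 1, b"hello")
    print(inbound(table, "10.0.0.2", pkt), inbound(table, "10.0.0.2", pkt))
```

The order of the checks matters: the replay test runs before the MAC because it is cheap, but the window is only updated after the MAC verifies, otherwise an attacker could send forged packets with high sequence numbers and push legitimate traffic out of the window.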
Encapsulating Security Payload
- Provides support for privacy and data integrity for IP packets
- Two modes
  Transport-mode ESP encrypts a transport-layer segment
  Tunnel-mode ESP encrypts an entire IP packet
- ESP header
  SPI
  Parameters dependent on the encryption algorithm (e.g., an initialization vector)
Transport-Mode ESP
- Encrypts the data carried by IP
- The ESP header is inserted into the IP packet immediately before the transport-layer header (after the Destination Options header, if one is present)
- Susceptible to traffic analysis on the transmitted packets, since the IP header stays in the clear
- End-to-end transport

  IP Header | Ext. Header | ESP Header | Transport-layer segment
  <------ unencrypted -------------->   <------ encrypted ----->
Tunnel-Mode ESP
- Encrypts an entire IP packet
- Counters the traffic analysis problem: the inner addresses are hidden
  The source sends the encrypted IP packet to its firewall
  The firewall sends it to the destination firewall
  The destination firewall forwards it to the destination

  IP Header | Ext. Header | ESP Header | IP header + Transport-layer segment
  <------ unencrypted -------------->   <------------ encrypted ---------->
Authentication Plus Privacy
- Encryption before authentication
  Transport-mode ESP: authentication applies to the entire IP packet delivered to the ultimate destination
  Tunnel-mode ESP: authentication applies to the entire IP packet delivered to the firewall

  IP Header | Auth. Header | ESP Header | Transport-layer segment | E-T
            <------------------ scope of authentication ------------->
  E-T: Encapsulating Security Payload trailing fields
Authentication Plus Privacy (cont.)
- Authentication before encryption
  Only appropriate for tunnel-mode ESP
  The slides argue it is better: the AH is itself protected by ESP, and it is more convenient to authenticate the unencrypted data and then protect everything by encryption
  Later cryptographic analysis favors the opposite order (encrypt, then authenticate the ciphertext, which is what ESP with its own integrity check does); the convenience argument here should not be read as a security advantage

  IP-H | ESP-H | IP-H | A-H | Transport-layer segment | E-T
                <------- scope of authentication ------>
Key management
- SKIP
  Proposed by Sun Microsystems
  Applies the Diffie-Hellman key exchange algorithm to derive a shared secret key
  For security, each party's Diffie-Hellman public key is authenticated by a Certificate Authority (CA)
  Needs Public Key Infrastructure (PKI) support
Key management (cont.)
- ISAKMP/Oakley (IKE)
  Oakley defines the key exchange (how the keys are derived)
  ISAKMP defines the framework for negotiating security associations and distributing keys
- Two phases
  Phase 1: ISAKMP SA establishment. The two ISAKMP peers establish a secure, authenticated channel over which to communicate. Unlike an IPsec SA, the ISAKMP SA is bi-directional
  Phase 2: use the ISAKMP SA to construct the AH or ESP SAs
Virtual Private Network (VPN)
- Why VPN? Enterprises need a private data network
  Leased line
  X.25, Frame Relay, and ATM
  Custom-made service
- Disadvantages of leased lines
  Complex configuration
  High cost of network access equipment
VPN
- What is a VPN? Private network communication built on a public network
- How to implement a VPN
  Tunneling
  Encryption and decryption
  Key management
  Authentication
Tunneling
- Layer 2 tunneling
  Extends the PPP model by allowing the L2 and PPP endpoints to reside on different devices
  Saves the long-term toll charge: uses the Internet to transmit PPP frames
  Supports multiple protocols (IP, IPX, NetBEUI, AppleTalk) by taking advantage of PPP
  PPTP, L2TP
- Layer 3 tunneling
  IPsec
PPTP
- Microsoft-proposed protocol
- PPP frames are encapsulated in IP packets (using GRE)
- Tunnel modes
  Client-initiated: the client creates the PPTP connection to the remote PPTP server directly
  ISP-initiated: the client creates a PPP session with the ISP's access server; the access server builds the tunnel to the remote PPTP server
- Multiplexing: Call ID
L2TP
- Combines Cisco-proposed L2F and PPTP
- Message types
  Control message: establishment, maintenance and clearing of tunnels and calls; transmitted on a reliable control channel
  Data message: encapsulates the PPP frames carried over the tunnel; transmitted on an unreliable data channel
- Multiplexing: Call ID
Other issues
- Encryption and decryption: previously described
- Key management: described in the IPsec section
- Authentication
  User authentication: password, ID card; PAP, CHAP in PPP (PAP sends the password in the clear, CHAP uses a challenge-response so the password itself is never transmitted)
  Equipment authentication: X.509 certificate
VPN types
- Virtual Leased Line (VLL): the simplest type of VPN
- Virtual Private Routed Network (VPRN): works at the network layer
- Virtual Private Dial Network (VPDN)
- Virtual Private LAN Segment (VPLS): works at the link layer
Virtual Leased Line (VLL)
- Two CPE devices are connected by a point-to-point link
- Each CPE connects to an ISP node via a link-layer connection; IP tunnels are set up between the ISP nodes
- Link-layer types
  ATM VCC
  Frame Relay circuit
- To the customer, it looks as if a single ATM VCC or Frame Relay circuit were used to interconnect the CPE devices
VLL example
[Figure: CPE 10.2.3.5 connects over a Frame Relay circuit to an ISP edge node; an IP tunnel crosses the IP backbone to a second ISP edge node, which connects over a Frame Relay circuit to CPE 10.2.3.6. The two CPEs share subnet 10.2.3.4/30.]
Virtual Private Routed Network (VPRN)
- Packet forwarding is carried out at the network layer
- A VPRN consists of
  A mesh of IP tunnels between ISP routers
  Routing capabilities needed to forward site traffic
  A VPRN-specific forwarding table located at each ISP router
- Benefit
  Minimum complexity and configuration of CPE routers; the heavy work is done by the ISP edge routers
- Disadvantage
  Poor scalability: a full-mesh topology is not appropriate when the number of ISP routers is large
VPRN example
[Figure: three ISP edge routers on an IP backbone, fully meshed by IP tunnels over links 10.11.11.1/30, 10.11.11.4/30 and 10.11.11.7/30. CPE routers attach by stub links 10.5.5.0/30, 10.6.6.0/30, 10.7.7.0/30 and 10.8.8.0/30. A backdoor link joins two CPE routers directly without crossing the ISP network.]
Virtual Private Routed Network (VPRN) (cont.)
- A backup link is used in case the primary link fails
- A backdoor link is a link between two customer sites that does not traverse the ISP network
Virtual Private Dial Network (VPDN)
- A remote user connects through an ad hoc tunnel into another site
- The user is connected to a public IP network via a dial-up PSTN or ISDN link
- L2TP allows the extension of the user's PPP session from an L2TP Access Concentrator (LAC) to a remote L2TP Network Server (LNS)
Tunneling mechanisms
- Compulsory tunneling
  The LAC extends a PPP session across a backbone using L2TP to a remote LNS
  The dial and network access server acts as the LAC
- Voluntary tunneling
  An individual host connects to a remote site using a tunnel originating on the host, with no involvement from intermediate network nodes
Compulsory tunneling example
[Figure: HOST 10.2.3.5 dials into the NAS, which acts as the LAC; an L2TP tunnel crosses the IP backbone to the corporate gateway GW (LNS) 10.2.3.6 in front of the corporate network. The PPP session runs from the host all the way to the LNS.]
Voluntary tunneling example
[Figure: HOST 10.2.3.5 acts as the LAC itself; it dials into the NAS and builds, across the IP backbone, either an L2TP tunnel carrying its PPP session or an IPsec tunnel to the corporate gateway GW (LNS) 10.2.3.6 in front of the corporate network.]
Virtual Private LAN Segment (VPLS)
- Emulation of a LAN segment using Internet facilities
- Difference from VPRN: each VPLS edge node implements link-layer bridging rather than network-layer forwarding
VPLS example
[Figure: three ISP edge nodes on an IP backbone, joined by IP tunnels; each has a CPE attached by a stub link, with the CPEs addressed 10.5.5.1/24, 10.5.5.2/24 and 10.5.5.3/24, i.e. all on one emulated LAN segment.]
Open Source Implementation: FreeS/WAN
- Main components
  KLIPS (KerneL IP Security): the kernel IPsec; works as a module in the Linux kernel and implements AH, ESP, and packet handling within the kernel
  Pluto: the IKE daemon; implements IKE, negotiating connections with other systems
  Administrator interface
Main flowchart of FreeS/WAN
  START -> init_module() -> ipsec_init() -> ... -> cleanup_module()

Flowchart of ipsec_init(), Part I
  ipsec_tdbinit()
  ipsec_radijinit()
  pfkey_init()
  register_netdevice_notifier()
  if ESP configured: inet_add_protocol(&esp_protocol)
  if AH configured: inet_add_protocol(&ah_protocol)
  if IPCOMP configured: inet_add_protocol(&comp_protocol)

Flowchart of ipsec_init(), Part II
  ipsec_tunnel_init_device()
  if SYSCTL configured: ipsec_sysctl_register()
  RETURN
Function description
- ipsec_tdbinit(): initializes the tunnel description block. The TDB records information about a communication: source IP, destination IP, error message, current status, ...
- ipsec_radijinit(): initializes a radix tree structure for the IPsec routing table
- pfkey_init(): key distribution and management for the two communication endpoints (the PF_KEY socket interface used by the key-management daemon)
Function description (cont.)
- register_netdevice_notifier(): registers ipsec as a virtual network interface, which should be mapped to a physical interface
- inet_add_protocol(): registers the protocol handler with the kernel's inet layer, depending on the options configured by the administrator
- ipsec_rcv(): the protocol (receive) handler
- ipsec_tunnel_init_device(): defines the operations of the ipsec devices
- ipsec_sysctl_register(): used if sysctl support is configured
Flowchart of Pluto
  START -> initialization
  loop: wait for event
    timer event? YES -> invoke timer handler
                 NO  -> invoke packet handler
    back to wait for event
7.3 Firewall
- Introduction
- Network layer: packet filter
- Application layer: TIS (Trusted Information Systems) firewall toolkit
Introduction of Firewall
- A system or group of systems that enforces an access control policy between two networks
- Redirects requests to the actual server
- Hides intranet servers from the Internet
- Access logs, intrusion detection and alarms
What can a firewall protect against?
- Protects against unauthenticated interactive logins from the "outside" world
- Records and monitors the status of the protected network
  Suspicious data access
  Abnormal instructions in the protected network
- Intrusion detection against network-borne attacks
Firewall categories
- Network layer firewall
- Application layer firewall
Network layer firewall
- Works on the network layer of the OSI model
- Packet filter: based on the header of the IP packet and rules defined by the administrator
- Fields checked
  Protocol ID
  Source IP address
  Destination IP address
  Source TCP/UDP port
  Destination TCP/UDP port
Screened Host Firewall
[Figure: Internet connected through an IP filtering router to the private network; the bastion host sits on the private network. Traffic from the Internet to the bastion host is allowed, traffic from the Internet directly to other private hosts is disallowed.]
Screened host firewall
- Bastion host
  An exposed gateway machine
  A highly-defended and secured strong point that can resist attack
- Router operation
  Traffic from the Internet to the bastion host is permitted
  All traffic from inside to the Internet is rejected unless it comes from the bastion host
- Advantage: simple router filtering rules
- Disadvantage: packets can go inside directly; any filter rule that admits Internet traffic to the private network bypasses the bastion host
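A stateless packet filter over the five header fields listed on the network-layer firewall slide, with the screened-host router policy above written as a rule list. This is an added example, not code from the textbook or any firewall product; the addresses (a documentation prefix for the bastion host and the Internet client, 10.0.0.0/8 for the private network), the rule set and the sample packets are constructed. Rules are evaluated top to bottom, first match wins, and an unmatched packet is denied, which is the default a practitioner wants. The last function shows the disadvantage from the slide: one careless allow rule lets Internet packets reach a private host without touching the bastion.

```python
"""Stateless packet filter with a screened-host policy (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"
    src: str = "any"             # CIDR or "any"
    dst: str = "any"
    sport: Optional[int] = None  # None = any port
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, int]:
    """First matching rule decides; returns (action, rule index), or ('deny', -1) by default."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", -1


# Constructed addresses: bastion host in a documentation prefix, private network in 10/8.
BASTION = "203.0.113.10/32"
PRIVATE = "10.0.0.0/8"

# The screened-host router policy from the slide.
SCREENED_HOST_RULES = [
    Rule("allow", dst=BASTION),     # Internet (and inside) to bastion host: permitted
    Rule("allow", src=BASTION),     # bastion host may talk to anyone
    Rule("deny", src=PRIVATE),      # inside to Internet: rejected unless via the bastion
]                                   # everything else, e.g. Internet to a private host: default deny


def careless_rules() -> list[Rule]:
    """The slide's disadvantage: a web-server convenience rule lets packets go inside directly."""
    return [Rule("allow", proto="tcp", dst=PRIVATE, dport=80)] + SCREENED_HOST_RULES


def audit(rules: list[Rule], packets: list[Packet]) -> list[str]:
    """Human-readable decisions, one line per packet, for reviewing a rule set."""
    lines = []
    for p in packets:
        action, idx = evaluate(rules, p)
        lines.append(f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {action} (rule {idx})")
    return lines


if __name__ == "__main__":
    samples = [
        Packet("tcp", "198.51.100.7", "203.0.113.10", 40000, 80),
        Packet("tcp", "198.51.100.7", "10.0.0.5", 40000, 80),
        Packet("udp", "10.0.0.5", "8.8.8.8", 5353, 53),
    ]
    print("\n".join(audit(SCREENED_HOST_RULES, samples)))
    print("\n".join(audit(careless_rules(), samples)))
```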
Screened subnet Firewall
[Figure: Internet connected through an outer IP filtering router to the DMZ, where the bastion host sits; an inner IP filtering router separates the DMZ from the private network.]
Screened subnet firewall
- DMZ (demilitarized zone): an area between the inside firewall and the outside firewall
  The inside firewall is the router located at the private network
  The outside firewall is the Internet access router
- Hosts in the private network are protected by two or more firewalls
- Two routers create the private network and the DMZ
- Advantages
  No host in the private network is exposed to the Internet
  The router close to the private network has better routing performance than a bastion host
Application layer firewall
- Works on the application layer of the OSI model
- Proxy server
Dual-Homed gateway
[Figure: Internet on one side, private network on the other, joined only by the dual-homed gateway, whose IP routing and forwarding are disabled.]
Dual-Homed gateway
- A highly secured host that runs proxy software
- Blocks all IP traffic between the two networks
- Routing and forwarding capability are disabled, so only the proxies carry traffic across
Open Source Implementation: Netfilter
- What is netfilter? A set of checkpoints in a packet's traversal of the protocol stack; the checkpoints are called hooks
- Actions taken on hooks
  NF_ACCEPT
  NF_DROP
  NF_STOLEN
  NF_QUEUE
  NF_REPEAT
- Packet selection is done by IP Tables
Open Source Implementation: Netfilter (cont.)
- Hooks in packet traversal
  NF_IP_PRE_ROUTING -> ROUTE -> NF_IP_LOCAL_IN -> Local Process
  ROUTE -> NF_IP_FORWARD -> NF_IP_POST_ROUTING
  Local Process -> NF_IP_LOCAL_OUT -> ROUTE -> NF_IP_POST_ROUTING
Open Source Implementation: iptables
- Rule structure
  struct ipt_entry
    struct ipt_ip ip (addresses, masks, interfaces and protocol to match)
    nf_cache
    target_offset
    next_offset
    comefrom
    struct ipt_counters counters
  followed by zero or more struct ipt_entry_match
  followed by struct ipt_entry_target
Open Source Implementation: TIS
- A set of programs to facilitate building a network firewall
- Software components
  smap: SMTP service
  netacl: TELNET service, finger, and access control list
  ftp-gw, http-gw, rlogin-gw, telnet-gw: proxy servers for FTP, HTTP, rlogin, and telnet
http-gw
- A proxy server with proxy capability for HTTP, gopher, and FTP
- May cooperate with Squid: http-gw has no caching capability, Squid acts as a caching Web proxy
- May filter specific URLs or sites
netperm-table
- Common configuration file for TIS
- Rule matching is from top to bottom, left to right
- Example of the http-gw part of netperm-table
  http-gw: userid root
  http-gw: directory /www_data
  http-gw: timeout 60
  http-gw: permit-hosts 177.3.4.*
  http-gw: deny-hosts *
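The matching order stated above (top to bottom, then left to right within a line) decides who may use the proxy, and getting it wrong is a classic configuration error. The following parser is an added example written for this page, not the FWTK's own code: it handles the slide's fragment, with one extra permitted host added, and the dotted-quad wildcard in the simple form the slide shows (a trailing * octet or a bare *). Client addresses are constructed.

```python
"""Parse a netperm-table fragment and decide host access in rule order (added example)."""

NETPERM_TABLE = """\
# constructed from the slide's http-gw fragment, with a second permitted host
http-gw: userid root
http-gw: directory /www_data
http-gw: timeout 60
http-gw: permit-hosts 177.3.4.* 192.0.2.7
http-gw: deny-hosts *
"""

HOST_ATTRS = ("permit-hosts", "deny-hosts")


def parse_netperm(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (application, attribute, values) triples in file order; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        app, rest = line.split(":", 1)
        parts = rest.split()
        if not parts:
            raise ValueError(f"rule without attribute: {raw!r}")
        rules.append((app.strip(), parts[0], parts[1:]))
    return rules


def host_matches(pattern: str, host: str) -> bool:
    """Dotted-quad pattern whose octets are numbers or '*'; a bare '*' matches every host."""
    if pattern == "*":
        return True
    p, h = pattern.split("."), host.split(".")
    if len(p) != 4 or len(h) != 4:
        return False
    return all(po == "*" or po == ho for po, ho in zip(p, h))


def host_allowed(rules, app: str, host: str) -> bool:
    """Top to bottom over rules, left to right over patterns; the first hit decides. No hit: deny."""
    for rule_app, attr, values in rules:
        if rule_app != app or attr not in HOST_ATTRS:
            continue
        for pattern in values:
            if host_matches(pattern, host):
                return attr == "permit-hosts"
    return False


def settings(rules, app: str) -> dict[str, str]:
    """Non-host attributes for an application, e.g. userid, directory, timeout."""
    return {attr: " ".join(values) for rule_app, attr, values in rules
            if rule_app == app and attr not in HOST_ATTRS}


def swapped_order_table() -> str:
    """The same table with deny-hosts listed first: because matching stops at the first hit,
    the permit line is now unreachable and every client is denied."""
    lines = NETPERM_TABLE.splitlines()
    permit = next(l for l in lines if "permit-hosts" in l)
    deny = next(l for l in lines if "deny-hosts" in l)
    return "\n".join(deny if l == permit else permit if l == deny else l for l in lines) + "\n"


if __name__ == "__main__":
    rules = parse_netperm(NETPERM_TABLE)
    print(settings(rules, "http-gw"))
    for client in ("177.3.4.9", "177.3.5.9", "192.0.2.7"):
        print(client, host_allowed(rules, "http-gw", client),
              host_allowed(parse_netperm(swapped_order_table()), "http-gw", client))
```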
http-gw example of the Trusted Information Systems (TIS) toolkit (flowchart)
  START
  Running as a daemon? YES: bind, listen, accept; NO (started from inetd): the connection is already open
  fork: the parent returns to accept; the child (fork = 0) continues
  Read configuration (netperm-table)
  Get the user's HTTP request
  Forward the HTTP request
  Receive the HTTP response
  Content type text/html? YES: content filter with a finite state machine (FSM); NO: block transfer between the two connections
  END
7.4 Intrusion Detection System
- Introduction
- Intrusion
- Protection
- Open Source Implementation: Snort
Network Intrusion
- What's a network intrusion? Intruding into a system via networks such as the Internet and intranets

[Figure: a login exchange with a server ("===== Welcome ===== / Login: Unsafe / Password: HereYouAre") observed on the network, showing credentials sent in the clear.]
Why network intrusion?
- For fun
- To gather information or resources of the target system
- To damage data and files
- To crash the target system
Intrusion Procedure
  Gather information -> Intrude -> Crack target -> Get information -> Embed backdoor for the next visit -> Clear logs
Intrusion Ways
- Monitoring
- Password Cracking
- Security Holes
- Malicious Code
- Denial of Service
- Scanning
Monitoring
- What's monitoring? Monitoring the MAC frames, IP packets, and application-layer information of the target system
  To get MAC addresses
  To get TCP/IP information
  To get usernames and passwords
  To get other useful information
- Tools
  Sniffit, http://reptile.rug.ac.be/~coder/sniffit/sniffit.html
  NetXray
Password Cracking
- How to crack a password
  Guess
  Brute force with a dictionary file
    Unix: /etc/passwd and /etc/shadow files
    Windows 2000: SAM file
  Plaintext transmission without encryption
- Tools
  Netcat, http://www.atstake.com/research/tools/nc11nt.zip
  WWWHack, http://packetstorm.securify.com/Crackers/wwwhack.zip
  L0phtCrack, http://www.l0pht.com/l0phtcrack/dist/l0phtcrack25.exe
  John the Ripper (john-16d.zip), http://www.openwall.com/john
Security Holes
- What's a security hole? A bug in a system, application, or protocol
- Types of security hole
  Buffer overflow
  Input validation error
  Configuration error
  System bug
  Software bug
  Protocol bug
Buffer overflow
- Put more data into the specified buffer than it can hold; the excess overwrites what lies beyond the buffer on the stack
- The saved return address is overwritten with the address of the attacker's code (the "cracked file address"), so when the function returns it executes that code instead of returning to its caller
- Code on the slide:
  void called() {
      . . .
      char buffer[200];
      . . .
  }

[Figure: stack layout before and after the overflow. Before: the stack pointer points at buffer (200 bytes), with the saved return address further up the stack. After: data written past the end of the 200-byte buffer reaches the return address slot, which now holds the cracked file address.]
Malicious Code
- What's malicious code? Computer programs written specifically to cause mischief or, worse, damage to infected computers
- Two types of malicious code
  Backdoor (i.e., Trojan horse)
  Virus
Backdoor, i.e., Trojan Horse
- Unlike a virus, a Trojan horse does not replicate itself
- Stays in the target system
- Masquerades as a legitimate program
- Inflicts damage
- Reports information to the remote attacker
- Allows the remote attacker to take control of the target
Virus
- Self-replicating
- Destructive
- Types of virus
  Macro virus
  COM and EXE virus
  Boot virus
  Joke virus
  Java malicious code
  ActiveX malicious code
  VBScript, JavaScript and HTML virus
Examples
- First Internet worm: the "Internet Worm" by Robert T. Morris Jr., 1988 (a self-propagating worm rather than a file-infecting virus)
- Famous virus spread via e-mail: "I love you", 2000
- Attacks on Microsoft IIS: "Code Red", 2001; "Nimda", 2001
- Virus list: http://www.wildlist.org/
Denial of Service
- What's DoS? Not an intrusion as such, but denying the services of the target system
  Exhausts the target's resources
  Stops it from providing services
How does DoS work?
  TCP SYN flood with IP spoofing attack
  ICMP reply flood attack
  Ping of Death
  Teardrop attack
  UDP flood attack
  DDoS, Distributed DoS: a hierarchy of attacker, master, client, and target
DDoS: Distributed DoS
Launch coordinated UDP flood DoS attacks from many sources.
Hierarchy of attacker, master, client, and target:
  Attacker, the intruder
  A small number of servers, or masters
  A large number of clients, or daemons
  Target, the victim
Two of the tools that have been seen are known as Trinoo (or trin00), Tribe Flood Network (or TFN), and TFN2K.
Figure (DDoS hierarchy): Attacker -> Master (command: port 27665/TCP) -> Agent (command request: port 27444/UDP, reply: port 31335/UDP) -> Targets (attack).
Attacks launched by the agents:
  1. UDP flood attack
  2. TCP SYN flood attack
  3. ICMP echo request flood attack
  4. M attack
  5. Targa3 attack
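Added example (not code from the book) for the TCP SYN flood entry above and for the "network-based monitor: detection of DoS attack" item in the Detection section: a small monitor over a constructed capture window that counts bare SYNs against ACKs. Per-source counting finds a single flooding host; because a SYN flood with IP spoofing spreads the source addresses out, the monitor also keeps an aggregate SYN-to-ACK ratio that fires regardless of how many sources appear. The packet structure, the thresholds and the addresses are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TH_SYN  0x02
#define TH_ACK  0x10
#define MAX_SRC 256

/* Minimal view of one captured TCP segment: what the monitor needs. */
struct pkt {
    uint32_t src;    /* source IPv4 address as a host-order integer */
    uint8_t  flags;  /* TCP flag bits */
};

struct report {
    unsigned total_syn;        /* SYN-only segments: new connection attempts */
    unsigned total_ack;        /* segments carrying ACK: handshakes that progress */
    size_t   flagged_sources;  /* sources above the per-source SYN threshold with no ACK */
    int      aggregate_flood;  /* many SYNs but almost no ACKs overall, whatever the sources */
};

struct src_count { uint32_t src; unsigned syn; unsigned ack; };

static struct src_count *find_or_add(struct src_count *tab, size_t *n, uint32_t src)
{
    for (size_t i = 0; i < *n; i++)
        if (tab[i].src == src) return &tab[i];
    if (*n >= MAX_SRC) return NULL;
    tab[*n].src = src;
    tab[*n].syn = 0;
    tab[*n].ack = 0;
    return &tab[(*n)++];
}

/* Walk a capture window and summarise it. Per-source counting catches one
 * flooding host; the aggregate SYN:ACK ratio still fires when the sources
 * are spoofed and spread across many addresses. */
struct report analyze(const struct pkt *pkts, size_t n, unsigned threshold)
{
    struct src_count tab[MAX_SRC];
    size_t nsrc = 0;
    struct report r = {0, 0, 0, 0};

    for (size_t i = 0; i < n; i++) {
        struct src_count *c = find_or_add(tab, &nsrc, pkts[i].src);
        if ((pkts[i].flags & (TH_SYN | TH_ACK)) == TH_SYN) {
            r.total_syn++;
            if (c) c->syn++;
        } else if (pkts[i].flags & TH_ACK) {
            r.total_ack++;
            if (c) c->ack++;
        }
    }
    for (size_t i = 0; i < nsrc; i++)
        if (tab[i].syn > threshold && tab[i].ack == 0)
            r.flagged_sources++;
    r.aggregate_flood = r.total_syn > threshold && r.total_ack * 10 < r.total_syn;
    return r;
}

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Constructed capture: one host sends 30 bare SYNs, three others complete handshakes. */
struct report demo_single_source(void)
{
    struct pkt cap[36];
    size_t n = 0;
    for (int i = 0; i < 30; i++) cap[n++] = (struct pkt){ ip4(10, 0, 0, 5), TH_SYN };
    for (unsigned h = 1; h <= 3; h++) {
        cap[n++] = (struct pkt){ ip4(192, 168, 1, h), TH_SYN };
        cap[n++] = (struct pkt){ ip4(192, 168, 1, h), TH_ACK };
    }
    return analyze(cap, n, 20);
}

/* Constructed capture: 40 bare SYNs, each from a different spoofed source. */
struct report demo_spoofed_sources(void)
{
    struct pkt cap[40];
    for (unsigned i = 0; i < 40; i++) cap[i] = (struct pkt){ ip4(172, 16, 0, i + 1), TH_SYN };
    return analyze(cap, 40, 20);
}

/* Constructed capture: five ordinary clients, each SYN followed by ACK. */
struct report demo_normal(void)
{
    struct pkt cap[10];
    for (unsigned i = 0; i < 5; i++) {
        cap[2 * i]     = (struct pkt){ ip4(192, 168, 1, 10 + i), TH_SYN };
        cap[2 * i + 1] = (struct pkt){ ip4(192, 168, 1, 10 + i), TH_ACK };
    }
    return analyze(cap, 10, 20);
}

int main(void)
{
    struct report r = demo_single_source();
    printf("single source: syn=%u ack=%u flagged=%zu aggregate=%d\n",
           r.total_syn, r.total_ack, r.flagged_sources, r.aggregate_flood);
    r = demo_spoofed_sources();
    printf("spoofed sources: flagged=%zu aggregate=%d\n", r.flagged_sources, r.aggregate_flood);
    return 0;
}
```

In the spoofed capture no single source crosses the threshold, so only the aggregate ratio reports the flood; in the normal capture every SYN is followed by an ACK and neither test fires. A real monitor would evaluate these counters per time window and per destination port rather than over one static array.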
Scanning
What's scanning? The prelude to an attack: scanning the target's services and security holes only, without actually attacking.
Scanning types:
  Local scanning: COPS, TIGER
  Remote scanning: SATAN (Security Administrator's Tool for Analyzing Networks), SAINT (Security Administrator's Integrated Network Tool), Fluxay
Examples of attacking
Security Hole             | Attack                                   | Type
sendmail                  | Failure to handle exceptional conditions | DoS
Wu-ftpd 2.6               | Buffer overflow                          | Remote exploit
Group Apache 1.3.12       | Design error                             | Remote and local exploits
Piranha with Redhat 6.2   | Configuration error                      | Remote exploit
Linux "man" Malicious     | Access validation error                  | Local exploit
Protection
Prevent (encryption, authentication): refer to 7.2.1 and 7.2.2
Access control (firewall): refer to 7.3
Detection (monitoring, scanning)
Audit (auditing)
Detection
Detection types:
  Monitoring
    Network-based monitor: detection of DoS attack
    Host-based monitor
    Tools: Tripwire, http://www.tripwiresecurity.com; RealSecure, http://www.iss.net
  Scanning
    Scanning for known patterns
    Prevent virus and backdoor programs
Audit
Recording system login and security-related events
  Prevent intrusion
  Trace intrusion
Audit records operations:
  Analyzing
  Maintenance
  Backup
Tools:
  Stalker, http://www.haystack.com
  IDES/NIDES, http://www.sri.com
  Unix's Syslog
  Watchdog, http://www.infstream.com
  /var/adm/sulog file
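Added example (not code from the book) of the audit step over the /var/adm/sulog file listed above: a parser for the classic sulog line layout, "SU MM/DD hh:mm +|- tty from-to", which records each su attempt with "+" for success and "-" for failure, and a count of failed attempts to root per user. The sample log lines are constructed, and the exact layout is an assumption about the system being audited.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in the classic sulog layout (assumed format):
 * "SU MM/DD hh:mm +|- tty from-to", '+' for a successful su, '-' for a failure. */
static const char SAMPLE_SULOG[] =
    "SU 03/18 08:02 + pts/1 alice-root\n"
    "SU 03/18 09:15 - pts/2 bob-root\n"
    "SU 03/18 09:16 - pts/2 bob-root\n"
    "SU 03/18 09:17 - pts/2 bob-root\n"
    "SU 03/18 10:40 + pts/3 bob-operator\n"
    "this line is not an SU record\n"
    "SU 03/18 11:05 - pts/4 carol-root\n";

struct su_event {
    char date[16], time[16], tty[32], from[64], to[64];
    int  success;                     /* 1 for '+', 0 for '-' */
};

/* Parse one sulog line. Returns 1 on success, 0 if it is not a well-formed record. */
int parse_sulog_line(const char *line, struct su_event *ev)
{
    char tag[8], flag[4], fromto[128];
    if (sscanf(line, "%7s %15s %15s %3s %31s %127s",
               tag, ev->date, ev->time, flag, ev->tty, fromto) != 6)
        return 0;
    if (strcmp(tag, "SU") != 0 || flag[1] != '\0' || (flag[0] != '+' && flag[0] != '-'))
        return 0;
    char *dash = strrchr(fromto, '-');          /* split "from-to" at the last dash */
    if (dash == NULL || dash == fromto || dash[1] == '\0')
        return 0;
    *dash = '\0';
    snprintf(ev->from, sizeof ev->from, "%s", fromto);
    snprintf(ev->to, sizeof ev->to, "%s", dash + 1);
    ev->success = (flag[0] == '+');
    return 1;
}

/* 1 if the line records a failed su, 0 if a successful one, -1 if unparsable. */
int line_is_failure(const char *line)
{
    struct su_event ev;
    if (!parse_sulog_line(line, &ev)) return -1;
    return ev.success ? 0 : 1;
}

/* Copy the next line of text into buf and advance *p; returns 0 at end of text. */
static int next_line(const char **p, char *buf, size_t cap)
{
    if (**p == '\0') return 0;
    const char *nl = strchr(*p, '\n');
    size_t len = nl ? (size_t)(nl - *p) : strlen(*p);
    if (len >= cap) len = cap - 1;
    memcpy(buf, *p, len);
    buf[len] = '\0';
    *p = nl ? nl + 1 : *p + strlen(*p);
    return 1;
}

/* Count failed su attempts by `from` to account `to` across a whole log. */
unsigned failed_su_attempts(const char *text, const char *from, const char *to)
{
    unsigned n = 0;
    char line[256];
    struct su_event ev;
    while (next_line(&text, line, sizeof line))
        if (parse_sulog_line(line, &ev) && !ev.success &&
            strcmp(ev.from, from) == 0 && strcmp(ev.to, to) == 0)
            n++;
    return n;
}

/* Number of distinct users with at least `threshold` failed su attempts to `to`. */
size_t suspicious_users(const char *text, const char *to, unsigned threshold)
{
    struct { char from[64]; unsigned fails; } tab[64];
    size_t ntab = 0, suspects = 0;
    char line[256];
    struct su_event ev;
    while (next_line(&text, line, sizeof line)) {
        if (!parse_sulog_line(line, &ev) || ev.success || strcmp(ev.to, to) != 0)
            continue;
        size_t i;
        for (i = 0; i < ntab && strcmp(tab[i].from, ev.from) != 0; i++) { }
        if (i == ntab) {
            if (ntab == 64) continue;          /* table full: ignore further new users */
            snprintf(tab[ntab].from, sizeof tab[ntab].from, "%s", ev.from);
            tab[ntab].fails = 0;
            ntab++;
        }
        tab[i].fails++;
    }
    for (size_t i = 0; i < ntab; i++)
        if (tab[i].fails >= threshold) suspects++;
    return suspects;
}

int main(void)
{
    printf("bob failed su to root %u times\n", failed_su_attempts(SAMPLE_SULOG, "bob", "root"));
    printf("%zu user(s) with 3 or more failures to root\n", suspicious_users(SAMPLE_SULOG, "root", 3));
    return 0;
}
```

Lines that do not parse are skipped rather than trusted, and the user/target pair is split at the last dash so that a target name cannot be confused with a dash in the source user name.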
Open Source Implementation: Snort
Three modes:
  Sniffer: read and decode network packets
  Packet logger: log packets to disk
  Intrusion detection system: analyze traffic based on pre-defined rules and perform actions based upon what it sees
Snort Commands
Command line: snort -[options] <filters>
Sniffer: ./snort -v
  Run snort and show IP and TCP/UDP/ICMP headers
Packet logger: ./snort -dev -l ./log
  Collect packets and place them in the log directory
Intrusion detection system: ./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
Snort Rules
A powerful description language; Snort takes action based upon the rule type.
Divided into two sections:
  Rule header: action, protocol, source and destination IP address, port information
  Rule option: alert message; which part of the packet should be inspected
Writing Snort Rules
Rule header:
  alert tcp any any -> 192.168.1.0/24 111
  (action, protocol, source address and port number, destination address and port number)
Rule option:
  (content: "|00 01 86 a5|"; msg: "mounted access";)
  (inspected part, alert message)
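Added example (not code from the book or from Snort) showing what the rule above asks the engine to do: decode the content option's |..| hex notation into bytes, check the header fields (protocol, destination network and port) and then search the payload for the decoded bytes. The rule and packet structures, the helper names and the RPC payload are constructed for illustration; the content bytes 00 01 86 a5 are the slide's own and encode RPC program number 100005, the mount daemon.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One Snort-style rule reduced to the fields the slide's example uses:
 * alert tcp any any -> 192.168.1.0/24 111 (content: "|00 01 86 a5|"; msg: "mounted access";)
 * Source address and port are "any", so they are not checked here. */
struct rule {
    uint8_t     proto;      /* IP protocol number: 6 = TCP */
    uint32_t    dst_net;    /* destination network, host order */
    uint32_t    dst_mask;   /* /24 -> 0xFFFFFF00 */
    uint16_t    dst_port;
    const char *content;    /* Snort content string: text with |hex| runs */
    const char *msg;
};

/* Decoded view of one packet, enough for header and payload matching. */
struct packet {
    uint8_t              proto;
    uint32_t             dst;
    uint16_t             dport;
    const unsigned char *payload;
    size_t               len;
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode a content string: literal characters outside pipes, hex byte pairs
 * (spaces ignored) inside them. Returns the byte count or -1 if malformed. */
int decode_content(const char *spec, unsigned char *out, size_t max)
{
    size_t n = 0;
    int in_hex = 0;
    for (const char *p = spec; *p; p++) {
        if (*p == '|') { in_hex = !in_hex; continue; }
        if (in_hex && *p == ' ') continue;
        if (n >= max) return -1;
        if (in_hex) {
            int hi = hexval(p[0]), lo = p[1] ? hexval(p[1]) : -1;
            if (hi < 0 || lo < 0) return -1;
            out[n++] = (unsigned char)(hi * 16 + lo);
            p++;                               /* consumed two characters */
        } else {
            out[n++] = (unsigned char)*p;
        }
    }
    return in_hex ? -1 : (int)n;               /* unterminated |...| is an error */
}

int decoded_length(const char *spec)
{
    unsigned char buf[64];
    return decode_content(spec, buf, sizeof buf);
}

/* Byte-string search over the payload: the "inspected part" of the slide. */
int payload_contains(const unsigned char *pl, size_t pl_len,
                     const unsigned char *pat, size_t pat_len)
{
    if (pat_len == 0 || pat_len > pl_len) return 0;
    for (size_t i = 0; i + pat_len <= pl_len; i++)
        if (memcmp(pl + i, pat, pat_len) == 0) return 1;
    return 0;
}

/* Header first (cheap), then the content option. 1 = the alert fires. */
int rule_matches(const struct rule *r, const struct packet *p)
{
    unsigned char pat[64];
    if (p->proto != r->proto || p->dport != r->dst_port) return 0;
    if ((p->dst & r->dst_mask) != (r->dst_net & r->dst_mask)) return 0;
    int patlen = decode_content(r->content, pat, sizeof pat);
    if (patlen < 0) return 0;
    return payload_contains(p->payload, p->len, pat, (size_t)patlen);
}

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (a << 24) | (b << 16) | (c << 8) | d;
}

static const struct rule MOUNT_RULE = {
    6, 0xC0A80100u /* 192.168.1.0 */, 0xFFFFFF00u, 111, "|00 01 86 a5|", "mounted access"
};

/* Constructed payload: an RPC call body with program number 0x000186a5 inside it. */
static const unsigned char RPC_PAYLOAD[] = {
    0x80, 0x00, 0x00, 0x28, 0x12, 0x34, 0x56, 0x78, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x86, 0xa5, 0x00, 0x00, 0x00, 0x01
};

int demo_alert_fires(void)        /* matching host, port and payload */
{
    struct packet p = { 6, ip4(192, 168, 1, 7), 111, RPC_PAYLOAD, sizeof RPC_PAYLOAD };
    return rule_matches(&MOUNT_RULE, &p);
}

int demo_other_network(void)      /* same payload, destination outside 192.168.1.0/24 */
{
    struct packet p = { 6, ip4(10, 0, 0, 7), 111, RPC_PAYLOAD, sizeof RPC_PAYLOAD };
    return rule_matches(&MOUNT_RULE, &p);
}

int demo_other_payload(void)      /* right host and port, a different program number */
{
    static const unsigned char other[] = { 0x00, 0x01, 0x86, 0xa3, 0x00 };
    struct packet p = { 6, ip4(192, 168, 1, 7), 111, other, sizeof other };
    return rule_matches(&MOUNT_RULE, &p);
}
```

The header test is deliberately evaluated before the payload search so that the expensive part runs only for traffic the rule is actually about, which is also the order Snort's two-section rule layout implies.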
Open Source Implementation: Snort (cont.)
Flowchart of Snort start-up, part 1 (boxes as recovered from the slide):
  Parse command line
  Initialize program variables
  Initialize specified interface
  If config data is not specified: set log directory; no rules (sniffing or logging) or exit
  Open interface for reading packets
Open Source Implementation: Snort (cont.)
Flowchart of Snort start-up, part 2 (boxes as recovered from the slide):
  Set packet processor
  If using rule systems: initialize all plugin modules
  Set safe UID and GID
  Set default alert function
  If a command-line alert function is specified: set it
  Assign each interface a thread
Attack vs. Protection
Protection measures: Encryption, Authentication, Access control, Audit, Monitor, Scan.
Attacks and the protection cells recovered from the slide's matrix:
  Password crack: Monitoring, prevent
  Security holes: prevent, Decrease, Record, Detect
  Scanning: Prevent, Record, Detect
  Malicious Code: Record, Detect, Detect
  DoS: Decrease, Record, Detect
  Social Engineering
Pitfalls and misleading
  Private key vs. public key
  Why RSA works?
  Security of DES and Triple DES
  SSL vs. SET
  High-level firewall vs. low-level firewall
Further readings
[1] Dorothy E. Denning, Peter J. Denning, "Internet Besieged", Addison Wesley, Oct 1997
[2] SecurityFocus, "SecurityFocus.com", http://www.securityfocus.com
[3] Cryptographic Algorithms, "DES", http://www.ssh.fi/tech/crypto/algorithms.html#DES
[4] Cryptographic Algorithms, "IDEA", http://www.ssh.fi/tech/crypto/algorithms.html#IDEA
[5] Cryptographic Algorithms, "RSA", http://www.ssh.fi/tech/crypto/algorithms.html#RSA
[6] Cryptographic Algorithms, "Diffie-Hellman", http://www.ssh.fi/tech/crypto/algorithms.html#Diffie-Hellman
[7] MIT distribution site for PGP, "Welcome to the MIT Distribution Center for PGP (Pretty Good Privacy)", http://web.mit.edu/network/pgp.html
[8] The Secure Shell Community Site, "The Secure Shell Community Site", http://www.ssh.org
[9] R. Rivest, "The MD5 Message-Digest Algorithm", Apr 1992, http://sunsite.auc.dk/RFC/rfc/rfc1321.html
[10] S. Kent and R. Atkinson, "Security Architecture for the Internet Protocol," IETF RFC 2401, November 1998
[11] B. Gleeson, A. Lin, J. Heinanen, G. Armitage and A. Malis, "A Framework for IP Based Virtual Private Networks," IETF RFC 2764, February 2000
[12] M. Curtin and M. J. Ranum, "Internet Firewalls: Frequently Asked Questions," http://www.interhack.net/pubs/fwfaq/
Exercises
  1. What's the primary encryption function of each iteration of the DES system?
  2. Figure out the breaking time for key sizes of 32, 56, 128, and 168 bits, if a single decryption takes 1 us and 10^-6 us, respectively.
  3. In a public key system using RSA with public key e=5, n=35, Trudy intercepts the ciphertext C=10. What's the plaintext M?
  4. The encryption scheme used for UNIX passwords is one way; it is not possible to reverse it. Therefore, would it be accurate to say that this is, in fact, a hash code rather than an encryption of the password?
  5. What are the requirements of a digital signature?
  6. What's the difference between a network layer and an application layer firewall?
  7. What are the differences between a virtual leased line, a virtual private routed network, a virtual private dial network, and a virtual private LAN segment?
  8. How to achieve authentication and privacy simultaneously by using the Authentication Header and Encapsulating Security Payload in IPsec?
  9. What's the procedure of a DDoS attack?
  10. What's the attack procedure of the "Nimda" virus in October 2001?