CS457/546a 1

Chapter 7 roadmap

7.1 What is network security?7.2 Principles of cryptography7.3 Authentication7.4 Integrity7.5 Key Distribution and certification7.6 Access control: firewalls7.7 Attacks and counter measures7.8 Security in many layers

CS457/546a 2

Firewalls

isolates an organization’s internal network from larger external network, allowing some packets to pass, blocking others

firewall

administerednetwork

externalnetwork

firewall

CS457/546a 3

Firewalls: Why?

Prevent denial of service attacks: SYN flooding: attacker establishes many bogus

TCP connections, no resources left for “real” connections.

Prevent illegal modification/access of internal data. e.g., attacker replaces CIA’s homepage with

something elseAllow only authorized access to inside network (set of

authenticated users/hosts)Prevent insider attacks on critical systems:

Critical systems (human resources, payroll, etc.) can be hidden behind their own firewalls to prevent attacks from the inside.

CS457/546a 4

Firewalls: Policies

There are two main approaches to setting firewall policies regulating information flow.

Default Permit: Conditions are specified that will result in data

being blocked; any host or protocol not covered by these conditions will pass through by default.

Simpler to use, easy to configure, and more dangerous.

Default Deny: The particular protocols allowed through and the

hosts that may pass data or be contacted are specified; all others are denied.

Tends to be more secure.

CS457/546a 5

Firewall Components: Chokes/Packet Filters

Computers or devices (such as routers) that restrict the flow of packets between the internal and external networks.

These filter packet-by-packet, making the decision to forward/drop packets based on: source IP address, destination IP address TCP/UDP source and destination port numbers ICMP message type TCP SYN and ACK bits

Should arriving packet be allowed

in? Departing packet let out?

CS457/546a 6

Firewall Components: Chokes/Packet Filters

Example 1: Block incoming and outgoing datagrams with IP protocol field = 17 or with either source or destination port = 23. All incoming and outgoing UDP flows and

telnet connections are blocked. Example 2: Block inbound TCP segments with

ACK=0. Prevents external clients from making TCP

connections with internal clients, but allows internal clients to connect to outside.

CS457/546a 7

Firewall Components: Gates/Gateways

Specifically designated programs, devices, or computers within the firewall’s perimeter that receive and handle connections to and from the external network.

For security and reliability, users should not have accounts on a gateway computer.

Several kinds of programs can run on gateways: Network client software such as telnet, ftp and netscape.

Users get external access by logging on to the gateway and using this software. (Again, not recommended!)

Proxy servers that forward requests through the firewall from the internal network to the external one.

Network servers for receiving e-mail, serving web pages, and so on.

CS457/546a 8

Firewall Components: Gates/Gateways

Example: allow select internal users to telnet outside.

host-to-gatewaytelnet session

gateway-to-remote host telnet session

applicationgateway

router and filter

1. Require all telnet users to telnet through gateway.2. For authorized users, gateway sets up telnet

connection to destination host. Gateway relays data between the 2 connections.

3. Router packet filter blocks all telnet connections not originating from gateway.

CS457/546a 9

Dual-ported Host Firewalls

The first Internet firewalls were Unix hosts with two network ports – one for the internal network, and one for the external network.

In this firewall, the dual-ported host functions as both a choke and a gate. Service is provided to internal users by either

network clients or proxy servers. Packet forwarding between network ports is

disabled to protect the internal network.

internalnetwork

externalnetwork

firewall

CS457/546a 10

Packet Filtering Firewalls

A simple firewall can be built be a single choke, using the packet filtering options on a router to block packets as needed between the external and internal networks.

These firewalls are cheap and simple. Most firewalls built into cable/DSL routers

are of this variety. How powerful are they though?

internalnetwork

externalnetwork

firewall

CS457/546a 11

Screened Host Firewalls This is a more secure firewall built using

a choke and a gateway computer. The gate is a specially chosen computer running

network servers and proxy servers. Only external packets destined for the gateway

are allowed through the choke. All internal packets destined for the external

network must first pass through a proxy server on the gateway, or they are filtered by the choke.

internalnetwork

externalnetwork

firewall

gateway

CS457/546a 12

Screened Subnet Firewalls For even higher security, two chokes and a

gateway can be used to build a firewall. The external choke and gateway are configured

as in a screened host firewall. The second choke is a failsafe – if an attacker

gains access to the gate, the internal choke prevents further attacks against the internal network.

Additional gateways can be added to the perimeter network between the chokes for other services.internal

network

externalnetwork

firewall

gateway

perimeternetwork

CS457/546a 13

Limitations of Firewalls IP spoofing: a firewall

can’t know if data really comes from the claimed source, so intruders maystill be let in.

If multiple applications need special treatment, each has its own gateway.

Client software must know how to contact the gateway. For example, users must

set the IP address of a proxy in their web browsers.

Filters often use an all or nothing policy for UDP.

Tradeoff: degree of communication with outside world, level of security

The more exceptions and specializations needed for a firewall, the harder it is to configure and get to work properly … big troubles!

Many highly protected sites still suffer from attacks, so are firewalls really the solution?

CS457/546a 14

Chapter 7 roadmap

7.1 What is network security?7.2 Principles of cryptography7.3 Authentication7.4 Integrity7.5 Key Distribution and certification7.6 Access control: firewalls7.7 Attacks and counter measures7.8 Security in many layers

CS457/546a 15

Internet Security Threats

Mapping: Before attacking: you “case the joint” – find

out what services are implemented on network.

Use ping to determine what hosts have addresses on network.

Port-scanning: try to establish TCP connection to each port in sequence (see what happens).

nmap (http://www.insecure.org/nmap/) mapper: “network exploration and security auditing”.

Countermeasures?

CS457/546a 16

Mapping: countermeasures Record and log traffic entering network. Look for suspicious activity (IP addresses,

pots being scanned sequentially). A lot of network equipment can do this automatically now.

Have firewalls block ICMP packets and ping no longer works.

Put a default deny policy in place on all firewalls. If port numbers are blocked there, the network cannot be mapped from the outside.

Internet Security Threats

CS457/546a 17

Internet Security ThreatsPacket sniffing:

A problem for broadcast media. Promiscuous NIC reads all packets passing by. Can read all unencrypted data (e.g. passwords). e.g.: C sniffs B’s packets

A

B

C

src:B dest:A payload

Countermeasures?

CS457/546a 18

Internet Security ThreatsPacket sniffing: countermeasures

All hosts in organization run software that checks periodically if host interface is in promiscuous mode.

Ensure all hosts in network require super-user privileges to put an interface in promiscuous mode. Place one host per segment of broadcast media (switched Ethernet at hub). Encrypt all sensitive data (use ssh for remote logins).

A

B

C

src:B dest:A payload

CS457/546a 19

Internet Security ThreatsTraffic analysis:

An attacker acquires sensitive information without learning message content or sniffing whole packets.

Bad things can come from innocent-looking information. e.g.: C can learn what B’s work patterns are, that B is carrying out transactions with A, and

so on.

A

B

C

src:B dest:A payload

Countermeasures?

CS457/546a 20

Internet Security ThreatsTraffic analysis: countermeasures

Use some form of traffic padding. Fake traffic is inserted into the network to mask the real traffic.

If you have spare network capacity, why not use it? Traffic padding can make other attacks harder too … how can you tell which data to

attack and attempt to compromise when it is not all real?

A

B

C

src:B dest:A payload

CS457/546a 21

Internet Security ThreatsIP Spoofing:

Can generate “raw” IP packets directly from an application, putting any value into an IP packet’s source address field.

Receiver can’t tell if source is spoofed. e.g.: C pretends to be B

A

B

C

src:B dest:A payload

Countermeasures?

CS457/546a 22

Internet Security ThreatsIP Spoofing: ingress filtering

Routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router’s network).

Great, but ingress filtering can not be mandated for all networks.

A

B

C

src:B dest:A payload

CS457/546a 23

Internet Security ThreatsDenial of service (DOS):

A flood of maliciously generated packets “swamp” receiver. Distributed DOS (DDOS): multiple coordinated sources swamp

receiver. e.g., C and remote host SYN-attack A.

A

B

C

SYN

SYNSYNSYN

SYN

SYN

SYN

Countermeasures?

CS457/546a 24

Internet Security ThreatsDenial of service (DOS): countermeasures

filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad traceback to source of floods (most likely an innocent, compromised machine) use a dedicated hardware appliance to filter excessive packets or process

connection attempts

A

B

C

SYN

SYNSYNSYN

SYN

SYN

SYN

CS457/546a 25

Backups and Comparison Copies Making copies of data being transmitted or stored

can be very useful for security purposes. If data is damaged or destroyed, it can be restored. If data is modified, a comparison copy can detect

when and how it was changed, and restore it as well.

Backups can be to disk, tape, CD, DVD, or even paper.

Backups can be either full or incremental. The backup copies themselves must be secured!

• Protect them from overwriting.• Store them safely off-site under lock and key to

prevent theft and possible damage.• Encrypt them to protect the contents.• Verify that the backups actually work properly!

Other Good Ideas

CS457/546a 26

Auditing and Logging Auditing refers to the process of monitoring to

ensure that security mechanisms in place work and that any indications of misbehaviour are recorded.

Logging is used to record what is happening:• User activity (logging in, logging out, unsuccessful login

attempts, commands executed, and so on).• Use of administrator or super-user privileges (e.g. su).• Network traffic of various protocols at different periods.

Logging can be used to produce audit trails tracing the history of the network or individuals using it.

Logs are susceptible to modification attacks (to cover up attacks, falsely implicate others, and so on).

• Record logs to different physically secure machines or possibly even printers.

• Encrypt logs as they are written.

Other Good Ideas

CS457/546a 27

Chapter 7 roadmap

7.1 What is network security?7.2 Principles of cryptography7.3 Authentication7.4 Integrity7.5 Key Distribution and certification7.6 Access control: firewalls7.7 Attacks and counter measures

7.8 Security in many layers7.8.1. Secure email7.8.2. Secure sockets7.8.3. IPsec8.8.4. 802.11 WEP

CS457/546a 28

Secure E-Mail

Alice: Generates random symmetric private key, KS. Encrypts message with KS (for efficiency, as discussed before). Also encrypts KS with Bob’s public key. Sends both KS(m) and KB(KS) to Bob.

Alice wants to send confidential e-mail, m, to Bob.

KS( ).

KB( ).+

+ -

KS(m

)

KB(KS )+

m

KS

KS

KB+

Internet

KS( ).

KB( ).-

KB-

KS

mKS(m

)

KB(KS )+

CS457/546a 29

Secure E-Mail

Bob: Uses his private key to decrypt and recover KS. Uses KS to decrypt KS(m) to recover his message m.

Alice wants to send confidential e-mail, m, to Bob.

KS( ).

KB( ).+

+ -

KS(m

)

KB(KS )+

m

KS

KS

KB+

Internet

KS( ).

KB( ).-

KB-

KS

mKS(m

)

KB(KS )+

CS457/546a 30

Secure E-Mail (Continued)

Alice wants to provide sender authentication and message integrity.

Alice digitally signs a digest of the message. Sends both message (in the clear) and the digitally signed digest.

H( ). KA( ).-

+ -

H(m )KA(H(m))-

m

KA-

Internet

m

KA( ).+

KA+

KA(H(m))-

mH( ). H(m )

compare

CS457/546a 31

Secure E-Mail (Continued)

Alice wants to provide secrecy, sender authentication, and message integrity.

Alice uses three keys: her private key, Bob’s public key, and the newly created symmetric key.

H( ). KA( ).-

+

KA(H(m))-

m

KA-

m

KS( ).

KB( ).+

+

KB(KS )+

KS

KB+

Internet

KS

CS457/546a 32

Pretty Good Privacy (PGP)

Internet e-mail encryption scheme, de-facto standard.

Uses symmetric key cryptography, public key cryptography, hash function, and digital signature as described.

Provides secrecy, sender authentication, integrity.

Inventor Phil Zimmerman, was the target of a 3-year federal investigation for violating U.S. export restrictions on cryptographic software.

---BEGIN PGP SIGNED MESSAGE---Hash: SHA1

Bob:My husband is out of town tonight. Passionately yours, Alice

---BEGIN PGP SIGNATURE---Version: PGP 5.0Charset: noconvyhHJRHhGJGhgg/

12EpJ+lo8gE4vB3mqJhFEvZP9t6n7G6m5Gw2

---END PGP SIGNATURE---

A PGP signed message:

CS457/546a 33

Secure Sockets Layer (SSL)

Transport layer security to any TCP-based application using SSL services.

Used between Web browsers, servers for e-commerce (shttp).

Security services: Server authentication. Data encryption. Client authentication

(optional).

Server authentication: SSL-enabled browser

includes public keys for trusted CAs.

Browser requests server certificate, issued by trusted CA.

Browser uses CA’s public key to extract server’s public key from certificate.

Check your browser’s security menu to see its trusted CAs.

CS457/546a 34

SSL (Continued)

Encrypted SSL session: Browser generates

symmetric session key, encrypts it with server’s public key, sends encrypted key to server.

Using private key, server decrypts session key.

Only the browser and server know session key. All data sent into TCP

socket (by client or server) encrypted with session key.

SSL: basis of IETF Transport Layer Security (TLS).

SSL can be used for non-Web applications, e.g., IMAP.

Client authentication can be done with client certificates which have also been issued by CAs.

CS457/546a 35

IPsec: Network Layer Security

Network-layer secrecy: Sending host encrypts the

data in IP datagram. TCP and UDP segments;

ICMP and SNMP messages. Network-layer authentication

Destination host can authenticate source IP addresses.

Two principle protocols: Authentication header

(AH) protocol Encapsulation security

payload (ESP) protocol

For both AH and ESP protocols, the source and destination handshake: Create network-layer

logical channel called a security association (SA).

Each SA unidirectional. Uniquely determined by:

Security protocol (AH or ESP).

Source IP address. 32-bit connection ID.

CS457/546a 36

Authentication Header (AH) Protocol

Provides source authentication, data integrity, but not confidentiality.

AH header inserted between IP header, data field.

IP protocol field: 51 Intermediate routers

process datagrams as usual.

AH header includes: Connection identifier. Authentication data:

source-signed message digest calculated over original IP datagram.

Next header field: specifies type of data (e.g., TCP, UDP, ICMP).

Sequence number to prevent playback attacks.

IP header data (e.g., TCP, UDP segment)AH header

CS457/546a 37

Encapsulation Security Payload (ESP) Protocol

Provides secrecy, host authentication, and data integrity.

Packet data and the ESP trailer are encrypted.

Next header field is in the ESP trailer.

Sequence number and connection identifier are in the ESP header.

ESP authentication field is similar to AH authentication field.

IP protocol field: 50.

IP header TCP/UDP segmentESP

headerESP

trailerESP

authent.

encryptedauthenticated

CS457/546a 38

IPsec: SA and Key Management

To successfully deploy IPsec, a scalable and automated SA and key management scheme is needed.

Several protocols have been defined. The Internet Key Exchange (IKE) algorithm,

which is the default key management protocol for IPsec.

The Internet Security Association and Key Management Protocol (ISKMP) defines procedures for setting up and tearing down SAs and working with keys.

CS457/546a 39

IEEE 802.11 Security

War-driving: drive around the community and see what 802.11 wireless networks are available. In 2001, in the San Francisco Bay area alone,

more than 9000 were accessible from public roadways.

85% used no encryption/authentication! Packet-sniffing and various attacks would be easy!

Wired Equivalent Privacy (WEP): authentication as in protocol ap4.0 Host requests authentication from access point. Access point sends 128 bit nonce. Host encrypts nonce using shared symmetric key. Access point decrypts nonce, authenticates host.

CS457/546a 40

IEEE 802.11 Security

Wired Equivalent Privacy (WEP): data encryption Host and access point share 40 bit symmetric

key (semi-permanent). Host appends 24-bit initialization vector (IV) to

create 64-bit key. 64 bit key used to generate stream of keys, ki

IV.

kiIV used to encrypt ith byte, di, in frame:

ci = di XOR kiIV

IV and encrypted bytes, ci sent in frame.

CS457/546a 41

802.11 WEP Encryption

IV (per frame)

KS: 40-bit secret

symmetric key k1

IV k2IV k3

IV … kNIV kN+1

IV… kN+1IV

d1 d2 d3 … dN

CRC1 … CRC4

c1 c2 c3 … cN

cN+1 … cN+4

plaintext frame data

plus CRC

key sequence generator ( for given KS, IV)

802.11 header IV

WEP-encrypted data plus CRC

Figure 7.8-new1: 802.11 WEP protocol Sender-side WEP encryption

CS457/546a 42

Breaking 802.11 WEP Encryption

Security Hole: 24-bit IV, one IV per frame, -> IV’s eventually reused IV transmitted in plaintext -> IV reuse detected Attack:

Trudy causes Alice to encrypt known plaintext d1 d2 d3 d4 …

Trudy sees: ci = di XOR kiIV

Trudy knows ci di, so can compute kiIV

Trudy knows encrypting key sequence k1IV k2

IV k3IV …

Next time IV is used, Trudy can decrypt!

CS457/546a 43

802.11b Security At Western Wireless users at Western are forced to

authenticate themselves securely before accessing the network. This prevents outsiders from easily getting “inside”

access to the campus network. Once a wireless device contacts an access

point, access is restricted until a web browser is opened and redirected to a secure login page. You can then provide your UWO user id and

password to authenticate with the network. Once authenticated, access is opened up and

you are allowed fuller access of network services.

CS457/546a 44

802.11b Security At Western

Western does not currently use WEP-based encryption, and does not plan to. How could you safely share a secret WEP key

between 20,000-30,000 users? You can’t! Besides, as we just saw, WEP might not be very

safe. Western is looking at more advanced wireless

encryption protocols under development, and will be rolling them out soon.

In the mean time, use higher-level security protocols as much as possible (such as SSL, SSH, and so on). Many insecure unencrypted protocols are blocked,

so you cannot use them anyways!

CS457/546a 45

Network Security Summary

Basic techniques…... cryptography (symmetric and public) authentication message integrity key distribution

…. used in many different security scenarios secure email secure transport (SSL) IPsec 802.11 WEP