Transcript of CSCE 522 Network Security (Farkas). Reading: Pfleeger and Pfleeger, Chapter 6
CSCE 522 - Farkas 1
CSCE 522 Network Security
Reading: Pfleeger and Pfleeger, Chapter 6
CSCE 522 - Farkas 2
Overview of TCP/IP Layers
CSCE 522 - Farkas 3
CSCE 522 - Farkas 4
Internet Challenge
Interconnected networks differ (protocols, interfaces, services, etc.)
Solutions:
1. Reengineer and develop one global packet-switching network standard: not economically feasible
2. Have every host implement the protocols of every network it wants to communicate with: too complex, very high engineering cost
3. Add an extra layer: the internetworking layer
– Hosts: one higher-level protocol
– Connecting networks use the same protocol
– Interface between the new protocol and each network
CSCE 522 - Farkas 5
Layering
Organize a network system into logically distinct entities
– The service provided by one entity is based only on the service provided by the next lower entity
CSCE 522 - Farkas 6
TCP/IP Protocol Stack
Application Layer
Transport Layer
Internetwork Layer
Network Access Layer
• Each layer interacts with the neighboring layers above and below
• Each layer can be defined independently
• The complexity of the network is hidden from the application
CSCE 522 - Farkas 7
Layering
Advantages
– Modularity: protocols are easier to manage and maintain
– Abstract functionality: lower layers can be changed without affecting the upper layers
– Reuse: upper layers can reuse the functionality provided by lower layers
Disadvantages
– Information hiding: can lead to inefficient implementations
CSCE 522 - Farkas 8
ISO OSI Reference Model
ISO: International Standard Organization
OSI: Open System Interconnection
Goal: a general open standard
– Allow vendors to enter the market using their own implementations and protocols
CSCE 522 - Farkas 9
OSI vs. TCP/IP
OSI: conceptually defines service, interface, protocol
Internet: provides a successful implementation

OSI layers        TCP/IP layers      Example protocols
Application       Application        Telnet, FTP, DNS
Presentation
Session
Transport         Transport          TCP, UDP
Network           Internet           IP
Data link         Network Access     LAN, packet radio
Physical
CSCE 522 - Farkas 10
Network Access Layer
Responsible for packet transmission on the physical media
Transmission between two devices that are physically connected
The goal of the physical layer is to move information across one “hop”
For example: Ethernet, token ring, Asynchronous Transfer Mode (ATM)
CSCE 522 - Farkas 11
Network Layer
Provides connectionless and unreliable service
Routing (routers): determine the path a packet has to traverse to reach its destination
Defines the addressing mechanism
– Identify each destination unambiguously
– Hosts should conform to the addressing mechanism
CSCE 522 - Farkas 12
IP Addresses – Network Layer
IP provides a logical address space and a corresponding addressing schema
An IP address is a globally unique or private number associated with a host network interface
Every system that sends packets directly out across the Internet must have a unique IP address
IP addresses are based on where the hosts are connected
IP addresses are controlled by a single organization; address ranges are assigned
They are running out of space!
CSCE 522 - Farkas 13
Routing Protocols
• Enable routing decisions to be made
• Manage and periodically update the routing tables stored at each router
• Router: decides “which way” to send the packet
• Protocol types:
  • Reachability
  • Distance vector
CSCE 522 - Farkas 14
The Domain Name System
Each system connected to the Internet also has one or more logical addresses.
Unlike IP addresses, domain addresses carry no routing information; they are organized by administrative units.
There are no limitations on the mapping from domain addresses to IP addresses.
CSCE 522 - Farkas 15
Domain Name Resolution
Domain Name Resolution: looking up a logical name and finding a physical IP address
There is a hierarchy of domain name servers. Each client system uses one domain name server, which in turn queries up and down the hierarchy to find the address.
If your server does not know the address, it goes up the hierarchy, possibly to the top, and works its way back down.
CSCE 522 - Farkas 16
Transport Layer
Provides services to the application layer
Services:
– Connection-oriented or connectionless transport
– Reliable or unreliable transport
– Security: new compared to the other two services. May provide authenticity, confidentiality, integrity
The application has to choose the services it requires from the transport layer
Limitations on combinations, e.g., connectionless and reliable transport is invalid
CSCE 522 - Farkas 17
Application Layer
Provides services for an application to send and receive data over the network, e.g., telnet (port 23), mail (port 25), finger (port 79)
Interface to the transport layer
– Operating system dependent
– Socket interface: most popular
CSCE 522 - Farkas 18
Communication Between Layers
[Figure: Host A, Router, Router, Host B. Host A has Application, Transport, Network and Data Link layers; each router has Network and Data Link layers; Host B has Data Link, Network, Transport and Application layers. Application Data becomes the Transport payload, which becomes the Network payload, which becomes the Data Link payload.]
Network Threats
CSCE 522 - Farkas 19
Network Threats 1.
Reconnaissance
– Port scan: which ports and services are running, which OS is installed, which applications and versions
– Social engineering: can yield sensitive information, up to login credentials
– Intelligence: open source vs. espionage
– Bulletin boards, chats, documentation, etc.
CSCE 522 - Farkas 20
Threats in Transit
Passive attacks: wiretap, traffic monitoring, packet sniffer, etc.
Protocol flaws: RFC number used to report new vulnerabilities
Impersonation
– Nonexistent authentication, guessing authentication information, well-known authentication
– Eavesdropping and wiretapping
– Spoofing and masquerading
– Session hijacking, man-in-the-middle
CSCE 522 - Farkas 21
Message Confidentiality Threats
Misdelivery
– Target not available, promiscuous mode
Exposure
– Eavesdropping
– Traffic analysis
CSCE 522 - Farkas 22
Message Integrity Threats
Falsification of messages
Noise
Malformed packets
Protocol failures
CSCE 522 - Farkas 23
Denial of Service Threats
Transmission failure
– Multiple reasons, intentional or accidental
Connection flooding: the attacker sends as much data as the victim can handle, preventing others from access
– E.g., ping of death, smurf, SYN flooding, etc.
Traffic redirection: routers forward packets to the wrong address
– Corrupted router, incorrect DNS entry, etc.
CSCE 522 - Farkas 24
How to address these threats?
CSCE 522 - Farkas 25
CSCE 522 - Farkas 26
Security -- At What Level?
Secure traffic at various levels in the network
Where to implement security? Depends on the security requirements of the application and the user
Basic services that need to be implemented: key management, confidentiality, nonrepudiation, integrity/authentication, authorization
CSCE 522 - Farkas 27
Network Access Layer (Data Link) Security
Dedicated link between hosts/routers; hardware devices for encryption
Advantages:
– Speed
Disadvantages:
– Not scalable
– Works well only on dedicated links
– Two hardware devices need to be physically connected
CSCE 522 - Farkas 28
Internetwork Layer Security
IP Security (IPSec)
Advantages:
– Overhead involved with key negotiation decreases, since multiple protocols can share the same key management infrastructure
– Ability to build VPNs and intranets
– Provides per-flow or per-connection security
Disadvantages:
– Difficult to handle low-granularity security, e.g., nonrepudiation, user-based security
CSCE 522 - Farkas 29
Transport Layer Security
Advantages:
– Does not require enhancement to each application
Disadvantages:
– Difficult to obtain user context
– Implemented on an end system (transport layer security)
– Protocol specific: implemented for each protocol; must maintain context for a connection
CSCE 522 - Farkas 30
Application Layer Security
Advantages:
– Executes in the context of the user --> easy access to the user’s credentials
– Complete access to data --> easier to ensure nonrepudiation
– Application can be extended to provide security (does not depend on the operating system)
– Application understands the data --> can fine-tune security
Disadvantages:
– Implemented in end hosts
– Security mechanisms have to be implemented for each application --> expensive, greater probability of making mistakes
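As an added illustration that is not part of the original slides, the Python below models the Host A to Host B encapsulation from the "Communication Between Layers" slide and shows which headers a passive on-path observer still reads in the clear when protection is applied at the application, transport, network or data-link layer, and why a router cannot forward a link-encrypted frame without the link hardware first decrypting it. Header fields, addresses and the "sealed" marker are constructed for the example.

```python
# Added example (not from the slides): models the Host A -> Router -> Host B
# encapsulation of the "Communication Between Layers" slide. Header fields,
# addresses and the "sealed" marker are constructed for illustration.
HEADERS = {  # headers each layer on Host A adds around its payload
    "transport": {"src_port": 40000, "dst_port": 25},           # mail, as on the slide
    "network":   {"src_ip": "10.0.0.1", "dst_ip": "10.0.0.2"},
    "datalink":  {"src_mac": "aa:aa:aa", "dst_mac": "bb:bb:bb"},
}
LAYERS = ("transport", "network", "datalink")   # order of encapsulation

def seal(payload):
    """Stand-in for encryption: an observer sees only that something is sealed."""
    return {"sealed": True, "inner": payload}

def encapsulate(app_data, protect_at=None):
    """Build the frame Host A puts on the wire. protect_at names the layer whose
    payload (everything above it) is protected; None means no protection."""
    pdu = {"layer": "application", "header": {}, "payload": app_data}
    if protect_at == "application":      # e.g. PGP: the message itself is sealed
        pdu["payload"] = seal(app_data)
    for layer in LAYERS:
        inner = seal(pdu) if layer == protect_at else pdu
        pdu = {"layer": layer, "header": dict(HEADERS[layer]), "payload": inner}
    return pdu

def visible_on_wire(frame):
    """Return (layers whose headers are in the clear, is the app data readable?)
    as seen by a passive observer such as a packet sniffer."""
    headers, node = [], frame
    while isinstance(node, dict) and "sealed" not in node:
        if node["header"]:
            headers.append(node["layer"])
        node = node["payload"]
    return headers, isinstance(node, str)

def router_forward(frame, next_hop_mac):
    """A router strips the link header, reads the network header to pick the next
    hop and re-encapsulates. Returns None when the network header is sealed: it
    cannot be routed, which is why link-layer encryption suits only dedicated links."""
    packet = frame["payload"]
    if "sealed" in packet:
        return None
    packet["header"]["ttl"] = packet["header"].get("ttl", 64) - 1
    return {"layer": "datalink",
            "header": {"src_mac": frame["header"]["dst_mac"], "dst_mac": next_hop_mac},
            "payload": packet}
```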
CSCE 522 - Farkas 31
Application Example
E-mail client using PGP
Extended capabilities
– Ability to look up public keys of the users
– Ability to provide security services such as encryption/decryption, nonrepudiation, and authentication for e-mail messages