Lec21 22
Transcript of Lec21 22
![Page 1: Lec21 22](https://reader036.fdocuments.net/reader036/viewer/2022070302/548d237cb4795949118b47b4/html5/thumbnails/1.jpg)
Security - Systems
Design Considerations
![Page 2: Lec21 22](https://reader036.fdocuments.net/reader036/viewer/2022070302/548d237cb4795949118b47b4/html5/thumbnails/2.jpg)
Layer 2 Design
L2 control protocols - 802.1q, STP and ARP
802.1q
for Ethernet switches to exchange VLAN info (tagged trunk frames)
Primary Issues: VLAN hopping (switch spoofing via auto-negotiated trunks; double tagging across the native VLAN)
Defense: disable trunk auto-negotiation on access ports; use a dedicated, otherwise unused native VLAN on trunks
Spanning Tree Protocol
for L2 loop avoidance
Primary Issues: No authentication on bridge PDUs
Attacks: Cause link failure; pretend to be root of tree.
Defense: Control participation in STP at the switch level (e.g. BPDU guard / root guard on access ports)
![Page 3: Lec21 22](https://reader036.fdocuments.net/reader036/viewer/2022070302/548d237cb4795949118b47b4/html5/thumbnails/3.jpg)
Layer 2 Design
ARP
for IP --> MAC mapping
Primary Issues: gratuitous ARP (gARP) messages are needed for high-availability failover, but ARP is unauthenticated, so any host on the segment can send them and poison its neighbours' ARP caches (ARP spoofing)
Defense: VLANs, static ARP entries; on managed switches, Dynamic ARP Inspection checked against the DHCP snooping binding table
DHCP
for IP allocation
Issues: MAC spoofing (address pool exhaustion), rogue DHCP server (attacker hands out its own gateway / DNS)
Defense: DHCP snooping - allow/deny specific switch ports to respond to DHCP requests (only trusted ports may carry server replies)
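The check a switch's Dynamic ARP Inspection performs, written out as an added example (this code is not from the lecture): ARP replies are compared against a trusted binding table, gratuitous ARPs for a high-availability virtual IP are allowed only from the pair's own MACs, and anything else is flagged. The binding table, the HA pair and the captured frames are all constructed for the example.

```python
"""Added example: inspect ARP replies against a trusted binding table, the check that
Dynamic ARP Inspection performs on a switch. All bindings and frames are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    target_ip: str   # equals sender_ip for a gratuitous ARP announcement
    port: str        # switch port the frame arrived on


# Constructed binding table: what DHCP snooping or static configuration would provide.
BINDINGS = {
    "10.0.0.10": ("00:11:22:33:44:10", "Gi1/0/10"),
    "10.0.0.11": ("00:11:22:33:44:11", "Gi1/0/11"),
}
# Virtual IP shared by an HA pair (assumed): either member may announce it with gARP.
HA_VIPS = {"10.0.0.1": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}


def inspect_arp(replies):
    """Return (port, alert kind, claimed IP, claimed MAC) for every suspicious reply."""
    alerts = []
    for r in replies:
        gratuitous = r.sender_ip == r.target_ip
        if r.sender_ip in HA_VIPS:
            # Failover gARP from a pair member is legitimate; anyone else is hijacking the VIP.
            if r.sender_mac not in HA_VIPS[r.sender_ip]:
                alerts.append((r.port, "vip-hijack", r.sender_ip, r.sender_mac))
            continue
        bound = BINDINGS.get(r.sender_ip)
        if bound is None:
            alerts.append((r.port, "unknown-binding", r.sender_ip, r.sender_mac))
            continue
        mac, port = bound
        if r.sender_mac != mac:
            kind = "garp-poison" if gratuitous else "reply-poison"
            alerts.append((r.port, kind, r.sender_ip, r.sender_mac))
        elif r.port != port:
            # Right IP/MAC pair but wrong port: a host spoofing a neighbour's MAC.
            alerts.append((r.port, "port-mismatch", r.sender_ip, r.sender_mac))
    return alerts


# Constructed capture: two legitimate frames, then three from an attacker on Gi1/0/23.
SAMPLE = [
    ArpReply("10.0.0.10", "00:11:22:33:44:10", "10.0.0.11", "Gi1/0/10"),
    ArpReply("10.0.0.1", "00:11:22:33:44:02", "10.0.0.1", "Gi1/0/2"),
    ArpReply("10.0.0.1", "de:ad:be:ef:00:01", "10.0.0.1", "Gi1/0/23"),
    ArpReply("10.0.0.11", "de:ad:be:ef:00:01", "10.0.0.11", "Gi1/0/23"),
    ArpReply("10.0.0.10", "00:11:22:33:44:10", "10.0.0.11", "Gi1/0/23"),
]

if __name__ == "__main__":
    for alert in inspect_arp(SAMPLE):
        print(alert)
```

The third sample frame is exactly the HA failover case the slide worries about: a gratuitous ARP for the gateway VIP is normal from either pair member, so the check keys on the sender MAC, not on the mere presence of a gARP. Without a binding table (no DHCP snooping, no static entries) the switch has nothing to compare against, which is why the two defenses go together.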
![Page 4: Lec21 22](https://reader036.fdocuments.net/reader036/viewer/2022070302/548d237cb4795949118b47b4/html5/thumbnails/4.jpg)
Layer 2 Design
Wireless Networks - Medium Access
Boundary is diffuse (not hard)
Intruders do not have to intercept wires - all messages are broadcast (in a shared medium)
Unauthenticated access modes (open networks) may cause problems
Contention resolution - fairness issues
Easy to limit / eliminate availability (jamming the channel, or forging management frames such as deauthentication)
![Page 5: Lec21 22](https://reader036.fdocuments.net/reader036/viewer/2022070302/548d237cb4795949118b47b4/html5/thumbnails/5.jpg)
IP Addressing Design
Subnetting
Administrative / physical separation
Primary Issues: Access control between subnets
Defense: VLANs, Layer 3 ACLs (Access Control Lists)
![Page 6: Lec21 22](https://reader036.fdocuments.net/reader036/viewer/2022070302/548d237cb4795949118b47b4/html5/thumbnails/6.jpg)
Ingress / Egress Filtering
Egress: traffic with private (RFC 1918) or otherwise non-local source addresses must not be seen outside; this also stops your own hosts from being used to send spoofed packets.
Ingress: incoming traffic must carry outside-world source addresses only; drop packets arriving from the Internet that claim an internal or private source.
Filter at the edge or close to the edge - not necessarily only at the firewall (ACLs on the border routers' links work too; this is BCP 38 / RFC 2827).
![Page 7: Lec21 22](https://reader036.fdocuments.net/reader036/viewer/2022070302/548d237cb4795949118b47b4/html5/thumbnails/7.jpg)
NAT
Private addresses translated to public addresses
Incoming traffic - reverse translation
static, 1-1, many-1 (port address translation)
avoid relying on NAT (many-1) for security: it hides internal topology but it is not an access control; pair it with explicit filtering
![Page 8: Lec21 22](https://reader036.fdocuments.net/reader036/viewer/2022070302/548d237cb4795949118b47b4/html5/thumbnails/8.jpg)
ICMP Design Issues
ping messages
essential for admin. - turning them off is not a solution except in specific cases.
Primary issue - echo request/reply messages carry a variable-length data field
ping-of-death attacks (oversized reassembled datagrams), DoS attacks (echo floods), buffer overflows in careless receivers
covert channels (w/ software on the host, data hidden in the echo payload)
Solutions: "Explicitly permit - implicitly deny"
Permit ICMP echo request/reply messages only with the networks of necessity and for the required users
Deny all other echo messages
![Page 9: Lec21 22](https://reader036.fdocuments.net/reader036/viewer/2022070302/548d237cb4795949118b47b4/html5/thumbnails/9.jpg)
ICMP - Design Issues
Other required ICMP messages
(some types of) Destination Unreachable messages - in particular "fragmentation needed" (type 3, code 4), which path MTU discovery depends on
Time Exceeded messages (type 11, sent when TTL reaches 0), needed by traceroute
ICMP filtering
ACLs for permitting the specific messages seen above and for denying all others (redirects, timestamp requests, etc.)
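A stateless edge filter that puts the ingress/egress slide and the two ICMP slides together, as an added example (not code from the lecture): BCP 38 anti-spoofing in both directions, then an ICMP policy that explicitly permits echo with the management nets, fragmentation-needed, inbound unreachables and time-exceeded, and implicitly denies everything else. The site prefix, management net and bogon list are assumptions chosen for the example.

```python
"""Added example: a stateless edge filter combining BCP 38 ingress/egress anti-spoofing
with an "explicitly permit, implicitly deny" ICMP policy. Prefixes are constructed."""
import ipaddress

SITE_PREFIX = ipaddress.ip_network("203.0.113.0/24")     # our public allocation (assumed)
MGMT_NETS = [ipaddress.ip_network("203.0.113.8/29")]     # hosts allowed to ping / be pinged
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def _in(addr, nets):
    return any(addr in n for n in nets)


def filter_packet(direction, src, dst, proto, icmp_type=None, icmp_code=None):
    """direction is 'in' (arriving from the Internet) or 'out' (leaving the site).
    Returns (verdict, reason)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    # Anti-spoofing at the border (BCP 38 / RFC 2827)
    if direction == "in":
        if src in SITE_PREFIX or _in(src, BOGONS):
            return "deny", "ingress: source claims to be internal or bogon"
        if dst not in SITE_PREFIX:
            return "deny", "ingress: not addressed to this site"
    else:
        if src not in SITE_PREFIX:
            return "deny", "egress: source is not one of our addresses"

    if proto != "icmp":
        return "permit", "non-ICMP: left to the stateful firewall"

    # ICMP: explicitly permit what administration needs, implicitly deny the rest
    inside = dst if direction == "in" else src
    if icmp_type in (8, 0):                      # echo request / echo reply
        if _in(inside, MGMT_NETS):
            return "permit", "echo with a management host"
        return "deny", "echo outside the management nets"
    if icmp_type == 3 and icmp_code == 4:
        return "permit", "fragmentation needed (path MTU discovery)"
    if icmp_type == 3 and direction == "in":
        return "permit", "inbound destination unreachable (normally a reply to our traffic)"
    if icmp_type == 11 and icmp_code == 0:
        return "permit", "time exceeded in transit (traceroute)"
    return "deny", "ICMP type/code not explicitly permitted"   # redirects, timestamps, ...


if __name__ == "__main__":
    samples = [
        ("in", "10.1.2.3", "203.0.113.9", "tcp", None, None),
        ("out", "192.168.1.5", "198.51.100.1", "tcp", None, None),
        ("in", "198.51.100.1", "203.0.113.80", "icmp", 8, 0),
        ("in", "198.51.100.1", "203.0.113.80", "icmp", 3, 4),
        ("in", "198.51.100.1", "203.0.113.80", "icmp", 5, 1),
    ]
    for s in samples:
        print(s, "->", filter_packet(*s))
```

Note that a packet arriving from the Internet with one of our own addresses as its source is denied just like an RFC 1918 source: that is the case a firewall-only design misses when the filter sits behind the border router. Type 3 code 4 is permitted in both directions because dropping it silently breaks path MTU discovery for connections through the site.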
![Page 10: Lec21 22](https://reader036.fdocuments.net/reader036/viewer/2022070302/548d237cb4795949118b47b4/html5/thumbnails/10.jpg)
Routing - Issues
Possible attacks:
Traffic Redirection
Traffic sent to a black-hole
Router DoS (Denial of Service) - Attack on Availability
Routing protocol DoS
Unauthorized prefix origination (a router announcing address space it does not own, i.e. prefix hijacking)
![Page 11: Lec21 22](https://reader036.fdocuments.net/reader036/viewer/2022070302/548d237cb4795949118b47b4/html5/thumbnails/11.jpg)
Routing - Issues
Attack methods & possible solutions:
Configuration modification of routers
  Secure routers - device hardening
Rogue router introduction
  Add message authentication to the routing protocol
  Use ACLs to block routing protocol message types from unwanted networks
Spoofing / modifying of routing messages
  Message authentication; for TCP-based protocols (BGP) unpredictable TCP sequence numbers help against blind spoofing, but only authentication stops an on-path attacker
Sending malformed or excess packets
  DoS mitigation for excess; no easy solution for malformed packets beyond keeping router software patched
![Page 12: Lec21 22](https://reader036.fdocuments.net/reader036/viewer/2022070302/548d237cb4795949118b47b4/html5/thumbnails/12.jpg)
Router - Device hardening
Disable unneeded services
no DNS lookup for the router
no echo, chargen or finger services (the "small servers")
no bootp service (if not needed)
no source routing and no directed broadcast (directed broadcast is what smurf amplification relies on)
no ICMP redirects
Password encryption
Authentication
Use hashed passwords (a salted one-way hash, not a reversibly "encrypted" password)
Use secure protocols (say SSH, not telnet) for line access
Set up usernames and access controls (per-user accounts, privilege levels, ACLs on the management lines)
![Page 13: Lec21 22](https://reader036.fdocuments.net/reader036/viewer/2022070302/548d237cb4795949118b47b4/html5/thumbnails/13.jpg)
Routing Protocol - Message Auth.
Passwords with routing update messages (plaintext; trivially sniffed, so they only protect against accidental peering)
MD5 digest authentication with secret keying (a keyed digest over each message plus a sequence number against replay)
Protocol specific:
Avoid RIP v1 - has no auth. mechanism
OSPF (widely used for interior gateways) - supports keyed MD5 (RFC 2328 Appendix D); newer implementations also support HMAC-SHA (RFC 5709), which should be preferred
BGP (widely used for cross-domain routing) - supports keyed MD5 through the TCP MD5 signature option (RFC 2385); its successor is TCP-AO (RFC 5925)
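The keyed-MD5 construction the slide refers to, as an added example rather than a router's own code: RFC 2328 Appendix D appends MD5(packet || key padded to 16 octets) after the OSPF packet, and carries the key id and a cryptographic sequence number in the header's authentication field. The router id, area, key and payload below are constructed. The same construction is what makes keyed MD5 weak by today's standards (no HMAC, MD5 itself), which is why RFC 5709 moved OSPF to HMAC-SHA.

```python
"""Added example: keyed-MD5 authentication for an OSPFv2 packet following RFC 2328
Appendix D. Router/area IDs, keys and payloads are constructed; illustrative only."""
import hashlib
import hmac
import struct

KEY_LEN = 16            # key is padded/truncated to 16 octets
AU_CRYPTOGRAPHIC = 2    # AuType value for cryptographic authentication
HEADER_LEN = 24


def _pad_key(key: bytes) -> bytes:
    return key[:KEY_LEN].ljust(KEY_LEN, b"\x00")


def ospf_sign(body: bytes, key_id: int, seq: int, key: bytes,
              router_id: bytes = b"\x0a\x00\x00\x01") -> bytes:
    """Build header + body and append the keyed digest. Type 1 = Hello (assumed)."""
    length = HEADER_LEN + len(body)
    header = struct.pack("!BBH4s4sHH", 2, 1, length, router_id, b"\x00" * 4,
                         0, AU_CRYPTOGRAPHIC)               # checksum is 0 with AuType 2
    header += struct.pack("!HBBI", 0, key_id, KEY_LEN, seq)  # authentication field
    packet = header + body
    return packet + hashlib.md5(packet + _pad_key(key)).digest()


def ospf_verify(frame: bytes, keys: dict, last_seq: dict, neighbor: str):
    """Check digest and sequence number; last_seq holds per-neighbour state.
    Returns (accepted, reason)."""
    if len(frame) < HEADER_LEN + KEY_LEN:
        return False, "truncated"
    length = struct.unpack("!H", frame[2:4])[0]
    autype = struct.unpack("!H", frame[14:16])[0]
    if autype != AU_CRYPTOGRAPHIC or len(frame) != length + KEY_LEN:
        return False, "autype or length mismatch"
    _, key_id, auth_len, seq = struct.unpack("!HBBI", frame[16:24])
    if key_id not in keys or auth_len != KEY_LEN:
        return False, "unknown key id"
    packet, digest = frame[:length], frame[length:]
    expected = hashlib.md5(packet + _pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(digest, expected):
        return False, "bad digest"
    # RFC 2328 D.4.3: sequence number must be >= the last one accepted from this neighbour
    if seq < last_seq.get(neighbor, 0):
        return False, "replay"
    last_seq[neighbor] = seq
    return True, "ok"


if __name__ == "__main__":
    keys = {1: b"constructed-ospf-key"}
    state = {}
    frame = ospf_sign(b"hello-payload", key_id=1, seq=100, key=keys[1])
    print(ospf_verify(frame, keys, state, "10.0.0.2"))
    forged = bytearray(frame)
    forged[30] ^= 0x01                       # flip one bit in the body
    print(ospf_verify(bytes(forged), keys, state, "10.0.0.2"))
```

Two things to notice when reading it against the slide's attack list: the digest stops a rogue router that does not hold the key from injecting or modifying updates, and the sequence number (not the digest) is what stops replay of an old, correctly signed update. Per the RFC an equal sequence number is still accepted, so a captured packet can be replayed once within the same window; strict monotonicity is the safer local policy.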
![Page 14: Lec21 22](https://reader036.fdocuments.net/reader036/viewer/2022070302/548d237cb4795949118b47b4/html5/thumbnails/14.jpg)
Routing - Issues
Asymmetric Routing & State-Aware Security
Asymmetric traffic - different paths for request and return; per-packet load balancing
Can happen at switches, over the Internet or at an ISP.
Causes problems for state-aware security devices and mechanisms - firewalls, IDS etc. (a device that sees only one direction of a TCP connection cannot track its state and will drop or mis-inspect the traffic)
![Page 15: Lec21 22](https://reader036.fdocuments.net/reader036/viewer/2022070302/548d237cb4795949118b47b4/html5/thumbnails/15.jpg)
Routing - Issues
Asymmetric Routing - Solutions
Use symmetric routing
  hard to do and impractical beyond your own network
Load balance per flow (rather than per packet)
  keeps a flow's packets together, but cannot avoid request-return asymmetry.
Manipulate flows using NAT or routing (force the return path through the same device)
Use state-sharing security devices - e.g. exchange state information between firewalls
  significant traffic overhead
Use stateless security features - e.g. ACLs
  works only for easy situations - simple traffic categorizations
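An added example (not from the lecture) showing the per-packet versus per-flow point in numbers, and going one step past the slide: with a plain 5-tuple hash the reply direction of a connection hashes independently of the request direction, so roughly half of all connections end up with their two halves on different paths; canonicalising the tuple (a symmetric hash) removes that, but only on a device you control, which is why it does not help across the Internet. The connections are generated synthetically and SHA-256 stands in for whatever hash a real router or load balancer uses.

```python
"""Added example: per-packet vs per-flow load balancing across two equal-cost paths,
and why a plain 5-tuple hash still leaves request and reply on different paths."""
import hashlib
import random

N_PATHS = 2


def flow_key(pkt, symmetric=False):
    src, sport, dst, dport, proto = pkt
    a, b = (src, sport), (dst, dport)
    if symmetric and a > b:          # canonical order: identical key for both directions
        a, b = b, a
    return f"{a[0]}:{a[1]}>{b[0]}:{b[1]}/{proto}".encode()


def choose_path(pkt, symmetric=False):
    digest = hashlib.sha256(flow_key(pkt, symmetric)).digest()
    return int.from_bytes(digest[:4], "big") % N_PATHS


def per_packet_paths(n_packets):
    """Round-robin: even a single flow's packets alternate between paths."""
    return [i % N_PATHS for i in range(n_packets)]


def reverse(pkt):
    src, sport, dst, dport, proto = pkt
    return (dst, dport, src, sport, proto)


def count_asymmetric(connections, symmetric=False):
    """Connections whose request packets and reply packets take different paths,
    i.e. a stateful firewall on either path sees only half of the conversation."""
    return sum(choose_path(c, symmetric) != choose_path(reverse(c), symmetric)
               for c in connections)


def sample_connections(n, seed=1):
    """Constructed client connections to one HTTPS server."""
    rng = random.Random(seed)
    return [(f"192.0.2.{rng.randint(1, 254)}", rng.randint(1024, 65535),
             "203.0.113.5", 443, "tcp") for _ in range(n)]


if __name__ == "__main__":
    conns = sample_connections(200)
    print("per-packet, one flow of 8 packets:", per_packet_paths(8))
    print("5-tuple hash, asymmetric connections:", count_asymmetric(conns), "of", len(conns))
    print("symmetric hash, asymmetric connections:", count_asymmetric(conns, symmetric=True))
```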
![Page 16: Lec21 22](https://reader036.fdocuments.net/reader036/viewer/2022070302/548d237cb4795949118b47b4/html5/thumbnails/16.jpg)
Transport Protocol - Design Issues
Denial of Service attacks
easy to launch and cannot be completely stopped.
network flooding (consume bandwidth) vs. transport flooding (consume host resources)
Network Flooding
Detection: through network intrusion detection, routers and firewalls (i.e. their log and flow data)
Stopping: often only through the service provider, upstream of the saturated link; stops good as well as bad traffic
![Page 17: Lec21 22](https://reader036.fdocuments.net/reader036/viewer/2022070302/548d237cb4795949118b47b4/html5/thumbnails/17.jpg)
Transport Protocol - Design Issues
Stopping Network Flooding
Basic ACL: drop all traffic destined for the victim IP address; configure this throughout the ISP's network.
Black hole filtering: propagate a static route for the victim address pointing at a null interface (remotely triggered black hole). Faster than the ACL approach; much less CPU impact, since it is an ordinary forwarding decision.
Sinkhole routing: traffic diverted to a specific location so that it can be studied instead of dropped.
![Page 18: Lec21 22](https://reader036.fdocuments.net/reader036/viewer/2022070302/548d237cb4795949118b47b4/html5/thumbnails/18.jpg)
Transport Protocol - Design Issues
Trace Back (DoS)
Manual ACL trace back: create an ACL with broad permits that are made more specific as more information about the attack is gained, and follow its hit counters hop by hop towards the ingress.
Backscatter trace back:
combine black hole and sinkhole routing
black hole routing results in ICMP unreachable messages sent back to the (spoofed) source addresses of the attack packets
route a chunk of unallocated IP addresses internally within the ISP to a sinkhole; unreachables addressed to spoofed sources in that chunk land there, and the router that generated each one identifies the ingress point of the attack
Tracebacks are useless if the attacker is spoofing only legitimately allocated addresses: no backscatter ever reaches the sinkhole.
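The backscatter mechanism as a small simulation, added here as an example (it is not the lecture's material): each edge router null-routes the victim and answers attack packets with an ICMP unreachable to the spoofed source, and a sinkhole that owns a dark chunk of address space counts which router the unreachables come from. The second scenario reproduces the slide's caveat: when the attacker spoofs only allocated addresses, nothing lands in the sinkhole. Routers, prefixes (100.64.0.0/10 standing in for unallocated space) and traffic are all constructed.

```python
"""Added example: simulation of backscatter traceback (black hole + sinkhole).
Routers, prefixes and attack traffic are constructed for the example."""
import ipaddress
import random
from collections import Counter

VICTIM = ipaddress.ip_address("203.0.113.80")
EDGE_ROUTERS = {"edge-1": "198.51.100.1", "edge-2": "198.51.100.2", "edge-3": "198.51.100.3"}
# Assumed "dark" chunk the ISP routes internally to its sinkhole.
SINKHOLE_PREFIX = ipaddress.ip_network("100.64.0.0/10")


def edge_router(name, src, dst, blackholed):
    """Forward one packet. For a black-holed destination the packet is dropped and an
    ICMP destination-unreachable is generated; returns that message or None."""
    if dst in blackholed:
        return {"icmp_src": ipaddress.ip_address(EDGE_ROUTERS[name]),
                "icmp_dst": src, "router": name}
    return None


def sinkhole_collect(messages):
    """Tally ICMP messages that land in the sinkhole by the router that sent them."""
    hits = Counter()
    for m in messages:
        if m["icmp_dst"] in SINKHOLE_PREFIX:
            hits[m["router"]] += 1
    return hits


def simulate(ingress, source_gen, n_pkts, rng):
    """Attack enters through one edge router; return sinkhole counts per router."""
    blackholed = {VICTIM}
    backscatter = []
    for _ in range(n_pkts):
        msg = edge_router(ingress, source_gen(rng), VICTIM, blackholed)
        if msg is not None:
            backscatter.append(msg)
    return sinkhole_collect(backscatter)


def random_spoof(rng):
    """Attacker spoofs sources uniformly over the whole IPv4 space."""
    return ipaddress.ip_address(rng.getrandbits(32))


def allocated_spoof(rng):
    """Attacker spoofs only addresses inside a legitimately allocated block (constructed)."""
    return ipaddress.ip_address("192.0.2.0") + rng.randint(0, 255)


if __name__ == "__main__":
    print("random spoofing:   ", simulate("edge-2", random_spoof, 20000, random.Random(7)))
    print("allocated spoofing:", simulate("edge-2", allocated_spoof, 20000, random.Random(7)))
```

With a /10 routed to the sinkhole about one packet in a thousand produces usable backscatter, so the technique needs a high-rate attack with broadly randomised sources; that is the practical form of the slide's last line.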
![Page 19: Lec21 22](https://reader036.fdocuments.net/reader036/viewer/2022070302/548d237cb4795949118b47b4/html5/thumbnails/19.jpg)
Transport Protocol - Design Issues
DoS Mitigation
QoS techniques -
limit traffic by type (e.g. UDP 10 Mbps, ICMP 200 Kbps); use a token bucket per traffic class to police it to its limit
application-specific filtering
(e.g. decide per application which traffic classes are legitimate at all, such as whether an e-commerce front end needs any UDP beyond DNS)
use a distributed design
content delivery networks (spread the load so that no single link or host is the bottleneck)
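The per-class token-bucket policing the slide describes, as an added example run over a constructed one-second packet stream containing an ICMP flood (this is example code, not from the lecture; the rates, burst sizes and traffic mix are assumptions):

```python
"""Added example: per-class token-bucket policing (UDP 10 Mbps, ICMP 200 Kbps as on
the slide) over a constructed packet stream. Rates and bursts are assumptions."""


class TokenBucket:
    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0      # refill in bytes per second
        self.capacity = burst_bytes     # maximum burst the class may send at once
        self.tokens = burst_bytes
        self.last = 0.0

    def allow(self, size, now):
        """Refill for the elapsed time, then spend `size` tokens if available."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def make_policers():
    # Classes without a policer (tcp here) are forwarded unconditionally.
    return {"udp": TokenBucket(10_000_000, 125_000),
            "icmp": TokenBucket(200_000, 25_000)}


def police(stream, policers):
    """stream: time-ordered (time_s, proto, size_bytes).
    Returns {proto: [passed_bytes, dropped_bytes]}."""
    counts = {}
    for t, proto, size in stream:
        bucket = policers.get(proto)
        ok = bucket is None or bucket.allow(size, t)
        counts.setdefault(proto, [0, 0])[0 if ok else 1] += size
    return counts


def constructed_stream():
    """One second of traffic: an ICMP flood (1500 B every 0.1 ms), modest UDP and TCP."""
    pkts = [(i * 0.0001, "icmp", 1500) for i in range(10_000)]
    pkts += [(i * 0.005, "udp", 1000) for i in range(200)]
    pkts += [(i * 0.002, "tcp", 1400) for i in range(500)]
    return sorted(pkts)


if __name__ == "__main__":
    for proto, (passed, dropped) in police(constructed_stream(), make_policers()).items():
        print(f"{proto}: passed {passed} B, dropped {dropped} B")
```

The ICMP flood is 15 MB in that second; the policer lets through the 25 KB burst plus 25 KB of refill and drops the rest, while UDP and TCP are untouched. That is the trade-off the slide implies: the limit is per class, not per source, so a flood in a class also squeezes legitimate traffic of the same class, which is why the per-class limits are chosen from what the applications actually need.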
![Page 20: Lec21 22](https://reader036.fdocuments.net/reader036/viewer/2022070302/548d237cb4795949118b47b4/html5/thumbnails/20.jpg)
Transport Protocol - Design Issues
(back to) Denial of Service attacks
easy to launch and cannot be completely stopped.
network flooding (consume bandwidth) vs. transport flooding (consume host resources)
Transport Flooding
TCP SYN flooding - send SYN packets (the first step of the 3-way handshake), usually with spoofed sources, and never complete the handshake with the final ACK; TCP is connection oriented, so the server keeps each half-open connection for a time; the connection (backlog) queue overflows and legitimate SYNs are dropped.
![Page 21: Lec21 22](https://reader036.fdocuments.net/reader036/viewer/2022070302/548d237cb4795949118b47b4/html5/thumbnails/21.jpg)
Transport Protocol - Design Issues
SYN cookies
host-specific method of mitigating SYN flooding attacks;
avoid storing state for half-open connections: encode the connection parameters in the server's initial sequence number (a keyed hash of addresses, ports and a coarse timestamp) and reconstruct them when the client's final ACK returns - a challenge-response model for the handshake.
TCP intercept
network-level protection for SYN floods
intercept connection requests at an intermediate node which transparently proxies the handshake to the server; SYNs are acknowledged immediately by the intermediary and the connection is opened to the server only once the client completes the handshake; if the client does not respond, aggressive (backoff) timeouts drop the half-open entry; (e.g. PIX firewalls)
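A SYN-cookie scheme in the spirit of Bernstein's design, as an added example (it is neither the lecture's code nor the Linux implementation): the server's initial sequence number packs a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed hash of the 4-tuple, so the SYN is discarded after the SYN-ACK is sent, and the final ACK is validated by recomputation within the current or previous 64-second window. The secret, the MSS table and the addresses are constructed.

```python
"""Added example: SYN cookies. The cookie is the server's ISN; no per-SYN state is kept.
Secret, MSS table and addresses are constructed for the example."""
import hashlib
import hmac
import struct

MSS_TABLE = [536, 1220, 1440, 1460]      # encodable MSS values (3 bits reserved, 4 used)
SECRET = b"constructed-per-boot-secret"  # would be random per boot and rotated
TICK_SECONDS = 64


def _tick(now):
    return int(now // TICK_SECONDS)


def _mac24(src, dst, sport, dport, tick):
    """24-bit keyed hash binding the cookie to the 4-tuple and the time window."""
    msg = struct.pack("!4s4sHHI", src, dst, sport, dport, tick)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, dst, sport, dport, client_mss, now):
    """Sequence number to put in the SYN-ACK. Nothing about the SYN is stored."""
    t = _tick(now)
    fitting = [i for i, m in enumerate(MSS_TABLE) if m <= client_mss]
    mss_idx = fitting[-1] if fitting else 0           # largest encodable MSS <= client's
    return ((t & 31) << 27) | (mss_idx << 24) | _mac24(src, dst, sport, dport, t)


def check_cookie(src, dst, sport, dport, ack_num, now):
    """Validate the handshake's final ACK. Returns the MSS to use, or None to drop."""
    cookie = (ack_num - 1) & 0xFFFFFFFF             # the ACK acknowledges our ISN + 1
    t_field, mss_idx, mac = cookie >> 27, (cookie >> 24) & 7, cookie & 0xFFFFFF
    t_now = _tick(now)
    for t in (t_now, t_now - 1):                    # current and previous window only
        if t >= 0 and (t & 31) == t_field and _mac24(src, dst, sport, dport, t) == mac:
            return MSS_TABLE[mss_idx] if mss_idx < len(MSS_TABLE) else None
    return None


if __name__ == "__main__":
    client, server = bytes([192, 0, 2, 10]), bytes([203, 0, 113, 5])
    now = 1_000_000.0
    isn = make_cookie(client, server, 40000, 443, 1460, now)   # SYN arrives, SYN-ACK sent
    print("accepted, MSS:", check_cookie(client, server, 40000, 443, isn + 1, now + 10))
    print("wrong ACK:", check_cookie(client, server, 40000, 443, isn + 2, now + 10))
    print("too late:", check_cookie(client, server, 40000, 443, isn + 1, now + 300))
```

What the example makes concrete is the price of statelessness: only the MSS survives the round trip (other SYN options are lost), a flood of spoofed SYNs costs the server one HMAC per SYN and nothing more, and an attacker who can guess the 24-bit hash for a given 4-tuple within the window can open a connection without ever sending a SYN, which is why the secret must be unpredictable and rotated.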