Lecture 10 Network Security Protocols and Defensive Mechanisms
Transcript of Lecture 10 Network Security Protocols and Defensive Mechanisms
![Page 1: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/1.jpg)
Lecture 10
Network Security Protocols and Defensive Mechanisms
Thursday 5/5/2016
![Page 2: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/2.jpg)
Agenda • Introduction to Network Protocol Security
– Wireless Access– 802.11i/WPA2
– IPSEC
– BGP Instability and S-BGP
– DNS Rebinding and DNSSEC
• Standard Network Defenses – Firewall
• Packet Filter (stateless, stateful), Application Layer Proxies
– Intrusion detection
• Anomaly and Misuse Detection
• Introduction to Unwanted Traffic
– Denial of Service (DoS) Attacks
• Sample Dos at different layers
• Generic DoS solutions
![Page 3: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/3.jpg)
Topics in Last Lecture
• Basic network protocols
– IP, TCP, UDP, BGP, DNS
• Problems with them
– TCP/IP
• No SRC authentication: can’t tell where packet is from
• Packet sniffing
• Connection spoofing, sequence numbers
– BGP: advertise bad routes or close good ones
– DNS: cache poisoning, rebinding
• Web security mechanisms rely on DNS
![Page 4: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/4.jpg)
Network Protocol Stack
Application
Transport
Network
Link
Application protocol
TCP protocol
IP protocol
Data Link
IP
Network Access
IP protocol
Data Link
Application
Transport
Network
Link
![Page 5: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/5.jpg)
Link-layer Connectivity
802.11i Protocol (2004)
Authentica-tion Server (RADIUS) No Key
Authenticator UnAuth/UnAssoc 802.1X Blocked No Key
Supplicant UnAuth/UnAssoc 802.1X Blocked No Key
Supplicant Auth/Assoc 802.1X Blocked No Key
Authenticator Auth/Assoc 802.1X Blocked No Key
Authentica-tion Server (RADIUS) No Key
802.11 Association
EAP/802.1X/RADIUS Authentication
Supplicant Auth/Assoc 802.1X Blocked MSK
Authenticator Auth/Assoc 802.1X Blocked No Key
Authentica-tion Server (RADIUS) MSK
MSK secure connection
Supplicant Auth/Assoc 802.1X Blocked PMK
Authenticator Auth/Assoc 802.1X Blocked PMK
Authentica-tion Server (RADIUS) No Key
4-Way Handshake
Supplicant Auth/Assoc 802.1X UnBlocked PTK/GTK
Authenticator Auth/Assoc 802.1X UnBlocked PTK/GTK
Authentica-tion Server (RADIUS) No Key
Group Key Handshake
Supplicant Auth/Assoc 802.1X UnBlocked New GTK
Authenticator Auth/Assoc 802.1X UnBlocked New GTK
Authentica-tion Server (RADIUS) No Key
Data Communication
Supplicant (e.g., PDA, smart phone( Auth/Assoc 802.1X UnBlocked PTK/GTK
Authenticator (Access point) Auth/Assoc 802.1X UnBlocked PTK/GTK
Authentica-tion Server (may be at AP) (RADIUS) No Key
![Page 6: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/6.jpg)
Basic Layer 2-3 Security Problems
• Network packets pass by untrusted hosts
– Eavesdropping, packet sniffing
– Especially easy when attacker controls a machine close to victim
• TCP state can be easy to guess
– Enables spoofing and session hijacking
![Page 7: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/7.jpg)
IPSec • Security extensions for IPv4 and IPv6 • Mutual authentication between agents at the
beginning of the session – Using cryptographic security services
• IPsec uses a set of protocols to perform various functions – IP Authentication Header (AH)
• Authentication and integrity of payload and header
– IP Encapsulating Security Protocol (ESP) • Confidentiality of payload (encryption)
– ESP with optional ICV (integrity check value) • Confidentiality, authentication and integrity of payload
![Page 8: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/8.jpg)
Packet Formats and Layers (Recall)
Application
Transport (TCP, UDP)
Network (IP)
Link Layer
Application message - data
TCP data TCP data TCP data
TCP Header
data TCP IP
IP Header
data TCP IP ETH ETF
Link (Ethernet)
Header
Link (Ethernet)
Trailer
segment
packet
frame
message
![Page 9: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/9.jpg)
IPSec Transport Mode: IPSec instead of IP header
![Page 10: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/10.jpg)
Filtering Network Traffic
Basic Firewall Concept (starting at IP, transport layer …)
• Separate local area net from internet
Router
Firewall
Local network Internet
All packets between LAN and internet routed through firewall
![Page 11: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/11.jpg)
Basic Packet Filtering • Uses information at transport and IP layers
– IP Source Address, Destination Address
– Protocol (TCP, UDP, ICMP, etc)
– TCP or UDP source & destination ports
– TCP Flags (SYN, ACK, FIN, RST, PSH, etc)
– ICMP message type
• Examples – DNS uses port 53
• Block incoming port 53 packets except known trusted servers
• Issues – Stateful filtering (track the state of running protocols (e.g., TCP, UDP)
and related packets)
– Encapsulation: address translation, other complications
– Fragmentation
![Page 12: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/12.jpg)
Source/Destination Address Forgery
![Page 13: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/13.jpg)
More About Networking: Port Numbering
• TCP connection – Server port uses number less than 1024
– Client port uses number between 1024 and 16383
• Permanent assignment – Ports <1024 assigned permanently
• 20,21 for FTP 23 for Telnet
• 25 for server SMTP 80 for HTTP
• Variable use – Ports >1024 must be available for client to make connection
– Limitation for stateless packet filtering • If client wants port 2048, firewall must allow incoming traffic
– Better: stateful filtering knows outgoing requests • Only allow incoming traffic on high port to a machine that has initiated an
outgoing request on low port
![Page 14: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/14.jpg)
Filtering Example: SMTP
Can block external request to internal server based on port number
![Page 15: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/15.jpg)
Stateful or Dynamic Packet Filtering
![Page 16: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/16.jpg)
Telnet
Telnet Client Telnet Server
23
1234
Client opens channel to
server; tells server its port
number. The ACK bit is
not set while establishing
the connection but will be
set on the remaining
packets
Server acknowledges
Stateful filtering can use this pattern to identify legitimate sessions
![Page 17: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/17.jpg)
FTP
FTP Client FTP Server
20
Data
21
Command
5150
5151 Client opens
command channel to
server; tells server
second port number
Server
acknowledges
Server opens data
channel to client’s
second port
Client
acknowledges
![Page 18: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/18.jpg)
Web Traffic Scanning
• Intercept and proxy web traffic
– Can be host-based or application-based
– Usually at enterprise gateway
• Block known bad sites
• Block pages with known attacks
• Scan attachments
– Usually traditional virus scanning methods
![Page 19: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/19.jpg)
Proxy Firewall
Generally, filtering messages at the application layer
• Application-level proxies
– Tailored to HTTP, FTP, SMTP, etc.
– Some protocols easier to proxy than others
• Policy embedded in proxy programs
– Proxies filter incoming, outgoing packets
– Reconstruct application-layer messages
– Can filter specific application-layer commands, etc.
• Example: only allow specific FTP commands
![Page 20: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/20.jpg)
Firewall with Application Proxies
• Enforce policy for specific protocols
– E.g., Virus scanning for SMTP
Network Connection
Telnet daemon
SMTP daemon
FTP daemon
Telnet proxy
FTP proxy SMTP
proxy
![Page 21: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/21.jpg)
BGP Security Issues
• BGP is used for all inter-ISP routing
• Benign configuration errors affect about 1% of all routing table entries at any time
• Highly vulnerable to human errors, malicious attacks
– Actual routing policies can be very complicated
• MD5 MAC is rarely used, perhaps due to lack of automated key management, addresses only one class of attacks (targeting data integrity)
![Page 22: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/22.jpg)
SBGP Design Overview • IPSec: secure point-to-point router communication
• Public Key Infrastructure: authorization for all SBGP entities
• Attestations: digitally-signed authorizations – Address: authorization to advertise specified address blocks (verifying
the authenticity and authorization of BGP control traffic)
– Route: Validation of UPDATEs based on a new path attribute, using PKI certificates and attestations (sign every hop of a path advertisement)
• Repositories for distribution of certificates, certificate revocation lists (CRLs), and address attestations
• Tools for ISPs to manage address attestations, process certificates & CRLs, etc.
![Page 23: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/23.jpg)
Address Attestation
• Indicates that the final autonomous system (AS) listed in the UPDATE is authorized by the owner of those address blocks to advertise the address blocks in the UPDATE
• Includes identification of: – owner’s certificate
– AS to be advertising the address blocks
– address blocks
– expiration date
• Digitally signed by owner of the address blocks
• Used to protect BGP from erroneous UPDATEs (authenticated but
misbehaving or misconfigured BGP speakers)
![Page 24: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/24.jpg)
Route Attestation • Indicates that the speaker or its AS authorizes the listener’s AS
to use the route in the UPDATE
• Includes identification of: – AS’s or BGP speaker’s certificate issued by owner of the AS
– the address blocks and the list of ASes in the UPDATE
– the neighbor
– expiration date
• Digitally signed by owner of the AS (or BGP speaker) distributing the UPDATE, ...
• Used to protect BGP from erroneous UPDATEs (authenticated but
misbehaving or misconfigured BGP speakers)
![Page 25: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/25.jpg)
BGP Example
3 4
6 5 7
1
8 2
7 7
2 7
2 7
2 7
Host1 Host2
… Hostn
AS
Address blocks
![Page 26: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/26.jpg)
Recall: DNS Lookup Query: "www.example.com A?“
Local recursive resolver caches these for TTL specified by RR
Reply Resource Records in Reply
3
5
7
8
"com. NS a.gtld.net" "a.gtld.net A 192.5.6.30"
"example.com. NS a.iana.net" "a.iana.net A 192.0.34.43"
"www.example.com A 1.2.3.4"
"www.example.com A 1.2.3.4"
![Page 27: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/27.jpg)
DNS-SEC Goal
“The Domain Name System (DNS) security extensions provide origin authentication and integrity assurance services for DNS data, including mechanisms for authenticated denial of existence of DNS data.”
-RFC 4033
![Page 28: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/28.jpg)
Comparison
![Page 29: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/29.jpg)
![Page 30: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/30.jpg)
DNS-SEC
• Basically no change to packet format – Goal is security of DNS data, not channel security
• New Resource Records (RRs) – RRSIG : signature of RR by private zone key
– DNSKEY : public zone key
– DS : crypto digest of child zone key
– NSEC / NSEC3 authenticated denial of existence
• Lookup referral chain (unsigned)
• Origin attestation chain (PKI) (signed) – Start at pre-configured trust anchors
• DS/DNSKEY of zone (should include root)
– DS → DNSKEY → DS forms a link
![Page 31: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/31.jpg)
Query: "www.example.com A?"
3
5
7
8
Reply
"com. NS a.gtld.net" "a.gtld.net A 192.5.6.30"
"example.com. NS a.iana.net" "a.iana.net A 192.0.34.43"
"www.example.com A 1.2.3.4"
"www.example.com A 1.2.3.4"
RRs in DNS Reply Added by DNS-SEC
"com. DS" "RRSIG(DS) by ."
"com. DNSKEY" "RRSIG(DNSKEY) by com."
"example.com. DS" "RRSIG(DS) by com."
"example.com DNSKEY" "RRSIG(DNSKEY) by example.com."
"RRSIG(A) by example.com."
Last Hop?
DNS-SEC Lookup
![Page 32: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/32.jpg)
Intrusion Detection • Many intrusion detection systems
– Network-based (network interface card in promiscuous mode to capture network traffic packets)
– Host-based ( monitors and analyzes the internals of a computing system)
– Combination
• Two basic models – Misuse detection model (signature-based model)
• Maintain data on known attacks • Look for activity with corresponding signatures
– Anomaly detection model (probabilistic-based model) • Try to figure out what is “normal” • Report anomalous behavior
• Fundamental problem: too many false alarms (positive or negative)
![Page 33: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/33.jpg)
Intrusion Detection • Example: Snort (network-based ID)
http://www.snort.org/
detect anomalies in packet headers
applies rules to packets
e.g., input from Ethernet
![Page 34: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/34.jpg)
Snort Detection Rules Example
Alert will be generated if criteria met
Apply to all ip packets
Source ip address
Source port #
destination ip address
Destination port
Rule options
![Page 35: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/35.jpg)
Snort Challenges
• Misuse detection – avoid known intrusions
– Database size continues to grow
• Snort version 2.3.2 had 2,600 rules
– Snort spends 80% of time doing string match
• Anomaly detection – identify new attacks
– Probability of detection is low
![Page 36: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/36.jpg)
Difficulties in Anomaly-based Intrusion Detection
• Lack of training data – Lots of “normal” network – Little data containing realistic attacks, anomalies
• Data drift – Statistical methods detect changes in behavior – Attacker can attack gradually and incrementally
• Main characteristics not well understood – By many measures, attack may be within bounds of
“normal” range of activities
• False identifications are very costly – Sys Admin spend many hours examining evidence
![Page 37: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/37.jpg)
UNWANTED COMPUTER NETWORK TRAFFIC
![Page 38: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/38.jpg)
Denial of Service (DoS) Attacks
• What is network DoS? – Goal: with little computing work
• Deteriorate QoS of running applications
• Take out a large site from service
• Consume resources
• etc.
– How: Amplification (magnifying the negative effects) • Examples:
– Generation of huge number of redundant packets in a distributed way (DDoS)
– Dropping all incoming packets
![Page 39: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/39.jpg)
Denial of Service (DoS) Attacks
Network DoS
• Two types of amplification-related attacks:
– DoS bug:
• Design flaw allowing one machine to disrupt a service
– DoS flood:
• Command Botnet to generate flood of requests
![Page 40: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/40.jpg)
DoS at Network Layers
• DoS can happen at any layer
– Link layer
– TCP/UDP (Transport layer)
– Application layer
![Page 41: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/41.jpg)
DoS at Link Layer
• 802.11b DoS bugs
– Radio jamming attacks
– Protocol DoS bugs
• NAV (Network Allocation Vector): – 15-bit field. Max value: 32767
– Any node can reserve channel for NAV seconds
– No one else should transmit during NAV period
– but not followed by most 802.11b cards
• De-authentication bug (WiFi jamming): – Any node can send de-auth packet to AP
– De-auth packet unauthenticated
– attacker can repeatedly de-auth anyone
![Page 42: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/42.jpg)
DoS at IP Layer
Smurf amplification DoS attack
• Send ping request to broadcast addr (ICMP Echo Req)
• Lots of responses:
– Every host on target network generates a ping
– reply (ICMP Echo Reply) to victim
![Page 43: Lecture 10 Network Security Protocols and Defensive Mechanisms](https://reader034.fdocuments.net/reader034/viewer/2022042710/6266ba5ecf3def03367e24d4/html5/thumbnails/43.jpg)
DoS at Application Layer DNS Amplification attack ( ×50 amplification )
In March 2013: DDoS attack generating 309 Gbps for 28 mins.