Download ppt - Courses

Network Security
IS250
Spring 2010
John Chuang
Outline
 What is Network Security?
- Security properties
- Cryptographic techniques
 Availability (or lack thereof)
- Denial of service (DoS) attacks
- DDoS and botnets
 Operational security
- Firewalls
- Intrusion detection systems
- Virtual private networks
John Chuang
2
Securing the Network Stack
 Application (layer 7): various
security protocols
 Transport (layer 4): Transport
Layer Security (TLS)
 Network (layer 3): IPsec
 Data Link (layer 2): Wired
Equivalent Privacy (WEP); 802.11i
 Physical (layer 1): control of
access to cables; perimeter
security; acoustic security; …
HTTPS, SSH, PGP, S-BGP,
DNSSEC,…
TLS
IPsec
WEP; 802.11i; …
Physical layer security
Unfortunately, IP address spoofing (forging of source address) is still
unsolved, and source of many network security problems.
John Chuang
3
Attacks
 Wide ranging scope
 Some common attacks:
 Eavesdropping
- passwords, credit card
numbers, etc.
 Data tampering
 Impersonation
- Replay attack
- Man-in-the-middle attack
(e.g., IP address spoofing)
- Phishing attack
John Chuang
 Unauthorized access
- System vulnerabilities
- Password guessing (e.g.,
dictionary attack)
- Social engineering (e.g.,
bribe, black-mail)
 Denial-of-Service attack
 Spam
 Malware: Trojan horses,
viruses, worms
 …
4
Security Properties
“CIA” and “AAA”
 Confidentiality
- Prevents eavesdropping
 Integrity
- Prevents modification of data
 Authentication
- Proves your identity to a third party; prevents impersonation
 Accountability (non-repudiation)
- Enables failure analysis; serves as deterrent
 Authorization
- Prevents misuse
 Availability
- Safeguards against denial-of-service
John Chuang
5
Cryptographic Techniques
 Encryption
- Symmetric-key (e.g., AES)
- Asymmetric-key (e.g., RSA)
 Cryptographic hash
(message digest)
 Confidentiality
 Authentication
 Integrity
- e.g., MD5, SHA-1
 Digital signature
John Chuang
 Non-Repudiation
6
Outline
 What is Network Security?
- Security properties
- Cryptographic techniques
 Availability (or lack thereof)
- Denial of service (DoS) attacks
- DDoS and botnets
 Operational security
- Firewalls
- Intrusion detection systems
- Virtual private networks
John Chuang
11
Availability
 Denial-of-Service (DoS) Attack:
- Make a computer resource or service unavailable to users by
overwhelming the computational and/or communication resources of
the victim system
 DoS statistics (Moore et al., Usenix 2001):
- Prevalence: 13,000 DoS attacks recorded in 3 weeks
- Duration: an attack can last for hours
- Intensity: 600,000 packets per second
 2008 ISP Infrastructure Security Report (Arbor, 2008)
- Largest DDoS attack peak traffic volume of 40Gbps
John Chuang
12
TCP SYN Flood Attack
 Recall TCP session establishment
- A  B: SYN
- B  A: SYN + ACK
- A  B: ACK
 B has to keep state for every
half-open connection, and an idle
connection is closed only after
long timeout
 An attacker sends many SYN
messages (with spoofed source
IP addresses) to victim B
 Legitimate clients cannot
establish TCP session with B
John Chuang
13
http://bluebuddies.com/gallery/Smurf_Art_Showcase/gif/Impus_Art_Smurf_Attack.gif
Smurf Attack
 ICMP Echo Request attack
 Attacker sends ICMP Echo
Request (ping) messages to
IP broadcast addresses
(e.g., 128.32.255.255)
 These ping messages have spoofed IP source address of
target victim
 Hosts receiving the Echo Request messages will respond
with Echo Response (pong) messages
 Target is flooded with ICMP Echo Response (pong)
messages
 This is an example of a reflected attack
John Chuang
14
Distributed DoS
(DDoS) Attack
 Attacker takes over
machines via viruses
and launches DoS
attacks from these “zombies” or “bots”
 Largest botnets can have millions of bots
 Defensive approaches: filtering, traceback
 Misaligned incentives an important contributor
- Many owners unaware that their machine is a zombie
- Owners not motivated to diligently patch their
machines to protect against malware in the absence
of perceived harm
John Chuang
15
Botnets
 (Application layer overlay) network of bots (Trojan
horses) under the command & control of botnet
operator
 Botnet operators may control millions of machines and
use them to launch DDoS attacks, send spam, perform
keylogging, commit click fraud,…
- Estimate: 70-90% of spam come from botnets
 Underground market for botnet service
- e.g., $500 for a DDoS attack using 10K bots
- e.g., sites asked to pay $10-50k in extortion
John Chuang
16
Outline
 What is Network Security?
- Security properties
- Cryptographic techniques
 Availability (or lack thereof)
- Denial of service (DoS) attacks
- DDoS and botnets
 Operational security
- Firewalls
- Intrusion detection systems
- Virtual private networks
John Chuang
17
http://www.randommart.com/images/firewall_1_images/firewall.diagram2.gif
Firewall
 A firewall isolates an organization’s internal network from
the public Internet
- All traffic must pass through firewall
- Only authorized traffic, as defined by local security policy, can
pass
 Two basic types: packet filter, application gateway
John Chuang
18
Firewall Policy Examples
Policy
Firewall Setting
No outside web access
Drop all outgoing packets to any
IP address, destination port 80
No incoming TCP connections,
except to public web server at IP
address 1.2.3.4
Drop all incoming TCP SYN
packets to any IP except 1.2.3.4,
port 80
Allow DNS packets to leave
network
Allow outgoing UDP packets to
any IP address, destination port
53
Prevent your network from being
tracerouted
Drop all outgoing ICMP TTL
expired traffic
Prevent your network from being
used for a Smurf attack
Drop all ICMP ping packets going
to a broadcast address
John Chuang
19
Application Gateway
 Filters packets on
application data as
well as on
IP/TCP/UDP fields
host-to-gateway
telnet session
application
gateway
gateway-to-remote
host telnet session
router and filter
Source: Kurose and Ross, Computer Networking, 5th Edition

Example: allow select internal users to telnet outside
1.
2.
3.
require all telnet users to telnet through gateway
for authorized users, gateway sets up telnet connection to destination host.
Gateway relays data between 2 connections
router filter blocks all telnet connections not originating from gateway
John Chuang
20
Intrusion Detection System
 Monitors and reports suspicious traffic by
performing deep packet inspection
- Signature-based or Anomaly-based
application
gateway
firewall
Internet
internal
network
IDS
sensors
Web
server
FTP
server
John Chuang
DNS
server
demilitarized zone (DMZ)
Source: Kurose and Ross, Computer Networking, 5th Edition
21
Virtual Private Networks
 Problem:
- build a corporate intranet for an organization with multiple
sites
 Solutions:
- Public internet connections (low cost)
- Private (dedicated) network connections (confidential)
- Virtual Private Network (both confidentiality and low cost)
- Implemented in software
John Chuang
22
VPN
 VPN software in router at each site gives
appearance of a private network
 Implementation:
- Obtain internet connection for each site
- Choose router at each site to run VPN software
- Configure VPN software in each router to know about
the VPN routers at other sites
- VPN software acts as a packet filter; next hop for
outgoing datagram is another VPN router
- Outgoing datagrams encrypted using IPsec
John Chuang
23
IPSec (RFC 2402, 2406)
 Transport mode: payload encrypted; not header
 Tunneling mode: entire packet encrypted; then
encapsulated in separate packet (to keep
source/destination addresses confidential)
 Example:
- Datagram from host x at
site 1 to host y at site 2
- Router R1 on site 1 encrypts,
encapsulates in new datagram
for transmission to router R2
on site 2
John Chuang
Source: Doug Comer
24