Download A Hands-On Environment for Teaching Networks

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
Document related concepts

Piggybacking (Internet access) wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Wireless security wikipedia , lookup

Distributed firewall wikipedia , lookup

Computer security wikipedia , lookup

Transcript 
A Protection
Architecture for Enterprise Networks
Martin Casado
(Stanford)
Tal Garfinkel
(Stanford)
Aditya Akella
(CMU/Stanford)
Michael Freedman (NYU)
Dan Boneh
(Stanford)
Nick McKeown
(Stanford)
Scott Shenker
(ICSI/Berkeley)
2005
Stanford Security Forum 2006
Talk Outline
 Example:
Breaking into an Enterprise network
 Problems
with enterprise security today
 SANE:
2005
rethinking the network architecture
Stanford Security Forum 2006
Enterprise Threat Environment
 Incidental
 External,
attacks (phishing, spam, worms, viruses, kiddies)
Targeted Attacks
 Competitors
(e.g. getloaded.com vs. truckstop.com)
 Idealists (e.g. SCO)
 Insiders
2005
(29% of all attacks?)
Stanford Security Forum 2006
Enterprise Threat Environment
 Incidental
attacks (worms, viruses, kiddies)
 External Targeted Attacks
 More
access to resources
 Ability to hire skilled attacker
 Insiders
(29% of all attacks?)
 Locality
(access to internal network)
 Knowledge of internal workings
2005
Stanford Security Forum 2006
Example: External Targeted
Attack



Target: Large company (Bank.com)
Attacker Profile: Skill-level equivalent to a B.S. in computer
science
Rules of Engagement:



No physical access
Cannot limit availability of network resources
Goals:



Map out operations
Gain access to sensitive information
Ability to disrupt internal communications if needed
2005
Stanford Security Forum 2006
Step 1: Reconnaissance
Netcraft search: bank (find all relevant domains)
Google/groups: @bank.com
“*at*bank*com”
“*bank*com”
“at*bank*”
frufru at media dot bank dot com
lilo [at sign] shingle [dot] bank [dot] com
[email protected]
Dr. HeL Lo at <[email protected] >
Gin ( dot ) H ( dot ) Polka ( at ) bank ( dot ) COM
Car Mc Kubrik · kubik AT NOSPAM bank dot com
Chris Finkledine at [email protected]
David Spade at [email protected]
[email protected]
2005
Stanford Security Forum 2006
Step 1.5: Profiling
Google/groups: “*Alicebob*”
“*alicebob*bank*”
"someone please email me and tell me how to lose the weight? im trying the
atkins but its sooo hard! catie how did you lose 67 lbs? what did you eat??
please email me at [email protected] and tell me ok??"
“You are truly blessed!!! I wish you a happy and healthy 8 more months. If you
don't mind me asking....when was your tr? lengths? Is this your first pregnancy
since your TR? I go for my TR on 10/24/03 so I am just trying to get lots of
info together. Again Congratulations and I will lift you, dh and little one in
prayer!!!”
etc ...
2005
Stanford Security Forum 2006
Step 2: Contact
Post to forum
Establish rapport
Get IM/email
Write custom trojan
Send infected file over IM, email,
etc.

router
Alicebob
2005
Stanford Security Forum 2006
Step 3: Do Bad Stuff
Gather local information
Local network parameters
Email addresses, documents etc.
Gain access to traffic
Sniffing (switches)
Redirection (ARP, DHCP, DNS etc.)
Further attack through
Redirect + proxy
Many vulnerable protocols
router
binary injection
(http, smtp, htp, nfs, SMB)
Determine
DoS attack channels
Alicebob
2005
Stanford Security Forum 2006
Properties of the Attack
 Does
not require elite attacker
 Simple to launch by an insider
 Effective against traditional perimeter security
models


Difficult to stop with signature detection
Weak internal protection allows propagation of attack once inside
2005
Stanford Security Forum 2006
IP vs. Security
 Overly
permissive
(e.g. broadcast on ARP request)
 Many
heavily trusted components
(end-hosts, dhcp, dns, directory service, routers etc.)
 IP
addresses are meaningless
(can be forged, stolen, changed etc.) (NOTE: very weak notion of identity)
 No hiding of info
(reconnaissance is easy)
No formal support for enforcing access
controls
within a network
2005
Stanford Security Forum 2006
Retrofitting Security onto IP
ACLS
Router
2005
or filtering rules at router
Static ARP cache at router
Port security on switch
Static ARP cache on end-hosts
Signature detection
Proxies at choke points (full TCP
termination)
VLANs for isolation
Stanford Security Forum 2006
Common Solutions = Crummy Networks
(and not-great security)
Inflexible
Hard
to move a machine
(yet difficult to know if someone has moved)
Really difficult to deploy a new protocol
Brittle
Change
a firewall rule, break security policy
Add a switch, break security policy
Confusing
Many
disparate point solutions
State = a bunch of soft state
Hard to state meaningful policies
Lose
redundancy
Introduce
choke points
Can't migrate routes b/c of all the soft state
2005
Stanford Security Forum 2006
Strong coupling of
topology and security
policy
Argument Thus Far
 Targeted
attacks can be quite effective
 IP not designed for attack resistance




permissive
Many trusted components
Unauthenticated end-points
No attempt to control access to information
 Attempts
to retrofit access controls have resulted
in less-than-ideal networks
2005
Stanford Security Forum 2006
Our Approach: Start from Scratch
 Secure
by design
 Reduce trusted computing base
 Leverage characteristics unique to Enterprise



Centrally managed
Known users
Structured connectivity
 Simple
policy declaration
 Retain flexibility and redundancy
(decouple topology and security policy)
2005
Stanford Security Forum 2006
SANE
(Secure Architecture for the Networked
Enterprise)
Centrally declared policy defines all connectivity
 Policy declared over users, services, hosts

(e.g. Alice can access internal-web using http)
All communication requires permission (at the flow level)
 Users must authenticate before using network
 Network information is tightly controlled

2005
Stanford Security Forum 2006
SANE:
High-Level Operation
martin.friends.ambient-streams
Authenticate
Publish
Request
hi, I’m tal, my password is
martin.friends.ambient-streams
Authenticate
martin.friends.ambient-streams
2005
allow
sundar,
hi, I’mtal,
martin,
myaditya
password is
Global Network Policy:
(allow all host all)
Stanford Security Forum 2006
SANE:
Component Overview
•Send network topology
information to •Publish
the DC services at the DC
Domain Controller
•Provide default
connectivity
•Specify accesstocontrols
the DC
(export streams.ambient allow tal)
•Enforce paths•Request
created by
DC to services
access
•Handle flow revocation
Switches
•Authenticates switches/end-hosts
•Contains network topology
•Computes routes
•Handles permission checking for all
flows
End-Hosts
2005
Stanford Security Forum 2006
Connectivity to the DC
 Switches
construct spanning tree
Rooted at DC
 Switches don’t learn topology
(just neighbors)
 Provides basic datagram service to DC
2005
Stanford Security Forum 2006
Establishing Shared
Keys
 Switches
authenticate with DC
and establish symmetric key
 Ike2 for key establishment
 All subsequent packets to DC
have “authentication header”
(similar to ipsec esp header)
2005
Stanford Security Forum 2006
Ksw1
Ksw2
Ksw3
Ksw4
Ksw4
Ksw1
Ksw3
Ksw2
Establishing
Topology
generate neighbor lists
during MST algorithm
K
 Send encrypted neighbor-list
to DC
 DC aggregates to full topology
 No switch knows full topology
Ksw1
Ksw2
Ksw3
Ksw4
 Switches
Ksw4
sw1
2005
Stanford Security Forum 2006
Ksw3
Ksw2
User Authentication


DC creates route from itself to authentication
server
Use third-party mechanism for user
authentication






Kerberos
Radius
AD
DC places itself on-route for all authentication
Snoops protocol to determine if authentication
is successful
Identifies user by location + network
identifier (e.g. MAC address)
2005
Stanford Security Forum 2006
Kerberos
DC
Connection Setup




?DC
Switches disallow all Ethernet broadcast
(and respond to ARP for all IPs)
<src,dst,sprt,dprt>
First packet of every new flow is sent
to DC for permission check
<ARP reply>
DC sets up flow at each switch
Packets of established flows are
forwarded using multi-layer
switching
<src,dst,sprt,dprt>
Alice
2005
Stanford Security Forum 2006
Bob
Security Properties
(revisited)
 Permission
check before connectivity
 Simple mechanism
 Users only access resources they have permission to
 Policy enforced at every switch
 Authenticated end hosts (bound to location)
 High level policy declaration
(topology independent)
 Control
information regarding
packet path, topology
2005
Stanford Security Forum 2006
Other Nice Properties
 Central
point for connection logging (DC)
 Addition of switches (redundancy) does not
undermine security policy
 Application-informed routing
 Anti-mobility
2005
Stanford Security Forum 2006
Extensions and
Considerations
 Backwards
compatibility
 Middlebox integration
 Performance
 Fault Tolerance
 Managing
the DC as a single point of failure
 Adaptive routing
2005
Stanford Security Forum 2006
Easing Deployment
 Use
trivial 2-port switches
(bumps)
 On
links between
Ethernet switches
 Can
be enhanced by using
VLAN per port
2005
Stanford Security Forum 2006
Middle Box Integration
 Control
of routes is powerful
 DC
can force routes
through middlebox
based on policy
 E.g.
signature detection for
all flows from laptops and
users in marketing
2005
Stanford Security Forum 2006
Signature
detection
Performance
 Decouple
control and data path in switches
 Software control path (connection setup)
(slightly higher latency)
 Simple, fast, hardware forwarding path
(Gigabits)
2005
Stanford Security Forum 2006
DC: Single Point of
Failure?
 Exists
today (DNS)
 Permission check is fast
 Replicate DC
 Computationally
(multiple servers)
 Topologically (multiple servers in multiple places)
2005
Stanford Security Forum 2006
Status
 Built
software version of similar system
(using capabilities)
 All
components in software
 Ran in group network (7 hosts) 1 month
 Currently
in development of full system
 Switches
in hardware + software
 DC using standard PC
2005
Stanford Security Forum 2006
Questions?
2005
Stanford Security Forum 2006
Related documents
Proposed System Architecture - BMI 205
Proposed System Architecture - BMI 205
Stanford + Connects 16 x 9 PowerPoint template
Stanford + Connects 16 x 9 PowerPoint template
Distributed Cognition
Distributed Cognition
STANFORD UNIVERSITY Department of Chemical Engineering
STANFORD UNIVERSITY Department of Chemical Engineering
Metabolomics Complexity in Forest Trees Expected from Inron
Metabolomics Complexity in Forest Trees Expected from Inron
Connectionism and Artificial Intelligence
Connectionism and Artificial Intelligence
African People`s Forum Dar Es Salaam
African People`s Forum Dar Es Salaam
LinkedIn Experience Sample - Stanford Graduate School of Business
LinkedIn Experience Sample - Stanford Graduate School of Business
Science Matters Posters
Science Matters Posters
How does it get written up?
How does it get written up?