Network Management - Department of Computer Science, HKBU
Chapter 7 Telecommunications, Network, and Internet Security
COMP4690, HKBU 1

Data Networks
Data network structures:
- Local area network
- Wide area networks
- Internet
Intranet: refers to the application of Internet technologies within an organization.
Extranet: used to differentiate between the external Internet and the internal intranet.
World Wide Web: a set of services on the Internet that provides archives of information accessible via browsers and search engines.

Local Area Network
- LAN transmission methods
- LAN media access methods
- LAN implementations: Ethernet (802.3), Token Ring, Wireless LAN (802.11)

Wide Area Network
- Modems: dial-up
- ISDN: integrated services digital network
- Point-to-point links
- xDSL
- Cable modem
- X.25
- Frame Relay
- ATM

Network Threats and Attacks
- Lots of research has been done by intelligent attackers and security practitioners to probe systems, understand their intricacies, and find new vulnerabilities or attack methods.
- The results are usually implemented into a program or script.
- With the predominance of the WWW and search engines, any person interested in launching an attack can easily find the tools and information on how to do it.
- A less experienced attacker (script kiddy) can launch comprehensive and detailed attacks without understanding the intricacies of how the attack works.

Network Mapping and Port Scanning
- Network mapper: to identify the target's operating systems. E.g., nmap: http://www.insecure.org/nmap/
- Port scanner: to identify the listening ports on a target system. By conducting a port scan, an attacker can identify the services running on the target system and then determine how best to attack it. E.g., strobe, udp_scan, netcat, portpro, portscan

Vulnerability Scanning
After identifying the target's system and services, the attacker can research what vulnerabilities are likely for the system and services, using some scanning tools.
Some tools are open source, some are high-quality commercial tools for analyzing system vulnerabilities.

War dialing
- Attackers use tools called wardialers to find modems connected to systems using the telephone network.
- Wardialers dial telephone numbers in a defined block of numbers looking for computer modem tones.
- In some situations, the modem will not require a password to connect and the attacker will have access to the system.

Network Exploits: (I) Sniffing
- Sniffers are useful tools for both the network manager and the attacker.
- A sniffer can be hardware, or software running on a computer. It accepts all packets received on the network interface(s). When a network interface operates in this manner, it is configured for "promiscuous mode". Normally, an interface drops those packets that are not destined for the local computer.
- Defenses: data encryption (SSH, SSL); use Ethernet switches, and bind each switch port to its IP address(es) to avoid ARP spoofing.

Network Exploits: (II) IP Spoofing
- IP spoofing is a process that alters the source address of an IP packet to make it appear that the packet originated at another system.
- This can be used to initiate denial-of-service attacks.
- IP spoofing makes it difficult to identify the real attacker.
- Defense: use anti-spoofing configuration on routers.

Network Exploits: (III) Session Hijacking
- Session hijacking (or TCP hijacking) allows the attacker to assume control over a network connection while kicking off the legitimate user.
- Usually the attacker needs to monitor the TCP sequence numbers. E.g., Hunt (by [email protected])
- Session hijacking tools are used against applications with persistent connections, such as Telnet, rlogin, or FTP.
For more details, please check: http://www.csn.ul.ie/~syfer/tutorials/sessionhijacking.htm

Denial-of-Service Attack
An attack against the availability of a service: it prevents legitimate users from being able to access the service.
- Malformed Packet Attacks: a few packets that are formatted in an unexpected manner. Ping of death, WinNuke, Land, NewTear, etc.
- Packet Flood Attacks: send a large number of packets to the target until it cannot respond to requests any longer. SYN floods, Smurf, DDoS.

TCP SYN Flooding
Read http://www.cert.org/advisories/CA-1996-21.html (required!)
Normal TCP connection setup:
- The client system begins by sending a SYN message to the server.
- The server then acknowledges the SYN message by sending a SYN-ACK message to the client.
- The client then finishes establishing the connection by responding with an ACK message.
Half-open TCP connection: the server system has sent an acknowledgment (SYN-ACK) back to the client but has not yet received the ACK message.
- The server has built in its system memory a data structure describing all pending connections. This data structure is of finite size, and it can be made to overflow by intentionally creating too many partially-open connections.
Attack by creating TCP "half-open" connections:
- The attacking system sends SYN messages to the victim server system; these appear to be legitimate but in fact reference a client system that is unable to respond to the SYN-ACK messages. The final ACK message will never be sent to the victim server system.
- The half-open connections will eventually expire and the victim server system will recover. However, the attacking system can simply continue sending IP-spoofed packets requesting new connections faster than the victim system can expire the pending connections.

Smurf Denial-of-Service Attack
Read http://www.cert.org/advisories/CA-1998-01.html (required!)
On IP networks, a packet can be directed to an individual machine or broadcast to an entire network. When a packet is sent to an IP broadcast address from a machine on the local network, that packet is delivered to all machines on that network. When a packet is sent to that IP broadcast address from a machine outside of the local network, it is broadcast to all machines on the target network (as long as routers are configured to pass along that traffic).
In the "smurf" attack, attackers use ICMP echo request packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks.
Two components:
- the use of forged ICMP echo request packets (IP spoofing)
- the direction of packets to IP broadcast addresses
Three parties: the attacker, the intermediary, and the victim.
- The attacker creates forged packets (ICMP echo request) that contain the spoofed source address of the attacker's intended victim.
- The intermediary receives an ICMP echo request packet directed to the IP broadcast address of its network. If the intermediary does not filter ICMP traffic directed to IP broadcast addresses, many of the machines on the network will receive this ICMP echo request packet and send an ICMP echo reply packet back. They send the replies to the victim's machine.
- The victim is subjected to network congestion that could potentially make the network unusable.
Solutions:
- Disable IP-directed broadcasts at the routers.
- Configure the operating system to prevent the machine from responding to ICMP packets sent to IP broadcast addresses.

DDoS
- Early DoS attack technology involved simple tools that generated and sent packets from a single source aimed at a single destination.
- Today, the most common DoS attack type involves sending a large number of packets to a destination, causing excessive amounts of endpoint, and possibly transit, network bandwidth to be consumed. Such attacks are commonly referred to as packet flooding attacks.
- From 1999, multiple-source DoS, or DDoS, tools began to be deployed: trinoo, TFN2K, mstream, t0rnkit, carko, Code Red II, Nimda worm.
- TCP floods: a stream of TCP packets with various flags set is sent to the victim IP address. The SYN, ACK, and RST flags are commonly used.
- ICMP echo request/reply (e.g., ping floods): a stream of ICMP packets is sent to a victim IP address.
- UDP floods: a stream of UDP packets is sent to the victim IP address.
Distributed Denial-of-Service, optional reading: http://www.cert.org/archive/pdf/DoS_trends.pdf

Stack-based Buffer Overflow
Will be introduced in detail in the next lecture.

Password Cracking
- Most systems and applications authenticate the user using a static password.
- Most operating systems store the passwords in an encrypted (hashed) form.
- To crack the passwords an attacker needs: acquisition of the password database (without shadow, it's easy; with shadow, may use a buffer overflow); knowledge of the password encryption algorithm; a program that can encrypt and compare the passwords (dictionary attack or brute force). E.g., Crack 5.0a, john the ripper, pwdump2 & L0phtcrack.
- It is important to define a strong password policy.

Trojan Horses and Rootkits
- The Trojan horse appears to serve some useful purpose, yet it is really just disguising the malicious operation.
- A rootkit is a more powerful Trojan horse. The attacker must first get root access, then use the rootkit to keep that access by preventing an administrator from finding the access.
- It typically contains a large number of Trojan horse programs that replace or patch critical system programs. They blind the administrators and convince them that nothing is out of the ordinary.
- Kernel-level rootkits are even more powerful and difficult to handle.

Security Technology and Tools
Data Encryption
- Data encryption can be accomplished at several levels.
- It hides the information from unauthorized access.
- It alerts us when the integrity of the message has been corrupted.

Firewalls
- A method of protecting one network from another untrusted network.
- A firewall has two components: one to block traffic and another to allow authorized traffic through.
- Firewalls can be packet filters, proxies, or a combination of the two.
- Packet filtering focuses on analyzing the packets and comparing them to a set of rules to determine if the packet should be allowed through or blocked.
- A proxy acts as a middleman in the connection process. The user's session establishes a connection to the proxy, which in turn establishes a connection to the external system.

Packet Filter
- Packet filter firewalls operate at layer 3 (network layer).
- Decisions on whether to allow or deny the packet are made by examining the packet header for the following information: source IP address; destination IP address; source port (UDP, TCP); destination port (UDP, TCP); acknowledgement bit (TCP).
- Packet filters are prone to spoofing of source and destination addresses and ports.

Packet Filter (figure slide)

Application Proxy Servers
- Application-level gateway, or proxy server.
- Proxy servers act as a relay between the source and destination systems.
- Application proxies support authentication very well and are often combined with caching services to reduce network congestion.
- There must be a specific proxy for each type of service. E.g., a telnet proxy cannot be used for the FTP service.

Application Proxy Servers (figure slide)

Circuit-Level Gateway
- Similar to the proxy, there is no direct connection between the systems, but it operates at a different layer.
- SOCKS: RFC 1928. A protocol for handling TCP traffic through a proxy server; it can be used with virtually any TCP application.
- Two components: SOCKS server and SOCKS client.
- It enables hosts on one side of a SOCKS server to gain access to hosts on the other side of the SOCKS server, without requiring direct IP reachability.
- It checks incoming and outgoing packets and hides the IP addresses of client applications.

Circuit-Level Gateway (figure slide)

Firewall Platforms
- Host-based: uses an operating system platform like Unix, Linux, or MS Windows to provide the underlying operating resources.
- Gateway Appliance: uses specialized hardware, often running some form of proprietary operating system.
- Desktop Firewalls: reside on the user's workstation and provide firewall services between the host and the network.

Firewall Limitations
- Cannot protect from attacks bypassing it, eg sneaker net, utility modems, trusted organisations, trusted services (eg SSL/SSH).
- Cannot protect against internal threats, eg a disgruntled employee.
- Cannot protect against the transfer of all virus-infected programs or files, because of the huge range of O/S & file types.

Remote Access Security
Remote access technologies consist of any technology and application that allow a user access to the organizational network when he does not have a physical LAN connection.
Security elements:
- Authentication: login credentials
- Access restrictions: what resources the user can access
- Time restrictions: when and for what duration
- Connection restrictions: limits on simultaneous connections per user and on consecutive failed login attempts
- Protocol restrictions: restrict what protocols and services are available

Link-level Security
- Remote access services must include the ability to authenticate a user and establish a reliable connection.
- Point-to-Point Protocol (PPP) can be used for establishing the connection.
- The following protocols can be used for authentication:
  - Password Authentication Protocol (PAP): RFC 1334 (in 1992). Uses a handshake between the client and the server. User ID and password are transmitted in cleartext.
  - Challenge Handshake Authentication Protocol (CHAP): RFC 1334. Uses a three-way handshake. Upon connection, the server sends the connecting system a random challenge. The client then encrypts the challenge with its password.
  - Extensible Authentication Protocol (EAP): RFC 2284 (in 1998). A general protocol for PPP authentication which supports multiple authentication mechanisms.

Securing Network Services
- In the 1980s, Sun Microsystems developed the Network Information Service (NIS), the Network File System (NFS), and Remote Procedure Call (RPC) to allow networked workstations to operate as if they were a single system.
- HP, DEC, and IBM all implemented NIS, NFS, and RPC on their UNIX implementations.

Remote Procedure Call (RPC)
- RPC provides the ability to execute a function on another computer in a reasonably transparent fashion. It allows for distributed programs.
- RPC authentication: client programs must be able to authenticate themselves to an RPC server before the server executes the requested function. There are several different RPC authentication mechanisms:
  - AUTH_NONE: no authentication, anonymous access
  - AUTH_UNIX: the RPC client sends the Unix UID and GID to the server. The server implicitly trusts that the user is who he claims to be.
  - AUTH_DES: authentication based on public key cryptography and DES; not widely available except in Sun Microsystems implementations
  - AUTH_KERB: authentication based on Kerberos, but depends on a Kerberos server being available in the network

Secure RPC
- Sun Microsystems later developed Secure RPC to address the security weaknesses.
- Uses the Diffie-Hellman key exchange mechanism and DES for encrypting information sent over the network.
- When coupled with higher-level protocols like NFS, Secure RPC can create a very secure network.
- Secure RPC authentication: uses Diffie-Hellman key exchange. Each Secure RPC entity has a public and a private key, both of which are stored on the Secure RPC server. The public key is stored unencrypted; the secret key is stored encrypted with the entity's password.

Network Information Services (NIS)
- NIS is a distributed database system allowing network users the capability to share password files, group files, host tables, and other files over the network.
- The files appear to be available on every computer, but they are actually stored on only a single computer called the NIS server.
- With NIS, a large network can be managed more easily because all of the account and configuration information needs to be stored on only a single machine.

Limitations with NIS
- NIS stores the encrypted password values in the passwd map, which can be downloaded by any user.
- Spoofing NIS: NIS clients get information from a NIS server through RPC calls. Under early SunOS versions of the NIS service, it was possible for an attacker to supply his own version of the password file to a login request, and therefore gain access to the system.

NIS+
- NIS+ provides increased security.
- Each NIS+ domain has one and only one NIS+ root domain server. It contains the master copy of the information stored in the NIS+ root domain. There may also be NIS+ servers for sub-domains.
- Entities that communicate using NIS+ are called NIS+ principals. Each NIS+ principal has a public key and a secret key stored on an NIS+ server.
- All communications between NIS+ servers and NIS+ principals use Secure RPC.

Virtual Private Networks (VPN)
- WANs are used to build private networks for organizations to transfer their private data: X.25, Frame Relay, ATM. Very expensive.
- Internet connections are comparatively cheap, but the Internet is a publicly shared network.
- Eavesdropping, packet manipulation, spoofing, ...
- VPN addresses these security concerns by implementing encryption, data integrity, and authentication.
- The VPN consortium (http://www.vpnc.org/) supports the following standards: Point-to-Point Tunneling Protocol (PPTP); IPSec with encryption; Layer 2 Tunneling Protocol (L2TP) over IPSec.

PPTP
- Based on Microsoft's Remote Access Services (RAS), first included in Windows NT.
- PPTP is a layer 2 protocol, also containing data-link information. PPP is often used over PPTP.
- With PPTP, authentication is done using PPP with CHAP, PAP, or EAP.

IPSec
- IPSec is a collection of protocols forming an extension to the Internet Protocol. It provides authentication and encryption services.
- The specification is quite complex, defined in numerous RFCs: RFC 2401/2402/2406/2408.
- It is mandatory in IPv6, optional in IPv4.
- Three protocols are used to provide the IPSec services: Authentication Header (AH); Encapsulating Security Payload (ESP); Internet Key Exchange (IKE) (RFC 2409).

IPSec (figure slide)

IPSec Services
- Access control
- Connectionless integrity
- Data origin authentication
- Rejection of replayed packets
- Confidentiality
- Limited traffic flow confidentiality

IPSec Services (figure slide)

Security Association
- IPSec provides many options for performing network encryption and authentication; there is lots of information to manage.
- SA: security association, a relationship between two or more entities that describes how the entities will use security services to communicate securely.
- Unidirectional.
- Identified by a randomly chosen unique number called the SPI (security parameter index) and the IP address of the destination.

IPSec: Authentication Header (AH)
- Provides support for data integrity & authentication of IP packets.
- End system/router can authenticate user/app.
- Prevents address spoofing attacks.
- Prevents replay attacks by tracking sequence numbers.
- Authentication is based on use of a MAC: HMAC-MD5-96 or HMAC-SHA-1-96; parties must share a secret key.

IPSec Authentication Header (figure slide)

Scope of AH Authentication
- Transport mode, IPv4: the AH is inserted after the original IP header and before the IP payload. Authentication covers the entire packet, excluding mutable fields in the IPv4 header that are set to zero for MAC calculation.
- Tunnel mode, IPv4: the entire original IP packet is authenticated, and the AH is inserted between the original IP header and a new outer IP header. The inner IP header carries the ultimate source & destination addresses, while the outer IP header contains different IP addresses.

IPSec: Encapsulating Security Payload (ESP)
- Provides message content confidentiality & limited traffic flow confidentiality.
- Can optionally provide the same authentication services as AH.
- Supports a range of ciphers, modes, padding: DES, Triple-DES, RC5, IDEA, CAST, etc.; CBC most common; pad to meet block size, for traffic flow.

IPSec ESP Format (figure slide)

Scope of ESP Encryption and Authentication
- Transport mode ESP: the ESP header is inserted into the IP packet immediately prior to the transport-layer header, and an ESP trailer is placed after the IP packet.
- Tunnel mode ESP: the ESP header is prefixed to the packet, and then the packet plus the ESP trailer is encrypted.

Transport and Tunnel Modes
Both AH and ESP support two modes of use:
- Transport mode: provides protection to the payload of an IP packet. Used for end-to-end communication between two hosts.
- Tunnel mode: provides protection to the entire IP packet. After the AH or ESP fields are added to the IP packet, the entire packet is treated as the payload of a new "outer" IP packet with a new outer IP header. Commonly used on security gateways or firewalls.
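Added example (Python, not from the lecture): a cut-down transport-mode AH as the Security Association, AH and Scope of AH slides above describe it. An SA is identified by SPI and destination, the ICV is HMAC-SHA-1-96 over the packet with the mutable IPv4 fields (TTL, checksum) zeroed, and a 64-entry sequence-number window rejects replays. The reduced IPv4 header layout, the addresses, the key and the payload are constructed for the demo; real AH processing follows RFC 2402.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

# Added example, not from the lecture: a cut-down IPv4 transport-mode AH with
# HMAC-SHA-1-96 and a sliding anti-replay window. The IPv4 header is reduced to
# the fields needed to show what the MAC covers (hypothetical layout); real AH
# processing follows RFC 2402. Key, addresses and payload are constructed.

ICV_LEN = 12                          # HMAC-SHA-1-96: 160-bit tag cut to 96 bits
AH_PROTO = 51                         # IP protocol number of AH
MUTABLE_FIELDS = ("ttl", "checksum")  # change hop by hop, so zeroed for the MAC


@dataclass
class SecurityAssociation:
    """Unidirectional SA, identified by SPI plus destination address."""
    spi: int
    dst: str
    key: bytes
    seq: int = 0           # sender: last sequence number used
    window_size: int = 64  # receiver: width of the anti-replay window
    highest_seq: int = 0   # receiver: right edge of the window
    window: int = 0        # receiver: bit k set <=> highest_seq - k already seen


def header_bytes(hdr, zero_mutable):
    """Serialize the reduced header; mutable fields are zeroed for the MAC."""
    h = dict(hdr)
    if zero_mutable:
        for f in MUTABLE_FIELDS:
            h[f] = 0
    return struct.pack("!4s4sBHB", ipaddress.ip_address(h["src"]).packed,
                       ipaddress.ip_address(h["dst"]).packed,
                       h["ttl"], h["checksum"], h["proto"])


def ah_fixed(next_header, spi, seq):
    """AH without its ICV: next header, payload length (24-byte AH => 4), reserved, SPI, seq."""
    return struct.pack("!BBHII", next_header, 4, 0, spi, seq)


def compute_icv(key, hdr, next_header, spi, seq, payload):
    """HMAC-SHA-1-96 over immutable header fields, AH with ICV zeroed, and payload."""
    data = header_bytes(hdr, True) + ah_fixed(next_header, spi, seq) + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(sa, hdr, next_header, payload):
    """Sender: take the next sequence number and insert AH after the IP header."""
    sa.seq += 1
    outer = dict(hdr, proto=AH_PROTO)
    icv = compute_icv(sa.key, outer, next_header, sa.spi, sa.seq, payload)
    return outer, ah_fixed(next_header, sa.spi, sa.seq) + icv + payload


def replay_ok(sa, seq):
    """Window check: seq must be nonzero, and either new or unseen inside the window."""
    if seq == 0:
        return False
    if seq > sa.highest_seq:
        return True
    offset = sa.highest_seq - seq
    return offset < sa.window_size and not (sa.window >> offset) & 1


def replay_record(sa, seq):
    """Advance or mark the window; called only after the ICV verified."""
    if seq > sa.highest_seq:
        shift = seq - sa.highest_seq
        sa.window = ((sa.window << shift) | 1) & ((1 << sa.window_size) - 1)
        sa.highest_seq = seq
    else:
        sa.window |= 1 << (sa.highest_seq - seq)


def ah_verify(sa, hdr, data):
    """Receiver: (next_header, payload) if the packet is authentic and fresh, else None."""
    if hdr["proto"] != AH_PROTO or hdr["dst"] != sa.dst or len(data) < 24:
        return None
    next_header, _plen, _res, spi, seq = struct.unpack("!BBHII", data[:12])
    icv, payload = data[12:24], data[24:]
    if spi != sa.spi or not replay_ok(sa, seq):
        return None
    if not hmac.compare_digest(icv, compute_icv(sa.key, hdr, next_header, spi, seq, payload)):
        return None
    replay_record(sa, seq)
    return next_header, payload


def run_demo():
    """Constructed scenario: forwarded packet, its replay, a tampered copy, a fresh one."""
    key = b"constructed-shared-key-for-demo"
    sender = SecurityAssociation(spi=0x1234, dst="10.0.0.2", key=key)
    receiver = SecurityAssociation(spi=0x1234, dst="10.0.0.2", key=key)
    hdr = {"src": "10.0.0.1", "dst": "10.0.0.2", "ttl": 64, "checksum": 0xBEEF, "proto": 17}
    outer, data = ah_protect(sender, hdr, 17, b"hello")
    # A router decremented TTL and rewrote the checksum: mutable fields, still verifies.
    in_transit = dict(outer, ttl=63, checksum=0x1234)
    results = {"forwarded": ah_verify(receiver, in_transit, data)}
    results["replayed"] = ah_verify(receiver, in_transit, data)          # same seq again
    _, data2 = ah_protect(sender, hdr, 17, b"hello")
    results["tampered"] = ah_verify(receiver, in_transit, data2[:-5] + b"HELLO")
    results["second"] = ah_verify(receiver, in_transit, data2)           # seq 2 unused so far
    return results
```

The order of checks in ah_verify matters: the window is consulted before the MAC so that a flood of replays costs no HMAC work, but the window is only updated after the MAC verifies, so a forged packet with a high sequence number cannot push the window forward and lock out genuine traffic.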
IPSec: Key Management
- Handles key generation & distribution.
- Typically need 2 pairs of keys: 2 per direction for AH & ESP.
- Manual key management: the sysadmin manually configures every system.
- Automated key management: an automated system for on-demand creation of keys for SAs in large systems; has Oakley & ISAKMP elements.

IPSec: Oakley
- A key exchange protocol based on Diffie-Hellman key exchange.
- Adds features to address weaknesses: cookies, groups (global params), nonces, DH key exchange with authentication.
- Can use arithmetic in prime fields or elliptic curve fields.

IPSec: ISAKMP
- Internet Security Association and Key Management Protocol.
- Provides a framework for key management.
- Defines procedures and packet formats to establish, negotiate, modify, & delete SAs.
- Independent of key exchange protocol, encryption algorithm, & authentication method.

L2TP
- Microsoft and Cisco co-developed L2TP as an open standard for secure multi-protocol routing.
- It is a layer 2 protocol with stringent authentication, including the use of certificates.
- Typically, an L2TP packet is encapsulated with IPSec ESP and AH, followed by another PPP encapsulation for transmission over the datalink layer.
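Added example (Python, not from the lecture), serving both the Secure RPC slide and the Oakley slide above: a Diffie-Hellman exchange in a prime field, with the two Oakley additions the slide names, anti-clogging cookies and nonces, and a subgroup check on the peer's public value. The group (p = 1019 = 2·509 + 1, a safe prime, with g = 4 generating its order-509 subgroup), the addresses and the message flow are constructed for illustration; real deployments use the large MODP groups.

```python
import hashlib
import hmac
import secrets

# Added example, not from the lecture: Diffie-Hellman over a prime field with
# Oakley-style cookies and nonces. The group is a constructed toy: p = 1019 is
# a safe prime (1019 = 2*509 + 1) and g = 4 generates the order-509 subgroup.
# The tiny size only keeps the arithmetic readable; it offers no security.

P = 1019
G = 4
Q = (P - 1) // 2        # prime order of the subgroup generated by G


class Party:
    """One endpoint holding a cookie secret, a DH key pair and a nonce."""

    def __init__(self, name):
        self.name = name
        self.cookie_secret = secrets.token_bytes(16)
        self.x = 1 + secrets.randbelow(Q - 1)   # private exponent, 1 <= x < Q
        self.y = pow(G, self.x, P)              # public value g^x mod p
        self.nonce = secrets.token_bytes(16)    # fresh per exchange

    def cookie(self, peer_addr):
        """Stateless anti-clogging cookie: a MAC of the peer's address under a
        local secret. It costs one hash, so a flood of forged first messages
        does not make this side allocate state or do exponentiations."""
        return hmac.new(self.cookie_secret, peer_addr.encode(), hashlib.sha256).digest()[:8]

    def shared_secret(self, peer_y):
        """g^(xy) mod p, after checking the peer value lies in the subgroup."""
        if not 1 < peer_y < P - 1 or pow(peer_y, Q, P) != 1:
            raise ValueError("peer public value is not in the expected subgroup")
        return pow(peer_y, self.x, P)


def derive_key(shared, cookie_i, cookie_r, nonce_i, nonce_r):
    """Session key bound to the DH secret, both cookies and both nonces."""
    material = shared.to_bytes(2, "big") + cookie_i + cookie_r + nonce_i + nonce_r
    return hashlib.sha256(material).digest()


def run_exchange(initiator_addr="10.0.0.1", responder_addr="10.0.0.2"):
    """Walk the four-message flow and return the key each side derives."""
    init, resp = Party("initiator"), Party("responder")

    # Msg 1, initiator -> responder: the initiator's cookie. The responder
    # does no DH work yet; it only answers with a cookie of its own.
    ck_i = init.cookie(responder_addr)
    # Msg 2, responder -> initiator: the responder's cookie.
    ck_r = resp.cookie(initiator_addr)
    # Msg 3, initiator -> responder: both cookies, g^x and the nonce. Only a
    # peer that really received msg 2 can echo ck_r, so the responder checks
    # it before spending an exponentiation on this exchange.
    if not hmac.compare_digest(resp.cookie(initiator_addr), ck_r):
        raise ValueError("bad cookie: drop without allocating state")
    k_resp = derive_key(resp.shared_secret(init.y), ck_i, ck_r, init.nonce, resp.nonce)
    # Msg 4, responder -> initiator: g^y and the responder's nonce.
    k_init = derive_key(init.shared_secret(resp.y), ck_i, ck_r, init.nonce, resp.nonce)
    return k_init, k_resp
```

Two of the Oakley weaknesses the slide alludes to are visible here: without the cookie, a forged source address costs the responder a modular exponentiation per packet, and without the subgroup check a peer could send 1 or p-1 and force the shared secret into a handful of values. Authentication of the exchange itself (signatures or a pre-shared key over the DH values) is the part this toy leaves out.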
SSL and TLS
- Secure Socket Layer (SSL): transport layer security service.
- Originally developed by Netscape; version 3 designed with public input.
- Subsequently became the Internet standard known as TLS (Transport Layer Security).
- Uses TCP to provide a reliable end-to-end service.
- SSL has two layers of protocols.

SSL Architecture (figure slide)

SSL Architecture
- SSL session: an association between client & server, created by the Handshake Protocol; defines a set of cryptographic parameters; may be shared by multiple SSL connections.
- SSL connection: a transient, peer-to-peer communications link, associated with 1 SSL session.

SSL Record Protocol
- Confidentiality: using symmetric encryption with a shared secret key defined by the Handshake Protocol (IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128); the message is compressed before encryption.
- Message integrity: using a MAC with a shared secret key; similar to HMAC but with different padding.

SSL Change Cipher Spec Protocol
- One of 3 SSL-specific protocols which use the SSL Record Protocol.
- A single message causes the pending state to become current, hence updating the cipher suite in use.

SSL Alert Protocol
- Conveys SSL-related alerts to the peer entity.
- Severity: warning or fatal.
- Specific alert: unexpected message, bad record MAC, decompression failure, handshake failure, illegal parameter; close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown.
- Compressed & encrypted like all SSL data.

SSL Handshake Protocol
- Allows server & client to authenticate each other, to negotiate encryption & MAC algorithms, and to negotiate the cryptographic keys to be used.
- Comprises a series of messages in phases: Establish Security Capabilities; Server Authentication and Key Exchange; Client Authentication and Key Exchange; Finish.

TLS (Transport Layer Security)
- IETF standard RFC 2246, similar to SSLv3 with minor differences: in the record format version number; uses HMAC for the MAC; a pseudo-random function expands secrets; has additional alert codes; some changes in supported ciphers; changes in certificate negotiations; changes in the use of padding.

Application Layer Security
- Secure Electronic Transactions (SET)
- Privacy Enhanced Mail (PEM)
- Secure Hypertext Transfer Protocol (SHTTP/HTTPS)
- S/MIME

Network Availability and Network Disaster Recovery Planning
Network Reliability
- Star topology: the failure of a single link doesn't affect other links. The hub/switch is the weak link; it can be improved by redundant power supplies, backplane, and control logic.
- Ring topology: in token-ring, a link failure or node failure will fail the whole network. In a MAN or WAN, ring topology is reliable and common.
- Bus topology: a link failure will fail the entire network.
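Added example (Python, not from the lecture), for the TLS slide above: the RFC 2246 pseudo-random function that expands secrets (P_MD5 and P_SHA-1 XORed together), the master-secret and key-block derivation it drives, and the HMAC record MAC over sequence number, type, version, length and fragment that replaced SSLv3's padded MAC. The cipher-suite sizes (SHA-1 MAC, 16-byte keys and IVs), the randoms and the pre-master secret are constructed values, not from any real session.

```python
import hashlib
import hmac
import struct

# Added example, not from the lecture: the TLS 1.0 (RFC 2246) PRF built from
# HMAC-MD5 and HMAC-SHA-1, the key block it expands, and the record-layer HMAC.
# MAC/key/IV sizes are constructed for a suite with a SHA-1 MAC and 16-byte
# keys and IVs; the handshake randoms and secrets below are made-up bytes.


def p_hash(digest, secret, seed, length):
    """P_hash(secret, seed) = HMAC(secret, A(1)+seed) + HMAC(secret, A(2)+seed) + ...
    with A(0) = seed and A(i) = HMAC(secret, A(i-1)); truncated to length bytes."""
    out = b""
    a = hmac.new(secret, seed, digest).digest()            # A(1)
    while len(out) < length:
        out += hmac.new(secret, a + seed, digest).digest()
        a = hmac.new(secret, a, digest).digest()           # next A(i)
    return out[:length]


def prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_MD5(S1, label+seed) XOR P_SHA-1(S2, label+seed).
    S1/S2 are the two halves of the secret; for an odd length they share a byte."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


MAC_LEN, KEY_LEN, IV_LEN = 20, 16, 16    # constructed cipher-suite parameters


def derive_keys(pre_master_secret, client_random, server_random):
    """Master secret, then the key block, split in the order RFC 2246 fixes."""
    master = prf(pre_master_secret, b"master secret", client_random + server_random, 48)
    block = prf(master, b"key expansion", server_random + client_random,
                2 * (MAC_LEN + KEY_LEN + IV_LEN))
    names = ("client_mac", "server_mac", "client_key", "server_key", "client_iv", "server_iv")
    sizes = (MAC_LEN, MAC_LEN, KEY_LEN, KEY_LEN, IV_LEN, IV_LEN)
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return master, keys


def record_mac(mac_secret, seq_num, content_type, fragment, version=(3, 1)):
    """TLS record MAC: HMAC over sequence number, type, version, length, fragment."""
    header = struct.pack("!QBBBH", seq_num, content_type, version[0], version[1], len(fragment))
    return hmac.new(mac_secret, header + fragment, hashlib.sha1).digest()


def verify_record(mac_secret, seq_num, content_type, fragment, mac):
    """Receiver-side check; a replayed or reordered record has the wrong seq_num and fails."""
    return hmac.compare_digest(record_mac(mac_secret, seq_num, content_type, fragment), mac)


def run_demo():
    """Constructed handshake values; both ends derive the same keys and MAC one record."""
    pre_master = b"\x03\x01" + bytes(range(46))          # 48-byte constructed value
    client_random, server_random = bytes([0xAA]) * 32, bytes([0xBB]) * 32
    master, client_keys = derive_keys(pre_master, client_random, server_random)
    _, server_keys = derive_keys(pre_master, client_random, server_random)
    fragment = b"GET / HTTP/1.0\r\n"
    tag = record_mac(client_keys["client_mac"], 0, 23, fragment)
    return {
        "master_len": len(master),
        "keys_agree": client_keys == server_keys,
        "accepted": verify_record(server_keys["client_mac"], 0, 23, fragment, tag),
        "replay_rejected": not verify_record(server_keys["client_mac"], 1, 23, fragment, tag),
        "wrong_key_rejected": not verify_record(server_keys["server_mac"], 0, 23, fragment, tag),
    }
```

The implicit 64-bit sequence number in the MAC input is what gives the record layer its replay and reordering protection: it is never sent on the wire, so both ends must count records identically, and a record delivered twice fails verification on the second copy.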