Internet Security
• Background on Internet technologies and protocols
  – LANs and WANs
  – IP Addressing, DNS
  – OSI model
  – TCP/IP, UDP
• Attacks
• Firewalls
1
Background on Internet Technologies
• Evolution of Networking
– Batch Environment - 1950s
• no direct interaction between users and their programs during
execution
– Time Sharing - 1960s
• dumb terminals were connected to a central computer system
• Users were able to interact with the computer and could share its
information processing resources
• Marked the beginning of computer communications
– Distributed Processing: use of minicomputers - 1970s
• Users demanded computing closer to their work areas
• Communication between neighbor processors and applications via
networks
– WAN and LAN - 1980s
2
LANs
• collection of hosts connected by a high speed network
• designed and developed for communications and
resource sharing in a local work environment (room,
campus, building)
• users can access other networks via bridges and
gateways
[Figure: a LAN with PC 1, PC 2, ..., PC n, a printer and a file server sharing one network]
3
WANs and Internetworks
• span a large geographic area, cross public property
• often based on services provided by 3rd party companies,
use telephone networks for transmission from one node to
another
• can be used to connect several LANs together
• Routers attached to each LAN filter the network traffic to
and from the WAN
• LANs can also be connected by special modems or
dedicated leased lines
[Figure: an internetwork; PC 1, PC 2, ..., PC n and a file server on a LAN behind a router]
4
Routers
• Special purpose computers used for
interconnecting networks
• Essentially a router receives messages
originating from one network and sends (routes)
them to the other network
• The process of selecting a network over which
to send a message is called routing
• Ex: computers X and Y can communicate via
routers R1, R2 and R3
5
An example
[Figure: X reaches Y through routers R1, R2 and R3]
6
Internet
• The global Internet consists of thousands of
computer networks interconnected by routers.
• Internet appears as a single, seamless
communication system to which many
computers can attach.
– each computer is assigned an address
– any computer can send a message to any other
computer
7
Transmission Capacity
• Speed of transmission is measured in bits per second (bps); the
analog bandwidth of the channel carrying the bits is measured in cycles per second (Hertz)
• Multiplexing: many signals can be sent on a
single physical channel
• Based on the physical medium
– twisted wire pair, coaxial cable, fiber optic cable,
satellite transmission, microwave
– Dial-up access, Leased circuits, Cable modem, DSL
technologies,Wireless access
9
Packet Switching
• A message is not sent as a single unit, but
broken down into small packets that are
transmitted individually
• Each packet has a header that contains information about the
source, the destination and the packet's position in the message (a sequence number)
• Packets may travel on different routes
• They may even arrive at the destination out of order
• Good for data communication
10
Packet Switches
• A WAN is constructed from many switches
• A switch moves packets from one connection to the other
• A switch is a dedicated computer, with two types of connections
– High-speed connections with other switches; they can be: leased phone
lines, optical fibers, microwave, satellite.
– Low-speed connection: used to connect with an individual computer, or a
LAN.
11
Switched Network
[Figure: three switches joined by high-speed connections]
Internet2 (http://www.internet2.edu/)
• Is a high speed network that enables communications 100 - 1000
times faster than today’s internet
• Rutgers, which is part of the Internet2 consortium, has launched
RUNet 2000 ($100million)
• Operates at 10Gbps (compare with the fastest modems now
available ~Mbps) 15,000 times faster than a typical home
broadband connection
• Developed by academic and research community: more than 205
universities, NSF, NIH, NASA,.., IBM,DEC,Cisco, Sun, MCI,
Sprint, ..
• In Europe: European Union-funded network, TEN-34 was
launched (initially 34Mbps, will later reach 155Mbps)
• designed to provide a range of broadband network applications:
collaborative research, distance learning, video-conferencing,
remote medical consultation and diagnoses
13
Internet2 (cont’d)
• Current telephone networks use circuit switching, where a path through
the network is dedicated entirely to one call for its duration
• In contrast, information over Internet is broken down into small
data packets, and the packets navigate from junction to junction
(routers)
• Aim of Internet2 is to install “gigapops” (gigabit capacity point
of presence) capable of routing packets more quickly through
the network (by launching a gigabit switch router to support
speeds of 10Gbps)
• With current Internet, real-time images have the same priority as
email; Internet2 will be able to distinguish these two (Current IP
is democratic)
• Although Internet2 is being developed for universities and
research labs, in next 5 years it may reach homes (for $30/month
with 10Mbps)
14
IP Addressing
• Every host on the Internet has a unique IP address.
• The IP protocol in use now (IPv4) has 32 bits for an address. How many
hosts in total? 2^32 = 4,294,967,296.
• The 32 bits must be divided into a network portion and a host portion.
• Typically written in "dotted decimal" form: 128.6.10.4
  In this case, the network portion is 128.6 and the host portion is 10.4
15
IP Addressing (cont’d)
• How to divide up the addresses?
Four classes of IP addresses (a fifth, class E, is reserved):
– 1. Class A: first bit is 0, next 7 bits define the network,
last 24 bits define the host. 128 networks with
16,777,216 addresses each.
– 2. Class B: first two bits are 1 0, next 14 bits define
the network, last 16 bits define the host. 16,384 networks
with 65,536 addresses each.
– 3. Class C: first three bits are 1 1 0, next 21 bits define
the network, last 8 bits define the host. 2,097,152
networks with 256 addresses each (254 usable hosts, since the
all-zeros and all-ones host values are reserved).
– 4. Class D (multicast): first four bits are 1 1 1 0, next 28
bits define a multicast group address.
16
IP Addressing (cont’d)
• For a network with a large number of hosts (e.g. a Class B
network), we can divide the hosts into subnetworks using a
subnet mask.
• The subnet mask indicates which of the 32 bits should be
considered the network portion and which should be
considered the host portion.
• A common subnet mask is 255.255.255.0, meaning the first 24
bits define the network and the last 8 bits define the host.
• Special IP address: 127.0.0.1, called "localhost" (the loopback
address; packets sent to it never leave the host).
17
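The classful decoding and subnet-mask splitting described on the two slides above, as an added worked example (this is not code from the lecture notes). It takes an address in dotted-decimal form, determines its class from the leading bits, and splits it into network and host portions either at the classful boundary or according to a supplied mask; it also rejects a non-contiguous mask, which real configurations occasionally contain by mistake.

```python
# Added example (not from the lecture notes): classful decoding of an IPv4
# address and network/host splitting with a subnet mask, as in the slides above.
from typing import Dict, Optional, Tuple

TOTAL_IPV4 = 2 ** 32  # 4,294,967,296 possible 32-bit addresses


def to_int(dotted: str) -> int:
    """Dotted decimal text -> 32-bit integer, rejecting malformed input."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | octet
    return value


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_class(dotted: str) -> Tuple[str, int]:
    """Return (class letter, number of network bits) from the leading bits."""
    value = to_int(dotted)
    if value >> 31 == 0b0:        # 0xxxxxxx -> class A, 8 network bits
        return "A", 8
    if value >> 30 == 0b10:       # 10xxxxxx -> class B, 16 network bits
        return "B", 16
    if value >> 29 == 0b110:      # 110xxxxx -> class C, 24 network bits
        return "C", 24
    if value >> 28 == 0b1110:     # 1110xxxx -> class D, multicast (no host part)
        return "D", 0
    return "E", 0                 # 1111xxxx -> class E, reserved


def split_address(dotted: str, mask: Optional[str] = None) -> Dict[str, object]:
    """Split an address into network and host portions.

    Without a mask the classful boundary is used; with a mask such as
    255.255.255.0 the mask decides which bits are network and which are host.
    """
    value = to_int(dotted)
    if mask is None:
        cls, prefix = address_class(dotted)
        if prefix == 0:
            raise ValueError(f"class {cls} addresses have no host portion")
        mask_int = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    else:
        mask_int = to_int(mask)
        # A valid mask is a run of 1 bits followed by a run of 0 bits, so the
        # inverted mask must be of the form 2^k - 1.
        inverted = ~mask_int & 0xFFFFFFFF
        if inverted & (inverted + 1):
            raise ValueError(f"non-contiguous subnet mask {mask!r}")
        prefix = bin(mask_int).count("1")
    host_bits = 32 - prefix
    return {
        "prefix": prefix,
        "network": to_dotted(value & mask_int),
        "host": value & ~mask_int & 0xFFFFFFFF,
        "hosts_per_network": 2 ** host_bits,
        # all-zeros (network) and all-ones (broadcast) host values are reserved
        "usable_hosts": max(2 ** host_bits - 2, 0),
    }
```

For the slide's address, `split_address("128.6.10.4")` reports a class B network 128.6.0.0 with host 10.4, while `split_address("128.6.10.4", "255.255.255.0")` moves the boundary to the third octet and leaves 254 usable hosts per subnet.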
Domain Name Services
• Each host on the Internet has its own unique IP address - Who
can remember all of them ?
• DNS gives us a means to map an IP address to a "host name"
and vice versa.
• Host names are typically broken down into 4 or 5 parts:
– 1. A geographic (country) designation may be given at the "highest
level" (the rightmost label):
• uk us ca au fr it de zw
– 2. An organizational designation may be used in place of the geographic
one, or combined with it:
• com edu gov mil org net
– 3. The next level down names the organization itself:
• rutgers microsoft pizzahut plannetreebok
– 4. Within an organization there may be several individual hosts,
each with its own name:
• CIMIC
• andromeda
18
Domain Name Services (cont’d)
• These parts are assembled from right to left:
– andromeda.rutgers.edu
– www.microsoft.com
– psych.leeds.ac.uk
– www.whitehouse.gov
• Resolving Internet names using DNS
– The most commonly used IP address and host name pairs can be kept in a
local hosts file. See /etc/hosts
– If the name is not in the hosts file, the configured (primary) DNS server is consulted.
– The resolver sends a DNS Query message over UDP to port 53 of the designated
Name Server.
– This is done hierarchically, e.g. for host names ending in
rutgers.edu a local Rutgers DNS server can answer directly.
19
Domain Name Services (cont’d)
• If the local DNS server cannot answer, the additional (secondary)
DNS servers in the list are tried until
– 1. the request times out, or
– 2. the request exceeds a predefined retry/hop count, or
– 3. the list of DNS servers is exhausted
• Look at /etc/resolv.conf on UNIX systems. In Windows, look at the
properties of the TCP/IP protocol.
20
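The query message that the slides say is sent over UDP to port 53, as an added worked example (not code from the lecture notes). It builds a standard A query in wire format and parses a response, including the label compression pointers real servers use. The response below is constructed for the example, not captured from a server, and the transaction ID is chosen by the caller; a real resolver randomizes it (and its source port) precisely because the check at the top of `parse_response` is the only thing that ties an answer to the question that was asked.

```python
# Added example (not from the lecture notes): wire-format DNS A query/response.
import struct
from typing import List, Tuple

DNS_PORT = 53
TYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """rutgers.edu -> b'\\x07rutgers\\x03edu\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """Standard query, recursion desired, one question of type A / class IN."""
    flags = 0x0100  # QR=0 (query), opcode 0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Read a possibly compressed name; return (name, offset just after it)."""
    labels = []
    jumped = False
    end = offset
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # 11xxxxxx: pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                      # name ends after the pointer
            jumped = True
            offset = pointer
            hops += 1
            if hops > 16:                             # refuse looping pointers
                raise ValueError("pointer loop in name")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(msg: bytes, expected_txid: int) -> List[Tuple[str, str]]:
    """Return (owner name, dotted IPv4) for each A record in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (possible forged answer)")
    if flags & 0x8000 == 0:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"server returned rcode {rcode}")
    offset = 12
    for _ in range(qd):                               # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4                                   # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        owner, offset = decode_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            answers.append((owner, ".".join(str(b) for b in rdata)))
    return answers


# Constructed sample response (not a real capture): answers the query for
# andromeda.rutgers.edu with one A record whose owner name is a compression
# pointer (0xC00C) back to the question name at offset 12.
SAMPLE_TXID = 0x1A2B
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0)
    + encode_name("andromeda.rutgers.edu") + struct.pack("!HH", TYPE_A, CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 3600, 4)
    + bytes([128, 6, 10, 4])
)
```

`build_query("andromeda.rutgers.edu", SAMPLE_TXID)` is the 39-byte datagram a resolver would send to port 53; `parse_response(SAMPLE_RESPONSE, SAMPLE_TXID)` yields `[("andromeda.rutgers.edu", "128.6.10.4")]`, and the same response presented against a different transaction ID is rejected.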
The Structure of WWW
A global collection of hypertext pages stored on
Internet hosts.
– Hypertext - Text documents that allow non-linear reading
through hypertext links.
– Normally we read a book in a linear fashion. Page 1, then
Page 2, etc.
– With hypertext, we follow our curiosity by skipping
around the document(s) using hypertext links.
• Hypertext is made up of three distinct parts:
– Text Pages - The text you read.
– Anchors - The starting point for a link.
– Links - A pointer to another text page.
21
WWW(cont’d)
• URL - Uniform Resource Locator. The address
of a hypertext page or other Internet resource.
• HTML - The HyperText Markup Language. The
language used to create hypertext pages for use
on the WWW.
• WWW Browser - A program capable of
displaying hypertext pages and navigating the
WWW by allowing users to select hypertext
links. Examples:
– Netscape Navigator, NCSA Mosaic, Microsoft
Internet Explorer, Mozilla
• WWW Server - A daemon program (httpd) that
responds to requests from a WWW Browser by
sending it HTML hypertext pages.
22
The WWW Client/Server Model
• WWW servers are long-running server programs (daemons); the browser is the client
• The request protocol used for WWW pages is HTTP, the HyperText Transfer Protocol.
– 1. HTTP is an application layer protocol.
– 2. Uses TCP/IP to make a connection.
– 3. Issues a GET command.
– 4. HTML pages are returned.
• Other protocols can also be used within a WWW
Browser:
– FTP - File Transfer Protocol
– E-Mail
– Telnet
23
URL’s
• Uniform Resource Locators
– A three part name for a WWW or Internet resource:
protocol://hostname/filename
• 1.Protocol: The application layer protocol used to
access the resource. Examples: HTTP, FTP, GOPHER,
MAILTO
• 2.Host Name: The name of the host (or IP address)
where the resource is located.
• 3.File Name: The directory and file name of the
resource.
» URL Examples
24
Communication Architecture
• Why do we need?
– Communication systems involve heterogeneous
technologies
– change rapidly
– they are complex (addressing, routing, multiplexing,
error control, …)
• How to cope with the above?
– modularization
– standardization
• The International Organization for Standardization (ISO)
developed the Open Systems Interconnection (OSI)
reference model (published as ISO 7498 in 1984)
25
OSI Reference Model
• Consists of seven layers
• Each layer provides a set of functions to the layers
above and relies on the functions provided by the
layers below
• Each layer communicates with its peer layer on the
other node (protocols)
• The layer boundaries (interfaces) should be
designed in such a way as to minimize the
information flow between the boundaries
• The main idea is to have independent standards for
different layers so that changes to one would not
cause changes in other layers
26
OSI Reference Model (cont’d)
+--------------+                                     +--------------+
| application  |<----------------------------------->| application  |
+--------------+                                     +--------------+
| presentation |<----------------------------------->| presentation |
+--------------+                                     +--------------+
| session      |<----------------------------------->| session      |
+--------------+                                     +--------------+
| transport    |<----------------------------------->| transport    |
+--------------+            +-----------+            +--------------+
| network      |<---------->| network   |<---------->| network      |
+--------------+            +-----------+            +--------------+
| data link    |<---------->| data link |<---------->| data link    |
+--------------+            +-----------+            +--------------+
| physical     |<---------->| physical  |<---------->| physical     |
+--------------+            +-----------+            +--------------+
     host A                intermediate node             host B
                              (router)
27
OSI Reference Model (cont’d)
[Figure: the seven-layer stacks of User A and User B side by side (application, presentation, session, transport, network, data link, physical); the upper three layers are labelled "higher level protocols", the lower four "lower level protocols", and the two physical layers are joined by the physical medium]
28
Physical Layer
• The physical layer defines electrical signaling on the
transmission channel; how bits are converted into electrical
current, light pulses or any other physical form
• Specific functions
– connection establishment and termination
– encoding and transmission of bits
– Repeating or amplification to increase the range of transmission
29
Data Link Layer
• Specifies how to organize data into frames (packets), and how to transmit
them over a single network link. For example, defined in this layer are:
– maximum frame size,
– format of the frame header,
– checksum computation
• Defines how the network layer packets are transmitted as bits
• Examples of data link layer protocols
– PPP (Point to Point Protocol)
– Ethernet framing protocol
• Bridges (and Ethernet switches) operate at this layer only
• Other functions
– Framing and Error detection
• transmission might get corrupted, bits may be lost (parity,
checksum)
• may lose connection
– Flow control
• may send data too fast for a modem
• data might get delayed a long time in the network
30
The Network Layer
• Specifies how addresses are formed (IP addresses)
• How packets are forwarded (store and forward technique)
• Delivers packets from sending computer to receiving computer
(host-to-host)
• Defines how information from the transport layer is sent over
networks and how different hosts are addressed
• Example of a network layer protocol: the Internet Protocol
• The device that takes care of network-level functions is the router
(sometimes called a gateway)
• Functions
– Addressing: Determines which machine to send the packet to
– Routing: Determines the best set of links
– Congestion Control: Routes the packets via a different route if one
intermediate node gets flooded with packets
31
IP address is different from the physical (hardware/MAC)
address
32
The Transport Layer
• Handles details of reliable transfer
– format of acks, retransmission times, rules for changing it
• Essentially, takes care of data transfer, ensuring the
integrity of data if desired by the upper layers
• Provides end-to-end delivery
• Functions:
– establishing and terminating connections
– flow control
– error detection and correction
– multiplexing
• TCP and UDP operate at this layer
33
The Session Layer
• Specifies how to establish a communication with a
remote system e.g.: telnet
– authentication details; e.g.: passwords
• Establishes and terminates connections and divides
sessions into logical parts
• Provides a means of controlling the dialogue between
two end users
– Dialogue management (half versus full duplex)
– Synchronization and recovery management
• This layer is not often used in existing systems
• TCP and RPC provide some functions at this layer
34
The Presentation Layer
• Specifies how to represent data
– Takes care of data type conversion
• Different computers use different internal representations
(Ex: ASCII, EBCDIC) for integers and characters;
• How to translate from one representation to another
• An example of protocol residing at this layer: XDR
(External Data Representation), which is used by RPC
applications to provide interoperability between
heterogeneous computer systems
• Presentation layer functions are, in most systems,
handled elsewhere in the network protocols
35
The Application Layer
• Specifies how one particular application uses a network
– Specifies request format (how to name a file) and how the
application on another machine responds.
• Defines the protocols to be used between the
application programs
• Examples of protocols at this layer are: protocols for
electronic mail (e.g. SMTP), file transfer (e.g. FTP)
and remote login,directory look up, http
36
How layered software works?
• Each layer solves one part of the problem
• To do so, each layer on the sending computer adds information to
the outgoing data
• The same layer in the receiving computer uses the additional
information to process the data (for example: checksums in the data
link layer)
37
How layered software works?
• Layering Principle:
Layer N software on the destination
computer, must receive the exact
message sent by layer N software on the
sending computer.
• For example
– if one layer adds a header, the
corresponding layer has to remove it.
– If one layer encrypts data, the
receiving computer layer has to
decrypt it.
38
Once Again, The purpose of Layers
• Each layer can be:
– Designed
– Implemented
– Tested
independently of other layers.
Each Layer can change and evolve independent of
other layers
39
Applications
• Electronic mail
• File transfers (FTP)
• Remote login (TELNET, rlogin)
• Chat
• Bulletin boards and Network News
• Commerce
• Network news
• Networked information discovery and retrieval tools
• Fax over the Internet
• Games
• ….
40
TCP/IP Protocol Stack
Basic protocols
Layers 5-7   TELNET   FTP   SMTP   HTTP   .....
Layer 4      TCP                  UDP
Layer 3      IP
Layer 2      Ethernet   Token-ring   ATM   PPP   .....
41
TCP/IP Protocol Stack
Infrastructure and Security protocols
Layers 5-7   TELNET   FTP   SMTP   HTTP   .....   DNS   SSL
Layer 4      TCP                  UDP
Layer 3      IP   ICMP   IPSEC   RIP   EGP   BGP   ARP   RARP
Layer 2      Ethernet   Token-ring   ATM   PPP   .....
ICMP: Internet Control Message Protocol, ARP: Address Resolution Protocol
RARP: Reverse Address Resolution Protocol, DNS: Domain Name System
RIP: Routing Information Protocol, BGP: Border Gateway Protocol
EGP: Exterior Gateway Protocol, SSL: Secure Sockets Layer
42
TCP/IP(Transmission Control
Protocol/Internet Protocol)
• TCP/IP is the basic communication protocol of the
Internet
– Protocol: the special set of rules for communicating that the end
points in a telecommunication connection use when they send
signals back and forth.
• TCP , IP , HTTP, FTP, and other protocols, each with defined
set of rules to use with other Internet points relative to a
defined set of capabilities.
43
TCP/IP (Cont'd)
• TCP:
– manages the assembling of a message into packets that are
transmitted over the Internet and received by a TCP layer that
reassembles the packets into the original message.
• A packet is the unit of data that is routed between an origin
and a destination on the Internet or any other packet-switched network
• IP
– handles the address part of each packet so that it gets to the
right destination.
44
TCP/IP(Cont’d)
• Uses the client/server model of communication
• Communication is primarily point-to-point:
– Each communication is from one point (or host computer) in
the network to another point or host.
• Higher layer application protocols that use TCP/IP to get to
the Internet
– Hypertext Transfer Protocol (HTTP), File Transfer Protocol
(FTP), Telnet (Telnet), and the Simple Mail Transfer Protocol
(SMTP).
45
TCP
• Adds Port Numbers, packet Sequence Numbers,
Acknowledgement Numbers and other fields to IP addresses
• A Port number refers to a specific application running on a host. e.g.
SMTP uses Port 25 while Telnet uses Port 23.
• TCP Header format
– source port number
• source IP address + source port number is a socket: uniquely
identifies sender
– destination port number
• destination IP address + destination port number is a socket: uniquely
identifies receiver
– SYN, ACK flags
– sequence number
– acknowledgement number
46
TCP (cont’d)
• Result is a TCP/IP "stream" - a connection established using
handshake and error detection/control through positive
acknowledgement.
– Three-way handshake:
• 1. A sends a SYN message to B - "I'd like to set up a connection and I
will start with sequence number s"
• 2. B replies with a SYN and ACK message to A - "Yes, I will talk to
you; I acknowledge s+1 and will start with my own sequence number t"
• 3. A sends an ACK message to B (acknowledging t+1), optionally along with
the first piece of data - "I got your SYN-ACK, so here's the start of my data"
[Figure: the exchange between initiator and responder]
47
TCP (cont’d)
• Useful for when error correction is required and
connection will last a long time (e.g. large data
transfer).
• Large data is broken into chunks (segments) and sent
separately. They can arrive in any order; the receiver reorders
them by sequence number and discards duplicates.
• Provides flow control.
48
User Datagram Protocol (UDP)
• Adds Port Numbers to IP addresses
• A Port number refers to a specific application running on a host. e.g.
SMTP uses Port 25 while Telnet uses Port 23.
• UDP header format
– source port number
• source IP address + source port number is a socket: uniquely identifies sender
– destination port number
• destination IP address + destination port number is a socket: uniquely identifies
receiver
• Also a length field and an optional Checksum - error checking
• No handshaking or error control
• Also called a "Connectionless" protocol
• Often referred to as "Unreliable" - meaning delivery and error control can't be
relied upon.
• Useful for situations where overhead is a concern. Small data
requests such as queries, etc.
49
TCP/UDP Port Numbers and
Services
• TCP and UDP add Port Numbers to the IP addresses.
• Each port corresponds to a specific application or
service.
• Ports below 1024 (0 - 1023) are generally considered privileged
ports. That is, on UNIX systems, one needs to have
special permissions (root) to run services on these ports.
• From 1024 upwards, any port number can be used.
• The Internet Assigned Numbers Authority (IANA) agrees on
some standard port numbers.
50
TCP/UDP Port Numbers and Services
(cont’d)
• The following are some well known services
and their assigned port numbers.

  Service       Port   Protocol
  Day Time      13     TCP/UDP
  FTP           21     TCP
  Telnet        23     TCP
  SMTP Mail     25     TCP
  DNS           53     UDP
  HTTP/WWW      80     TCP
51
51
Internet Security
• Background on Internet technologies and protocols
  – LANs and WANs
  – IP Addressing, DNS
  – OSI model
  – TCP/IP, UDP
• Attacks
• Firewalls
  – benefits, limitations
  – various types
52
Attacks
• Public, private, and government networks have been
penetrated by unauthorized users and rogue programs
• Increased volume of security breaches
• Computer Emergency Response Team (CERT) reports a
tremendous increase in cracking incidents
• Insider attack
– The insider is already an authorized user
– insider acquires privileged access
• exploiting bugs in privileged systems programs
• exploiting poorly configured privileges
– install backdoors/trojan horses to facilitate subsequent
acquisition of privileged access
– Exploitation of software bugs
• Outsider attack
– acquire access to an authorized account
– perpetrate an insider attack
53
Attacks
• outsider/insider attack
– password-based attacks
– attacks that exploit trusted access
– spoof network protocols to effectively acquire access to an
authorized account (IP spoofing)
• Unauthorized access to resources
• Disclosure, modification, and destruction of resources
• Compromised system used as hostile attack facility
• Masquerade as authorized user or end system
• E-Mail forgery
• Importation of malicious or infected code
– Session hijacking
– Network sniffing/packet sniffing
• User IDs, passwords, and other information are often stolen on the
Internet
• Denial of service attack
– flooding network ports
54
Attacks
• Infrastructure attacks
– router attacks
• modify router configurations
– domain name server attacks
– internet service attacks
• web sites, ftp archives
55
Contributing Factors
• Lack of awareness of Internet threats and risks
– Security measures are often not considered until an Enterprise has
been penetrated by malicious users
• Wide-open network policies
– Many Internet sites allow wide-open Internet access
• Vast majority of Internet traffic is unencrypted
– Network traffic can be monitored and captured
• Lack of security in TCP/IP protocol suite
– Most TCP/IP protocols not built with security in mind
– Work is actively progressing within the Internet Engineering Task
Force (IETF)
• Complexity of security management and administration
• Exploitation of software (e.g., protocol implementation)
bugs
– Example: Sendmail bugs
• Cracker skills keep improving
56
Who is perpetrating these attacks?
• People with lots of free time
• Former/disgruntled employees
• Current/disgruntled employees
• Current/former/disgruntled customers
• Governments
57
TCP SYN Flooding attack
• Abuses the TCP 3-way handshake
– attacker sends SYN packets with random (unreachable) source IP addresses
– the returned SYN-ACK packets go to those addresses and are never answered
– each half-open connection stays in the server's queue for a fairly long
period of time
• Denial of service attack
• Also used as a building block of the IP spoofing attack (to silence the host being impersonated)
[Figure: the exchange between initiator and responder]
58
SYN Flooding
• There is an upper limit on how many concurrent SYN requests
TCP can hold for a given listening socket (called the backlog)
• It is the length of the queue where incoming (as yet incomplete)
connections are kept
• The queue limit applies to both
– the number of incomplete connections (the 3-way handshake
is not complete)
– the number of completed connections that have not been
pulled from the queue by the application by way of the
accept() system call.
• If the backlog limit is reached, TCP silently discards all
incoming SYN requests until the pending connections
can be dealt with
59
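A toy model of the backlog behaviour described on the two slides above, as an added example (not code from the lecture notes and not real kernel code). Spoofed SYNs from unreachable sources fill the half-open queue, a legitimate client's SYN is then silently discarded, and service returns only after the half-open entries time out. The 75-second timeout and the queue size are assumptions for the simulation; time is passed in explicitly rather than read from a clock.

```python
# Added example (not from the lecture notes): simulated TCP listen backlog
# under a SYN flood. Timing and limits are assumed values, not kernel ones.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HALF_OPEN_TIMEOUT = 75.0   # assumed: seconds before an unanswered SYN-ACK is abandoned
Endpoint = Tuple[str, int]  # (source IP, source port)


@dataclass
class Listener:
    backlog: int
    half_open: Dict[Endpoint, float] = field(default_factory=dict)   # SYN received, no ACK yet
    established: List[Endpoint] = field(default_factory=list)        # handshake done, not accepted
    dropped_syns: int = 0

    def _expire(self, now: float) -> None:
        """Drop half-open entries whose SYN-ACK was never acknowledged."""
        for key, started in list(self.half_open.items()):
            if now - started >= HALF_OPEN_TIMEOUT:
                del self.half_open[key]

    def on_syn(self, src_ip: str, src_port: int, now: float) -> bool:
        """Handle an incoming SYN. Returns True if a SYN-ACK would be sent."""
        self._expire(now)
        if len(self.half_open) + len(self.established) >= self.backlog:
            self.dropped_syns += 1          # queue full: SYN silently discarded
            return False
        self.half_open[(src_ip, src_port)] = now
        return True

    def on_ack(self, src_ip: str, src_port: int, now: float) -> bool:
        """Third handshake step from a real client completes the connection."""
        self._expire(now)
        key = (src_ip, src_port)
        if key not in self.half_open:
            return False
        del self.half_open[key]
        self.established.append(key)
        return True

    def accept(self) -> Optional[Endpoint]:
        """Application pulls a completed connection, freeing a queue slot."""
        return self.established.pop(0) if self.established else None


def syn_flood_demo(backlog: int = 5) -> Dict[str, object]:
    srv = Listener(backlog=backlog)
    # Attacker sends SYNs from spoofed, unreachable addresses (constructed values);
    # no RST or ACK ever comes back, so each entry sits in the queue until it expires.
    for i in range(backlog):
        srv.on_syn("10.0.0.%d" % (200 + i), 40000 + i, now=0.0)
    # A legitimate client tries right after the flood: its SYN is dropped.
    during = srv.on_syn("128.6.10.4", 51000, now=1.0)
    # The same client retries after the half-open entries have expired.
    after = srv.on_syn("128.6.10.4", 51000, now=HALF_OPEN_TIMEOUT + 1.0)
    done = srv.on_ack("128.6.10.4", 51000, now=HALF_OPEN_TIMEOUT + 1.1)
    return {
        "syn_acked_during_flood": during,
        "syn_acked_after_timeout": after,
        "established_after_timeout": done,
        "dropped_syns": srv.dropped_syns,
        "accepted": srv.accept(),
    }
```

The model makes the slide's two points visible: the limit counts half-open and un-accepted connections together, and the attacker only needs to send one SYN per slot every timeout period to keep the queue full, which is why real stacks moved to SYN cookies and much shorter SYN-RECEIVED timers.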
DoS vs Distributed DoS
60
IP Spoofing
• send a SYN packet with a spoofed (trusted) source IP address to the target
• SYN-flood the real owner of that address first, so that it cannot
answer the target's SYN-ACK with a RST
• guess the target's sequence number and send the ACK packet to the
target
– the target will continue to accept packets from the attacker; its response
packets go to the spoofed address and are dropped
[Figure: the exchange between initiator and responder]
61
IP Spoofing
• First, choose the target host
• Discover a pattern of trust, along with a trusted host
• Disable the trusted host
• Sample the target's TCP sequence numbers
• Impersonate the trusted host
• Guess the sequence numbers
• Make a connection attempt to a service that only
requires address-based authentication
• If successful, the attacker executes a simple command
to leave a backdoor
62
Patterns of trust
• After choosing a target, must determine the patterns of
trust
– It is necessary to assume the target host *does* in fact trust
somebody. If it didn't, the attack ends here
• Figuring out who a host trusts may or may not be easy
• A 'showmount -e' may show where filesystems are
exported
• rpcinfo can give out valuable information as well
• With sufficient background information, it should not
be too difficult
• If all else fails, trying neighboring IP addresses in a
brute force effort may be a viable option
63
SYN Flooding
• The attacking host sends several SYN requests to the TCP port
she wants disabled
• The attacking host must also make sure that the source IP address is
spoofed to be that of another, currently unreachable host (the target
TCP will be sending its responses to this address)
• IP may inform TCP that the host is unreachable, but TCP
considers these errors to be transient and leaves their resolution
up to IP (reroute the packets, etc.), effectively ignoring
them
• The IP address must be unreachable because the attacker does not
want any host to receive the SYN/ACKs that will be coming
from the target TCP (that host would reply with a RST to the
target TCP, which would foil the attack)
64
Sequence number sampling and
prediction
• The attacker needs to get an idea of where in the 32-bit sequence
number space the target's TCP is
• Connect to a TCP port on the target (SMTP is a good choice) just
prior to launching the attack and complete the three-way
handshake
• Same as a normal connection, except that the attacker saves the value
of the Initial Sequence Number (ISN) sent by the target host
• Repeat the process several times; the final ISN sent is stored
• The attacker also needs an estimate of the RTT (round-trip
time) from the target to her host (repeat and average)
• Both are necessary to accurately predict the next ISN
• Baseline (the last ISN sent) + incrementation speed
(in classic BSD-derived stacks, 128,000 per second and 64,000 per connection) + datagram travel time
gives the guess for the next ISN
• Immediately proceed to the next phase of the attack
– If another TCP connection to the attacked port is opened in between,
the predicted ISN will be off by 64,000
65
Session Hijacking
• Send a SYN packet with the spoofed source IP address of one
end of an existing connection and the appropriate sequence number to
the other end
• SYN-flood the impersonated end so it cannot reset the connection
• Send ACK (and data) packets to the target at the other end, continuing
the session as if they came from the impersonated host
66
Packet Sniffing
• On a shared-media network (e.g. classic Ethernet) every host sees every frame
– a sniffer is a program that monitors and analyzes network
traffic; legitimately used for detecting bottlenecks and problems
– the same program lets packets be intercepted at any point on the path
– login packets travelling over the Internet can be
captured
– an intruder can find hostname, username and password and
gain access to the system
– other sensitive information can be obtained the same way
67
Internet Security
• Background on Internet technologies and protocols
  – LANs and WANs
  – OSI model
  – TCP/IP, UDP, DNS
• Attacks
• Firewalls
  – benefits, limitations
  – various types
68
Internet Firewalls
• What we need
– Make some services available within the company, such as
Telnet/Rlogin and FTP between the company's hosts.
– Disallow outside users from gaining access to the
company's internal hosts via Telnet, FTP, etc.
– Allow users within the company to access other services on
the Internet such as WWW and FTP.
– Allow users from the Internet to visit the company's WWW
home pages.
– Allow the exchange of e-mail with others on the Internet.
69
But,
• It is difficult to restrict traffic in only one
direction
• Recall that TCP sends acknowledgements back to the sender to make
sure data arrives whole, so even a purely "outbound" service
needs inbound packets.
• What we need is a more sophisticated
gatekeeper that can distinguish which services to
allow and which to block.
• The general term for this is a Firewall.
70
Firewalls
• Filter between private network and internet
• Prevent specific types of information from
moving between the outside world (untrusted
network) and the inside world (trusted network)
• May be separate computer system; a software
service running on existing router or server; or a
separate network containing supporting devices
71
Proxy Servers
• Proxy servers: Software servers that handle all
communications originating from inside an
organization
– May improve performance considerably, by caching most
frequently asked pages.
72
Firewalls and Proxy Servers
73
Most rudimentary firewall
• Network adapter input filters
• Examines
– source or destination addresses
– other information in the incoming packet
• Matches IP addresses
• port numbers for UDP and TCP
• protocol of the traffic - TCP, UDP, and generic routing encapsulation
(GRE)
• Blocks packet or allows it through
• Applies only to incoming traffic
• Cannot control outgoing traffic
74
Basic Internet Firewalls
• A basic firewall is a router or host with 2 network interfaces.
– One interface is connected to the Internet - the outside (untrusted) side.
– The second is connected to the company's internal network.
• Two overall policies:
– Anything not explicitly denied is allowed.
– Anything not explicitly allowed is denied.
75
Benefits
• Secure and carefully administer the firewall
machines to allow controlled interaction with the
external Internet
• Internal machines can then be administered with
varying degrees of care
• The approach works in practice
76
Basic Limitations
• Connections that bypass the firewall may be dangerous
• Services passed through the firewall introduce vulnerabilities
• Insiders can exploit internal vulnerabilities
• Not possible to safely squeeze everything that users
desire through a firewall
– users settle for degraded service
– tolerate increased vulnerability
• Performance may suffer
• Single point of failure
77
Types of Firewalls
• Packet filtering firewall
  – IP layer
• Application gateway firewall
  – application layer
• Circuit relay firewall
  – TCP layer
• Combinations of these
78
Packet filtering firewall
 Special software examines the network traffic (TCP, UDP and
IP packets) and selectively blocks or allows IP packets
 Each IP packet contains
 32 bit source IP address, 32 bit destination IP address, 8 bit protocol
field, additional header fields, data
 typically several 100 bytes long
 an IP packet carries TCP or UDP header data
[Figure: packet layouts. IP header | TCP header | application data, and IP header | UDP header | application data]
 TCP/UDP header in data part of IP packets carries
 16 bit source port number, 16 bit destination port number
 TCP header also carries
 SYN: first packet in a TCP connection
 ACK: packet from an existing connection
Packet filtering firewall
 IP packets are filtered based on
 source IP address + source port number
 destination IP address + destination port number
 protocol field: TCP or UDP
 TCP protocol flag: SYN or ACK
 packet filtering can be very effective for simple services
 never allow a packet with the source address of an internal machine
to enter from the external Internet
[Figure: Internal network with a Mail gateway, connected through a Packet filtering router to the External Internet. Rules on the router:]
– Allow only packets with source address Mail gateway
– Allow only packets with destination address Mail gateway, destination port 25
– Allow only TCP ACK packets with source port 25 to destination port 1023
Packet Filtering Firewall
Packet filtering firewall
 Example: Drop any TCP/IP packets coming from the
Internet to port 23 (Telnet) of any internal host.
 The allow/deny policy lists must be maintained and can
grow quite complex.
 Assume the company LAN uses IP addresses: 200.10.10.*
 Asterisk ( * ) means "any"

Source IP   | Source Port | Destination IP | Destination Port | Allow?
200.10.10.* | *           | *              | 23               | No
*           | *           | 200.10.10.*    | 23               | No
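As an added example (not from the class notes), the table's first-match rule evaluation in Python for the LAN 200.10.10.*, with the two Telnet deny rows, the anti-spoofing rule from the earlier slide, and both overall policies ("not explicitly denied is allowed" vs. "not explicitly allowed is denied"); the `iface` field and the rule tuple layout are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    iface: str       # "ext" = arrived from the Internet, "int" = from the LAN (assumed field)
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def field_matches(pattern, value):
    """'*' means any; a pattern ending in '.*' matches an address prefix
    (e.g. '200.10.10.*'); anything else must match exactly."""
    if pattern == "*":
        return True
    if isinstance(pattern, str) and pattern.endswith(".*"):
        return str(value).startswith(pattern[:-1])
    return str(pattern) == str(value)

# Rule = (iface, proto, src_ip, src_port, dst_ip, dst_port, allow).
# Constructed rule set for the company LAN 200.10.10.* used in the notes.
RULES = [
    # Never accept a packet claiming an internal source address from outside
    # (the anti-spoofing rule from the earlier slide).
    ("ext", "*", "200.10.10.*", "*", "*", "*", False),
    # The two Telnet rows of the table: deny TCP port 23 in either direction.
    ("*", "tcp", "200.10.10.*", "*", "*", 23, False),
    ("*", "tcp", "*", "*", "200.10.10.*", 23, False),
]

def decide(pkt, rules=RULES, default_allow=True):
    """First matching rule wins. If nothing matches, the overall policy applies:
    default_allow=True  -> anything not explicitly denied is allowed
    default_allow=False -> anything not explicitly allowed is denied"""
    fields = (pkt.iface, pkt.proto, pkt.src_ip, pkt.src_port,
              pkt.dst_ip, pkt.dst_port)
    for *pattern, allow in rules:
        if all(field_matches(p, v) for p, v in zip(pattern, fields)):
            return allow
    return default_allow

if __name__ == "__main__":
    telnet_in = Packet("ext", "tcp", "8.8.8.8", 40000, "200.10.10.7", 23)
    spoofed = Packet("ext", "tcp", "200.10.10.7", 40000, "200.10.10.9", 80)
    web_in = Packet("ext", "tcp", "8.8.8.8", 40000, "200.10.10.9", 80)
    print(decide(telnet_in), decide(spoofed),
          decide(web_in), decide(web_in, default_allow=False))
```

Note that the table's rows name TCP only, so a UDP datagram to port 23 falls through to the overall policy; this is the kind of gap that makes the policy lists grow.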
Packet filtering firewall
[Figure: Internal network 1, Internal network 2 and the Mail gateway (internal network 3) attached to a Packet filtering router with four numbered interfaces, one of which faces the External Internet. Rules per interface:]
1: Allow packets with destination in internal networks 2 and 3
2: Allow packets with destination in internal networks 1 and 3
3: Allow packets with any destination
4: Allow TCP packets with destination address Mail gateway, destination port 25
   Allow only TCP ACK packets with source port 25 with destination Mail gateway, port 1023
Packet filtering firewall
 packet filtering firewall when the connection to the Internet is via
an external service provider
[Figure: Internal network - Packet filtering firewall host - External router - External Internet]
 packet filtering is effective for coarse grained controls
 not very effective for fine grained control
 can do: allow incoming telnet from a particular host
 cannot do: allow incoming telnet from a particular user
 Vulnerabilities
 IP source address can be spoofed
 IP source routing
 filtering hard to configure correctly
 remote router management uses cleartext passwords
Packet Filtering Firewall
• Stateless
– Static filtering: requires that the filtering rules governing how the
firewall decides which packets are allowed and which are
denied are developed and installed in advance
– Dynamic filtering: allows the firewall to react to an emergent event
and update or create rules to deal with that event
• Stateful
– Stateful inspection: firewalls that keep track of each network
connection between internal and external systems using a
state table
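An added example (not part of the notes) of the state table that the stateful inspection bullet describes, contrasted with the stateless "allow only TCP ACK packets with source port 25" rule from the mail gateway slides: replies are admitted because a tracked outbound connection exists, not because of the flags they carry. The `Packet` record, the `StatefulFilter` class and the sample addresses are constructed for this example.

```python
from collections import namedtuple

# Constructed packet record for this example: inbound=True means the packet
# arrives from the external Internet; syn/ack are the TCP flag bits.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port syn ack inbound",
                    defaults=(False, False, True))

class StatefulFilter:
    """Stateful inspection: a state table records each connection between
    internal and external systems. Outbound connection attempts (SYN without
    ACK) open an entry; inbound packets are admitted only if they belong to a
    tracked connection or open a service explicitly exposed to the outside."""

    def __init__(self, inbound_services):
        self.table = set()                        # (src_ip, src_port, dst_ip, dst_port)
        self.inbound_services = inbound_services  # e.g. {("200.10.10.25", 25)} for the mail gateway

    def decide(self, p):
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        reverse = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if key in self.table or reverse in self.table:
            return True                           # packet of an existing connection
        if p.syn and not p.ack:                   # new connection attempt
            if not p.inbound or (p.dst_ip, p.dst_port) in self.inbound_services:
                self.table.add(key)
                return True
        # Unsolicited packet. A stateless "allow TCP ACK with source port 25"
        # rule would pass an ACK-only packet here; the state table does not.
        return False

    def close(self, p):
        """Drop the entry once the connection has finished (FIN/RST seen)."""
        self.table.discard((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
        self.table.discard((p.dst_ip, p.dst_port, p.src_ip, p.src_port))

if __name__ == "__main__":
    fw = StatefulFilter({("200.10.10.25", 25)})
    print(fw.decide(Packet("200.10.10.7", 40000, "1.2.3.4", 80, syn=True, inbound=False)))
    print(fw.decide(Packet("1.2.3.4", 80, "200.10.10.7", 40000, syn=True, ack=True)))
    print(fw.decide(Packet("5.6.7.8", 25, "200.10.10.7", 1023, ack=True)))
```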
Attacks & Solutions?
• Packet fragmentation
• Source routing
• TTL attacks
Packet filtering - Advantages
• Generally faster since fewer evaluations performed
• Easily implemented as hardware solutions
• A single rule can help protect an entire network by
prohibiting connections between specific Internet
sources and internal computers.
• Do not require client computers to be specifically
configured
• In conjunction with network address translation, you
can use packet filter firewalls to shield internal IP
addresses from external users
Packet filtering - Disadvantages
• Do not understand application layer protocols.
• Cannot restrict access to protocol subsets - less secure
than application layer and circuit level firewalls
• Packet filters - typically stateless
• Limited abilities to manipulate information within a
packet.
• No value-added features, such as HTTP object caching,
URL filtering, and authentication – since no knowledge
of protocols
• Little or no audit event generation and alerting
mechanisms.
• Difficult to test "accept" and "deny" rules.
Circuit Gateways
• Circuit gateway firewall operates at transport layer
• Look at sessions, instead of packets or connections
• Built in support for protocols with secondary
connections, such as FTP, RTP
• Like filtering firewalls, do not usually look at data
traffic flowing between two networks, but prevent
direct connections between one network and another
• Accomplished by creating tunnels connecting specific
processes or systems on each side of the firewall, and
allow only authorized traffic in the tunnels
• Mitigates risk of network reconnaissance, DoS and IP
spoofing
Application gateway firewall
[Figure: Internal network - Application gateway firewall host - External router - External Internet]
• Proxies or relays
– Allow incoming Telnet from our users who are travelling
• user telnets to gateway machine
• gateway does strong authentication and establishes telnet relay to internal
machine
• user to internal machine telnet session is relayed through the gateway
– Once established, relays do not examine traffic
– Outgoing telnet can similarly be relayed through the gateway
• user telnets to gateway machine
• gateway establishes telnet relay to external machine
• user to external machine telnet session is relayed through the gateway
Application gateway firewall
• Outgoing ftp requires an incoming call
– inside user initiates ftp connection to outside machine
– when a file is transferred, the outside machine initiates a tcp
connection to the inside machine to effect the transfer
• allowing incoming tcp calls to internal machines is
dangerous
– use the gateway as a proxy for outgoing ftp
• Proxies and relays have to be implemented for each
service
– proxies for sophisticated services such as X windows, NFS,
WWW, Gopher exist
Application gateway firewall
• Packet filtering and application gateway can be
bundled on the same host
Protocol | Source IP   | Source Port | Destination IP | Destination Port | Allow?
tcp      | 200.10.10.* | *           | *              | 23               | No
udp      | *           | *           | 200.10.10.*    | 23               | No
• application gateways work better for TCP based
services
– recall that UDP is connectionless
• better for control over individual service relative to packet
filters
• allow filtering of application protocols
– disallow PUT for FTP from internal clients
– disallow Java applets
– filter email attachments for viruses
Application Layer Filtering
• Most sophisticated level of firewall traffic inspection
• Analyze a data stream for a particular application,
provide application-specific processing
– inspecting
– screening or blocking
– redirecting
– and modifying data
• Inspect many different protocols
• Works on clear-text traffic – what about encrypted
data?
Options
• Terminating the SSL traffic at the firewall
• Regenerating SSL traffic from the firewall to the
exposed Web service
• Allowing the SSL traffic to pass through the
firewall to the back-end server
Software vs. Hardware: the SOHO Firewall Debate
• Which firewall type should the residential user
implement?
• Where would you rather defend against a hacker?
• With the software option, hacker is inside your
computer
• With the hardware device, even if hacker manages to
crash firewall system, computer and information are
still safely behind the now disabled connection
Content Filters
• Software filter—not a firewall—that allows administrators to
restrict content access from within network
• Essentially a set of scripts or programs restricting user access to
certain networking protocols/Internet locations
• Primary focus to restrict internal access to external material
• Most common content filters restrict users from accessing non-business Web sites or deny incoming spam