Download Bishop: Chapter 26 Network Security

Bishop: Chapter 26
Network Security
Based on notes by
Prashanth Reddy Pasham
Outline




Introduction
Policy Development
Network Organization
 Firewalls
 DMZ
Availability and Network Flooding
Network Security
2
Introduction

How to develop a network infrastructure from
security requirements?



1.
2.
3.
4.
Know security requirements
it leads to the development of security policy.
which in turn suggests the form of the network
security goals  policy
network policy  functionalities
distribution of functionalities to various parts of the
network  network diagram
Functionality of each part  host configuration
Network Security
3
Introduction

Goals of Drib’s Security policy

Data related to company plans is to be kept secret




available only to those who need to know
Customer data should be available only to those who
fill the order
Releasing sensitive data requires the consent of the
company’s officials and lawyers.
Our goal is to design a network infrastructure that
will meet these requirements
Network Security
4
Policy Development

Policies




Must provide public access to some information
Limit access to other information even within the
company.
Drib requires a policy that minimizes the threat or
data being leaked to unauthorized entities.
Unauthorized?
Network Security
5
Policy Development

Drib has three internal organizations

Customer Service Group(CSG)




Development Group(DG)




Develops, modifies, maintains products
Rely on CSG for the description of customer complaints, suggestions,
ideas.
No direct talk with customers
Corporate group(CG)


Deals with customers
Maintains all customer data
Serves as interface between the other groups and clients of the drib
Handles Drib's debentures, lawsuits, patents and other corporate level
work.
Policy describes the way information is to flow among these groups
Network Security
6
Policy Development

Data Classes

Public Data(PD)



Development data for existing products(DDEP)




Available only to developers
may change, as may various aspects of development.
Corporate data(CoD)


Available only internally
Company lawyers, officers and developers
Development data for future products(DDFP)


Available to anyone
Includes product specifications, price information and marketing
literature.
Information about corporate functions
Customer data(CuD)

Credit card information
Network Security
7
Policy Development

User Classes







Outsiders
Developers
Corporation executives
Employees
See table on page 776 for user rights
Availability: global, 24/7
Consistency check

Does the policy described above meets the goals of the
Drib?
Network Security
8
Network Organization
Demilitarized Zone (DMZ)
Inner Firewall
Intranet
Corporate data subnet
Mail server
Mail Server
Customer data subnet
DNS Server(DMZ)
Web Server
Internal
DNS Server(internal)
Log Server
Outer Firewall
Internet
Development subnet
Network Security
9
Network Organization

Network Regions




Internet
Internal Network( Intranet)
DMZ
Network Boundaries

Firewall



Filtering firewall: Based on packet headers
ex: preventing BackOrifice
Proxy


Proxy firewall: Gives external view that hides intranet
ex: mail proxy
Network Security
10
Analysis of Network Infrastructure

Conceal the addresses of the internal network


Internal addresses can be real
Fake addresses: 10.b.c.d, 172.[16-31].c.d,
192.168.c.d


Network Address Translation Protocol maps internal to
assigned address
Mail Server



Hide internal addresses
Map incoming mail to “real” server
Additional incoming/outgoing checks
Network Security
11
Firewalls: Configuration

Outer Firewall

What traffic allowed




External source: IP restrictions
What type of traffic: Ports (e.g., SMTP, HTTP)
Proxy between DMZ servers and internet
Internal Firewall


Traffic restrictions: Ports, From/to IP
Proxy between intranet and outside
Network Security
12
In the DMZ

DMZ Mail Server


performs address and content checking on all electronic
mail messages
When it receives a letter from the Internet, it performs
the following Steps



reassembles the message into a set of headers, a letter,
and any attachments
scans the letter and attachments for any computer virus or
malicious logic.
 Restore the attachments to transmit
 Rescan it for any violation of SMTP specification
Scans the recipient address lines.
 Addresses that directed the mail to the drib are
rewritten to direct the mail to the internal mail server
Network Security
13
In the DMZ

DMZ Mail Server

When it receives a outgoing letter from the
internal mail server



Steps 1 and 2 are the same
In step 3 the mail proxy scans the header lines.
All lines that mention internal hosts are rewritten
to identify the host as “drib.org”, the name of
the outside firewall.
Network Security
14
In the DMZ

DMZ WWW Server


Identifies itself as “www.drib.org” and uses IP
address of the outside firewall
DMZ DNS Server

It contain entries for





DMZ mail, Web and log hosts
Internal trusted administrative host
Outer firewall
Inner firewall
DMZ Log Server
Network Security
15
Availability and Network Flooding

Flooding



Limit availability by


Overwhelm TCP stack on target machine
Prevents legitimate connections
Overwhelming service
Examples

SYN flood

Overwhelms TCP stack
Network Security
16
SYN flood



A form of DOS attack
The attacker initiates large number of TCP
SYN packets and refuses to execute the 3rd
part of the TCP three-way handshake for
those packets
If the packets come from multiple sources
(the attacking machines) but have the
same destination (the victim machine) 
DDOS
Network Security
17
Syn Flood



A: the initiator; B: the destination
TCP connection multi-step
 A: SYN to initiate
 B: SYN+ACK to respond
 C: ACK gets agreement
Sequence numbers then
incremented for future messages
 Ensures message order
 Retransmit if lost
 Verifies party really initiated
connection
Network Security
18
Syn Flood

Implementation: A, the attacker;
B: the victim
 B






Receives SYN
Allocate connection
Acknowledge
Wait for response
Time?
See the problem?
 What if no response
 And many SYNs
All space for connections
allocated
 None left for legitimate ones
Network Security
19
Solution Ideas

Limit connections from one source?


Ignore connections from illegitimate sources




But source is in packet, can be faked
If you know who is legitimate
Can figure it quickly
And the attacker doesn’t know this
Drop oldest connection attempts
Network Security
20
Two Approaches to Counter SYN Flood
A.
B.
Using intermediate hosts to eliminate
SYN flood
Relying on TCP state and memory
allocations
Network Security
21
A. Intermediate Hosts
Basic idea



Using routers to divert or eliminate
illegitimate traffic
Resources on the target are not
consumed by the attacks.
Network Security
22
A. Intermediate Hosts

Approaches
a)
Only legitimate handshakes can reach the
firewall.

b)
e.g., Cisco routers’ “TCP intercept mode”
Network traffic monitor/tracker

e.g., Synkill [Schuba, etc. 1997]
Network Security
23
A. Intermediate Hosts

TCP intercept





Router establishes connection to client
When connected establish with server
If the client never sends the ACK (before timing
out), then the initial SYN packet is part of an
attack handshake.
The target never sees the illegitimate SYN
packets.
The router uses short time-outs to protect itself.
Network Security
24
A. Intermediate Hosts

Synkill



An active monitor that analyzes packets being sent
to some set of systems (potential victim targets)
Monitor machine as “firewall”
Classification of IP addresses into classes






Good addresses: history of successful connections
Bad addresses: previous timeout attempt
New addresses
Block and terminate attempts from bad addresses
Dynamically managed classes
Question: How if a good IP turns bad ?
Network Security
25
B. TCP State and Memory Allocations
Problem: Server maintaining state

Runs out of space


Solutions
a)
b)
Don’t maintain state on server; let the
client track the state.  the SYN cookie
approach
The adaptive time-out approach
Network Security
26
B. TCP State and Memory Allocations
a)
The SYN cookie approach:



The server does not maintain state of
connections
Q: How does the server know the sequence
numbers?
Ans: The state is encoded in the initial
sequence number of the ACK; the server
retrieves this info from the client’s ACK
packet.
Network Security
27
B. TCP State and Memory Allocations
a)
The SYN cookie approach:

The SYN cookie is encoded in the SYN
response




h(source,destination,random)+sequence+time
See p.795 for the formula.
Client increments this and ACKs
Server subtracts h(), time to get sequence

Knows if this is in valid range
Network Security
28
B. TCP State and Memory Allocations
b)
The adaptive time-out approach



Assumption: There is a fixed amount of space
for the state of pending connections
Varies the times before the time-outs,
depending on the amount of space available
for new pending connections
As the amount of available space decreases,
so does the amount of time before the
system begins to time out connections.
Network Security
29
Summary



A brief overview
Many issues and techniques in Network
Security
One or more new courses are needed!
Network Security
30