Basics of Network Security
Nicolas T. Courtois - University College London

Reading Roadmap
• Chapter 16.1. and 16.2. – Layering of Protocols
• (almost not studied: IPSec, Chapter 16.3.)
• Not now: Chapter 16.5. SSL/TLS: will be studied later!
• Chapter 17.1. - TCP sessions
• Chapter 17.2. - DNS
• Chapter 17.3. - Firewalls: Packet Filters
Nicolas T. Courtois, January 2009

Shared Media Networks
• Shared Medium = all messages can be received at any location.
• Example: Most modern LAN (Local Area Networks)
  – WiFi and Ethernet are the most popular
Nicolas T. Courtois, 2011

Network Layers

OSI Levels
[figure: the OSI layer stack, © Shi Zhou]

Encapsulation / Protocol Stacking

Encapsulation (typical case)
[figure: one application message becomes a TCP segment (TCP header + data), which becomes an IP packet (IP header + TCP segment), which becomes an Ethernet frame (Link header + IP packet + Link trailer)]
+ A lot more industrial standards and protocols…

Attacks: Passive / Active
                            Passive                         Active
Attack the browser/server   Sniff connections with a bank   Plugin MITM
Attack the TCP or UDP       Sniff port 8080                 TCP session hijack
Attack the IP protocol      Sniff IP datagrams              Spoof IP address
Attack the LAN              Sniff Ethernet frames           ARP poisoning
Attack the Shared Media     Sniff the media / RF            Relay attacks

ARP Protocol

MAC Address = Media Access Control
• 48 bits = 6 bytes
• Example: 0A:BC:00:00:00:1F
• Should be fixed in hardware and never repeat
  – first half (the OUI) identifies the manufacturer…
• In practice:
  – can be changed in SOME hardware
  – can be simulated in software!
  – can repeat
    • by accident OR
    • manufacturer does not care…
Address Resolution Protocol (ARP)
• translates IP addresses to Ethernet MAC addresses
  – legacy: also used in WiFi
• Each host OS has:
  – a table of IP to MAC addresses (the ARP cache)

ARP Discovery
Your IP address is managed centrally, by DHCP (attributed by a local DHCP server). Not always known to other hosts on the same LAN.
New computer on the LAN – did not communicate before =>
• NOT in our table of IP to MAC addresses

Who is 192.168.1.3?
[figure: ARP request broadcast on the LAN, Copyright © 2009 Shah Mahmood]

ARP Poisoning - Example
• How does it work?
  – ARP request:
    • Sender = 01:02:03:01:02:03
    • Content = "ARP who has" IP=192.168.1.3 ?
  – ARP reply: it's me!
    • not authenticated!
    • me = MAC address 01:02:03:01:02:04
  – From now on, all messages directed to 192.168.1.3 will in fact be sent to 01:02:03:01:02:04.
    • Can be the attacker.

ARP Poisoning
• Defenses
  – static ARP table, does not change
  – DHCP snooping (access control based on IP, MAC, and port), on switches combined with dynamic ARP inspection against the snooping table
  – detection: Arpwatch, Reverse ARP
• Legitimate use, very frequent:
  – redirect a user to a registration page before allowing usage of the network (captive portals)…

IP Protocol
[figure: IP header | TCP header | data]

IP Protocol
Delivers packets from 1 IP address to another
• Source: pelican = 192.168.0.40
• Destination: news.bbc.co.uk = 192.168.0.50
Each packet = datagram is independent of others
• delivery not acknowledged
• can be altered
• can be lost
• can arrive in any order
• source address is required by upper-level protocols!
IP Header:
• Source: 192.168.0.40
• Destination: 192.168.0.50
• Time To Live: TTL=128
• Header checksum: 0x57d1
• Etc..
Non-cryptographic checksum. Q. WHY is it good/needed?

Sniffing – Passive Attacks
• read interesting data
• ftp, telnet send passwords in clear!
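The ARP poisoning exchange above, as an added simulation that is not part of the lecture slides: hosts on a shared medium learn IP-to-MAC mappings from unauthenticated replies, an attacker redirects a victim by broadcasting an unsolicited reply, a host with a static ARP entry (the first defence listed) is unaffected, and an Arpwatch-style monitor flags the change of MAC for an IP. The host names, the attacker's address and MAC, and the monitor's logic are assumptions made for the demo.

```python
"""ARP cache poisoning on a shared LAN, simulated.

Added example, not taken from the slides: a toy LAN where hosts learn
IP -> MAC mappings from unauthenticated ARP replies, an attacker who abuses
that to redirect a victim's traffic, and an Arpwatch-style monitor that
flags the change. Host names, addresses and the attacker's MAC are
constructed for the demo.
"""
from dataclasses import dataclass, field


@dataclass
class Arp:
    """One ARP message on the broadcast medium."""
    op: str            # "request" ("who has target_ip?") or "reply" ("sender_ip is at sender_mac")
    sender_mac: str
    sender_ip: str
    target_ip: str


class ArpWatch:
    """Passive detector: remember the first MAC that claimed each IP and raise
    an alert when a later reply claims the same IP with a different MAC."""
    def __init__(self):
        self.seen = {}
        self.alerts = []

    def observe(self, msg):
        if msg.op != "reply":
            return
        first = self.seen.setdefault(msg.sender_ip, msg.sender_mac)
        if first != msg.sender_mac:
            self.alerts.append((msg.sender_ip, first, msg.sender_mac))


class Lan:
    """Shared medium: every message reaches every attached host and the monitor."""
    def __init__(self):
        self.hosts = []
        self.monitor = ArpWatch()

    def broadcast(self, msg):
        self.monitor.observe(msg)
        for h in list(self.hosts):
            h.receive(msg)


@dataclass
class Host:
    name: str
    ip: str
    mac: str
    lan: Lan
    cache: dict = field(default_factory=dict)   # ARP table: ip -> mac
    static: set = field(default_factory=set)    # IPs pinned by a static ARP entry

    def resolve(self, ip):
        """MAC for ip; on a cache miss, broadcast an ARP request first."""
        if ip not in self.cache:
            self.lan.broadcast(Arp("request", self.mac, self.ip, ip))
        return self.cache.get(ip)

    def receive(self, msg):
        if msg.op == "request" and msg.target_ip == self.ip:
            self.lan.broadcast(Arp("reply", self.mac, self.ip, msg.sender_ip))
        elif msg.op == "reply" and msg.sender_ip not in self.static:
            # Unauthenticated: the most recent claimant wins, solicited or not.
            self.cache[msg.sender_ip] = msg.sender_mac


def run_demo():
    lan = Lan()
    alice = Host("alice", "192.168.1.2", "01:02:03:01:02:03", lan)
    bob = Host("bob", "192.168.1.5", "01:02:03:01:02:05", lan)
    gateway = Host("gateway", "192.168.1.3", "01:02:03:01:02:04", lan)
    mallory = Host("mallory", "192.168.1.9", "de:ad:be:ef:00:01", lan)
    lan.hosts += [alice, bob, gateway, mallory]

    # Honest exchange: Alice asks "who has 192.168.1.3?", the gateway answers.
    before = alice.resolve("192.168.1.3")
    # Bob pins the gateway with a static ARP entry (defence from the slides).
    bob.cache["192.168.1.3"] = gateway.mac
    bob.static.add("192.168.1.3")

    # Poisoning: Mallory broadcasts an unsolicited reply claiming the gateway's IP.
    lan.broadcast(Arp("reply", mallory.mac, "192.168.1.3", alice.ip))

    return {
        "alice_before": before,
        "alice_after": alice.resolve("192.168.1.3"),   # cache hit, no new request is sent
        "bob_after": bob.resolve("192.168.1.3"),
        "alerts": lan.monitor.alerts,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Running it shows Alice's cache entry for 192.168.1.3 switch from the gateway's MAC to Mallory's without Alice ever sending a second request, while Bob's pinned entry stays put and the monitor records one alert. Real ARP implementations also learn the sender's mapping from requests and age entries out, which only widens the window the attacker has.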
Network Defenses
[figure: Alice ↔ Bob]
• encryption,
• improved routing

Tools for Network Sniffing
• tcpdump, windump
• snort
• wireshark
• etc…

Hub vs. Switch
• Sniffing through a hub
  – a hub forwards all traffic to all connected ports
  – Easy sniffing for anyone
• is sniffing with a router/switch possible? YES: tool = dsniff
  – flooding attacks (MAC flooding, e.g. macof from the dsniff suite)
    • saturate the switch's address table memory; it then floods frames to all ports like a hub
  – use ARP poisoning (see above)

Ethereal Sniffer Example
[screenshot: TCP, HTTP and connection…]

DNS = Domain Name System
www.darpa.mil = 192.5.18.19
[figure: IP header | TCP header | data]

Simple DNS Attack – Race Condition
• attacker observes the UDP DNS query sent to a well known server on a well known port
• first response wins
• second response is silently dropped

DNS Hijacking = DNS Redirection
Resolve names so that packets are routed to the wrong server. A number of commercial ISPs use DNS hijacking for their own purposes, such as displaying advertisements…
In the UK, the Information Commissioner's Office has acknowledged that this practice contravenes the EC Directives on Data Protection and Privacy and Electronic Communications (PECR)… but refused to act against companies which do it, claiming it does little actual harm…

Next Level: DNS Cache Poisoning
[figure]

Secure DNS [2010]
DNSSEC = Digitally sign DNS data + use PKI
In July 2010 DNSSEC was integrated in all the Internet root servers (the root zone was signed).
What remains: all the usual problems with the PKI…
Main problem: how do I know an authentic PK for any entity?...

Other IP Attacks
[figure: IP header | TCP header | data]

IP Spoofing
• Easy, false source address
[figure: router]

Record and Playback
• Easy… false source address again
• can be detected… or not.
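The DNS race condition above, as an added simulation that is not part of the lecture: a stub resolver accepts the first UDP response matching its outstanding query (transaction ID, destination port, question) and silently drops every later one. An on-path attacker who observed the query, as on the slide, wins the race outright; the same code also goes one step further to the cache-poisoning case, where an off-path attacker has to guess the 16-bit ID, and shows how much a randomised source port costs such a guesser. The names, addresses, ports, seeds and burst sizes are constructed for the demo.

```python
"""The DNS response race, simulated.

Added example, not part of the lecture: a stub resolver that accepts the
first UDP response matching its outstanding query (transaction ID, UDP port,
question) and silently drops every later one; an on-path attacker who saw the
query, as on the slide; and, going one step further, an off-path attacker
who must guess the ID (and the port, once the resolver randomises it).
Names, addresses, ports, seeds and burst sizes are constructed for the demo.
"""
import random
from dataclasses import dataclass

ID_SPACE = 1 << 16            # 16-bit DNS transaction ID
PORT_LO, PORT_HI = 1024, 65536
PORT_SPACE = PORT_HI - PORT_LO


@dataclass(frozen=True)
class Query:
    txid: int
    sport: int
    qname: str


@dataclass(frozen=True)
class Response:
    txid: int
    dport: int        # must equal the query's source port to be accepted
    qname: str
    answer: str


class StubResolver:
    def __init__(self, rng, random_port):
        self.rng, self.random_port = rng, random_port
        self.pending, self.cache = None, {}

    def send_query(self, qname):
        txid = self.rng.randrange(ID_SPACE)
        sport = self.rng.randrange(PORT_LO, PORT_HI) if self.random_port else 53
        self.pending = Query(txid, sport, qname)
        return self.pending

    def receive(self, r):
        """First matching response wins; anything else is dropped without a trace."""
        q = self.pending
        if q is None or (r.txid, r.dport, r.qname) != (q.txid, q.sport, q.qname):
            return False
        self.cache[q.qname] = r.answer
        self.pending = None
        return True


def race(seed, attacker_sees_query, random_port, burst=100):
    """One lookup of www.darpa.mil (192.5.18.19 on the slide). The attacker's
    forged responses reach the resolver before the authentic one does.
    Returns the answer that ends up cached."""
    rng = random.Random(seed)
    res = StubResolver(rng, random_port)
    q = res.send_query("www.darpa.mil")
    if attacker_sees_query:                      # on-path: copies txid and port
        forged = [Response(q.txid, q.sport, q.qname, "6.6.6.6")]
    else:                                        # off-path: has to guess both
        forged = [Response(rng.randrange(ID_SPACE),
                           rng.randrange(PORT_LO, PORT_HI) if random_port else 53,
                           q.qname, "6.6.6.6") for _ in range(burst)]
    for r in forged:
        res.receive(r)
    res.receive(Response(q.txid, q.sport, q.qname, "192.5.18.19"))   # too late if already lost
    return res.cache["www.darpa.mil"]


def second_response_is_dropped(seed=2):
    """Returns (first accepted?, second accepted?, cached answer)."""
    res = StubResolver(random.Random(seed), random_port=True)
    q = res.send_query("example.test")
    first = res.receive(Response(q.txid, q.sport, q.qname, "1.1.1.1"))
    second = res.receive(Response(q.txid, q.sport, q.qname, "2.2.2.2"))
    return first, second, res.cache["example.test"]


def poison_rate(seed, random_port, trials=10000, burst=100):
    """Fraction of off-path races the attacker wins, by simulation."""
    wins = sum(race(seed + i, False, random_port, burst) == "6.6.6.6" for i in range(trials))
    return wins / trials


def expected_success(burst, random_port):
    """Analytic probability that one of `burst` blind guesses matches."""
    space = ID_SPACE * (PORT_SPACE if random_port else 1)
    return 1 - (1 - 1 / space) ** burst


if __name__ == "__main__":
    print("on-path:", race(1, True, True))
    print("off-path, fixed port 53:", poison_rate(7, random_port=False))
    print("off-path, random port:  ", poison_rate(7, random_port=True))
```

The on-path case needs no guessing at all, which is why the slide calls it a simple attack. For the off-path guesser, the analytic function makes the point the simulation only samples: a burst of 100 forged responses against a fixed port 53 succeeds about 0.15% of the time per query, while against a randomised port the same burst is roughly 64,000 times less likely to land.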
Squatting
• Means: Simulating a local machine (relay), for example to access the Intranet. Etc.

Interconnection of Networks = InterNet

Internet = Public Network and Need for NAT
• Local address space
  – vs. global Internet address space…
  – there are not enough IPv4 addresses
NAT = Network Address Translation

NAT
• Q: What is the security advantage of NAT?
• Hides computers' IP addresses, port numbers and their connections in internal networks
  – asymmetry: local computers know more…
• Forces businesses to use routers and firewalls

Detailed example
[three figures of a NAT translation] Observations?

Firewalls

Business Need
• Security
  – prevent intrusion
  – prevent data leaks
  – prevent compromised machines from spreading viruses to the Internet
  – other
• Cost of using the network: many businesses PAY per megabyte => block access to P2P, Skype, VoIP etc…
• Productivity
  – How do employees spend their time?
• Liability
  – Avoid legal risks!!!

Firewall
• Perimeter defence:
  – Divide the world into a safe inside (intranet) and a dangerous outside world (Internet)
  – Prevent anything bad from entering the inside
• Block communications which are risky or just unnecessary

Sorts of firewalls:
• Stateless packet filter
• Dynamic packet filter = Stateful
  – smarter, knows if this is likely to be a response to a message really sent (connection was initiated or not)
• Transport and application-layer firewalls
• VPN and IPSEC
• SSL/TLS
  – (the last two are) not firewalls anymore, rather methods to 'securely' circumvent them OR/AND to avoid the need to have firewalls

Stateless Firewalls = Packet Filters
• Allow or block IP packets based on their IP header fields and TCP/UDP port numbers
  – Look at:
    • protocol (TCP/UDP/ICMP),
    • source and destination IP address,
    • source and destination port,
    • TCP flags etc
• Major trend: modern firewalls are aware of more and more higher-level protocols!!!
  – How? Many ways… they inspect packets…
  – Method 0: inbound smtp uses port 25

Stateless Firewalls = Packet Filters
• Packet filter is defined as a rule table
  – Linear list of rules
  – Each rule consists of conditions and an action
  – For each packet, the first matching rule is found
  – Two possible actions:
    • allow (accept, permit, bypass)
      – maybe also allow and log
    • block (drop, deny)
      – or maybe block and log

Routers and Packet Filters
• Firewall rule table is similar to a routing table, with the option of dropping some packets
• Most routers implement a packet filter firewall
  – Need: very fast real-time filters…
[figure: NAT]

Packet Filter Example 1
Inbound email to SMTP server 1.2.3.10
[rule table; * = any; for each packet, the first matching rule is found]

TCP and UDP
• TCP = Transmission Control Protocol
  – session and connection between two parties
  – port 1081 <=> port 80
• UDP = User Datagram Protocol
  – No need to open / close connections
  – Just transmit / broadcast / receive some data…

TCP Handshake – SYN and ACK
[figure: SYN, SYN+ACK, ACK; Copyright © 2009 Shah Mahmood]

More Firewalls

Packet Filter Example 2
Allow only outbound connections:
[rule table] The ACK flag required by the second rule drops inbound packets without ACK set.
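A first-match rule table of the kind described in the two packet-filter slides, as an added example that is not from the lecture: the rules mirror "Packet Filter Example 2" (allow only outbound connections, with an ACK=1 condition on inbound TCP) and are evaluated over constructed packets, including one a stateless filter gets wrong. The inside network 1.2.3.0/24, the outside addresses, the ports and the exact rules are assumptions made for the demo.

```python
"""A stateless packet filter: first-match rule table over header fields.

Added example, not part of the slides: a rule table in the style of
"Packet Filter Example 2" (allow only outbound connections) evaluated over
constructed packets. The inside network 1.2.3.0/24, the outside addresses,
the ports and the rules themselves are assumptions made for the demo.
"""
import ipaddress
from dataclasses import dataclass

INSIDE = "1.2.3.0/24"


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = Internet -> intranet, "out" = intranet -> Internet
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def wild(pattern, value):
    return pattern == "*" or pattern == value


def in_net(pattern, addr):
    return pattern == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)


def in_range(pattern, port):
    """Port patterns: "*", a single port "25", or a range "1024-65535"."""
    if pattern == "*":
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "block"
    direction: str = "*"
    proto: str = "*"
    src: str = "*"              # CIDR or "*"
    sport: str = "*"
    dst: str = "*"
    dport: str = "*"
    ack: object = "*"           # "*", True or False: the only TCP flag these rules look at

    def matches(self, p):
        return (wild(self.direction, p.direction) and wild(self.proto, p.proto)
                and in_net(self.src, p.src) and in_net(self.dst, p.dst)
                and in_range(self.sport, p.sport) and in_range(self.dport, p.dport)
                and (self.ack == "*" or self.ack == p.ack))


def filter_packet(rules, p):
    """The first matching rule decides; with no match at all, drop (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "block"


# Example 2 in the slides: inside hosts may initiate TCP connections; from the
# outside only packets with ACK=1, which can never be a connection's first
# packet (SYN=1, ACK=0), are let back in.
OUTBOUND_ONLY = [
    Rule("allow", direction="out", proto="tcp", src=INSIDE),
    Rule("allow", direction="in", proto="tcp", dst=INSIDE, ack=True),
    Rule("block"),
]


def demo(rules=OUTBOUND_ONLY):
    cases = {
        "inside opens web": Packet("out", "tcp", "1.2.3.4", 1081, "203.0.113.10", 80, syn=True),
        "web server syn-ack": Packet("in", "tcp", "203.0.113.10", 80, "1.2.3.4", 1081, syn=True, ack=True),
        "outside opens ssh": Packet("in", "tcp", "198.51.100.7", 40000, "1.2.3.4", 22, syn=True),
        "ftp active-mode data (server port 20 connects to the client)":
            Packet("in", "tcp", "203.0.113.10", 20, "1.2.3.4", 1082, syn=True),
        "udp dns reply": Packet("in", "udp", "203.0.113.53", 53, "1.2.3.4", 5353),
        "outside ack-only probe": Packet("in", "tcp", "198.51.100.7", 40000, "1.2.3.4", 22, ack=True),
    }
    return {name: filter_packet(rules, p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:5}  {name}")
```

Two of the verdicts are the ones a practitioner should notice. The UDP reply is dropped because nothing in a stateless table can tell a DNS answer from any other unsolicited UDP datagram; admitting it needs a rule that admits all of them. The ACK-only probe from outside is allowed, because the filter checks a flag the sender controls rather than whether a connection actually exists; only a stateful filter that remembers the outbound SYN can close that gap.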
=> ONLY ONE CASE is excluded: it becomes NOT possible to initiate TCP connections (SYN=1, ACK=0) from the outside into the inside network. Connections opened from the inside still work, because every reply to them carries ACK=1.

Dynamic Firewalls
• Stateful filter: change filtering rules based on previously seen packets…
  – no limit to how complex they can be…
• Problem: outbound TCP or UDP packets create "a hole" for inbound packets on the same connection…

*Tricky Questions
• We put ACK=1 in our rule WHEN we want to block the first packet of this connection, the one which initiates it.
• Now who initiates the FTP data connection? Second stage of the ftp protocol, after the control connection on port 21.
  – the server! NOT the client (in traditional active mode the server connects from its port 20 to a client port announced over the control connection)
  – (more details on the next slide)

*Tricky Question About FTP (past exams)
traditional "active mode" FTP
[figure: control connection client -> server port 21, data connection server port 20 -> client]

**Additional Remarks About FTP
Note that 20, 21 are "PRIVILEGED" ports: a program running in userland will NOT typically be allowed to use them…
Later FTP servers developed so-called "passive mode" where the data connection is done differently, for example to circumvent firewalls blocking the server initiating the connection, and to allow web browsers to connect to FTP sites as well…
These "passive mode" connections use unprivileged ports on both sides, which makes them even harder to "firewall" (and to prevent unintended usage)…

Layering the Defences

DMZ = De-Militarized Zone
Common two-firewall configuration for isolating publicly-accessible services from the Internet but also from the Intranet
• a hardened "bastion host" in the DMZ to connect with ssh from the outside!

Firewall Circumventing
• Remember: inbound smtp uses port 25
  – WHY?
  – IANA-attributed = Internet Assigned Numbers Authority.
  – so that these things CAN be filtered by firewall…
• New applications want to gain popularity => developers and users always DO THEIR BEST to circumvent firewalls
  – all done "over web" = port 80,
  – or, better, "secure web" = port 443
  – P2P protocols, Skype, TeamViewer… want or need to circumvent firewalls…

VPN and IPSEC

Business need: Connect two offices
• Company with multiple offices:
  – Both parties have a firewall
  – a leased line between offices would be expensive.
  – use the Internet: very cheap BUT dangerous/insecure

VPN = Virtual Private Network
• As secure as a dedicated connection

IPSEC
• A sort of "state of the art" low-level VPN system.
  – standard to secure the Internet at the IP level
  – secures network links, point-2-point connections on the way,
    • does NOT provide user-2-user or application-2-application security
• Integrity + authenticity for ALL IP packets
• Not yet widely used, (originally) mandatory to implement in IPv6
  – everybody uses just SSL (at a higher level).
  – hard to make it work with existing firewalls etc..
  – IPSEC has no defenses against network traffic analysis
  – Gollmann: IPSEC violates two design principles of the Internet; the network should be:
    • stateless: in IPSEC network nodes have to work synchronized (they keep per-connection security associations)
    • unreliable: however in IPSEC there are problems if packets are lost…

How IPSEC Works
• Integrity + authenticity for ALL IP packets
  – Based on symmetric key cryptography, complex standard
  – Key management: the hard part. IKE = Internet Key Exchange
• Yet another encapsulation
  – ESP = Encapsulating Security Payload: E+A (encryption + authentication)

TCP

TCP = Transmission Control Protocol
– Connect port 1081 at host1
– to port 80 at host2

TCP Basics
[figure: one application message is split into several TCP segments, each TCP header + data]

TCP = Transmission Control Protocol
• Connection-oriented, preserves order
  – Sender
    • break data into numbered packets
  – Receiver
    • acknowledge reception
    • lost packets are resent!
    • reassemble in correct order!
[figure: book analogy, mail each page separately and reassemble the book at the receiver]

TCP Header
Header:
• Source Port: 1081
• Destination Port: 80
• Checksum: 0xa858
• Flags…
• etc..

Example: Connections and TCP Packets
[figure]

Security
• predictable sequence numbers
  – 32 bits
  – should start at random (each OS does it differently, many are NOT random)
  – then grow by 1 for every byte transmitted
• at least one flag is always SET

***Simplified TCP State Diagram
[figure]

Session Hijacking

Session Hijacking
Idea:
• I do not know the password,
• or do not have the right certificate and keys
• or do not have the tamper-resistant token….
=> I will join in the middle of an existing session!

Session Hijacking
• host-based session hijacking
  – root in Unix => can read and write local terminal devices?
  – network card firmware rootkit
  – etc…
• network-based session hijacking
  – against the TCP protocol
  – against HTTP
  – Q: why do all banks have the 'logout' button even if they have a very short timeout?

Attacks on TCP

TCP Handshake – SYN and ACK
[figure: SYN, SYN+ACK, ACK; Copyright © 2009 Shah Mahmood]

Attack – SYN Flooding
[figure: many SYNs with fake IP sources; Copyright © 2009 Shah Mahmood]

TCP Session Hijacking

TCP Hijacking [Morris 1984]
• attacker spies on transmission between victim and server, e.g. a telnet session, with a packet sniffer
• waits for authentication to take place (pwd => OK, or any other credentials like an OTP token)
• wants to hijack the session later!
TCP Hijacking Particulars
• The attacker observes the sequence numbers, they are easy to guess:
  – with high probability the next one is the last one incremented by 1 MSS (maximum segment size), i.e. by the bytes carried in a full-size segment.
• At a certain moment forges a packet to insert the attacker's commands
• Does it work?
  – the first 'fake' packet is accepted if it is received first (race condition)
• May be enough to execute the attack, like buy or transfer money with one click
  – but THEN (and only then… it may be too late), another packet with the same sequence number will be received, the attack will be detected OR synchronization will simply be lost.
• To make it really work, to hijack the connection completely and keep it active for unlimited time, it MUST be combined with ARP poisoning OR routing/MITM attacks

TCP Hijacking Defences
VERY IMPORTANT in normal TCP: the initial sequence number must be chosen at random.
Good practice: see RFC1948 = Defending Against Sequence Number Attacks (the ISN is a clock value plus a keyed hash of the connection's addresses and ports, so each connection gets its own unpredictable offset).
More advanced solutions:
• Citing RFC1948: "Clearly, the proper solution is cryptographic authentication" BUT… "it will be quite a long time before that is deployed" (tcpcrypt = proposed in July 2010).
• There are also some other 'imperfect' solutions like TCP cookies… (TCPCT proposal, 2009).

HTTP Session Hijacking

HTTP Session Hijacking
• HTTP is a stateless protocol
• Sessions are established using:
  – [ephemeral=session] cookies.
    • small text values, stored by the browser on the user's computer, containing useful information for user settings on a server (in particular the session identifier)

HTTP Session Hijacking (contd.)
• Obtain Cookies: two main methods
  – Using MITM using packet sniffers
    • or sniffers at any other place, level or protocol layer…
  – Browser attacks,
    • e.g. malicious Firefox plug-ins
• Then the connection can be intercepted!
  – Demo: Gmail @ Blackhat 2007.
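The TCP hijacking mechanics and the RFC1948 defence above, as an added simulation that is not part of the lecture: a receiver that accepts only the segment carrying the sequence number it expects, an on-path attacker who sniffed the last segment and therefore knows the next number and simply sends first, an off-path attacker who predicts a server's initial sequence number from a probe connection (which works against a counter-style generator and fails against a per-connection keyed hash), and the RFC1948-style ISN function itself. The hosts, ports, clock values, secret and command strings are constructed for the demo; the keyed hash used is HMAC-SHA256, an assumption, where the RFC suggested MD5.

```python
"""TCP sequence numbers: guessing, blind injection and RFC 1948 ISNs.

Added example, not from the lecture: a simulation of the receiver's
in-order check, an on-path attacker racing a forged segment, an off-path
attacker predicting an initial sequence number (ISN) from a probe
connection, and a per-connection ISN function in the style of RFC 1948.
Hosts, ports, clock values, the secret and the payloads are constructed.
"""
import hashlib
import hmac

MOD = 1 << 32


class Receiver:
    """Accepts only the segment whose seq equals rcv_nxt. Real TCP would
    buffer out-of-order data; what matters here is that the first segment
    to arrive with the expected number is the one that gets delivered."""
    def __init__(self, rcv_nxt):
        self.rcv_nxt = rcv_nxt
        self.delivered = []

    def segment(self, seq, payload):
        if seq != self.rcv_nxt:
            return False
        self.delivered.append(payload)
        self.rcv_nxt = (self.rcv_nxt + len(payload)) % MOD
        return True


def on_path_hijack(isn_client):
    """Attacker sniffs the client's last segment, so the next seq is just
    last seq + bytes sent. Its forged segment merely has to arrive first.
    Returns (forged accepted?, genuine accepted?, what the server delivered)."""
    server = Receiver(isn_client)
    observed = b"USER alice\r\n"
    server.segment(isn_client, observed)                     # seen on the wire
    next_seq = (isn_client + len(observed)) % MOD
    forged_ok = server.segment(next_seq, b"transfer 1000 to mallory\r\n")
    real_ok = server.segment(next_seq, b"balance\r\n")       # client's own segment, now late
    return forged_ok, real_ok, server.delivered


def naive_isn(connection_count, seconds):
    """Old BSD-style ISN: one global counter bumped per second and per
    connection. One probe connection reveals the counter to an attacker."""
    return (seconds * 128 + connection_count * 64) % MOD


def rfc1948_isn(secret, laddr, lport, raddr, rport, clock_ticks):
    """ISN = M + F(local addr, local port, remote addr, remote port, secret).
    M is the clock; F is a keyed hash, so the offset differs per connection
    and cannot be derived from the ISNs of other connections.
    (HMAC-SHA256 here is an assumption; RFC 1948 suggested MD5.)"""
    msg = f"{laddr}:{lport}>{raddr}:{rport}".encode()
    f = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")
    return (clock_ticks + f) % MOD


def off_path_prediction():
    """Attacker opens a probe connection, reads its ISN, then predicts the ISN
    the server will hand out one connection later to a spoofed client.
    Returns (prediction correct against naive ISNs?, against RFC 1948 ISNs?)."""
    probe = naive_isn(connection_count=10, seconds=500)
    predicted = (probe + 64) % MOD
    victim = naive_isn(connection_count=11, seconds=500)
    naive_hit = predicted == victim

    secret = b"server-boot-secret"                           # constructed
    probe = rfc1948_isn(secret, "10.0.0.1", 23, "198.51.100.7", 40000, 1_000_000)
    predicted = (probe + 64) % MOD
    victim = rfc1948_isn(secret, "10.0.0.1", 23, "10.0.0.2", 40001, 1_000_000)
    rfc_hit = predicted == victim
    return naive_hit, rfc_hit


if __name__ == "__main__":
    print("on-path race:", on_path_hijack(1000))
    print("off-path prediction (naive, rfc1948):", off_path_prediction())
```

The on-path case needs no cleverness about initial numbers at all, which is why the slides say a sniffer plus a race is enough for a one-shot command and why only a proper MITM position keeps the session alive afterwards. The off-path case is where the ISN choice matters: with a counter-style generator the prediction lands exactly, with the keyed per-connection offset the attacker is back to a 32-bit guess.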
Risks from Session Hijacking
Modify:
• emails,
• ftp file downloads,
• http responses,
• DNS zone transfers,
• etc..
• Carry out MITM attacks on SSL or weak cryptographic protocols.
  – often work because users ignored the warnings…
• Denial of service attacks, e.g. reset the connection

HTTPS Session Hijacking???
Q: Why and how does SSL prevent this? See part 6