CSE 127 Computer Security
|
|
- Philomena Lyons
- 5 years ago
- Views:
Transcription
1 CSE 127 Computer Security Alex Gantman, Spring 2018, Lecture 17 Network Security II
2 Review: Internet Protocol Suite Application Layer Examples: SMTP, FTP, SSH, HTTP, etc. Transport Layer: Port-addressed host-to-host communications (on LAN or WAN). User Datagram Protocol (UDP): single packet transmission with no reliability or ordering mechanisms. Transmission Control Protocol (TCP): connection establishment, reliable transmission, and flow-control. Internet Layer (IP): Fragmentation, reassembly, and end-to-end (across network boundaries) routing of data packets. Provides a uniform interface that hides the underlying network topology. Link Layer: Transmission of data frames within a local network (without intervening routers). Example: Ethernet Physical Layer: Transmission of raw bits (rather than logical data packets) over a physical data link connecting network nodes. Example: 100BASE-T [Technically not part of the Internet Protocol Model, but is still there]
3 IP Addressing Earlier IP addresses are globally unique. Yeah, about that A few exceptions: Network Address Translation Anycast
4 Network Address Translation Internet NAT Port
5 Network Address Translation NAT maintains a table of the form: <client IP> <client port> <NAT ID> Outgoing packets (on non-nat port): Look for client IP address, client port in the mapping table If found replace client port with previously allocated NAT ID (same size as PORT #) If not found allocate a new unique NAT ID and replace source port with NAT ID Replace source address with NAT address
6 Network Address Translation Incoming Packets (on NAT port) Look up destination port number as NAT ID in port mapping table If found replace destination address and port with client entries from the mapping table If not found the packet is not for us and should be rejected Table entries expire after 2-3 minutes to allow them to be garbage collected
7 Network Address Translation Benefits Only allows connections to the outside that are established from inside. Hosts from outside can only contact internal hosts that appear in the mapping table, and they re only added when they establish the connection Don t need as large an external address space (i.e. 10 machines can share 1 IP address) Costs Rewriting IP addresses isn t so easy (what if they appear in protocol data? Then what happens to sequence numbers?) Breaks some protocols (e.g., streaming protocols commonly have client invoke server and then server opens new connection to client)
8 Anycast Basic idea: Multiple hosts with the same IP address. Typically, geographically distributed. Different routes (to different hosts) are announced via BGP. Packets get routed to the host that s easier to reach from a given source. Only one destination host gets any given packet, but a packet can go to any host with the given IP address.
9 Anycast
10 Anycast Pros: A single globally known address can be routed to a nearby host (CDN, etc.) Cons: Works well for UDP, not so well for TCP (especially long-lived connections) What if some packets go to one host and some to another
11 Domain Name System (DNS)
12 Domain Name System (DNS) Say I want to send packet to Need IP address for Domain Name System (DNS): maps host names to IP addresses Large distributed database Critical Internet infrastructure Control of DNS allows attacker to impersonate any domain (in the absence of end-toend host authentication using SSH or TLS) Target of attacks
13 Domain Name System (DNS) Mail client Applications Root Name Server Web browser Name Server DNS resolver OS Recursive Name Server Name Server
14
15 Domain Name System (DNS) Hierarchical Name Space root Root org net edu com uk ca Top Level Domain (TLD) wisc ucb ucsd cmu mit Second Level Domain cs www ece Subdomain
16 Domain Name System (DNS) Hierarchical service for the hierarchical name space Root name servers for top-level domains Authoritative name servers for subdomains Local name resolvers contact authoritative servers when they do not know a name Authoritative server: provides authoritative information for a set of domains Does not handle queries about other domains Recursive resolver: provides recursive resolution of a domain to return requested record to client Handles queries about all domains Same protocol for both types of servers Distinction is in intended purpose only
17 Domain Name System (DNS)
18 DNS Root Servers Hostname IP Addresses Manager a.root-servers.net , 2001:503:ba3e::2:30 VeriSign, Inc. b.root-servers.net , 2001:500:200::b University of Southern California (ISI) c.root-servers.net , 2001:500:2::c Cogent Communications d.root-servers.net , 2001:500:2d::d University of Maryland e.root-servers.net , 2001:500:a8::e NASA (Ames Research Center) f.root-servers.net , 2001:500:2f::f Internet Systems Consortium, Inc. g.root-servers.net , 2001:500:12::d0d US Department of Defense (NIC) h.root-servers.net , 2001:500:1::53 US Army (Research Lab) i.root-servers.net , 2001:7fe::53 Netnod j.root-servers.net , 2001:503:c27::2:30 VeriSign, Inc. k.root-servers.net , 2001:7fd::1 RIPE NCC l.root-servers.net , 2001:500:9f::42 ICANN m.root-servers.net , 2001:dc3::35 WIDE Project
19 DNS Root Servers
20 Domain Name System (DNS) Root Name Server [a.root-servers.net] 3. where s 4. check with ns-auth2.ucsd.edu? Name Server [a.edu-servers.net] Recursive Name Server Name Server [ns-auth2.ucsd.edu]
21 DNS Messages DNS uses UDP as transport Query ID links response to query 16 bits
22 DNS Messages Response types A (1): Address Record. Here s the IP address you are looking for. NS (2): Name Server. Go ask that guy over there. CNAME (5): Alias. The server you are looking for goes by another name. dozens more
23 DNS Caching DNS responses are cached Quick response for repeated translations Useful for finding servers as well as addresses NS records for domains DNS negative queries are cached Save time for nonexistent sites, e.g. misspelling Cached data periodically times out Lifetime (TTL) of data controlled by owner of data TTL passed with every record
24 DNS Caching
25 Security of DNS Users/hosts trust the host-address mapping provided by DNS Used as the basis for many security policies Browser same origin policy, URL address bar, user trust Basic DNS uses UDP without any authentication Man-in-the-middle attacks are possible Forging response to observed query is trivial Off-path attacks require guessing two parameters Query ID from response (16 bits) Source port (approx. 15 bits) Caching introduces additional vulnerabilities
26 Additional Record Injection DNS query results include Additional Records section Provide records for anticipated next resolution step Early DNS resolvers accepted and cached all additional records What is wrong with this? Let s say you are retrieving an image from a malicious site (img.attacker.com) The Authoritative Name Server for img.attacker.com is ns.attacker.com When ns.attacker.com responds to the DNS query it includes an additional record for
27 Additional Record Injection Can we just stop using additional section? Only accept answers from authoritative servers? Glue records: non-authoritative records necessary to contact next hop in resolution chain Necessary given current design of DNS Countermeasure: Bailiwick Rules
28 Bailiwick Rules Bailiwick rule: defines what response records a recursive resolver will accept Bailiwick: set of domains about which a server is has direct or indirect authority to speak Bailiwick determined by the initiator of query Answer should be relevant (in response to request) Answer should be in bailiwick
29 Forging DNS Replies For performance reasons, some DNS resolvers (e.g. BIND) re-used the same socket for all queries If source port is same: can be determined by attacker by having recursive resolver query attacker-controlled authoritative server Attacker only needs to guess 16-bit query ID Non-random query ID generators may make it easier
30 DNS Cache Poisoning Caching allows for attack amplification Once an incorrect record is cached, it is used until TTL expires Attack sketch: Attacker gets victim to issue a DNS query Example: embedded content in a web page If the queried domain is already in cache, attack fails Otherwise, flood resolver with forged responses Attacker wins if one of the responses has correct port and query ID, and arrives before the real response If real response wins, cache is updated and attacker is locked out until TTL expires
31 DNS Cache Poisoning Insight 1: start of race is controlled by attacker Forged responses can be synchronized with request Easier to win timing race against real name server Kaminsky 2008 Insight 2: Attacker can trigger requests for non-existing domains, guaranteed not to be in cache Example: foobar123.google.com Multiple requests Bypassing TTL timeouts Insight 3: Forged response can be NS record Redirects rest of recursive search to attacker-controlled name server Satisfies bailiwick rules Allows attacker to bundle A record for with response for foobar123.google.com
32
33
34 DNS Cache Poisoning Lots of DNS poisoning attacks have occurred in the wild January 2005, the domain name for a large New York ISP, Panix, was hijacked to a site in Australia. In November 2004, Google and Amazon users were sent to Med Network Inc., an online pharmacy In March 2003, a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and presented them with the message "God Bless Our Troops 2000 campaign: Hilary2000.org -> hilaryno.com
35 DNS Defenses Increase size of secret attacker needs to guess CSPRNG to generate query ID CSPRNG to select source port Make queries case-sensitive Duplicate queries Decrease opportunities for poisoning Ignore any additional record that is not necessary for current query Authentication DNSSEC TLS
36 DNS Defenses DNSSEC Signed DNS records How do you authenticate the non-existence of a record? TLS Only host with private key for domain will be able to complete TLS handshake Certificate ensures that rightful owner of domain has key
37 DNS Defenses (0x20 Encoding) Goal: Increase entropy in DNS Idea: Vary capitalization of queried domain DNS is case insensitive DNS server s response must use same capitalization All known servers happen to do this One additional bit of entropy per letter Attack must guess capitalization also
38 Summary Current DNS system does not provide strong evidence binding request to response Response can provide more data than was asked for Together allows attacker to poison DNS and divert traffic to their sites
39 Network Perimeter Defense
40 Network Perimeter Defense Typical elements Firewalls Network Address Translation Network Intrusion Detection/Prevention Systems(NIDS/NIPS)
41 Firewalls Goal: Protecting or isolating one part of the network from other parts In particular: protect your network from global Internet Filter or otherwise limit bad network traffic Protect services offered internally from outside access. Provide outside services to hosts located inside.
42 Firewalls Network Filter: inspect and block packets Stateless: each packet is evaluated in isolation Source, destination, other header fields Stateful: firewall maintains state about connections May be application-aware and inspect packet payload May be coupled with NAT Application Proxy Man in the middle: Act as a server to the client, act as a client to the server. Protected side receives only well-formed traffic from the proxy Personal Firewall Application on the end host Has additional application/user specific information
43 Packet Filtering Firewalls Filter packets based on network and transport layer headers: Source and destination IP addresses and ports Flags (e.g. ACK)
44 Ports Ports are used to distinguish applications and services on a machine. Low numbered ports are often reserved for server listening. High numbered ports are often assigned for client requests. Port 7 (UDP,TCP): echo server Port 13 (UDP,TCP): daytime Port 20 (TCP): FTP data Port 21 (TCP): FTP control Port 22 (TCP): ssh Port 25 (TCP): SMTP (Mail) Port 80 (TCP): HTTP Port 123 (UDP): NTP Port 143 (TCP): IMAP Port 2049 (UDP): NFS Ports 6000 to 6xxx (TCP): X11
45 Packet Filtering Firewalls Some firewalls keep state about open TCP connections Allows conditional filtering rules of the form if internal machine has established the TCP connection, permit inbound reply packets
46 Network Firewalls Internal Network External-facing Servers External Network
47 Principles for Firewall Configuration Least Privilege: Turn off everything that is unnecessary (e.g. Web Servers should disable port 25 [SMTP]) Failsafe Defaults: By default should reject (Note that this can cause usability problems ) Egress Filtering: Filter outgoing packets too! You know the valid IP addresses for machines internal to the network, so drop those that aren t valid. This can help prevent DoS attacks in the Internet.
48 Proxy Firewalls Proxy acts like both a client and a server. Able to filter using application-level info For example, permit some URLs to be visible outside and prevent others from being visible. Proxies can provide other services too Caching, load balancing, etc. Web Server Web Proxy External Network
49 Firewalls Benefits Reduced attack surface against external attackers Filter out lots of noise in network traffic (helps focus attention) Reduced liability (common practice) Costs Actual cost: both hardware and administration Bottleneck and single point of failure on network False sense of security Limited language (addresses, ports); doesn t help with worms/viruses, ssh exploits, cross-site scripting, etc Inside vs outside model is fragile (once an internal host is compromised firewall does no good); What about wireless laptops?
50 Network Content Analysis Lots of devices want to look at network traffic for security Network Intrusion detection/prevention Systems (NIDS/NIPS) Try to find signatures of attacks or malware Spam filters Try to detect unwanted Data leakage Try to prevent sensitive information from leaving company Traffic differentiation Filter or slow down p2p traffic (e.g. Comcast)
51 Challenges Expensive to look into each packet 10Gbps -> ~1M packets per second ns per byte Network vantage point is imperfect What does a packet mean? What if a session is encrypted? Network evasion?
52 Network evasion Typically network intrusion detection systems are deployed like firewalls (between internal network and Internet) Key assumption is that NIDS sees the same traffic as destination host Not quite true Lots of ways to evade a NIDS by exploiting ambiguity
53 TTL evasion Suppose destination is 2 hops after NIDS box This is what NIDS sees (each letter is one pkt) ttl=2 ttl=2 ttl=2 ttl=2 ttl=1 ttl=2 ttl=2 I A M B E A D This is destination sees ttl=1 ttl=1 ttl=1 ttl=1 ttl=1 ttl=1 I A M B A D
54 Sequence # evasion Suppose attacker sends two packets 5 6 TCP Seq # A D I A M B E What does destination see? IAMBED? IAMBAD? IAMBD? Depends on host Lots of other evasion techniques E.g., how do you reassemble packet fragments
55 Solution Protocol normalization NIDS rewrites packets to remove all ambiguity E.g. all packets have ttl rewritten to reach any internal destination IDS tracks each flow and does not allow overlapping packets Can be very tricky to get right and expensive Potentially must buffer large amounts of data What if you get seq #2 through #100, but not seq #1? Tradeoff: when to drop data vs when to buffer
56 Summary Core protocols not designed for security Eavesdropping, Packet injection, Route stealing, DNS poisoning Patched over time to prevent basic attacks (e.g. random TCP SN) More secure variants exist (but limited deployment) IP -> IPsec DNS -> DNSsec BGP -> SBGP Still need to be careful about protocol semantics Perimeter defenses can shrink the attack surface exposed by the network, but can t stop everything this way
57 Additional Resources DNS and BIND By Paul Albitz and Cricket Liu Firewalls and Internet Security: Repelling the Wily Hacker by William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin
58 Homework Assignment 5 is due next week 10pm)
59 Next Lecture Hardware Security: Meltdown and Spectre (and Rowhammer if there s time)
Computer Security CS 426
Computer Security CS 426 Lecture 34 DNS Security 1 Domain Name System Translate host names to IP addresses E.g., www.google.com 74.125.91.103 Hostnames are human-friendly IP addresses keep changing And
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 18: Network Attacks Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Network attacks denial-of-service (DoS) attacks SYN
More informationInternet Security: How the Internet works and some basic vulnerabilities. Slides from D.Boneh, Stanford and others
Internet Security: How the Internet works and some basic vulnerabilities Slides from D.Boneh, Stanford and others 1 Internet Infrastructure ISP Backbone ISP Local and interdomain routing TCP/IP for routing
More informationDNS Review Quiz. Match the term to the description: A. Transfer of authority for/to a subdomain. Domain name DNS zone Delegation C B A
DNS Review Quiz Match the term to the description: C B A Level: Domain name DNS zone Delegation Descriptions: A. Transfer of authority for/to a subdomain B. A set of names under the same authority (ie.com
More informationCIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 12
CIS 551 / TCOM 401 Computer and Network Security Spring 2007 Lecture 12 Announcements Project 2 is on the web. Due: March 15th Send groups to Jeff Vaughan (vaughan2@seas) by Thurs. Feb. 22nd. Plan for
More informationCSC 574 Computer and Network Security. DNS Security
CSC 574 Computer and Network Security DNS Security Alexandros Kapravelos kapravelos@ncsu.edu (Derived from slides by Will Enck and Micah Sherr) A primer on routing Routing Problem: How do Alice s messages
More informationDistributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013
Distributed Systems 27. Firewalls and Virtual Private Networks Paul Krzyzanowski Rutgers University Fall 2013 November 25, 2013 2013 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive
More informationComputer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2009 Lecture 8 Announcements Plan for Today: Networks: TCP Firewalls Midterm 1: One week from Today! 2/17/2009 In class, short answer, multiple choice,
More informationLecture 4: Basic Internet Operations
Lecture 4: Basic Internet Operations Prof. Shervin Shirmohammadi SITE, University of Ottawa Prof. Shervin Shirmohammadi CEG 4395 4-1 LAN View A LAN 2 B Hub 2 Gateway to Internet Hub 1 Z (Gateway) LAN 1
More informationIntroduction to Network. Topics
Introduction to Network Security Chapter 7 Transport Layer Protocols 1 TCP Layer Topics Responsible for reliable end-to-end transfer of application data. TCP vulnerabilities UDP UDP vulnerabilities DNS
More informationThe Internet is not always a friendly place In fact, hosts on the Internet are under constant attack How to deal with this is a large topic
CSE 123 Computer Networking Fall 2009 Network security NAT, Firewalls, DDoS Geoff Voelker Network security The Internet is not always a friendly place In fact, hosts on the Internet are under constant
More informationInternet Security: How the Internet works and some basic vulnerabilities
CS 155 Internet Security: How the Internet works and some basic vulnerabilities Dan Boneh Acknowledgments: Lecture slides are from the Computer Security course taught by Dan Boneh and John Mitchell at
More informationOur Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II
Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2016 www.cs.cmu.edu/~prs/15-441-f16 Yes: Creating a secure channel for communication (Part I) Protecting
More informationChapter 2 Application Layer. Lecture 5 DNS. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012
Chapter 2 Application Layer Lecture 5 DNS Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 Application Layer 2-1 Chapter 2: outline 2.1 principles
More informationInternet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.
Internet Layers Application Application Transport Transport Network Network Network Network Link Link Link Link Ethernet Fiber Optics Physical Layer Wi-Fi ARP requests and responses IP: 192.168.1.1 MAC:
More information20-CS Cyber Defense Overview Fall, Network Basics
20-CS-5155 6055 Cyber Defense Overview Fall, 2017 Network Basics Who Are The Attackers? Hackers: do it for fun or to alert a sysadmin Criminals: do it for monetary gain Malicious insiders: ignores perimeter
More informationNetwork Security. Thierry Sans
Network Security Thierry Sans HTTP SMTP DNS BGP The Protocol Stack Application TCP UDP Transport IPv4 IPv6 ICMP Network ARP Link Ethernet WiFi The attacker is capable of confidentiality integrity availability
More informationThe net and it s Ecosystem
The net and it s Ecosystem ICANN manages TLDs IANA manages assigned numbers TLD Owners Sell domain DNS names resolves names DNS Providers Resell domain names Regional Registries assign addresses CDN caches/
More informationTesting IPv6 address records in the DNS root
Testing IPv6 address records in the DNS root February 2007 Geoff Huston Chief Scientist APNIC Priming a DNS name server 1. Take the provided root hints file 2. Generate a DNS query for resource records
More informationDomain Name System.
Domain Name System http://xkcd.com/302/ CSCI 466: Networks Keith Vertanen Fall 2011 Overview Final project + presentation Some TCP and UDP experiments Domain Name System (DNS) Hierarchical name space Maps
More informationELEC5616 COMPUTER & NETWORK SECURITY
ELEC5616 COMPUTER & NETWORK SECURITY Lecture 17: Network Protocols I IP The Internet Protocol (IP) is a stateless protocol that is used to send packets from one machine to another using 32- bit addresses
More informationNetworking Applications
Networking Dr. Ayman A. Abdel-Hamid College of Computing and Information Technology Arab Academy for Science & Technology and Maritime Transport 1 Outline Introduction Name Space concepts Domain Name Space
More informationIP ADDRESSES, NAMING, AND DNS
IP ADDRESSES, NAMING, AND DNS George Porter Apr 9, 2018 ATTRIBUTION These slides are released under an Attribution-NonCommercial-ShareAlike 3.0 Unported (CC BY-NC-SA 3.0) Creative Commons license These
More informationThe big picture. Security. Some consequences. Three types of threat. LAN Eavesdropping. Network-based access control
The big picture Security Next two lectures about security Today: attack - All kinds of bad things attackers can do over the network Next lecture: defense - Techniques for protecting against these and other
More informationSecurity. - All kinds of bad things attackers can do over the network. - Techniques for protecting against these and other attacks
Security Next two lectures about security Today: attack - All kinds of bad things attackers can do over the network Next lecture: defense - Techniques for protecting against these and other attacks Note:
More informationSecurity. - All kinds of bad things attackers can do over the network. - Techniques for protecting against these and other attacks
Security Next two lectures about security Today: attack - All kinds of bad things attackers can do over the network Next lecture: defense - Techniques for protecting against these and other attacks Note:
More informationCSC 574 Computer and Network Security. TCP/IP Security
CSC 574 Computer and Network Security TCP/IP Security Alexandros Kapravelos kapravelos@ncsu.edu (Derived from slides by Will Enck and Micah Sherr) Network Stack, yet again Application Transport Network
More informationNetwork security. CSE 127 Computer Security. TCP/IP Protocol Stack. Packet Switched Network Architecture. Protocols are structured in layers
CSE 127 Computer Security Spring 2011 Intro to networking and network security Stefan Savage security First need to understand basic networking Architecture IP UDP TCP DNS And vulnerabilities in their
More informationThe Domain Name System
The Domain Name System History of DNS Before DNS ARPAnet HOSTS.txt contains all the hosts information Maintained by SRI s Network Information Center In SRI-NIC host Problems: Not scalable! Traffic and
More informationK-Root Nameserver Operations
K-Root Nameserver Operations Andrei Robachevsky Chief Technical Officer andrei@ripe.net 1 Outline Root Server System What is a root server? Where is the root? Anycast Routing The basics Advantages of using
More informationApplication Firewalls
Application Moving Up the Stack Advantages Disadvantages Example: Protecting Email Email Threats Inbound Email Different Sublayers Combining Firewall Types Firewalling Email Enforcement Application Distributed
More informationComputer Security. 11. Network Security. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 11. Network Security Paul Krzyzanowski Rutgers University Spring 2018 April 15, 2018 CS 419 2018 Paul Krzyzanowski 1 The Internet Packet switching: store-and-forward routing across multiple
More informationCS Paul Krzyzanowski
The Internet Packet switching: store-and-forward routing across multiple physical networks... across multiple organizations Computer Security 11. Network Security ISP Paul Krzyzanowski Rutgers University
More informationAdvanced Networking. Domain Name System
Advanced Networking Domain Name System Purpose of DNS servers Human being has many identifications: 1) Our name can be used for identification Problem: Two differenet people may have same name. 2) Mobile
More informationAdvanced Networking. Domain Name System. Purpose of DNS servers. Purpose of DNS servers. Purpose of DNS servers
Purpose of DNS servers Advanced Networking Domain Name System Human being has many identifications: 1) Our name can be used for identification Problem: Two differenet people may have same name. 2) Mobile
More informationOSI Session / presentation / application Layer. Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016)
OSI Session / presentation / application Layer Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 1 Higher level protocols On top of IP, TCP, UDP, etc. there are a plethora
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 20: Intrusion Prevention Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Firewalls purpose types locations Network perimeter
More informationMore on DNS and DNSSEC
More on DNS and DNSSEC CS 161: Computer Security Prof. Raluca Ada Popa March 6, 2018 A subset of the slides adapted from David Wagner Domain names Domain names are human friendly names to identify servers
More informationNetworking interview questions
Networking interview questions What is LAN? LAN is a computer network that spans a relatively small area. Most LANs are confined to a single building or group of buildings. However, one LAN can be connected
More informationDistributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015
Distributed Systems 29. Firewalls Paul Krzyzanowski Rutgers University Fall 2015 2013-2015 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive data & systems not accessible Integrity:
More informationSecurity Engineering. Lecture 16 Network Security Fabio Massacci (with the courtesy of W. Stallings)
Security Lecture 16 Network Security Fabio Massacci (with the courtesy of W. Stallings) Lecture Outline Network Attacks Attive Attacks Passive Attacks TCP Attacks Contermeasures IPSec SSL/TLS Firewalls
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 19: Intrusion Detection Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Intruders Intrusion detection host-based network-based
More informationK-Root Name Server Operations
K-Root Name Server Operations Andrei Robachevsky andrei@ripe.net 1 Outline Root Server System brief update Architecture Current locations Anycast deployment K.root-servers.net Server Major milestones Current
More informationCSCE 463/612 Networks and Distributed Processing Spring 2018
CSCE 463/612 Networks and Distributed Processing Spring 2018 Application Layer IV Dmitri Loguinov Texas A&M University February 13, 2018 1 Chapter 2: Roadmap 2.1 Principles of network applications 2.2
More informationOur Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities
Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2014 www.cs.cmu.edu/~prs/15-441-f14 Yes: Creating a secure channel for communication (Part I) Protecting
More informationChapter 8 roadmap. Network Security
Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing e-mail 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7 Securing
More informationDNS: Useful tool or just a hammer? Paul DNS-OARC 06 Oct 2013, Phoenix
DNS: Useful tool or just a hammer? Paul Ebersman pebersman@infoblox.com, @paul_ipv6 DNS-OARC 06 Oct 2013, Phoenix 1 Attacking your cache 2 Recursion DNS queries are either recursive or nonrecursive recursive
More informationDOMAIN NAME SECURITY EXTENSIONS
DOMAIN NAME SECURITY EXTENSIONS The aim of this paper is to provide information with regards to the current status of Domain Name System (DNS) and its evolution into Domain Name System Security Extensions
More informationProxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking
NETWORK MANAGEMENT II Proxy Servers Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking resources from the other
More informationEECS 122: Introduction to Computer Networks DNS and WWW. Internet Names & Addresses
EECS 122: Introduction to Computer Networks DNS and WWW Computer Science Division Department of Electrical Engineering and Computer Sciences University of California, Berkeley Berkeley, CA 94720-1776 Internet
More informationMore Internet Support Protocols
More Internet Support Protocols Domain Name System (DNS) Ch 2.5 Problem statement: Average brain can easily remember 7 digits On average, IP addresses have 10.28 digits We need an easier way to remember
More informationUnit 4: Firewalls (I)
Unit 4: Firewalls (I) What is a firewall? Types of firewalls Packet Filtering Statefull Application and Circuit Proxy Firewall services and limitations Writing firewall rules Example 1 Example 2 What is
More informationLecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015
Lecture 6 Internet Security: How the Internet works and some basic vulnerabilities Thursday 19/11/2015 Agenda Internet Infrastructure: Review Basic Security Problems Security Issues in Routing Internet
More informationInternet Technology. 06. Exam 1 Review Paul Krzyzanowski. Rutgers University. Spring 2016
Internet Technology 06. Exam 1 Review Paul Krzyzanowski Rutgers University Spring 2016 March 2, 2016 2016 Paul Krzyzanowski 1 Question 1 Defend or contradict this statement: for maximum efficiency, at
More informationConfiguring attack detection and prevention 1
Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack
More informationInternet Technology 3/2/2016
Question 1 Defend or contradict this statement: for maximum efficiency, at the expense of reliability, an application should bypass TCP or UDP and use IP directly for communication. Internet Technology
More informationDNS Cache Poisoning Looking at CERT VU#800113
DNS Cache Poisoning Looking at CERT VU#800113 Nadhem J. AlFardan Consulting Systems Engineer Cisco Systems ANOTHER BORING DNS ISSUE Agenda DNS Poisoning - Introduction Looking at DNS Insufficient Socket
More informationComputer Security and Privacy
CSE P 590 / CSE M 590 (Spring 2010) Computer Security and Privacy Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for
More informationDNSSEC. CS 161: Computer Security Prof. David Wagner. April 11, 2016
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS
More informationApplied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.
Applied IT Security System Security Dr. Stephan Spitz Stephan.Spitz@de.gi-de.com Overview & Basics System Security Network Protocols and the Internet Operating Systems and Applications Operating System
More informationThe big picture. Security. Some consequences. Three types of threat. Warm up: phishing. Danger: malicious servers
Security The big picture Three lectures about security Today: attack - All kinds of bad things attackers can do over the network Next lecture: defense building blocks - Techniques for protecting against
More informationCOMPUTER NETWORK SECURITY
COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (9 th Week) 9. Firewalls and Intrusion Prevention Systems 9.Outline The Need for Firewalls Firewall Characterictics and Access Policy Type of Firewalls
More informationICS 351: Networking Protocols
ICS 351: Networking Protocols IP packet forwarding application layer: DNS, HTTP transport layer: TCP and UDP network layer: IP, ICMP, ARP data-link layer: Ethernet, WiFi 1 Networking concepts each protocol
More informationIPv6 Support in the DNS. Athanassios Liakopoulos 6DEPLOY IPv6 Training, Skopje, June 2011
IPv6 Support in the DNS Athanassios Liakopoulos (aliako@grnet.gr) 6DEPLOY IPv6 Training, Skopje, June 2011 Copy Rights This slide set is the ownership of the 6DEPLOY project via its partners The Powerpoint
More informationCSEN 404 Introduction to Networks. Mervat AbuElkheir Mohamed Abdelrazik. ** Slides are attributed to J. F. Kurose
CSEN 404 Introduction to Networks Mervat AbuElkheir Mohamed Abdelrazik ** Slides are attributed to J. F. Kurose HTTP Method Types HTTP/1.0 GET POST HEAD asks server to leave requested object out of response
More informationNetwork Intrusion Detection Systems. Beyond packet filtering
Network Intrusion Detection Systems Beyond packet filtering Goal of NIDS Detect attacks as they happen: Real-time monitoring of networks Provide information about attacks that have succeeded: Forensic
More informationRIPE Network Coordination Centre. K-root and DNSSEC. Wolfgang Nagele RIPE NCC.
K-root and DNSSEC Wolfgang Nagele RIPE NCC RIPE NCC One of the five Regional Internet Registries Provides IP address and AS number resources to Europe and Middle-East regions DNS related work - Parent
More informationGuide to Networking Essentials, 6 th Edition. Chapter 5: Network Protocols
Guide to Networking Essentials, 6 th Edition Chapter 5: Network Protocols Objectives Describe the purpose of a network protocol, the layers in the TCP/IP architecture, and the protocols in each TCP/IP
More informationInformation Security CS 526
Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication Topic 14: Secure Communication 1 Readings for This Lecture On Wikipedia Needham-Schroeder protocol (only the symmetric
More informationSome of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras
Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du Firewalls Chester Rebeiro IIT Madras Firewall Block unauthorized traffic flowing from one network to another
More informationCyberP3i Course Module Series
CyberP3i Course Module Series Spring 2017 Designer: Dr. Lixin Wang, Associate Professor Firewall Configuration Firewall Configuration Learning Objectives 1. Be familiar with firewalls and types of firewalls
More informationR (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.
R (2) N (5) Oral (3) Total (10) Dated Sign Experiment No: 1 Problem Definition: Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing. 1.1 Prerequisite:
More informationCS 43: Computer Networks. 10: Naming and DNS September 24, 2018
CS 43: Computer Networks 10: Naming and DNS September 24, 2018 Last class Distributed systems architectures Client-Server Peer-to-Peer Challenges in design Partial failures Event ordering Lecture 10 -
More informationCS519: Computer Networks. Lecture 6: Apr 5, 2004 Naming and DNS
: Computer Networks Lecture 6: Apr 5, 2004 Naming and DNS Any problem in computer science can be solved with another layer of indirection David Wheeler Naming is a layer of indirection What problems does
More informationFlashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities
Flashback.. Internet design goals Security Part One: Attacks and Countermeasures 15-441 With slides from: Debabrata Dash,Nick Feamster, Vyas Sekar 15-411: F08 security 1 1. Interconnection 2. Failure resilience
More informationCSCI-1680 Network Layer:
CSCI-1680 Network Layer: Wrapup Rodrigo Fonseca Based partly on lecture notes by Jennifer Rexford, Rob Sherwood, David Mazières, Phil Levis, John JannoA Administrivia Homework 2 is due tomorrow So we can
More informationLecture 05: Application Layer (Part 02) Domain Name System. Dr. Anis Koubaa
NET 331 Computer Networks Lecture 05: Application Layer (Part 02) Domain Name System Dr. Anis Koubaa Reformatted slides from textbook Computer Networking a top-down appraoch, Fifth Edition by Kurose and
More informationSecurity. - All kinds of bad things attackers can do over the network. Next lecture: defense building blocks
Security Three lectures about security Today: attack - All kinds of bad things attackers can do over the network Next lecture: defense building blocks - Techniques for protecting against these and other
More informationA Technical Overview of the Lucent Managed Firewall
Lucent Managed Version 2.0 A Technical Overview of the Lucent Managed This document provides a technical overview of the Lucent Managed architecture. Key technical features and potential application scenarios
More informationCSc 466/566. Computer Security. 18 : Network Security Introduction
1/81 CSc 466/566 Computer Security 18 : Network Security Introduction Version: 2012/05/03 13:57:28 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian Collberg
More information(DNS, and DNSSEC and DDOS) Geoff Huston APNIC
D* (DNS, and DNSSEC and DDOS) Geoff Huston APNIC How to be bad 2 How to be bad Host and application-based exploits abound And are not going away anytime soon! And there are attacks on the Internet infrastructure
More informationReview for Internet Introduction
Review for Internet Introduction What s the Internet: Two Views View 1: Nuts and Bolts View billions of connected hosts routers and switches protocols control sending, receiving of messages network of
More informationNetwork and Internet Vulnerabilities
Network and Internet Vulnerabilities Computer Security Lecture 10 Mike Just 1 School of Informatics University of Edinburgh 15th February 2010 1 Based on original lecture notes by David Aspinall Internet
More informationInt ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28
Int ernet w orking Internet Security Literature: Forouzan: TCP/IP Protocol Suite : Ch 28 Internet Security Internet security is difficult Internet protocols were not originally designed for security The
More informationComputer Security. 12. Firewalls & VPNs. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 12. Firewalls & VPNs Paul Krzyzanowski Rutgers University Spring 2018 April 15, 2018 CS 419 2018 Paul Krzyzanowski 1 Conversation Isolation: Network Layer Virtual Private Networks (VPNs)
More informationFirewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003
Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003 A system or combination of systems that enforces a boundary between two or more networks - NCSA
More informationDomain Name Service. DNS Overview. October 2009 Computer Networking 1
Domain Name Service DNS Overview October 2009 Computer Networking 1 Why DNS? Addresses are used to locate objects (contain routing information) Names are easier to remember and use than numbers DNS provides
More informationDNS Attacks. Haythem EL MIR, CISSP CTO, NACS
DNS Attacks Haythem EL MIR, CISSP CTO, NACS Why worry about DNS? All Applications Rely on DNS! VeriSign: DoS attack could shut down internet Denial-of-service attacks are growing faster than bandwidth
More informationComputer Networks. Domain Name System. Jianping Pan Spring /25/17 CSC361 1
Computer Networks Domain Name System Jianping Pan Spring 2017 1/25/17 CSC361 1 Review: Web/HTTP Web URI/URL, HTML tags embedded/linked objects HTTP request and response persistence, statefulness web caching,
More informationLecture 7: Application Layer Domain Name System
Lecture 7: Application Layer Domain Name System COMP 332, Spring 2018 Victoria Manfredi Acknowledgements: materials adapted from Computer Networking: A Top Down Approach 7 th edition: 1996-2016, J.F Kurose
More informationApplications & Application-Layer Protocols: (SMTP) and DNS
CS 312 Internet Concepts Applications & Application-Layer Protocols: E (SMTP) and DNS Dr. Michele Weigle Department of Computer Science Old Dominion University mweigle@cs.odu.edu http://www.cs.odu.edu/~mweigle/cs312-f11
More informationDNS Security. Ch 1: The Importance of DNS Security. Updated
DNS Security Ch 1: The Importance of DNS Security Updated 8-21-17 DNS is Essential Without DNS, no one can use domain names like ccsf.edu Almost every Internet communication begins with a DNS resolution
More informationConfiguring attack detection and prevention 1
Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack
More informationCSCE 463/612 Networks and Distributed Processing Spring 2018
CSCE 463/612 Networks and Distributed Processing Spring 2018 Application Layer III Dmitri Loguinov Texas A&M University February 8, 2018 Original slides copyright 1996-2004 J.F Kurose and K.W. Ross 1 Chapter
More informationCPSC 826 Internetworking. The Network Layer: Routing & Addressing Outline. The Network Layer
1 CPSC 826 Intering The Network Layer: Routing & Addressing Outline The Network Layer Michele Weigle Department of Computer Science Clemson University mweigle@cs.clemson.edu November 10, 2004 Network layer
More informationLecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005
Firewalls Lecture 33 Security April 15, 2005 Idea: separate local network from the Internet Trusted hosts and networks Intranet Firewall DMZ Router Demilitarized Zone: publicly accessible servers and networks
More informationCIS 5373 Systems Security
CIS 5373 Systems Security Topic 4.1: Network Security Basics Endadul Hoque Slide Acknowledgment Contents are based on slides from Cristina Nita-Rotaru (Northeastern) 2 Network Security INTRODUCTION 3 What
More informationFirewalls, Tunnels, and Network Intrusion Detection
Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.
More information2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008
2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008 Kim Davies Manager, Root Zone Services Internet Corporation for Assigned Names & Numbers How do you attack the DNS? A typical DNS query
More informationECE 4450:427/527 - Computer Networks Spring 2017
ECE 4450:427/527 - Computer Networks Spring 2017 Dr. Nghi Tran Department of Electrical & Computer Engineering Lecture 6.2: IP Dr. Nghi Tran (ECE-University of Akron) ECE 4450:427/527 Computer Networks
More information