Správa sítí I Bezpečnost a řízení přístupu

Transcription

1 Správa sítí I Bezpečnost a řízení přístupu Mgr. Rudolf B. Blažek, Ph.D. Katedra počítačových systémů Fakulta informačních technologií České vysoké učení technické v Praze Rudolf Blažek Moderní technologie Internetu MI-MTI, ZS2011/12, Přednáška 2 Evropský sociální fond Praha & EU: Investujeme do vaší budoucnos@

2 Network Management I Security and Access Control Mgr. Rudolf B. Blažek, Ph.D. Department of Computer Systems Faculty of Information Technologies Czech Technical University in Prague Rudolf Blažek Modern Internet Technologies MIE-MTI, ZS2011/12, Přednáška 2 The European Social Fund Prague & EU: We Invest in Your Future

3 Lecture Overview Security and Access Control Firewall NAT (Network Address Translation) DHCP (Dynamic Host Config. Protocol) Authorization (Autorizace) Encryption (Šifrování) 3

4 Introduction to Network Protocols Introduction to Network Protocols 4

5 Introduction to Network Protocols Communication System Models OSI Model (Open Systems Interconnection model) Layer Function Data Unit Text Source: Wikipedia.org Host Layers Media Layers 7. Application Network process Application 6. Presentation Data representation Data encryption/decryption Machine dependent independent 5. Session Interhost communication 4. Transport End-to-end connections & reliability, Flow control Data Segment 3. Network Path determination, Logical addressing Packet 2. Data Link Physical addressing Frame 1. Physical Transmission (media, signal, binary) bit 5

6 Introduction to Network Protocols Communication System Models OSI Model (Open Systems Interconnection model) Layer Function Data Unit 7. Application Network process Application Text Source: Wikipedia.org Host Layers Media Layers 6. Presentation 5. Session 4. Transport Not Enough Activity End-to-end connections & reliability, Flow control Data Segment 3. Network Path determination, Logical addressing Packet 2. Data Link Physical addressing Frame 1. Physical Transmission (media, signal, binary) bit 6

7 Introduction to Network Protocols Communication System Models OSI Model (Open Systems Interconnection model) Layer Function Data Unit 7. Application Network process Application Text Source: Wikipedia.org Host Layers Media Layers 6. Presentation Data 5. Session 4. Transport End-to-end connections & reliability, Flow control Segment 3. Network Path determination, Logical addressing Packet 2. Data Link Physical addressing Frame 1. Physical Transmission (media, signal, binary) bit 7

8 Introduction to Network Protocols Communication System Models Communication System Models Host Layers Media Layers OSI Layer 7. Application 6. Presentation 5. Session 4. Transport TCP/IP Layer Various Five-layer TCP/IP models RFC 1122 "Four-layer Internet model" 5. Application 4. Application 4. Transport 3. Transport 3. Network 3. Network (Internet) 2. Internet 2. Data Link 2. Data Link (Network Interface) 1. Link 1. Physical 1. Physical (Hardware) 8

9 Introduction to Network Protocols Communication System Models Communication System Models Host Layers Media Layers OSI Layer 7. Application 6. Presentation 5. Session 4. Transport TCP/IP Layer Various Five-layer TCP/IP models RFC 1122 "Four-layer Internet model" 5. Application 4. Application 4. Transport 3. Transport 3. Network 3. Network (Internet) 2. Internet 2. Data Link 2. Data Link (Network Interface) 1. Link 1. Physical 1. Physical (Hardware) 9

10 Introduction to Network Protocols Communication System Models Internet Protocol Suite (TCP/IP Stack RFC 1122) Layer Protocols DHCP, DNS, TFTP, TLS/SSL, FTP, Gopher, HTTP, IMAP, IRC, NNTP, POP3, SIP, SMTP, SMPP, SNMP, SSH, Telnet, Echo, RTP, PNRP, rlogin, 4. Application ENRP Routing protocols like BGP and RIP which run over TCP/UDP (May also be considered part of the Internet Layer) 3. Transport TCP, UDP, DCCP, SCTP, IL, RUDP, RSVP Text Source: Wikipedia.org IP (IPv4, IPv6), ICMP, IGMP, ICMPv6 2. Internet OSPF for IPv4 has been moved to the Link layer since RFC Link ARP, RARP, OSPF (IPv4/IPv6), IS-IS, NDP 10

11 Introduction to Network Protocols Communication System Models Internet Protocol Suite (TCP/IP Stack RFC 1122) Layer Protocols Today s Lecture Text Source: Wikipedia.org DHCP, DNS, TFTP, TLS/SSL, FTP, Gopher, HTTP, IMAP, IRC, NNTP, 4. Application POP3, Routing SIP, protocols SMTP, SMPP, like BGP SNMP, and RIP which run over TCP/UDP (May TCP, UDP, also be DCCP, considered SCTP, IL, part RUDP, of 3. Transport RSVP 2. Internet 1. Link IP (IPv4, IPv6), ICMP, IGMP, ICMPv6 OSPF for IPv4 has been moved to the Link layer since RFC 2740 ARP, RARP, OSPF (IPv4/IPv6), IS- IS, NDP DHCP (DNS MiM Attack) Encryption Authorization NAT ARP MiM Attack Firewalls 11

12 Introduction to Network Protocols Network Connections Network Connections Host A Router Router Host B Stack Connections Source: Wikipedia.org Application Transport Peer-to-peer Application Transport Internet Internet Internet Internet Link Link Link Link Ethernet Fiber, Satellite, etc. Ethernet 12

13 Introduction to Network Protocols Network Connections Network Connections Host A Router Router Host B Uses host names and IP addresses Uses IP addresses Application Transport Stack Connections Peer-to-peer Application Transport Uses IP addresses Internet Internet Internet Internet Ethernet Uses MAC addresses Link Link Link Link Source: Wikipedia.org Ethernet Fiber, Satellite, etc. Ethernet 13

14 Introduction to Network Protocols Data Encapsulation Application Data Encapsulation Layer Data Encapsulation in a UDP Datagram 4. Application Data Text Source: Wikipedia.org 3. Transport 2. Internet 1. Link Unreliablee Service: UDP datagram Frame Header IP Header UDP UDP Header IP Datagram Payload Frame Payload (Data and Padding, bytes) Payload (Datagram) (Datagram) Frame Footer 14

15 Introduction to Network Protocols Data Encapsulation Application Data Encapsulation Layer Data Encapsulation in a TCP Packet 4. Application Data Text Source: Wikipedia.org 3. Transport 2. Internet 1. Link Reliable Service: TCP/IP packet Frame Header IP Header TCP TCP Header Payload IP Datagram Payload Frame Payload (Data and Padding, bytes) (Segment) (Datagram) Frame Footer 15

16 Security in a LAN Hubs and Switches Security in a LAN With a Hub Network Hub All hosts see all traffic Desktop PC Desktop PC Desktop PC Desktop PC Desktop PC LAN (Local Area Network) 16

17 Security in a LAN Hubs and Switches Security in a LAN With a Hub Network Hub All hosts see all traffic This is not secure at all Desktop PC Desktop PC Desktop PC Desktop PC Desktop PC LAN (Local Area Network) 17

18 Security in a LAN Hubs and Switches LAN Hubs and Switches OSI Layer LAN Component Host Layers Media Layers 7. Application 6. Presentation Web-switch, Content-switch 5. Session 4. Transport 3. Network Multi-Layer Switch 2. Data Link Switch 1. Physical Hub (e.g. load balancing) 18

19 Security in a LAN Hubs and Switches Security in a LAN With a Switch Hosts only see traffic intended for them This is more secure, but not by much Network Switch ARP attacks can be used to capture traffic in switched networks Desktop PC Desktop PC Desktop PC Desktop PC Desktop PC 19

20 Security in a LAN Hubs and Switches Security in a LAN With a Switch Hosts only see traffic intended for them This is more secure, but not by much Network Switch ARP attacks can be used to capture traffic in switched networks Desktop PC Desktop PC Attacker Desktop PC Desktop PC 20

21 Security in a LAN APR Poisoning MiM on Two Hosts Man-in-the-Middle Attack on Two Hosts Compromising traffic between two hosts 21

22 Security in a LAN APR Poisoning MiM on Two Hosts ARP Man-in-the-Middle Attack (2 hosts) Computer A Who has IP ? ARP Request (broadcast) Computer B Attacker

23 Security in a LAN APR Poisoning MiM on Two Hosts ARP Man-in-the-Middle Attack (2 hosts) Computer A I have IP ARP Reply with MAC address of B Computer B A updates IP/MAC Cache Attacker

24 Security in a LAN APR Poisoning MiM on Two Hosts ARP Man-in-the-Middle Attack (2 hosts) Computer A Established Connection Computer B Attacker

25 Security in a LAN APR Poisoning MiM on Two Hosts ARP Man-in-the-Middle Attack (2 hosts) Computer A A updates IP/MAC Cache Forged ARP Reply with MAC address of Attacker Established Connection Attacker My IP address is Computer B

26 Security in a LAN APR Poisoning MiM on Two Hosts ARP Man-in-the-Middle Attack (2 hosts) Computer A My IP address is Established Connection Forged ARP Reply with MAC address of Attacker Computer B B updates IP/MAC Cache Attacker

27 Security in a LAN APR Poisoning MiM on Two Hosts ARP Man-in-the-Middle Attack (2 hosts) Computer A Computer B Compromised Connection Attacker

28 Security in a LAN APR Poisoning MiM on a Router MiM Attack on a Router Compromising traffic between all hosts in a local network and the outside world (e.g. Internet) 28

29 Security in a LAN APR Poisoning MiM on a Router Man-in-the-Middle Attack Router Internet (or remote LAN) LAN Computer A Computer B Attacker 29

30 Security in a LAN APR Poisoning MiM on a Router Man-in-the-Middle Attack Stage 1 IP/MAC Cache is updated and updating is disabled by attacker Router Internet (or remote LAN) LAN Computer A Computer B Many Forged ARP Requests with MAC address of Attacker who pretends to be all the computers in the LAN My IP is that of all A, B, C Attacker 30

31 Security in a LAN APR Poisoning MiM on a Router Man-in-the-Middle Attack Stage 1 Router Internet (or remote LAN) LAN Computer A Computer B Inbound Traffic Compromised Attacker 31

32 Security in a LAN APR Poisoning MiM on a Router Man-in-the-Middle Attack Stage 2 Router Internet (or remote LAN) LAN Computer A IP/MAC Cache of all computers is updated by attacker Computer B Many Forged ARP Requests With MAC address of Attacker who pretends to be the Router Inbound Traffic Compromised Attacker My IP is that of the Router 32

33 Security in a LAN APR Poisoning MiM on a Router Man-in-the-Middle Attack Router Internet (or remote LAN) LAN Computer A Computer B ALL Traffic Compromised Attacker 33

34 Security in a WLAN Introduction WLAN Intrusions The link-layer of wireless networks is open to intrusions. Common detection methods: Data-mining Statistical modeling Neural networks Genetic algorithms Signature based approaches... 34

35 Security in a WLAN Deauthentication Attack Deauthentication Attack 35

36 Security in a WLAN Deauthentication Attack Handshake Probe Request Probe Response Authentication Request Authentication Challenge Authentication Response Authentication Success Client Association Request Association Response Access Point Data Data Deauthentication Deauthentication 36

37 Security in a WLAN Deauthentication Attack Deauthentication Attack Data Client Intruder Data Deauthentication Access Point Deauthentication 37

38 Security in a WLAN Deauthentication Attack Goals of Deauthentication Attack DoS Attack: A flood of forged deauthentication frames causes some or all clients to disconnect from the AP even if they reconnect again. The WLAN is then essentially disabled WEP Cracking: In order to break the WEP encryption, the intruder forces the clients to deauthenticate so that it can observe authentication initialization vectors exchanged during reauthentication. 38

39 Security in a WLAN Deauthentication Attack Goals of Deauthentication Attack MiM Attack: The Man-in-the-Middle attack is performed by first forcing the clients to disconnect from an AP, and then using a fake WLAN with the same SSID. The traffic of clients that connected to the fake AP is then channeled through the intruder to steal data and credentials. 39

40 Security in LAN and WLAN Man-in-the Middle Attacks Man-in-the Middle Attacks Can use ARP, DNS, WiFi or other protocols Encrypted connections like SSH or HTTPS hijacked via fake public keys (fake identity) Goals of MiM attacks: Capture login names and passwords Record or hijack connections both in a LAN and to the outside world 40

41 Security in LAN and WLAN Man-in-the Middle Attacks Man-in-the Middle Attacks False feeling of security: Encrypted communication channels Switched networks Encrypted communications and switched networks do not protect us completely from MiM attacks! New: Quantum computers may soon decrypt secure connections that are captured now 41

42 Firewalls Server and Data Center Firewalls Security in a (Virtual) Data Center College of Electrical and Communication Engineering Server Administrators Network Interface (Administrative Access) Virtualization Server (Ubuntu Linux 8.04 Server) Secured Zone Server Hardware Monitoring Software Firewall Temperature of Processors & Main Board Disk Status Administrative Access to Servers Secure: ssh, ssl tunnels Convenient: Remote Desktop Protocol (Proposed and Tested by Dr. Rudolf Blazek) Virtualization Software (VirtualBox 1.6.2) Publicly Accessible Zone Unix user "firewall" Unix user "basic_services" OS: JeOS Ubuntu 8.04 Service: DNS, LDAP, etc. OS: JeOS Ubuntu 8.04 Service: Firewall for all services Virtual Server Unix user "opencms" Virtual Server OS: JeOS Ubuntu 8.04 Service: Web - College Content Management (OpenCms) Unix user "project_net" Virtual Server OS: JeOS Ubuntu 8.04 Service: College Project Management (Project.net) Unix user "svn" Virtual Server OS: JeOS Ubuntu 8.04 Service: Software Versioning System (Subversion) Unix user "xxx" OS: JeOS Ubuntu 8.04 / Windows Service: Any other desired services Virtual Server Virtual Server Public Access to Services No access to the main server during an intrusion. Network Interface (Public Access) Internet Software Disk Array RAID 0 Serial Console (UPS signals during power failure) Rack-Mounted UPS (Uninterrupted Power Supply) 42

43 Firewalls Server and Data Center Firewalls Virtual (Software) Firewall Software (VirtualBox 1.6.2) ible Zone Unix user "firewall" Virtual Server OS: JeOS Ubuntu 8.04 Service: Firewall for all services basic_services" untu 8.04, LDAP, etc. Virtual Server Firewall opencms" Virtual Server untu College Content Management (OpenCms) project_net" Virtual Server untu 8.04 ge Project Management (Project.net) svn" Virtual Server untu 8.04 ware Versioning System (Subversion) Firewall Firewall Firewall Public Access to Services No access to the main server during an intrusion. xxx" untu 8.04 / Windows other desired services Virtual Server Firewall 43

44 Firewalls LAN Firewalls Security in a LAN Internet Switch LAN (or remote LAN) Router WAN Firewall Switch (Wide Area Network) Switch Network Management I MI-MTI, ZS2011/12, Lecture 2 44

45 Firewalls LAN Firewalls Security in a LAN Internet CAN Switch LAN (or remote LAN) Router WAN Firewall Firewall Switch LAN Switch Firewall Firewall Network Management I LAN MI-MTI, ZS2011/12, Lecture 2 45

46 Firewalls Security Functions Firewall Security Requirements LAN Router/Switch Firewall WAN Protect the LAN from unwanted outside access and attacks Enable authorized access from the outside (preferably encrypted) Allow LAN hosts to communicate with the outside 46

47 Firewalls NAT Function Firewall s NAT LAN Router/Switch Firewall WAN Allow communication if the LAN uses private IP addresses Initiated in the LAN: NAT - Network Address Translation Private IP addresses Initiated in the WAN: DNAT - Destination network address translation (port forwarding) 47

48 Firewalls LAN Management Function LAN Management LAN WAN A basic requirement: Router/Switch Private IP addresses Firewall Assign IP addresses automatically to hosts DHCP: Dynamic Host Configuration Protocol 48

49 Firewalls Summary and Examples Firewalls Block unauthorized access Permit authorized communications Often provide NAT and DHCP Example: Basic residential routers Separate DHCP servers are used in large / secured LANs Software firewalls can be installed on a host to protect a single personal computer to protect each server behind a firewall for added security 49

50 Firewalls Summary and Examples Types of Firewalls Packet filter: inspects each packet and applies specified rules Application layer firewall: "understands" certain applications and protocols (FTP, DNS, web) Stateful filter: NAT: maintain sessions or network flows to detect out-of-place packets Provides basic fire-walling protection 50

51 Firewalls Summary and Examples Realistic Example of Packet Filter Rules Enable: NAT: DNAT: outgoing, established, and related connections management access from a selected IP address allow local hosts communicate with the Internet incoming HTTP and HTTPS connections on ports 80 and 443 forwarded to host (web access) incoming SSH connections on port 5427 forwarded to port 22 on host Block all other connections 51

52 Firewalls Summary and Examples Linux: iptables firewall Notice the backslashes!!! Otherwise you get disconnected right here! iptables --flush; \ iptables --flush -t nat; \ iptables --policy INPUT DROP; \ iptables --policy OUTPUT DROP; \ Allow new connections iptables --policy FORWARD DROP; \ out, but not in iptables -A OUTPUT -j ACCEPT -o lo; \ iptables -A INPUT -j ACCEPT -i lo; \ iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT; \ iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT; \ iptables -A INPUT -p tcp -m tcp -m multiport --dports 8080,22 -s j ACCEPT;\ Allow web and SSH management connections from a selected IP address 52

53 Firewalls Summary and Examples NAT via iptables NAT For Outgoing and Related Connections iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; \ iptables -A FORWARD -o eth0 -j ACCEPT; \ iptables -A FORWARD -i eth0 -j ACCEPT; \ DNAT Destination NAT Forward web connections to host iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --todestination :80 iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --todestination :443 iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport j DNAT --todestination :22 Enable SSH connections on port 5427 and forward them to port 22 of host

54 DHCP Introduction DHCP Dynamic Host Configuration Protocol Allows a computer in a LAN to be configured automatically: IP Address Gateway DNS Servers etc... Maintains a database for keeping track of connected computers 54

55 DHCP Message Encapsulation DHCP Message Encapsulation Layer DHCP Encapsulation in a UDP Datagram 4. Application DHCP Message Text Source: Wikipedia.org 3. Transport 2. Internet 1. Link Frame Header IP Header UDP UDP Header Payload IP Datagram Payload Frame Payload (Data and Padding, bytes) Frame Footer 55

56 DHCP Operation Phases Operation Phases: DHCP Discovery The client broadcasts messages on the physical subnet to discover available DHCP servers User Datagram Protocol (UDP) packet with the broadcast destination (or a specific subnet broadcast address) 56

57 DHCP Operation Phases Operation Phases: DHCP Offer A DHCP server receives an IP lease request Reserves an IP address for the client Sends a DHCPOFFER message to the client The message contains: The client's MAC address the offered IP address a subnet mask the lease duration and the IP address of the DHCP server 57

58 DHCP Operation Phases Operation Phases: DHCP Request The client can receive DHCP offers from multiple servers But it will accept only one DHCP offer It will broadcast a DHCP request message It contains a Transaction ID field identifying the server whose offer was accepted Other DHCP servers withdraw any offers and return the offered addresses to the pool Not sending the DHCP request may lead to a DoS attack 58

59 DHCP Operation Phases Operation Phases: DHCP Acknowledgement The server sends the client a DHCPPACK packet with: the lease duration any other configuration information the client requested. This completes the IP configuration process 59

60 Cryptography Introduction Encryption / Cryptography Source: Wikipedia.org 60

61 Cryptography Introduction Encryption / Cryptography A perfectly secure cryptographic system: Knowing the ciphertext reveals no more information than if you did not know it Requires keys as long as the message Different key must be used with each new encryption Not very practical. 61

62 Cryptography Ciphers Ciphers Source: Wikipedia.org 62

63 Cryptography Ciphers Classical Ciphers The ciphertext reveals a lot of statistical information about the plaintext It can often be used to break the ciphers via frequency analysis (9th century) Classical ciphers are now usually only used for puzzles in magazines 63

64 Cryptography Ciphers Modern Ciphers Two main approaches Symmetric-key (private-key) cryptography Asymmetric-key (public-key) cryptography Some Ciphers include Digital Rights Management (DRM) to authorize access Governments & military sometimes try to control encryption algorithm use & export 64

65 Cryptography Ciphers Symmetric (Private) Key The key must remain secret at both ends The key should be changed frequently (for each communication session) Management of key pairs is difficult 65

66 Cryptography Ciphers Asymmetric (Public) Key Messages encrypted with a public key can only be decrypted using a private key Only the private key must be kept secret The same private/public key pair may be used for many sessions Requires trusted certificate authorities Stored in the software (e.g. a web browser) Otherwise MiM attacks can be launched (attacker offers a public key with fake identity) 66

67 Cryptography Ciphers Popular Modern Symmetric-key Ciphers DES Data Encryption Standard (1976) Developed by IBM, but details kept secret by NSA (U.S. National Security Agency) AES Advanced Encryption Standard (NIST, 2001) Developed by the U.S. government Used worldwide (since DES is not secure) 67

68 Cryptography Ciphers Popular Modern Asymmetric-key Ciphers DSA Digital Signature Algorithm (NIST, 1991) A standard for digital signatures in the USA Developed by the US government RSA Rivest, Shamir, and Adleman (MIT, 1978) Can be used for both signing & encryption Considered secure with long keys 68

69 Cryptography Secure Protocols Main Secure Network Communication Protocols Secure Sockets Layer (SSL) Only version 3.0 is safe Transport Layer Security (TLS) Successor of SSL Encrypt content above the Transport Layer Use symmetric cryptography for privacy Allow authentication e.g. via client certificates Keyed message authentication for reliability 69

70 Cryptography Secure Protocols Internet Protocol Suite (TCP/IP Stack RFC 1122) Layer Protocols Today s Lecture Text Source: Wikipedia.org DHCP, DNS, TFTP, TLS/SSL, FTP, Gopher, HTTP, IMAP, IRC, NNTP, 4. Application POP3, Routing SIP, protocols SMTP, SMPP, like BGP SNMP, and RIP which run over TCP/UDP (May TCP, UDP, also be DCCP, considered SCTP, IL, part RUDP, of 3. Transport RSVP 2. Internet 1. Link IP (IPv4, IPv6), ICMP, IGMP, ICMPv6 OSPF for IPv4 has been moved to the Link layer since RFC 2740 ARP, RARP, OSPF (IPv4/IPv6), IS- IS, NDP DHCP (DNS MiM Attack) Encryption & Authorization NAT ARP MiM Attack Firewalls 70

71 Cryptography OpenSSL OpenSSL Implementation of SSL and TLS protocols Open source Available on most platforms Full-strength general purpose cryptography library 71

72 Cryptography OpenSSL OpenSSL: Generating Keys RSA Private/Public Key Pair (Size 2048 bits) Protected by password openssl genrsa -des3 -out privkey.pem 2048 Without password protection openssl genrsa -out privkey.pem 2048 DSA Private/Public Key Pair 2048 bits, with password openssl dsaparam -out dsaparam.pem 2048 openssl gendsa -des3 -out privkey.pem dsaparam.pem 72