APNIC Security Tutorial (as part of AFCEA Marianas Technet)


1 APNIC Security Tutorial (as part of AFCEA Marianas Technet)
Tamuning, Guam, 24 April 2014
Proudly Supported by:
Presenter: Sheryl Hermoso (Shane), Training Officer, APNIC
Sheryl held various roles as a Network and Systems Administrator before joining APNIC, starting her career as a Technical Support Assistant while studying at the University of the Philippines. She later worked as a Network Engineer, where she managed the DILNET network backbone and wireless infrastructure.
Areas of interest: IPv6, DNS/DNSSEC, Network Security, IRM
Contact: sheryl@apnic.net

2 Overview
- Introduction to Security
- Security on Different Layers and Attack Mitigation
- VPN and IPsec
- RPKI and Resource Certification
- How can APNIC help you?
- Security Management and Practices
Intro to Security: Attacks and Trends

3 Attack Trends - Breach Sources
- Aggregation, Infiltration, Exfiltration (Source: Trustwave 2012 Global Security Report)
Attack Trends
- Hacktivism and vandalism are the common DDoS attack motivations
- High-bandwidth DDoS attacks are the new normal
- First-ever IPv6 DDoS attacks were reported in 2011
- Trust issues across geographic boundaries
Source: Arbor Networks Worldwide Infrastructure Security Report, Volume VIII

4 Evolution of Attack Landscape
Chart axes: Attack Sophistication vs. Intruder Knowledge. Timeline labels from the chart: propagation of malicious code; stealth/advanced scanning techniques; widespread attacks using NNTP to distribute attack; DDoS attacks; increase in worms; sophisticated command & control; widespread attacks on DNS infrastructure; executable code attacks (against browsers); automated widespread attacks; GUI intruder tools; hijacking sessions; Internet social engineering attacks; packet spoofing; automated probes/scans; widespread denial-of-service attacks; techniques to analyze code for vulnerabilities without source code; anti-forensic techniques; home users targeted; distributed attack tools; increase in wide-scale Trojan horse distribution; Windows-based remote controllable Trojans (Back Orifice).
Threats, Risk and Vulnerability
- Threat: any circumstance or event with the potential to cause harm to a networked system (denial of service, unauthorized access, impersonation, worms, viruses)
- Vulnerability: a weakness in security procedures, network design, or implementation that can be exploited to violate a corporate security policy
- Risk: the possibility that a particular vulnerability will be exploited
- Risk analysis: the process of identifying security risks, determining their impact, and identifying areas requiring protection

5 Attack Motivation
- Criminal: criminals who use critical infrastructure as a tool to commit crime; their motivation is money
- War fighting / espionage / terrorist: what most people think of when talking about threats to critical infrastructure
- Patriotic / principle: large groups of people motivated by a cause, be it national pride or a passion (aka Anonymous)
Attack Motivation
- Nation states want SECRETS
- Organized criminals want MONEY
- Protesters or activists want ATTENTION
- Hackers and researchers want KNOWLEDGE
(copied from the NANOG60 keynote presentation by Jeff Moss, Feb 2014)

6 Common Types of Attack
- Ping sweeps and port scans: reconnaissance
- Sniffing: capturing packets as they travel through the network
- Man-in-the-middle attack: intercepts messages that are intended for a valid device
- Spoofing: sets up a fake device and tricks others into sending messages to it
- Hijacking: taking control of a session
- Denial of Service (DoS) and Distributed DoS (DDoS)
Attacks on Different Layers (OSI reference model alongside the TCP/IP model)
- Layer 7, Application (DNS, DHCP, HTTP, FTP, IMAP, LDAP, NTP, Radius, SSH, SMTP, SNMP, Telnet, TFTP): DNS poisoning, phishing, SQL injection, spam/scam
- Layer 5, Session (SMB, NFS, Socks)
- Layer 4, Transport (TCP, UDP): TCP attacks, routing attack, SYN flooding, sniffing
- Layer 3, Network / Internet (IPv4, IPv6, ICMP, IPsec): ping/ICMP flood
- Layer 2, Data Link / Network Access (PPTP, Token Ring): ARP spoofing, MAC flooding
- Layer 1, Physical

7 L2 Attacks - ARP Spoofing
Diagram: a client wants to connect to a host but does not know its MAC address, so it sends an ARP request. Two ARP replies come back: the real host answers "I am <host>, this is my MAC address", and the attacker answers "Wait, I am <host>!" with its own MAC. (MAC addresses in the diagram: AA-AA-AA-AA-AA-AA, BB-BB-BB-BB-BB-BB, CC-CC-CC-CC-CC-CC, DD-DD-DD-DD-DD-DD; the IP addresses were not captured in the transcription.) Since the client's ARP cache has already been poisoned, it will communicate directly with the fake destination.
L2 Attacks - DHCP
- DHCP starvation attack: broadcasting a vast number of DHCP requests with spoofed MAC addresses simultaneously; a DoS attack using DHCP leases. The attacker sends many different DHCP requests with many spoofed addresses, and the server runs out of IP addresses to allocate to valid users.
- Rogue DHCP server attacks
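The ARP spoofing scenario above is visible from the victim's side as two different MACs answering for the same IP. The following monitor, an added example that is not part of the tutorial, shows the detection logic over a constructed list of ARP replies (documentation addresses 192.0.2.x and the slide's placeholder MACs; the "real" gateway mapping is an assumption of the sample):

```python
"""Spot ARP cache poisoning from observed ARP replies (defender-side monitor)."""
from collections import defaultdict

# Constructed sample, not a real capture: (time in seconds, sender IP, sender MAC)
# as a host would see them in ARP replies on its segment.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.0.2.1", "AA-AA-AA-AA-AA-AA"),   # real gateway answers an ARP request
    (0.5, "192.0.2.20", "BB-BB-BB-BB-BB-BB"),
    (1.0, "192.0.2.1", "AA-AA-AA-AA-AA-AA"),
    (1.2, "192.0.2.1", "CC-CC-CC-CC-CC-CC"),   # a second station claims the gateway IP
    (2.0, "192.0.2.20", "BB-BB-BB-BB-BB-BB"),
    (2.1, "192.0.2.1", "CC-CC-CC-CC-CC-CC"),   # repeated to keep the victim's cache poisoned
]

def normalise_mac(mac):
    """Accept AA-AA-... or aa:aa:... and return the lower-case colon form."""
    return mac.replace("-", ":").lower()

def find_arp_conflicts(replies):
    """Return (first_seen, conflicts).

    first_seen maps each IP to the MAC first learned for it (what the ARP cache
    would hold); conflicts maps an IP to the list of (time, mac) replies that
    advertised a *different* MAC for the same IP, which is the "Wait, I am <host>!"
    reply from the slide's fake destination.
    """
    first_seen = {}
    conflicts = defaultdict(list)
    for ts, ip, mac in replies:
        mac = normalise_mac(mac)
        known = first_seen.setdefault(ip, mac)
        if known != mac:
            conflicts[ip].append((ts, mac))
    return first_seen, dict(conflicts)

def alerts(replies, critical_ips=("192.0.2.1",)):
    """Render one alert line per conflicting IP; the default gateway is rated critical
    because poisoning it lets the attacker sit in the path of all off-segment traffic."""
    _, conflicts = find_arp_conflicts(replies)
    lines = []
    for ip, seen in sorted(conflicts.items()):
        macs = sorted({mac for _, mac in seen})
        severity = "CRITICAL" if ip in critical_ips else "WARNING"
        lines.append(f"{severity}: {ip} answered by {len(macs)} extra MAC(s): {', '.join(macs)}")
    return lines

if __name__ == "__main__":
    for line in alerts(SAMPLE_ARP_REPLIES):
        print(line)
```

The same logic is what switch features such as dynamic ARP inspection apply per port; on a host, a static ARP entry for the gateway removes the cache's willingness to accept the second reply at all.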

8 L3 Attacks - Ping Flood
Diagram: Attacker -> Internet -> broadcast-enabled network -> Victim
Other forms of ICMP attack:
- Ping of death
- ICMP ping flood
Routing Attacks: attempts to poison the routing information
- Distance vector routing: announce 0 distance to all other nodes; blackhole traffic; eavesdrop
- Link state routing: can drop links randomly; can claim a direct link to any other router; a bit harder to attack than DV
- BGP attacks: ASes can announce an arbitrary prefix; ASes can alter the path

9 L4 Attacks - TCP Flooding / TCP Attacks
- Exploits the TCP 3-way handshake
- Attacker sends a series of SYN packets without replying with the ACK packet
- Finite queue size for incomplete connections
Diagram (normal handshake): Client -> SYN -> Server; Server -> SYN+ACK -> Client; Client -> ACK -> Server; CONNECTION ESTABLISHED.
Diagram (SYN flood): Attacker -> SYN -> Server (Victim); Server -> SYN+ACK -> Attacker; ACK? never arrives, so the server's OPEN CONNECTIONS queue fills with half-open entries.
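The "finite queue of incomplete connections" is what a defender watches. The tracker below is an added example, not part of the tutorial: it replays constructed handshake events (documentation addresses; the backlog size of 32 is an assumed model value, real kernels differ) and counts connections stuck after SYN+ACK per server.

```python
"""Count half-open TCP connections per server from handshake events."""
from collections import defaultdict

# Constructed events, not a capture: (src_ip, dst_ip, tcp_flags)
# "S" = SYN from client, "SA" = SYN+ACK from server, "A" = the client's final ACK.
SERVER = "203.0.113.10"
SAMPLE_EVENTS = [
    ("198.51.100.7", SERVER, "S"),
    (SERVER, "198.51.100.7", "SA"),
    ("198.51.100.7", SERVER, "A"),        # one legitimate, completed handshake
]
# forty SYNs from (spoofed) sources that never answer the SYN+ACK
for i in range(1, 41):
    SAMPLE_EVENTS.append((f"192.0.2.{i}", SERVER, "S"))
    SAMPLE_EVENTS.append((SERVER, f"192.0.2.{i}", "SA"))

def half_open_by_server(events):
    """Return {server: set(clients)} whose handshake is stuck after SYN+ACK.

    The server reserves a slot in its finite incomplete-connection queue when the
    SYN arrives and frees it when the client's ACK completes the handshake; entries
    still present at the end of the trace are half-open connections.
    """
    pending = defaultdict(set)
    for src, dst, flags in events:
        if flags == "S":
            pending[dst].add(src)
        elif flags == "A":
            pending[dst].discard(src)
        # "SA" is the server's own reply and does not change the queue state
    return {srv: clients for srv, clients in pending.items() if clients}

def syn_flood_suspects(events, backlog_limit=32):
    """Servers whose half-open count reaches the modelled backlog limit."""
    return sorted(srv for srv, clients in half_open_by_server(events).items()
                  if len(clients) >= backlog_limit)

if __name__ == "__main__":
    for srv, clients in half_open_by_server(SAMPLE_EVENTS).items():
        print(f"{srv}: {len(clients)} half-open connections")
    print("flood suspects:", syn_flood_suspects(SAMPLE_EVENTS))
```

In a real deployment the same counter would be read from the kernel (SYN_RECV sockets) rather than rebuilt from packets, and the response is to stop reserving queue state per SYN (SYN cookies) or to rate-limit at the edge.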

10 Attacks on SSL
- BEAST attack (2011): Browser Exploit Against SSL/TLS; CBC vulnerability discovered in 2002; fixed in TLS 1.1
- CRIME attack (2012): Compression Ratio Info-leak Made Easy; exploit against HTTP compression; fixed by disabling TLS compression
- BREACH attack (2013): Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext; presented at BlackHat 2013 (Aug); attacks HTTP responses using HTTP compression
- Heartbleed OpenSSL bug (March 2014)
Source:

11 iOS vulnerability (21 Feb 2014)
It appears that when using iOS's Secure Transport component to establish an encrypted connection using a raw IP address, the system does not check that the "common name" record (a hostname pattern, such as *.hetzner.de) in a server's SSL certificate matches the server's IP address (eg, ). More details at
The vulnerability affects both the iOS and OS X operating systems.
Some checks: curl -o blah 1
Application Layer Attacks
- Applications don't authenticate properly
- Authentication information in the clear: FTP, Telnet, POP
- DNS insecurity: DNS poisoning, DNS zone transfer
Are you sending your data in the clear?

12 Application Layer Attacks
- Scripting vulnerabilities
- Cookie poisoning
- Buffer overflow
- Hidden field manipulation
- Parameter tampering
- Cross-site scripting
- SQL injection
Application Layer DDoS: Slowloris
- Incomplete HTTP requests
- Properties: low bandwidth; keeps sockets alive; only affects certain web servers; doesn't work through load balancers; managed to work around accf_http

13 DNS Changer
- Criminals have learned that if they can control a user's DNS servers, they can control what sites the user connects to on the Internet.
- How: infect computers with malicious software (malware). This malware changes the user's DNS settings to those of the attacker's DNS servers, pointing the DNS configuration to resolvers in specific address blocks, which are then used for the criminal enterprise.
- For more: see the NANOG presentation by Merike
Rogue DNS Servers
- Six address ranges ("... through ...") were listed on the slide; the addresses were not captured in the transcription
- If your computer is configured with one of these DNS servers, it is most likely infected with DNSChanger malware
Are you using a trusted DNS server?

14 DNS Cache Poisoning
- Caching an incorrect resource record that did not originate from an authoritative DNS source
- Result: the connection (web, email, network) is redirected to another target controlled by the attacker
Diagram: (1) the client wants to access a website and asks the DNS caching server; (2) the caching server sends its query, with a query ID (QID), towards Root/GTLD and ns.example.com; the attacker, pretending to be the authoritative zone, answers with a stream of guessed QIDs (QID=64569, QID=64570, QID=64571, ...); when one guess matches the outstanding query ("match!") the forged record is cached and the client is sent to the attacker's web server instead of the real one.
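The "match!" step is where a caching server decides whether to trust an answer. The following added example, not from the tutorial, implements the resolver-side acceptance checks in real DNS wire format: a response is cached only if its transaction ID, the source port it arrives on and its question section all match a query the resolver actually sent. The `PendingQueries` class, the port-randomisation choice and the `make_response` helper (used only to construct test inputs) are the example's own.

```python
"""Resolver-side acceptance checks for DNS responses (the "match!" step on the slide)."""
import secrets
import struct

def encode_name(name):
    """Encode www.example.com as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1):
    """Return (qid, src_port, wire). QID and source port are drawn at random so a
    spoofer racing the authoritative server must guess both (about 2^32 combinations)
    instead of just the 16-bit QID shown on the slide."""
    qid = secrets.randbelow(1 << 16)
    port = 1024 + secrets.randbelow((1 << 16) - 1024)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    return qid, port, header + encode_name(name) + struct.pack("!HH", qtype, 1)

def make_response(qid, name, ipv4, qtype=1, ttl=60):
    """Build a minimal A-record response; used here only to construct test inputs."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1, one answer
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, ttl, len(rdata)) + rdata
    return header + question + answer

class PendingQueries:
    """Outstanding queries keyed by (QID, source port), as a caching server keeps them."""

    def __init__(self):
        self.outstanding = {}

    def send(self, name):
        qid, port, wire = build_query(name)
        self.outstanding[(qid, port)] = wire[12:]        # remember the question section
        return qid, port, wire

    def accept(self, wire, arrived_on_port):
        """Return the matched question bytes if the response may be cached, else None."""
        if len(wire) < 12:
            return None
        qid, flags, qdcount = struct.unpack("!HHH", wire[:6])
        if not flags & 0x8000 or qdcount != 1:
            return None                                   # not a response, or malformed
        expected = self.outstanding.get((qid, arrived_on_port))
        if expected is None:
            return None                                   # QID/port pair was never ours
        if not wire[12:].startswith(expected):
            return None                                   # question section does not match
        del self.outstanding[(qid, arrived_on_port)]      # first valid answer wins
        return expected
```

These checks raise the cost of blind guessing; they do not authenticate the data itself, which is what DNSSEC (mentioned later in the deck) adds.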

15 DNS Amplification
- A type of reflection attack combined with amplification
- The source of the attack is reflected off another machine
- The traffic received is bigger (amplified) than the traffic sent by the attacker
- The UDP packet's source address is spoofed
Diagram (DNS Amplification Attack): Attacker -> Compromised Machines (spoofed source IP) -> queries to the DNS recursive server (which resolves via Root/GTLD and ns.example.com) -> large responses delivered to the Victim Server

16 Open Resolvers
- DNS servers that answer recursive queries from any host on the Internet
- Check if you're running open resolvers; more statistics at
- For systems admins: are you running an open resolver?
Open Resolvers, as of 13 Apr 2014:
- 27,429,020 servers responded to the udp/53 probe
- 23,084,156 returned OK
Reference:
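An open resolver being abused for the amplification attack on the previous slide shows up in its own traffic accounting as a peer that sends a few small queries and receives far more bytes back. The analyser below is an added example, not from the tutorial, run over constructed flow records (documentation addresses; packet sizes and the 10x / 1 MB thresholds are assumptions of the sample):

```python
"""Flag DNS amplification from per-peer byte counts at a resolver's edge."""
from collections import defaultdict

# Constructed flow records, not real telemetry:
# (src_ip, dst_ip, dst_port, packets, bytes). Queries arrive at udp/53 on the
# resolver; answers leave the resolver for the (possibly spoofed) source address.
RESOLVER = "198.51.100.53"
SAMPLE_FLOWS = [
    ("203.0.113.5", RESOLVER, 53, 1200, 78_000),        # 1200 queries of ~65 bytes
    (RESOLVER, "203.0.113.5", 41000, 1200, 3_600_000),  # 1200 answers of ~3000 bytes
    ("192.0.2.9", RESOLVER, 53, 3, 210),                # an ordinary client
    (RESOLVER, "192.0.2.9", 50123, 3, 700),
]

def amplification_by_peer(flows, resolver):
    """Return {peer: (bytes_in, bytes_out, ratio)} for DNS traffic through the resolver.

    ratio = bytes sent to the peer / bytes received from it; this is the
    amplification factor the slide describes, measured rather than assumed.
    """
    bytes_in, bytes_out = defaultdict(int), defaultdict(int)
    for src, dst, dport, _pkts, nbytes in flows:
        if dst == resolver and dport == 53:
            bytes_in[src] += nbytes
        elif src == resolver:
            bytes_out[dst] += nbytes
    report = {}
    for peer in set(bytes_in) | set(bytes_out):
        i, o = bytes_in[peer], bytes_out[peer]
        report[peer] = (i, o, o / i if i else float("inf"))
    return report

def reflection_suspects(flows, resolver, min_ratio=10.0, min_bytes_out=1_000_000):
    """Peers receiving far more from us than they sent us: likely spoofed victims,
    which means the resolver is being used as a reflector."""
    return sorted(peer for peer, (_i, o, ratio) in amplification_by_peer(flows, resolver).items()
                  if ratio >= min_ratio and o >= min_bytes_out)

if __name__ == "__main__":
    for peer, (i, o, ratio) in sorted(amplification_by_peer(SAMPLE_FLOWS, RESOLVER).items()):
        print(f"{peer}: in={i} out={o} ratio={ratio:.1f}")
    print("suspects:", reflection_suspects(SAMPLE_FLOWS, RESOLVER))
```

The durable fix is the one the slide implies: stop answering recursive queries for hosts outside your own networks, and apply response rate limiting on servers that must stay reachable.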

17 Open NTP Project
- To check if you are running open NTP: ntpdc -n -c monlist; ntpq -c rv
- New effort similar to the Open Resolvers project
Wireless Attacks
- WEP: the first security mechanism for wireless networks
- Weaknesses in this protocol were discovered by Fluhrer, Mantin and Shamir, whose attacks became known as FMS attacks
- Tools were developed to automate WEP cracking
- Chopping attacks were released to crack WEP more effectively and faster
- Cloud-based WPA cracker
How secure is your wireless connectivity?

18 Botnet
- Collection of compromised computers (or "bots")
- Computers are targeted by malware (malicious software)
- Once controlled, an attacker can use the compromised computer via standards-based network protocols such as IRC and HTTP
- How to become a bot: drive-by downloads (malware); going to malicious websites (exploits web browser vulnerabilities); running malicious programs (Trojans) from websites or as attachments
Are you aware if your machine has been compromised?
Password Cracking
- Dictionary attacks: guessing passwords using a file of 1M possible password values (ordinary words and people's names); an offline dictionary attack is one where the entire password file has been attacked. Countermeasure: use random characters as a password, with varying upper and lower case, numbers, and symbols.
- Brute-force attacks: checking all possible values until the password has been found; the resources needed for this attack grow exponentially with the key size
- Social engineering
Do you use secure passwords?

19 Pharming and Phishing
- Phishing: victims are redirected to a fake website that looks genuine. When the victim supplies his account and password, the attacker can use them on the target site. Typically uses fraudulent emails with clickable links to fake websites.
- Pharming: redirects a website's traffic to another, fake site by changing the victim's DNS settings or hosts file
Do you click every link you receive in an email?
Questions

20 Layered Approach to Security: Attack Mitigation
Goals of Information Security
- Confidentiality: prevents unauthorized use or disclosure of information
- Integrity: safeguards the accuracy and completeness of information
- Availability: authorized users have reliable and timely access to information

21 Access Control
- The ability to permit or deny the use of an object by a subject
- It provides 3 essential services: authentication (who can log in), authorization (what authorized users can do), accountability (identifies what a user did)
Authentication
- A means to verify or prove a user's identity
- The term "user" may refer to a person, an application or process, or a machine or device
- Identification comes before authentication: provide a username to establish the user's identity
- To prove identity, a user must present one of the following: what you know (passwords, passphrase, PIN); what you have (token, smart cards, passcodes, RFID); who you are (biometrics such as fingerprints and iris scan, signature or voice)

22 Trusted Network
- Standard defensive-oriented technologies: firewall (first line of defense); intrusion detection (second line of defense)
- Build TRUST on top of the TCP/IP infrastructure: strong authentication; two-factor authentication (something you have + something you know); Public Key Infrastructure (PKI)
Two-factor Authentication
- Requires a user to provide at least two authentication factors to prove his identity
- Something you know: username/userID and password
- Something you have: a token using a one-time password (OTP). The OTP is generated using a small electronic device in the physical possession of the user; a different OTP is generated each time and expires after some time. An alternative is an application installed on your mobile device.
- Multi-factor authentication is also common

23 Authorization
- Defines the user's rights and permissions on a system
- Typically done after the user has been authenticated
- Grants a user access to a particular resource and defines what actions he is permitted to perform on that resource
- Access criteria based on the level of trust: roles, groups, location, time, transaction type
Authentication vs. Authorization
Diagram: Client -> Authentication Mechanism -> Authorization Mechanism -> Service
- Authentication simply identifies a party; authorization defines whether they can perform a certain action
RFC

24 Accountability
- The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity
- Senders cannot deny sending information; receivers cannot deny receiving it; users cannot deny performing a certain action
- Supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action
Source: NIST Risk Management Guide for Information Technology Systems
Security on Different Layers (attacks and countermeasures per layer)
- Layer 7, Application (DNS, DHCP, HTTP, FTP, IMAP, LDAP, NTP, Radius, SSH, SMTP, SNMP, Telnet, TFTP): DNS poisoning, phishing, SQL injection, spam/scam; countermeasures: HTTPS, DNSSEC, PGP, S/MIME
- Layer 5, Session (SMB, NFS, Socks)
- Layer 4, Transport (TCP, UDP): TCP attacks, routing attack, SYN flooding, sniffing; countermeasures: TLS, SSL, SSH
- Layer 3, Network (IPv4, IPv6, ICMP, IPsec): ping/ICMP flood; countermeasure: IPsec
- Layer 2, Data Link (ARP, Token Ring): ARP spoofing, MAC flooding; countermeasures: IEEE 802.1X, PPP & PPTP
- Layer 1, Physical

25 VPN Protocols
- PPTP (Point-to-Point Tunneling Protocol): developed by Microsoft to secure dial-up connections; operates in the data-link layer
- L2F (Layer 2 Forwarding Protocol): developed by Cisco; similar to PPTP
- L2TP (Layer 2 Tunneling Protocol): IETF standard; combines the functionality of PPTP and L2F
- IPsec (Internet Protocol Security): open standard for VPN implementation; operates on the network layer
Network Layer Security - IPsec
- IETF standard that enables encrypted communication between peers across the Internet
- Consists of open standards for securing private communications
- Network layer encryption ensuring data confidentiality, integrity, and authentication
- Scales from small to very large networks

26 Pretty Good IPsec Policy
IKE Phase 1 (aka ISAKMP SA or IKE SA or Main Mode):
- 3DES (AES-192 if both ends support it)
- Lifetime 8 hours (= 480 min = sec)
- SHA-2 (256-bit keys)
- DH Group 14 (aka MODP# 14)
IKE Phase 2 (aka IPsec SA or Quick Mode):
- 3DES (AES-192 if both ends support it)
- Lifetime 1 hour (= 60 min = 3600 sec)
- SHA-2 (256-bit keys)
- PFS 2
- DH Group 14 (aka MODP# 14)
Receiving Prefixes
- There are three scenarios for receiving prefixes from other ASNs: a customer talking BGP; a peer talking BGP; an upstream/transit talking BGP
- Each has different filtering requirements and needs to be considered separately

27 Receiving Prefixes: From Customers
- ISPs should only accept prefixes which have been assigned or allocated to their downstream customer
- If the ISP has assigned address space to its customer, then the customer IS entitled to announce it back to the ISP
- If the ISP has NOT assigned address space to its customer, then check in the five RIR databases to see if this address space really has been assigned to the customer: the Legitimacy of Address (LoA) check
- The tool: whois -h jwhois.apnic.net x.x.x.0/24 (jwhois queries all RIR databases)
Receiving Prefixes: From Customers
Example use of whois to check if a customer is entitled to announce address space:

  $ whois -h whois.apnic.net 2406:6400::/32
  inet6num:     2406:6400::/32
  netname:      APNIC-AP
  descr:        Asia Pacific Network Information Centre
  descr:        Regional Internet Registry for the Asia-Pacific
  descr:        6 Cordelia Street
  descr:        South Brisbane, QLD 4101
  descr:        Australia
  country:      AU
  admin-c:      AIC1-AP
  tech-c:       NO4-AP
  mnt-by:       APNIC-HM
  mnt-irt:      IRT-APNIC-AP
  changed:      hm-changed@apnic.net
  status:       ASSIGNED PORTABLE
  changed:      hm-changed@apnic.net
  source:       APNIC

"ASSIGNED PORTABLE" means it is an assignment to the customer, so the customer can announce it to you.

28 Receiving Prefixes: From Peers
- A peer is an ISP with whom you agree to exchange prefixes you originate into the Internet routing table
- Prefixes you accept from a peer are only those they have indicated they will announce
- Prefixes you announce to your peer are only those you have indicated you will announce
- Agreeing what each will announce to the other: exchange of documentation as part of the peering agreement, and then ongoing updates; OR use of the Internet Routing Registry and configuration tools such as the IRRToolSet

29 Receiving Prefixes: From Upstream
- An upstream/transit provider is an ISP who you pay to give you transit to the WHOLE Internet
- Receiving prefixes from them is not desirable unless really necessary
- Ask the upstream/transit provider to either originate a default route OR announce one prefix you can use as default
SSL/TLS
- The most widely-used protocol for security
- Encrypts the segments of network connections above the transport layer
SSL and TLS
- SSL v3.0 specified in an I-D in 1996 (draft-freier-ssl-version3-02.txt)
- TLS v1.0 specified in RFC 2246 in 1999; TLS v1.0 = SSL v3.1
- TLS v1.1 in 2006
- TLS v1.2 in 2008
Goals of the protocol: secure communication between applications; data encryption; server authentication; message integrity; client authentication (optional)

30 Benefits of TLS
- Application-layer independent: it can be implemented with any application, and a wide range of applications support it
- SSL makes use of both asymmetric and symmetric key cryptography, for performance reasons: only the initial "client key exchange" message is encrypted with asymmetric encryption; symmetric encryption is better in terms of performance/speed
- Uses X.509 certificates (certificates and Public Key Infrastructure)
- The SSL protocol layer sits on top of TCP (transport layer) and below the application layer, so no network infrastructure changes are required to deploy SSL
- Each connection made through SSL has its own session information; a session can also be reused or resumed for other connections to the server
SSL Protocol Building Blocks
- SSL is a combination of a primary Record Protocol with four client protocols: SSL Handshake Protocol, SSL Alert Protocol, SSL Change Cipher Spec Protocol and Application Data Protocol, all carried by the SSL Record Protocol

31 Applications Using SSL/TLS
Table of protocol-defined port number vs. SSL/TLS port number for HTTP, NNTP, LDAP, FTP-data, FTP-control, Telnet, IMAP, POP and SMTP (the port numbers were not captured in the transcription)
Public Key Infrastructure
- Combines public key cryptography and digital signatures to ensure confidentiality, integrity, authentication, nonrepudiation, and access control
- Digital certificate: the basic element of PKI; a secure credential that identifies the owner
- Basic components: Certificate Authority (CA), Registration Authority (RA), Repository, Archive

32 Secure Shell Protocol (SSH)
- Protocol for secure remote login
- Provides support for secure remote login, secure file transfer, and secure forwarding of TCP/IP and X Window System traffic
- Consists of 3 major components: transport layer protocol (server authentication, confidentiality, integrity); user authentication protocol (authenticates the client to the server); connection protocol (multiplexes the encrypted tunnel into several logical channels)
Application Layer Security
- HTTPS
- PGP (Pretty Good Privacy)
- S/MIME (Secure Multipurpose Internet Mail Extensions)
- TSIG and DNSSEC
- Wireless encryption: WEP, WPA, WPA2

33 HTTPS (Hypertext Transfer Protocol Secure)
- Widely-used, message-oriented communications protocol
- Connectionless-oriented protocol
- Technically not a protocol in itself, but simply layering HTTP on top of the SSL/TLS protocol
- Encapsulates data after the security properties of the session are established
- Not to be confused with S-HTTP
- Note: a website must use HTTPS everywhere, otherwise it is still vulnerable to some attacks
Pretty Good Privacy (PGP)
- Stands for Pretty Good Privacy, developed by Phil Zimmermann in 1995
- PGP is a hybrid cryptosystem: it combines some of the best features of both conventional and public key cryptography
- Assumptions: all users are using public key cryptography and have generated private/public key pairs (using RSA or ElGamal); all users also use a symmetric key system (DES or Rijndael)
- Offers authentication, confidentiality, compression, compatibility and segmentation

34 PGP - Trust
- Centralized / hierarchical trust, where certain globally trusted bodies sign keys for everyone else
- Decentralized webs of trust, where you pick whom you trust yourself, and decide if you trust who those people trust in turn
- Which works better, and for what reasons?
Key management: partying
- Key signing parties are ways to build webs of trust
- Each participant carries identification, as well as a copy of their key fingerprint (maybe some $ as well :) )
- Each participant decides if they're going to sign another key based on their personal policy
- Keys are easiest kept in a keyring on an OpenPGP keyserver in the aftermath of the party

35 VPN and IPsec
Virtual Private Networks
- Creates a secure tunnel over a public network
- Any VPN is not automagically secure. You need to add security functionality to create secure VPNs. That means using firewalls for access control and probably IPsec or SSL/TLS for confidentiality and data origin authentication.

36 VPN Protocols
- PPTP (Point-to-Point Tunneling Protocol): developed by Microsoft to secure dial-up connections; operates in the data-link layer
- L2F (Layer 2 Forwarding Protocol): developed by Cisco; similar to PPTP
- L2TP (Layer 2 Tunneling Protocol): IETF standard; combines the functionality of PPTP and L2F
- IPsec (Internet Protocol Security): open standard for VPN implementation; operates on the network layer
Other VPN Implementations
- MPLS VPN: used for large and small enterprises; pseudowire, VPLS, VPRN
- GRE tunnel: packet encapsulation protocol developed by Cisco; not encrypted; implemented together with IPsec
- L2TP/IPsec: uses the L2TP protocol, usually implemented along with IPsec; IPsec provides the secure channel, while L2TP provides the tunnel

37 What is IPsec?
- IETF standard that enables encrypted communication between peers across the Internet
- Consists of open standards for securing private communications
- Network layer encryption ensuring data confidentiality, integrity, and authentication
- Scales from small to very large networks
What Does IPsec Provide?
- Confidentiality: many algorithms to choose from
- Data integrity and source authentication: data is signed by the sender and the signature verified by the recipient; modification of data can be detected by signature verification; because the signature is based on a shared secret, it gives source authentication
- Anti-replay protection: optional; the sender must provide it but the recipient may ignore it
- Key management: IKE session negotiation and establishment; sessions are rekeyed or deleted automatically; secret keys are securely established and authenticated; the remote peer is authenticated through varying options

38 Different Layers of Encryption
Diagram (source to destination): application layer (SSL, PGP, SSH, HTTPS); network layer (IPsec); link layer encryption
Relevant Standard(s)
IETF-specific:
- RFC 2409: IKEv1
- RFC 4301: IPsec Architecture (updated)
- RFC 4303: IPsec ESP (updated)
- RFC 4306: IKEv2
- RFC 4718: IKEv2 Clarifications
- RFC 4945: IPsec PKI Profile
IPv6 and IPsec:
- RFC 4294: IPv6 Node Requirements
- RFC 4552: Authentication/Confidentiality for OSPFv3
- RFC 4877: Mobile IPv6 Using IPsec (updated)
- RFC 4891: Using IPsec to secure IPv6-in-IPv4 Tunnels

39 IPsec Modes
- Tunnel mode: the entire IP packet is encrypted and becomes the data component of a new (and larger) IP packet; frequently used in an IPsec site-to-site VPN
- Transport mode: the IPsec header is inserted into the IP packet; no new packet is created; works well in networks where increasing a packet's size could cause an issue; frequently used for remote-access VPNs
Tunnel vs. Transport Mode IPsec
- Without IPsec: IP Header | TCP Header | Payload
- Transport mode IPsec: IP Header | IPsec Header | TCP Header | Payload
- Tunnel mode IPsec: New IP Header | IPsec Header | IP Header | TCP Header | Payload

40 Transport vs Tunnel Mode
Diagram: TFTP, routing updates and file transfers protected end-to-end between hosts (transport mode) or between gateways on behalf of the hosts (tunnel mode)
- Transport mode: end systems are the initiator and recipient of protected traffic
- Tunnel mode: gateways act on behalf of hosts to protect traffic
IPsec Architecture
- AH: Authentication Header
- ESP: Encapsulating Security Payload
- IKE: the Internet Key Exchange
- IPsec Security Policy

41 Security Associations (SA)
- A collection of parameters required to establish a secure session
- Uniquely identified by three parameters: Security Parameter Index (SPI); IP destination address; security protocol (AH or ESP) identifier
- An SA is unidirectional: two SAs are required for bidirectional communication
- A single SA can be used for AH or ESP, but not both: you must create two (or more) SAs for each direction if using both AH and ESP
Authentication Header (AH) - DEPRECATED
- Provides source authentication and data integrity
- Protection against source spoofing and replay attacks
- Authentication is applied to the entire packet, with the mutable fields in the IP header zeroed out
- If both AH and ESP are applied to a packet, AH follows ESP
- Operates on top of IP using protocol 51
- In IPv4, AH protects the payload and all header fields except mutable fields and IP options (such as the IPsec option)

42 Encapsulating Security Payload (ESP)
- Uses IP protocol 50
- Provides all that is offered by AH, plus data confidentiality
- Uses symmetric key encryption
- Must encrypt and/or authenticate each packet
- Encryption occurs before authentication
- Authentication is applied to data in the IPsec header as well as the data contained as payload
IPv4 IPsec AH
- IPv4 AH transport mode. Before applying AH: Original IP Header | TCP/UDP | Data. After applying AH: Original IP Header | AH Header | TCP/UDP | Data. Authenticated except for the mutable fields in the IP header (ToS, TTL, header checksum, offset, flags).
- IPv4 AH tunnel mode. Before applying AH: Original IP Header | TCP/UDP | Data. After applying AH: New IP Header | AH Header | Original IP Header | Data. Authenticated except for the mutable fields in the new IP header (ToS, TTL, header checksum, offset, flags).

43 IPv4 IPsec ESP
- IPv4 ESP transport mode. Before applying ESP: Original IP Header | TCP/UDP | Data. After applying ESP: Original IP Header | ESP Header | TCP/UDP | Data | ESP Trailer | ESP Auth. Encrypted: TCP/UDP through ESP Trailer; authenticated: ESP Header through ESP Trailer.
- IPv4 ESP tunnel mode. Before applying ESP: Original IP Header | TCP/UDP | Data. After applying ESP: New IP Header | ESP Header | Original IP Header | TCP/UDP | Data | ESP Trailer | ESP Auth. Encrypted: Original IP Header through ESP Trailer; authenticated: ESP Header through ESP Trailer.
ESP Header Format
Fields in order: Security Parameter Index (SPI) | Sequence Number | Initialization Vector (IV) | Payload Data (variable) | Padding (0-255 bytes) | Padding Length | Next Header | Authentication Data (ICV). The IV through Next Header fields are the ENCRYPTED part.
- SPI: arbitrary 32-bit number that specifies the SA to the receiving device
- Seq #: starts at 1 and must never repeat; the receiver may choose to ignore it
- IV: used to initialize the CBC mode of an encryption algorithm
- Payload Data: encrypted IP header, TCP or UDP header and data
- Padding: used for encryption algorithms which operate in CBC mode
- Padding Length: number of bytes added to the data stream (may be 0)
- Next Header: the type of protocol from the original header which appears in the encrypted part of the packet
- Auth Data: the ICV is a digital signature over the packet and varies in length depending on the algorithm used (SHA-1, MD5)
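Only the SPI and the sequence number of an ESP packet are readable before decryption, and those two fields are exactly what the receiver needs to pick the SA (slide 41) and to apply the optional anti-replay protection (slide 37). The following added example, not code from the tutorial or any IPsec implementation, parses that clear-text header from constructed packets and runs the sliding anti-replay window of RFC 4303; the packet builder, the 64-entry window size and the "ICV is valid when the SPI matches" stand-in for real integrity checking are assumptions of the example.

```python
"""Parse the clear-text ESP header and apply the anti-replay window (RFC 4303)."""
import struct

ESP_HEADER = struct.Struct("!II")      # SPI, Sequence Number: the only unencrypted fields

def parse_esp(packet):
    """Return (spi, seq, rest); rest = IV + encrypted payload/padding/next header + ICV."""
    if len(packet) < ESP_HEADER.size:
        raise ValueError("ESP packet shorter than SPI + sequence number")
    spi, seq = ESP_HEADER.unpack_from(packet)
    return spi, seq, packet[ESP_HEADER.size:]

class ReplayWindow:
    """Sliding window over the last `size` sequence numbers of one inbound SA."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set  ==>  sequence number (top - i) was accepted

    def accept(self, seq, icv_valid):
        """Return True if `seq` is new and the ICV verified; only then update the window.

        The window check runs first so duplicates are dropped before the costly ICV
        check, but the window moves only for authenticated packets: otherwise a
        spoofed high sequence number could slide it past legitimate traffic.
        """
        if seq == 0:
            return False                          # 0 is never valid on an ESP SA
        if seq <= self.top:
            offset = self.top - seq
            if offset >= self.size or self.bitmap & (1 << offset):
                return False                      # too old, or already seen
        if not icv_valid:
            return False
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        return True

def make_esp_packet(spi, seq, payload=b"\x00" * 32):
    """Constructed ESP packet for the example: header + 16-byte IV + ciphertext + 12-byte ICV."""
    return ESP_HEADER.pack(spi, seq) + b"\x11" * 16 + payload + b"\xee" * 12

def process(packets, spi_expected, window=None):
    """Run packets of one SA through the window. The ICV is *simulated* as valid
    when the SPI matches the SA; a real receiver would verify the MAC over the packet."""
    window = window or ReplayWindow()
    results = []
    for pkt in packets:
        spi, seq, _rest = parse_esp(pkt)
        results.append((seq, window.accept(seq, icv_valid=(spi == spi_expected))))
    return results

if __name__ == "__main__":
    pkts = [make_esp_packet(0x1234ABCD, s) for s in (1, 2, 3, 2, 5, 4, 4, 100, 30, 0)]
    for seq, ok in process(pkts, 0x1234ABCD):
        print(f"seq={seq:<4} {'accepted' if ok else 'dropped'}")
```

Sequence numbers may arrive out of order (4 after 5 is fine); what the window refuses is a repeat of a number it has already verified and anything that has fallen more than 64 behind the highest verified number.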

44 Internet Key Exchange (IKE)
- An IPsec component used for performing mutual authentication and establishing and maintaining Security Associations (RFC 5996)
- Typically used for establishing IPsec sessions
- A key exchange mechanism
- Five variations of an IKE negotiation: two modes (aggressive and main modes) and three authentication methods (pre-shared, public key encryption, and public key signature)
- Uses UDP port 500
IKE Modes
- Main mode: three exchanges of information between IPsec peers. The initiator sends one or more proposals to the other peer (responder) and the responder selects a proposal; Diffie-Hellman (DH) key exchange; establish the ISAKMP session.
- Aggressive mode: achieves the same result as main mode using only 3 packets. The first packet, sent by the initiator, contains all the info to establish the SA; the second packet, from the responder, carries all the security parameters selected; the third packet finalizes authentication of the ISAKMP session.
- Quick mode: negotiates the parameters for the IPsec session. The entire negotiation occurs within the protection of the ISAKMP session.

45 Internet Key Exchange (IKE)
- Phase I: establish a secure channel (ISAKMP SA), using either main mode or aggressive mode; authenticate computer identity using certificates or a pre-shared secret
- Phase II: establishes a secure channel between computers intended for the transmission of data (IPsec SA), using quick mode
IPsec with IKE
1. Traffic which needs to be protected is recognized as requiring IPsec protection
2. IKE Phase 1: the IPsec peers authenticate using a pre-shared key or a digital certificate and set up a secure communication channel
3. IKE Phase 2: the IPsec tunnel is established for the secured traffic exchange
4. Secured communications

46 IPsec IKE Phase 1 Uses DH Exchange
- First public key algorithm (1976)
- Diffie-Hellman is a key establishment algorithm
- Two parties in a DH exchange can generate a shared secret
- There can even be N-party DH exchanges where N peers can all establish the same secret key
- Diffie-Hellman can be done over an insecure channel
- IKE authenticates a Diffie-Hellman exchange with a pre-shared secret, a nonce (RSA signature) or a digital signature
IKE Phase 1 Main Mode (initiator and responder across the Internet)
1. Negotiate IKE policy: IKE message 1 (SA proposal); IKE message 2 (accepted SA)
2. Authenticated DH exchange: IKE message 3 (DH public value, nonce); IKE message 4 (DH public value, nonce)
3. Compute the DH shared secret and derive keying material
4. Protect IKE peer identity: IKE message 5 (authentication material, ID); IKE message 6 (authentication material, ID); both encrypted

47 IKE Phase 2 Quick Mode
1. Initiator sends message 1 (authentication/keying material and SA proposal)
2. Responder validates message 1
3. Responder sends message 2 (authentication/keying material and accepted SA)
4. Initiator validates message 2
5. Initiator sends message 3 (hash for proof of integrity/authentication)
6. Responder validates message 3
7. Compute keying material
IKE v2: Replacement for the Current IKE Specification
- Feature preservation: most features and characteristics of the baseline IKE v1 protocol are being preserved in v2
- Compilation of features and extensions: quite a few features that were added on top of the baseline IKE protocol functionality in v1 are being reconciled into the mainline v2 framework
- Some new features

48 IKE v2: What Is Not Changing
- Features in v1 that have been debated but are ultimately being preserved in v2: most payloads reused; use of nonces to ensure uniqueness of keys
- v1 extensions and enhancements being merged into the mainline v2 specification: use of a configuration payload similar to MODECFG for address assignment; X-auth type functionality retained through EAP; use of NAT discovery and NAT traversal techniques
IKE v2: What Is Changing
Significant changes to the baseline functionality of IKE:
- EAP adopted as the method to provide legacy authentication integration with IKE
- Adds standard mobility support through MOBIKE
- Ability to detect whether the tunnel is still alive or not (liveness check)
- Incorporation of NAT traversal
- DoS attack resilience: check if the source actually exists

49 How Does IKE v2 Work?
IKE_SA_INIT (Two Messages): IKE_SA authentication parameters negotiated
IKE_AUTH (Two Messages): IKE authentication occurs and one CHILD_SA created
CREATE_CHILD_SA (Two Messages): second CHILD_SA created
Protected Data

Non-Vendor Specific Deployment Issues
Historical Perception: configuration nightmare; not interoperable
Performance Perception: need empirical data; where is the real performance hit?
Standards Need Cohesion

50 Vendor Specific Deployment Issues
Lack of interoperable defaults
A default does NOT mandate a specific security policy
Defaults can be modified by end users
Configuration complexity
Too many knobs
Vendor-specific terminology
Good News: IPv6 support in most current implementations

Pretty Good IPsec Policy
IKE Phase 1 (aka ISAKMP SA or IKE SA or Main Mode)
3DES (AES-192 if both ends support it)
Lifetime (8 hours = 480 min = sec)
SHA-2 (256 bit keys)
DH Group 14 (aka MODP# 14)
IKE Phase 2 (aka IPsec SA or Quick Mode)
3DES (AES-192 if both ends support it)
Lifetime (1 hour = 60 min = 3600 sec)
SHA-2 (256 bit keys)
PFS 2
DH Group 14 (aka MODP# 14)

51 Sample Router Configuration
! Phase 1 SA
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
crypto isakmp key Training123 address <peer-address>
!
! Phase 2 SA: encryption and authentication
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map LAB-VPN 10 ipsec-isakmp
 match address 101
 set transform-set ESP-AES-SHA
 set peer <peer-address>

Sample Router Configuration (continued)
! Apply on outbound interface
interface fa 0/1
 crypto map LAB-VPN
 exit
!
! Define interesting VPN traffic
access-list 101 permit ip <local-network> <wildcard> <remote-network> <wildcard>

52 Help With Configuring IPsec
Documents for Cisco IPsec configuration:
technologies_configuration_example09186a f73.shtml
technologies_configuration_example09186a f86.shtml
Document for Juniper IPsec configuration:

Capture: Telnet

53 Capture: Telnet + IPsec

Public Key Infrastructure

54 Public Key Infrastructure
Framework that builds the network of trust
Combines public key cryptography and digital signatures to ensure confidentiality, integrity, authentication, non-repudiation, and access control
Protects applications that require a high level of security

Functions of a PKI
Registration
Initialization
Certification
Key pair recovery
Key generation
Key update
Cross-certification
Revocation

55 Public Key Infrastructure

Components of a PKI
Certificate authority: the trusted third party; trusted by both the owner of the certificate and the party relying upon the certificate
Validation authority
Registration authority: for big CAs, a separate RA might be necessary to take some work off the CA; identity verification and registration of the entity applying for a certificate
Central directory

56 Certificates
Public key certificates bind public key values to subjects
A trusted certificate authority (CA) verifies the subject's identity and digitally signs each certificate
Validates
Has a limited valid lifetime
Can be distributed over untrusted communications and can be cached in unsecured storage, because a client can independently check the certificate's signature
Certificate is NOT equal to signature: it is implemented using a signature
Certificates are static: if there are changes, the certificate has to be re-issued

Digital Certificate
Digital certificate: basic element of PKI; secure credential that identifies the owner
Also called public key certificate
Certificate examples: X.509 (standard); PGP (Pretty Good Privacy)

57 Every certificate contains
Body of the certificate: version number, serial number, names of the issuer and subject; public key associated with the subject; expiration date (not before, not after); extensions for additional attributes
Signature algorithm: used by the CA to sign the certificate
Signature: created by applying the certificate body as input to a one-way hash function; the output value is encrypted with the CA's private key to form the signature value

Digital Certificate Lifecycle
Key pair generated -> certificate issued -> certificate valid and in use -> recertify
Certificate valid and in use -> private key compromised -> certificate revoked
Certificate valid and in use -> certificate expires -> keypair expired
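To make the body/hash/signature relationship on this slide concrete, here is an added example (not code from the tutorial or from any CA product) that builds a certificate body, signs its hash with a CA private key and verifies it with the CA public key. It uses textbook RSA with tiny, deterministic demonstration primes and no padding so that every step is visible; the subject names, serial and dates are constructed, and real CAs use 2048-bit or larger keys and PKCS#1 or ECDSA signatures from a crypto library.

```python
"""Certificate body, one-way hash and CA signature, end to end.

Added example (not from the tutorial). Textbook RSA with tiny, deterministic
demonstration primes and no padding keeps every step visible; real CAs use
2048-bit+ keys and PKCS#1 or ECDSA signatures through a crypto library.
"""
import hashlib
import json
from typing import Dict, Tuple

Key = Tuple[int, int]   # (modulus n, exponent)


def _is_prime(n: int) -> bool:
    """Trial division; fine for the million-range toy primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def make_keypair(start: int) -> Tuple[Key, Key]:
    """Deterministic toy RSA key from the two primes at or above `start`.
    Returns (public (n, e), private (n, d)). Constructed, insecure sizes."""
    p = start
    while not _is_prime(p):
        p += 1
    q = p + 1
    while not _is_prime(q):
        q += 1
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def certificate_body(subject: str, issuer: str, serial: int, subject_key: Key,
                     not_before: str, not_after: str) -> Dict:
    """The to-be-signed fields the slide lists: version, serial, issuer and
    subject names, the subject's public key and the validity window."""
    return {"version": 3, "serial": serial, "issuer": issuer, "subject": subject,
            "subjectPublicKey": {"n": subject_key[0], "e": subject_key[1]},
            "notBefore": not_before, "notAfter": not_after}


def _digest(body: Dict, n: int) -> int:
    """Canonical encoding (sorted JSON stands in for DER) -> SHA-256 -> int.
    Reduced mod n only because the toy modulus is smaller than a digest."""
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % n


def ca_sign(body: Dict, ca_private: Key) -> Dict:
    """The CA hashes the body and transforms the digest with its private key;
    the certificate is body + algorithm identifier + signature value."""
    n, d = ca_private
    return {"tbsCertificate": body, "signatureAlgorithm": "toy-rsa-sha256",
            "signature": pow(_digest(body, n), d, n)}


def verify(cert: Dict, ca_public: Key) -> bool:
    """Anyone holding the CA public key re-hashes the body and checks that
    the signature transforms back to the same digest."""
    n, e = ca_public
    return pow(cert["signature"], e, n) == _digest(cert["tbsCertificate"], n)


def demo() -> Tuple[bool, bool, bool]:
    """Good certificate, body tampered after signing, wrong CA key."""
    ca_pub, ca_priv = make_keypair(1_000_000)
    subject_pub, _ = make_keypair(2_000_000)
    # Constructed sample subject, serial and validity window.
    body = certificate_body("www.example.net", "Example Toy CA", 1001, subject_pub,
                            "2014-04-24T00:00:00Z", "2015-04-24T00:00:00Z")
    cert = ca_sign(body, ca_priv)
    # Editing any byte of the body (here the subject) invalidates the signature.
    tampered = {**cert, "tbsCertificate": {**body, "subject": "mail.example.net"}}
    other_pub, _ = make_keypair(3_000_000)
    return verify(cert, ca_pub), verify(tampered, ca_pub), verify(cert, other_pub)


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```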

58 Certificate Authority
Issuer and signer of the certificate
Trusted (Third) Party, based on trust model: who to trust?
Types: Enterprise CA; Individual CA (PGP); Global CA (such as VeriSign)
Functions: enrolls and validates subscribers; issues and manages certificates; manages revocation and renewal of certificates; establishes policies & procedures

Certificate Revocation Lists
CA periodically publishes a data structure called a certificate revocation list (CRL). Described in the X.509 standard.
Each revoked certificate is identified in a CRL by its serial number.
CRL might be distributed by posting at a known Web URL or from the CA's own X.500 directory entry.

59 Who Can Be a CA?
A CA signs certificates, but which CA? Who picks CAs?
Perhaps another CA issues a certificate to other CAs, but who picked them?
Ultimately, you have to trust someone: the trust anchor
Modern operating systems and browsers come with a list of built-in CAs
You are trusting your vendors; they have decided to trust certain CAs
Are these CAs trustworthy?

The Browser CA Problem
Microsoft trusts over 300 certificate authorities; if you delete one, Windows will helpfully reload it for you
Mozilla trusts 150
Apple trusts 180
Any CA your browser trusts can issue a certificate for any site at all, even if there is already some other certificate for it
If any single CA is compromised, your browser can be fooled
This has happened

60 The Diginotar Case
Someone penetrated Diginotar (a CA) and stole its private key
This key was used to create fake certificates for gmail.com
People in Iran who tried to connect securely to gmail instead connected to somewhere else, but it looked authentic, because there was a Diginotar-issued certificate for Google
Note: Diginotar was not Google's CA
Diginotar is (a) no longer trusted by browsers, and (b) out of business

RPKI: Resource Public Key Infrastructure

61 SIDR Working Group
Secure Inter-Domain Routing (SIDR)
Its purpose is to reduce vulnerabilities to the inter-domain routing system
Addresses two vulnerabilities: Is an Autonomous System authorized to originate an IP prefix? Is the AS-Path represented in the route the same as the path through which the NLRI traveled?
Projects: PKI, RPKI, BGPsec
Source: SIDR WG

BGP Security (BGPsec)
Extension to BGP that provides improved security for BGP routing
Currently an IETF Internet draft
Implemented via a new optional non-transitive BGP path attribute that contains a digital signature
Two things: BGP Prefix Origin Validation (using RPKI); BGP Path Validation

62 Three Pieces
RPKI: Resource Public Key Infrastructure, the certificate infrastructure to support the other pieces (deployed at all RIRs)
Origin Validation: using the RPKI to detect and prevent mis-originations of someone else's prefixes (in deployment)
AS-Path Validation / BGPsec: prevent path attacks on BGP (future work)

What is RPKI?
Resource Public Key Infrastructure (RPKI)
A robust security framework for verifying the association between resource holders and their Internet resources
Created to address the issues in RFC 4593
Uses X.509 v3 certificates with RFC 3779 extensions

63 What is RPKI?
Represents the allocation hierarchy of IP address space and Autonomous System (AS) numbers
A system to manage the creation and storage of digital certificates and the associated Route Origin Authorization documents
Helps to secure Internet routing by validating routes
Proof that prefix announcements are coming from the legitimate holder of the resource
RPKI is in the process of standardization through the Secure Inter-Domain Routing (SIDR) working group

RFCs on RPKI
RFC 6810 The Resource Public Key Infrastructure (RPKI) to Router Protocol (January 2013) - Standard
RFC 6480 An Infrastructure to Support Secure Internet Routing (Feb 2012) - Informational
RFC 6481 A Profile for Resource Certificate Repository Structure (Feb 2012) - Standard
RFC 6491 RPKI Objects Issued by IANA
RFC 6493 The RPKI Ghostbusters Record
RFC 6487 A Profile for X.509 PKIX Resource Certificates

64 A bit of History
1986: Bellovin & Perlman identify the vulnerability in DNS and Routing
National Academies study called it out
2000: S-BGP, X.509 PKI to support Secure BGP - Kent, Lynn, et al
NANOG S-BGP Workshop
2006: RPKI.NET (for ARIN) & APNIC start work on RPKI. RIPE starts in
RPKI.NET Open Testbed and running code in test routers

Benefits of RPKI - Routing
Prevents Route Hijacking: when an entity participating in Internet routing announces a prefix without authorization. Reason: malicious attack
Prevents mis-origination: a prefix that is originated by an AS which does not own it. Reason: configuration mistake

65 Internet Routing
[Diagram: the Internet global routing table holding several announced prefixes; one network announces a /24 and traffic for that /24 follows the announcement]

Right to Resources
ISP gets their resources from the RIR
ISP notifies its upstream of the prefixes to be announced
Upstream _MUST_ check the Whois database if the resource has been delegated to the customer ISP
We need to be able to authoritatively prove who owns an IP prefix and what AS(s) may announce it

66 X.509 Certificate
Resource certificates are based on the X.509 certificate format (RFC 5280)
Extended by RFC 3779: this extension binds a list of resources (IP, ASN) to the subject of the certificate
[Diagram: X.509 certificate with RFC 3779 extension, SIA (Subject Information Access; contains a URI that references the directory) and the owner's public key]

67 Two Components
Certificate Authority (CA): Internet Registries (RIR, NIR, Large LIR); issue certificates for customers; allow customers to use the CA's GUI to issue ROAs for their prefixes
Relying Party (RP): software which gathers data from CAs

Route Origin Authorization (ROA)
Certificate holder uses its private key to sign a ROA
Verifies that an AS has been given permission by an address block holder to advertise routes to one or more prefixes within that block

68 Resource Certification
RIRs have been developing a new service for their members
APNIC has now launched Resource Certification for the AP region
The goal is to improve the security of inter-domain routing and to augment the information published in the APNIC Whois Database

Resource Certification Benefits
Routing information corresponds to properly delegated address resources
Resource Certification gives resource holders proof that they hold certain resources
Resource holders can attest to those resources when distributing them
Resource Certification is a highly robust means of preventing the injection of false information into the Internet's routing system

69 APNIC Resource Certification
A robust security framework for verifying the association between resource holders and their Internet resources
Initiative from APNIC aimed at improving the security of inter-domain routing, and augmenting the information published in the Whois database
Verifies a holder's current right-of-use over an Internet resource

How it Works

70 Creating ROA Records
Log in to MyAPNIC, then Resources -> Certification

Adding ROA Records

71 Deleting ROA Records

RPKI Validation
RPKI-capable routers can fetch the validated ROA dataset from a trust anchor
BGP states:
VALID if a matching VRP was found
INVALID if a VRP was found, but the ASN did not match
UNKNOWN if no matching or covering VRP was found
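The three states above are the route origin validation procedure of RFC 6811. The following added example (not code from the tutorial or from any RPKI validator) implements it over a constructed VRP set, and goes slightly beyond the slide by also covering the two other ways a covered route becomes INVALID: a prefix more specific than the ROA's maxLength, and a covering AS0 ROA. The prefixes and AS numbers are documentation ranges, not real registrations.

```python
"""RPKI Route Origin Validation (RFC 6811) over constructed VRPs.

Added example, not code from the APNIC tutorial or any RPKI project. A VRP
(Validated ROA Payload) is the (prefix, maxLength, origin ASN) triple a
relying-party validator extracts from each cryptographically valid ROA; a
router compares every received BGP route against the VRP set.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Iterable, List, Tuple, Union

Net = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class VRP:
    prefix: Net
    max_length: int
    asn: int


def make_vrp(prefix: str, max_length: int, asn: int) -> VRP:
    """Build a VRP, rejecting maxLength values a ROA could not carry."""
    net = ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} invalid for {net}")
    return VRP(net, max_length, asn)


def covers(vrp: VRP, route: Net) -> bool:
    """A VRP covers a route when the route lies inside the VRP prefix."""
    return route.version == vrp.prefix.version and route.subnet_of(vrp.prefix)


def matches(vrp: VRP, route: Net, origin_asn: int) -> bool:
    """A covering VRP whose maxLength admits the route and whose ASN is the
    announcing origin. AS 0 never matches: an AS0 ROA means 'nobody may
    originate this prefix' (RFC 6483)."""
    return (covers(vrp, route)
            and route.prefixlen <= vrp.max_length
            and vrp.asn == origin_asn
            and origin_asn != 0)


def validate(route: str, origin_asn: int, vrps: Iterable[VRP]) -> str:
    """RFC 6811 outcome for one route; UNKNOWN is the RFC's 'NotFound'."""
    net = ip_network(route, strict=True)
    covering = [v for v in vrps if covers(v, net)]
    if not covering:
        return "UNKNOWN"
    if any(matches(v, net, origin_asn) for v in covering):
        return "VALID"
    return "INVALID"


def validate_table(routes: Iterable[Tuple[str, int]],
                   vrps: Iterable[VRP]) -> List[Tuple[str, int, str]]:
    """Validate a batch of (prefix, origin ASN) routes."""
    vrps = list(vrps)
    return [(r, a, validate(r, a, vrps)) for r, a in routes]


# Constructed sample VRP set: RFC 5737 / RFC 3849 documentation prefixes and
# RFC 5398 documentation ASNs, not real ROAs.
SAMPLE_VRPS = [
    make_vrp("192.0.2.0/24", 24, 64496),
    make_vrp("2001:db8::/32", 48, 64497),
    make_vrp("198.51.100.0/24", 24, 0),      # AS0 ROA: prefix must not be routed
]

if __name__ == "__main__":
    sample_routes = [
        ("192.0.2.0/24", 64496),      # exactly what the ROA authorises
        ("192.0.2.0/25", 64496),      # right AS, but longer than maxLength
        ("192.0.2.0/24", 64511),      # covered, wrong origin AS
        ("203.0.113.0/24", 64496),    # no ROA at all
        ("2001:db8:1::/48", 64497),   # inside the /32, within maxLength 48
        ("198.51.100.0/24", 64496),   # covered by an AS0 ROA
    ]
    for prefix, asn, state in validate_table(sample_routes, SAMPLE_VRPS):
        print(f"{prefix:<18} AS{asn:<6} {state}")
```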

72 Questions

How APNIC can help you?

73 Internet Challenges Today
Internet Security: unauthorized intrusions; Denial of Service (DoS) attacks; internal attacks; non-compliance; etc.
Spam: Unsolicited Commercial Email (UCE) & Unsolicited Bulk Email (UBE); spam volume is exploding
Network abuse: RIRs do not regulate conduct of Internet activity
Investigation possibilities: cooperation of the network administrators; law enforcement agencies

APNIC Service offerings
Whois Database, an important resource! Troubleshooting; tracking source of abuse; protecting address space to prevent hijacking
Information dissemination: APNIC Conferences; technical talks & tutorials; publications & research
Education: training courses, workshops and seminars

74 Steps we take to ensure Whois accuracy
Member account opening: verification of corporate existence with corporate registries or regulators (where possible)
Membership renewal once a year to corporate contact, with payment record
Internet resources revoked if account not paid or renewed
Transfer policies encourage registration of resources: the value of Internet resources encourages registration

Efforts in Preventing Network Abuse
As a registry, APNIC adopts and applies policies for its community which address network abuse.
APNIC does not have the capacity to investigate abuse complaints or the legal powers to regulate Internet activity.
APNIC seeks to raise awareness of the need for responsible network management in the Asia Pacific, through training and communication.

75 Why does APNIC appear as the source in some abuse search reports?
Some tools are designed to search the ARIN Whois database and may refer to APNIC as the culprit
Many websites with Whois lookup functions have the same limitations
However, IP addresses are registered by five RIRs on a regional basis

Detecting the Abuse
If a standard search refers you to APNIC, it means only that the network in question is registered in the Asia Pacific region
It does not mean that APNIC is responsible or that the hacker/spammer is using an APNIC network

76 Can APNIC stop Abuse?
No, because APNIC is not an ISP and does not provide network connectivity to other networks
APNIC does not control Internet routing
APNIC is not a law enforcement agency
APNIC has no industry regulatory power

Investigation of Complaints
Laws relating to network abuse vary from country to country
Investigation possibilities: cooperation of the network administrators; law enforcement agencies (local jurisdiction; jurisdiction where the problem originates)

77 What can you do?
Use the APNIC Whois Database to obtain network contact information
APNIC Whois may or may not show specific customer assignments for the addresses in question, but will show the ISP holding APNIC space
Contact the network responsible and also its ISP/upstream
Contact APNIC for help, advice, training or support
Community discussions can be raised in the APNIC conferences, mailing lists, etc.

APNIC Resource Quality Assurance
Community awareness
Build relationships with reputable organizations that maintain bogon/black lists
Keep the Whois Database accurate
Actively remind resource holders to update their data

78 APNIC also manages Reverse DNS
Forward DNS maps names to numbers: svc00.apnic.net -> (IP address)
Reverse DNS maps numbers to names: (IP address) -> svc00.apnic.net
[Diagram: Person (Host) and Address (IPv4/IPv6)]

The APNIC Whois Database

79 The APNIC Whois Database
Holds IP address records within the AP region
Can use this database to track down the source of the network abuse: IP addresses, ASNs, reverse domains, routing policies
Can find contact details of the relevant network administrators, not the individual users; use the administrators' log files to contact the individual involved

Resource Registration
As part of the membership agreement with APNIC, all members are required to register their resources in the APNIC Whois database.
Members must keep records up to date: whenever there is a change in contacts; when new resources are received; when resources are sub-allocated or assigned

80 Whois Object Types
OBJECT     PURPOSE
person     contact persons
role       contact groups/roles
inetnum    IPv4 addresses
inet6num   IPv6 addresses
aut-num    Autonomous System number
domain     reverse domains
route      prefixes being announced
mntner     (maintainer) data protection
mnt-irt    Incident Response Team

How to use APNIC Whois
Web browser
Whois client or query tool: whois.apnic.net
Identify network contacts from the registration records: IRT (Incident Response Team) if present; contact persons: tech-c or admin-c

81 What if Whois info is invalid?
Members (ISPs) are responsible for reporting changes to APNIC, under formal membership agreement
Report invalid ISP contacts to APNIC; APNIC will contact the member and update registration details

What if Whois info is invalid? (continued)
Customer assignment information is the responsibility of ISPs
ISPs are responsible for updating their customer network registrations
Tools such as traceroute, looking glass and RIS may be used to track the upstream provider if needed
More information available from APNIC

82 Inetnum / Inet6num Objects
Contains IP allocation and assignment information
APNIC creates an inetnum (or inet6num) object for each allocation or assignment they make to the Member
All members must create inetnum (or inet6num) objects for each sub-allocation or assignment they make to customers

IRT Object
Incident Response Team (IRT): dedicated abuse handling teams (not netops)
Implemented in Nov 2010 through Prop-079
Abuse contact information
Mandatory object reference in inetnum, inet6num, and aut-num objects

83 IRT Object
Why provide an abuse contact?
Dedicated contacts or team that specifically resolve computer security incidents
Efficient and accurate response
Stops the tech-c and admin-c from getting abuse reports
Shared response to address abuse

APNIC Whois Registration

84 APNIC Whois Registration

85 APNIC Whois Registration

Maintainer Hierarchy Diagram
Allocated to APNIC: maint-by can only be changed by IANA
Allocated to Member: maint-by can only be changed by APNIC
Sub-allocated to Customer: maint-by can only be changed by Member

86 Using the Whois step by step
[Diagram: a person object (nic-hdl: KX17-AP, contact info) and a mntner object (data protection) are referenced, via KX17-AP and mnt-by attributes, from the allocation inetnum created by APNIC and from the customer assignment inetnum objects created by the Member]

Whois Database Queries: flags used for inetnum queries
(none)  one level less specific matches
-L      find all less specific matches
-m      find first level more specific matches
-M      find all more specific matches
-x      find exact match (if no match, nothing)
-d      enables use of flags for reverse domains
-r      turn off recursive lookups

87 Whois Database Query - inetnum
whois -L <address>/20  ->  less specific (= bigger block): inetnum: <address>/8
whois <address>/20     ->  inetnum: <address>/20
whois -m <address>/20  ->  more specific (= smaller blocks): inetnum: <address>/24, inetnum: <address>/25, inetnum: <address>/26

Recursive Lookups
whois <query>                ->  inetnum, route & person (recursion enabled by default)
whois -r <query>             ->  inetnum & route (recursion turned off)
whois -T inetnum <query>     ->  inetnum & person (type of object specified)
whois -r -T inetnum <query>  ->  inetnum (type of object specified & recursion turned off)
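The hierarchy semantics behind the flags on slides 86 and 87 (exact, less specific, first-level and all more specific, and the default lookup) are what an abuse investigator relies on to walk from an address up to the ISP holding the APNIC allocation. The following added example (not APNIC software, and not a client for the live whois.apnic.net service) reproduces those lookups over a constructed in-memory registry of RFC 5737 documentation prefixes; the default query is assumed to behave as in the RIPE-style database software, returning the exact match or, failing that, the closest less specific object.

```python
"""Whois inetnum hierarchy lookups (-x, -L, -m, -M and the default query).

Added example, not APNIC software: the registry below is a constructed,
in-memory stand-in for inetnum objects, so the flag semantics can be seen
without querying whois.apnic.net.
"""
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Dict, List, Optional, Union

Net = Union[IPv4Network, IPv6Network]

# Constructed sample registry: prefix -> selected inetnum attributes. The
# addresses are RFC 5737 documentation ranges, not real APNIC registrations.
SAMPLE_DB: Dict[str, Dict[str, str]] = {
    "198.51.100.0/24":   {"netname": "EXAMPLE-ISP",        "mnt-by": "MAINT-EXAMPLE-ISP"},
    "198.51.100.0/25":   {"netname": "EXAMPLE-CUST-A",     "mnt-by": "MAINT-EXAMPLE-ISP"},
    "198.51.100.0/26":   {"netname": "EXAMPLE-CUST-A-LAN", "mnt-by": "MAINT-EXAMPLE-ISP"},
    "198.51.100.128/25": {"netname": "EXAMPLE-CUST-B",     "mnt-by": "MAINT-EXAMPLE-ISP"},
    "203.0.113.0/24":    {"netname": "OTHER-ISP",          "mnt-by": "MAINT-OTHER-ISP"},
}


def _nets(db: Dict[str, dict]) -> List[Net]:
    return [ip_network(p) for p in db]


def _inside(inner: Net, outer: Net) -> bool:
    """Strict containment: same address family and inner is a proper subnet."""
    return inner.version == outer.version and inner != outer and inner.subnet_of(outer)


def exact(db: Dict[str, dict], q: str) -> List[str]:
    """-x : the exact object or nothing."""
    qn = ip_network(q)
    return [str(n) for n in _nets(db) if n == qn]


def less_specific(db: Dict[str, dict], q: str) -> List[str]:
    """-L : every object covering the query, biggest block first."""
    qn = ip_network(q)
    hits = [n for n in _nets(db) if _inside(qn, n)]
    return [str(n) for n in sorted(hits, key=lambda n: n.prefixlen)]


def more_specific(db: Dict[str, dict], q: str) -> List[str]:
    """-M : every object inside the query, in address order."""
    qn = ip_network(q)
    return [str(n) for n in sorted(n for n in _nets(db) if _inside(n, qn))]


def more_specific_first_level(db: Dict[str, dict], q: str) -> List[str]:
    """-m : only the direct children, i.e. objects inside the query that are
    not themselves inside another object inside the query."""
    qn = ip_network(q)
    inside = [n for n in _nets(db) if _inside(n, qn)]
    first = [n for n in inside if not any(_inside(n, o) for o in inside)]
    return [str(n) for n in sorted(first)]


def default_query(db: Dict[str, dict], q: str) -> List[str]:
    """No flag: exact match, else the closest (smallest) covering object."""
    hit = exact(db, q)
    if hit:
        return hit
    return less_specific(db, q)[-1:]


def whois(db: Dict[str, dict], q: str, flag: Optional[str] = None) -> List[str]:
    """Dispatch one query string and an optional inetnum flag."""
    handlers = {None: default_query, "-x": exact, "-L": less_specific,
                "-m": more_specific_first_level, "-M": more_specific}
    if flag not in handlers:
        raise ValueError(f"unsupported flag {flag!r}")
    return handlers[flag](db, q)


if __name__ == "__main__":
    # Walking from a single customer address up to the ISP allocation.
    for found in whois(SAMPLE_DB, "198.51.100.0/26", "-L"):
        print(found, SAMPLE_DB[found]["netname"], SAMPLE_DB[found]["mnt-by"])
```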

88 Inverse Queries
Inverse queries are performed on inverse keys; see the object template (whois -t)
Returns all public objects that reference the object with the key specified as a query argument
Practical when searching for objects in which a particular value is referenced, such as your nic-hdl
Syntax: whois -i <attribute> <value>

Customer Privacy
Public data: includes portable addresses (inetnum objects) and other objects, e.g. route objects; public data must be visible
Private data: can include non-portable addresses (inetnum objects); members have the option to make private data visible
Customer assignments can be changed to be public data (public data is an optional choice)

89 What needs to be visible?
[Diagram: IANA range -> APNIC range (APNIC allocations & assignments) -> NIR range (NIR allocations & assignments) -> LIR/ISP (customer assignments, infrastructure, sub-allocations), with the Non-APNIC range alongside; PORTABLE addresses must be visible, NON-PORTABLE addresses have optional visibility]

APNIC Whois Database & the Internet Routing Registry
APNIC Whois Database: two databases in one
Public Network Management Database: Whois info about networks & contact persons; IP addresses, AS numbers etc.
Routing Registry: contains routing information; routing policy, routes, filters, peers etc.
APNIC RR is part of the global IRR

90 Benefits of APNIC RR integrated in Whois Database
Facilitates network troubleshooting
Registration of routing policies
Generation of router configurations
Provides global view of routing

Security Management and Practices

91 Open-Source Tools for Monitoring
Logging and monitoring systems: Syslog, SNMP, Nagios, Cacti, Netflow, Nfsen
Detection and data gathering: IDS system, active scanners, packet analyzers, Netflow
Firewalls and NAC: IPTables, Packetfence
Security tools do not have to be expensive! They can also be free.

NetFlow

92 Packetfence

Securing the Host Machine
Encrypt!
Encrypting emails: IMAPS; SMTP over TLS/SSL; use PGP
Browser: set browser preferences; add-ons or plugins (NoScript, HTTPS Everywhere, Adblock, etc.)
File encryption: full disk encryption (FileVault for Mac, Bitlocker on Windows, Truecrypt)


More information

Syllabus: The syllabus is broadly structured as follows:

Syllabus: The syllabus is broadly structured as follows: Syllabus: The syllabus is broadly structured as follows: SR. NO. TOPICS SUBTOPICS 1 Foundations of Network Security Principles of Network Security Network Security Terminologies Network Security and Data

More information

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Chapter 16 IP Security If a secret piece of news is divulged by a spy before the time is ripe, he must be put to death,

More information

Route Filtering. Types of prefixes in IP core network: Internal Prefixes External prefixes. Downstream customers Internet prefixes

Route Filtering. Types of prefixes in IP core network: Internal Prefixes External prefixes. Downstream customers Internet prefixes Types of prefixes in IP core network: Internal Prefixes External prefixes Downstream customers Internet prefixes Internal prefixes originated in IP core network Loopback Transport Connect inter-regional

More information

20-CS Cyber Defense Overview Fall, Network Basics

20-CS Cyber Defense Overview Fall, Network Basics 20-CS-5155 6055 Cyber Defense Overview Fall, 2017 Network Basics Who Are The Attackers? Hackers: do it for fun or to alert a sysadmin Criminals: do it for monetary gain Malicious insiders: ignores perimeter

More information

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic. 15-441 Lecture Nov. 21 st 2006 Dan Wendlandt Worms & Viruses Phishing End-host impersonation Denial-of-Service Route Hijacks Traffic modification Spyware Trojan Horse Password Cracking IP Spoofing DNS

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.

More information

Chapter 5: Network Layer Security

Chapter 5: Network Layer Security Managing and Securing Computer Networks Guy Leduc Mainly based on Network Security - PRIVATE Communication in a PUBLIC World C. Kaufman, R. Pearlman, M. Speciner Pearson Education, 2002. (chapters 17 and

More information

Table of Contents 1 IKE 1-1

Table of Contents 1 IKE 1-1 Table of Contents 1 IKE 1-1 IKE Overview 1-1 Security Mechanism of IKE 1-1 Operation of IKE 1-1 Functions of IKE in IPsec 1-2 Relationship Between IKE and IPsec 1-3 Protocols 1-3 Configuring IKE 1-3 Configuration

More information

BGP Origin Validation

BGP Origin Validation BGP Origin Validation ISP Workshops These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/) Last updated

More information

IPsec NAT Transparency

IPsec NAT Transparency sec NAT Transparency First Published: November 25, 2002 Last Updated: March 1, 2011 The sec NAT Transparency feature introduces support for Security (sec) traffic to travel through Network Address Translation

More information

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats Internetwork Expert s CCNA Security Bootcamp Common Security Threats http:// Today s s Network Security Challenge The goal of the network is to provide high availability and easy access to data to meet

More information

The EN-4000 in Virtual Private Networks

The EN-4000 in Virtual Private Networks EN-4000 Reference Manual Document 8 The EN-4000 in Virtual Private Networks O ne of the principal features of routers is their support of virtual private networks (VPNs). This document discusses transmission

More information

A PKI For IDR Public Key Infrastructure and Number Resource Certification

A PKI For IDR Public Key Infrastructure and Number Resource Certification A PKI For IDR Public Key Infrastructure and Number Resource Certification AUSCERT 2006 Geoff Huston Research Scientist APNIC If You wanted to be Bad on the Internet And you wanted to: Hijack a site Inspect

More information

CompTIA Security+ (Exam SY0-401)

CompTIA Security+ (Exam SY0-401) CompTIA Security+ (Exam SY0-401) Course Overview This course will prepare students to pass the current CompTIA Security+ SY0-401 certification exam. After taking this course, students will understand the

More information

Network Security and Cryptography. December Sample Exam Marking Scheme

Network Security and Cryptography. December Sample Exam Marking Scheme Network Security and Cryptography December 2015 Sample Exam Marking Scheme This marking scheme has been prepared as a guide only to markers. This is not a set of model answers, or the exclusive answers

More information

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link. Internet Layers Application Application Transport Transport Network Network Network Network Link Link Link Link Ethernet Fiber Optics Physical Layer Wi-Fi ARP requests and responses IP: 192.168.1.1 MAC:

More information

Principles of Information Security, Fourth Edition. Chapter 8 Cryptography

Principles of Information Security, Fourth Edition. Chapter 8 Cryptography Principles of Information Security, Fourth Edition Chapter 8 Cryptography Learning Objectives Upon completion of this material, you should be able to: Chronicle the most significant events and discoveries

More information

Software Development & Education Center Security+ Certification

Software Development & Education Center Security+ Certification Software Development & Education Center Security+ Certification CompTIA Security+ Certification CompTIA Security+ certification designates knowledgeable professionals in the field of security, one of the

More information

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018 Distributed Systems 25. Authentication Paul Krzyzanowski Rutgers University Fall 2018 2018 Paul Krzyzanowski 1 Authentication For a user (or process): Establish & verify identity Then decide whether to

More information

HP Instant Support Enterprise Edition (ISEE) Security overview

HP Instant Support Enterprise Edition (ISEE) Security overview HP Instant Support Enterprise Edition (ISEE) Security overview Advanced Configuration A.03.50 Mike Brandon Interex 03 / 30, 2004 2003 Hewlett-Packard Development Company, L.P. The information contained

More information

Information Security CS 526

Information Security CS 526 Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication Topic 14: Secure Communication 1 Readings for This Lecture On Wikipedia Needham-Schroeder protocol (only the symmetric

More information

Network Security and Cryptography. 2 September Marking Scheme

Network Security and Cryptography. 2 September Marking Scheme Network Security and Cryptography 2 September 2015 Marking Scheme This marking scheme has been prepared as a guide only to markers. This is not a set of model answers, or the exclusive answers to the questions,

More information

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements CONTENTS Preface Acknowledgements xiii xvii Chapter 1 TCP/IP Overview 1 1.1 Some History 2 1.2 TCP/IP Protocol Architecture 4 1.2.1 Data-link Layer 4 1.2.2 Network Layer 5 1.2.2.1 Internet Protocol 5 IPv4

More information

VPN World. MENOG 16 Istanbul-Turkey. By Ziad Zubidah Network Security Specialist

VPN World. MENOG 16 Istanbul-Turkey. By Ziad Zubidah Network Security Specialist VPN World MENOG 16 Istanbul-Turkey By Ziad Zubidah Network Security Specialist What is this Van used for?! Armed Van It used in secure transporting for valuable goods from one place to another. It is bullet

More information

Fundamentals of Network Security v1.1 Scope and Sequence

Fundamentals of Network Security v1.1 Scope and Sequence Fundamentals of Network Security v1.1 Scope and Sequence Last Updated: September 9, 2003 This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document

More information

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to 1 The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to compromises of various sorts, with a range of threats

More information

Some Lessons Learned from Designing the Resource PKI

Some Lessons Learned from Designing the Resource PKI Some Lessons Learned from Designing the Resource PKI Geoff Huston Chief Scientist, APNIC May 2007 Address and Routing Security The basic security questions that need to be answered are: Is this a valid

More information

AccessEnforcer Version 4.0 Features List

AccessEnforcer Version 4.0 Features List AccessEnforcer Version 4.0 Features List AccessEnforcer UTM Firewall is the simple way to secure and manage your small business network. You can choose from six hardware models, each designed to protect

More information

Security and Lawful Intercept In VoIP Networks. Manohar Mahavadi Centillium Communications Inc. Fremont, California

Security and Lawful Intercept In VoIP Networks. Manohar Mahavadi Centillium Communications Inc. Fremont, California Security and Lawful Intercept In VoIP Networks Manohar Mahavadi Centillium Communications Inc. Fremont, California Agenda VoIP: Packet switched network VoIP devices VoIP protocols Security and issues in

More information

COMPUTER SECURITY. Computer Security Secure Communication Channels (2)

COMPUTER SECURITY. Computer Security Secure Communication Channels (2) COMPUTER SECURITY 7. Secure Communication Channels: 2 case studies (2) Technologies' case studies (2) WEP Wired Equivalent Privacy (3) IPsec Internet Protocol Security (11) SSL Secure Sockets Layer (25)

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 18: Network Attacks Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Network attacks denial-of-service (DoS) attacks SYN

More information

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Network Security - ISA 656 IPsec IPsec Key Management (IKE) Network Security - ISA 656 IPsec IPsec (IKE) Angelos Stavrou September 28, 2008 What is IPsec, and Why? What is IPsec, and Why? History IPsec Structure Packet Layout Header (AH) AH Layout Encapsulating

More information

Configuring OpenVPN on pfsense

Configuring OpenVPN on pfsense Configuring OpenVPN on pfsense Configuring OpenVPN on pfsense Posted by Glenn on Dec 29, 2013 in Networking 0 comments In this article I will go through the configuration of OpenVPN on the pfsense platform.

More information

CS November 2018

CS November 2018 Authentication Distributed Systems 25. Authentication For a user (or process): Establish & verify identity Then decide whether to allow access to resources (= authorization) Paul Krzyzanowski Rutgers University

More information

CSCE 715: Network Systems Security

CSCE 715: Network Systems Security CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina Security in Network Layer Implementing security in application layer provides flexibility in security

More information

BEST PRACTICES FOR PERSONAL Security

BEST PRACTICES FOR PERSONAL  Security BEST PRACTICES FOR PERSONAL Email Security Sometimes it feels that the world of email and internet communication is fraught with dangers: malware, viruses, cyber attacks and so on. There are some simple

More information

ETHICAL HACKING & COMPUTER FORENSIC SECURITY

ETHICAL HACKING & COMPUTER FORENSIC SECURITY ETHICAL HACKING & COMPUTER FORENSIC SECURITY Course Description From forensic computing to network security, the course covers a wide range of subjects. You will learn about web hacking, password cracking,

More information

CS System Security 2nd-Half Semester Review

CS System Security 2nd-Half Semester Review CS 356 - System Security 2nd-Half Semester Review Fall 2013 Final Exam Wednesday, 2 PM to 4 PM you may bring one 8-1/2 x 11 sheet of paper with any notes you would like no cellphones, calculators This

More information

Ethical Hacking and Prevention

Ethical Hacking and Prevention Ethical Hacking and Prevention This course is mapped to the popular Ethical Hacking and Prevention Certification Exam from US-Council. This course is meant for those professionals who are looking for comprehensive

More information

Security in inter-domain routing

Security in inter-domain routing DD2491 p2 2011 Security in inter-domain routing Olof Hagsand KTH CSC 1 Literature Practical BGP pages Chapter 9 See reading instructions Beware of BGP Attacks (Nordström, Dovrolis) Examples of attacks

More information

Network Security: IPsec. Tuomas Aura

Network Security: IPsec. Tuomas Aura Network Security: IPsec Tuomas Aura 3 IPsec architecture and protocols Internet protocol security (IPsec) Network-layer security protocol Protects IP packets between two hosts or gateways Transparent to

More information

INDEX. Symbols. 3DES over4 mechanism to4 mechanism...101

INDEX. Symbols. 3DES over4 mechanism to4 mechanism...101 INDEX Symbols 3DES...138 6over4 mechanism...101 6to4 mechanism...101 A AA...24 AAAA...99 access control list. See ACL ACK...150 ACK-SYN message...150 ACL...110 ActiveX...38 Active attacks...196 Active

More information

Configuring Security for VPNs with IPsec

Configuring Security for VPNs with IPsec This module describes how to configure basic IPsec VPNs. IPsec is a framework of open standards developed by the IETF. It provides security for the transmission of sensitive information over unprotected

More information

RPKI. Resource Pubic Key Infrastructure

RPKI. Resource Pubic Key Infrastructure RPKI Resource Pubic Key Infrastructure Purpose of RPKI RPKI replaces IRR or lives side by side? Side by side: different advantages Security, almost real time, simple interface: RPKI Purpose of RPKI Is

More information

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security IPsec (AH, ESP), IKE Guevara Noubir noubir@ccs.neu.edu Securing Networks Control/Management (configuration) Applications Layer telnet/ftp: ssh, http: https, mail: PGP (SSL/TLS) Transport Layer (TCP) (IPSec,

More information

CS Paul Krzyzanowski

CS Paul Krzyzanowski The Internet Packet switching: store-and-forward routing across multiple physical networks... across multiple organizations Computer Security 11. Network Security ISP Paul Krzyzanowski Rutgers University

More information

Introducción al RPKI (Resource Public Key Infrastructure)

Introducción al RPKI (Resource Public Key Infrastructure) Introducción al RPKI (Resource Public Key Infrastructure) Roque Gagliano rogaglia@cisco.com 4 Septiembre 2013 Quito, Equator 2011 Cisco and/or its affiliates. All rights reserved. 1 Review of problem to

More information

Network Encryption 3 4/20/17

Network Encryption 3 4/20/17 The Network Layer Network Encryption 3 CSC362, Information Security most of the security mechanisms we have surveyed were developed for application- specific needs electronic mail: PGP, S/MIME client/server

More information

Exam Questions SY0-401

Exam Questions SY0-401 Exam Questions SY0-401 CompTIA Security+ Certification https://www.2passeasy.com/dumps/sy0-401/ 1. A company has implemented PPTP as a VPN solution. Which of the following ports would need to be opened

More information

Computer Security. 11. Network Security. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security. 11. Network Security. Paul Krzyzanowski. Rutgers University. Spring 2018 Computer Security 11. Network Security Paul Krzyzanowski Rutgers University Spring 2018 April 15, 2018 CS 419 2018 Paul Krzyzanowski 1 The Internet Packet switching: store-and-forward routing across multiple

More information

Protocol Architecture (2) Suguru Yamaguchi Nara Institute of Science and Technology Department of Information Science

Protocol Architecture (2) Suguru Yamaguchi Nara Institute of Science and Technology Department of Information Science Protocol Architecture (2) Suguru Yamaguchi Nara Institute of Science and Technology Department of Information Science History of computer network protocol development in 20 th century. Development of hierarchical

More information

VPN Overview. VPN Types

VPN Overview. VPN Types VPN Types A virtual private network (VPN) connection establishes a secure tunnel between endpoints over a public network such as the Internet. This chapter applies to Site-to-site VPNs on Firepower Threat

More information

Curso: Ethical Hacking and Countermeasures

Curso: Ethical Hacking and Countermeasures Curso: Ethical Hacking and Countermeasures Module 1: Introduction to Ethical Hacking Who is a Hacker? Essential Terminologies Effects of Hacking Effects of Hacking on Business Elements of Information Security

More information

iii PPTP... 7 L2TP/IPsec... 7 Pre-shared keys (L2TP/IPsec)... 8 X.509 certificates (L2TP/IPsec)... 8 IPsec Architecture... 11

iii PPTP... 7 L2TP/IPsec... 7 Pre-shared keys (L2TP/IPsec)... 8 X.509 certificates (L2TP/IPsec)... 8 IPsec Architecture... 11 iii PPTP................................................................................ 7 L2TP/IPsec........................................................................... 7 Pre-shared keys (L2TP/IPsec)............................................................

More information

Computer Networking. What is network security? Chapter 7: Network security. Symmetric key cryptography. The language of cryptography

Computer Networking. What is network security? Chapter 7: Network security. Symmetric key cryptography. The language of cryptography Chapter 7: Network security 15-441 Computer Networking Network Security: Cryptography, Authentication, Integrity Foundations: what is security? cryptography authentication message integrity key distribution

More information

Resource Public Key Infrastructure (RPKI) Nurul Islam Roman, APNIC

Resource Public Key Infrastructure (RPKI) Nurul Islam Roman, APNIC Resource Public Key Infrastructure (RPKI) Nurul Islam Roman, APNIC Target Audience Knowledge of Internet Routing(specially BGP) Fair idea on Routing Policy No need to know Cryptography Basic knowledge

More information

IP Security. Have a range of application specific security mechanisms

IP Security. Have a range of application specific security mechanisms IP Security IP Security Have a range of application specific security mechanisms eg. S/MIME, PGP, Kerberos, SSL/HTTPS However there are security concerns that cut across protocol layers Would like security

More information

TCP/IP Networking. Training Details. About Training. About Training. What You'll Learn. Training Time : 9 Hours. Capacity : 12

TCP/IP Networking. Training Details. About Training. About Training. What You'll Learn. Training Time : 9 Hours. Capacity : 12 TCP/IP Networking Training Details Training Time : 9 Hours Capacity : 12 Prerequisites : There are no prerequisites for this course. About Training About Training TCP/IP is the globally accepted group

More information

Networking Security SPRING 2018: GANG WANG

Networking Security SPRING 2018: GANG WANG Networking Security SPRING 2018: GANG WANG About the Midterm Close book; Close notes; Close computer/phone/calculator; No cheat sheet. You are NOT allowed to leave the room during the exam There are 6

More information

CHAPTER 8 SECURING INFORMATION SYSTEMS

CHAPTER 8 SECURING INFORMATION SYSTEMS CHAPTER 8 SECURING INFORMATION SYSTEMS BY: S. SABRAZ NAWAZ SENIOR LECTURER IN MANAGEMENT & IT SEUSL Learning Objectives Why are information systems vulnerable to destruction, error, and abuse? What is

More information

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ Chapter 8 Network Security Computer Networking: A Top Down Approach, 5 th edition. Jim Kurose, Keith Ross Addison-Wesley, April 2009.

More information

Implementing Cisco Network Security (IINS) 3.0

Implementing Cisco Network Security (IINS) 3.0 Implementing Cisco Network Security (IINS) 3.0 COURSE OVERVIEW: Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles and technologies, using

More information

Defeating All Man-in-the-Middle Attacks

Defeating All Man-in-the-Middle Attacks Defeating All Man-in-the-Middle Attacks PrecisionAccess Vidder, Inc. Defeating All Man-in-the-Middle Attacks 1 Executive Summary The man-in-the-middle attack is a widely used and highly preferred type

More information