Virtual Private Network and Security. Michael Tsai 2016/05/11

Transcription

1 Virtual Private Network and Security Michael Tsai 2016/05/11

2 But, first, a bit about Transport Layer + Port No.

3 Multiplexing & Demultiplexing Socket: port 80 Web Server (Apache) FTP Your Network Device Firefox (HTTP) LINE Socket: port Transport Layer Skype Transport Layer Network & Lower Layers Web Server Network & Lower Layers Pkt Pkt Pkt Pkt Pkt Pkt Pkt 海一樣的封包. 有進有出. 哪個是誰的?

4 Well-Known Port Number Service/ Application FTP Port Number 20 (data) / 21 (command) Service/ Application Port Number HTTP 80 / 8080 SSH 22 HTTPS 443 Telnet 23 SMTP (mail server->server) 25 POP3 (mail client -> server) IMAP (mail client -> server) DNS 53 NFS 2049 DHCP 67/68 PPTP (VPN) 1723

5 UDP: Connection-less Simplest design Transport Header has only 4 fields: Source and destination port numbers Length Checksum Why do we need checksum for end-to-end connections? Possible: no bottom layer protocol does it IP only has header checksum (no data checksum) Layer 2 CAN have NO error detection scheme (though most do) Could be caused by relaying hosts (router / switch) (e.g., memory corruption)

6 TCP: Reliable Transport Why? IP is not reliable Lost packets, errornous packets No idea about latency - varying over time Basic ingredients: Error detection: verify checksum ACK or NACK: notify the other side whether a packet is correctly received Re-transmission: if not, do it again Sequence number: check for missing or redundant packets Time-out: estimate the latency. If not received within a time period, then do it again. Need an accurate estimation of round-trip time (RTT). What if it is too short or too long?

7 TCP: Pipelined Transmissions Sender Transmission time =L/R Receiver Sender Transmission time =L/R Receiver Round Trip Time Round Trip Time N ack pipeline. ack

8 TCP Designs Round-trip Time Estimation EstimatedRTT=0.875 * EstimatedRTT * SampleRTT DevRTT=0.75*DevRTT+0.25* SampleRTT EstimatedRTT TimeoutInterval=EstimatedRTT+4*DevRTT Flow Control Make sure the buffer at the receiver is not filled up (the top layer is too slow) Receiver will provide the information of the remaining size of the buffer à receive window Transmitter makes sure that the transmitted data will not exceed the size of the receive window

9 TCP Designs Connection Management Establish: SYN (Client initial sequence number) àsyn-ack àack End: FINàACK Congestion Control 因為 一次送多個未 ack 的封包 而造成的網路更塞車 封包掉 à 塞車了 à 減少傳送速度 收到 ACK à 通順的網路 à 增加傳送速度 Slow start: 從 1 開始, 緩慢地增加 (2x) 一次可以傳送未 ack 封包個數

10 NAT (Network Address Translation) Revisited 對照表 : 菜瓜布有連到 要找助教請轉到 菜瓜布 馬撒起 內部用 : Src: Dest: Src: Dest: 內部用 : 門牌 : Src: Dest: 凱莉 內部用 : Src: Dest: 小小郭 內部用 : 內部用門牌 :

11 NAT (Network Address Translation) Revisited 菜瓜布 eth0: Src: port Dest: port 53 Src: 馬撒起 Dest: eth0: 對照表 : 菜瓜布有連到 ( port > port > port 53) 要找助教請轉到 ( port 80 redirects to port 8080) eth0 (public IP): Src: port Dest: port 53 凱莉 小小郭 eth0: port 80: listening (httpd) eth0: Src: port 53 Dest: port eth1 (private IP):

12 Check all the connections netstat: print network connections, routing tables, and interface statistics Example: netstat -na --inet (list connections on all interfaces, using numerical addresses, listing only IP connections) netstat -s (print the statistics) netstat -i (list interface statistics)

13 Security UNIX, Linux, and any OS that communicates over a network is probably NOT secure Fundamentally, Linux is probably not the most secure: Optimized for convenience - multi-user + networked Developed by a large number of programmers - large variation in their background Most administrative functions are implemented OUTSIDE of kernel But, open-source nature allows a large number of people to scrutinize each line of code for possible security threats

14 Security Abstract: security = K / (convenience) Very secure ==?? for your user? Security would probably not improve over time More connected More complicated (Attackers are more organized)

15 How Security is Compromised Social engineering: human users are the weakest links Phishing - collect info from deceptive , IM, and web sites. Software vulnerabilities Examples: buffer overflows, input validation vulnerabilities Sol: Keeping up with security patches Configuration errors (or default setting ) Example: boot loader password

16 In-Class Reading Homework Security tips and philosophy (22.3)

17 Some tips that I like Unnecessary services Remote logging Trojan horses - look for information before installing Looking for unusual activities.

18 VPN (Virtual Private Network) 菜瓜布 Common Types of VPN: IPSec, SSL VPN, PPTP/L2TP 內部用 : 門牌 : 馬撒起 內部用 : 凱莉內部用 : Src: Dest: 小小郭內部用 : 內部用門牌 : 透過網路連線, 把通往內部的封包都先送到 , 然後再解開轉送到真正的目的地 姜姜 Src: x.x Dest: Src: Dest: 門牌 : x.x 內部用 :

19 Crypto 101: encryption Plaintext ( ) Key ( ) Ciphertext ( ) Hello, Here is your health check result Encryption ( ) GVfsQanXp Sa88w4A0I FMwnVRIf2 2cTZNamxi Wij0T6HMy Symmetric algorithms (shared key) Both parties have the same shared key, and use the same key for encryption and decryption Asymmetric algorithms (public key and private key) Each party has a public key and a private key - public key is used for encryption and private key is used for decryption Content from Prof. Hsu-Chun Hsiao s Cryptography and Network Security slides

20 Symmetric encryption Secure channel K AB K AB m Encryption ( ) c = E K AB (m) Insecure channel c Decryption ( ) m = D K AB (c) Asymmetric encryption Authenticated channel K B K B -1 m Encryption ( ) c = E K B (m) Insecure channel c Decryption ( ) m = D K B -1 (c)

21 Properties Encryption is reversible with corresponding decryption key It is computational infeasible to recover ciphertext without knowing the key find a private key from its public key Longer key provides better security

22 Computational Infeasible ~2^33 devices in the world ~2^30 symmetric cryptographic operations per device per second ~2^25 seconds per year ~2^128 operations to brute force AES-128 encryption ( =40) ~2^40 years to brute force AES-128 encryption ~2^33 years since the beginning of the universe XD

23 Comparison Symmetric Asymmetric Secret key is only known to the communicating parties For secure comm., key should be secret and authentic 112 bit key for high security (2015) ~1,000,000 ops/s on 1 GHz CPU Public key is known to everyone Private key only known to owner For secure comm., private key is secret and public key is authentic 2048 bit key (RSA) for high security (2015) ~100 signatures/s, ~1000 verifies/s (RSA) on 1 GHz CPU

24 TLS & SSL Nescape s Secure Sockets Layer (SSL) 2.0 > 3.0 (proprietary) > Transport Layer Security (TLS) 1.0 (non proprietary) by IETF as an effort to secure HTTP Sitting on top of TCP (there are versions to work with UDP too) Provide: Encryption: (you already know) Authentication: Verify you are really who you claim to be Integrity: Detect message tampering (modification) and forgery (entire thing is put together by the attacker) Most secure protocols work similarly

25 Common Workflow Verify each other s public key (man-in-the-middle attack) Certificate (signed by a trusted third party) Check against a database (e.g., SSH s ~/.ssh/known_hosts) DNS (example: SSHFP) Use public-private key to establish a shared key

26 SSH SSH: the secure shell As secure replacement for rlogin, rcp, and telnet Crypto is used to confirm a user s identity / encrypt all communications Can use public crypto to establish the user s identity Can use personal password to establish the user s identity (vulnerable to brute-force / dictionary attack)

27 SSH SCP/SFTP: securely copy/transfer files from remote hosts Example: scp

28 Poor man s VPN: SSH tunnel An SSH tunnel for RDP External system rdesktop random port port 22 SSH server sshd random port random port ssh port 9989 FIREWALL Windows system Internet side Enterprise side RDP server port 3389

29 VPN s downsides VPN: only a secure tunnel between endpoints Nothing about the security of the endpoints Example: give access to VPN users to your private network VPN connections should probably be given less privileges (treat them as external users)

30 Today s In-Class Homework 2 1: Connect to CSIE VPN from your Ubuntu VM (no instruction for Linux yet! Try it yourself!) Use SSH Tunnel to create a tunnel from your machine s to linux[1-10] (and then to s 80 port) > Use your browser to test it (