Elements of a wireless network

Transcription

1 Chapter 6 Wreless

2 Elements of a wreless network network nfrastructure nfrastructure mode base staton connects mobles nto wred network handoff: moble changes base staton provdng connecton nto wred network Wreless, Moble Networks 6-2

3 Elements of a wreless network ad hoc mode no base statons nodes can only transmt to other nodes wthn lnk coverage nodes organze themselves nto a network: route among themselves Wreless, Moble Networks 6-3

4 Wreless network taxonomy nfrastructure (e.g., APs) no nfrastructure sngle hop host connects to base staton (WF, WMAX, cellular) whch connects to larger Internet no base staton, no connecton to larger Internet (Bluetooth, ad hoc nets) multple hops host may have to relay through several wreless nodes to connect to larger Internet: mesh net no base staton, no connecton to larger Internet. May have to relay to reach other a gven wreless node MANET, VANET Wreless, Moble Networks 6-4

5 Wreless network characterstcs Multple wreless senders and recevers create addtonal problems (beyond multple access): C A B C A B A s sgnal strength C s sgnal strength Hdden termnal problem B, A hear each other B, C hear each other A, C can not hear each other means A, C unaware of ther nterference at B space Sgnal attenuaton: B, A hear each other B, C hear each other A, C can not hear each other nterferng at B Wreless, Moble Networks 6-5

6 LAN archtecture BSS 1 Internet hub, swtch or router wreless host communcates wth base staton base staton = access pont (AP) Basc Servce Set (BSS) (aka cell ) n nfrastructure mode contans: wreless hosts access pont (AP): base staton ad hoc mode: hosts only BSS 2 Wreless, Moble Networks 6-6

7 802.11: Channels, assocaton b: 2.4GHz-2.485GHz spectrum dvded nto 11 channels at dfferent frequences AP admn chooses frequency for AP nterference possble: channel can be same as that chosen by neghborng AP! host: must assocate wth an AP scans channels, lstenng for beacon frames contanng AP s name (SSID) and MAC address selects AP to assocate wth may perform authentcaton [Chapter 8] wll typcally run DHCP to get IP address n AP s subnet Wreless, Moble Networks 6-7

8 802.11: passve/actve scannng BBS 1 BBS 2 BBS 1 BBS 2 AP AP 2 AP AP 2 H1 passve scannng: (1)beacon frames sent from APs (2)assocaton Request frame sent: H1 to selected AP (3)assocaton Response frame sent from selected AP to H1 H1 actve scannng: (1) Probe Request frame broadcast from H1 (2) Probe Response frames sent from APs (3) Assocaton Request frame sent: H1 to selected AP (4) Assocaton Response frame sent from selected AP to H1 Wreless, Moble Networks 6-8

9 IEEE MAC Protocol: CSMA/CA sender 1 f sense channel dle for DIFS then transmt entre frame (no CD) 2 f sense channel busy then start random backoff tme tmer counts down whle channel dle transmt when tmer expres f no ACK, ncrease random backoff nterval, repeat recever - f frame receved OK return ACK after SIFS (ACK needed due to hdden termnal problem) DIFS sender data ACK recever SIFS Wreless, Moble Networks 6-9

10 Avodng collsons (more) dea: allow sender to reserve channel rather than random access of data frames: avod collsons of long data frames sender frst transmts small request-to-send (RTS) packets to BS usng CSMA RTSs may stll collde wth each other (but they re short) BS broadcasts clear-to-send CTS n response to RTS CTS heard by all nodes sender transmts data frame other statons defer transmssons avod data frame collsons completely usng small reservaton packets! Wreless, Moble Networks 6-10

11 Collson Avodance: RTS-CTS exchange A AP B RTS(A) RTS(B) reservaton collson RTS(A) CTS(A) CTS(A) DATA (A) defer tme ACK(A) Wreless, Moble Networks 6-11

12 frame: addressng frame control duraton address 1 address 2 address 3 seq control address 4 payload CRC Address 1: MAC address of wreless host or AP to receve ths frame Address 2: MAC address of wreless host or AP transmttng ths frame Address 3: MAC address of router nterface to whch AP s attached Address 4: used only n ad hoc mode Wreless, Moble Networks 6-12

13 frame: addressng H1 R1 router Internet R1 MAC addr H1 MAC addr dest. address source address frame AP MAC addr H1 MAC addr R1 MAC addr address 1 address 2 address frame Wreless, Moble Networks 6-13

14 frame: more duraton of reserved transmsson tme (RTS/CTS) frame seq # (for RDT) frame control duraton address 1 address 2 address 3 seq control address 4 payload CRC Protocol verson Type Subtype To AP From AP More frag Retry Power mgt More data WEP Rsvd frame type (RTS, CTS, ACK, data) Wreless, Moble Networks 6-14

15 802.15: personal area network less than 10 m dameter replacement for cables (mouse, keyboard, headphones) ad hoc: no nfrastructure master/slaves: slaves request permsson to send (to master) master grants requests S S P M P S P radus of coverage P : evolved from Bluetooth specfcaton GHz rado band up to 721 kbps M S P Master devce Slave devce Parked devce (nactve) Wreless, Moble Networks 6-15

16 Chapter 7 multmeda

17 Multmeda: audo analog audo sgnal sampled at constant rate telephone: 8,000 samples/sec CD musc: 44,100 samples/sec each sample quantzed,.e., rounded e.g., 2 8 =256 possble quantzed values each quantzed value represented by bts, e.g., 8 bts for 256 values audo sgnal ampltude quantzaton error samplng rate (N sample/sec) quantzed value of analog value analog sgnal tme Multmeda Networkng 7-17

18 Multmeda networkng: 3 applcaton types streamng, stored audo, vdeo streamng: can begn playout before downloadng entre fle stored (at server): can transmt faster than audo/vdeo wll be rendered (mples storng/bufferng at clent) e.g., YouTube, Netflx, Hulu conversatonal voce/vdeo over IP nteractve nature of human-to-human conversaton lmts delay tolerance e.g., Skype streamng lve audo, vdeo e.g., lve sportng event (futbol) Multmeda Networkng 7-18

19 Cumulatve data Streamng stored vdeo: 1. vdeo recorded (e.g., 30 frames/sec) 2. vdeo sent network delay (fxed n ths example) 3. vdeo receved, played out at clent (30 frames/sec) tme streamng: at ths tme, clent playng out early part of vdeo, whle server stll sendng later part of vdeo Multmeda Networkng 7-19

20 Streamng stored vdeo: challenges contnuous playout constrant: once clent playout begns, playback must match orgnal tmng but network delays are varable (jtter), so wll need clent-sde buffer to match playout requrements other challenges: clent nteractvty: pause, fast-forward, rewnd, jump through vdeo vdeo packets may be lost, retransmtted Multmeda Networkng 7-20

21 Streamng stored vdeo: revsted Cumulatve data constant bt rate vdeo transmsson varable network delay clent vdeo recepton buffered vdeo constant bt rate vdeo playout at clent clent playout delay tme clent-sde bufferng and playout delay: compensate for network-added delay, delay jtter Multmeda Networkng 7-21

22 Streamng multmeda: DASH DASH: Dynamc, Adaptve Streamng over HTTP server: dvdes vdeo fle nto multple chunks each chunk stored, encoded at dfferent rates manfest fle: provdes URLs for dfferent chunks clent: perodcally measures server-to-clent bandwdth consultng manfest, requests one chunk at a tme chooses maxmum codng rate sustanable gven current bandwdth can choose dfferent codng rates at dfferent ponts n tme (dependng on avalable bandwdth at tme) Multmeda Networkng 7-22

23 Streamng multmeda: DASH DASH: Dynamc, Adaptve Streamng over HTTP ntellgence at clent: clent determnes when to request chunk (so that buffer starvaton, or overflow does not occur) what encodng rate to request (hgher qualty when more bandwdth avalable) where to request chunk (can request from URL server that s close to clent or has hgh avalable bandwdth) Multmeda Networkng 7-23

24 Voce-over-IP (VoIP) VoIP end-end-delay requrement: needed to mantan conversatonal aspect hgher delays notceable, mpar nteractvty < 150 msec: good > 400 msec bad ncludes applcaton-level (packetzaton,playout), network delays sesson ntalzaton: how does callee advertse IP address, port number, encodng algorthms? value-added servces: call forwardng, screenng, recordng emergency servces: 911 Multmeda Networkng 7-24

25 VoIP: packet loss, delay network loss: IP datagram lost due to network congeston (router buffer overflow) delay loss: IP datagram arrves too late for playout at recever delays: processng, queueng n network; endsystem (sender, recever) delays typcal maxmum tolerable delay: 400 ms loss tolerance: dependng on voce encodng, loss concealment, packet loss rates between 1% and 10% can be tolerated Multmeda Networkng 7-25

26 Real-Tme Protocol (RTP) RTP specfes packet structure for packets carryng audo, vdeo data RFC 3550 RTP packet provdes payload type dentfcaton packet sequence numberng tme stampng RTP runs n end systems RTP packets encapsulated n UDP segments nteroperablty: f two VoIP applcatons run RTP, they may be able to work together Multmeda Networkng 7-26

27 Real-Tme Control Protocol (RTCP) works n conjuncton wth RTP each partcpant n RTP sesson perodcally sends RTCP control packets to all other partcpants each RTCP packet contans sender and/or recever reports report statstcs useful to applcaton: # packets sent, # packets lost, nterarrval jtter feedback used to control performance sender may modfy ts transmssons based on feedback Multmeda Networkng 7-27

28 SIP: Sesson Intaton Protocol [RFC 3261] long-term vson: all telephone calls, vdeo conference calls take place over Internet people dentfed by names or e-mal addresses, rather than by phone numbers can reach callee (f callee so desres), no matter where callee roams, no matter what IP devce callee s currently usng Multmeda Networkng 7-28

29 SIP servces SIP provdes mechansms for call setup: for caller to let callee know she wants to establsh a call so caller, callee can agree on meda type, encodng to end call determne current IP address of callee: maps mnemonc dentfer to current IP address call management: add new meda streams durng call change encodng durng call nvte others transfer, hold calls Multmeda Networkng 7-29

30 SIP proxy another functon of SIP server: proxy Alce sends nvte message to her proxy server contans address proxy responsble for routng SIP messages to callee, possbly through multple proxes Bob sends response back through same set of SIP proxes proxy returns Bob s SIP response message to Alce contans Bob s IP address SIP proxy analogous to local DNS server plus TCP setup Multmeda Networkng 7-30

31 Comparson wth H.323 H.323: another sgnalng protocol for real-tme, nteractve multmeda H.323: complete, vertcally ntegrated sute of protocols for multmeda conferencng: sgnalng, regstraton, admsson control, transport, codecs SIP: sngle component. Works wth RTP, but does not mandate t. Can be combned wth other protocols, servces H.323 comes from the ITU (telephony) SIP comes from IETF: borrows much of ts concepts from HTTP SIP has Web flavor; H.323 has telephony flavor SIP uses KISS prncple: Keep It Smple Stupd Multmeda Networkng 7-31

32 Dfferentated servces want qualtatve servce classes behaves lke a wre relatve servce dstncton: Platnum, Gold, Slver scalablty: smple functons n network core, relatvely complex functons at edge routers (or hosts) sgnalng, mantanng per-flow router state dffcult wth large number of flows don t defne defne servce classes, provde functonal components to buld servce classes Multmeda Networkng 7-32

33 Dffserv packet markng: detals packet s marked n the Type of Servce (TOS) n IPv4, and Traffc Class n IPv6 6 bts used for Dfferentated Servce Code Pont (DSCP) determne PHB that the packet wll receve 2 bts currently unused DSCP unused Multmeda Networkng 7-33

34 Chapter 8 Network Securty

35 5 Securty Rsks, Hacker Indvdual who gans unauthorzed access to systems Vulnerablty Weakness of a system, process, or archtecture Explot Means of takng advantage of a vulnerablty Zero-day explot Takng advantage of undscovered software vulnerablty Most vulnerabltes are well known

36 6 Rsks Assocated wth People Half of all securty breaches Human errors, gnorance, omssons Socal engneerng Strategy to gan password Phshng Glean access, authentcaton nformaton Pose as someone needng nformaton, Many rsks assocated wth people exst Easest way to crcumvent network securty Take advantage of human error

37 7 Rsks Assocated wth Transmsson and Hardware Physcal, Data Lnk, and Network layer securty rsks Requre more techncal sophstcaton Rsks nherent n network hardware and desgn Transmsson ntercepton Man-n-the-mddle attack Eavesdroppng Networks connectng to Internet va leased publc lnes Snffng Repeatng devces broadcast traffc over entre segment,

38 8 Rsks Assocated wth Transmsson and Hardware (cont d.) Rsks nherent n network hardware and desgn (cont d.) Port access va port scanner Unused swtch, router, server ports not secured Prvate address avalablty to outsde Routers not properly confgured to mask nternal subnets Router attack Routers not confgured to drop suspcous packets,

39 9 Rsks Assocated wth Transmsson and Hardware (cont d.) Rsks nherent n network hardware and desgn (cont d.) Port access va port scanner Unused swtch, router, server ports not secured Prvate address avalablty to outsde Routers not properly confgured to mask nternal subnets Router attack Routers not confgured to drop suspcous packets,

40 0 An Effectve Securty Polcy, Mnmze break-n rsk Communcate wth and manage users Use thoroughly planned securty polcy Securty polcy Identfes securty goals, rsks, authorty levels, desgnated securty coordnator, and team members Responsbltes of each employee How to address securty breaches Not ncluded n polcy: Hardware, software, archtecture, and protocols Confguraton detals

41 1 Router Access Lsts Control traffc through routers Router s man functons Examne packets Determne destnaton Based on Network layer addressng nformaton ACL (access control lst) Also called access lst Routers can declne to forward certan packets,

42 2 Router Access Lsts (cont d.) ACL varables used to permt or deny traffc Network layer protocol (IP, ICMP) Transport layer protocol (TCP, UDP) Source IP address Source netmask Destnaton IP address Destnaton netmask TCP or UDP port number,

43 3 Router Access Lsts (cont d.) ACL varables used to permt or deny traffc Network layer protocol (IP, ICMP) Transport layer protocol (TCP, UDP) Source IP address Source netmask Destnaton IP address Destnaton netmask TCP or UDP port number,

44 4 Intruson Detecton and Preventon (cont d.) IDS software detects many suspcous traffc patterns Examples: denal-of-servce, smurf attacks DMZ (demltarzed zone) Network s protectve permeter IDS sensors nstalled at network edges IDS at DMZ drawback Number of false postves logged IDS can only detect and log suspcous actvty,

45 5 Intruson Detecton and Preventon (cont d.) IDS software detects many suspcous traffc patterns Examples: denal-of-servce, smurf attacks DMZ (demltarzed zone) Network s protectve permeter IDS sensors nstalled at network edges IDS at DMZ drawback Number of false postves logged IDS can only detect and log suspcous actvty,

46 6 Proxy Servers Proxy servce Network host software applcaton Intermedary between external and nternal networks Screens all ncomng and outgong traffc, Proxy server Network host runnng proxy servce Also called applcaton layer gateway, applcaton gateway, proxy Manages securty at Applcaton layer

47 7 Proxy Servers (cont d.) Fundamental functon Prevent outsde world from dscoverng nternal network addresses Improves performance for external users Fle cachng,

48 8 NOS (Network Operatng System) Securty Restrct user authorzaton Access to server fles and drectores Publc rghts Conferred to all users Very lmted Group users accordng to securty levels Assgn addtonal rghts,

49 9 Logon Restrctons Addtonal restrctons to strengthen securty Tme of day Total tme logged on Source address Unsuccessful logon attempts,

50 0 Passwords Choosng secure password Guards aganst unauthorzed access Easy, nexpensve Communcate password gudelnes Use securty polcy Stress mportance of company s fnancal, personnel data securty,

51 What s network securty? confdentalty: only sender, ntended recever should understand message contents sender encrypts message recever decrypts message authentcaton: sender, recever want to confrm dentty of each other message ntegrty: sender, recever want to ensure message not altered (n transt, or afterwards) wthout detecton access and avalablty: servces must be accessble and avalable to users Network Securty

52 Symmetrc key cryptography K S K S plantext message, m encrypton algorthm cphertext K S (m) decrypton algorthm plantext m = K S (K S (m)) symmetrc key crypto: Bob and Alce share same (symmetrc) key: K S e.g., key s knowng substtuton pattern n mono alphabetc substtuton cpher Q: how do Bob and Alce agree on key value? Network Securty

53 Symmetrc key crypto: DES DES: Data Encrypton Standard US encrypton standard [NIST 1993] 56-bt symmetrc key, 64-bt plantext nput block cpher wth cpher block channg how secure s DES? DES Challenge: 56-bt-key-encrypted phrase decrypted (brute force) n less than a day no known good analytc attack makng DES more secure: 3DES: encrypt 3 tmes wth 3 dfferent keys Network Securty

54 Publc Key Cryptography symmetrc key crypto requres sender, recever know shared secret key Q: how to agree on key n frst place (partcularly f never met )? publc key crypto radcally dfferent approach [Dffe- Hellman76, RSA78] sender, recever do not share secret key publc encrypton key known to all prvate decrypton key known only to recever Network Securty

55 RSA n practce: sesson keys exponentaton n RSA s computatonally ntensve DES s at least 100 tmes faster than RSA use publc key cryto to establsh secure connecton, then establsh second key symmetrc sesson key for encryptng data sesson key, K S Bob and Alce use RSA to exchange a symmetrc key KS once both have KS, they use symmetrc key cryptography Network Securty

56 Dgtal sgnatures cryptographc technque analogous to hand-wrtten sgnatures: sender (Bob) dgtally sgns document, establshng he s document owner/creator. verfable, nonforgeable: recpent (Alce) can prove to someone that Bob, and no one else (ncludng Alce), must have sgned document Network Securty

57 Hash functon algorthms MD5 hash functon wdely used (RFC 1321) computes 128-bt message dgest n 4-step process. arbtrary 128-bt strng x, appears dffcult to construct msg m whose MD5 hash s equal to x SHA-1 s also used US standard [NIST, FIPS PUB 180-1] 160-bt message dgest Network Securty

58 Certfcaton authortes certfcaton authorty (CA): bnds publc key to partcular entty, E. E (person, router) regsters ts publc key wth CA. E provdes proof of dentty to CA. CA creates certfcate bndng E to ts publc key. certfcate contanng E s publc key dgtally sgned by CA CA says ths s E s publc key Bob s publc key K B + K B + Bob s dentfyng nformaton CA prvate key K - CA certfcate for Bob s publc key, sgned by CA Network Securty

59 Certfcaton authortes when Alce wants Bob s publc key: gets Bob s certfcate (Bob or elsewhere). apply CA s publc key to Bob s certfcate, get Bob s publc key K B + K B + Bob s publc key CA publc key K + CA Network Securty

60 SSL: Secure Sockets Layer wdely deployed securty protocol supported by almost all browsers, web servers https bllons $/year over SSL mechansms: [Woo 1994], mplementaton: Netscape varaton -TLS: transport layer securty, RFC 2246 provdes confdentalty ntegrty authentcaton orgnal goals: Web e-commerce transactons encrypton (especally credt-card numbers) Web-server authentcaton optonal clent authentcaton mnmum hassle n dong busness wth new merchant avalable to all TCP applcatons secure socket nterface Network Securty

61 SSL and TCP/IP Applcaton TCP IP normal applcaton Applcaton SSL TCP IP applcaton wth SSL SSL provdes applcaton programmng nterface (API) to applcatons C and Java SSL lbrares/classes readly avalable Network Securty

62 SSL cpher sute cpher sute publc-key algorthm symmetrc encrypton algorthm MAC algorthm SSL supports several cpher sutes negotaton: clent, server agree on cpher sute clent offers choce server pcks one common SSL symmetrc cphers DES Data Encrypton Standard: block 3DES Trple strength: block RC2 Rvest Cpher 2: block RC4 Rvest Cpher 4: stream SSL Publc key encrypton RSA Network Securty

63 Real SSL: handshake (1) Purpose 1. server authentcaton 2. negotaton: agree on crypto algorthms 3. establsh keys 4. clent authentcaton (optonal) Network Securty

64 Real SSL: handshake (2) 1. clent sends lst of algorthms t supports, along wth clent nonce 2. server chooses algorthms from lst; sends back: choce + certfcate + server nonce 3. clent verfes certfcate, extracts server s publc key, generates pre_master_secret, encrypts wth server s publc key, sends to server 4. clent and server ndependently compute encrypton and MAC keys from pre_master_secret and nonces 5. clent sends a MAC of all the handshake messages 6. server sends a MAC of all the handshake messages Network Securty

65 Real SSL: handshakng (3) last 2 steps protect handshake from tamperng clent typcally offers range of algorthms, some strong, some weak man-n-the mddle could delete stronger algorthms from lst last 2 steps prevent ths last two messages are encrypted Network Securty

66 Real SSL: handshakng (4) why two random nonces? suppose Trudy snffs all messages between Alce & Bob next day, Trudy sets up TCP connecton wth Bob, sends exact same sequence of records Bob (Amazon) thnks Alce made two separate orders for the same thng soluton: Bob sends dfferent random nonce for each connecton. Ths causes encrypton keys to be dfferent on the two days Trudy s messages wll fal Bob s ntegrty check Network Securty

67 What s network-layer confdentalty? between two network enttes: sendng entty encrypts datagram payload, payload could be: TCP or UDP segment, ICMP message, OSPF message. all data sent from one entty to other would be hdden: web pages, e-mal, P2P fle transfers, TCP SYN packets blanket coverage Network Securty

68 Vrtual Prvate Networks (VPNs) motvaton: nsttutons often want prvate networks for securty. costly: separate routers, lnks, DNS nfrastructure. VPN: nsttuton s nter-offce traffc s sent over publc Internet nstead encrypted before enterng publc Internet logcally separate from other traffc Network Securty

69 Two IPsec protocols Authentcaton Header (AH) protocol provdes source authentcaton & data ntegrty but not confdentalty Encapsulaton Securty Protocol (ESP) provdes source authentcaton, data ntegrty, and confdentalty more wdely used than AH Network Securty

70 Securty assocatons (SAs) before sendng data, securty assocaton (SA) establshed from sendng to recevng entty SAs are smplex: for only one drecton endng, recevng enttles mantan state nformaton about SA recall: TCP endponts also mantan state nfo IP s connectonless; IPsec s connecton-orented! how many SAs n VPN w/ headquarters, branch offce, and n travelng salespeople? Network Securty

71 IKE: PSK and PKI authentcaton (prove who you are) wth ether pre-shared secret (PSK) or wth PKI (pubc/prvate keys and certfcates). PSK: both sdes start wth secret run IKE to authentcate each other and to generate IPsec SAs (one n each drecton), ncludng encrypton, authentcaton keys PKI: both sdes start wth publc/prvate key par, certfcate run IKE to authentcate each other, obtan IPsec SAs (one n each drecton). smlar wth handshake n SSL. Network Securty

72 IPsec summary IKE message exchange for algorthms, secret keys, SPI numbers ether AH or ESP protocol (or both) AH provdes ntegrty, source authentcaton ESP protocol (wth AH) addtonally provdes encrypton IPsec peers can be two end systems, two routers/frewalls, or a router/frewall and an end system Network Securty

73 WEP desgn goals symmetrc key crypto confdentalty end host authorzaton data ntegrty self-synchronzng: each packet separately encrypted gven encrypted packet and key, can decrypt; can contnue to decrypt packets when precedng packet was lost (unlke Cpher Block Channg (CBC) n block cphers) Effcent mplementable n hardware or software Network Securty

74 WEP encrypton (1) sender calculates Integrty Check Value (ICV) over data four-byte hash/crc for data ntegrty each sde has 104-bt shared key sender creates 24-bt ntalzaton vector (IV), appends to key: gves 128-bt key sender also appends keyid (n 8-bt feld) 128-bt key nputted nto pseudo random number generator to get keystream data n frame + ICV s encrypted wth RC4: B\bytes of keystream are XORed wth bytes of data & ICV IV & keyid are appended to encrypted data to create payload payload nserted nto frame encrypted IV Key ID data ICV MAC payload Network Securty

75 WEP decrypton overvew encrypted IV Key ID data ICV recever extracts IV MAC payload nputs IV, shared secret key nto pseudo random generator, gets keystream XORs keystream wth encrypted data to decrypt data + ICV verfes ntegrty of data wth ICV note: message ntegrty approach used here s dfferent from MAC (message authentcaton code) and sgnatures (usng PKI). Network Securty

76 Breakng WEP encrypton securty hole: 24-bt IV, one IV per frame, -> IV s eventually reused IV transmtted n plantext -> IV reuse detected attack: Trudy causes Alce to encrypt known plantext d 1 d 2 d 3 d 4 Trudy sees: c = d XOR k IV Trudy knows c d, so can compute k IV Trudy knows encryptng key sequence k 1 IV k 2 IV k 3 IV Next tme IV s used, Trudy can decrypt! Network Securty

77 802.11: mproved securty numerous (stronger) forms of encrypton possble provdes key dstrbuton uses authentcaton server separate from access pont Network Securty

78 frewall Frewalls solates organzaton s nternal net from larger Internet, allowng some packets to pass, blockng others admnstered network trusted good guys publc Internet untrusted bad guys frewall Network Securty

79 Frewalls: why prevent denal of servce attacks: SYN floodng: attacker establshes many bogus TCP connectons, no resources left for real connectons prevent llegal modfcaton/access of nternal data e.g., attacker replaces CIA s homepage wth somethng else allow only authorzed access to nsde network set of authentcated users/hosts three types of frewalls: stateless packet flters stateful packet flters applcaton gateways Network Securty

80 Access Control Lsts ACL: table of rules, appled top to bottom to ncomng packets: (acton, condton) pars acton source address dest address protocol source port dest port flag bt allow /16 outsde of /16 TCP > any allow outsde of / /16 TCP 80 > 1023 ACK allow /16 outsde of /16 UDP > allow outsde of / /16 UDP 53 > deny all all all all all all Network Securty

81 Stateful packet flterng stateless packet flter: heavy handed tool admts packets that make no sense, e.g., dest port = 80, ACK bt set, even though no TCP connecton establshed: acton source address dest address protocol source port dest port flag bt allow outsde of / /16 TCP 80 > 1023 ACK stateful packet flter: track status of every TCP connecton track connecton setup (SYN), teardown (FIN): determne whether ncomng, outgong packets makes sense tmeout nactve connectons at frewall: no longer admt packets Network Securty

82 Intruson detecton systems packet flterng: operates on TCP/IP headers only no correlaton check among sessons IDS: ntruson detecton system deep packet nspecton: look at packet contents (e.g., check character strngs n packet aganst database of known vrus, attack strngs) examne correlaton among multple packets port scannng network mappng DoS attack Network Securty

83 Network Securty (summary) basc technques... cryptography (symmetrc and publc) message ntegrty end-pont authentcaton. used n many dfferent securty scenaros secure emal secure transport (SSL) IP sec operatonal securty: frewalls and IDS Network Securty

84 4 Authentcaton Protocols Authentcaton Process of verfyng user s credentals Grant user access to secured resources Authentcaton protocols Rules computers follow to accomplsh authentcaton Several authentcaton protocol types Vary by encrypton scheme: And steps taken to verfy credentals,

85 5 RADIUS and TACACS+ Centralzed servce Often used to manage resource access AAA (authentcaton, authorzaton, and accountng) Category of protocols that provde servce Establsh clent s dentty Examne credentals and allow or deny access Track clent s system or network usage,

86 6 RADIUS and TACACS+ (cont d.) RADIUS (Remote Authentcaton Dal-In User Servce) Defned by the IETF Runs over UDP Can operate as applcaton on remote access server Or on dedcated RADIUS server Hghly scalable May be used to authentcate wreless connectons Can work n conjuncton wth other network servers,

87 7 RADIUS and TACACS+ (cont d.) RADIUS (Remote Authentcaton Dal-In User Servce) Defned by the IETF Runs over UDP Can operate as applcaton on remote access server Or on dedcated RADIUS server Hghly scalable May be used to authentcate wreless connectons Can work n conjuncton wth other network servers,

88 8 PAP (Password Authentcaton Protocol) PPP does not secure connectons Requres authentcaton protocols PAP authentcaton protocol Operates over PPP Uses two-step authentcaton process Smple Not secure Sends clent s credentals n clear text,

89 9 CHAP and MS-CHAP CHAP (Challenge Handshake Authentcaton Protocol) Operates over PPP Encrypts user names, passwords Uses three-way handshake Three steps to complete authentcaton process Beneft over PAP Password never transmtted alone Password never transmtted n clear text,

90 0 CHAP and MS-CHAP (cont d.) MS-CHAP (Mcrosoft Challenge Authentcaton Protocol) Used on Wndows-based computers CHAP, MS-CHAP vulnerablty Eavesdroppng could capture character strng encrypted wth password, then decrypt,

91 1 CHAP and MS-CHAP (cont d.) MS-CHAP (Mcrosoft Challenge Authentcaton Protocol) Used on Wndows-based computers CHAP, MS-CHAP vulnerablty Eavesdroppng could capture character strng encrypted wth password, then decrypt,

92 2 EAP (Extensble Authentcaton Protocol) Another authentcaton protocol Operates over PPP Works wth other encrypton and authentcaton schemes Verfes clent, server credentals Requres authentcator to ntate authentcaton process Ask connected computer to verfy tself EAP s advantages: flexblty, adaptablty,

93 x (EAPoL), Codfed by IEEE Specfes use of one of many authentcaton methods plus EAP Grant access to and dynamcally generate and update authentcaton keys for transmssons to a partcular port Prmarly used wth wreless networks Orgnally desgned for wred LAN EAPoL (EAP over LAN) Only defnes process for authentcaton Commonly used wth RADIUS authentcaton

94 4 Kerberos Cross-platform authentcaton protocol Uses key encrypton Verfes clent dentty Securely exchanges nformaton after clent logs on Prvate key encrypton servce Provdes sgnfcant securty advantages over smple NOS authentcaton,

95 5 Kerberos (cont d.), Terms KDC (Key Dstrbuton Center) AS (authentcaton servce) Tcket Prncpal Sngle sgn-on Sngle authentcaton to access multple systems or resources Two-factor authentcaton Example: token and password

96 6 What Are Integrty and Avalablty? (cont d.) Integrty and avalablty compromsed by: Securty breaches Natural dsasters Malcous ntruders Power flaws Human error Follow gudelnes to keep network hghly avalable See Pages of text,

97 7 Malware, Malcous software Program desgned to ntrude upon or harm system, resources Examples: vruses, Trojan horses, worms, bots Vrus Replcatng program ntent to nfect more computers Coped to system wthout user knowledge Replcates through network connectons or exchange of external storage devces

98 8 Fault Tolerance, Capacty for system to contnue performng Despte unexpected hardware, software malfuncton Falure Devaton from specfed system performance level Gven tme perod Fault Malfuncton of one system component Can result n falure Fault-tolerant system goal Prevent faults from progressng to falures

99 9 Fault Tolerance (cont d.) Degrees of fault tolerance Optmal level depends on fle or servce crtcalty Hghest level System remans unaffected by most drastc problem,

100 00 Envronment Consder network devce envronment Protect devces from: Excessve heat, mosture Use temperature, humdty montors Break-ns Natural dsasters,

101 01 Power, Blackout Complete power loss Brownout Temporary dmmng of lghts Causes Forces of nature Utlty company mantenance, constructon Soluton Alternate power sources

102 02 Power (cont d.) Power flaws not tolerated by networks Types of power flaws that create damage Surge Momentary ncrease n voltage Nose Fluctuaton n voltage levels Brownout Momentary voltage decrease, Blackout Complete power loss

103 03 Power (cont d.) Power flaws not tolerated by networks Types of power flaws that create damage Surge Momentary ncrease n voltage Nose Fluctuaton n voltage levels Brownout Momentary voltage decrease, Blackout Complete power loss

104 04 Network Desgn Supply multple paths for data travel Topology LAN: star topology and parallel backbone provde greatest fault tolerance WAN: full-mesh topology SONET technology Uses two fber rngs for every connecton Can easly recover from fault n one of ts lnks,

105 05 Network Desgn (cont d.), Revew PayNTme example on Pages Possble solutons: supply duplcate connecton Use dfferent servce carrers Use two dfferent routes Crtcal data transactons follow more than one path Network redundancy advantages Reduces network fault rsk Lost functonalty, profts Dsadvantage: cost

106 06 Network Desgn (cont d.), Revew PayNTme example on Pages Possble solutons: supply duplcate connecton Use dfferent servce carrers Use two dfferent routes Crtcal data transactons follow more than one path Network redundancy advantages Reduces network fault rsk Lost functonalty, profts Dsadvantage: cost

107 07, Fgure 14-7 Lnk aggregaton between a swtch and server Courtesy Course Technology/Cengage Learnng

108 08 Network Desgn (cont d.), Revew PayNTme example on Pages Possble solutons: supply duplcate connecton Use dfferent servce carrers Use two dfferent routes Crtcal data transactons follow more than one path Network redundancy advantages Reduces network fault rsk Lost functonalty, profts Dsadvantage: cost

109 09 Network Desgn (cont d.), Revew PayNTme example on Pages Possble solutons: supply duplcate connecton Use dfferent servce carrers Use two dfferent routes Crtcal data transactons follow more than one path Network redundancy advantages Reduces network fault rsk Lost functonalty, profts Dsadvantage: cost

110 10 Servers, Crtcal servers Contan redundant components Provde fault tolerance, load balancng Server mrrorng Fault-tolerance technque One devce, component duplcates another's actvtes Uses dentcal servers, components Hgh-speed lnk between servers Synchronzaton software Form of replcaton Dynamc copyng of data from one locaton to another

111 11 Servers (cont d.) Server mrrorng advantage Flexblty n server locaton Dsadvantages Tme delay for mrrored server to assume functonalty Toll on network as data coped between stes Hardware and software costs May be justfable,

112 12 Servers (cont d.) Server mrrorng advantage Flexblty n server locaton Dsadvantages Tme delay for mrrored server to assume functonalty Toll on network as data coped between stes Hardware and software costs May be justfable,

113 13 Servers (cont d.) Server mrrorng advantage Flexblty n server locaton Dsadvantages Tme delay for mrrored server to assume functonalty Toll on network as data coped between stes Hardware and software costs May be justfable,

114 14 Storage, Data storage Issues of avalablty and fault tolerance apply Varous methods avalable Ensure shared data and applcatons never lost or rretrevable RAID (Redundant Array of Independent [or Inexpensve] Dsks) Collecton of dsks Provde shared data, applcaton fault tolerance

115 15 Storage (cont d.) Dsk array (drve) Group of hard dsks RAID drve (RAID array) Collecton of dsks workng n a RAID confguraton Sngle logcal drve,

116 16 Storage (cont d.) Dsk array (drve) Group of hard dsks RAID drve (RAID array) Collecton of dsks workng n a RAID confguraton Sngle logcal drve,

117 17 Storage (cont d.) Dsk array (drve) Group of hard dsks RAID drve (RAID array) Collecton of dsks workng n a RAID confguraton Sngle logcal drve,

118 18 Storage (cont d.) Dsk array (drve) Group of hard dsks RAID drve (RAID array) Collecton of dsks workng n a RAID confguraton Sngle logcal drve,

119 19 Storage (cont d.) Dsk array (drve) Group of hard dsks RAID drve (RAID array) Collecton of dsks workng n a RAID confguraton Sngle logcal drve,

120 20 Data Backup, Backup Copes of data or program fles Created for archvng, safekeepng Store off ste Wthout backup: rsk losng everythng Many backup optons avalable Performed by dfferent software and hardware Use dfferent storage meda types Can be controlled by NOS utltes, thrd-party software

121 21 Backup Strategy Devse a strategy to perform relable backups Document n accessble area Address varous questons Archve bt Fle attrbute Set to on or off On ndcates fle must be archved Used by varous backup methods,

122 22 Backup Strategy (cont d.), Full backup All data coped Uncheck archve bts Incremental backup Copy data changed snce last full, ncremental backup Uncheck archve bts Dfferental backup Copy only data changed snce last backup All data marked for subsequent backup Does not uncheck archve bts

123 23 Backup Strategy (cont d.), Full backup All data coped Uncheck archve bts Incremental backup Copy data changed snce last full, ncremental backup Uncheck archve bts Dfferental backup Copy only data changed snce last backup All data marked for subsequent backup Does not uncheck archve bts

124 24, Fgure The Grandfather-Father-Son backup rotaton scheme Courtesy Course Technology/Cengage Learnng

125 25 Dsaster Recovery Dsaster recovery Restorng crtcal functonalty, data After enterprse-wde outage Affectng more than sngle system, lmted group Consder possble extremes Not relatvely mnor outages, falures, securty breaches, data corrupton,

126 26 Dsaster Recovery Plannng Account for worst-case scenaros Identfy dsaster recovery team Provde contngency plans Restore and replace: Computer systems Power Telephony systems Paper-based fles, Plan contans varous sectons Lessen crtcal data loss rsk

127 27 Summary, Integrty and avalablty: mportant concepts Malware ams to ntrude upon or harm system Ant-malware software part of network protecton Fault tolerance allows system to contnue performng despte unexpected malfuncton Varous types of backup power supples exst Network desgn can provde dfferent levels of fault tolerance Mrrorng, clusterng, RAID, NAS, and SAN can provde fault tolerance