CS526: Information Security Chris Clifton

Transcription

1 CS526: Information Security Chris Clifton November 13, 2003 Network Security Network Security: What is the Problem? Name examples of security breaches Morris Worm viruses (many) CS526, Fall

2 Network Security: What is it? What is the purpose of a network? Move bits from A to B Securely A Network B CS526, Fall Securely means Confidentiality Only A and B see bits Integrity Message intact Really from A Order? Availability B gets it in time A Network B CS526, Fall

3 Network Security: What is the Problem? Were our examples Network security failures? Morris Worm viruses (many) CS526, Fall Confidentiality Encryption Integrity Digital Signatures Retransmission Order? Availability Quality of Service Network Security: Mostly Solved! CS526, Fall

4 Network Security: What s all the fuss? Firewalls Solve poor internal security using the network Intrusion Detection Detect non-network security breaches accomplished via the network Early start on forensics CS526, Fall Network Security: What is interesting? Distributed Authentication Scaling issues Autonomy Distributed Cooperation Commit Fault tolerance Availability Denial of service But first: State of practice CS526, Fall

5 Typical corporate network Intranet Firewall Mail forwarding Demilitarized Zone (DMZ) File Server Web Server Web Server DNS (DMZ) Mail server DNS (internal) Firewall User machines User machines User machines Internet CS526, Fall Network Regions Internet Intranet DMZ Network Boundaries Firewall Typical network: Terms Filtering firewall: Based on packet headers Audit mechanism Proxy Proxy firewall: Gives external view that hides intranet CS526, Fall

6 Issues IP: Intranet hidden from outside world Internal addresses can be real Proxy maps between real address and firewall Fake addresses: 10.b.c.d, 172.[16-31].c.d, c.d Network Address Translation Protocol maps internal to assigned address Mail Forwarding Hide internal addresses Map incoming mail to real server Additional incoming/outgoing checks CS526, Fall Firewalls: Configuration External Firewall What traffic allowed External source: IP restrictions What type of traffic: Ports (e.g., SMTP, HTTP) Proxy between DMZ servers and internet Proxy between inner and outer firewall Internal Firewall Traffic restrictions: Ports, From/to IP Proxy between intranet and outside CS526, Fall

7 DMZ Administration Direct console access required? Real hassle Special access SSH connections allowed from internal to DMZ administration connections Only from specified internal IPs Only through internal firewall CS526, Fall Distributed Authentication Authentication has been covered But does it scale? Scaling Issues: Repeat authentication Multiple administrators CS526, Fall

8 Repeat authentication: Kerberos Kerberos developed at MIT in the 1980s Project Athena: clusters of publicly available computers for student/faculty use Shared file service log in anywhere Problem: how to ensure user logging in at A authorized to use resources at B? Solution: ticket as credential Ticket server Client Client address Valid time Session key Encrypted with ticket server s key CS526, Fall Kerberos Authentication Example Client sends to Authentication Server Client name, Ticket server name Authentication Server returns Client: {k client,ticket server } k client password, ticket client, ticket server Client performs similar exchange with ticket server Ticket contains session key, only ticket server can decrypt Now client has session key and ticket for service Message includes ticket and encrypted generation time as signature CS526, Fall

9 Kerberos: Problems Subject to replay attacks Relies on clock synchronization Window of opportunity based on maximum message delay Standard password attacks Password used to decrypt initial authenticator ticket Some fixed fields enable verifying if password broken CS526, Fall The Next Problem: Multiple Administration Domains Problem: Many users We know how to authenticate But how to administer? Solution: Hierarchical directories X.500, LDAP, Active Directory CS526, Fall

10 X.500: What is it? Goal: Global white pages Lookup anyone, anywhere Developed by Telecommunications Industry ISO standard directory for OSI networks Idea: Distributed Directory Application uses Directory User Agent to access a Directory Access Point CS526, Fall Issues How is name used? Access resource given the name Build a name to find a resource Information about resource Do humans need to use name? Construct and Recall Is resource static? Resource may move Change in location may change name Performance requirements Human-scale CS526, Fall

11 Directory Information Base (X.501) Tree structure Root is entire directory Levels are groups Country Organization Individual Entry structure Unique name Build from tree Attributes: Type/value pairs Schema enforces type rules Alias entries CS526, Fall Directory Entry Organization level CN=Purdue University L=West Lafayette Person level CN=Chris Clifton SN=Clifton TITLE=Associate Professor CS526, Fall

12 Query: Directory Operations (X.511) Read get selected attributes of an entry Compare does an entry match a set of attributes List children of an entry Search portion of directory for matching entries Abandon request Modification add, remove, modify entry Modify distinguished name CS526, Fall Distributed Directory (X.518) Directory System Agent May have local data Can forward requests to other system agents Can process requests from user agents and other system agents Referrals If DSA can t handle request, can make request to other DSA Or tell DUA to ask other DSA CS526, Fall

13 Access Control Directory information can be protected Two issues: Authentication (X.509) Access control (X.501) Standards specify basic access control Individual DSA s can define their own CS526, Fall Replication (X.525) Single entries can be replicated to multiple DSAs One is master for that entry Two replication schemes: Cache copies On demand Shadow copies Agreed in advance Copies required to enforce access control When entry sent, policy must be sent as well Modifications at Master only Copy can be out of date Each entry must be internally consistent DSA giving copy must identify as copy CS526, Fall

14 Protocols (X.519) Directory Access Protocol Request/response from DUA to DSA Directory System Protocol Request/response between DSAs Directory Information Shadowing Protocol DSA-DSA with shadowing agreement Directory Operational binding management Protocol Administrative information between DSAs CS526, Fall Uses Look-up Attributes, not just Distinguished Name Context Humans can construct likely names Browsing Yellow pages Aliases Search restriction/relaxation Groups Multi-valued member attribute Authentication information contained in directory E.g., password attribute CS526, Fall

15 LDAP vs. X.500 Lightweight Directory Access Protocol Supports X.500 interface Doesn t require OSI protocol IETF RFC 2251, 2256 X.500 for the internet crowd Useful as generic addressing interface Netscape address book System logon identification/authentication CS526, Fall The Next Problem: Multiple Administration Domains Problem: Many users We know how to authenticate But how to administer? Solution: Hierarchical directories X.500, LDAP, Active Directory Still not enough Is every administrator in the hierarchy enforcing our policy? Think this is an interesting area of research? Talk to Prof. Ninghui Li CS526, Fall

16 CS526: Information Security Chris Clifton November 18, 2003 Network Security Attacks and Defense Confidentiality on the network manageable Encryption to protect transmission Public key cryptography / key management to verify recipient Integrity reducible to single system Digital signatures verify source Commit protocols handle network failure What about Availability? CS526, Fall

17 Network Attacks Flooding Overwhelm TCP stack on target machine Prevents legitimate connections Routing Misdirect traffic Spoofing Imitate legitimate source But we know how to handle this! CS526, Fall What is a Flood attack? Limit availability by Overwhelming service by following service s protocol Perhaps not exactly Examples SYN flood Overwhelms TCP stack attacks CS526, Fall

18 Syn Flood TCP connection multistep SYN to initiate SYN+ACK to respond ACK gets agreement Sequence numbers then incremented for future messages Ensures message order Retransmit if lost Verifies party really initiated connection We ll get back to this CS526, Fall Syn Flood Implementation Receive SYN Allocate connection Acknowledge Wait for response See the problem? What if no response And many SYNs All space for connections allocated None for legitimate ones Time? CS526, Fall

19 Solution Ideas Limit connections from one source? But source is in packet, can be faked Ignore connections from illegitimate sources If you know who is legitimate Can figure it quickly And the attacker doesn t know this Drop oldest connection attempts Adaptive timeout CS526, Fall Network Solutions TCP intercept Router establishes connection to client When connected establish with server Synkill Monitor machine as firewall Good addresses: history of successful connections Bad addresses: previous timeout attempt Block and terminate attempts from bad addresses CS526, Fall

20 Protocol solutions Problem: Server maintaining state Runs out of space Solution: Don t maintain state on server How does it know sequence numbers? Encrypt in SYN response h(source,destination,random)+sequence+time Client increments this and ACKs Server subtracts h(), time to get sequence Knows if this is in valid range CS526, Fall Service-Level Flooding Overload server Processing Storage Typically garbage requests using legitimate protocol Large s to victim Many http connections Heavy use of scripts Often exploit flaws in service implementation Self-replicating attacks CS526, Fall

21 Solutions Limit traffic from any source Still open to distributed attacks Quality of Service Guarantee service to known good sites Careful Programming Don t allow service to defeat itself Throttling Limit traffic to any service Protects other services on same host CS526, Fall IP-Spoofing Start with SYN flood to spoofed client Open connection from spoofing client to server Real client fails to respond Should terminate Spoofing client sends ACK Must guess Sequence Number S CS526, Fall

22 CS526: Information Security Chris Clifton November 18, 2003 Network Security (slides courtesy Wenke Lee) Note to 1 st year SFS students (only) Interested in Summer internship? Independent study or thesis next year? Did the ITSEC/Common Criteria lectures interest you? If so, please talk to me after class CS526, Fall

23 Routing Routers/ Switches SRC I want to know the shortest path DST So, the routers must exchange local information! CS526, Fall IP Routing Routing is based on network addresses Routers use forwarding table Destination, next hop, network interface, metric Table look-up for each packet Need to recognize address structure Routing information exchange allows computation of new routes, which is used to update the forwarding table CS526, Fall

24 Routing Protocol Framework - Information Model OSPF RIB RIPv2 RIB BGP4 RIB Forwarding Information Base FIB FIB (Dest, NextHop, Routing Metrics) Forwarding Algorithm NPDU Header (Network Protocol Data Unit) Forwarding Decision CS526, Fall Routing Information Link State: I have these links to XYZ (routers or networks); their current status is (e.g., delay) Distance Vector: I can get to XYZ (networks) in m hops CS526, Fall

25 Every node sends its neighbor a vector: the # of hops of reaching each B other node. A Distribution of Routes - Distance Vector C CS526, Fall Link State A node sends to its neighbors the state of its directly connected links: up/down and costs. Each node that receives the information forwards it to all its neighbors. CS526, Fall

26 Routing Security Routing Information Exchange correctness of Routing Information Base Interface between RIB and FIB configuration, FIB update etc. Kernel-Level (IP): Packet Forwarding Is the packet forwarded according to the FIB? CS526, Fall RIP Routing information protocol is a simple distance vector protocol Initialization: When the routing daemon is initialized, it sends requests through each network interface Neighboring routers will reply with routing table information Updates: Routers advertise tables with neighbors periodically (~30 seconds); or triggered by route changes. CS526, Fall

27 RIP - Cont d To prevent route oscillation, existing routes are retained until a new one is discovered with strictly lower cost Split-Horizon Update Routers do not advertise a route on an interface from which it learned of the route in the first place! CS526, Fall Properties: RIP Good news travels fast; Bad news travels slowly Routing loop, routing inconsistency, and slow convergence Security: Ripv2 provides simple password authentication Black hole routers possible CS526, Fall

28 Route Convergence - good news A: 0 A: 1 A: 2 A: 3 A: 4 A: G1 G2 G3 G4 G5 G1 happily advertises route to network A with distance 1 G2-G5 G5 quickly learns the good news and install the routes CS526, Fall A: 0 A: 3 A: 2 A: 3 A: 4 A: Route Convergence - bad news G1 G2 G3 G4 G5 G1 s s link to A goes down G1 learns a better route via G2 Packets going to A through G2 will loop between G2 and G1 G1 and G2 will find the cost of their routes to A slowly count to infinity Use a number, e.g., 16, to approximate infinity Split horizon only prevents loops involving two nodes CS526, Fall

29 A B Black DHole E A: 3 hops B: 2 hops C: 2 hops You: G F Who won t t jump on a better route? C Your Neighbor: H A: 1 hop C C lies easily about routes to A Your neighbor and you look into the routes CS526, Fall Food for Thought... RIP implicitly assumes: every router is trusted and so are routing information packets Every router is entitled to tell others I have a short cut to Pluto that is just one hop Is it possible to prevent RIP black hole attacks? Is is possible to detect RIP black routers? CS526, Fall

30 One possible improvement Predecessor is the second-to-last network is the path from the source to the destination Inclusion of predecessor allows implicit reconstruction of the whole path Helps to validate the integrity of distance CS526, Fall Predecessor A: B B A D E A: B A: B You: G A: F A: B F A: B C A: 1 hop A: B Your Neighbor: H A: B 4 B: D 3 C: C 1 D: G 2 E: G 2 F: B 4 G: G 1 CS526, Fall

31 OSPF Link State routing protocol (RFC1583) Routers are organized in domains and areas Hello message for neighbor acquisition Link State information are flooded through the whole area A topology database is maintained by every router CS526, Fall Important LSA Fields Advertising router ID (originator) Advertised link or network ID Sequence number [0x ,0x7fffffff] Age [0, 60 minutes] CS526, Fall

32 When to Originate a LSA? Upon link state changes, or Upon timer expiration CS526, Fall Questions to Ask: How do you know one LSA is fresher than the other? An LSA originated by you will be received by every router; will you receive the LSA originated by you? Will the sequence number wrap-around around cause any problem? (i.e., == 0x7fffffff) Age ==> 1 hour CS526, Fall

33 Sequence #: old vs. new LSAs 0x ATM Next: 0x Only accept LSAs with newer/larger Seq#. CS526, Fall Sequence# & Self-Stabilization (2). router crashes. (3). 0x (1). 0x up (5). 0x ATM up (4). 0x an old copy still exists! CS526, Fall

34 Flushing via Premature Aging Specified behavior when Seq# # wraps around: (1),(2),(3) (1) 0x7FFFFFFF MaxSeq# ATM (2) 0x7FFFFFF with MaxAge to purge this entry. (3) 0x CS526, Fall Attack the Routing Infrastructure (Vicious Advertising Routers) Flooding up up EVIL! 1. up ==> down 2. not exist ==> up up up Impact varies depending on how critical the link is to the world! CS526, Fall

35 Attack the Routing Infrastructure (Vicious Intermediate Routers) Flooding up down All the links can be attacked EVIL! up down Authentication, please come to the rescue! CS526, Fall Exchanging without LSA Signature? If attackers can just change the content of LSAs without being detected, the routers must use all LSAs with care! Seq# ATM CS526, Fall

36 Fight-Back - Originator Reaction Seq# (1) 0x ATM (3) 0x fight-back (2) 0x seq++ attack CS526, Fall Signature - How Critical? Observations: Prolonged fight-back will not happen in real attacks What s preventing the attacker from using LS_seq=MaxSeq? Can you prevent false LSA without signature? Can you determine who did it after you realize that you ve been fooled without signature? What needs to be signed by whom anyway? CS526, Fall

37 OSPF Security Strength In most benign cases, if something goes wrong, the advertising router will detect it and try to correct it by generating new LSAs The attackers have to persistently inject bad LSAs in order for it to stick Self-Stabilization Protocols: force the attackers to perform persistent attacks CS526, Fall Detection of Hit-and-Run vs. Persistent Attacks Hit-and-Run Attacks: Hard to Detect/Isolate Inject one (or very few) bad packet but cause lasting damaging effect Persistent Attacks: Attackers have to continuously inject attack packets in order to inflict significant damages OSPF type of Link State protocols are resilient to hit-and-run attacks CS526, Fall

38 Secure Protocol/system Design? If we can force the attackers to launch persistent attacks, we have a better chance to detect and isolate the attack sources OSPF flooding coupled with periodic LSA does a fairly good job because it is refreshing link state persistently! What other implications do flooding have on security? CS526, Fall