this security is provided by the administrative authority (AA) of a network, on behalf of itself, its customers, and its legal authorities

Similar documents
Network Security. Thierry Sans

On the Internet, nobody knows you re a dog.

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Perfect Imitation and Secure Asymmetry for Decoy Routing Systems with Slitheen. 20 June 2017 EPFL Summer Research Institute

Lecture 12. Application Layer. Application Layer 1

Firewalls, Tunnels, and Network Intrusion Detection

Network Security: Network Flooding. Seungwon Shin GSIS, KAIST

A SIMPLE INTRODUCTION TO TOR

CS Paul Krzyzanowski

Internet Protocol and Transmission Control Protocol

Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks

DNS Security. Ch 1: The Importance of DNS Security. Updated

Chapter 7. Denial of Service Attacks

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

DoS Cyber Attack on a Government Agency in South America- February 2012 Anonymous Mobile LOIC in Action

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

Best Practice - Protect Against TCP SYN Flooding Attacks with TCP Accept Policies

Chapter 8 roadmap. Network Security

CSE 565 Computer Security Fall 2018

Denial of Service (DoS)

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Router and ACL ACL Filter traffic ACL: The Three Ps One ACL per protocol One ACL per direction One ACL per interface

Detecting Specific Threats

Telex Anticensorship in the

Comprehensive datacenter protection

Computer Science 461 Final Exam May 22, :30-3:30pm

Flashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities

PROTECTING INFORMATION ASSETS NETWORK SECURITY

Computer Security Exam 3 Review. Paul Krzyzanowski. Rutgers University. Spring 2017

Features of a proxy server: - Nowadays, by using TCP/IP within local area networks, the relaying role that the proxy

COSC 301 Network Management

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities

CSE 565 Computer Security Fall 2018

Deployment Scenarios for Standalone Content Engines

The Tor Network. Cryptography 2, Part 2, Lecture 6. Ruben Niederhagen. June 16th, / department of mathematics and computer science

502 / 504 GATEWAY_TIMEOUT errors when browsing to certain sites

Configuring Access Rules

Configuring attack detection and prevention 1

Distributed Denial of Service (DDoS)

Chapter 10: Denial-of-Services

The Internet is not always a friendly place In fact, hosts on the Internet are under constant attack How to deal with this is a large topic

BIG-IP otse vastu internetti. Kas tulemüüri polegi vaja?

COMPUTER NETWORK SECURITY

Denial of Service, Traceback and Anonymity

Basic Concepts in Intrusion Detection

Unit 4: Firewalls (I)

Intelligent and Secure Network

Telex Anticensorship in the Network Infrastructure

Anonymous Communication and Internet Freedom

Basic NAT Example Security Recitation. Network Address Translation. NAT with Port Translation. Basic NAT. NAT with Port Translation

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Software-Defined Networking (SDN) Now for Operational Technology (OT) Networks SEL 2017

Network Control, Con t

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

20-CS Cyber Defense Overview Fall, Network Basics

0x1A Great Papers in Computer Security

Anonymous Communication and Internet Freedom

Imma Chargin Mah Lazer

Sirindhorn International Institute of Technology Thammasat University

BIG-IP Application Security Manager : Attack and Bot Signatures. Version 13.0

Networking Security SPRING 2018: GANG WANG

The Invisible Threat of Modern Malware Lee Gitzes, CISSP Comm Solutions Company

The Protocols that run the Internet

CSE 565 Computer Security Fall 2018

dfence: Transparent Network- based Denial of Service Mitigation

CSc 466/566. Computer Security. 18 : Network Security Introduction

Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring

Configuring attack detection and prevention 1

Computer Network Vulnerabilities

Configuring F5 for SSL Intercept

F5 DDoS Hybrid Defender : Setup. Version

Improving Network Security by SDN OrchSec and AutoSec Architectures

Computer Security and Privacy

CyberP3i Course Module Series

CSC 4900 Computer Networks: Security Protocols (2)

DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors

CSE/EE 461 Lecture 13 Connections and Fragmentation. TCP Connection Management

Network Security. Tadayoshi Kohno

Slitheen: Perfectly Imitated Decoy Routing through Traffic Replacement

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

F5 Synthesis Information Session. April, 2014

BIG-IP Local Traffic Management: Basics. Version 12.1

Corrigendum 3. Tender Number: 10/ dated

Computer Security. 12. Firewalls & VPNs. Paul Krzyzanowski. Rutgers University. Spring 2018

Securing Online Businesses Against SSL-based DDoS Attacks. Whitepaper

Advanced Security and Mobile Networks

Closed book. Closed notes. No electronic device.

Computer Security: Principles and Practice

Personalized Pseudonyms for Servers in the Cloud. Qiuyu Xiao (UNC-Chapel Hill) Michael K. Reiter (UNC-Chapel Hill) Yinqian Zhang (Ohio State Univ.

Configuring Firewall TCP SYN Cookie

Network Security. Course notes. Version

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0

CompTIA Security+ CompTIA SY0-401 Dumps Available Here at:

Mitigating Outgoing Spam, DoS/DDoS Attacks and Other Security Threats

haltdos - Web Application Firewall

Scrutinizer Flow Analytics

Transcription:

INFRASTRUCTURE SECURITY this security is provided by the administrative authority (AA) of a network, on behalf of itself, its customers, and its legal authorities Goals * prevent or mitigate resource attacks (one way to make a denial-ofservice attack) - resources are link bandwidth, compute cycles, memory - there is always some amplification (or the attacker would be no better off than the target) e.g., botnets e.g., SYN flood e.g., random subdomain DNS attack e.g., demanding HTTP requests e.g., reflection attack e.g., trigger Ethernet broadcast - the attacker often tries to hide e.g., false IP source address ("spoofing") e.g., master of a botnet is hidden e.g., short times-to-live - because of fate sharing, an attack at any level works

Goals, Continued * block specific communications - spam, robocalls, malware - illegal communication, communication that violates parental controls (might be recorded instead of blocked) - unplanned communication in an enterprise network - port scanning * protecting freedom and privacy - complementary to endpoint security, because the adversary observes packet headers, etc. that are not encrypted - the opposite of blocking -same technology, taking different sides Packet Filtering * by far the most common technique for infrastructure security

BASIC FILTERING FIREWALL ROUTER INTRUSION DETECTION SYSTEM INTRUSION PREVENTION SYSTEM FILTERING CRITERIA predicates on IP packet headers can have a table of ongoing sessions any predicates; keeping data on traffic, looking for anomalies ACTIONS TAKEN drop packets raise an alarm, divert packets for further analysis drop packets, refuse requests PACKET STEERING located at all network edges, need session affinity located on all packet paths special-purpose forwarding HOW ARE THE FILTERS PROTECTED? big capacity virtualized for dynamic scale-out

* filtering criteria - signature-based - source name if bad communication (flooding, spam) is one-way, source name can be false, which is a problem; on the other hand, having a false source name is a clear sign of bad communication - anomaly detection for diagnosis of flooding attacks - filtering criteria are a real weak point in infrastructure security; either attacks are missed or there is a lot of collateral damage from filtering out good packets * positive filtering: drop is default, identify good packets to get through - there is an pattern for positive filtering

OVERLAY PATTERN FOR POSITIVE FILTERING PATHS THOUGH MACHINES TO PROTECTED TARGET source S2 ingress egress T s Internet network filter filter source S1 ingress egress protected target T all paths of approved packets go through nodes all paths to target go through filtering nodes

OVERLAY PATTERN FOR POSITIVE FILTERING 1. How do packets get approved and enter the? network src = S1, dst = T TCP compound application TCP session ingress I egress E protected target T src = S1, dst = T src = I, dst = E src = E, dst = T source S1 TCP ingress I implements link egress E filter implements link protected target T public Internet T s Internet network 2. How are packets routed through the to hide them from attackers? 3. What are the secrets by which the filters recognize packets?

PROXIES SUBVERT FILTERING it may be benign set up your network this way so some users can escape an over-simplified firewall it may be ethical user may want privacy, freedom from censorship, anonymity from acceptor of session user s machine server s machine Web-based application network [browser] HTTP session dynamic link dangerous. com src = user, dst = proxy src = proxy, dst = server proxied TLS session TLS session user proxy server user s IP network this IP interface uses proxy as destination, ignores HTTP request other IP networks this IP interface looks up dangerous.com in DNS

PROXIES SUBVERT FILTERING in the last scheme, if user is subject to censoring in access network, access network could block packets to known proxies to use decoy routing, Cirripede, Telex, user must first send a message to the friendly network that, in a secret code, tells the friendly network that he wants to use the service packet timing, order of TCP packets, unused packet fields, pseudo-random packet fields censoring network friendly network 1. subsession between proxy and overt overt destination Cirripede client censoring filter deflecting router Cirripede proxy subsession between client and proxy 2. subsession between proxy and covert covert destination to get privacy from proxies, need Tor over-rides normal routing for this client requires a very complex session protocol

* filtering resources - there is a vast tree of paths from sources to target (root of tree), across multiple networks - advantages of filtering near target: fewer paths to cover, fewer packets to process, target's network has the incentives to do it - advantages of filtering near sources: attack traffic is dropped sooner, source's access network knows more about the source, there are many more resources near sources than near the target - disadvantages of filtering near sources: lack of incentives, coordination is difficult (complex, hard to secure) * today s practices - filter near targets, with virtualization in clouds to provide the resources necessary during attacks - also replicate and virtualize the protected target, so there is more capacity to withstand attacks - reduce amplification with SYN cookies, longer DNS caching, etc.

Compositional Intrastructure Security * interactions with bridging - if a network is isolated (no bridging), then attacker needs physical access * interactions with layering - we must have this property for filtering to be valid: no packet is received on a link that was not sent on the link - sounds easy, but what if the link belongs to a cloud tenant, and is implemented in a network shared among tenants? - signature-based filtering looks for specific keywords in specific positions in a packet, so it had better know the exact layers above the filter (better to filter in each network separately) * interactions with middleboxes - packet filters are middleboxes, so all the issues with encryption and middleboxes are relevant - the interaction between proxies and filtering is extremely important; there is a battle for control among users, proxy hosts, network AAs, services * interactions with routing - routing might send packets of the same session along different routes because of failures or load-balancing, which conflicts with the need for session affinity * interactions with session protocols - SYN cookies dumb down TCP, which is not helpful to those trying to extend it; SYN-flood-defense servers don t have this bad interaction

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback