Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Similar documents
IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Computer Security and Privacy

CSC 4900 Computer Networks: Security Protocols (2)

COSC4377. Chapter 8 roadmap

Chapter 8 Network Security

IP Security IK2218/EP2120

CIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

IP Security. Have a range of application specific security mechanisms

CSCE 715: Network Systems Security

Network Encryption 3 4/20/17

IPSec. Overview. Overview. Levente Buttyán

Network Security. Thierry Sans

CSC Network Security

The IPsec protocols. Overview

Firewalls, Tunnels, and Network Intrusion Detection

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

CSC 6575: Internet Security Fall 2017

Lecture 13 Page 1. Lecture 13 Page 3

Computer Networks. Wenzhong Li. Nanjing University

Virtual Private Network

Chapter 8 roadmap. Network Security

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Cryptography and Network Security. Sixth Edition by William Stallings

Lecture 12 Page 1. Lecture 12 Page 3

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

CSC 8560 Computer Networks: Security Protocols

Chapter 6/8. IP Security

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

20-CS Cyber Defense Overview Fall, Network Basics

Chapter 5: Network Layer Security

Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

Sample excerpt. Virtual Private Networks. Contents

Internet security and privacy

IP Security Part 1 04/02/06. Hofstra University Network Security Course, CSC290A

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

Internet Security: Firewall

Chapter 8 Security. Computer Networking: A Top Down Approach. Andrei Gurtov. 7 th edition Jim Kurose, Keith Ross Pearson/Addison Wesley April 2016

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Networking Security SPRING 2018: GANG WANG

8. Network Layer Contents

INTERNET PROTOCOL SECURITY (IPSEC) GUIDE.

Link & end-to-end protocols SSL/TLS WPA 2/25/07. Outline. Network Security. Networks. Link and End-to-End Protocols. Link vs. End-to-end protection

Chapter 24 Wireless Network Security

Network Security: IPsec. Tuomas Aura

05 - WLAN Encryption and Data Integrity Protocols

Computer Security. 12. Firewalls & VPNs. Paul Krzyzanowski. Rutgers University. Spring 2018

CSE509: (Intro to) Systems Security

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers

14. Internet Security (J. Kurose)

Security in IEEE Networks

Application Layer. Presentation Layer. Session Layer. Transport Layer. Network Layer. Data Link Layer. Physical Layer

CS 356 Internet Security Protocols. Fall 2013

EEC-682/782 Computer Networks I

IP Security. Cunsheng Ding HKUST, Kong Kong, China

Chapter 8. Computer Networking: A Top Down Approach Featuring the Internet, 3 rd edition. Jim Kurose, Keith Ross Addison-Wesley, July 2004.

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1

Wireless Network Security Spring 2015

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,

CS155 Firewalls. Why Firewalls? Why Firewalls? Bugs, Bugs, Bugs

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

AIT 682: Network and Systems Security

Security Engineering. Lecture 16 Network Security Fabio Massacci (with the courtesy of W. Stallings)

CSE 565 Computer Security Fall 2018

Cryptography and Network Security

Prof. Shervin Shirmohammadi SITE, University of Ottawa. Security Architecture. Lecture 13: Prof. Shervin Shirmohammadi CEG

Internetworking Lecture 10. Communications and network security

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

Introduction to TCP/IP networking

Wireless Network Security Spring 2016

Virtual Private Networks

CSE/EE 461 Lecture 13 Connections and Fragmentation. TCP Connection Management

Chapter 8 Security. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Protocol Architecture (2) Suguru Yamaguchi Nara Institute of Science and Technology Department of Information Science

Network Security. Tadayoshi Kohno

CSE543 Computer and Network Security Module: Network Security

Computer Communication Networks Network Security

WarDriving. related fixed line attacks war dialing port scanning

Internet and Intranet Protocols and Applications

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

System i. Version 5 Release 4

Virtual Private Networks (VPN)

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 8

VPNs and VPN Technologies

Computer and Network Security

Network Security and Cryptography. December Sample Exam Marking Scheme

Chapter 8 Security. Computer Networking: A Top Down Approach

Chapter 8 Security. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Internet Protocol and Transmission Control Protocol

Wireless Network Security

Lecture 9: Network Level Security IPSec

VPN and IPsec. Network Administration Using Linux. Virtual Private Network and IPSec 04/2009

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Chapter 2 Advanced TCP/IP

Computer Networking. What is network security? Chapter 7: Network security. Symmetric key cryptography. The language of cryptography

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

Transcription:

Firewalls Lecture 33 Security April 15, 2005 Idea: separate local network from the Internet Trusted hosts and networks Intranet Firewall DMZ Router Demilitarized Zone: publicly accessible servers and networks Castle and Moat Analogy More like the moat around a castle than a firewall Restricts access from the outside Restricts outbound connections, too (!!) Important: filter out undesirable activity from internal hosts! Firewall Locations in the Network Between internal LAN and external network At the gateways of sensitive sub-networks within the organizational LAN payroll s network must be protected separately within the corporate network On end-user machines personal firewall Microsoft s Internet Connection Firewall (ICF) comes standard with Windows XP Firewall Types Firewall: Illustration Packet- or session-filtering router (filter) Proxy gateway all incoming traffic is directed to firewall, all outgoing traffic appears to come from firewall application-level: separate proxy for each application different proxies for SMTP (email), HTTP, FTP, etc. filtering rules are application-specific circuit-level: application-independent, transparent only generic IP traffic filtering (example: SOCKS) Personal firewall with application-specific rules e.g., no outbound telnet connections from email client 1

Packet Filtering Packet Filtering Examples For each packet, firewall decides whether to allow it to proceed decision must be made on per-packet basis stateless; cannot examine packet s context (TCP connection, application to which it belongs, etc.) To decide, use information available in the packet IP source and destination addresses, ports protocol identifier (TCP, UDP, ICMP, etc.) TCP flags (SYN, ACK, RST, PSH, FIN) ICMP message type Filtering rules are based on pattern-matching Stateless Filtering is Not Enough Example: Variable Port Use In TCP connections, ports with numbers less than 1024 are permanently assigned to servers 20,21 for FTP, 23 for telnet, 25 for SMTP, 80 for HTTP Clients use ports numbered from 1024 to 16383 they must be available for clients to receive responses What should a firewall do if it sees, say, an incoming request to some client s port 5612? it must allow it: this could be a server s response in a previously established connection OR it could be malicious traffic can t tell without keeping state for each connection Inbound SMTP Outbound SMTP Session Filtering Example: Connection State Table Decision is still made separately for each packet, but in the context of a connection if new connection, then check against security policy if existing connection, then look it up in the table and update the table, if necessary only allow incoming traffic to a high-numbered port if there is an established connection to that port Hard to filter stateless protocols (UDP) and ICMP Typical filter: deny everything that s not allowed must be careful filtering out service traffic such as ICMP 2

Example: FTP Client opens command channel to server; tells server second port number Server acknowledges Server opens data channel to client s second port Client acknowledges 20 Data FTP server PORT 5151 OK DATA CHANNEL TCP ACK FTP client 21 Connection from a Command random port on an 5150 5151 external host FTP Packet Filter The following filtering rules allow a user to FTP from any IP address to the FTP server at 172.168.10.12 access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 21 access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 20! Allows packets from any client to the FTP control and data ports access-list 101 permit tcp host 172.168.10.12 eq 21 any gt 1023 access-list 101 permit tcp host 172.168.10.12 eq 20 any gt 1023! Allows the FTP server to send packets back to any IP address with TCP ports > 1023 interface Ethernet 0 access-list 100 in! Apply the first rule to inbound traffic access-list 101 out! Apply the second rule to outbound traffic! Anything not explicitly permitted by the access list is denied! Weaknesses of Packet Filters Do not prevent application-specific attacks for example, if there is a buffer overflow in URL decoding routine, firewall will not block an attack string No user authentication mechanisms except (spoofable) address-based authentication firewalls don t have any upper-level functionality Vulnerable to TCP/IP attacks such as spoofing solution: list of addresses for each interface (packets with internal addresses shouldn t come from outside) Security breaches due to mis-configuration Abnormal Fragmentation For example, ACK bit is set in both fragments, but when reassembled, SYN bit is set (can stage SYN flooding through firewall) Fragmentation Attack IP Networks, Send 2 fragments with the ACK bit set; fragment offsets are chosen so that the full datagram re-assembled by server forms a packet with the SYN bit set (the fragment offset of the second packet overlaps into the space of the first packet) All following packets will have the ACK bit set Telnet Server Telnet Client Allow only if ACK bit 23 set 1234 SYN packet (no ACK) FRAG1 (with ACK) FRAG2 (with ACK) ACK Eavesdropping Modification of packets in transit Identity spoofing (forged source IP addresses) Denial of service Many solutions are application-specific TLS for Web, S/MIME for email, SSH for remote login IPSec aims to provide a framework of open standards for secure communications over IP protect every protocol running on top of IPv4 and IPv6 3

IPSec: Network Layer Security Network-layer secrecy: sending host encrypts the data in IP datagram TCP and UDP segments; ICMP and SNMP messages. Network-layer authentication destination host can authenticate source IP address Two principle protocols: authentication header (AH) protocol encapsulation security payload (ESP) protocol For both AH and ESP, source-destination handshake: create network-layer logical channel called a service agreement (SA) Each SA unidirectional. Uniquely determined by: security protocol (AH or ESP) source IP address 32-bit connection ID IPSec IPSec = AH + ESP + IPcomp + IKE Protection for IP traffic AH provides integrity and origin authentication ESP also confidentiality Compression Sets up keys and algorithms for AH and ESP AH and ESP rely on an existing security association idea: parties must share a set of secret keys and agree on each other s IP addresses and crypto algorithms Internet Key Exchange (IKE) goal: establish security association for AH and ESP if IKE is broken, AH and ESP provide no protection! IPSec in Transport Mode IPSec in Tunnel Mode End-to-end security between two hosts typically, client to gateway (e.g., PC to remote host) Requires IPSec support at each host Gateway-to-gateway security internal traffic behind gateways not protected Only requires IPSec support at gateways Tunnel Mode Illustration Transport vs Tunnel Mode Transport mode secures packet payload and leaves IP header unchanged Implements IPSec Implements IPSec IP header (real dest) IPSec header TCP/UDP header + data Tunnel mode encapsulates both IP header and payload into IPSec packets IP header (gateway) IPSec header IP header (real dest) TCP/UDP header + data IPSec protects communication on the insecure part of the network 4

ESP Protocol Confidentiality: encrypt packet (+ ESP trailer) Compute Hash Message Authentication Code (HMAC) and add to ESP header Encryption: 3DES, AES Hash: MD5, SHA Security Association One-way sender-recipient relationship SA determines how packets are processed cryptographic algorithms, keys, lifetimes, sequence numbers, mode (transport or tunnel)... SA is uniquely identified by SPI (Security Parameters Index) each IPSec keeps a database of SAs SPI is sent with packet, tells recipient which SA to use destination IP address, and protocol identifier (AH or ESP) Security Association AH (Transport Mode) More than one SA can apply to a packet! e.g., end-to-end authentication (AH) and additional encryption (ESP) on the public part of the network Before AH is applied AH (Tunnel Mode) Before AH is applied AH: Authentication Header Provides integrity and origin authentication Authenticates portions of the IP header Anti-replay service (to counter denial of service) No confidentiality Next header (TCP) Payload length Security parameters index (SPI) Sequence number Reserved ICV: Integrity Check Value (HMAC of IP header, AH, TCP payload) Identifies security association (shared keys and algorithms) Anti-replay Authenticates source, verifies integrity of payload 5

ESP Packet Prevention of Replay Attacks Identifies security association (shared keys and algorithms) Anti-replay TCP segment (transport mode) or entire IP packet (tunnel mode) Pad to block size for cipher, also hide actual payload length Type of payload When SA is established, sender initializes 32-bit counter to 0, increments by 1 for each packet if wraps around 2 32-1, new SA must be established Recipient maintains a sliding 64-bit window if a packet with high sequence number is received, do not advance window until packet is authenticated HMAC-based Integrity Check Value (similar to AH) IEEE 802.11 Security War-driving: drive around Bay area, see what 802.11 networks available? More than 9000 accessible from public roadways 85% use no encryption/authentication packet-sniffing and various attacks easy! Securing 802.11 encryption, authentication first attempt at 802.11 security: Wired Equivalent Privacy (WEP): a failure current attempt: 802.11i Wired Equivalent Privacy (WEP) authentication as in protocol ap4.0 host requests authentication from access point access point sends 128 bit nonce host encrypts nonce using shared symmetric key access point decrypts nonce, authenticates host no key distribution mechanism authentication: knowing the shared key is enough WEP Data Encryption 802.11 WEP Encryption Host/AP share 40 bit symmetric key (semipermanent) Host appends 24-bit initialization vector () to create 64-bit key 64 bit key used to generate stream of keys, k i k i used to encrypt i th byte, d i, in frame: c i = d i XOR k i and encrypted bytes, c i sent in frame (per frame) KS: 40-bit secret symmetric key p l a i n t e x t f r a m e d a t a p l u s C R C key sequence generator ( for given K S, ) k1 k2 k3 kn kn+1 kn+1 d1 d2 d3 dn CRC1 CRC4 c1 c2 c3 cn cn+1 cn +4 Figure 7.8-new1: 802.11 WEP protocol Sender-side WEP encryption 8 0 2. 1 1 h e a d e r WEP-encrypted data plus CRC 6

Breaking 802.11 WEP Encryption Security hole: 24-bit, one per frame, -> s eventually reused transmitted in plaintext -> reuse detected Attack: Trudy causes Alice to encrypt known plaintext d 1 d 2 d 3 d 4 Trudy sees: c i = d i XOR k i Trudy knows c i d i, so can compute k i Trudy knows encrypting key sequence k 1 k 2 k 3 Next time is used, Trudy can decrypt! 802.11i: Improved Security numerous (stronger) forms of encryption possible provides key distribution uses authentication server separate from access point 802.11i: 4 Phases of Operation STA: client station 1 Discovery of security capabilities AP: access point wired network 2 STA and AS mutually authenticate, together generate Master Key (MK). AP serves as pass through 3 STA derives Pairwise Master Key (PMK) 4 STA, AP use PMK to derive Temporal Key (TK) used for message encryption, integrity 3 AS derives same PMK, sends to AP AS: Authentication server 802.11i Requires new encryption key protocols, known as Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES). Officially ratified by the IEEE in June of 2004, and thereby became part of the 802.11 family of wireless network specifications. AES requires a dedicated chip, and this may mean hardware upgrades for most existing Wi-Fi networks. Other features, e.g., key caching, which facilitates fast reconnection to the server for users who have temporarily gone offline. 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback