A Protection Architecture for Enterprise Networks

Similar documents
Ethane: taking control of the enterprise

SANE: A Protection Architecture for Enterprise Networks

On the Internet, nobody knows you re a dog.

Operating Systems Design Exam 3 Review: Spring Paul Krzyzanowski

1/11/11. o Syllabus o Assignments o News o Lecture notes (also on Blackboard)

Easier Management Strategy for Small and Large Enterprise Networks with Enhanced Security

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Advanced iscsi Management April, 2008

Operating Systems. Week 13 Recitation: Exam 3 Preview Review of Exam 3, Spring Paul Krzyzanowski. Rutgers University.

CS 416: Operating Systems Design April 22, 2015

Internetwork Expert s CCNA Security Bootcamp. Mitigating Layer 2 Attacks. Layer 2 Mitigation Overview

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

20-CS Cyber Defense Overview Fall, Network Basics

0x1A Great Papers in Computer Security

Chapter 11: Networks

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

Securing Wireless Networks by By Joe Klemencic Mon. Apr

Chapter 11: It s a Network. Introduction to Networking

ENEE 457: Computer Systems Security 11/07/16. Lecture 18 Computer Networking Basics

Switched environments security... A fairy tale.

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

IPv6 Traffic Hijack Test System and Defense Tools Using DNSSEC

This course prepares candidates for the CompTIA Network+ examination (2018 Objectives) N

Introduction and Overview. Why CSCI 454/554?

Application Firewalls

Computer Security Exam 3 Review. Paul Krzyzanowski. Rutgers University. Spring 2017

NETWORK THREATS DEMAN

Campus Networking Workshop. Layer 2 engineering Spanning Tree and VLANs

CSE 484 / CSE M 584: Computer Security and Privacy. Anonymity Mobile. Autumn Tadayoshi (Yoshi) Kohno

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

CS244a: An Introduction to Computer Networks

Implementing Cisco Network Security (IINS) 3.0

A SIMPLE INTRODUCTION TO TOR

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

Network Security. Thierry Sans

Introduction to IPsec. Charlie Kaufman

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

Identifier Binding Attacks and Defenses in Software-Defined Networks

CSC Network Security

Syllabus: The syllabus is broadly structured as follows:

Internet Security Firewalls

Port Mirroring in CounterACT. CounterACT Technical Note

CS Paul Krzyzanowski

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Computer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition. Chapter 2 Investigating Network Traffic

Application Note 3Com VCX Connect with SIP Trunking - Configuration Guide

Introduction. Controlling Information Systems. Threats to Computerised Information System. Why System are Vulnerable?

Designing Windows Server 2008 Network and Applications Infrastructure

HikCentral V1.3 for Windows Hardening Guide

VPN Auto Provisioning

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. June 18, 2015

The DNS. Application Proxies. Circuit Gateways. Personal and Distributed Firewalls The Problems with Firewalls

Agenda of today s lecture. Firewalls in General Hardware Firewalls Software Firewalls Building a Firewall

CompTIA Network+ Study Guide Table of Contents

Introduction to Security. Computer Networks Term A15

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

High Availability Synchronization PAN-OS 5.0.3

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

CompTIA E2C Security+ (2008 Edition) Exam Exam.

Workshop on Windows Server 2012

Understanding Networking Fundamentals

The IINS acronym to this exam will remain but the title will change slightly, removing IOS from the title, making the new title.

COMPUTER NETWORK SECURITY

NETWORK INTRUSION. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

How to Configure Mobile VPN for Forcepoint NGFW TECHNICAL DOCUMENT

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks

The Road to SDN: An Intellectual History of Programmable Networks Network Virtualization and Data Center Networks SDN - Introduction

Fundamentals of Network Security v1.1 Scope and Sequence

IPv6- IPv4 Threat Comparison v1.0. Darrin Miller Sean Convery

Internet Platform Management. We have covered a wide array of Intel Active Management Technology. Chapter12

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

TCP/IP Networking. Training Details. About Training. About Training. What You'll Learn. Training Time : 9 Hours. Capacity : 12

CSC 574 Computer and Network Security. TCP/IP Security

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

FIREWALL BEST PRACTICES TO BLOCK

key distribution requirements for public key algorithms asymmetric (or public) key algorithms

Network Control, Con t

Venusense UTM Introduction

Configuring Network Admission Control

CIT 380: Securing Computer Systems. Network Security Concepts

this security is provided by the administrative authority (AA) of a network, on behalf of itself, its customers, and its legal authorities

Modular Policy Framework. Class Maps SECTION 4. Advanced Configuration

DNS Security. Ch 1: The Importance of DNS Security. Updated

Cisco CSR1000V Overview. Cisco CSR 1000V Use Cases in Amazon AWS

Computer Networks. Wenzhong Li. Nanjing University

10 Defense Mechanisms

Data Plane Protection. The googles they do nothing.

Assignment - 1 Chap. 1 Wired LAN s

THE SECOND GENERATION ONION ROUTER. Roger Dingledine Nick Mathewson Paul Syverson. -Presented by Arindam Paul

A Framework for Optimizing IP over Ethernet Naming System

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

Lab1. Definition of Sniffing: Passive Sniffing: Active Sniffing: How Does ARP Spoofing (Poisoning) Work?

Networks and Communications MS216 - Course Outline -

Security Considerations for IPv6 Networks. Yannis Nikolopoulos

Configuring OpenVPN on pfsense

Huawei NIP2000/5000 Intrusion Prevention System

IPv6 Security: Oxymoron or Oxycodone? NANOG 60 Atlanta Paul Ebersman IPv6

Transcription:

A Protection Architecture for Enterprise Networks Martin Casado Tal Garfinkel Aditya Akella Michael Freedman (NYU) Dan Boneh Nick McKeown Scott Shenker (Stanford) (Stanford) (CMU/Stanford) (Stanford) (Stanford) (ICSI/Berkeley)

Talk Outline Example: Breaking into an Enterprise network Problems with enterprise security today SANE: rethinking the network architecture

Enterprise Threat Environment Incidental attacks (phishing, spam, worms, viruses, kiddies) External, Targeted Attacks Competitors (e.g. getloaded.com vs. truckstop.com) Idealists (e.g. SCO) Insiders (29% of all attacks?)

Enterprise Threat Environment Incidental attacks (worms, viruses, kiddies) External Targeted Attacks More access to resources Ability to hire skilled attacker Insiders (29% of all attacks?) Locality (access to internal network) Knowledge of internal workings

Example: External Targeted Attack Target: Large company (Bank.com) Attacker Profile: Skill-level equivalent to a B.S. in computer science Rules of Engagement: No physical access Cannot limit availability of network resources Goals: Map out operations Gain access to sensitive information Ability to disrupt internal communications if needed

Step 1: Reconnaissance Netcraft search: bank (find all relevant domains) Google/groups: @bank.com *at*bank*com *bank*com at*bank* frufru at media dot bank dot com lilo [at sign] shingle [dot] bank [dot] com laura@rapnet.something.bank.com Dr. HeL Lo at <dhello@bank.com > Gin ( dot ) H ( dot ) Polka ( at ) bank ( dot ) COM Car Mc Kubrik kubik AT NOSPAM bank dot com Chris Finkledine at chrisfink@bank.com David Spade at spadea@bank.com Alicebob@bank.com

Step 1.5: Profiling Google/groups: *Alicebob* *alicebob*bank* "someone please email me and tell me how to lose the weight? im trying the atkins but its sooo hard! catie how did you lose 67 lbs? what did you eat?? please email me at alicebob@bank.com and tell me ok??" You are truly blessed!!! I wish you a happy and healthy 8 more months. If you don't mind me asking...when was your tr? lengths? Is this your first pregnancy since your TR? I go for my TR on 10/24/03 so I am just trying to get lots of info together. Again Congratulations and I will lift you, dh and little one in prayer!!! etc...

Step 2: Contact Post to forum Establish rapport Get IM/email Write custom trojan Send infected file over IM, email, etc. router Alicebob

Step 3: Do Bad Stuff Gather local information Local network parameters Email addresses, documents etc. Gain access to traffic Sniffing (switches) Redirection (ARP, DHCP, DNS etc.) Further attack through binary injection Redirect + proxy Many vulnerable protocols (http, smtp, htp, nfs, SMB) Determine DoS attack channels router Alicebob

Properties of the Attack Does not require elite attacker Simple to launch by an insider Effective against traditional perimeter security models Difficult to stop with signature detection Weak internal protection allows propagation of attack once inside

IP vs. Security Overly permissive (e.g. broadcast on ARP request) Many heavily trusted components (end-hosts, dhcp, dns, directory service, routers etc.) IP addresses are meaningless (can be forged, stolen, changed etc.) (NOTE: very weak notion of identity) No hiding of info (reconnaissance is easy) No formal support for enforcing access controls within a network

Retrofitting Security onto IP Router ACLS or filtering rules at router Static ARP cache at router Port security on switch Static ARP cache on end-hosts Signature detection Proxies at choke points (full TCP termination) VLANs for isolation

Common Solutions = Crummy Networks (and not-great security) Inflexible Hard to move a machine (yet difficult to know if someone has moved) Really difficult to deploy a new protocol Brittle Change a firewall rule, break security policy Add a switch, break security policy Confusing Many disparate point solutions State = a bunch of soft state Hard to state meaningful policies Lose redundancy Introduce choke points Can't migrate routes b/c of all the soft state Strong coupling of topology and security policy

Argument Thus Far Targeted attacks can be quite effective IP not designed for attack resistance permissive Many trusted components Unauthenticated end-points No attempt to control access to information Attempts to retrofit access controls have resulted in less-than-ideal networks

Our Approach: Start from Scratch Secure by design Reduce trusted computing base Leverage characteristics unique to Enterprise Centrally managed Known users Structured connectivity Simple policy declaration Retain flexibility and redundancy (decouple topology and security policy)

SANE (Secure Architecture for the Networked Enterprise) Centrally declared policy defines all connectivity Policy declared over users, services, hosts (e.g. Alice can access internal-web using http) All communication requires permission (at the flow level) Users must authenticate before using network Network information is tightly controlled

SANE: High-Level Operation Authenticate Request hi, I m tal, my password is martin.friends.ambient-streams martin.friends.ambient-streams Publish Authenticate Global Network Policy: (allow all host all) martin.friends.ambient-streams allow hi, I m tal, martin, sundar, my aditya password is

SANE: Component Overview Send network topology information to Publish the DC Provide default connectivity Domain services Controller at the DC Specify access to controls the DC (export streams.ambient allow tal) Enforce paths Request created by access DC to services Handle flow revocation Switches Authenticates switches/end-hosts Contains network topology Computes routes Handles permission checking for all flows End-Hosts

Connectivity to the DC Switches construct spanning tree Rooted at DC Switches don t learn topology (just neighbors) Provides basic datagram service to DC

Keys Establishing Shared Switches authenticate with DC and establish symmetric key Ike2 for key establishment All subsequent packets to DC have authentication header (similar to ipsec esp header) K sw1 K sw2 K sw1 K sw2 K sw3 K sw4 K sw4 K sw3

Establishing Topology Switches generate neighbor lists K sw1 K sw2 K sw3 K sw4 during MST algorithm Send encrypted neighbor-list to DC DC aggregates to full topology No switch knows full topology K sw1 K sw2 K sw4 K sw3

User Authentication DC creates route from itself to authentication server Use third-party mechanism for user authentication Kerberos Radius AD DC places itself on-route for all authentication Snoops protocol to determine if authentication is successful Identifies user by location + network identifier (e.g. MAC address) DC Kerberos

Connection Setup Switches disallow all Ethernet broadcast (and respond to ARP for all IPs) First packet of every new flow is sent to DC for permission check DC sets up flow at each switch Packets of established flows are forwarded using multi-layer switching <src,dst,sprt,dprt> <ARP reply> <src,dst,sprt,dprt> Alice? DC Bob

Security Properties (revisited) Permission check before connectivity Simple mechanism Users only access resources they have permission to Policy enforced at every switch Authenticated end hosts (bound to location) High level policy declaration (topology independent) Control information regarding packet path, topology

Other Nice Properties Central point for connection logging (DC) Addition of switches (redundancy) does not undermine security policy Application-informed routing Anti-mobility

Extensions and Considerations Backwards compatibility Middlebox integration Performance Fault Tolerance Managing the DC as a single point of failure Adaptive routing

Easing Deployment Use trivial 2-port switches (bumps) On links between Ethernet switches Can be enhanced by using VLAN per port

Middle Box Integration Control of routes is powerful DC can force routes through middlebox based on policy Signature detection E.g. signature detection for all flows from laptops and users in marketing

Performance Decouple control and data path in switches Software control path (connection setup) (slightly higher latency) Simple, fast, hardware forwarding path (Gigabits) Dest MAC Addr check Flow Table Forwarding Encryption Not Found Software Broadcast

DC: Single Point of Failure? Exists today (DNS) Permission check is fast Replicate DC Computationally (multiple servers) Topologically (multiple servers in multiple places)

Status Built software version of similar system (using capabilities) All components in software Ran in group network (7 hosts) 1 month Currently in development of full system Switches in hardware + software DC using standard PC

Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback