Network Control, Con t

Similar documents
Network Neutrality. Announcements. Middleboxes. Discussion: Limited QoS Deployment. Goals of Today s Lecture. Exploiting Lack of End-to-End QoS

Middleboxes. EE 122: Intro to Communication Networks. Fall 2006 (MW 4-5:30 in Donner 155) Vern Paxson TAs: Dilip Antony Joseph and Sukun Kim

CSE 565 Computer Security Fall 2018

Network Interconnection

Network Attacks. CS Computer Security Profs. Vern Paxson & David Wagner

Networking Overview. CS Computer Security Profs. Vern Paxson & David Wagner

Denial-of-Service (DoS), continued

CSC Network Security

Firewalls, Tunnels, and Network Intrusion Detection

Spring 2010 CS419. Computer Security. Vinod Ganapathy Lecture 14. Chapters 6 and 9 Intrusion Detection and Prevention

Securing Internet Communication

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Detecting Attacks, Part 1

CS 161 Computer Security

CSC 4900 Computer Networks: Security Protocols (2)

Internet Protocol and Transmission Control Protocol

IP Security. Have a range of application specific security mechanisms

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Application Firewalls

Computer Security and Privacy

Computer and Network Security

CSCE 715: Network Systems Security

COSC 301 Network Management

CyberP3i Course Module Series

Lecture 11: Middleboxes and NAT (Duct tape for IPv4)

CS 161 Computer Security

4.1.3 Filtering. NAT: basic principle. Dynamic NAT Network Address Translation (NAT) Public IP addresses are rare

CIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec

Internet Security: Firewall

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Protection of Communication Infrastructures

Network Security Fundamentals

Network Security: Firewalls. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

Network Protocols - Revision

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Web Security, Part 2

20-CS Cyber Defense Overview Fall, Network Basics

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

IPV6 SIMPLE SECURITY CAPABILITIES.

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

Sample excerpt. Virtual Private Networks. Contents

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security

Privacy. CS Computer Security Profs. Vern Paxson & David Wagner

CSC 6575: Internet Security Fall 2017

Network Security: Firewall, VPN, IDS/IPS, SIEM

COMPUTER NETWORK SECURITY

Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities

Network Security. Thierry Sans

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

TCP/IP Filtering. Main TCP/IP Filtering Dialog Box. Route Filters Button. Packet Filters Button CHAPTER

IP Security IK2218/EP2120

History Page. Barracuda NextGen Firewall F

Chapter 8 roadmap. Network Security

CSCI 680: Computer & Network Security

Sirindhorn International Institute of Technology Thammasat University

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Indicate whether the statement is true or false.

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

Computer Security Spring Firewalls. Aggelos Kiayias University of Connecticut

Chapter 4: outline. 4.5 routing algorithms link state distance vector hierarchical routing. 4.6 routing in the Internet RIP OSPF BGP

IPv4 addressing, NAT. Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley.

ECPE / COMP 177 Fall Some slides from Kurose and Ross, Computer Networking, 5 th Edition

CS519: Computer Networks. Lecture 1 (part 2): Jan 28, 2004 Intro to Computer Networking

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

VPN and IPsec. Network Administration Using Linux. Virtual Private Network and IPSec 04/2009

IPSec. Overview. Overview. Levente Buttyán

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng

Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Intranets 4/4/17. IP numbers and Hosts. Dynamic Host Configuration Protocol. Dynamic Host Configuration Protocol. CSC362, Information Security

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,

Configuring Commonly Used IP ACLs

Unit 4: Firewalls (I)

Lecture 16: Network Layer Overview, Internet Protocol

Introduction to TCP/IP networking

Agenda. Forwarding (after a little more addressing) Follow-up from last time. Dealing with Address Scarcity. Sharing a Block of Addresses

EE 122: IP Forwarding and Transport Protocols

A SIMPLE INTRODUCTION TO TOR

CSC 574 Computer and Network Security. TCP/IP Security

Internet Security Firewalls

Network Security and Cryptography. December Sample Exam Marking Scheme

Chapter 9. Firewalls

Information Systems Security

Mohammad Hossein Manshaei 1393

Goals for Today s Class. EE 122: Networks & Protocols. What Global (non-digital) Communication Network Do You Use Every Day?

CNBK Communications and Networks Lab Book: Purpose of Hardware and Protocols Associated with Networking Computer Systems

Networks Fall This exam consists of 10 problems on the following 13 pages.

Cisco IP Fragmentation and PMTUD

INBOUND AND OUTBOUND NAT

Introduction to IPsec. Charlie Kaufman

Computer Security. 12. Firewalls & VPNs. Paul Krzyzanowski. Rutgers University. Spring 2018

Using NAT in Overlapping Networks

Lecture 13 Page 1. Lecture 13 Page 3

HP Instant Support Enterprise Edition (ISEE) Security overview

CS 161 Computer Security

Transcription:

Network Control, Con t CS 161 - Computer Security Profs. Vern Paxson & David Wagner TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger http://inst.eecs.berkeley.edu/~cs161/ Feb 19, 2010 1

Focus of Today s Lecture Finish discussion of packet-filter firewalls The general notion of reference monitors Firewall limitations Virtual Private Networks (VPNs) Application proxies Network Address Translation (NAT) 2

Problem: Outbound Connections Fail 1.allow tcp *:* -> 1.2.3.4:25 2.allow tcp 1.2.3.0/24:* -> *:* 3.drop * *:* -> *:* Inside host opens TCP connection to port 80 on external machine: Initial SYN packet passed through by rule 2 SYN+ACK packet coming back is dropped Fix? Fails rule 1 (not destined for port 25) Fails rule 2 (source not inside host) Matches rule 3 DROP In general, we need to distinguish between 2 kinds of inbound pkts Allow inbound packets associated with an outbound connection Restrict inbound packets associated with an inbound connection How do we tell them apart? Approach #1: remember previous outbound connections (takes state) Approach #2: leverage details of how TCP works 3

Inbound vs. Outbound Connections Key TCP feature: ACK bit set on all packets except first Plus: TCP receiver disregards packets with ACK set if they don t belong to an existing connection Solution ruleset: 1.allow tcp *:* -> 1.2.3.4:25 2.allow tcp 1.2.3.0/24:* -> *:* 3.allow tcp *:* -> 1.2.3.0/24:* only if ACK bit set 4.drop * *:* -> *:* Rules 1 and 2 allow traffic in either direction for inbound connections to port 25 on machine 1.2.3.4 Rules 2 and 3 allow outbound connections to any port 4

How This Ruleset Protects 1.allow tcp *:* -> 1.2.3.4:25 2.allow tcp 1.2.3.0/24:* -> *:* 3.allow tcp *:* -> 1.2.3.0/24:* only if ACK bit set 4.drop * *:* -> *:* Suppose external attacker tries to exploit vulnerability in SMB (TCP port 445): = Attempts to open an inbound TCP connection to internal SMB server Attempt #1: Sends SYN packet to server Packet lacks ACK bit no match to Rules 1-3, dropped by Rule 4 Attempt #2: Sends SYN+ACK packet to server Firewall permits the packet due to Rule 3 But then dropped by server s TCP stack (since ACK bit set, but isn t part of existing connection) 5

Security Principle: Reference Monitors Firewalls embody useful principles that are applicable elsewhere in computer security Optimized for enforcing particular kind of access control policy Chokepoint notion makes enforcement possible A key conceptual approach to access control: reference monitor Examines every request to access a controlled resource (an object) and determines whether to allow request Subject Request Reference Monitor Object 6

Reference Monitor Security Properties Always invoked Complete mediation property: all security-relevant operations must be mediated by RM RM should be invoked on every operation controlled by access control policy Tamper-resistant Maintain RM integrity (no code/state tampering) Verifiable Can verify RM operation (correctly enforces desired access control policy) Requires extremely simple RM Can t verify correctness for systems with any appreciable degree of complexity 7

Considering Firewalls as Reference Monitors Always invoked? Place Packet Filter on chokepoint link for all internal-external communications Packets only forwarded across link if firewall explicitly decides to do so after inspection 8

Potential Problems? What if a user hooks up an unsecured wireless access point to their internal machine? Anyone who drives by with wireless-enabled laptop can gain access to internal network Bypasses packet filter! To use a firewall safely, must ensure we ve covered all links between internal and external networks with firewalls Set of links known as the security perimeter 9

RM Property: Tamper-Resistant Do not allow management access to firewall other than from specific hosts I.e., firewall itself needs firewalling Must secure storage & propagation of configuration data Must also protect firewall s physical security 10

RM Property: Verifiable Current practice: Packet filter software too complex for feasible systematic verification Result: Bugs that allowed attackers to defeat intended security policy by sending unexpected packets that packet filter doesn t handle quite the way it should 11

Subverting Firewalls In addition, packet filters have a fundamentally limited semantic model They lack a full understanding of the meaning of the traffic they carry o In part because operate only at layers 3 & 4; not 7 One method of subversion: abuse ports Who says that e.g. port 22/tcp = SSH? o Why couldn t it be say Skype or BitTorrent? o Just requires that client & server agree on app proto 12

Hiding on Other Ports Method #1: use port allocated to another service (how can this be detected?) Method #2: tunneling Encapsulate one protocol inside another Receiver of outer protocol decapsulates interior tunneled protocol to recover it Pretty much any protocol can be tunneled over another (with enough effort) E.g., tunneling IP over SMTP Just need a way to code an IP datagram as an email message (either mail body or just headers) 13

Example: Tunneling IP over Email From: doesnt-matter@bogus.com To: my-buddy@tunnel-decapsulators.r.us Subject: Hereʼs my IP datagram IP-header-version: 4 IP-header-len: 5 IP-ID: 11234 IP-src: 1.2.3.4 IP-dst: 5.6.7.8 IP-payload: 0xa144bf2c0102 Program receives this legal email and builds an IP packet corresponding to description in email body injects it into the network How can a firewall detect this?? 14

Tunneling, conʼt E.g., IP-over-ICMP: Encode an IP datagram as the payload of a ping packet E.g., Skype-over-HTTP: Encode Skype message in URL of requests or header fields (or cookies) of replies Note #1: to tunnel, the sender and receiver must both cooperate Note #2: tunneling has many legitimate uses too E.g., overlay networks that forward packets along paths different from what direct routing would pick E.g., Virtual Private Networks (VPNs) o Make a remote machine look like it s local to its home network o Tunnel encrypts traffic for privacy & to prevent meddling 15

Secure External Access to Inside Machines Fileserver User Internet VPN server Company Yahoo Often need to provide secure remote access to a network protected by a firewall Remote access, telecommuting, branch offices, Create secure channel (Virtual Private Network, or VPN) to tunnel traffic from outside host/network to inside network Provides Authentication, Confidentiality, Integrity However, also raises perimeter issues (Try it yourself at http://www.net.berkeley.edu/vpn/) 16

Application Proxies Can more directly control applications by requiring them to go through a proxy for external access Proxy doesn t just forward, but acts as an applicationlevel middleman Example: SSH gateway Require all SSH in/out of site to go through gateway Gateway logs authentication, inspects decrypted text Site s firewall configured to prohibit any other SSH access 17

SSH Gateway Example host-to-gateway SSH session gateway-to-remote host SSH session 1.3.5.7 Firewall application gateway allow <port=22, host=1.3.5.7> drop <port=22> 18

Application Proxies Can more directly control applications by requiring them to go through a proxy for external access Proxy doesn t just forward, but acts as an applicationlevel middleman Example: SSH gateway Require all SSH in/out of site to go through gateway Gateway logs authentication, inspects decrypted text Site s firewall configured to prohibit any other SSH access Provides a powerful degree of monitoring/control, but costs significant resources Need to run extra server(s) per app Each server requires careful hardening 19

Network Control: NATs To conserve global Internet addresses, network operators often give their systems private addresses Usually numbered out of 10.0.0.0/8 or 192.168.0.0/16 These addresses will not work for reaching the hosts from external Internet locations Internet routers lack paths for them Hosts communicate externally by having their traffic go through a Network Address Translator (NAT) Active, in-path network element The NAT translates (maps) private addresses to a public address Also maps TCP/UDP ports 20

Multiple Private Addresses Using One Public Address via NAT 138.76.29.7 10.0.0.1 outside NAT inside 10.0.0.2 21

NAT Translation Table 2: NAT router changes packet source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table NAT translation table Public side addr LAN side addr 138.76.29.7, 5001 10.0.0.1, 3345 S: 10.0.0.1, 3345 D: 128.119.40.186, 80 1: host 10.0.0.1 sends packet to 128.119.40.186, 80 10.0.0.1 2 S: 138.76.29.7, 5001 D: 128.119.40.186, 80 10.0.0.4 1 10.0.0.2 138.76.29.7 S: 128.119.40.186, 80 D: 138.76.29.7, 5001 3 3: Reply arrives dest. address: 138.76.29.7, 5001 S: 128.119.40.186, 80 D: 10.0.0.1, 3345 4 10.0.0.3 4: NAT router changes packet dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345 22

Security Implications of NAT If an external packet arrives for which the NAT doesn t have a mapping in its table, it (necessarily) discards it Thus, as a side effect a NAT prevents probing of services offered by internal systems (Unless operator explicitly sets up an exception) NATs change IP headers (addresses) and transport headers (ports) Thus, any mechanism we might use to ensure layer 3/4 packet integrity will complain that packet has been meddled with ( operator convenience from using NAT is at odds with providing basic security guarantees) 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback