Computer and Network Security

Similar documents
CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 12

TSIN02 - Internetworking

UDP, TCP, IP multicast

CIS 551 / TCOM 401 Computer and Network Security

Chapter 5 End-to-End Protocols

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

The Internet is not always a friendly place In fact, hosts on the Internet are under constant attack How to deal with this is a large topic

TSIN02 - Internetworking

Introduction to Network. Topics

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Some slides courtesy David Wetherall. Communications Software. Lecture 4: Connections and Flow Control. CSE 123b. Spring 2003.

TSIN02 - Internetworking

CS 455: INTRODUCTION TO DISTRIBUTED SYSTEMS [NETWORKING] Frequently asked questions from the previous class surveys

Transport Layer (TCP/UDP)

Connections. Topics. Focus. Presentation Session. Application. Data Link. Transport. Physical. Network

Unit 2.

CMPE 80N: Introduction to Networking and the Internet

TRANSMISSION CONTROL PROTOCOL. ETI 2506 TELECOMMUNICATION SYSTEMS Monday, 7 November 2016

ECE 650 Systems Programming & Engineering. Spring 2018

Chapter 8 roadmap. Network Security

CSE/EE 461 Lecture 13 Connections and Fragmentation. TCP Connection Management

Different Layers Lecture 20

TCP /IP Fundamentals Mr. Cantu

UDP and TCP. Introduction. So far we have studied some data link layer protocols such as PPP which are responsible for getting data

20-CS Cyber Defense Overview Fall, Network Basics

CS4700/CS5700 Fundamentals of Computer Networks

CS457 Transport Protocols. CS 457 Fall 2014

EE 122: Transport Protocols: UDP and TCP

Network Security. Thierry Sans

Transport Layer. The transport layer is responsible for the delivery of a message from one process to another. RSManiaol

CS 716: Introduction to communication networks th class; 7 th Oct Instructor: Sridhar Iyer IIT Bombay

Network Model. Why a Layered Model? All People Seem To Need Data Processing

TSIN02 - Internetworking

network security s642 computer security adam everspaugh

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

OSI Transport Layer. objectives

Transport Layer. Gursharan Singh Tatla. Upendra Sharma. 1

COMPUTER NETWORKS CS CS 55201

COMPUTER NETWORKS CS CS 55201

9th Slide Set Computer Networks

Multiple unconnected networks

NT1210 Introduction to Networking. Unit 10

Islamic University of Gaza Faculty of Engineering Department of Computer Engineering ECOM 4021: Networks Discussion. Chapter 5 - Part 2

EE 122: Transport Protocols. Kevin Lai October 16, 2002

User Datagram Protocol

The Transport Layer: TCP & Reliable Data Transfer

Outline. What is TCP protocol? How the TCP Protocol Works SYN Flooding Attack TCP Reset Attack TCP Session Hijacking Attack

Guide To TCP/IP, Second Edition UDP Header Source Port Number (16 bits) IP HEADER Protocol Field = 17 Destination Port Number (16 bit) 15 16

EE 122: IP Forwarding and Transport Protocols

Computer Security and Privacy

Page 1. Goals for Today" Discussion" Example: Reliable File Transfer" CS162 Operating Systems and Systems Programming Lecture 11

Guide to Networking Essentials, 6 th Edition. Chapter 5: Network Protocols

CCNA 1 v3.11 Module 11 TCP/IP Transport and Application Layers

IS370 Data Communications and Computer Networks. Chapter 5 : Transport Layer

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Chapter 23 Process-to-Process Delivery: UDP, TCP, and SCTP 23.1

Announcements. No book chapter for this topic! Slides are posted online as usual Homework: Will be posted online Due 12/6

No book chapter for this topic! Slides are posted online as usual Homework: Will be posted online Due 12/6

7. TCP 최양희서울대학교컴퓨터공학부

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Internet transport protocols

Application Service Models

Configuring attack detection and prevention 1

05 Transmission Control Protocol (TCP)

Interconnecting Networks with TCP/IP. 2000, Cisco Systems, Inc. 8-1

ET4254 Communications and Networking 1

Transport Protocols Reading: Sections 2.5, 5.1, and 5.2. Goals for Todayʼs Lecture. Role of Transport Layer

Connection-oriented (virtual circuit) Reliable Transfer Buffered Transfer Unstructured Stream Full Duplex Point-to-point Connection End-to-end service

CSCI-GA Operating Systems. Networking. Hubertus Franke

ch02 True/False Indicate whether the statement is true or false.

UNIT V. Computer Networks [10MCA32] 1

Lecture 3: The Transport Layer: UDP and TCP

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

EEC-484/584 Computer Networks. Lecture 16. Wenbing Zhao

Introduction to TCP/IP networking

Internet and Intranet Protocols and Applications

Linux Networking: tcp. TCP context and interfaces

Transport layer. UDP: User Datagram Protocol [RFC 768] Review principles: Instantiation in the Internet UDP TCP

CE Advanced Network Security

Transport layer. Review principles: Instantiation in the Internet UDP TCP. Reliable data transfer Flow control Congestion control

CSCD58 WINTER 2018 WEEK 6 - NETWORK LAYER PART 1. Brian Harrington. February 13, University of Toronto Scarborough

Configuring Flood Protection

CS 3640: Introduction to Networks and Their Applications

User Datagram Protocol (UDP):

Announcements Computer Networking. Outline. Transport Protocols. Transport introduction. Error recovery & flow control. Mid-semester grades

Unit 4: Firewalls (I)

TCP/IP Transport Layer Protocols, TCP and UDP

EEC-682/782 Computer Networks I

Transport Protocols Reading: Sections 2.5, 5.1, and 5.2

HP High-End Firewalls

NWEN 243. Networked Applications. Layer 4 TCP and UDP

Hands-On Ethical Hacking and Network Defense

Internet Applications and the Application Layer Material from Kurose and Ross, Chapter 2: The Application Layer

CSE 461 Module 11. Connections

Problem. Chapter Outline. Chapter Goal. End-to-end Protocols. End-to-end Protocols. Chapter 5. End-to-End Protocols

NAT, IPv6, & UDP CS640, Announcements Assignment #3 released

4.0.1 CHAPTER INTRODUCTION

CS 356: Computer Network Architectures. Lecture 17: End-to-end Protocols and Lab 3 Chapter 5.1, 5.2. Xiaowei Yang

6.1 Internet Transport Layer Architecture 6.2 UDP (User Datagram Protocol) 6.3 TCP (Transmission Control Protocol) 6. Transport Layer 6-1

Configuring attack detection and prevention 1

Transcription:

CIS 551 / TCOM 401 Computer and Network Security Spring 2009 Lecture 8

Announcements Plan for Today: Networks: TCP Firewalls Midterm 1: One week from Today! 2/17/2009 In class, short answer, multiple choice, analysis Project 2 will be available soon 2/12/09 CIS/TCOM 551 2

Protocol Stack Revisited Application Presentation Session Transport UDP and TCP/IP Network Data Link So far Physical 2/12/09 CIS/TCOM 551 3

Application vs. Network Application Needs Network Char. Reliable, Ordered, Single-Copy Message Delivery Arbitrarily large message s Drops, Duplicates and Reorders Messages Finite message size Flow Control by Receiver Supports multiple applications per-host Arbitrary Delay 2/12/09 CIS/TCOM 551 4

User Datagram Protocol (UDP) 0 16 31 SrcPort Length DestPort Checksum Simplest transport-layer protocol Just exposes IP packet functionality to application level Ports identify sending/receiving process Demultiplexing information IP Packet Data (port, host) pair identifies a network process 2/12/09 CIS/TCOM 551 5

UDP End-to-End Model Multiplexing/Demultiplexing with Port number Application Application Application Application UDP Sender (Multiplexer) UDP Receiver (Demultiplexer) 2/12/09 CIS/TCOM 551 6

Using Ports Client contacts Server at a well-known port SMPT: port 25 DNS: port 53 POP3: port 110 Unix talk : port 517 In unix, ports are listed in /etc/services Sometimes Client and Server agree on a different port for subsequent communication Ports are an abstraction Implemented differently on different OS s Typically a message queue 2/12/09 CIS/TCOM 551 7

Transmission Control Protocol (TCP) Most widely used protocol for reliable byte streams Reliable, in-order delivery of a stream of bytes Full duplex: pair of streams, one in each direction Flow and congestion control mechanisms Like UDP, supports ports Built on top of IP (hence TCP/IP) 2/12/09 CIS/TCOM 551 8

TCP End-to-End Model Buffering corrects errors but may introduce delays Application Application Application Application TCP Sender: Send Buffers TCP Receiver Receive Buffers segment segment segment segment 2/12/09 CIS/TCOM 551 9

Packet Format Flags SYN FIN RESET PUSH URG ACK Fields 0 15 31 SrcPort DstPort SequenceNum Acknowledgment HL 0 Flags Advert.Wind. Checksum UrgPtr Options (variable) DATA 2/12/09 CIS/TCOM 551 10

Three-Way Handshake 2/12/09 CIS/TCOM 551 11

TCP State Transitions 2/12/09 CIS/TCOM 551 12

TCP Receiver Maintains a buffer from which application reads Advertises < buffer size as the window for sliding window Responds with Acknowledge and AdvertisedWindow on each send; updates byte counts when data O.K. Application blocked until read() O.K. 2/12/09 CIS/TCOM 551 13

TCP Sender Maintains a buffer; sending application is blocked until room in the buffer for its write Holds data until acknowledged by receiver as successfully received Implement window expansion and contraction; note difference between flow and congestion control 2/12/09 CIS/TCOM 551 14

TCP Flow & Congestion Control Flow vs. Congestion Control Flow control protects the recipient from being overwhelmed. Congestion control protects the network from being overwhelmed. TCP Congestion Control Additive Increase / Multiplicative Decrease Slow Start Fast Retransmit and Fast Recovery 2/12/09 CIS/TCOM 551 15

Increase and Decrease A value CongestionWindow is used to control the number of unacknowledged transmissions. This value is increased linearly until timeouts for ACKs are missed. When timeouts occur, CongestionWindow is decreased by half to reduce the pressure on the network quickly. The strategy is called additive increase / multiplicative decrease. 2/12/09 CIS/TCOM 551 16

Additive Increase 2/12/09 CIS/TCOM 551 17

TCP Sawtooth Pattern KB Time 2/12/09 CIS/TCOM 551 18

Slow Start Sending the entire window immediately could cause a traffic jam in the network. Begin slowly by setting the congestion window to one packet. When acknowledgements arrive, double the congestion window. Continue until ACKs do not arrive or flow control dominates. 2/12/09 CIS/TCOM 551 19

Slow Start 2/12/09 CIS/TCOM 551 20

Network Vulnerabilities Anonymity Attacker is remote, origin can be disguised Authentication Many points of attack Attacker only needs to find weakest link Attacker can mount attacks from many machines Sharing Many, many users sharing resources Complexity Distributed systems are large and heterogeneous Unknown perimeter Unknown attack paths 2/12/09 CIS/TCOM 551 21

Syn Flood Attack Recall TCP s 3-way handshake: SYN --- SYN+ACK --- ACK Receiver must maintain a queue of partially open TCP connections Called SYN_RECV connections Finite resource (often small: e.g. 20 entries) Timeouts for queue entries are about 1 minute. Attacker Floods a machine with SYN requests Never ACKs them Spoofs the sending address (Why? Two reasons!) 2/12/09 CIS/TCOM 551 22

Reflected denial of service ICMP message with an "echo request" is called 'ping' Broadcast a ping request For sender s address put target s address All hosts reply to ping, flooding the target with responses Hard to trace Hard to prevent Turn off ping? (Makes legitimate use impossible) Limit with network configuration by restricting scope of broadcast messages Sometimes called a "smurf attack" 2/12/09 CIS/TCOM 551 23

(Distributed) Denial of Service Coordinate multiple subverted machines to attack Flood a server with bogus requests TCP SYN packet flood > 600,000 packets per second Detection & Assessment? 12,800 attacks at 5000 hosts! (in 3 week period during 2001) IP Spoofing (forged source IP address) http://www.cs.ucsd.edu/users/savage/papers/usenixsec01.pdf Feb. 6 2007: 6 of 13 root servers suffered DDoS attack Oct. 21 2002: 9 of 13 root servers were swamped Prompted changes in the architecture Prevention? Filtering? Decentralized file storage? 2/12/09 CIS/TCOM 551 24

Kinds of Firewalls Personal firewalls Run at the end hosts e.g. Norton, Windows, etc. Benefit: has more application/user specific information Network Address Translators Rewrites packet address information Filter Based Operates by filtering based on packet headers Proxy based Operates at the level of the application e.g. HTTP web proxy 2/12/09 CIS/TCOM 551 25

Network Address Translation Idea: Break the invariant that IP addresses are globally unique 10.0.1.15 10.0.1.13 171.69.210.246 NAT Internet 10.0.1.12 10.0.1.14 NAT Port 10.0.1.14 2/12/09 CIS/TCOM 551 26

NAT Behavior NAT maintains a table of the form: <client IP> <client port> <NAT ID> Outgoing packets (on non-nat port): Look for client IP address, client port in the mapping table If found, replace client port with previously allocated NAT ID (same size as PORT #) If not found, allocate a new unique NAT ID and replace source port with NAT ID Replace source address with NAT address 2/12/09 CIS/TCOM 551 27

NAT Behavior Incoming Packets (on NAT port) Look up destination port number as NAT ID in port mapping table If found, replace destination address and port with client entries from the mapping table If not found, the packet is not for us and should be rejected Table entries expire after 2-3 minutes to allow them to be garbage collected "Private" IP addresses: 192.168.x.x 172.16.x.x 172.31.x.x 10.x.x.x 2/12/09 CIS/TCOM 551 28

Benefits of NAT Only allows connections to the outside that are established from inside. Hosts from outside can only contact internal hosts that appear in the mapping table, and they re only added when they establish the connection Some NATs support firewall-like configurability Can simplify network administration Divide network into smaller chunks Consolidate configuration data Traffic logging Load balancing Robust failover 2/12/09 CIS/TCOM 551 29

Drawbacks of NAT Rewriting IP addresses isn t so easy: Must also look for IP addresses in other locations and rewrite them (may have to be protocol-aware) Potentially changes sequence number information Must validate/recalculate checksums Hinder throughput May not work with all protocols Clients may have to be aware that NAT translation is going on Slow the adoption of IPv6? Limited filtering of packets / change packet semantics For example, NATs may not work well with encryption schemes that include IP address information 2/12/09 CIS/TCOM 551 30

Firewalls Filter Filter Inside Gateway Outside Filters protect against bad packets. Protect services offered internally from outside access. Provide outside services to hosts located inside. 2/12/09 CIS/TCOM 551 31

Filtering Firewalls Filtering can take advantage of the following information from network and transport layer headers: Source Destination Source Port Destination Port Flags (e.g. ACK) Protocol type (e.g. UDP vs. TCP) Some firewalls keep state about open TCP connections Allows conditional filtering rules of the form if internal machine has established the TCP connection, permit inbound reply packets 2/12/09 CIS/TCOM 551 32

Filter Example Action ourhost port theirhost port comment block * * BAD * untrusted host allow GW 25 * * allow our SMTP port Apply rules from top to bottom with assumed default entry: Action ourhost port theirhost port comment block * * * * default Bad entry intended to allow connections to SMTP from inside: Action ourhost port theirhost port comment allow * * * 25 connect to their SMTP This allows all connections from port 25, but an outside machine can run anything on its port 25! 2/12/09 CIS/TCOM 551 33

Filter Example Continued Permit outgoing calls to port 25. Action src port dest port flags comment allow 123.45.6.* * * 25 * their SMTP allow * 25 * * ACK their replies This filter doesn t protect against IP address spoofing. The bad hosts can pretend to be one of the hosts with addresses 123.45.6.*. 2/12/09 CIS/TCOM 551 34

When to Filter? Firewall Inside Outside 2/12/09 CIS/TCOM 551 35

On Input or Output? Filtering on output can be more efficient since it can be combined with table lookup of the route. However, some information is lost at the output stage e.g. the physical input port on which the packet arrived. Can be useful information to prevent address spoofing. Filtering on input can protect the router itself. 2/12/09 CIS/TCOM 551 36

Principles for Firewall Configuration General principal: Filter as early as possible Least Privileges: Turn off everything that is unnecessary (e.g. Web Servers should disable SMTP port 25) Failsafe Defaults: By default should reject (Note that this could cause usability problems ) Egress Filtering: Filter outgoing packets too! You know the valid IP addresses for machines internal to the network, so drop those that aren t valid. This can help prevent DoS attacks in the Internet. 2/12/09 CIS/TCOM 551 37

Example real firewall config script ############ # FreeBSD Firewall configuration. # Single-machine custom firewall setup. Protects somewhat # against the outside world. ############ # Set this to your ip address. ip="192.100.666.1" setup_loopback # Allow anything outbound from this address. ${fwcmd} add allow all from ${ip} to any out # Deny anything outbound from other addresses. ${fwcmd} add deny log all from any to any out # Allow inbound ftp, ssh, email, tcp-dns, http, https, imap, imaps, # pop3, pop3s. ${fwcmd} add allow tcp from any to ${ip} 21 setup ${fwcmd} add allow tcp from any to ${ip} 22 setup ${fwcmd} add allow tcp from any to ${ip} 25 setup ${fwcmd} add allow tcp from any to ${ip} 53 setup ${fwcmd} add allow tcp from any to ${ip} 80 setup ${fwcmd} add allow tcp from any to ${ip} 443 setup 2/12/09 CIS/TCOM 551 38

Proxy-based Firewalls External Client External TCP/HTTP connection Firewall Web Proxy Internal TCP/HTTP connection Local Web Server Proxy acts like both a client and a server. Able to filter using application-level info For example, permit some URLs to be visible outside and prevent others from being visible. Proxies can provide other services too Caching, load balancing, etc. FTP and Telnet proxies are common too 2/12/09 CIS/TCOM 551 39

Benefits of Firewalls Increased security for internal hosts. Reduced amount of effort required to counter break ins. Possible added convenience of operation within firewall (with some risk). Reduced legal and other costs associated with hacker activities. 2/12/09 CIS/TCOM 551 40

Drawbacks of Firewalls Costs: Hardware purchase and maintenance Software development or purchase, and update costs Administrative setup and training, and ongoing administrative costs and trouble-shooting Lost business or inconvenience from broken gateway Loss of some services that an open connection would supply. False sense of security Firewalls don t protect against viruses 2/12/09 CIS/TCOM 551 41

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback