Networking Security SPRING 2018: GANG WANG

Similar documents
Chapter 8 roadmap. Network Security

CSC 4900 Computer Networks: Security Protocols (2)

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Network Security. Thierry Sans

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Firewalls. Firewall. means of protecting a local system or network of systems from network-based security threats creates a perimeter of defense

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

CTS2134 Introduction to Networking. Module 08: Network Security

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Firewalls, Tunnels, and Network Intrusion Detection

CSc 466/566. Computer Security. 18 : Network Security Introduction

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Computer Communication Networks Network Security

Computer Security. 12. Firewalls & VPNs. Paul Krzyzanowski. Rutgers University. Spring 2018

Unit 4: Firewalls (I)

Computer Networks. Wenzhong Li. Nanjing University

Configuring attack detection and prevention 1

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Security Engineering. Lecture 16 Network Security Fabio Massacci (with the courtesy of W. Stallings)

CSC 574 Computer and Network Security. TCP/IP Security

ELEC5616 COMPUTER & NETWORK SECURITY

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

Computer and Network Security

Configuring attack detection and prevention 1

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

CS System Security 2nd-Half Semester Review

20-CS Cyber Defense Overview Fall, Network Basics

CS 356 Internet Security Protocols. Fall 2013

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015

Curso: Ethical Hacking and Countermeasures

CIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec

ARP, IP, TCP, UDP. CS 166: Introduction to Computer Systems Security 4/7/18 ARP, IP, TCP, UDP 1

Introduction and Overview. Why CSCI 454/554?

Overview. Computer Network Lab, SS Security. Type of attacks. Firewalls. Protocols. Packet filter

Ethical Hacking and Prevention

Last lecture we talked about how Intrusion Detection works. Today we will talk about the attacks. Intrusion Detection. Shell code

CSE 565 Computer Security Fall 2018

Internet Protocol and Transmission Control Protocol

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

Computer Network Vulnerabilities

Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities

ECE 435 Network Engineering Lecture 23

CSE 565 Computer Security Fall 2018

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

CSC 8560 Computer Networks: Security Protocols

CSE543 Computer and Network Security Module: Network Security

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

Computer Security and Privacy

Internet Security: Firewall

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Network Security. Tadayoshi Kohno

network security s642 computer security adam everspaugh

CSCI 1800 Cybersecurity and Interna4onal Rela4ons. Design and Opera-on of the Internet John E. Savage Brown University

Network Protocols. Security. TDC375 Autuman 03/04 John Kristoff - DePaul University 1

Security+ Practice Questions Exam Cram 2 (Exam SYO-101) Copyright 2004 by Que Publishing. International Standard Book Number:

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Virtual Private Network

Internetworking Lecture 10. Communications and network security

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

PROTECTING INFORMATION ASSETS NETWORK SECURITY

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

IP Security IK2218/EP2120

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Network Security. Kitisak Jirawannakool Electronics Government Agency (public organisation)

CSE 565 Computer Security Fall 2018

CSC 6575: Internet Security Fall 2017

Three interface Router without NAT Cisco IOS Firewall Configuration

IP Security. Have a range of application specific security mechanisms

CSCE 715: Network Systems Security

Network Interconnection

Basic Concepts in Intrusion Detection

CSC 6575: Internet Security Fall Attacks on Different OSI Layer Protocols OSI Layer Basic Attacks at Lower Layers

Network Security. Chapter 0. Attacks and Attack Detection

ECE 435 Network Engineering Lecture 23

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018

4.1.3 Filtering. NAT: basic principle. Dynamic NAT Network Address Translation (NAT) Public IP addresses are rare

ETHICAL HACKING & COMPUTER FORENSIC SECURITY

AccessEnforcer Version 4.0 Features List

On Distributed Communications, Rand Report RM-3420-PR, Paul Baran, August 1964

Cisco CCIE Security Written.

CISSP CEH PKI SECURITY + CEHv9: Certified Ethical Hacker. Upcoming Dates. Course Description. Course Outline

Networks and Communications MS216 - Course Outline -

Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

Gladiator Incident Alert

Training UNIFIED SECURITY. Signature based packet analysis

Flashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities

INFS 766 Internet Security Protocols. Lecture 1 Firewalls. Prof. Ravi Sandhu INTERNET INSECURITY

CIT 380: Securing Computer Systems. Network Security Concepts

Different Layers Lecture 20

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

Transcription:

Networking Security SPRING 2018: GANG WANG

About the Midterm Close book; Close notes; Close computer/phone/calculator; No cheat sheet. You are NOT allowed to leave the room during the exam There are 6 problems (100 points in total) You have 75 minutes Please try to make your hand-writing readable *Student with special need, please contact me after the class

3 Recap: Example Spoofing

Re-Cap: Email Spoofing SMTP has no authentication MAIL FROM can be set to anything (e.g., a spoofing target) Also called Return-Path The delivery address of your reply email From fields in header can be changed to anything Directly visible to users Widely used for spear phishing 4

Anti-spoofing Protocols Exist, but not widely adopted SPF: authentication by IP Proposed in 2001, standardized in 2014 DNS: specifies the IP range that can send email on behalf of x.com DKIM: public key based method Drafted in 2004, standardized in 2011 Sender domain signs the email DMARC: Drafted in 2011, standardized in 2015 Complementary to SPF and DKIM (addressed the identifier alignment issue) Specific what to do when authentication fails 5

Anti-Spoofing protocols: Technical Weaknesses SPF: authentication by IP Mail forwarding breaks SPF identifier alignment is not required, deceptive to users DKIM: public key based method Mailing list often modify content, breaks DKIM signature Identifier alignment is not required, deceptive to users DMARC: Still not widely used Cannot correctly handle mailing lists 6

DKIM Weaknesses: Identifier Alignment Domain that signs the message DKIM-Signature: v=1; a=rsa-sha256; d=attacker.com; s=pp-dkim1; c=relaxed/relaxed; q=dns/txt; i=@attacker.com; t=1480474251; h=from:from:subject:date:to:mime-version:content-type; bh= ; b=... Subject: Urgent! Response needed immediately. From: visa@uscis.gov Domain displayed to users To: uitest12767@yahoo.com The email sender domain that user sees is different from the one that is actually used to perform DKIM authentication 7

Email Providers cannot(fully) detect Spoofing Security indicator? Unknown usability Do people understand? Gmail Web Hotmail Web 8

9 Network Scanning

The Problem of Network Security The Internet allows an attacker to attack from anywhere in the world They just need to find one vulnerability: a security analyst need to close every vulnerability. 10 Slides credit to Susan J Lincke

Pre-Attack: Network Scanning Nmap ( Network Mapper ) is an open source tool for network exploration and security auditing. Nmap uses raw IP packets to determine what hosts are available on the network, what services (application name and version) those hosts are offering, What operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use 11

She was using nmap (Matrix Reloaded) to discover that citypower uses vulnerable SSH software 12 Source: https://nmap.org/movies/matrix/matrix-nmap.mp4

Checkout Z-Map https://zmap.io/ Single machine, scan IPv4 address space in under 5 minutes IPv4: 32-bits IP, in total 4,294,967,296 IPv4 addresses 13

Network Attack: Gaining Access? Network Attacks: Sniffing (Eavesdropping) IP Address Spoofing Session Hijacking System Attacks: Buffer Overflow Password Cracking SQL Injection Web Protocol Abuse Denial of Service Virus, Worm, Trojan 14 Login: Ginger Password: Snap

Passive Attacks Eavesdropping (Sniffing) Listen to packets from other parties Alice Traffic Analysis Learn about network from observing traffic patterns Footprinting (Network Mapping) Test to determine software installed on system Eve Bob 15

Some Active Attacks Denial of Service Message did not make it; or service could not run Denial of Service Joe Bill Masquerading or Spoofing The actual sender is not the claimed sender Message Modification The message was modified in transmission (Man-in-the-middle) Packet Replay A past packet is transmitted again in order to gain access Message Modification Joe Ann Ann Bill Spoofing Joe (Actually Bill) Ann Packet Replay Joe Ann Bill 16

Man-in-the-Middle Attack 10.1.1.1 10.1.1.3 (3) Password (1) Login (2) Login (4) Password 10.1.1.2 17

Botnets Attacker Command and Control C&C Botnets: Bots Zombies Bots: Host illegal movies, music, pornography, criminal web sites, Forward Spam for financial gain

Distributed Denial of Service (DDOS) Attacker Command and Control C&C Zombies Victim Can barrage a victim server with requests, causing the network to fail to respond to anyone Zombies

Common Attacks & Countermeasures Finding a way into the network Firewalls Exploiting software vulnerabilities Intrusion Detection Systems (IDS) TCP hijacking IPSec Denial of Service Ingress filtering, IDS Packet sniffing Encryption (SSH, SSL, HTTPS) Social engineering problems Education 20

Firewalls Isolates organization s internal net from larger Internet Allows some packets to pass, blocking others Can help to defend against port scan administered network public Internet firewall 21

Firewalls: Why Allow only authorized access to inside network Prevent illegal modification/access of internal data e.g., attacker replaces CIA s homepage with something else Prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for real connections 2 types of firewalls: Stateless packet filters Stateful packet filters 22

23 TCP 3-Way Handshake

Stateless packet filtering Internal network connected to Internet via router firewall Router filters packet-by-packet, decision to forward/drop packet based on: source IP address, destination IP address TCP/UDP source and destination port numbers ICMP message type TCP SYN and ACK bits Should arriving packet be allowed in? Departing packet let out? TCP 3-way handshake 24 Stateful FW vs. stateless FW

Access Control Lists Allow HTTP initiated from inside ACL: table of rules, applied top to bottom to incoming packets: (action, condition) pairs action source address dest address protocol source port dest port flag bit allow 222.22/16 outside of 222.22/16 TCP > 1023 80 any allow outside of 222.22/16 222.22/16 TCP 80 > 1023 ACK allow 222.22/16 outside of 222.22/16 UDP > 1023 53 --- allow outside of 222.22/16 222.22/16 UDP 53 > 1023 ---- deny all all all all all all 25 Allow DNS inbound & outbound

Stateless packet filtering examples Policy Firewall Setting No outside Web access. Drop all outgoing packets to any IP address, port 80 No incoming TCP connections, except those for institution s public Web server only. Prevent streaming audio/video from eating up the available bandwidth. Prevent your network from being used for a smurf DoS attack. Prevent your network from being tracerouted Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80 Drop all incoming UDP packets - except DNS and router broadcasts. Drop all ICMP packets going to a broadcast address (eg 130.207.255.255). Drop all outgoing ICMP TTL expired traffic 26

Stateful packet filtering (protocol state analysis) Stateless packet filter: admits packets that make no sense e.g., dest port = 80, ACK bit set, even though no TCP connection established: action source address dest address protocol source port dest port flag bit allow outside of 222.22/16 222.22/16 TCP 80 > 1023 ACK Stateful packet filter: track status of every TCP connection track connection setup (SYN), teardown (FIN) determine whether incoming, outgoing packets makes sense timeout inactive connections at firewall: no longer admit packets 27

Stateful packet filtering ACL augmented to indicate need to check connection state table before admitting packet Reject if not part of ongoing connections action source address allow 222.22/16 allow outside of 222.22/16 dest address outside of 222.22/16 222.22/16 proto source port dest port TCP > 1023 80 flag bit any check conn. table TCP 80 > 1023 ACK x allow 222.22/16 outside of 222.22/16 UDP > 1023 53 --- allow outside of 222.22/16 222.22/16 UDP 53 > 1023 ---- x deny all all all all all all Source address Dest address Source port Dest port 28 222.22.1.7 37.96.87.123 12699 80 222.22.93.2 199.1.205.23 37654 80 Ongoing connections

Limitations of firewalls IP spoofing: router can t know if data really comes from claimed source Tradeoff: degree of communication with outside world, level of security If multiple applications need special treatment, each has own app gateway Many highly protected sites still suffer from attacks. Client software must know how to contact gateway. set IP address of proxy in Web browser 29

30 Intrusion Detection Systems (IDS)

Intrusion Detection Systems Packet filtering in firewalls: Operates on TCP/IP headers only No correlation check among sessions IDS: intrusion detection system Deep packet inspection: look at packet contents (e.g., check strings in packet against database of known virus) Examine correlation among multiple packets port scanning, network mapping, DoS attack Generate alerts when it observes potentially malicious traffic Passive mornitoring 31

A different method: Intrusion Prevention System IPS: actively filters out suspicious traffic Terminate connections, blocking access of user accounts, IP addresses Respond to detected threats at a real time Delete malicious content Apply patches Reconfigure a firewall or router Run executables in virtual environments Cisco global correlation IPS Reputation scores for the sources Reputation obtained from centralized databases 32

Signature based IDS Signature based IDS maintains a database of attack signatures Each signature is a set of rules pertaining to an intrusion activity A list of characteristics of a single or a series of packets Packet size, source, destination port numbers, protocol type, payload Limitations: Blind to new attacks (false negatives) False alarms (false positives) False positive rate False negative rate True positive rate = 1 - FP True negative rate = 1 - FN high Costs ever packet is compared to a large collection of signatures 33

34 How to detect previously unknown attacks

Anomaly based IDS [Dorothy Denning 86] Observe normal traffic first, then, Look for packet streams that are statistically unusual Unusual percentage of ICMP packets Sudden exponential growth in port scans and ping echo requests Advantage: can detect new attacks (in theory) Disadvantage: Need to have a lot of training data to see what normal is hard to distinguish normal from abnormal activities (e.g., stealthy malware) 35

IPSec Network layer security protocol Designed for IPv6, backwards-compatible for IPv4 36

Attack models and security goals in IP protocol IP forgery attacks Attacker forges an IP address Eavesdropping attacks Attacker learns the content of IP packets [Goal 1] Authenticity of IP addresses (AH and ESP) [Goal 2] Confidentiality of IP packets Payload of IP packets (ESP) Header of IP packets (tunneling mode in IPSec) 37

Authentication Header (AH) Encapsulating Security Payload (ESP) AH protocol [Light mode]: Source authentication, data integrity No confidentiality AH header inserted between IP header and data field. ICV (integrity check value) ESP Protocol [Full mode] Source authentication, data integrity, and confidentiality Payload encrypted More complex than AH Identifier, protocol type, sequence number, ICV, digital signature, IP header AH header data (e.g., TCP, UDP segment) 38 IP datagram with an AH header

Tunneling Mode vs. Transport Mode Tunneling mode encapsulates the IP header generates a new IP header, treats the old one as part of datagram payload for anonymity purpose (hides real destination IP addresses) Transport mode is simpler (does not generate new IP header) Authentication header (AH) Transport Mode AH+Transport (new AH header) Tunneling Mode AH+Tunneling (new AH header, new IP header) Encapsulating security payload (ESP) ESP+Transport (payload encryption) ESP+Tunneling (payload encryption) 39

ESP with Tunnel mode or Transport mode http://docs.hp.com/en/j4255-90011/ch04s03.html 40

Key management in IPSec Manual: system admins manually configure crypto algorithms and secret keys Pre-shared keys Only suitable for small, low-risk environments Automated: crypto algorithms and keys are obtained automatically Internet Key Exchange protocol (IKE) Uses public key cryptography to distribute keys Suitable for large, high-risk environments 41

42 VPN

Virtual private networks (VPN) VPN: end-to-end secure connections over public Internet Using authentication and encryption to protect payload Creates virtual channels of connected entities host-to-host, Host-gateway, Gateway-to-gateway VPN can work on different network layers PGP (application layer) SSL (transport layer) IPSec (network layer) PPTP (data link layer) application transport network link physical 43 http://www.computing.vt.edu/internet_and_web/internet_access/vpn.html

Tunneling Tunneling is to encapsulate one type of packet into another DNS tunneling: e.g., encapsulating arbitrary data into DNS packets HTTP tunneling: e.g., encapsulating SMTP traffic in HTTP traffic Sender and receiver agree on format, interpretation Deep packet inspection may detect tunnels Probability distribution of payload E.g., firewall only allows HTTP traffic, Encapsulate SMTP traffic in HTTP packets 44

Encapsulate SMTP into HTTP packet HTTP packet for 9.3.1.1 SMTP packet For 9.3.1.1 SMTP packet For 9.3.1.1 4.2.1.8 Internet 9.3.1.1 SMTP packet For 9.3.1.1 payload HTTP packet for 9.3.1.1 45

PPTP (point-to-point tunneling protocol) VPN at data link layer Protects frames on the network Create tunnel to hide entire payload of frames Encapsulation of data-link frame & IP datagram No inherent encryption capabilities Encryption can be added to obtain data confidentiality (in true VPN) Alternative: L2TP (layer-2 tunneling protocol) segment datagram frame application transport network link physical 46

PPTP (point-to-point tunneling protocol) Your Home Router Virginia Tech s VPN Gateway 47

PPTP (point-to-point tunneling protocol) Without VPN: Ethernet MAC (to ISP s router) IP datagram (to final-destination) payload Encryption with shared key with VT VPN server Ethernet MAC (to VT s LAN router ) IP datagram (to final-destination) IP datagram (to VT s VPN server) Ethernet MAC (to ISP s router) For getting out of the ISP s network 48

VPN pros and cons Advantages of VPN Security - confidentiality, integrity, authentication Leverage existing network infrastructure ease of deployment Disadvantage of VPN Process overhead: to encrypt, encapsulate every packet High workload for VPN gateways Each frame contains few useful payload bytes Incompatible with network address translation (NAT) 49

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback