CSC 4900 Computer Networks: Security Protocols (2)


CSC 4900 Computer Networks: Security Protocols (2)
Professor Henry Carter, Fall 2017

Chapter 8 roadmap
8.1 What is network security?
8.2 Principles of cryptography
8.3 Message integrity
8.4 End-point authentication
8.5 Securing e-mail
8.6 Securing TCP connections: SSL
8.7 Network-layer security: IPsec
8.8 Securing wireless LANs
8.9 Operational security: firewalls and IDS

What is network-layer confidentiality?
- Between two network entities: the sending entity encrypts the datagram payload. The payload could be a TCP or UDP segment, an ICMP message, or an OSPF message.
- All data sent from one entity to the other is hidden: web pages, e-mail, P2P file transfers, TCP SYN packets. This is "blanket coverage".

Virtual Private Networks (VPNs)
- Motivation: institutions often want private networks for security. Costly: separate routers, links, DNS infrastructure.
- VPN: the institution's inter-office traffic is sent over the public Internet instead, encrypted before entering the public Internet and logically separate from other traffic.

Figure: VPN over the public Internet. A salesperson in a hotel uses a laptop with IPsec; headquarters and the branch office each sit behind a router with IPv4 and IPsec.

IPsec services
- data integrity
- origin authentication
- replay attack prevention
- confidentiality
- two protocols providing different service models: AH, ESP

Two IPsec protocols
- Authentication Header (AH) protocol: provides source authentication and data integrity, but not confidentiality.
- Encapsulation Security Protocol (ESP): provides source authentication, data integrity, and confidentiality. More widely used than AH.

Security associations (SAs)
- Before sending data, a security association (SA) is established from the sending to the receiving entity.
- SAs are simplex: for only one direction.
- Sending and receiving entities maintain state information about the SA (recall: TCP endpoints also maintain state info).
- IP is connectionless; IPsec is connection-oriented!
- How many SAs in a VPN with headquarters, a branch office, and n traveling salespeople?

Example SA from R1 to R2
R1 stores:
- 32-bit SA identifier: Security Parameter Index (SPI)
- origin SA interface (200.168.1.100)
- destination SA interface (193.68.2.23)
- type of encryption used (e.g., AES with CBC)
- encryption key
- type of integrity check used (e.g., HMAC with SHA-256)
- authentication key

Figure: headquarters (172.16.1/24) behind R1 at 200.168.1.100, branch office (172.16.2/24) behind R2 at 193.68.2.23, with the security association running from R1 to R2 across the Internet.

IPsec datagram
Focus for now on tunnel mode with ESP.
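The example below is added here and is not from the lecture slides. It models the receiving side of the R1-to-R2 SA above for ESP: the SPI and sequence number in the ESP header, the integrity check value (HMAC with the SA's authentication key, HMAC-SHA-256 as the slide suggests), and the anti-replay sliding window that gives IPsec its replay-attack prevention. The SPI, the key and the datagrams are constructed values; the AES-CBC encryption step is left out, so the payload is treated as already-encrypted opaque bytes.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed SA matching the lecture's R1 -> R2 example. The SPI and the
# integrity key are made-up values; the AES-CBC encryption step is not
# performed here, so the payload is handled as already-encrypted opaque bytes.
@dataclass
class SecurityAssociation:
    spi: int
    src: str
    dst: str
    integrity_key: bytes
    window_size: int = 64     # RFC 4303 minimum anti-replay window
    highest_seq: int = 0      # highest sequence number accepted so far
    window: int = 0           # bitmap: bit i set => highest_seq - i already seen

ESP_HEADER = struct.Struct("!II")   # SPI, sequence number (32-bit each, network order)
ICV_LEN = 16                        # HMAC-SHA-256-128 truncated tag

def build_esp(sa, seq, encrypted_payload):
    """Sender side: ESP header || encrypted payload || ICV.
    The ICV (HMAC with the SA's authentication key) covers header and payload."""
    header = ESP_HEADER.pack(sa.spi, seq)
    icv = hmac.new(sa.integrity_key, header + encrypted_payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + encrypted_payload + icv

def replay_check(sa, seq):
    """True if seq is new: beyond the window's right edge, or inside it and unseen."""
    if seq == 0:
        return False                      # seq 0 is never valid on a fresh SA
    if seq > sa.highest_seq:
        return True                       # newer than anything seen
    diff = sa.highest_seq - seq
    if diff >= sa.window_size:
        return False                      # too old to be checked: drop
    return not (sa.window >> diff) & 1    # already seen?

def window_update(sa, seq):
    """Called only after the ICV verified, so forged packets cannot move the window."""
    if seq > sa.highest_seq:
        shift = seq - sa.highest_seq
        sa.window = ((sa.window << shift) | 1) & ((1 << sa.window_size) - 1)
        sa.highest_seq = seq
    else:
        sa.window |= 1 << (sa.highest_seq - seq)

def receive_esp(sa, datagram):
    """Receiver side. Returns (status, encrypted_payload)."""
    if len(datagram) < ESP_HEADER.size + ICV_LEN:
        return "malformed", None
    header = datagram[:ESP_HEADER.size]
    spi, seq = ESP_HEADER.unpack(header)
    if spi != sa.spi:
        return "no such SA", None
    if not replay_check(sa, seq):         # cheap preliminary check before the HMAC
        return "replay", None
    body, icv = datagram[ESP_HEADER.size:-ICV_LEN], datagram[-ICV_LEN:]
    expected = hmac.new(sa.integrity_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return "bad icv", None
    window_update(sa, seq)
    return "ok", body

def demo():
    """Walk through accept / replay / tamper / too-old cases; returns the status list."""
    key = b"constructed-integrity-key-not-real"
    sender = SecurityAssociation(0x1234, "200.168.1.100", "193.68.2.23", key)
    receiver = SecurityAssociation(0x1234, "200.168.1.100", "193.68.2.23", key)
    d1 = build_esp(sender, 1, b"ciphertext-of-datagram-1")
    d2 = build_esp(sender, 2, b"ciphertext-of-datagram-2")
    d3 = build_esp(sender, 3, b"ciphertext-of-datagram-3")
    tampered = d3[:8] + bytes([d3[8] ^ 0xFF]) + d3[9:]    # flip one payload byte
    return [
        receive_esp(receiver, d1)[0],                            # ok
        receive_esp(receiver, d2)[0],                            # ok
        receive_esp(receiver, d1)[0],                            # replay
        receive_esp(receiver, tampered)[0],                      # bad icv
        receive_esp(receiver, d3)[0],                            # ok: forgery did not move the window
        receive_esp(receiver, build_esp(sender, 100, b"x"))[0],  # ok
        receive_esp(receiver, build_esp(sender, 30, b"y"))[0],   # replay: 100 - 30 >= 64, too old
    ]

if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the window is consulted before the HMAC so that a flood of old sequence numbers costs no cryptography, but the window is only advanced after the ICV verifies, so an attacker who cannot forge the ICV cannot move the window and cause genuine datagrams to be discarded.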


IEEE 802.11 security
- War-driving: drive around the Bay Area and see what 802.11 networks are available. More than 9000 accessible from public roadways; 85% use no encryption/authentication; packet sniffing and various attacks are easy!
- Securing 802.11: encryption, authentication.
- First attempt at 802.11 security: Wired Equivalent Privacy (WEP): a failure.
- Current attempt: 802.11i.

Wired Equivalent Privacy (WEP)
- Authentication as in protocol ap4.0:
  - host requests authentication from the access point
  - access point sends a 128-bit nonce
  - host encrypts the nonce using the shared symmetric key
  - access point decrypts the nonce, authenticates the host
- No key distribution mechanism.
- Authentication: knowing the shared key is enough.

WEP encryption
Figure: sender-side WEP encryption.

Breaking WEP
- Security hole: 24-bit IV, one IV per frame, so IVs are eventually reused. The IV is transmitted in plaintext, so IV reuse is detected.
- Attack: Trudy causes Alice to encrypt known plaintext d_1 d_2 d_3 d_4 ... under some IV.
- Trudy sees c_i = d_i XOR k_i^IV.
- Trudy knows c_i and d_i, so she can compute k_i^IV.
- Trudy now knows the encrypting key sequence k_1^IV k_2^IV k_3^IV ...
- Next time that IV is used, Trudy can decrypt!
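To make the slide's arithmetic concrete, here is an added example (not from the lecture) that reproduces the keystream-reuse property with a random keystream standing in for RC4's output for one IV, and then quantifies the 24-bit IV problem from the defender's side: the birthday-bound probability that a randomly chosen IV repeats within a given number of frames, and an audit function that lists repeated IVs in a capture. The keystream, the plaintexts and the IV list are constructed values.

```python
import os

IV_BITS = 24
IV_SPACE = 1 << IV_BITS      # 16,777,216 possible IVs

def xor_bytes(a, b):
    """Byte-wise XOR of two byte strings (truncates to the shorter one)."""
    return bytes(x ^ y for x, y in zip(a, b))

def stream_encrypt(keystream, plaintext):
    """WEP-style encryption: c_i = d_i XOR k_i^IV. The keystream stands in for
    RC4(IV || shared key); which cipher produced it does not matter for the flaw."""
    return xor_bytes(keystream, plaintext)

def recover_keystream(known_plaintext, ciphertext):
    """The slide's step: k_i^IV = c_i XOR d_i once d_i is known."""
    return xor_bytes(ciphertext, known_plaintext)

def demo_iv_reuse():
    """Same IV (hence same keystream) used twice: the second frame becomes readable."""
    keystream_iv = os.urandom(32)               # constructed stand-in for k^IV
    known = b"GET /index.html HTTP/1.0\r\n"      # plaintext Trudy caused Alice to send
    c1 = stream_encrypt(keystream_iv, known)
    k_iv = recover_keystream(known, c1)         # first len(known) bytes of the keystream
    secret = b"password=hunter2\r\n"            # a later frame under the same IV (constructed)
    c2 = stream_encrypt(keystream_iv, secret)
    return xor_bytes(k_iv, c2)                  # equals `secret`

def iv_collision_probability(frames, space=IV_SPACE):
    """Probability that at least one IV repeats among `frames` frames with uniformly
    random IVs (birthday bound). A sequential IV counter wraps after `space` frames anyway."""
    p_no_repeat = 1.0
    for i in range(frames):
        p_no_repeat *= (space - i) / space
    return 1.0 - p_no_repeat

def iv_reuse_audit(frame_ivs):
    """Defender's check over a capture: IVs seen more than once (IVs travel in the clear)."""
    counts = {}
    for iv in frame_ivs:
        counts[iv] = counts.get(iv, 0) + 1
    return sorted(iv for iv, n in counts.items() if n > 1)

if __name__ == "__main__":
    print(demo_iv_reuse())
    print(round(iv_collision_probability(5000), 3))
    print(iv_reuse_audit([0x0A0B0C, 0x000001, 0x0A0B0C, 0x7FFFFF]))
```

With random IVs the chance of a repeat passes one half after roughly 5,000 frames, which a busy access point sends in seconds; this is why 802.11i moved to per-session keys and a 48-bit packet number rather than trying to patch the IV.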

802.11i: improved security
- Numerous (stronger) forms of encryption possible.
- Provides key distribution.
- Uses an authentication server separate from the access point.
- Common implementation: WPA2.

Four phases
Figure: the four phases of 802.11i.

EAP: Extensible Authentication Protocol
- EAP: end-to-end client (mobile) to authentication server protocol.
- EAP sent over separate links: mobile-to-AP (EAP over LAN), AP to authentication server (RADIUS over UDP).

Figure: protocol stacks. Mobile to AP: EAP TLS / EAP / EAP over LAN (EAPoL) / IEEE 802.11. AP to authentication server: EAP TLS / EAP / RADIUS / UDP/IP.


Firewalls
A firewall isolates an organization's internal net from the larger Internet, allowing some packets to pass and blocking others.

Firewalls: why
- Prevent denial-of-service attacks. SYN flooding: attacker establishes many bogus TCP connections, leaving no resources for real connections.
- Prevent illegal modification/access of internal data, e.g., attacker replaces the CIA's homepage with something else.
- Allow only authorized access to the inside network (set of authenticated users/hosts).
- Three types of firewalls: stateless packet filters, stateful packet filters, application gateways.

Stateless packet filtering
- Internal network connected to the Internet via a router firewall.
- Router filters packet by packet; the decision to forward/drop a packet is based on:
  - source IP address, destination IP address
  - TCP/UDP source and destination port numbers
  - ICMP message type
  - TCP SYN and ACK bits

Stateless packet filtering: examples
- Example 1: block incoming and outgoing datagrams with IP Protocol field = 17 and with either source or dest port = 23. Result: all incoming and outgoing UDP flows and telnet connections are blocked.
- Example 2: block inbound TCP segments with ACK = 0. Result: prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to the outside.

Stateless packet filtering: more examples
Table of further filtering policies and the rules that implement them (not reproduced in this transcription).

Access control lists
ACL: table of rules, applied top to bottom to incoming packets: (action, condition) pairs. Looks like OpenFlow forwarding (Ch. 4)!

action | source address       | dest address         | protocol | source port | dest port | flag bit
allow  | 222.22/16            | outside of 222.22/16 | TCP      | > 1023      | 80        | any
allow  | outside of 222.22/16 | 222.22/16            | TCP      | 80          | > 1023    | ACK
allow  | 222.22/16            | outside of 222.22/16 | UDP      | > 1023      | 53        | ---
allow  | outside of 222.22/16 | 222.22/16            | UDP      | 53          | > 1023    | ---
deny   | all                  | all                  | all      | all         | all       | all

Stateful packet filtering
- Stateless packet filter: a heavy-handed tool. It admits packets that make no sense, e.g., dest port = 80 and ACK bit set even though no TCP connection has been established:

  action | source address       | dest address | protocol | source port | dest port | flag bit
  allow  | outside of 222.22/16 | 222.22/16    | TCP      | 80          | > 1023    | ACK

- Stateful packet filter: track the status of every TCP connection.
  - Track connection setup (SYN) and teardown (FIN): determine whether incoming and outgoing packets make sense.
  - Time out inactive connections at the firewall: no longer admit their packets.

Stateful packet filtering: ACL
ACL augmented to indicate the need to check the connection state table before admitting a packet:

action | source address       | dest address         | proto | source port | dest port | flag bit | check connection
allow  | 222.22/16            | outside of 222.22/16 | TCP   | > 1023      | 80        | any      |
allow  | outside of 222.22/16 | 222.22/16            | TCP   | 80          | > 1023    | ACK      | x
allow  | 222.22/16            | outside of 222.22/16 | UDP   | > 1023      | 53        | ---      |
allow  | outside of 222.22/16 | 222.22/16            | UDP   | 53          | > 1023    | ---      | x
deny   | all                  | all                  | all   | all         | all       | all      |
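The following is an added example, not from the lecture, that implements the two ACL tables above as code: a stateless filter that applies the rows top to bottom on headers alone, and a stateful filter that additionally consults a connection table for the rows marked "check connection", records outbound flows on SYN (or on any outbound UDP datagram), forgets them on FIN, and times out idle entries. The packets and the 300-second idle timeout are constructed for the demonstration; the network 222.22/16 is the lecture's.

```python
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("222.22.0.0/16")   # the lecture's 222.22/16 internal network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "TCP" or "UDP"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False

# Column predicates for the ACL table.
def inside(ip): return ipaddress.ip_address(ip) in INSIDE
def outside(ip): return not inside(ip)
def any_addr(ip): return True
def gt_1023(port): return port > 1023
def port_is(n): return lambda port: port == n
def any_port(port): return True

# Rows of the lecture's stateful ACL:
# (action, source addr, dest addr, protocol, source port, dest port, flag bit, check connection)
ACL = [
    ("allow", inside, outside, "TCP", gt_1023, port_is(80), "any", False),
    ("allow", outside, inside, "TCP", port_is(80), gt_1023, "ACK", True),
    ("allow", inside, outside, "UDP", gt_1023, port_is(53), "---", False),
    ("allow", outside, inside, "UDP", port_is(53), gt_1023, "---", True),
    ("deny", any_addr, any_addr, "all", any_port, any_port, "all", False),
]

def rule_matches(rule, pkt):
    _, src_ok, dst_ok, proto, sport_ok, dport_ok, flag, _ = rule
    if not (src_ok(pkt.src) and dst_ok(pkt.dst)):
        return False
    if proto != "all" and proto != pkt.proto:
        return False
    if not (sport_ok(pkt.sport) and dport_ok(pkt.dport)):
        return False
    if flag == "ACK" and not pkt.ack:
        return False
    return True

def stateless_filter(pkt):
    """First matching row wins, top to bottom; no memory of earlier packets."""
    for rule in ACL:
        if rule_matches(rule, pkt):
            return rule[0]
    return "deny"

class StatefulFilter:
    """Same ACL, plus a connection table for the rows marked 'check connection'."""
    def __init__(self, idle_timeout=300.0):
        self.idle_timeout = idle_timeout
        self.connections = {}   # (inside ip, inside port, outside ip, outside port) -> last seen

    def expire(self, now):
        for key in [k for k, t in self.connections.items() if now - t > self.idle_timeout]:
            del self.connections[key]

    def filter(self, pkt, now=0.0):
        self.expire(now)
        for rule in ACL:
            if not rule_matches(rule, pkt):
                continue
            action, check_conn = rule[0], rule[7]
            if action != "allow":
                return action
            if check_conn:
                # inbound reply: the matching outbound flow must already be in the table
                key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
                if key not in self.connections:
                    return "deny"
                self.connections[key] = now
                if pkt.fin:
                    del self.connections[key]
            else:
                # outbound: record the flow (TCP on SYN, UDP on any datagram), forget it on FIN
                key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
                if pkt.proto == "UDP" or pkt.syn:
                    self.connections[key] = now
                elif pkt.fin:
                    self.connections.pop(key, None)
                elif key in self.connections:
                    self.connections[key] = now
            return "allow"
        return "deny"

def demo():
    """Constructed packets; returns the verdict of each filter per case."""
    sf = StatefulFilter()
    bogus = Packet("1.2.3.4", "222.22.5.6", "TCP", 80, 44321, ack=True)  # the slide's nonsense packet
    syn = Packet("222.22.5.6", "1.2.3.4", "TCP", 44321, 80, syn=True)
    synack = Packet("1.2.3.4", "222.22.5.6", "TCP", 80, 44321, syn=True, ack=True)
    telnet_in = Packet("1.2.3.4", "222.22.5.6", "TCP", 5555, 23, syn=True)
    return {
        "stateless_bogus": stateless_filter(bogus),       # allow: row 2 matches on headers alone
        "stateful_bogus": sf.filter(bogus, now=0.0),      # deny: no connection in the table
        "outbound_syn": sf.filter(syn, now=1.0),          # allow, and the flow is recorded
        "inbound_synack": sf.filter(synack, now=1.1),     # allow: the table has the flow
        "inbound_telnet": stateless_filter(telnet_in),    # deny: falls through to the last row
        "after_timeout": sf.filter(synack, now=1000.0),   # deny: idle flow expired
    }
```

The "stateless_bogus" / "stateful_bogus" pair is exactly the slide's point: both filters see the same row 2 match, but only the stateful one asks whether an inside host actually opened that connection.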

Application gateways
- Filter packets on application data as well as on IP/TCP/UDP fields.
- Example: allow select internal users to telnet outside.
  1. Require all telnet users to telnet through the gateway.
  2. For authorized users, the gateway sets up a telnet connection to the destination host and relays data between the two connections.
  3. The router filter blocks all telnet connections not originating from the gateway.

Figure: host-to-gateway telnet session, the application gateway, the gateway-to-remote-host telnet session, and the router and filter between the gateway and the outside.

Limitations of firewalls and gateways
- IP spoofing: the router can't know whether data really comes from the claimed source.
- If multiple apps need special treatment, each has its own app gateway.
- Client software must know how to contact the gateway, e.g., must set the IP address of the proxy in the web browser.
- Filters often use an all-or-nothing policy for UDP.
- Tradeoff: degree of communication with the outside world vs. level of security.
- Many highly protected sites still suffer from attacks.

Intrusion detection systems
- Packet filtering: operates on TCP/IP headers only; no correlation check among sessions.
- IDS: intrusion detection system.
  - Deep packet inspection: look at packet contents (e.g., check character strings in the packet against a database of known virus and attack strings).
  - Examine correlation among multiple packets: port scanning, network mapping, DoS attack.

Intrusion detection systems
Multiple IDSs: different types of checking at different locations.
Figure: placement of several IDS sensors inside the organization's network.
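As an added example (not from the lecture), the two IDS capabilities named above side by side: a deep-packet-inspection check that matches packet contents against a small signature database, and a correlation check that watches how many distinct (host, port) targets one source touches within a short time window, the pattern of a port scan or network map. The signature list, the thresholds and the sample traffic are all constructed for the demonstration.

```python
from collections import defaultdict

# Constructed signature database: (name, byte string found in known attack payloads).
SIGNATURES = [
    ("cmd-exe-probe", b"cmd.exe"),
    ("sqli-tautology", b"' OR 1=1"),
]

def dpi_match(payload):
    """Deep packet inspection: names of signatures that occur in this packet's contents."""
    return [name for name, sig in SIGNATURES if sig in payload]

class PortScanDetector:
    """Correlates packets from one source across time: at least `threshold` distinct
    (dst, port) targets within `window` seconds is reported once per source."""
    def __init__(self, threshold=10, window=5.0):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(list)   # src -> [(time, (dst, dport)), ...]
        self.alerted = set()

    def observe(self, t, src, dst, dport):
        ev = self.events[src]
        ev.append((t, (dst, dport)))
        while ev and t - ev[0][0] > self.window:   # slide the time window forward
            ev.pop(0)
        targets = {target for _, target in ev}
        if len(targets) >= self.threshold and src not in self.alerted:
            self.alerted.add(src)
            return True
        return False

def run_ids(packets):
    """packets: iterable of (time, src, dst, dport, payload). Returns alert tuples in order."""
    alerts = []
    scanner = PortScanDetector()
    for t, src, dst, dport, payload in packets:
        for name in dpi_match(payload):                 # header-independent content check
            alerts.append(("signature", src, name))
        if scanner.observe(t, src, dst, dport):         # cross-packet correlation
            alerts.append(("port-scan", src))
    return alerts

def sample_packets():
    """Constructed traffic: one signature hit, one 12-port scan, one benign TLS hello."""
    pkts = [(0.5, "203.0.113.7", "222.22.1.10", 80, b"GET /cgi-bin/cmd.exe HTTP/1.0\r\n")]
    pkts += [(1.0 + 0.1 * i, "10.0.0.9", "222.22.1.10", 20 + i, b"") for i in range(12)]
    pkts.append((3.0, "198.51.100.4", "222.22.1.10", 443, b"\x16\x03\x01"))
    return pkts

if __name__ == "__main__":
    for alert in run_ids(sample_packets()):
        print(alert)
```

Neither check is available to a header-only packet filter: the signature lives in the payload, and the scan is invisible in any single packet, which is why the slide places both under the IDS rather than the firewall.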

Network security summary
- Basic techniques: cryptography (symmetric and public key), message integrity, end-point authentication.
- Used in many different security scenarios: secure e-mail, secure transport (SSL), IPsec, 802.11.
- Operational security: firewalls and IDS.

Next time...
- Textbook Chapter 9.1-9.4. Remember, you need to read it BEFORE you come to class!
- Homework: prepare for the final!