Network Security. Thierry Sans

Similar documents
CSC 4900 Computer Networks: Security Protocols (2)

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Chapter 8 roadmap. Network Security

Networking Security SPRING 2018: GANG WANG

CSc 466/566. Computer Security. 18 : Network Security Introduction

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

CSE 565 Computer Security Fall 2018

Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities

Computer Security. 12. Firewalls & VPNs. Paul Krzyzanowski. Rutgers University. Spring 2018

Firewalls, Tunnels, and Network Intrusion Detection

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Threat Pragmatics. Target 6/19/ June 2018 PacNOG 22, Honiara, Solomon Islands Supported by:

ECE 435 Network Engineering Lecture 23

Network Security. Tadayoshi Kohno

CIT 380: Securing Computer Systems. Network Security Concepts

Security Engineering. Lecture 16 Network Security Fabio Massacci (with the courtesy of W. Stallings)

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks

ASA/PIX Security Appliance

ECE 435 Network Engineering Lecture 23

AccessEnforcer Version 4.0 Features List

Threat Pragmatics & Cryptography Basics. PacNOG July, 2017 Suva, Fiji

CSE 565 Computer Security Fall 2018

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

ELEC5616 COMPUTER & NETWORK SECURITY

Flashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities

Indicate whether the statement is true or false.

CSC 574 Computer and Network Security. TCP/IP Security

Introduction to Network Security Missouri S&T University CPE 5420 Network Access Control

CS System Security 2nd-Half Semester Review

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

CyberP3i Course Module Series

HP High-End Firewalls

Internetworking Lecture 10. Communications and network security

network security s642 computer security adam everspaugh

20-CS Cyber Defense Overview Fall, Network Basics

Network Protocols. Security. TDC375 Autuman 03/04 John Kristoff - DePaul University 1

CTS2134 Introduction to Networking. Module 08: Network Security

Introduction to Computer Networks. CS 166: Introduction to Computer Systems Security

CS Paul Krzyzanowski

Computer Security Exam 3 Review. Paul Krzyzanowski. Rutgers University. Spring 2017

ARP, IP, TCP, UDP. CS 166: Introduction to Computer Systems Security 4/7/18 ARP, IP, TCP, UDP 1

COSC 301 Network Management

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Configuring attack detection and prevention 1

PROTECTING INFORMATION ASSETS NETWORK SECURITY

Computer Security. 11. Network Security. Paul Krzyzanowski. Rutgers University. Spring 2018

CS670: Network security

Unit 4: Firewalls (I)

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Network Security. Network Vulnerabilities

CSCE 715: Network Systems Security

Sirindhorn International Institute of Technology Thammasat University

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015

Gigabit SSL VPN Security Router

ENEE 457: Computer Systems Security 11/07/16. Lecture 18 Computer Networking Basics

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Network Security Protocols and Defensive Mechanisms

Configuring attack detection and prevention 1

This course prepares candidates for the CompTIA Network+ examination (2018 Objectives) N

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Fundamentals of Network Security v1.1 Scope and Sequence

Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras

Broadcast Infrastructure Cybersecurity - Part 2

Exam Questions SY0-401

Computer Network Vulnerabilities

CSC Network Security

NETGEAR-FVX Relation. Fabrizio Celli;Fabio Papacchini;Andrea Gozzi

Firewalls, IDS and IPS. MIS5214 Midterm Study Support Materials

Internet Protocol and Transmission Control Protocol

Implementing Firewall Technologies

DDoS Testing with XM-2G. Step by Step Guide

INFS 766 Internet Security Protocols. Lecture 1 Firewalls. Prof. Ravi Sandhu INTERNET INSECURITY

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Network Security Fundamentals

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

Networks Fall This exam consists of 10 problems on the following 13 pages.

Global Information Assurance Certification Paper

Security SSID Selection: Broadcast SSID:

CSCI 1800 Cybersecurity and Interna4onal Rela4ons. Design and Opera-on of the Internet John E. Savage Brown University

4.1.3 Filtering. NAT: basic principle. Dynamic NAT Network Address Translation (NAT) Public IP addresses are rare

Network Security. Kitisak Jirawannakool Electronics Government Agency (public organisation)

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018

AplombTech Smart Router Manual

SecBlade Firewall Cards Attack Protection Configuration Example

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

Computer and Network Security

Chapter 7. Denial of Service Attacks

Computer security Lecture 11

CompTIA Network+ Study Guide Table of Contents

Attack Prevention Technology White Paper

jk0-022 Exam Questions Demo CompTIA Exam Questions jk0-022

Cisco CCIE Security Written.

Virtual Private Networks (VPN)

INBOUND AND OUTBOUND NAT

Network Defenses 21 JANUARY KAMI VANIEA 1

Corso di Network Security a.a. 2012/2013. Solutions of exercises on the second part of the course

Transcription:

Network Security Thierry Sans

HTTP SMTP DNS BGP The Protocol Stack Application TCP UDP Transport IPv4 IPv6 ICMP Network ARP Link Ethernet WiFi

The attacker is capable of confidentiality integrity availability Scanning - survey the network and its hosts Eavesdropping - read messages Spoofing - forge illegitimate messages DOS (Denial of Service) - disrupt the communications The attacker can target any layer in the network stack

HTTP SMTP DNS BGP TCP UDP IPv4 IPv6 ICMP ARP Ethernet WiFi Packet Sniffing (eavesdropping)

HTTP SMTP DNS BGP TCP UDP IPv4 IPv6 ICMP ARP ARP-cache poisoning (spoofing) Ethernet WiFi

HTTP SMTP DNS BGP TCP UDP IPv4 ARP IPv6 ICMP Host discovery (scanning) IP forgery (spoofing) ICMP Ping flooding (DOS) Ethernet WiFi

HTTP SMTP DNS BGP TCP UDP Port scanning (scanning) TCP forgery (spoofing, DOS) TCP-syn flooding (DOS) UDP flooding (DOS) IPv4 IPv6 ICMP ARP Ethernet WiFi

HTTP SMTP DNS BGP Route Hijacking (spoofing, DOS) DNS-cache poisoning (spoofing, DOS) TCP UDP IPv4 IPv6 ICMP ARP Ethernet WiFi

TLS - Transport Layer Security

TLS - Tranport Layer Protection Transport Layer Security (a.k.a SSL v3) provides integrity: authentication handshake confidentiality: end-to-end secure channel Prevents all kinds of eavesdropping and spoofing for application protocols e.g HTTP + TLS = HTTPS 2-10 times slower than an insecure TCP connection Not used in practice to secure DNS and BGP

Authentication Handshake

Specific attacks of HTTPS Webpages can be delivered either with HTTPS or HTTP The browser can automatically switch between HTTP and HTTPS Sometime within the same webpage (mixed-content) e.g the main page loads over HTTPS but images, scripts or css load with HTTP An attacker can do a MitM attack and remove the SSL protection SSLStripping attack (challenge coming next)

Preventing eavesdropping attacks

Preventing packet sniffing over Ethernet Hub : broadcast all messages on all ports Switch : (smart HUB) forward messages on specific port based on their MAC addresses isolate Ethernet traffics (no straightforward packet sniffing)

Packet sniffing over a wireless network Encrypt message before sending them over the air Wireless Security WEP WPA Personal WPA2 Enterprise Authentication Shared Key Shared Key Shared Key RADIUS Server Cryptography RC4 TKIP and RC4 CCMP and AES Security Broken Broken External attackers only Good

Preventing spoofing attacks

Preventing ARP-cache poisoning Authenticating ARP messages has been proposed (research) but never implemented Static ARP tables (not practical in dynamic environment) Detection and correction tools

Preventing IP forgery IPsec - Internet Protocol Security provides authentication (and optionally encryption) of IP traffic Uses SHA2 and AES (previously SHA1 and 3DES) Used usually between routers (link and network layers only) However IPsec is rarely deployed in practice IPsec encapsulation m IP header IPsec header m IP header m IP header IPsec secure channel router 1 router 2

Preventing DNS spoofing DNSSEC - Domain Name System Security Extensions provides authentication (but not encryption) between DNS servers Not widely deployed yet

Preventing route hijacking (BGP) Bogon Filtering Best Current Practice to limit fake route advertisement Deny route advertised by hosts with spoofed addresses Implemented by ISPs (Internet Service Providers)

Preventing DOS attacks

Preventing TCP-syn flooding TCP-syn cookie prevents from maintaining a queue of half-opened TCP connections

Preventing DOS and DDOS attacks in general Network Ingress Filtering (a.k.a BCP 38) Best Current Practice to limit the impact of DOS and DDOS 1. Deny access to network traffic with spoofed addresses 2. Ensure that traffic is traceable to its correct source network Implemented by ISPs (Internet Service Providers)

Preventing scanning attacks (and beyond)

Preventing host discovery and port-scanning Host discovery uses ICMP ping echo message ICMP can be disabled or reserved to hosts on the same network Port Scanning uses TCP-syn messages TCP connections can be rejected if a source attempts to initiate multiple connections on multiple ports simultaneously Packet filtering can prevent these two scanning techniques

Limitation of a host-by-host packet filtering solution How to enable packet filtering on every host on the network? 1. Each host needs to have packet filtering capability across different hardware, OS and versions 2. The admin needs to have administrative privilege on every host to push the packet filtering policy Impossible in practice

Firewall

Network Firewall Protected Network Internet Firewall

Network Firewall A firewall defines a logical defense parameter and acts an access control between two networks Packet filtering based on IP addresses (TCP filtering) inbound traffic from the Internet trying to get into the protected network outbound traffic going the other way For the most part, we trust the outbound but not the inbound

Widely used in practice Assuming the attacks comes from outside, a firewall can prevent Most scanning attacks Some spoofing attacks Some flooding attacks (as long as it can handle the load) Anomalous messages e.g smurf attack and others But more generally, it can restrict access to protected hosts

Two type of firewalls Stateless packet filtering is purely based on the IP address and the port Stateful packet filtering tracks the status of every connection (TCP 3 way handshake)

Example of a stateful firewall policy ACL - Access Control Lists action protocol IP src port src IP dst port dst state allow TCP 222.22/16 >1023! 222.22/16 80 any allow TCP! 222.22/16 80 222.22/16 >1023 ack allow UDP 222.22/16 >1023! 222.22/16 53 - allow UDP! 222.22/16 53 222.22/16 >1023 - deny all all all all all all

Concept of DMZ DMZ - DeMilitarized Zone isolates exposed public servers e.g web, mail, database and so on Protected Network Internet DMZ Internal Network

Intrusion Detection

Two approaches to build an IDS Signature-based IDS Have pre-defined malicious message pattern Relies on a signature database Heuristic-based Builds a model of acceptable message exchange patterns Relies on machine learning

(Network) Intrusion Detection Systems IDS - Intrusion detection systems performs deep packet inspection Looks at the headers Look at packet contents (payload) Looks at the packet fragmentation

IDS in the protected network IDSs often operate in stealth mode Protected Network Internet IDS

IPS - Intrusion Prevention system IPS = IDS + Firewall IP addresses sending malicious packets can be filtered

Problem with nomad hosts Protected Network Internet

VPN - Virtual Private Network

Protected Network VPN - Virtual Private Network VPN protected nomad hosts outside the protected network VPN server Internet

Tunneling protocol 1. Alice s message is encapsulated and sent to the VPN server 2. The VPN extract this traffic and send it to the destination 3. Same thing on the way back Provides anonymity (from the IP perspective at least) TCP header TCP header m TCP header m TCP secure channel VPN server

Different type of VPNs VPN can be built using different technology e.g. IPsec TLS (e.g openvpn) SSH

VPN to enforce security or evade it :) Evade censorship and geo-restrictions by masking the real IP address

The TOR network a.k.a Onion Routing

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback