Symbolic Simulation of Tunneling Protocols Carl A. Gunter, Matthew Jacobs, Gaurav Shah, Mark-Oliver Stehr (UIUC), and Alwyn Goodloe Alwyn Goodloe HCES.

Slides:

Advertisements

Similar presentations

Encrypting Wireless Data with VPN Techniques

Advertisements

Internet Protocol Security (IP Sec)

 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.

CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

RSVP Cryptographic Authentication "...RSVP requires the ability to protect its messages against corruption and spoofing. This document defines a mechanism.

Module 5: Configuring Access for Remote Clients and Networks.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Configuring Virtual Private Networks for Remote Clients and Networks.

Introduction to ISA 2004 Dana Epp Microsoft Security MVP.

Internet Protocol Security An Overview of IPSec. Outline:  What Security Problem?  Understanding TCP/IP.  Security at What Level?  IP Security. 

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

Protected Extensible Authentication Protocol

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Research Overview Carl A. Gunter University of Pennsylvania.

Master Thesis Proposal By Nirmala Bulusu Advisor – Dr. Edward Chow Implementation of Protected Extensible Protocol (PEAP) – An IEEE 802.1x wireless LAN.

K. Salah1 Security Protocols in the Internet IPSec.

RADIUS Server PAP & CHAP Protocols. Computer Security  In computer security, AAA protocol commonly stands for authentication, authorization and accounting.

Virtual Private Network (VPN) © N. Ganesan, Ph.D..

Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.

1 Microsoft Windows NT 4.0 Authentication Protocols Password Authentication Protocol (PAP) Challenge Handshake Authentication Protocol (CHAP) Microsoft.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 9 Network Policy and Access Services in Windows Server 2008.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Configuring Routing and Remote Access(RRAS) and Wireless Networking

Intranet, Extranet, Firewall. Intranet and Extranet.

Chapter 20: Getting from the Office to the Road: VPNs BAI617.

WIRELESS LAN SECURITY Using

32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.

Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.

Chapter 13 – Network Security

L3A: A Protocol for Layer Three Accounting Alwyn Goodloe, Matthew Jacobs, Gaurav Shah University of Pennsylvania Carl A. Gunter University of Illinois.

Network Security Architectures Part 2 Formalization and Testing Summer School on Software Security Theory to Practice Carl A. Gunter University of Pennsylvania.

1 Reasoning about Concurrency for Security Tunnels Alwyn E. Goodloe University of Pennsylvania Carl A. Gunter University of Illinois Urbana-Champaign.

Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.

OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.

Module 11: Remote Access Fundamentals

3Com Confidential Proprietary 3G CDMA AAA Function Yingchun Xu 3COM.

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

PRESENTED BY P. PRAVEEN Roll No: 1009 – 11 – NETWORK SECURITY M.C.A III Year II Sem.

IPSec IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs) and across the Internet.

Network access security methods Unit objective Explain the methods of ensuring network access security Explain methods of user authentication.

1 Chapter Overview Password Protection Security Models Firewalls Security Protocols.

Real-time Flow Management 2 BOF: Remote Packet Capture Extensions Jürgen Quittek NEC Europe Ltd, Heidelberg, Germany Georg Carle GMD.

11 SECURING NETWORK COMMUNICATION Chapter 9. Chapter 9: SECURING NETWORK COMMUNICATION2 OVERVIEW  List the major threats to network communications. 

Chapter 8 IP Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.

Your Wireless Network has No Clothes* William A. Arbaugh, Narendar Shankar Y.C. Justin Wan University of Maryland Presentation by Eddy Purnomo,

V IRTUAL P RIVATE N ETWORKS K ARTHIK M OHANASUNDARAM W RIGHT S TATE U NIVERSITY.

Understand Network Isolation Part 2 LESSON 3.3_B Security Fundamentals.

Cryptography and Network Security (CS435) Part Thirteen (IP Security)

Lect 8 Tahani al jehain. Types of attack Remote code execution: occurs when an attacker exploits a software and runs a program that the user does not.

Network Layer Security Network Systems Security Mort Anvari.

K. Salah1 Security Protocols in the Internet IPSec.

Chapter 11 – Cloud Application Development. Contents Motivation. Connecting clients to instances through firewalls. Cloud Computing: Theory and Practice.

Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.

Improving Security Over Ipv6 Authentication Header Protocol using IP Traceback and TTL Devon Thomas, Alex Isaac, Majdi Alharthi, Ali Albatainah & Abdelshakour.

By: Brett Belin. Used to be only tackled by highly trained professionals As the internet grew, more and more people became familiar with securing a network.

Virtual Private Networks

Secure Software Confidentiality Integrity Data Security Authentication

IT443 – Network Security Administration Instructor: Bo Sheng

* Essential Network Security Book Slides.

Firewalls Purpose of a Firewall Characteristic of a firewall

Goals Introduce the Windows Server 2003 family of operating systems

IT Security for Meteorological Measuring Networks

Presentation transcript:

Symbolic Simulation of Tunneling Protocols Carl A. Gunter, Matthew Jacobs, Gaurav Shah, Mark-Oliver Stehr (UIUC), and Alwyn Goodloe Alwyn Goodloe HCES 2004

Overview Motivating problem from wireless security. Solution by composing secure tunnels. Software engineering and modeling. Future plans.

Wireless Security Why is wireless security any different from wired security? Resource constraints. Resource constraints. Increased risk to confidentiality. Increased risk to confidentiality. Value of the network link. Value of the network link.

Wireless Security Efforts Layer 1 (Physical) Spread spectrum Spread spectrum Layer 2 (Link) x – (b) WEP, (g) x – (b) WEP, (g) CDMA 2000 CDMA 2000 GPRS GPRS

GPRS

Network Layer Wireless Security We propose that security be addressed at the network layer. Advantages Independent of underlying link layer. Independent of underlying link layer. Overcomes many of the problems of layer 2 solutions. Overcomes many of the problems of layer 2 solutions. Leverages extensive experience, s/w, and h/w support from Ipsec for VPNs. Leverages extensive experience, s/w, and h/w support from Ipsec for VPNs.Disadvantage Need set up protocols. Need set up protocols.

Protocols for Tunnel Composition We have been investigating protocols for composing IPSec security tunnels. Given a scenario we ask: What tunnels should we establish What tunnels should we establish What properties should these tunnels have. What properties should these tunnels have. Develop protocols that compose these tunnels into a satisfactory solution. Lots of messy details to consider in order to get the composition to work. Lots of messy details to consider in order to get the composition to work.

Toward Network Layer Security Suppose we have three parties: client, server, network access server (NAS). The client wishes to securely access the server. We will assume that the client has a relationship with the NAS and the server, but the NAS does not have a relationship to the server. The Client will have to authenticate itself to both the NAS and the server. The Client will have to authenticate itself to both the NAS and the server.

Network Layer Wireless Security

Problem Similar problem to GPRS above. The NAS does not protect the client from attacking incoming traffic. Being forced to pay for service you never used is worse than denial of service.

How About a Firewall

Why Not a Firewall A stateful firewall can be programmed to allow only traffic from the address to which a connection has been made. The firewall can not see the contents of the IPSec traffic. Resulting in minimum protection.

L3A Protocol Principles The user’s traffic should travel in DOS resistant IPSec tunnels. These IPSec tunnels should be set up using DOS resistant protocols. The NAS should ensure that when the accounting system logs traffic as being from a user it is actually from that user. Authenticate incoming traffic. Authenticate incoming traffic.

L3A Architecture

L3A Protocol Components L3A protocol that sets up the six tunnels. SIKE Key Exchange protocol (X509 + DOS protection). Very simple. Does not use two party key generation. Very simple. Does not use two party key generation. No guarantee of perfect forward secrecy. No guarantee of perfect forward secrecy. Assumes existence of public key infrastructure. Assumes existence of public key infrastructure.

L3A Protocol Overview Client NAS Server

Key Exchange SIKE A B rA, SPI(n,0) rA,rB, SPI(n,m), certB, cookieA certA,cookieA, DA, Ps(a,DA) Where DA = [rA, IPB, SPI(n,m)] Where CookieA = VersionSecret | Hash([rA,rB,IPA, SPI(n,m)],Secret) DB, Ps(b,DB) Where DB = [rB, IPA, rA, SPI(n,m), Pe(A, K)]

Methodology An English language description resembling an IETF RFC is produced. A formal specification is written in Maude. Systems are modeled using membership equational logic and rewriting logic. Systems are modeled using membership equational logic and rewriting logic. Symbolic simulation has been our main debugging aid. We feel the design is now relatively stable. We feel the design is now relatively stable.

Maude Model of L3A Our Maude model seeks to apply good SE techniques to modeling the L3A protocol. Our Maude model seeks to apply good SE techniques to modeling the L3A protocol. Documentation and proper configuration control. Documentation and proper configuration control. Accent is on verifying design. Component interaction was our primary concern. Modeled the various components and layers. IP, IPSec, L3A, ….. IP, IPSec, L3A, ….. Symbolic simulation highlights the unexpected interactions.

Overview of Module Interaction L3A PKI SIKE IP SEC IP setkey

Security Assoc StateMessage IP SECSecurity Policy SIKE PKI L3A Abstract L3A L3a Test Abstract L3A Test Concrete SIKE Test IP Routing Table IP Message Setkey

Modeling Uncovered Problems Problems arose from interactions among the components. Numerous iterations were required to resolve problems resulting from when the IP Sec databases are updated. Numerous iterations were required to resolve problems resulting from when the IP Sec databases are updated. When things are not done right packets can slip into partially setup tunnels. When things are not done right packets can slip into partially setup tunnels.

We Didn’t Model Timeouts and resends. Lost Messages. Periodic updates to the secret used to generate the cookie. Fragmentation. Can be the source of DOS attacks. Can be the source of DOS attacks. UDP layer. Ports not mentioned at all in the model. Attacks. Formally verify SIKE/L3A. TBD.

Implementation Platform. X86 running FreeBSD. C, Python, and TLS crypto libraries. Radius server to be used for accounting. Radius server to be used for accounting. Will demonstrate that our protocol can be implemented using available technology. We will seek to validate the implementation against the Maude model. The protocol is very deterministic. The protocol is very deterministic. Should be able to match a run of the simulation against a run of the actual protocol modulo some specific field values. Should be able to match a run of the simulation against a run of the actual protocol modulo some specific field values. The process for less deterministic protocols is more challenging. The process for less deterministic protocols is more challenging.

Future Work Continue work on composition of security tunnels. Perform formal verification of SIKE. We assert that the composition of DOS resistant tunnels is DOS resistant. Existing formal methods lack the tools to reason about DOS. We plan on working toward filling this void in the formal methods toolkit.