Issues in Internet Security. Securing the Internet How does the internet hold up security-wise? How does the internet hold up security-wise? Not well:

Slides:



Advertisements
Similar presentations
Review iClickers. Ch 1: The Importance of DNS Security.
Advertisements

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.
Chapter 8 Administering TCP/IP.
Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.
1 Chapter 13: Representing Identity What is identity Different contexts, environments Pseudonymity and anonymity.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Internet Protocol Security (IPSec)
Domain Name System Security Extensions (DNSSEC) Hackers 2.
DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.
DNS Domain Name Systems Introduction 1. DNS DNS is not needed for the internet to work IP addresses are all that is needed The internet would be extremely.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
Name Resolution Domain Name System.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Chapter 16 – DNS. DNS Domain Name Service This service allows client machines to resolve computer names (domain names) to IP addresses DNS works at the.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
CSUF Chapter 6 1. Computer Networks: Domain Name System 2.
Network security BGP and DNS Worms.
Lecture 29 Page 1 Advanced Network Security Privacy in Networking Advanced Network Security Peter Reiher August, 2014.
IIT Indore © Neminath Hubballi
Feb 20, 2001CSCI {4,6}900: Ubiquitous Computing1 Announcements.
Lecture 8 Page 1 Advanced Network Security Review of Networking Basics: Internet Architecture, Routing, and Naming Advanced Network Security Peter Reiher.
1 DNS: Domain Name System People: many identifiers: m SSN, name, Passport # Internet hosts, routers: m IP address (32 bit) - used for addressing datagrams.
1 Application Layer Lecture 6 Imran Ahmed University of Management & Technology.
Lecture#1 on Internet. Internet Addressing IP address: pattern of 32 or 128 bits often represented in dotted decimal notation IP address: pattern of 32.
COMT 6251 Network Layers COMT Overview IP and general Internet Operations Address Mapping ATM LANs Other network protocols.
October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.
How to use DNS during the evolution of ICN? Zhiwei Yan.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.
Lecture 17 Page 1 CS 236 Online Onion Routing Meant to handle issue of people knowing who you’re talking to Basic idea is to conceal sources and destinations.
Lecture 18 Page 1 CS 236, Spring 2008 DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access
Netprog: Chat1 Chat Issues and Ideas for Service Design Refs: RFC 1459 (IRC)
Networking (Cont’d). Congestion Control l Is achieved by informing nodes along a route that congestion has occurred and asking them to reduce their packet.
Basics of the Domain Name System (DNS) By : AMMY- DRISS Mohamed Amine KADDARI Zakaria MAHMOUDI Soufiane Oujda Med I University National College of Applied.
Grades update. Homework #1 Count35 Minimum Value47.00 Maximum Value Average
Lecture 19 Page 1 CS 236 Online Privacy Privacy vs. security? Data privacy issues Network privacy issues Some privacy solutions.
THE LARGEST NAME SERVICE ACTING AS A PHONE BOOK FOR THE INTERNET The Domain Name System click here to next page 1.
IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.
MAN-IN-THE-MIDDLE ATTACK STEGANOGRAPHY Lab# MAC Addresses and ARP  32-bit IP address:  network-layer address  used to get datagram to destination.
DNS Security Risks Section 0x02. Joke/Cool thing traceroute traceroute c
THE DNS (DOMAIN NAME SYSTEM). Before the DNS, all computers connected to the internet through ARPANET (the worlds first operational packet switching network).
Outline Routing security DNS security. Securing Key Internet Technologies Computer Security Peter Reiher March 14, 2017.
Understand Names Resolution
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
DNS Security Advanced Network Security Peter Reiher August, 2014
DNS.
DNS Cache Poisoning Attack
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
DNS security.
The Issue We all depend on the Internet
Chapter 19 Domain Name System (DNS)
NET 536 Network Security Lecture 8: DNS Security
COMPUTER NETWORKS PRESENTATION
Privacy Privacy vs. security? Data privacy issues
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
CSE 542: Operating Systems
Outline The spoofing problem Approaches to handle spoofing
Presentation transcript:

Issues in Internet Security

Securing the Internet How does the internet hold up security-wise? How does the internet hold up security-wise? Not well: Not well: Not very secure Not very secure Very prone to failure Very prone to failure Not well regulated Not well regulated In general, all users should assume things might stop working at any given moment! In general, all users should assume things might stop working at any given moment!

The problem The internet forms a key infrastructure for our society. The internet forms a key infrastructure for our society. Basic unit for multiple systems: Basic unit for multiple systems: Banking Banking Electricity, power companies, and other utilities Electricity, power companies, and other utilities Water and sewage Water and sewage Hospitals and medical systems Hospitals and medical systems All of these mean that the internet is a powerful point of failure. All of these mean that the internet is a powerful point of failure.

What to do? In some ways, addressing this question is too broad. In some ways, addressing this question is too broad. Some steps: Some steps: Better awareness of risks Better awareness of risks Form better infrastructure Form better infrastructure Better government understanding (and yes, even monitoring) Better government understanding (and yes, even monitoring) More concretely, identify main points of failure and try to address these issues. More concretely, identify main points of failure and try to address these issues.

Core Weaknesses DNS and routing DNS and routing Privacy Privacy Optional security mechanisms do add security and privacy (such as IPSec). Optional security mechanisms do add security and privacy (such as IPSec). We’ll look at two more options today. We’ll look at two more options today. Physical infrastructure (largely up to companies) Physical infrastructure (largely up to companies) Weaknesses in individual providers (again out of our control) Weaknesses in individual providers (again out of our control)

DNS The Domain Name System (DNS) is the distributed system for mapping user friendly domain names (such as google.com or mathcs.slu.edu) to the correct IP addresses. The Domain Name System (DNS) is the distributed system for mapping user friendly domain names (such as google.com or mathcs.slu.edu) to the correct IP addresses. It is hierarchical: It is hierarchical: Authoritative name servers “own” a domain Authoritative name servers “own” a domain These govern which servers “own” subdomains These govern which servers “own” subdomains Invented in 1983 by Paul Mockapetris; prior to this every computer simply had a file called hosts.txt that stored all computers on the ARPANET. Invented in 1983 by Paul Mockapetris; prior to this every computer simply had a file called hosts.txt that stored all computers on the ARPANET.

How DNS is managed

How DNS works

More DNS details DNS is generally udp based (so not terribly reliable). DNS is generally udp based (so not terribly reliable). To reduce the load on the system, records are cached for some period of time; this is generally a small amount of time, but the protocol supports up to 68 years. To reduce the load on the system, records are cached for some period of time; this is generally a small amount of time, but the protocol supports up to 68 years. The OS of any computer runs a DNS resolvers that applications hand requests to. The OS of any computer runs a DNS resolvers that applications hand requests to. In addition, home users are relying on ISPs setting up a DNS server to track their current IP. In addition, home users are relying on ISPs setting up a DNS server to track their current IP. Things can be even more complex; some applications (such as web browsers) even keep their own DNS cache. Things can be even more complex; some applications (such as web browsers) even keep their own DNS cache.

DNS details (cont.) Hostnames and IPs don’t necessarily match 1-1. Hostnames and IPs don’t necessarily match 1-1. For example, often set up a domain name with multiple IPs in order to distribute traffic load. For example, often set up a domain name with multiple IPs in order to distribute traffic load. Also used for delivery. Also used for delivery. Multiple servers are generally provided for each domain to deal with any failures in the system. Multiple servers are generally provided for each domain to deal with any failures in the system. Variants such as dynamic DNS (DDNS) allow for rapid update by the hosts (such as for mobile systems). Variants such as dynamic DNS (DDNS) allow for rapid update by the hosts (such as for mobile systems).

Root servers At the top level, there are 13 root servers (A-M) somewhere in the world, with additional scattered backups. At the top level, there are 13 root servers (A-M) somewhere in the world, with additional scattered backups.

DNS resource records The data structure that holds the information is called a resource record (often abbreviated RR). The data structure that holds the information is called a resource record (often abbreviated RR). Contains: Contains:

Security and DNS DNS lookups are inherently not secret or secure. DNS lookups are inherently not secret or secure. Nothing guarantees information integrity in this system. Nothing guarantees information integrity in this system. This is a problem – the internet depends on this process working correctly! This is a problem – the internet depends on this process working correctly! Obvious availability issues, since these servers going down would disrupt service worldwide. Obvious availability issues, since these servers going down would disrupt service worldwide. The server or client could be a threat, since nothing is authenticated in this system. The server or client could be a threat, since nothing is authenticated in this system.

DNS lookup problems What can really go wrong? What can really go wrong? A DNS answer (coming from a server) could be spoofed by a malicious user. A DNS answer (coming from a server) could be spoofed by a malicious user. Relatively easy – it’s UDP, remember? Relatively easy – it’s UDP, remember? A DNS server could actually send false data. A DNS server could actually send false data. DNS databases could be corrupted. DNS databases could be corrupted.

DNSSEC: a solution The basic concept of DNSSEC is simple – all transactions are “signed” so that you know the correct source is giving you the data. The basic concept of DNSSEC is simple – all transactions are “signed” so that you know the correct source is giving you the data. Two options: Two options: The server responding can “sign” The server responding can “sign” Or the server that owns the namespace can “sign” Or the server that owns the namespace can “sign” DNSSEC has the server that owns the namespace sign the authenticity of any RR’s giving an address. DNSSEC has the server that owns the namespace sign the authenticity of any RR’s giving an address. Note: not a privacy solution! Note: not a privacy solution!

Practical implications Each DNS database must store signatures for RR’s. Each DNS database must store signatures for RR’s. Essentially adds several portions to the RR’s, including DNSKEY, RRSIG, etc. Essentially adds several portions to the RR’s, including DNSKEY, RRSIG, etc. The records have gotten much longer as a result. The records have gotten much longer as a result. ICANN (which manages DNS) signs for itself and top level domains. ICANN (which manages DNS) signs for itself and top level domains. Each top level domain signs for domains under it. Each top level domain signs for domains under it. And so on down. And so on down.

An example Consider mathcs.slu.edu (or ). Who signs this translation? Consider mathcs.slu.edu (or ). Who signs this translation? The SLU DNS server The SLU DNS server And how can we be sure that that is the correct server to sign? And how can we be sure that that is the correct server to sign? Because the EDU server verifies the SLU server’s signature Because the EDU server verifies the SLU server’s signature Each level leads one step closer to top level ICANN server, and this information lives in DNS databases. Each level leads one step closer to top level ICANN server, and this information lives in DNS databases. Ideally, every query will begin at the top, so entire chain is authenticated. Ideally, every query will begin at the top, so entire chain is authenticated.

Some problems To use DNSSEC, it must be supported by the DNS server above you (as well as all the others above that). To use DNSSEC, it must be supported by the DNS server above you (as well as all the others above that). If no RRSIG comes back in the RR, it could be an error. Or a man-in-the-middle attack. Or a configuration problem along the way. If no RRSIG comes back in the RR, it could be an error. Or a man-in-the-middle attack. Or a configuration problem along the way. To be secure, need to check all signatures yourself, but also can have trusted authority check them (and to have secure communication between yourself and authority). To be secure, need to check all signatures yourself, but also can have trusted authority check them (and to have secure communication between yourself and authority).

Non-existent records How can we get a signed record for EVERY possible non- existent name out there, to be sure they actually don’t exist? How can we get a signed record for EVERY possible non- existent name out there, to be sure they actually don’t exist? Solution: Names are alphabetically ordered. Between any two names, a bunch don’t exist, so we can sign this range of names. Solution: Names are alphabetically ordered. Between any two names, a bunch don’t exist, so we can sign this range of names. When someone looks up one of these names, we give them a range signature. When someone looks up one of these names, we give them a range signature.

For Example lasr.cs.ucla.edu pelican.cs.ucla.edu toucan.cs.ucla.edu pelican.cs.ucla.edu toucan.cs.ucla.edu lbsr.cs.ucla.edu – pd.cs.ucla.edu NOT ASSIGNED > host last.cs.ucla.edu You get authoritative information that the name isn’t assigned Foils spoofing attacks

DNSSEC status Implementations of DNSSEC are in use, and are heavily promoted (first by DARPA and now by DHS). Implementations of DNSSEC are in use, and are heavily promoted (first by DARPA and now by DHS). ICANN has signed the root, and all the major nodes are done (.com,.gov,.edu,.org,.net) ICANN has signed the root, and all the major nodes are done (.com,.gov,.edu,.org,.net) NOT all signed below, however, and many “island of security” exist in DNS. NOT all signed below, however, and many “island of security” exist in DNS. These sign for themselves and anyone below. These sign for themselves and anyone below. The utility of DNSSEC ultimately depends on the clients actually checking signatures. The utility of DNSSEC ultimately depends on the clients actually checking signatures.

Using DNSSEC Unfortunately, installing and managing DNSSEC is also fairly difficult. Unfortunately, installing and managing DNSSEC is also fairly difficult. Particularly hard for domains with lots of things to support, since every new name required lots of new things to sign. Particularly hard for domains with lots of things to support, since every new name required lots of new things to sign. In practice, many things sign certificates for lengthy amounts of time (days or months), which makes hijacking after an update much easier, also. In practice, many things sign certificates for lengthy amounts of time (days or months), which makes hijacking after an update much easier, also.

Privacy Obviously, DNSSEC does nothing to keep communication secret. DNS is inherently public! Obviously, DNSSEC does nothing to keep communication secret. DNS is inherently public! Encryption is the core of how we keep communication secret. So what else should we worry about? Encryption is the core of how we keep communication secret. So what else should we worry about? Traffic analysis: Traffic analysis: Sometimes, the goal is to hide that we are even talking to each other. Sometimes, the goal is to hide that we are even talking to each other. This can be deduced even if our data is encrypted, since routing is a public process. This can be deduced even if our data is encrypted, since routing is a public process.

Location privacy In addition to knowledge of communication, location information is given away by packet data. In addition to knowledge of communication, location information is given away by packet data. IP addresses often give away a lot of information about where you are. IP addresses often give away a lot of information about where you are. Mobile devices communicate while you are on the move! Mobile devices communicate while you are on the move! Can be used to get information on our movement and actions, often without our knowledge. Can be used to get information on our movement and actions, often without our knowledge. What types of solutions are possible today, given our internet infrastructure? What types of solutions are possible today, given our internet infrastructure?

Anonymizers Network sites that accept requests from outsiders. Network sites that accept requests from outsiders. They submit these requests under their own or a fake identity. They submit these requests under their own or a fake identity. Responses are returned to the original requester. Responses are returned to the original requester. In fact, a NAT box is a simple version of this! In fact, a NAT box is a simple version of this! Problem: Problem: The anonymizer knows your identity. The anonymizer knows your identity. Generally, should not assume this is a reliable source of anonymity, since can be tricked, hacked, or compelled into giving up information. Generally, should not assume this is a reliable source of anonymity, since can be tricked, hacked, or compelled into giving up information.

Onion Routing Meant to conceal sources and destinations in all traffic. Meant to conceal sources and destinations in all traffic. A group of nodes agree to be onion routers. A group of nodes agree to be onion routers. The users obtain cryptographic keys for those nodes. The users obtain cryptographic keys for those nodes. Each packet goes through many hops. Each packet goes through many hops. Many users send many packets through the routers, which conceals who is really talking to whom. Many users send many packets through the routers, which conceals who is really talking to whom. Setup for a packet: Setup for a packet: Encrypt the packet with the destination’s key. Encrypt the packet with the destination’s key. Wrap that with another packet to another router, encrypted with that router’s key. Wrap that with another packet to another router, encrypted with that router’s key. Iterate this many times. Iterate this many times.

A picture: SourceDestination Onion routers

What’s Really in the Packet

Delivering the Message

What does this get us? Assuming it all went right: Assuming it all went right: Nobody could read our data. Nobody could read our data. Nobody is sure who sent it (except the receiver). Nobody is sure who sent it (except the receiver). Nobody is sure who received it (except the sender). Nobody is sure who received it (except the sender).

Onion routing issues Using keys properly Using keys properly Traffic analysis is still possible Traffic analysis is still possible Overhead is a problem Overhead is a problem Multiple hops Multiple hops Multiple encryptions Multiple encryptions Limited anti-government possibilities. (In particular, China has a history of disabling these.) Limited anti-government possibilities. (In particular, China has a history of disabling these.) Ethical implications, also. Ethical implications, also. This makes running botnets much easier. This makes running botnets much easier.