8: Network Security 8-1 IPsec: Network Layer Security r network-layer secrecy: m sending host encrypts the data in IP datagram m TCP and UDP segments;

Slides:



Advertisements
Similar presentations
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Advertisements

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
CSE551: Computer Network Review r Network Layers r TCP/UDP r IP.
1 Reading Log Files. 2 Segment Format
Network Security. Reasons to attack Steal information Modify information Deny service (DoS)
McGraw-Hill © ©The McGraw-Hill Companies, Inc., 2004 Chapter 31 Security Protocols in the Internet.
Week 5: Internet Protocol Continue to discuss Ethernet and ARP –MTU –Ethernet and ARP packet format IP: Internet Protocol –Datagram format –IPv4 addressing.
Firewalls and Intrusion Detection Systems
Internet Control Message Protocol (ICMP)
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
The Network Layer Chapter 5. The IP Protocol The IPv4 (Internet Protocol) header.
Network Layer4-1 Chapter 4 Network Layer Computer Networking: A Top Down Approach Featuring the Internet, 3 rd edition. Jim Kurose, Keith Ross Addison-Wesley,
Chapter 5 The Network Layer.
Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.
ICMP: Internet Control Message Protocol used by hosts, routers, gateways to communication network-level information –error reporting: unreachable host,
1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.
WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
12 – NAT, ICMP, IPv6 Network Layer4-1. Network Layer4-2 Chapter 4 Network Layer Computer Networking: A Top Down Approach Featuring the Internet, 3 rd.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.
24-1 Last time □ Message Integrity □ Authentication □ Key distribution and certification.
4: Network Layer4a-1 IP datagram format ver length 32 bits data (variable length, typically a TCP or UDP segment) 16-bit identifier Internet checksum time.
Network Layer4-1 NAT: Network Address Translation local network (e.g., home network) /24 rest of.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
8: Network Security8-1 Security in the layers. 8: Network Security8-2 Secure sockets layer (SSL) r Transport layer security to any TCP- based app using.
FIREWALL Mạng máy tính nâng cao-V1.
Network Security7-1 Today r Collect Ch6 HW r Assign Ch7 HW m Ch7 #2,3,4,5,7,9,10,12 m Due Wednesday Nov 19 r Continue with Chapter 7 (Security)
Chapter 6: Packet Filtering
Part 2  Access Control 1 CAPTCHA Part 2  Access Control 2 Turing Test Proposed by Alan Turing in 1950 Human asks questions to another human and a computer,
Network Security7-1 Chapter 7 Network Security Computer Networking: A Top Down Approach Featuring the Internet, 2 nd edition. Jim Kurose, Keith Ross Addison-Wesley,
Firewalls A note on the use of these ppt slides:
1 WEP Design Goals r Symmetric key crypto m Confidentiality m Station authorization m Data integrity r Self synchronizing: each packet separately encrypted.
Chapter 8 Network Security A note on the use of these ppt slides: We’re making these slides freely available to all (faculty, students, readers). They’re.
8: Network Management1 Firewalls. 8: Network Management2 Firewalls Two firewall types: m packet filter m application gateways To prevent denial of service.
ICT 6621 : Advanced NetworkingKhaled Mahbub, IICT, BUET, 2008 Lecture 12 Network Security (2)
Ch 8. Security in computer networks Myungchul Kim
Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.
TCP/IP Protocols Contains Five Layers
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 part 4: Securing IP.
1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.
Firewall Tutorial Hyukjae Jang Nc lab, CS dept, Kaist.
© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 part 5: Mobile security,
Chapter 8 Network Security Thanks and enjoy! JFK/KWR All material copyright J.F Kurose and K.W. Ross, All Rights Reserved Computer Networking:
1 Network Layer Lecture 16 Imran Ahmed University of Management & Technology.
Network Security7-1 Today r Reminder Ch7 HW due Wed r Finish Chapter 7 (Security) r Start Chapter 8 (Network Management)
Transport Layer3-1 Chapter 4: Network Layer r 4. 1 Introduction r 4.2 Virtual circuit and datagram networks r 4.3 What’s inside a router r 4.4 IP: Internet.
Chapter 8 Network Security Thanks and enjoy! JFK/KWR All material copyright J.F Kurose and K.W. Ross, All Rights Reserved Computer Networking:
Network Security7-1 Firewalls isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others. firewall.
Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.
Network Security7-1 Firewalls Isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others. firewall.
1 IPSec: An Overview Dr. Rocky K. C. Chang 4 February, 2002.
K. Salah1 Security Protocols in the Internet IPSec.
TCP/IP1 Address Resolution Protocol Internet uses IP address to recognize a computer. But IP address needs to be translated to physical address (NIC).
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
4: Network Layer4-1 Chapter 4: Network Layer r 4. 1 Introduction r 4.2 Virtual circuit and datagram networks r 4.3 What’s inside a router r 4.4 IP: Internet.
Polytechnic University Firewall and Trusted Systems Presented by, Lekshmi. V. S cos
Last time Message Integrity Authentication
Security in the layers 8: Network Security.
Error and Control Messages in the Internet Protocol
Firewall – Survey Purpose of a Firewall Characteristic of a firewall
Introduction to Networking
TCP/IP Protocol Suite1 Lecturer 8. TCP/IP Protocol Suite2 INTRODUCTION We are living in the information age. We need to keep information about every aspect.
Chapter 6 Network Security
Firewalls By conventional definition, a firewall is a partition made
Introduction to Network Security
Session 20 INST 346 Technologies, Infrastructure and Architecture
Presentation transcript:

8: Network Security 8-1 IPsec: Network Layer Security r network-layer secrecy: m sending host encrypts the data in IP datagram m TCP and UDP segments; ICMP and SNMP messages. r network-layer authentication m destination host can authenticate source IP address r two principal protocols: m authentication header (AH) protocol m encapsulation security payload (ESP) protocol r for both AH and ESP, source, destination handshake: m create network-layer logical channel called a security association (SA) r each SA unidirectional. r uniquely determined by: m security protocol (AH or ESP) m source IP address m 32-bit connection ID

8: Network Security 8-2 Firewalls isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others. firewall administered network public Internet firewall

8: Network Security 8-3 Firewalls: Why prevent denial of service attacks: m SYN flooding: attacker establishes many bogus TCP connections, no resources left for “real” connections prevent illegal modification/access of internal data. m e.g., attacker replaces CIA’s homepage with something else allow only authorized access to inside network (set of authenticated users/hosts) three types of firewalls: m stateless packet filters m stateful packet filters m application gateways

8: Network Security 8-4 Stateless packet filtering r internal network connected to Internet via router firewall r router filters packet-by-packet, decision to forward/drop packet based on: m source IP address, destination IP address m TCP/UDP source and destination port numbers m ICMP message type m TCP SYN and ACK bits Should arriving packet be allowed in? Departing packet let out?

8: Network Security 8-5 Stateless packet filtering: example r example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. m all incoming, outgoing UDP flows and telnet connections are blocked. r example 2: Block inbound TCP segments with ACK=0. m prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.

8: Network Security 8-6 Policy Firewall Setting No outside Web access. Drop all outgoing packets to any IP address, port 80 No incoming TCP connections, except those for institution’s public Web server only. Drop all incoming TCP SYN packets to any IP except , port 80 Prevent Web-radios from eating up the available bandwidth. Drop all incoming UDP packets - except DNS and router broadcasts. Prevent your network from being used for a smurf DoS attack. Drop all ICMP packets going to a “broadcast” address (eg ). Prevent your network from being tracerouted Drop all outgoing ICMP TTL expired traffic Stateless packet filtering: more examples

8: Network Security 8-7 action source address dest address protocol source port dest port flag bit allow222.22/16 outside of /16 TCP> any allowoutside of /16 TCP80> 1023ACK allow222.22/16 outside of /16 UDP> allowoutside of /16 UDP53> denyall Access Control Lists r ACL: table of rules, applied top to bottom to incoming packets: (action, condition) pairs

8: Network Security 8-8 Stateful packet filtering r stateless packet filter: heavy handed tool m admits packets that “make no sense,” e.g., dest port = 80, ACK bit set, even though no TCP connection established: action source address dest address protocol source port dest port flag bit allowoutside of /16 TCP80> 1023ACK r stateful packet filter: track status of every TCP connection m track connection setup (SYN), teardown (FIN): can determine whether incoming, outgoing packets “makes sense” m timeout inactive connections at firewall: no longer admit packets

8: Network Security 8-9 action source address dest address proto source port dest port flag bit check conxion allow222.22/16 outside of /16 TCP> any allowoutside of /16 TCP80> 1023ACK x allow222.22/16 outside of /16 UDP> allowoutside of /16 UDP53> x denyall Stateful packet filtering r ACL augmented to indicate need to check connection state table before admitting packet

8: Network Security 8-10 Application gateways r filters packets on application data as well as on IP/TCP/UDP fields. r example: allow select internal users to telnet outside. host-to-gateway telnet session gateway-to-remote host telnet session application gateway router and filter 1. require all telnet users to telnet through gateway. 2. for authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections 3. router filter blocks all telnet connections not originating from gateway.

8: Network Security 8-11 Limitations of firewalls and gateways r IP spoofing: router can’t know if data “really” comes from claimed source r if multiple app’s. need special treatment, each has own app. gateway. r client software must know how to contact gateway. m e.g., must set IP address of proxy in Web browser r filters often use all or nothing policy for UDP. r tradeoff: degree of communication with outside world, level of security r many highly protected sites still suffer from attacks.

8: Network Security 8-12 Intrusion detection systems r packet filtering: m operates on TCP/IP headers only m no correlation check among sessions r IDS: intrusion detection system m deep packet inspection: look at packet contents (e.g., check character strings in packet against database of known virus, attack strings) m examine correlation among multiple packets port scanning network mapping DoS attack

8: Network Security 8-13 Web server FTP server DNS server application gateway Internet demilitarized zone internal network firewall IDS sensors Intrusion detection systems r multiple IDSs: different types of checking at different locations

8: Network Security 8-14 Network Security (summary) Basic techniques…... m cryptography (symmetric and public) m message integrity m end-point authentication …. used in many different security scenarios m secure m secure transport (SSL) m IP sec m Operational Security: firewalls and IDS

Availability r Access over Internet must be unimpeded m Context: flooding attacks, in which attackers try to overwhelm system resources r Denial of service (DoS) attacks disrupt availability m Distributed DoS is a coordinated attack from multiple attackers r Example: SYN flood m Problem: server cannot distinguish legitimate handshake from one that is part of this attack Only difference is whether third part of TCP handshake is sent m Flood can overwhelm communication medium Can’t do anything about this (except buy a bigger pipe) m Flood can overwhelm resources on legitimate system

Regular TCP handshake

Too many half-opened TCP connections at server creates a DoS attack Server is waiting client to finish the connection Buffer space is full and legitimate connection cannot be completed

Flooding DoS attack

Prevention of SYN flood: SYN Cookies r Server no longer keeps the client’s state m Embed the state in the sequence number m When SYN received, server computes a sequence number to be function of source, destination, counter, and a secret The function may be one-way hash function The secret is known only by the server Use as reply SYN sequence number When reply ACK arrives, validate it m The sequence number must be hard to guess

SYN Cookie y = H(source, destination, secret, counter) computed by server s is secret known only by server H is a one-way hash function Server no longer keeps client’s state Server verifies sequence number with s Client cannot forge a sequence number without actually engaging in handshake

Alternative prevention to SYN flood: adaptive Time-Out r Change time-out time as space available for pending connections decreases r Example: modified SunOS kernel m Time-out period shortened from 75 to 15 sec m Formula for queueing pending connections changed: Process allows up to b pending connections on port a number of completed connections but awaiting process p total number of pending connections c tunable parameter Whenever a + p > cb, drop current SYN message

ICMP: Internet Control Message Protocol r used by hosts & routers to communicate network-level information m error reporting: unreachable host, network, port, protocol m echo request/reply (used by ping) r network-layer “above” IP: m ICMP msgs carried in IP datagrams r ICMP message: type, code plus first 8 bytes of IP datagram causing error Type Code description 0 0 echo reply (ping) 3 0 dest. network unreachable 3 1 dest host unreachable 3 2 dest protocol unreachable 3 3 dest port unreachable 3 6 dest network unknown 3 7 dest host unknown 4 0 source quench (congestion control - not used) 8 0 echo request (ping) 9 0 route advertisement 10 0 router discovery 11 0 TTL expired 12 0 bad IP header

Flooding DoS attacks

2: Application Layer 24 Slides credits r J.F Kurose and K.W. Ross

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.