Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 12 Page 1 CS 136, Fall 2011 Network Security, Continued CS 136 Computer Security Peter Reiher November 1, 2011.

Published byDella Anderson Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 12 Page 1 CS 136, Fall 2011 Network Security, Continued CS 136 Computer Security Peter Reiher November 1, 2011."— Presentation transcript:

1 Lecture 12 Page 1 CS 136, Fall 2011 Network Security, Continued CS 136 Computer Security Peter Reiher November 1, 2011

2 Lecture 12 Page 2 CS 136, Fall 2011 Encryption and Network Security Relies on the kinds of encryption algorithms and protocols discussed previously Can be applied at different places in the network stack With different effects and costs

3 Lecture 12 Page 3 CS 136, Fall 2011 Link Level Encryption SourceDestination plaintext Let’s say we want to send a message using encryption ciphertext plaintextciphertext plaintextciphertext plaintextciphertext plaintext Different keys (maybe even different ciphers) used at each hop

4 Lecture 12 Page 4 CS 136, Fall 2011 End-to-End Encryption SourceDestination plaintextciphertext plaintext Cryptography only at the end points Only the end points see the plaintext Normal way network cryptography done When would link encryption be better?

5 Lecture 12 Page 5 CS 136, Fall 2011 Where Are the Endpoints, Anyway? If you do end-to-end encryption, where are the endpoints? The network layer end points? The transport layer end points? The application layer end points? Maybe not even end machine to end machine (e.g., VPNs)? Has serious implications for where you do cryptography –And keying and trust issues

6 Lecture 12 Page 6 CS 136, Fall 2011 IPsec Standard for applying cryptography at the network layer of IP stack Provides various options for encrypting and authenticating packets –On end-to-end basis –Without concern for transport layer (or higher)

7 Lecture 12 Page 7 CS 136, Fall 2011 What IPsec Covers Message integrity Message authentication Message confidentiality

8 Lecture 12 Page 8 CS 136, Fall 2011 What Isn’t Covered Non-repudiation Digital signatures Key distribution Traffic analysis Handling of security associations Some of these covered in related standards

9 Lecture 12 Page 9 CS 136, Fall 2011 Some Important Terms for IPsec Security Association - “ A Security Association (SA) is a simplex ‘connection’ that affords security services to the traffic carried by it.” –Basically, a secure one-way channel SPI (Security Parameters Index) – Combined with destination IP address and IPsec protocol type, uniquely identifies an SA

10 Lecture 12 Page 10 CS 136, Fall 2011 General Structure of IPsec Really designed for end-to-end encryption –Though could do link level Designed to operate with either IPv4 or IPv6 Meant to operate with a variety of different encryption protocols And to be neutral to key distribution methods Has sub-protocols –E.g., Encapsulating Security Payload

11 Lecture 12 Page 11 CS 136, Fall 2011 Encapsulating Security Payload (ESP) Protocol Encrypt the data and place it within the ESP The ESP has normal IP headers Can be used to encrypt just the payload of the packet Or the entire IP packet

12 Lecture 12 Page 12 CS 136, Fall 2011 ESP Modes Transport mode –Encrypt just the transport-level data in the original packet –No IP headers encrypted Tunnel mode –Original IP datagram is encrypted and placed in ESP –Unencrypted headers wrapped around ESP

13 Lecture 12 Page 13 CS 136, Fall 2011 ESP in Transport Mode Extract the transport-layer frame –E.g., TCP, UDP, etc. Encapsulate it in an ESP Encrypt it The encrypted data is now the last payload of a cleartext IP datagram

14 Lecture 12 Page 14 CS 136, Fall 2011 ESP Transport Mode Original IP header ESP Hdr Normal Packet Payload ESP Trlr ESP Auth Encrypted Authenticated

15 Lecture 12 Page 15 CS 136, Fall 2011 Using ESP in Tunnel Mode Encrypt the IP datagram –The entire datagram Encapsulate it in a cleartext IP datagram Routers not understanding IPsec can still handle it Receiver reverses the process

16 Lecture 12 Page 16 CS 136, Fall 2011 ESP Tunnel Mode New IP hdr ESP Hdr Original Packet Payload ESP Trlr ESP Auth Orig. IP hdr Encrypted Authenticated

17 Lecture 12 Page 17 CS 136, Fall 2011 Uses and Implications of Tunnel Mode Typically used when there are security gateways between sender and receiver –And/or sender and receiver don’t speak IPsec Outer header shows security gateway identities –Not identities of real parties Can thus be used to hide some traffic patterns

18 Lecture 12 Page 18 CS 136, Fall 2011 What IPsec Requires Protocol standards –To allow messages to move securely between nodes Supporting mechanisms at hosts running IPsec –E.g., a Security Association Database Lots of plug-in stuff to do the cryptographic heavy lifting

19 Lecture 12 Page 19 CS 136, Fall 2011 The Protocol Components Pretty simple Necessary to interoperate with non-IPsec equipment So everything important is inside an individual IP packet’s payload No inter-message components to protocol –Though some security modes enforce inter-message invariants

20 Lecture 12 Page 20 CS 136, Fall 2011 The Supporting Mechanisms Methods of defining security associations Databases for keeping track of what’s going on with other IPsec nodes –To know what processing to apply to outgoing packets –To know what processing to apply to incoming packets

21 Lecture 12 Page 21 CS 136, Fall 2011 Plug-In Mechanisms Designed for high degree of generality So easy to plug in: –Different crypto algorithms –Different hashing/signature schemes –Different key management mechanisms

22 Lecture 12 Page 22 CS 136, Fall 2011 Status of IPsec Accepted Internet standard Widely implemented and used –Supported in Windows 2000, XP, Vista, Windows 7 –In Linux 2.6 (and later) kernel The architecture doesn’t require everyone to use it RFC 3602 on using AES in IPsec still listed as “proposed” AES will become default for ESP in IPsec

23 Lecture 12 Page 23 CS 136, Fall 2011 Traffic Control Mechanisms Filtering –Source address filtering –Other forms of filtering Rate limits Protection against traffic analysis –Padding –Routing control

24 Lecture 12 Page 24 CS 136, Fall 2011 Source Address Filtering Filtering out some packets because of their source address value –Usually because you believe their source address is spoofed Often called ingress filtering –Or egress filtering...

25 Lecture 12 Page 25 CS 136, Fall 2011 Source Address Filtering for Address Assurance Router “knows” what network it sits in front of –In particular, knows IP addresses of machines there Filter outgoing packets with source addresses not in that range Prevents your users from spoofing other nodes’ addresses –But not from spoofing each other’s

26 Lecture 12 Page 26 CS 136, Fall 2011 Source Address Filtering Example 128.171.192.* 95.113.27.1256.29.138.2 My network shouldn’t be creating packets with this source address So drop the packet

27 Lecture 12 Page 27 CS 136, Fall 2011 Source Address Filtering in the Other Direction Often called egress filtering –Or ingress filtering... Occurs as packets leave the Internet and enter a border router –On way to that router’s network What addresses shouldn’t be coming into your local network?

28 Lecture 12 Page 28 CS 136, Fall 2011 Filtering Incoming Packets 128.171.192.* 128.171.192.5128.171.192.7 Packets with this source address should be going out, not coming in So drop the packet

29 Lecture 12 Page 29 CS 136, Fall 2011 Other Forms of Filtering One can filter on things other than source address –Such as worm signatures, unknown protocol identifiers, etc. Also, there are unallocated IP addresses in IPv4 space –Can filter for packets going to or coming from those addresses Some source addresses for local use only –Internet routers can drop packets to/from them

30 Lecture 12 Page 30 CS 136, Fall 2011 Realistic Limits on Filtering Little filtering possible in Internet core –Packets being handled too fast –Backbone providers don’t want to filter –Damage great if you screw it up Filtering near edges has its own limits –In what’s possible –In what’s affordable –In what the router owners will do

31 Lecture 12 Page 31 CS 136, Fall 2011 Rate Limits Many routers can place limits on the traffic they send to a destination Ensuring that the destination isn’t overloaded –Popular for denial of service defenses Limits can be defined somewhat flexibly But often not enough flexibility to let the good traffic through and stop the bad

32 Lecture 12 Page 32 CS 136, Fall 2011 Padding Sometimes you don’t want intruders to know what your traffic characteristics are Padding adds extra traffic to hide the real stuff Fake traffic must look like real traffic –Usually means encrypt it all Must be done carefully, or clever attackers can tell the good stuff from the noise

33 Lecture 12 Page 33 CS 136, Fall 2011 Routing Control Use ability to control message routing to conceal the traffic in the network Used in onion routing to hide who is sending traffic to whom –For anonymization purposes Routing control also used in some network defense –To hide real location of a machine –E.g., SOS DDoS defense system

34 Lecture 12 Page 34 CS 136, Fall 2011 Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits between a LAN/WAN and the Internet Running special software to regulate network traffic

35 Lecture 12 Page 35 CS 136, Fall 2011 Typical Use of a Firewall Local Network The Internet ??? Firewall ???

36 Lecture 12 Page 36 CS 136, Fall 2011 Firewalls and Perimeter Defense Firewalls implement a form of security called perimeter defense Protect the inside of something by defending the outside strongly –The firewall machine is often called a bastion host Control the entry and exit points If nothing bad can get in, I’m safe, right?

37 Lecture 12 Page 37 CS 136, Fall 2011 Weaknesses of Perimeter Defense Models Breaching the perimeter compromises all security Windows passwords are a form of perimeter defense –If you get past the password, you can do anything Perimeter defense is part of the solution, not the entire solution

38 Lecture 12 Page 38 CS 136, Fall 2011 Weaknesses of Perimeter Defense

39 Lecture 12 Page 39 CS 136, Fall 2011 Defense in Depth An old principle in warfare Don’t rely on a single defensive mechanism or defense at a single point Combine different defenses Defeating one defense doesn’t defeat your entire plan

40 Lecture 12 Page 40 CS 136, Fall 2011 So What Should Happen?

41 Lecture 12 Page 41 CS 136, Fall 2011 Or, Better

42 Lecture 12 Page 42 CS 136, Fall 2011 Or, Even Better

43 Lecture 12 Page 43 CS 136, Fall 2011 So Are Firewalls Any Use? Definitely! They aren’t the full solution, but they are absolutely part of it Anyone who cares about security needs to run a decent firewall They just have to do other stuff, too 94% of respondents in 2008 CSI survey say they use firewalls

44 Lecture 12 Page 44 CS 136, Fall 2011 The Brass Tacks of Firewalls What do they really do? Examine each incoming packet Decide to let the packet through or drop it –Criteria could be simple or complex Perhaps log the decision Maybe send rejected packets elsewhere Pretty much all there is to it

45 Lecture 12 Page 45 CS 136, Fall 2011 Types of Firewalls Filtering gateways –AKA screening routers Application level gateways –AKA proxy gateways Reverse firewalls

46 Lecture 12 Page 46 CS 136, Fall 2011 Filtering Gateways Based on packet header information –Primarily, IP addresses, port numbers, and protocol numbers Based on that information, either let the packet through or reject it

47 Lecture 12 Page 47 CS 136, Fall 2011 Example Use of Filtering Gateways Allow particular external machines to telnet into specific internal machines –Denying telnet to other machines Or allow full access to some external machines And none to others

48 Lecture 12 Page 48 CS 136, Fall 2011 A Fundamental Problem IP addresses can be spoofed If your filtering firewall trusts packet headers, it offers little protection Situation may be improved by IPsec –But hasn’t been yet Firewalls can perform the ingress/egress filtering discussed earlier

49 Lecture 12 Page 49 CS 136, Fall 2011 Filtering Based on Ports Most incoming traffic is destined for a particular machine and port –Which can be derived from the IP and TCP headers Only let through packets to select machines at specific ports Makes it impossible to externally exploit flaws in little-used ports –If you configure the firewall right...

50 Lecture 12 Page 50 CS 136, Fall 2011 Pros and Cons of Filtering Gateways +Fast +Cheap +Flexible +Transparent –Limited capabilities –Dependent on header authentication –Generally poor logging –May rely on router security

51 Lecture 12 Page 51 CS 136, Fall 2011 Application Level Gateways Also known as proxy gateways and stateful firewalls Firewalls that understand the application- level details of network traffic –To some degree Traffic is accepted or rejected based on the probable results of accepting it

52 Lecture 12 Page 52 CS 136, Fall 2011 How Application Level Gateways Work The firewall serves as a general framework Various proxies are plugged into the framework Incoming packets are examined –Handed to the appropriate proxy Proxy typically accepts or rejects

53 Lecture 12 Page 53 CS 136, Fall 2011 Deep Packet Inspection Another name for typical activity of application level firewalls Looking into packets beyond their headers –Especially the IP header “Deep” sometimes also means deeper understanding of what’s going on –Though not always

54 Lecture 12 Page 54 CS 136, Fall 2011 Firewall Proxies Programs capable of understanding particular kinds of traffic –E.g., FTP, HTTP, videoconferencing Proxies are specialized A good proxy has deep understanding of the network application

55 Lecture 12 Page 55 CS 136, Fall 2011 What Are the Limits of Proxies? Proxies can only test for threats they understand Either they must permit a very limited set of operations Or they must have deep understanding of the program they protect –If too deep, they may share the flaw Performance limits on how much work they can do on certain types of packets

56 Lecture 12 Page 56 CS 136, Fall 2011 Pros and Cons of Application Level Gateways +Highly flexible +Good logging +Content-based filtering +Potentially transparent –Slower –More complex and expensive –A good proxy is hard to find

57 Lecture 12 Page 57 CS 136, Fall 2011 Reverse Firewalls Normal firewalls keep stuff from the outside from getting inside Reverse firewalls keep stuff from the insider from getting outside Often colocated with regular firewalls Why do we need them?

58 Lecture 12 Page 58 CS 136, Fall 2011 Possible Uses of Reverse Firewalls Concealing details of your network from attackers Preventing compromised machines from sending things out –E.g., intercepting bot communications or stopping DDoS –Preventing data exfiltration

59 Lecture 12 Page 59 CS 136, Fall 2011 Firewall Characteristics Statefulness Transparency Handling authentication Handling encryption

60 Lecture 12 Page 60 CS 136, Fall 2011 Stateful Firewalls Much network traffic is connection- oriented –E.g., telnet and videoconferencing Proper handling of that traffic requires the firewall to maintain state But handling information about connections is more complex

61 Lecture 12 Page 61 CS 136, Fall 2011 Firewalls and Transparency Ideally, the firewall should be invisible –Except when it vetoes access Users inside should be able to communicate outside without knowing about the firewall External users should be able to invoke internal services transparently

62 Lecture 12 Page 62 CS 136, Fall 2011 Firewalls and Authentication Many systems want to give special privileges to specific sites or users Firewalls can only support that to the extent that strong authentication is available –At the granularity required For general use, may not be possible –In current systems

63 Lecture 12 Page 63 CS 136, Fall 2011 Firewalls and Encryption Firewalls provide no confidentiality Unless the data is encrypted But if the data is encrypted, the firewall can’t examine it So typically the firewall must be able to decrypt –Or only work on unencrypted parts of packets Can decrypt, analyze, and re-encrypt

Download ppt "Lecture 12 Page 1 CS 136, Fall 2011 Network Security, Continued CS 136 Computer Security Peter Reiher November 1, 2011."

Similar presentations

Secure Mobile IP Communication

Secure Mobile IP Communication
Internet Security CSCE 813 IPsec

Internet Security CSCE 813 IPsec
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
Cryptography and Network Security

Cryptography and Network Security
CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.
Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.

Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
K. Salah1 Security Protocols in the Internet IPSec.

K. Salah1 Security Protocols in the Internet IPSec.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Lecture 10 Page 1 CS 136, Fall 2014 Network Security, Continued Computer Security Peter Reiher November 13, 2014.

Lecture 10 Page 1 CS 136, Fall 2014 Network Security, Continued Computer Security Peter Reiher November 13, 2014.
8: Network Security8-1 Security in the layers. 8: Network Security8-2 Secure sockets layer (SSL) r Transport layer security to any TCP- based app using.

8: Network Security8-1 Security in the layers. 8: Network Security8-2 Secure sockets layer (SSL) r Transport layer security to any TCP- based app using.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Lecture 29 Page 1 Advanced Network Security Privacy in Networking Advanced Network Security Peter Reiher August, 2014.

Lecture 29 Page 1 Advanced Network Security Privacy in Networking Advanced Network Security Peter Reiher August, 2014.

Similar presentations

Ads by Google