
Slide 1: CSE331: Introduction to Networks and Security, Lecture 29, Fall 2002

Slide 2: Announcements
Project 3 is due today.
Project 4 will be available on the web site this afternoon.
Homework 3 will be handed out on Wednesday.

Slide 3: Recap
Access Control (Authorization)
–Access Control Matrix
–Access Control Lists
Today
–Capability Lists
–Firewalls

Slide 4: Capabilities Lists
The access control matrix A[s][o]:

         Obj 1     Obj 2     …    Obj N
Subj 1   {r,w,x}   {r,w}     …    {}
Subj 2   {w,x}     {}        …    {r}
…        …         …         …    …
Subj M   {x}       {r,w,x}   …

For each subject, store a list of (Object x Rights) pairs.

Slide 5: Capabilities
A capability is a (Object, Rights) pair
–Used like a movie ticket: (“Harry Potter”, {view})
Should be unforgeable
–Otherwise, subjects could get illegal access
Authentication takes place when the capabilities are granted (not needed at use)
Harder to do revocation (must find all tickets)
–Capabilities can be passed from subject to subject
Easy to audit a subject, hard to audit an object

Slide 6: Implementing Capabilities
Must be able to name objects
Unique identifiers
–Must keep map of UIDs to objects
–Must protect integrity of the map
–Extra level of indirection to use the object
–Generating UIDs can be difficult
Pointers
–Name changes when the object moves
–Remote pointers in distributed setting
–Aliasing possible

Slide 7: Unforgeability of Capabilities
Special hardware: tagged words in memory
–Can’t copy/modify tagged words
Store the capabilities in protected address space
Could use static scoping mechanism of safe programming languages
–Java’s “private” fields
Could use cryptographic techniques
–OS kernel could sign (Object, Rights) pairs using a private key
–Any process can verify the capability
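An added illustration of the cryptographic approach on slide 7, written for this page and not part of the lecture: the kernel binds an (Object, Rights) pair to a tag under a key it holds, so a subject that edits the rights on its ticket produces one that no longer verifies. The standard library has no public-key signature primitive, so an HMAC stands in; unlike the slide's signature, only a holder of the key can verify, which is why the kernel is the verifier here. The key, object name and rights are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the kernel's key. The slide proposes a private-key
# signature that any process can verify; with an HMAC only a key holder (the
# kernel) can verify, but the unforgeability argument is the same.
KERNEL_KEY = secrets.token_bytes(32)
SEP = ";"

def issue_capability(obj, rights, key=KERNEL_KEY):
    """Kernel side: tag (Object, Rights) so the ticket cannot be altered."""
    if SEP in obj or any(SEP in r or "," in r for r in rights):
        raise ValueError("object/right names may not contain the separators")
    body = obj + SEP + ",".join(sorted(rights))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + SEP + tag

def verify_capability(ticket, key=KERNEL_KEY):
    """Return (obj, rights) if the ticket carries a valid tag, else None.
    Nothing here identifies the presenter: authentication happened when the
    ticket was granted, so a ticket handed to another subject still works."""
    try:
        obj, rights_str, tag = ticket.rsplit(SEP, 2)
    except ValueError:
        return None
    expected = hmac.new(key, (obj + SEP + rights_str).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    rights = frozenset(rights_str.split(",")) if rights_str else frozenset()
    return obj, rights

def check_access(ticket, obj, right, key=KERNEL_KEY):
    """Does this ticket grant `right` on `obj`?"""
    parsed = verify_capability(ticket, key)
    return parsed is not None and parsed[0] == obj and right in parsed[1]
```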

Slide 8: Firewalls
(Diagram: Inside, Filter, Gateway, Outside)
Filters protect against “bad” packets.
A gateway machine restores needed services.
Protect services offered internally from outside access.
Provide outside services to hosts located inside.

Slide 9: Possible Firewall Architecture
(Diagram: internal network and external network joined by filtering routers, with the gateway in the DMZ, the “Demilitarized Zone”; legend: hosts, routers, networks)

Slide 10: Benefits of Firewalls
Increased security for internal hosts.
Reduced amount of effort required to counter break-ins.
Possible added convenience of operation within the firewall (with some risk).
Reduced legal and other costs associated with hacker activities.

Slide 11: Costs of Firewalls
Hardware purchase and maintenance.
Software development or purchase, and update costs.
Administrative setup and training, and ongoing administrative costs and troubleshooting.
Lost business or inconvenience from a broken gateway.
Loss of some services that an open connection would supply.

Slide 12: Kinds of Firewalls
Filtering: operates by filtering based on packet headers
Circuit: operates at the level of TCP
Application: operates at the level of the application

Slide 13: Filtering Firewalls
Filtering can take advantage of the following information from network and transport layer headers:
–Source
–Destination
–Source Port
–Destination Port
–Flags (e.g. ACK)

Slide 14: IPv4 Packet Format
IPv4 (Version field set to “4”). Header fields in order:
Version, Hlen, TOS, Length
Ident, Flags, Offset
TTL, Protocol, Checksum
SourceAddr
DestinationAddr
Options (variable length), Pad
Other Headers and Payload

Slide 15: TCP and UDP packets
Protocols support O.S. “port numbers”:
UDP header: SrcPort, DstPort; Length, Checksum; then Other Headers and Payload
TCP header: SrcPort, DstPort; SequenceNum; Acknowledgment; HL, 0, Flags, Advert.Wind.; Checksum, UrgPtr; Options (variable); then Other Headers and Payload

Slide 16: Three-Way Handshake (figure)

Slide 17: TCP State Transitions (figure)

Slide 18: Ports
Ports are used to distinguish applications and services on a machine.
Low numbered ports are often reserved for server listening.
High numbered ports are often assigned for client requests.
Port 7 (UDP, TCP): echo server
Port 13 (UDP, TCP): daytime
Port 20 (TCP): FTP data
Port 21 (TCP): FTP control
Port 23 (TCP): telnet
Port 25 (TCP): SMTP
Port 79 (TCP): finger
Port 80 (TCP): HTTP
Port 123 (UDP): NTP
Port 2049 (UDP): NFS
Ports 6000 to 6xxx (TCP): X11

Slide 19: Filter Example
Apply rules from top to bottom with assumed default entry:

Action  ourhost  port  theirhost  port  comment
block   *        *     BAD        *     untrusted host
allow   GW       25    *          *     allow our SMTP port

Action  ourhost  port  theirhost  port  comment
block   *        *     *          *     default

Bad entry intended to allow connections to SMTP from inside:

Action  ourhost  port  theirhost  port  comment
allow   *        *     *          25    connect to their SMTP

This allows all connections from port 25, but an outside machine can run anything on its port 25!

Slide 20: Filter Example Continued

Action  src          port  dest  port  flags  comment
allow   {our hosts}  *     *     25    *      their SMTP
allow   *            25    *     *     ACK    their replies

Permit outgoing calls to port 25.
This filter doesn’t protect against IP address spoofing. The bad hosts can “pretend” to be one of {our hosts}.

Slide 21: When to Filter
(Diagram: Inside, Router, Outside)

Slide 22: On Input or Output
Filtering on output can be more efficient since it can be combined with table lookup of the route.
However, some information is lost at the output stage
–e.g. the physical input port on which the packet arrived.
–Can be useful information to prevent address spoofing.
Filtering on input can protect the router itself.

Slide 23: Recommend: Filter ASAP

Action  src  port  dest  port  comment
block   BAD  *     *     *     we don’t trust them
allow   *    *     GW    25    connect to our SMTP
allow   GW   25    *     *     our reply packets

Is preferred over:

Action  src  port  dest  port  comment
block   *    *     BAD   *     subtle difference
allow   *    *     GW    25    connect to our SMTP
allow   GW   25    *     *     our reply packets

Slide 24: Example of a Pitfall
Filter output to allow incoming and outgoing mail, but prohibit all else. Apply this output filter set to both interfaces of the router. Does it work?

Action  dest  port     comment
allow   *     25       incoming mail
allow   *     >= 1024  outgoing responses
block   *     *        nothing else

Unintended consequence: allows all communication on high numbered ports!
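The rule sets from slides 19, 20 and 24 run through a small first-match packet filter, added here for this page and not part of the lecture. Rules are (action, src, srcport, dst, dstport, flags); the default entry is block, and the filter sees no interface information, which is exactly why slide 20's spoofing caveat applies. All addresses and packets are constructed.

```python
OUR_HOSTS = {"10.0.0.5", "10.0.0.6"}  # constructed addresses standing in for {our hosts}
BAD = "192.0.2.66"                    # constructed address standing in for "BAD"

def match(pattern, value):
    """'*' matches anything; a set matches by membership; a callable is a
    predicate (used for the '>= 1024' rule); anything else must be equal."""
    if pattern == "*":
        return True
    if isinstance(pattern, (set, frozenset)):
        return value in pattern
    if callable(pattern):
        return pattern(value)
    return pattern == value

def decide(rules, pkt):
    """Apply rules top to bottom; the first matching rule decides.
    Assumed default entry: block."""
    for action, src, sport, dst, dport, flags in rules:
        if (match(src, pkt["src"]) and match(sport, pkt["sport"])
                and match(dst, pkt["dst"]) and match(dport, pkt["dport"])
                and (flags == "*" or flags in pkt["flags"])):
            return action
    return "block"

def packet(src, sport, dst, dport, *flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": set(flags)}

# Slide 19's bad entry keys only on "their port 25". Written as src/dst rules it
# accepts port 25 at either end, so anything an outsider runs on port 25 gets in.
BAD_RULES = [("allow", "*", 25, "*", "*", "*"),
             ("allow", "*", "*", "*", 25, "*")]

# Slide 20's corrected pair: our hosts may call out to port 25, and packets
# from port 25 are accepted only with ACK set, i.e. as replies, never as a
# new connection. Nothing checks which interface a packet arrived on, so a
# forged source address in OUR_HOSTS still passes (the spoofing caveat).
GOOD_RULES = [("allow", OUR_HOSTS, "*", "*", 25, "*"),
              ("allow", "*", 25, "*", "*", "ACK")]

# Slide 24's pitfall: an output filter meant for mail that also allows every
# destination port >= 1024 "for responses".
PITFALL_RULES = [("allow", "*", "*", "*", 25, "*"),
                 ("allow", "*", "*", "*", lambda p: p >= 1024, "*")]

# Constructed test packets
TELNET_FROM_BAD_25 = packet(BAD, 25, "10.0.0.5", 23, "SYN")     # abuse of port 25
OUR_CALL_TO_SMTP = packet("10.0.0.5", 4001, "203.0.113.9", 25, "SYN")
SMTP_REPLY = packet("203.0.113.9", 25, "10.0.0.5", 4001, "ACK")
X11_FROM_OUTSIDE = packet(BAD, 31337, "10.0.0.5", 6000, "SYN")  # slide 24 case
```

Run decide(rules, pkt) for each rule set against the packets above to see which ones each filter lets through.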
