CS 136, Fall 2010, Lecture 13
Network Security: Virtual Private Networks, Wireless Networks, and Honeypots
CS 136 Computer Security
Peter Reiher
November 9, 2010
Outline
Virtual private networks
Wireless network security
  – General issues
  – WEP and WPA
Honeypots and honeynets
Virtual Private Networks (VPNs)
What if your company has more than one office?
And they’re far apart?
  – Like on opposite coasts of the US
How can you have secure cooperation between them?
Leased Line Solutions
Lease private lines from some telephone company
The phone company ensures that your lines cannot be tapped
  – To the extent you trust in phone company security
Can be expensive and limiting
Another Solution
Communicate via the Internet
  – Getting full connectivity, bandwidth, reliability, etc.
  – At a lower price, too
But how do you keep the traffic secure?
Encrypt everything!
Encryption and Virtual Private Networks
Use encryption to convert a shared line to a private line
Set up a firewall at each installation’s network
Set up shared encryption keys between the firewalls
Encrypt all traffic using those keys
Actual Use of Encryption in VPNs
VPNs run over the Internet
Internet routers can’t handle fully encrypted packets
Obviously, VPN packets aren’t entirely encrypted
They are encrypted in a tunnel mode
  – The original packet, its own IP header included, is encrypted and carried as the payload of a new cleartext IP packet addressed between the two VPN endpoints, so ordinary routers can forward it
Is This Solution Feasible?
A VPN can be half the cost of leased lines (or less)
And give the owner more direct control over the line’s security
Ease of use improving
  – Often based on IPsec
Key Management and VPNs
All security of the VPN relies on key secrecy
How do you communicate the key?
  – In early implementations, manually
  – Modern VPNs use IKE or proprietary key servers
How often do you change the key?
  – IKE allows frequent changes
VPNs and Firewalls
VPN encryption is typically done between firewall machines
  – VPN often integrated into firewall product
Do I need the firewall for anything else?
Probably, since I still need to allow non-VPN traffic in and out
Need firewall “inside” VPN
  – Since VPN traffic is encrypted
  – Including stuff like IP addresses and ports
  – “Inside” usually means “later in the same box”
VPNs and Portable Computing
Increasingly, workers connect to offices remotely
  – While on travel
  – Or when working from home
VPNs offer a secure solution
  – Typically as software in the portable computer
Usually needs to be pre-configured
VPN Deployment Issues
Desirable not to have to pre-deploy VPN software
  – Clients get access from any machine
Possible by using downloaded code
  – Connect to server, download VPN applet, away you go
  – Often done via web browser
  – Leveraging existing SSL code
  – Authentication via user ID/password
  – Implies you trust the applet...
Issue of compromised user machine
VPN Products
VPNs are big business
Many products are available
Some for basic VPN service
Some for specialized use
  – Such as networked meetings
  – Or providing remote system administration and debugging
Juniper Secure Access 700
A hardware VPN
Uses SSL
Accessible via web browser
  – Which avoids some pre-deployment costs
  – Downloads code using browser extensibility
Does various security checks on the client machine before allowing access
Citrix GoToMeeting
Service provided through Citrix web servers
Connects many meeting participants via a custom VPN
  – Care taken that Citrix doesn’t have the VPN key
Basic interface through web browser
Wireless Network Security
Wireless networks are “just like” other networks
Except...
  – Almost always broadcast
  – Generally short range
  – Usually supporting mobility
  – Often very open
Special Problems For Wireless Networks
Eavesdropping is really easy
  – Just put up an antenna in the right place
Traffic injection is just as easy
  – Encryption/authentication can catch forgeries
  – But denial of service is possible
Wireless tends toward flakiness
Different Types of Wireless Networks
802.11 networks
  – Variants on local area network technologies
Bluetooth networks
  – Very short range
Cellular telephone networks
Line-of-sight networks
  – Dedicated, for relatively long hauls
The General Solution For Wireless Security
Wireless networks are inherently less secure than wired ones
So we need to add extra security
How to do it?
Link encryption
  – Encrypt traffic just as it crosses the wireless network
  – Decrypt it before sending it along
Why Not End-to-End Encryption?
Some non-wireless destinations might not be prepared to perform crypto
  – What if the wireless user wants protection anyway?
Doesn’t help the wireless access point provide exclusive access
  – Any eavesdropper can use the network
802.11 Security
Originally, 802.11 protocols didn’t include security
Once the need became clear, it was sort of too late
  – Huge number of units in the field
  – Couldn’t change the protocols
So, what to do?
WEP
First solution to the 802.11 security problem
Wired Equivalency Protocol
Intended to provide encryption in 802.11 networks
  – Without changing the protocol
  – So all existing hardware just worked
The backward compatibility worked
The security didn’t
What Did WEP Do?
Used a stream cipher (RC4) for confidentiality
  – With 104-bit keys
  – Usually stored on the computer using the wireless network
  – A 24-bit IV was also used
Used a checksum for integrity
What Was the Problem With WEP?
Access point generates the session key from one permanent key plus the IV
  – Making replays and key deduction attacks a problem
The IV was intended to prevent that
But it was too short and used improperly
In 2001, a WEP cracking method was shown
  – Took less than 1 minute to get the key
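An added example (not from the lecture) that makes the two slides above concrete in Python, using only the standard library: WEP's per-frame RC4 key is just the permanent key with the 24-bit IV prepended, so two frames that reuse an IV share a keystream and leak the XOR of their plaintexts to anyone listening, and the birthday bound puts the expected first IV repeat at only a few thousand frames. The 104-bit key and 24-bit IV sizes come from the slides; the RC4 and CRC-32 ICV framing is standard WEP; the sample plaintexts are constructed. (WPA2's per-session keys and 48-bit packet counter are what remove this problem.)

```python
"""Why WEP's 24-bit IV was too short (added demo, stdlib only)."""
import math
import zlib

IV_BYTES = 3    # WEP sends a 24-bit IV in the clear in front of each frame
KEY_BYTES = 13  # the 104-bit shared key from the slide


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm, then the output generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, data: bytes) -> bytes:
    """WEP frame body: cleartext IV || RC4(iv || shared_key) over (data || CRC-32 ICV).
    The per-frame key is the permanent key with the IV prepended, as the slide says."""
    assert len(iv) == IV_BYTES and len(shared_key) == KEY_BYTES
    icv = zlib.crc32(data).to_bytes(4, "little")  # unkeyed checksum, not a MAC
    body = data + icv
    ks = rc4_keystream(iv + shared_key, len(body))
    return iv + bytes(b ^ k for b, k in zip(body, ks))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(shared_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two equal-length frames sent under the same IV share one keystream, so XORing
    their ciphertexts cancels it: an eavesdropper who never learns the key still
    obtains p1 XOR p2 (data part only; the 4 trailing ICV bytes are dropped)."""
    c1 = wep_encrypt(shared_key, iv, p1)[IV_BYTES:]
    c2 = wep_encrypt(shared_key, iv, p2)[IV_BYTES:]
    return xor_bytes(c1, c2)[:-4]


def frames_until_expected_iv_repeat(iv_bits: int = 8 * IV_BYTES) -> int:
    """Birthday bound: about sqrt(pi/2 * 2^n) random IVs before the first repeat,
    so a busy access point reuses a WEP keystream after a few thousand frames."""
    return round(math.sqrt(math.pi / 2 * 2 ** iv_bits))
```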
WPA and WPA2
Generates a new key for each session
Can use either TKIP or AES mode
Various vulnerabilities in TKIP mode
AES mode hasn’t been cracked yet
  – May be available for some WPA
  – Definitely in WPA2
Honeypots and Honeynets
A honeypot is a machine set up to attract attackers
Classic use is to learn more about attackers
Ongoing research on using honeypots as part of a system’s defenses
Setting Up A Honeypot
Usually a machine dedicated to this purpose
Probably easier to find and compromise than your real machines
But has lots of software watching what’s happening on it
Providing early warning of attacks
What Have Honeypots Been Used For?
To study attackers’ common practices
There are lengthy traces of what attackers do when they compromise a honeypot machine
Not clear these traces actually provided much we didn’t already know
Can a Honeypot Contribute to Defense?
Perhaps can serve as an early warning system
  – Assuming that the attacker hits the honeypot first
  – And that you know it’s happened
If you can detect it’s happened there, why not everywhere?
Honeynets
A collection of honeypots on a single network
  – Maybe on a single machine with multiple addresses
  – Perhaps using virtualization techniques
Typically, no other machines are on the network
Since the whole network is phony, all incoming traffic is probably attack traffic
What Can You Do With Honeynets?
Similar things to what can be done with honeypots
  – But at the network level
Also good for tracking the spread of worms
  – Worm code typically knocks on their door repeatedly
Main tool for detecting and analyzing botnets
Has given evidence on the prevalence of DDoS attacks
  – Through backscatter: the victim’s replies to flood packets go to whatever forged source addresses the attacker used, and the ones that land in the honeynet’s unused address space reveal the attack
  – Based on the attacker using IP spoofing
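An added example (not from the lecture) of the detection logic the last two slides describe, written in Python over constructed sensor records: because nothing legitimate lives in a honeynet, an inbound SYN is a probe or attack on the honeynet itself, while an unsolicited SYN-ACK or RST is backscatter whose source address is the real victim of a spoofed-source flood. The honeynet prefix 203.0.113.0/24 and all addresses are documentation ranges chosen for the demo; the scaling step assumes the forged sources were spread uniformly over IPv4.

```python
"""Honeynet sensor: separate probes from DDoS backscatter (added demo, constructed data)."""
import ipaddress
from collections import Counter

# Assumed honeynet prefix (documentation range, stand-in for a real dark block).
HONEYNET = ipaddress.ip_network("203.0.113.0/24")

# Constructed records: (src, dst, tcp_flags). A real sensor would feed these
# from pcap or flow export; these lines exist only for the demonstration.
RECORDS = [
    ("198.51.100.7", "203.0.113.10", "S"),   # inbound SYN: someone probing dark space
    ("198.51.100.7", "203.0.113.11", "S"),
    ("198.51.100.7", "203.0.113.12", "S"),
    ("192.0.2.50", "203.0.113.77", "SA"),    # unsolicited SYN-ACK: backscatter
    ("192.0.2.50", "203.0.113.140", "SA"),
    ("192.0.2.50", "203.0.113.5", "R"),      # unsolicited RST: backscatter as well
    ("203.0.113.10", "198.51.100.7", "SA"),  # a honeypot answering the probe (outbound)
]

# Flags that only make sense as a reply. The honeynet never initiates
# connections, so these are answers to packets forged with our addresses.
REPLY_ONLY_FLAGS = {"SA", "R", "RA"}


def classify(record):
    src, dst, flags = record
    if ipaddress.ip_address(dst) not in HONEYNET:
        return "outbound"      # honeypot responses; not alert material
    if flags in REPLY_ONLY_FLAGS:
        return "backscatter"   # the flood's real victim is `src`
    return "probe"             # deliberate contact with addresses nobody uses


def summarize(records):
    """Probe sources and inferred DDoS victims, each with a hit count."""
    probes, victims = Counter(), Counter()
    for rec in records:
        kind = classify(rec)
        if kind == "probe":
            probes[rec[0]] += 1
        elif kind == "backscatter":
            victims[rec[0]] += 1
    return {"probe_sources": dict(probes), "ddos_victims": dict(victims)}


def estimate_total_backscatter(observed: int, honeynet=HONEYNET) -> int:
    """If forged sources are uniform over IPv4, a /24 sees 1/2^24 of the victim's
    replies; scale the observed count up to estimate the whole flood's reply volume."""
    return observed * (2 ** 32 // honeynet.num_addresses)
```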
Do You Need A Honeypot?
Not in the same way you need a firewall
Only worthwhile if you have a security administrator spending a lot of time watching things
Or if your job is keeping up to date on hacker activity
More something that someone needs to be doing
  – Particularly, security experts who care about the overall state of the network world
  – But not necessarily you
So, You Want a Honeypot?
If you decide you want to run one, what do you do?
Could buy a commercial product
  – E.g., NeuralIQ Event Horizon
Could build your own
Could look for open source stuff
The Honeynet Project
A non-profit organization dedicated to improving Internet security
Many activities related to honeynets
  – White papers based on information gained from honeynets
  – Tools to run honeypots and honeynets
www.honeynet.org