Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 12 Page 1 CS 136, Fall 2011 Network Security: Con’t CS 136 Computer Security Peter Reiher November 3, 2011.

Published byLinda Wilcox Modified over 8 years ago

Similar presentations

Presentation on theme: "Lecture 12 Page 1 CS 136, Fall 2011 Network Security: Con’t CS 136 Computer Security Peter Reiher November 3, 2011."— Presentation transcript:

1 Lecture 12 Page 1 CS 136, Fall 2011 Network Security: Con’t CS 136 Computer Security Peter Reiher November 3, 2011

2 Lecture 12 Page 2 CS 136, Fall 2011 Outline Configuring firewalls Virtual private networks Wireless network security –General issues –WEP and WPA Honeypots and honeynets

3 Lecture 12 Page 3 CS 136, Fall 2011 Firewall Configuration and Administration Again, the firewall is the point of attack for intruders Thus, it must be extraordinarily secure How do you achieve that level of security?

4 Lecture 12 Page 4 CS 136, Fall 2011 Firewall Location Clearly, between you and the bad guys But you may have some different types of machines/functionalities Sometimes makes sense to divide your network into segments –Typically, less secure public network and more secure internal network –Using separate firewalls

5 Lecture 12 Page 5 CS 136, Fall 2011 Firewalls and DMZs A standard way to configure multiple firewalls for a single organization Used when organization runs machines with different openness needs –And security requirements Basically, use firewalls to divide your network into segments

6 Lecture 12 Page 6 CS 136, Fall 2011 A Typical DMZ Organization Your production LAN Your web server The Internet Firewall set up to protect your LAN Firewall set up to protect your web server DMZ

7 Lecture 12 Page 7 CS 136, Fall 2011 Advantages of DMZ Approach Can customize firewalls for different purposes Can customize traffic analysis in different areas of network Keeps inherently less safe traffic away from critical resources

8 Lecture 12 Page 8 CS 136, Fall 2011 Dangers of a DMZ Things in the DMZ aren’t well protected –If they’re compromised, provide a foothold into your network One problem in DMZ might compromise all machines there Vital that main network doesn’t treat machines in DMZ as trusted Must avoid back doors from DMZ to network

9 Lecture 12 Page 9 CS 136, Fall 2011 Firewall Hardening Devote a special machine only to firewall duties Alter OS operations on that machine –To allow only firewall activities –And to close known vulnerabilities Strictly limit access to the machine –Both login and remote execution

10 Lecture 12 Page 10 CS 136, Fall 2011 Keep Your Firewall Current New vulnerabilities are discovered all the time Must update your firewall to fix them Even more important, sometimes you have to open doors temporarily –Make sure you shut them again later Can automate some updates to firewalls How about getting rid of old stuff?

11 Lecture 12 Page 11 CS 136, Fall 2011 Closing the Back Doors Firewall security is based on assumption that all traffic goes through the firewall So be careful with: –Wireless connections –Portable computers –Sneakernet mechanisms and other entry points Put a firewall at every entry point to your network And make sure all your firewalls are up to date

12 Lecture 12 Page 12 CS 136, Fall 2011 What About Portable Computers? Local Café BobCarolXavierAlice

13 Lecture 12 Page 13 CS 136, Fall 2011 Now Bob Goes To Work... Bob’s Office Worker Bob

14 Lecture 12 Page 14 CS 136, Fall 2011 How To Handle This Problem? Essentially quarantine the portable computer until it’s safe Don’t permit connection to wireless access point until you’re satisfied that the portable is safe –Or put them in constrained network Common in Cisco, Microsoft, and other companies’ products –Network access control

15 Lecture 12 Page 15 CS 136, Fall 2011 Single Machine Firewalls Instead of separate machine protecting network, A machine puts software between the outside world and the rest of machine Under its own control To protect itself Available on most modern systems

16 Lecture 12 Page 16 CS 136, Fall 2011 Pros and Cons of Individual Firewalls +Customized to particular machine –Specific to local software and usage +Under machine owner’s control +Can use in-machine knowledge for its decisions +May be able to do deeper inspection +Provides defense in depth

17 Lecture 12 Page 17 CS 136, Fall 2011 Cons of Personal Firewalls −Only protects that machine −Less likely to be properly configured −Since most users don’t understand security well −And/or don’t view it as their job On the whole, generally viewed as valuable

18 Lecture 12 Page 18 CS 136, Fall 2011 Virtual Private Networks VPNs What if your company has more than one office? And they’re far apart? –Like on opposite coasts of the US How can you have secure cooperation between them?

19 Lecture 12 Page 19 CS 136, Fall 2011 Leased Line Solutions Lease private lines from some telephone company The phone company ensures that your lines cannot be tapped –To the extent you trust in phone company security Can be expensive and limiting

20 Lecture 12 Page 20 CS 136, Fall 2011 Another Solution Communicate via the Internet –Getting full connectivity, bandwidth, reliability, etc. –At a lower price, too But how do you keep the traffic secure? Encrypt everything!

21 Lecture 12 Page 21 CS 136, Fall 2011 Encryption and Virtual Private Networks Use encryption to convert a shared line to a private line Set up a firewall at each installation’s network Set up shared encryption keys between the firewalls Encrypt all traffic using those keys

22 Lecture 12 Page 22 CS 136, Fall 2011 Actual Use of Encryption in VPNs VPNs run over the Internet Internet routers can’t handle fully encrypted packets Obviously, VPN packets aren’t entirely encrypted They are encrypted in a tunnel mode

23 Lecture 12 Page 23 CS 136, Fall 2011 Is This Solution Feasible? A VPN can be half the cost of leased lines (or less) And give the owner more direct control over the line’s security Ease of use improving –Often based on IPsec

24 Lecture 12 Page 24 CS 136, Fall 2011 Key Management and VPNs All security of the VPN relies on key secrecy How do you communicate the key? –In early implementations, manually –Modern VPNs use IKE or proprietary key servers How often do you change the key? –IKE allows frequent changes

25 Lecture 12 Page 25 CS 136, Fall 2011 VPNs and Firewalls VPN encryption is typically done between firewall machines –VPN often integrated into firewall product Do I need the firewall for anything else? Probably, since I still need to allow non-VPN traffic in and out Need firewall “inside” VPN –Since VPN traffic encrypted –Including stuff like IP addresses and ports –“Inside” means “later in same box” usually

26 Lecture 12 Page 26 CS 136, Fall 2011 VPNs and Portable Computing Increasingly, workers connect to offices remotely –While on travel –Or when working from home VPNs offer secure solution –Typically as software in the portable computer Usually needs to be pre-configured

27 Lecture 12 Page 27 CS 136, Fall 2011 VPN Deployment Issues Desirable not to have to pre-deploy VPN software –Clients get access from any machine Possible by using downloaded code –Connect to server, download VPN applet, away you go –Often done via web browser –Leveraging existing SSL code –Authentication via user ID/password –Implies you trust the applet... Issue of compromised user machine

28 Lecture 12 Page 28 CS 136, Fall 2011 VPN Products VPNs are big business Many products are available Some for basic VPN service Some for specialized use –Such as networked meetings –Or providing remote system administration and debugging

29 Lecture 12 Page 29 CS 136, Fall 2011 Juniper Secure Access 700 A hardware VPN Uses SSL Accessible via web browser –Which avoids some pre-deployment costs –Downloads code using browser extensibility Does various security checks on client machine before allowing access

30 Lecture 12 Page 30 CS 136, Fall 2011 Citrix GoToMeeting Service provided through Citrix web servers –For videoconferencing Connects many meeting participants via a custom VPN –Care taken that Citrix doesn’t have VPN key Basic interface through web browser

31 Lecture 12 Page 31 CS 136, Fall 2011 Wireless Network Security Wireless networks are “just like” other networks Except... –Almost always broadcast –Generally short range –Usually supporting mobility –Often very open

32 Lecture 12 Page 32 CS 136, Fall 2011 Special Problems For Wireless Networks Eavesdropping is really easy –Just put up an antenna in the right place Traffic injection just as easy –Encryption/authentication can catch forgeries –But denial of service possible Wireless tends to flakiness

33 Lecture 12 Page 33 CS 136, Fall 2011 Types of Wireless Networks 802.11 networks –Variants on local area network technologies Bluetooth networks –Very short range Cellular telephone networks Line-of-sight networks –Dedicated, for relatively long hauls Satellite networks

34 Lecture 12 Page 34 CS 136, Fall 2011 The General Solution For Wireless Security Wireless networks inherently less secure than wired ones So we need to add extra security How to do it? Link encryption –Encrypt traffic just as it crosses the wireless network Decrypt it before sending it along

35 Lecture 12 Page 35 CS 136, Fall 2011 Why Not End-to-End Encryption? Some non-wireless destinations might not be prepared to perform crypto –What if wireless user wants protection anyway? Doesn’t help wireless access point provide exclusive access –Any eavesdropper can use network

36 Lecture 12 Page 36 CS 136, Fall 2011 Firesheep Many wireless networks aren’t encrypted Many web services don’t use end-to-end encryption for entire sessions Firesheep was a demo of the dangers of those in combination Simple Firefox plug-in to scan unprotected wireless nets for unencrypted cookies –Allowing session hijacking attacks When run in that environment, tended to be highly successful

37 Lecture 12 Page 37 CS 136, Fall 2011 Why Does Session Hijacking Work? Web sites try to avoid computation costs of encryption So they only encrypt login Subsequent HTTP messages “authenticated” with a cookie Anyone who has the cookie can authenticate Cookie is sent in the clear... Why especially a problem for wireless?

38 Lecture 12 Page 38 CS 136, Fall 2011 802.11 Security Originally, 802.11 protocols didn’t include security Once the need became clear, it was sort of too late –Huge number of units in the field –Couldn’t change the protocols So, what to do?

39 Lecture 12 Page 39 CS 136, Fall 2011 WEP First solution to the 802.11 security problem Wired Equivalency Protocol Intended to provide encryption in 802.11 networks –Without changing the protocol –So all existing hardware just worked The backward compatibility worked The security didn’t

40 Lecture 12 Page 40 CS 136, Fall 2011 What Did WEP Do? Used stream cipher (RC4) for confidentiality –With 104 bit keys –Usually stored on the computer using the wireless network –24 bit IV also used Used checksum for integrity

41 Lecture 12 Page 41 CS 136, Fall 2011 What Was the Problem With WEP? Access point generates session key from its own permanent key plus IV –Making replays and key deduction attacks a problem IV was intended to prevent that But it was too short and used improperly In 2001, WEP cracking method shown –Took less than 1 minute to get key

42 Lecture 12 Page 42 CS 136, Fall 2011 WPA and WPA2 Generates new key for each session Can use either TKIP or AES mode Various vulnerabilities in TKIP mode AES mode hasn’t been cracked yet –May be available for some WPA –Definitely in WPA2

43 Lecture 12 Page 43 CS 136, Fall 2011 Honeypots and Honeynets A honeypot is a machine set up to attract attackers Classic use is to learn more about attackers Ongoing research on using honeypots as part of a system’s defenses

44 Lecture 12 Page 44 CS 136, Fall 2011 Setting Up A Honeypot Usually a machine dedicated to this purpose Probably easier to find and compromise than your real machines But has lots of software watching what’s happening on it Providing early warning of attacks

45 Lecture 12 Page 45 CS 136, Fall 2011 What Have Honeypots Been Used For? To study attackers’ common practices There are lengthy traces of what attackers do when they compromise a honeypot machine Not clear these traces actually provided much we didn’t already know

46 Lecture 12 Page 46 CS 136, Fall 2011 Can a Honeypot Contribute to Defense? Perhaps can serve as an early warning system –Assuming that attacker hits the honeypot first –And that you know it’s happened If you can detect it’s happened there, why not everywhere?

47 Lecture 12 Page 47 CS 136, Fall 2011 Honeynets A collection of honeypots on a single network –Maybe on a single machine with multiple addresses –More often using virtualization Typically, no other machines are on the network Since whole network is phony, all incoming traffic is probably attack traffic

48 Lecture 12 Page 48 CS 136, Fall 2011 What Can You Do With Honeynets? Similar things to honeypots –But at the network level Also good for tracking the spread of worms –Worm code typically visits them repeatedly Main tool for detecting and analyzing botnets Gives evidence on of DDoS attacks –Through backscatter –Based on attacker using IP spoofing

49 Lecture 12 Page 49 CS 136, Fall 2011 Backscatter Some attacks are based on massive spoofing of IP addresses –Particularly distributed denial of service attacks Attack packets are typically reasonably well formed If target gets them, it will reply to them This can be helpful

50 Lecture 12 Page 50 CS 136, Fall 2011 Backscatter In Action 117.15.202.74 95.113.27.1256.29.138.2 FAKE! What does the target do with this packet? It probably sends a reply 56.29.138.295.113.27.12 To the forged address! 95.113.27.12 What if this machine is a honeypot?

51 Lecture 12 Page 51 CS 136, Fall 2011 So What? The honeypot knows it didn’t ask for this response So it must have resulted from spoofing Which means the source of the packet is under attack With sufficient cleverness, you can figure out a lot more

52 Lecture 12 Page 52 CS 136, Fall 2011 What Can Backscatter Tell Us? Who’s being attacked For how long With what sorts of packets Even estimates of the volume of attack

53 Lecture 12 Page 53 CS 136, Fall 2011 How Do We Deduce This Stuff? Who’s being attacked –Whoever sends us reply packets For how long –How long do we see their replies? With what sorts of packets –What kind of reply? Even estimates of the volume of attack –This is trickier

54 Lecture 12 Page 54 CS 136, Fall 2011 Estimating Attack Volumes Assume the attacker uses random spoofing –Spoofed addresses chosen randomly Your honeynet owns some set of addresses –Perhaps 256 of them Your addresses will be spoofed proportionally to all others –Allowing you to calculate how many total packets were sent

55 Lecture 12 Page 55 CS 136, Fall 2011 Complicating Factors in This Calculation Not all spoofed packets are delivered –It’s a denial of service attack, after all Not all delivered packets get responses Not all responses are delivered Attackers don’t always spoof at random

56 Lecture 12 Page 56 CS 136, Fall 2011 Honeynets and Botnets Honeynets widely used by security researchers to “capture” bots Honeynet is reachable from Internet Intentionally weakly defended Bots tend to compromise them Researcher gets a copy of the bot

57 Lecture 12 Page 57 CS 136, Fall 2011 Issues With Honeynet Research Don’t want captured bot infecting others –Or performing other attack activities So you need to prevent it from attacking out But you also need to see its control traffic

58 Lecture 12 Page 58 CS 136, Fall 2011 What To Do With a Bot? When the bot is captured, what do you do with it? Typically, analyze it –Especially for new types of bots –To find weaknesses –And to track rest of botnet Analysis helpful for tracing “ancestry”

59 Lecture 12 Page 59 CS 136, Fall 2011 Botnet Countermeasures Bot creators don’t want their bots captured –If analyzed, they are likely to be stopped So they try to avoid honeynets How?

60 Lecture 12 Page 60 CS 136, Fall 2011 IP Cloaking Malware creators try to avoid IP addresses run by defenders –Like honeynets They assemble lists of such addresses and their malware avoids them Widely used technique –Google 2011 study reports 200,000 malware sites using it

61 Lecture 12 Page 61 CS 136, Fall 2011 Virtualization Battles Most honeynets built with VMs –Too expensive to buy and run enough physical machines –VMs easier to examine So bots try to avoid VMs –Which implies detecting them So honeynet operators try to hide virtualization

62 Lecture 12 Page 62 CS 136, Fall 2011 Avoiding Virtualization Basically, try to detect the differences between real and virtual machine –Or between human and automated responses E.g., look for actual mouse clicks Or look for browser emulation, rather than real thing

63 Lecture 12 Page 63 CS 136, Fall 2011 Do You Need A Honeypot? Not in the same way you need a firewall Only useful if your security administrator spending a lot of time watching things –E.g., very large enterprises Or if your job is observing hacker activity Something that someone needs to be doing –Particularly, security experts watching the overall state of the network world –But not necessarily you

64 Lecture 12 Page 64 CS 136, Fall 2011 So, You Want a Honeypot? If you decide you want to run one, what do you do? Could buy a commercial product –E.g., NeuralIQ Event Horizon Could build your own Could look for open source stuff

65 Lecture 12 Page 65 CS 136, Fall 2011 The Honeynet Project A non-profit organization dedicated to improving Internet security Many activities related to honeynets –White papers based on information gained from honeynets –Tools to run honeypots and honeynets www.honeynet.org

Download ppt "Lecture 12 Page 1 CS 136, Fall 2011 Network Security: Con’t CS 136 Computer Security Peter Reiher November 3, 2011."

Similar presentations

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Wi-Fi Security January 21, 2008 by Larry Finger. Wi-Fi Security Most laptops now come with built-in wireless capability, which can be very handy; however,

Wi-Fi Security January 21, 2008 by Larry Finger. Wi-Fi Security Most laptops now come with built-in wireless capability, which can be very handy; however,
How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.

How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
CS682 – Network Management and Security Session 7.

CS682 – Network Management and Security Session 7.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.

Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.
Virtual Private Network

Virtual Private Network
Lecture 10 Page 1 CS 136, Fall 2014 Network Security, Continued Computer Security Peter Reiher November 13, 2014.

Lecture 10 Page 1 CS 136, Fall 2014 Network Security, Continued Computer Security Peter Reiher November 13, 2014.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
Shared success Outline What is network security? Why do we need security? Who is vulnerable? Common security attacks and countermeasures. How to secure.

Shared success Outline What is network security? Why do we need security? Who is vulnerable? Common security attacks and countermeasures. How to secure.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Lecture 29 Page 1 Advanced Network Security Privacy in Networking Advanced Network Security Peter Reiher August, 2014.

Lecture 29 Page 1 Advanced Network Security Privacy in Networking Advanced Network Security Peter Reiher August, 2014.

Similar presentations

Ads by Google