Handout 15 computer network security
This presentation is the property of its rightful owner.
Sponsored Links
1 / 29

Handout # 15: Computer Network Security PowerPoint PPT Presentation


  • 79 Views
  • Uploaded on
  • Presentation posted in: General

Handout # 15: Computer Network Security. SII 199 – Computer Networks and Society. Professor Yashar Ganjali Department of Computer Science University of Toronto [email protected] http://www.cs.toronto.edu/~yganjali. Announcements. Final project Intermediate report

Download Presentation

Handout # 15: Computer Network Security

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Handout 15 computer network security

Handout # 15:Computer Network Security

SII 199 – Computer Networks and Society

Professor Yashar Ganjali

Department of Computer Science

University of Toronto

[email protected]

http://www.cs.toronto.edu/~yganjali


Announcements

Announcements

  • Final project

    • Intermediate report

      • Due: Fri. Nov. 16th, 5PM

    • In class presentations

      • Wed. Nov. 21st

        • We already have 6 teams

      • Wed. Nov. 28th

      • 15 minute presentation

  • Assignment 3

    • Due: Fri. Nov. 16th

    • Email your solutions to me, or bring to my office (BA 5238)

  • Volunteer for lecture notes?

    • Last chance!

University of Toronto – Fall 2012


The story

The Story …

  • Introduction to computer networks

  • The science of networks

  • Computer networks and healthcare

  • Computer networks and business

  • Computer networks and entertainment

  • Cloud computing /storage

  • Phishing, spam, and fraud in the Internet

  • Privacy in online social networks

  • This week: computer networks and security

University of Toronto – Fall 2012


The problem

The Problem

  • Computer networks create interconnectivity

    • We have seen many examples of good uses

  • Same connectivity can be used for evil

    • It is easier to

      • Access someone’s private information

      • Spread malicious code

      • Gain control of somebody’s machine

University of Toronto – Fall 2012


Viruses trojan horses and worms

Viruses, Trojan Horses, and Worms

  • Viruses

    • Small pieces of malicious software

    • Usually piggyback on real programs

    • Or documents: PDF files, spreadsheets, …

    • Reproduce by attaching to other programs

  • Worms

    • Replicates itself using security holes

    • Using computer networks

    • Without human interaction

  • Trojan Horses

    • A program that claims and appears to be useful (say a game)

    • … but in reality can be damaging (e.g. delete files)

    • Can create backdoors for attackers

    • Do not replicate

University of Toronto – Fall 2012


Life just before slammer

Life Just Before Slammer

University of Toronto – Fall 2012


Life just after slammer

Life Just After Slammer

University of Toronto – Fall 2012


A lesson in economy

A Lesson in Economy

  • Slammer used an extremely lightweight attack

  • Entire worm fit in a single packet! (376 bytes)

    • When scanning, worm could “fire and forget”.

    • Stateless!

  • Worm infected 75,000+ hosts in 10 minutes (despite broken random number generator).

    • At its peak, doubled every 8.5 seconds.

  • Progress limited by the Internet’s carrying capacity(= 55 million scans/sec)

University of Toronto – Fall 2012


Why security

Why Security?

  • First victim at 12:45 am

  • By 1:15 am, transcontinental links starting to fail

  • 300,000 access points downed in Portugal

  • All cell and Internet in Korea failed (27 million people)

  • 5 root name servers were knocked offline

  • 911 didn’t respond (Seattle)

  • Flights canceled

University of Toronto – Fall 2012


Witty worm

Witty Worm

University of Toronto – Fall 2012


Witty worm cont d

Witty Worm – Cont’d

  • Attacks firewalls and security products (ISS)

  • First to use vulnerabilities in security software

  • ISS announced a vulnerability

    • Buffer overflow problem

    • Attack in just one day!

  • Attack started from a small number of compromised machines

  • In 30 minutes 12,000 infected machines

    • 90 Gb/s of traffic

University of Toronto – Fall 2012


Network telescope

Network Telescope

  • Large piece of globally announced network addresses

  • No legitimate hosts (almost)

  • Inbound traffic is almost always anomalous

  • 1/256th of the all addresses (IPv4 space)

    • One packet in every 256 packets if unbiased random generators used.

  • Provides global view of the spread of Internet worms.

University of Toronto – Fall 2012


Today

Today

  • Network Security Goals

  • Security vs. Internet Design

  • Attacks

  • Defenses

University of Toronto – Fall 2012


Network security goals

Network Security Goals

  • Availability

    • Everyone can reach all network resources all the time

  • Protection

    • Protect users from interactions they don’t want

  • Authenticity

    • Know who you are speaking with

  • Data Integrity

    • Protect data en-route

  • Privacy

    • Protect private data

University of Toronto – Fall 2012


Today1

Today

  • Network Security Goals

  • Security vs. Internet Design

  • Attacks

  • Defenses

University of Toronto – Fall 2012


Internet design

Internet Design

  • Destination routing

  • Packet based (statistical multiplexing)

  • Global addressing (IP addresses)

  • Simple to join (as infrastructure)

  • Power in end hosts (end-to-end argument)

University of Toronto – Fall 2012


Internet design vs security

Internet Design vs. Security

  • Destination routing

    • Makes Internet routers simpler

    • How do we know where packets are coming from?

  • Packet based (statistical multiplexing)

  • Global addressing (IP addresses)

  • Simple to join (as infrastructure)

  • Power in end hosts

University of Toronto – Fall 2012


Internet design vs security1

Internet Design vs. Security

  • Destination Routing

  • Packet Based (statistical multiplexing)

    • Simple + Efficient

    • Difficult resource bound per-communication

      • How to keep someone from hogging?(remember, we can’t rely on source addresses)

  • Global Addressing (IP addresses)

  • Simple to join (as infrastructure)

  • Power in End Hosts

University of Toronto – Fall 2012


Internet design vs security2

Internet Design vs. Security

  • Destination routing

  • Packet based (statistical multiplexing)

  • Global Addressing (IP addresses)

    • Very democratic

    • Even people who don’t necessarily want to be talked to

      • “every psychopath is your next door neighbor” – Dan Geer

  • Simple to join (as infrastructure)

  • Power in end hosts

University of Toronto – Fall 2012


Internet design vs security3

Internet Design vs. Security

  • Destination routing

  • Packet based (statistical multiplexing)

  • Global addressing (IP addresses)

  • Simple to join (as infrastructure)

    • Very democratic

    • Misbehaving routers can do very bad things

      • No model of trust between routers

  • Power in End Hosts

University of Toronto – Fall 2012


Internet design vs security4

Internet Design vs. Security

  • Destination routing

  • Packet based (statistical multiplexing)

  • Global addressing (IP addresses)

  • Simple to join (as infrastructure)

  • Power in end-hosts

    • Decouple hosts and infrastructure = innovation at the edge!

    • Giving power to least trusted actors

      • How to guarantee good behavior?

University of Toronto – Fall 2012


Today2

Today

  • Network Security Goals

  • Security vs. Internet Design

  • Attacks

  • Defenses

University of Toronto – Fall 2012


Denial of service dos attacks

Denial of Service (DoS) Attacks

  • Send many requests to a server

    • Make the requests look legitimate

  • Exhaust some of the resources

    • Processing (CPU)

    • Bandwidth (uplink/downlink)

    • Memory

University of Toronto – Fall 2012


Dos via resource exhaustion

DoS: Via Resource Exhaustion

User-time

CPU

Uplinkbandwidth

Downlinkbandwidth

Memory(e.g. TCP TCBexhaustion)

University of Toronto – Fall 2012


Distributed dos ddos

Distributed DoS (DDoS)

  • Attacker compromises multiple hosts

  • Installs malicious program to do her biding(bots)

  • Bots flood (or otherwise attack) victims on command; Attack is coordinated

  • Bot-networks of 80k to 100k have been seen in the wild

    • Aggregate bandwidth > 20Gbps (probably more)

University of Toronto – Fall 2012


Today3

Today

  • Network Security Goals

  • Security vs. Internet Design

  • Attacks

  • Defenses

University of Toronto – Fall 2012


Firewalls

Firewalls

  • What is a firewall?

    • Device designed to permit or deny network transmissions

      • E.g. traffic entering or leaving your home network

      • Works based on a set of rules

      • Used to protect networks from unauthorized access

        • While permitting legitimate communications to pass.

  • Can be done in the network (e.g. network perimeter) or at the host

  • Configuration is not straight forward

    • Requires knowledge of the network

University of Toronto – Fall 2012


How can we prevent network attacks

How Can We Prevent Network Attacks?

  • Without changing current Internet’s design

  • What if we can change everything?

    • Clean slate design

University of Toronto – Fall 2012


Final comments

Final Comments

  • Internet not designed for security

  • Many, many attacks

    • Defense is very difficult

    • Attackers are smart; broken network aids them!

  • The impact can be sever

    • As we rely more on computer networks over time

  • Time for new designs/principles?

University of Toronto – Fall 2012


  • Login