1 / 56

CMSC 414 Computer and Network Security Lecture 28

CMSC 414 Computer and Network Security Lecture 28. Jonathan Katz. Administrivia. Final exam reminder + study guide DSS students contact me A-G in 3258 AVW; H-Z in classroom Course evaluations www.CourseEvalUM.umd.edu. SSL in wireshark. IPsec. Overview.

swann
Download Presentation

CMSC 414 Computer and Network Security Lecture 28

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CMSC 414Computer and Network SecurityLecture 28 Jonathan Katz

  2. Administrivia • Final exam reminder + study guide • DSS students contact me • A-G in 3258 AVW; H-Z in classroom • Course evaluations • www.CourseEvalUM.umd.edu

  3. SSL in wireshark

  4. IPsec

  5. Overview • IPsec can provide security between any two network-layer entities • host-host, host-router, router-router • Used widely to establish VPNs • IPsec encrypts and/or authenticates network-layer traffic, and encapsulates it within a standard IP packet for routing over the Internet

  6. Overview • IPsec is a complex, over-engineered protocol • Lots of un-needed features • Interoperability is challenging • Defeats the point of having a standard • IPsec is less used than it should(?) be

  7. Overview • IPsec consists of two components • IKE --- Used to establish a key • AH/ESP --- Used to send data once a key is established (whether using IKE or out-of-band) • AH (authentication header) • Data integrity, but no confidentiality • ESP (encapsulating security payload) • Data integrity + confidentiality • (Other differences as well)

  8. Security policy database • Nodes maintain a table specifying what is required for each incoming packet • Drop • Forward/accept without IPsec protection • Require IPsec protection • Auth only • Enc only • Both • Decisions can be based on any information contained in the packet

  9. Security associations (SAs) • When a node receives a packet, it needs to know who it is from • May be receiving IPsec traffic from multiple senders at the same time -- possibly even with the same IP address • An SA defines a network-layer unidirectional logical connection • For bidirectional communication, need two SAs • The IPsec header indicates which security association to use

  10. Security associations (SAs) • An SA contains crypto keys, the identity/IP address of the other party, a sequence number, and crypto parameters (algorithms, auth/enc/both)

  11. IPsec: IKE

  12. Overview of IKE • IKE provides mutual authentication, establishes a shared key, and creates an SA • Assumes a long-term shared key, and uses this to establish a session key (as well as to provide authentication) • Supported key types • Public signature keys • Public encryption keys • Symmetric keys

  13. IKE phases • Phase 1: long-term keys used to derive a session key (and provide authentication) • Roughly analogous to SSL session • Phase 2: the session key is used to derive SAs • Roughly analogous to SSL connection • In theory, can run phase 1 once, followed by multiple executions of phase 2 • E.g., different flows between same endpoints • Why not use same key for each? • In practice, this rarely happens

  14. Phase 1 session keys • Two session keys are defined in phase 1 • One each for encryption/authentication • These keys are used to protect the final phase 1 messages as well as all phase 2 messages

  15. Key types • As mentioned earlier… • Why are there two PK options? • Signature-based option • Efficiency (can start protocol knowing only your own public key, then get other side’s key from their certificate) • Legal reasons/export control • Encryption-based option • Can be used to provide anonymity in both directions • Adds tremendously to the complexity of implementation

  16. IKE phase 1 • Aggressive mode • 3 messages • Main mode • 6 messages • Additional features: • Anonymity • Negotiation of crypto parameters

  17. Anonymity • Protocols can be designed so that identities of the parties are hidden from eavesdroppers • Even while providing authentication! • Can also protect anonymity of one side against active attacks • Whom to protect? • Initiator: since responder’s identity is generally known… • Responder: since otherwise it is easy to get anyone’s identity

  18. Aggressive mode • Alice sends ga, “Alice”, crypto algorithms • Note that choices are restricted by this message • Bob sends gb, choice of crypto algorithm, “proof” that he is really Bob • If Bob does not support any of the suggested algorithms, he simply does not reply • Note that there is no way to authenticate a refusal, since no session key yet established • Alice sends “proof” that she is Alice • Derive shared key from gab

  19. Main mode • Negotiate crypto algorithms (2 rounds) • Alice and Bob do regular Diffie-Hellman key exchange (2 rounds) • Alice sends encryption of “Alice” plus a proof that she is Alice, using long-term secret keys plus (keys derived from) gab • Bob does similarly…

  20. Crypto parameters… • Choice of: • Encryption method (DES, 3DES, …) • Hash function (MD5, SHA-1, …) • Authentication method (e.g., key type, etc.) • Diffie-Hellman group (e.g., (g, p), etc.) • A complete set of protocols (a security suite) must be specified

  21. Negotiating parameters • Many protocols allow parties to negotiate cryptographic algorithms and parameters • Allows users to migrate to stronger crypto; increases inter-operability (somewhat) • But, opens up a potential attack if not authenticated somehow… • Also makes for more complicated implementations

  22. “Proofs of identity” • Depend on which type of long-term shared key is being used • Similar (in spirit) to the authentication protocols discussed in class

  23. IPsec: AH/ESP

  24. AH vs. ESP • Two header types… • Authentication header (AH) • Provides integrity only • Encapsulating security payload (ESP) • Provides encryption + integrity • Both provide cryptographic protection of everything beyond the IP headers • AH additionally provides integrity protection of some fields of the IP header

  25. Transport vs. tunnel mode • Transport mode: add IPsec information between IP header and rest of packet • IP header | IPsec | [ packet ] • Designed for end-to-end secure communication protected

  26. Firewalls and transport mode • Transport mode may cause problems if there are firewalls between the communicating hosts • Firewalls can’t inspect higher-layer information, like ports or applications • Tunnel mode was suggested to overcome this… • Traffic secured between the firewalls (or between one firewall and the other end host) • End host(s) can be oblivious to what is being done

  27. Transport vs. tunnel mode • Tunnel mode: keep original IP packet intact but protect it; add new header information outside • New IP header | IPsec | [ old IP header | packet ] • Can be used when IPSec is applied at intermediate points along path (e.g., for firewall-to-firewall traffic) • Treat the link as a secure tunnel • New IP header different from old header since, e.g., src/dest have changed protected

  28. Transport vs. tunnel mode • Note that tunnel mode subsumes transport mode… • …but transport mode is more efficient • Tunnel mode also hides (some information about) the communicating parties

  29. More on AH • AH provides integrity protection on header • But some fields change en route! • Immutable fields included in the integrity check • Mutable but predictable fields are also included in the integrity check • The final value of the field is used

  30. More on ESP • ESP provides both confidentiality and integrity • On data only, not header • Header can’t be encrypted

  31. More on AH vs. ESP • ESP can already provide encryption and/or authentication • So why do we need AH? • AH also protects the IP header • Export restrictions • Firewalls need some high-level data to be unencrypted • None of these are compelling…

  32. Intrusion detection

  33. Prevention vs. detection • Firewalls (and other security mechanisms) aim to prevent intrusion • IDS aims to detect intrusion in case it occurs • Use both in tandem! • Defense in depth, full prevention impossible • Outsider vs. insider attacks • The sooner intrusion is detected, the less the damage • IDS can also be a deterrent, and can be use to detect weaknesses in other security mechanisms

  34. IDS tradeoff • IDS based on the assumption that attacker behavior is (sufficiently) different from legitimate user behavior • In reality, there will be overlap • Some legitimate behavior may appear malicious • Intruder can attempt to disguise their behavior as that of an honest user

  35. False positives/negatives • False positive • Alarm triggered by acceptable behavior • False negative • No alarm triggered by illegal behavior • Always a tradeoff between the false positive and false negative rate

  36. False alarms? • Say we have an IDS that is 99% accurate • I.e., Pr[alarm | attack] = 0.99 and Pr[no alarm | no attack] = 0.99 • An alarm goes off -- what is the probability that an attack is taking place? • To increase this probability, what should we focus on improving??

  37. False alarms • Say the probability of an attack is 1/1000 • Use Bayes’ law:Pr[attack | alarm] = Pr[alarm | attack] Pr[attack] / Pr[alarm] = 0.99 * 0.001 / (0.99 * 0.001 + 0.01 * 0.999)≈ 0.001/(0.001 + 0.01) ≈ 0.1 • I.e., when an alarm goes off, 90% of the time it will be a false alarm! • How best to lower this number?

  38. False alarms • Improving Pr[alarm | attack] to 100% givesPr[attack | alarm] ≈ 0.1 (essentially unchanged) • Improving Pr[no alarm | no attack] to 99.9% gives Pr[attack | alarm] ≈ 0.5

  39. Two types of IDS • Signature-based ≈ looks for improper behavior • Roughly analogous to blacklisting • Anomaly-based ≈ looks for atypical behavior • Roughly analogous to whitelisting

  40. Signature (rule-based) detection • Define a set of “bad patterns” (e.g., known exploit characteristics, known bad events) • Detect these patterns if they occur

  41. Example rules • Incoming packets with a certain pattern match a known exploit • Users should not read files in other users’ directories • Users should not be logged in simultaneously from more than one location • Users do not make copies of system programs • No incoming requests except to port 80

  42. Anomaly detection • Monitor behavior and compare to some “baseline” behavior using statistical tests • Look for deviations from “normal behavior” • “Normal behavior” can be defined on a global level or a per-user level • “Normal behavior” can be specified by a human, or learned automatically over time

  43. Profile of authorized user behavior Profile of Intruder behavior Probability density function Overlap in observed or expected behavior Measurable behaviour parameter Average behaviour of authorized user Average behaviour of intruder

  44. Two places IDS can be run • Host-based IDS (HIDS) • Network-based IDS (NIDS)

  45. Host-based IDS • Monitors events on a single host • Can (potentially) observe the effects of an attack (in addition to possibly detecting the attack itself) • Can detect both internal and external intrusions

  46. Distributed host-based IDS • Combine information collected at many different hosts in the network • One or more machines in the network will collect and analyze the network data • Can correlate information across multiple hosts • E.g., same event occurring simultaneously across all machines might be suspicious • Or, an event occurring on only one machine might be suspicious

  47. Network-based IDS • Monitors traffic at selected points on the network • Real time; packet-by-packet • By looking at all network traffic, can potentially get a global view

  48. Sensor types • Inline sensor • Inserted in network path; all traffic passes through the sensor • Passive sensor • Monitors a copy of network traffic • Passive sensor more efficient; inline sensor can block attacks immediately

  49. Sensor placement • Inside firewall? • Can detect attacks that penetrate firewall • Can detect firewall misconfiguration • Can examine outgoing traffic more easily to detect insider attacks • Can configure based on network resources being accessed (e.g., configure differently for traffic directed to web server) • Outside firewall? • Can document attacks (types/locations/number) even if prevented by firewall (can then be handled out-of-band)

More Related