
Chapter 5 Network Security

Chapter 5 Network Security. Sue Fitzgerald, Metropolitan State University, CS 328 Computer Security, Fall 2008. Overview: networks facilitate information sharing; networks permit remote attacks; network security includes network architecture and protocols; modern applications permit remote access.

  1. Chapter 5 Network Security
     Sue Fitzgerald, Metropolitan State University, CS 328 Computer Security, Fall 2008

  2. Overview
     • Networks facilitate information sharing
     • Networks permit remote attacks
     • Network security includes
       • Network architecture
       • Protocols
     • Modern applications permit remote access
     • Anyone with access can attack

  3. Framework
     • The big picture
     • LANs – local area networks
       • More expensive, faster
       • Ethernet – broadcast (party line)
       • Switched LAN (Fig 5.2)
     • WANs – wide area networks
       • Lower speed, long distances, cheaper per foot
       • Telephone, satellite, fiber

  4. Finding Networked Machines
     • Naming
       • subgroup.enterprise.domain
       • cs.metrostate.edu
     • Mostly unique except
       • Server name may map to many machines (load balancing)
       • One machine could have more than one name (aliases)

  5. IP Address
     • Machine-understandable name
     • 32 bits – IPv4 (e.g., 199.17.228.108)
     • 128 bits – IPv6
     • Mostly unique except
       • Multihomed machines
       • DHCP
       • NAT

  6. DHCP
     • Dynamic Host Configuration Protocol
     • Runs on a LAN
     • Assigns any available IP address each time a machine boots up/joins the LAN
     • Machines do not get the same address every time

  7. NAT
     • Network address translation
     • Used when an enterprise does not have enough IP addresses to go around
     • Outside world sees one IP address
     • A NAT box maps that single IP address to several machines on the LAN (see Fig. 5.3)
     • Each machine has a unique MAC address

  8. Finding a Machine
     • Given a name, how to find the IP address?
     • DNS - Domain Name Servers
       • Internet-wide infrastructure
       • Hierarchy of nameservers follows the hierarchy of names
       • Top level name servers map to domains (.edu, .com, .gov, .org, .mil – 20 in all + country codes)

  9. Finding a Machine (continued)
     • The domain server passes the request to the correct enterprise name server
     • The enterprise name server points to the subgroup name server
     • In practice, lots of caching occurs and name inquiries may be directed to close peers

  10. Routing
     • Given the IP address of the computer, a route must be established
     • Routing – list of machines on the path from one computer to another
     • Lots of routing protocols
       • Within LAN
       • Within enterprise
       • Across the Internet

  11. Routing (continued)
     • Open Shortest Path First (OSPF) – constructs routes within an enterprise
     • Border Gateway Protocol (BGP) – constructs and maintains routes across the Internet (between enterprises)
       • Each autonomous system keeps a table of preferred routes for each range of IP addresses
       • Peers exchange information and update their routing tables

  12. Physical Hardware Addressing
     • Each machine has a unique media access control (MAC) address
       • 48 – 64 bits
       • Mostly unique, but can be changed manually
     • Address Resolution Protocol (ARP)
       • Used to map from network layer address to machine address (usually IP to Ethernet MAC)
       • See Fig 5.4

  13. Services and Ports
     • The real goal is for one application (or user) to get information to another application
     • The applications could be called ‘services’
       • Accessing a web page, transferring a file, remote login, etc.
     • A port is a numbered endpoint for a network connection (see Fig. 5.5)

  14. Ports (continued)
     • A port is just a number
     • The number is included with every message intended for a particular application (service)
     • Each service is assigned a particular port number (HTTP=80, SSL=443, SMTP=25)
     • When a computer receives a message, it looks for the port number
     • The message is forwarded to the corresponding service

  15. Network Stack
     • AKA Protocol Stack
     • “A set of services that deal with a particular set of network protocols and is arranged so that each layer in the stack can use only the services of the layer below it.” p. 94
     • See Fig. 5.6
     • Each layer is intended to communicate with a similar layer on a different machine (Fig. 5.7)

  16. TCP/IP Stack
     • Physical layer – transmission medium (hardware)
     • Link layer
       • Moves data between two computers on the same network (LAN)
       • Data is encapsulated in frames
       • Examples – Ethernet, Wi-Fi

  17. TCP/IP Stack (continued)
     • Network layer
       • Most common protocol here is Internet Protocol (IP)
       • Moves packets from source computer to destination computer
       • Handles addressing, routing, network congestion

  18. TCP/IP Stack (continued)
     • Transport layer
       • Provides end-to-end connections between machines separated by a wide area network
       • A common protocol here is Transmission Control Protocol (TCP)
         • Forces parts of message to arrive in order
         • Forces retransmission of missing packets
       • Another common protocol is User Datagram Protocol (UDP)

  19. TCP/IP Stack (continued)
     • Application layer
       • Set of protocols used by applications to communicate
       • http, network time protocol, simple network management protocol (SNMP), Telnet, ftp

  20. HTTP Using the Protocol Stack
     • Browser application creates an HTTP request message
     • Browser uses a socket to connect to the server
       • The socket is a data structure provided by the transport layer. It has a set of system calls to the transport layer.
     • Browser calls send() to send the http request to the transport layer

  21. HTTP (continued)
     • Transport layer (TCP) adds a header to the message, which is now referred to as a segment
     • Transport layer sends the message to the network layer (calls a procedure in the network layer)
     • Network layer (IP) breaks the message into packets (called datagrams) and adds another header
     • Network layer sends each packet to the link layer (makes a procedure call in the link layer)

  22. HTTP (continued)
     • Link layer puts the message into an Ethernet or Wi-Fi frame and adds a header
     • Link layer manipulates the physical hardware and causes the signals to be sent over the ‘wire’ to the nearest switch or router
       • Which in turn forwards the frames to the next router or switch

  23. HTTP (continued)
     • When the frames arrive at the destination computer, the physical interface raises an interrupt
     • The interrupt handler passes control to the link layer, which removes the frame header
     • The link layer passes the message to the network layer
     • The network layer removes the packet headers

  24. HTTP (continued)
     • The network layer (IP) passes the message (datagram) up to the transport layer
     • The transport layer removes its header and passes the message (segment) to the application via the socket
     • If there are any errors, the transport layer may ask for retransmission
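The walk through slides 20-24 is easier to see in bytes. The following is an added example (not from the slides or the textbook): it wraps a constructed HTTP request in a TCP header, an IPv4 header with a computed header checksum, and an Ethernet frame, then strips the headers again on the receiving side, rejecting a frame whose IP header has been corrupted or tampered with. Addresses, MACs and port numbers are made up for illustration.

```python
import socket
import struct

# Constructed sample request (not from the slides): what the browser hands to send() in slide 20.
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: cs.metrostate.edu\r\n\r\n"

def ip_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, as used for the IPv4 header checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate(payload, src_ip, dst_ip, src_port, dst_port, src_mac, dst_mac):
    """Sending side (slides 21-22): transport, network and link layer each prepend a header."""
    # TCP segment: 20-byte header (data offset 5 words, PSH|ACK); TCP checksum left 0 for brevity
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    # IPv4 datagram: version 4 / IHL 5, TTL 64, protocol 6 = TCP, header checksum filled in below
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src_ip, dst_ip)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    # Ethernet frame: destination MAC, source MAC, EtherType 0x0800 = IPv4
    return dst_mac + src_mac + b"\x08\x00" + ip_hdr + tcp

def decapsulate(frame):
    """Receiving side (slides 23-24): strip each header in turn, checking it as we go.
    Returns (destination port, application data) so the OS can hand it to the right service."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip_checksum(ip[:ihl]) != 0:          # a correct header sums to zero with its own checksum
        raise ValueError("IP header checksum mismatch (corrupted or tampered)")
    if ip[9] != 6:
        raise ValueError("not a TCP segment")
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    data_offset = (tcp[12] >> 4) * 4
    return dst_port, tcp[data_offset:]

def sample_frame():
    """Constructed addresses: client 199.17.228.5:40000 -> cs.metrostate.edu 199.17.228.108:80."""
    return encapsulate(HTTP_REQUEST, socket.inet_aton("199.17.228.5"), socket.inet_aton("199.17.228.108"),
                       40000, 80, bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"))
```

The header checksum only catches accidental corruption; it is not a security check, which is why slides 33 and 36 add TLS and IPsec above and below this layer.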

  25. Networking and Operating Systems
     • Users do not manipulate the network stack directly
     • The operating system provides a network interface/network services
     • Developers write applications that use sockets, RPC, DCOM or other services

  26. Networking and Operating Systems (continued)
     • Putting networking into the operating system means that
       • There is a simple interface
       • Network code runs in kernel mode as part of the OS and fewer context switches are needed
       • Adds complexity to the OS
       • Opens the door to attacks

  27. Enterprise Network Architecture
     • Network architecture – arrangement of computers on a network
     • Goal - minimize risk of attack
     • Specific applications bind to specific ports
     • Anyone can send network packets to any port on a computer hooked to a network

  28. Reducing Risk of Attack
     • Shut down as many services as possible
     • Install a firewall (see Fig 5.8)
       • Firewall stands between enterprise network and the world
       • It filters out packets
     • Defense in depth
       • Individual computers can also have firewalls

  29. Reducing Risk of Attack (continued)
     • A firewall blocking all traffic may be too restrictive
     • DMZ
       • Part of the enterprise network is behind a firewall and part of it is not (DMZ)
       • The DMZ provides limited services

  30. Protocols
     • Most applications interact with the network
       • Updates
       • Get info from Internet
     • Enterprise applications are spread across multiple computers
       • Data flows across network
     • Network security protocols used for protection

  31. Network Security Protocols
     • Authenticate users across a network
     • Create private channels
     • Ensure integrity via hashes

  32. SSL/TLS
     • Secure Sockets Layer (SSL)
     • Transport Layer Security (TLS) – more recent version of SSL
     • Adds security to traditional TCP sockets
     • Developed by Netscape in the mid 1990s
     • Runs on top of TCP, not part of OS
     • Interface is similar to sockets so transition was easy

  33. SSL/TLS (continued)
     • Provides “authenticated, private, tamper-evident channel between two machines on a public network”, p. 100
     • Still in common use for e-commerce applications

  34. SSL/TLS Server-side Sessions
     • User requests a secure connection from SSL-enabled Web service (https://cs.metrostate.edu)
     • Server presents its certificate to client
     • Client’s browser checks certificate – Was it issued by a trusted third party? Has it expired? Does the server have its own private key?
     • Client and server exchange more random information

  35. SSL/TLS Server-side Sessions (continued)
     • Client and server agree on a shared symmetric key
     • All subsequent data is encrypted for privacy and hashed for integrity

  36. IPSec
     • IP Security
     • Protocols that secure traffic at the IP layer
     • Does not run in user space, is part of OS kernel
     • Application developers do not deal with IPSec directly
     • IPSec is used by people who write OS code, routers, and specialized security devices that check every network packet

  37. VPNs
     • IPSec used to implement Virtual Private Networks
     • VPN Modes
       • Transport mode
         • Payload is encrypted, header is not
         • Datagram can easily be transported from end to end
       • Tunnel mode
         • Entire packet (header and payload) is encrypted and placed inside another IP datagram

  38. Tunnel Mode (continued)
     • Used when networks communicate
       • Router-to-router
       • Host-to-network
     • Destination decrypts original datagram, reads the header and re-routes
     • Used when part of the route is vulnerable

  39. DNSSEC
     • DNS – mapping hostnames to IP addresses
     • Attacks
       • Domain cache poisoning – attacker fools NS into accepting and then propagating bad data
       • Domain cache hijacking – attacker fools human registrar into thinking attacker owns host
       • Attacker impersonates NS
       • Attacker changes mapping data in transit

  40. SBGP
     • Border Gateway Protocol (BGP) is used to send routing information between enterprises
     • Attacks
       • Forge routing information
       • Create instabilities (thrashing) in routing updates

  41. Securing BGP
     • Path authentication
       • How to detect if a peer is lying about a path
     • Origin authentication
       • How to detect and verify the owner of an IP address
     • Solution: Have each party on the path digitally sign
     • Problems: Crypto is slow

  42. Attacks
     • Scanning
     • Sniffing
     • Spoofing
     • Exploiting

  43. Scanning
     • Reconnaissance – scan target’s environment
     • First stage of attack
     • Can reveal
       • Basic network topology
       • OSs
       • Ports and services
     • Starts by sending a packet to each possible port

  44. Scanning (continued)
     • Reveals which ports are open and which are closed
     • Specific ports are assigned to specific applications (by convention), so this reveals what services are running
     • Reveals other ports that may also be open and assigned to proprietary applications

  45. Banner Grabbing
     • Protocols have standard responses which can reveal what service is running on a particular port
     • A given response can be checked against a database of responses to deduce the service or application

  46. Scanning (continued)
     • Scanning a TCP port generates a response
     • The operating system can be inferred from the format of this response
     • nmap is a popular scanning tool
     • White hat scanning is called ‘penetration testing’

  47. ping sweeping
     • ping packets are sent to an arbitrary range of IP addresses
     • If the IP address is valid and ping is enabled, the attacker can get the IP addresses of machines on your network

  48. traceroute
     • traceroute can be used to find out the path that packets take through a network
     • After enough packets have been sent, network topology can be deduced

  49. Results of Scanning
     • What the target environment looks like
     • Path to target computer
     • OS
     • Services running
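Because a port scan (slides 43-46) touches many ports on one host and a ping sweep (slide 47) touches many hosts, both stand out in firewall logs by their fan-out. The following is an added example (not from the slides): a small detector run over constructed log lines in a made-up format, flagging a source that probes at least ten distinct ports on one host or pings at least five distinct hosts within a fixed one-minute window. The thresholds and the log format are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall-style log lines (not from the slides): "<time> <src> -> <dst>:<port> <kind>".
SAMPLE_LOG = (
    # one source walks 12 consecutive ports on one host within a minute (port scan)
    [f"2008-10-01T12:00:{i:02d} 10.1.1.7 -> 199.17.228.108:{p} TCP-SYN"
     for i, p in enumerate(range(20, 32))]
    # one source sends ICMP echo to six different hosts (ping sweep); port field is 0 for ICMP
    + [f"2008-10-01T12:05:{i:02d} 10.1.1.9 -> 199.17.228.{h}:0 ICMP-ECHO"
       for i, h in enumerate(range(10, 16))]
    # benign: a client using web and mail on the same server
    + ["2008-10-01T12:07:00 10.1.1.3 -> 199.17.228.108:80 TCP-SYN",
       "2008-10-01T12:07:30 10.1.1.3 -> 199.17.228.108:25 TCP-SYN"]
)

LINE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)$")
EPOCH = datetime(1970, 1, 1)

def parse(line):
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    ts, src, dst, port, kind = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port), kind

def detect_scans(lines, window_s=60, port_threshold=10, host_threshold=5):
    """Map each source to the alerts it triggered inside a fixed window of window_s seconds:
    'port_scan' if it touched >= port_threshold distinct ports on one host, 'ping_sweep' if it
    sent ICMP echo to >= host_threshold distinct hosts."""
    ports = defaultdict(set)   # (src, window, dst) -> distinct ports probed
    hosts = defaultdict(set)   # (src, window)      -> distinct hosts pinged
    for line in lines:
        ts, src, dst, port, kind = parse(line)
        w = int((ts - EPOCH).total_seconds()) // window_s
        if kind == "ICMP-ECHO":
            hosts[(src, w)].add(dst)
        else:
            ports[(src, w, dst)].add(port)
    alerts = defaultdict(set)
    for (src, _w, _dst), probed in ports.items():
        if len(probed) >= port_threshold:
            alerts[src].add("port_scan")
    for (src, _w), pinged in hosts.items():
        if len(pinged) >= host_threshold:
            alerts[src].add("ping_sweep")
    return dict(alerts)
```

Fixed windows miss a scan that straddles a window boundary or is slowed to a few probes per minute; a sliding window or per-source cumulative counters handle those cases at the cost of more state.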

  50. Sniffing
     • A network sniffer is a piece of software which captures a copy of all network traffic
     • Possible data
       • Usernames
       • Passwords
       • Locations of machines
       • Locations of services
