1 / 24

Security Mechanisms for a Cooperative Firewall

Security Mechanisms for a Cooperative Firewall. Hammad Kabir Supervisor: Prof. Raimo Kantola Instructor: Jose Costa-Requena. February 2014. Outline. Research Background Research Objectives Conceptual Framework (Customer Edge Switching) Literature Review

galeno
Download Presentation

Security Mechanisms for a Cooperative Firewall

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Security Mechanisms for a Cooperative Firewall • Hammad Kabir • Supervisor: Prof. RaimoKantola • Instructor: Jose Costa-Requena • February 2014

  2. Outline • Research Background • Research Objectives • Conceptual Framework (Customer Edge Switching) • Literature Review • Circular Pool vulnerabilities • CES-to-CES communication vulnerabilities • Security Models • Results and Discussion • Conclusions and Future Work • References

  3. Research Background • NAT deployment at network edges introduced the reachability problem in the Internet. • Various NAT traversal proposals: STUN, TURN and ICE [3] have been proposed, which either had the long connection setup time or keep-alive signaling that depletes the mobile battery. • A solution proposed at COMNET department of Aalto University: Customer Edge Switching 12/02/2014

  4. Research Objectives Research Problem • While the CES architecture solves many of the current Internet issues i.e. reachability problem, IPv4 address space depletion [1] [2], the prototype only offers minimal security through policy based admission control to the communicating end points. • Security has generally been considered out of scope. Research Scope • To identify the security vulnerabilities present within the CES architecture. • Present a security model that secures CES against the attacks launched on these vulnerabilities. • Evaluate the security models based on a set of test cases (attacks), to demonstrate their effectiveness. 12/02/2014

  5. Customer Edge Switching Customer Edge Traversal Protocol (CETP)

  6. Private Realm Gateway (PRGW) • Principle: • A component in CES to support backward compatibility with legacy networks • Outgoing connection is established in a similar manner to NAT • For an inbound connection, the domain in private network is reached through address received • from CES, after performing name resolution for the destination domain.

  7. Circular Pool Model • When a DNS request is received from a legacy host, the PRGW makes use of circular pool functionality and returns an address from the pool of public IP addresses, towards the sender, in the DNS response. • The address returned is marked in the ‘waiting’ state. • After a data packet is received at this address, the address is returned to the circular pool for future connection establishments. • Since the circular pool only assigns the addresses that are not in ‘waiting’ state to establish a new connection. If all of the circular pool addresses are reserved when a DNS query is received, the circular pool cannot serve the request and the request is dropped. This state of circular pool is called blocking state. • This state is not permanent, and it does not affect ongoing connections in CES. • An attacker can exploit this vulnerability in different ways, to launch DoS attacks on the circular pool. 12/02/2014

  8. Denial of Service (DoS) in CPOOL • An attacker sends DNS queries to different domains behind the CES through various DNS servers to • reserve all the circular pool addresses. • Damage: CES reaches the blocking state, and it cannot serve new incoming connection requests. 12/02/2014

  9. Connection Hijacking in CPOOL • Legitimate host reserves an address from the circular pool and a state is created with ‘waiting’ status • Before the legitimate host could return, an attacker sending attack packets can take over the state and • hijacks the connection • Results in DoS to the legitimate user. 12/02/2014

  10. CETP connection establishment • After DNS response, the outbound CES (oCES) encodes CETP packet according to the sender policy and • forwards it towards the inbound CES (iCES) to negotiate the connection establishment. • The CETP transaction between the oCES and the iCES is uniquely identified with the (SST, DST) pair chosen by the oCES and the iCES, respectively. • The connection establishment succeeds after both end points can successfully fulfill each other requirements, in either 1 RTT or 2 RTT. 12/02/2014

  11. CETP Attack-1 • Vulnerability: • A legacy host with CETP attack module forwards spoofed CETP packets towards CES-B. • Damage: • The attacker opens a connection in the iCES by sending a spoofed CETP packet. • For a bot-controlled legacy host, this can result in a DoS attack on the inbound CES. 12/02/2014

  12. CETP Attack -2 • Vulnerability: • A non-spoofing legacy host can imitate as a legitimate CES, if the sender legitimacy is not determined • Damage: • The attacker successfully establishes a connection with the victim behind CES-B 12/02/2014

  13. CETP Attack -3 • Vulnerability: • The attack can affect all the communications for which the routing infrastructure is compromised. • Damage: • A successful MITM attack can compromise the integrity of the messages exchanged. • A MITM attacker can either passively eavesdrop on a communication • It can masquerade as a legitimate source and steal the victim’s information. 12/02/2014

  14. Principle of Security Mechanisms • A light weight attack should consume minimal processing at an inbound CES. • Heavy verification mechanisms on attack packets generated with minimal processing give the attacker an advantage, where the attacker can flood the CES with huge attack volumes and force the CES into a denial-of-service (DoS) state. • The CES architecture must eliminate source address spoofing before admitting a packet for connection establishment. • Heavy verification mechanisms executed, after eliminating spoofing, must guarantee the legitimacy of the CETP packet source. • With spoofing eliminated, a failure in heavy verification mechanisms must enable the CES to attribute an attack to the packet source. • The response to light weight received packets should be small, to prevent network traffic amplification. The detailed response can be sent after spoofing has been eliminated. 12/02/2014

  15. Inbound CES Security Model • Cookie mechanism • Protects against spoofing attacks • Protects against replay attacks • Signature Verification • Protects against MITM attacks • Authenticates the sender • Based on the certificate from a CA • HSS verification • Authenticates the sender • A connection succeeds only if • the sender is a non-spoofing source • And, the sender is authenticated as a legitimate CES • It fulfills all the policy requirements of the destination 12/02/2014

  16. Outbound CES Security Model • A connection succeeds only if the inbound packet matches • (SST, DST=0) pair in the oCES • And, the sender is authenticated as a legitimate CES 12/02/2014

  17. Consequence of security 12/02/2014

  18. Performance Analysis 12/02/2014

  19. Circular Pool security • Protects against DoS attacks • Upper limit on ‘waiting’ connection requests to a destination • Upper limit on ‘waiting’ connection requests from a source • Greylisting a DNS source generating attack traffic • A dedicated set of resource for whitelisted sources • Resources for whitelisted DNS sources, even under DDoS 12/02/2014

  20. Circular Pool security • Protections against Connection Hijacking attempts • Drop a UDP packet received for claiming a ‘waiting’ connection state • A UDP packet must be accepted after prior secure signaling i.e. SIP, from the source • Since it is difficult to eliminate spoofing on a received UDP packet • Blacklisting an IP source generating the attack traffic • TCP-relay to eliminate spoofing on the inbound traffic [4]. • Bot-detection method, to spot a non-spoofing legacy host generating the attack traffic 12/02/2014

  21. Circular Pool Evaluation • Test case with a legitimate host and an attacker generating SYN segments at average 20 connection/sec. • Reduction in the volume of the carried traffic, after the security. • Before security, • all the offered traffic was carried in to the CPOOL and processed for connection establishment. • After the security: • SYN segments accepted for connection establishment reduce drastically once the bot-controlled host is identified. 12/02/2014

  22. Conclusion and Future work • Conclusion: • Security vulnerabilities have been identified • Security models proposed to secure the CES architecture have been evaluated • The performance analysis indicates that CES is secured against network attacks without introducing • significant delay • Future Work: • Implementation of TCP-Relay method to eliminate spoofing on the received packets • Exploring DNS/TCP to avoid spoofing in the received DNS requests • Faster Control plane/Data plane using C/C++, to further reduce the connection setup delay • Secure signaling for UDP flows 12/02/2014

  23. References [1] J. S. Llorente, "Private Realm Gateway," Master Thesis, Aalto University, School of Electrical Engineering, 2012. [2] M. Pahlevan, "Signalling and Policy Enforcement for Cooperative Firewalls," Aalto University, School of Electrical Engineering Thesis, 2013. [3] N. Beijar, Z. Yan, M. Pahlavan, and R. Kantola. (2012, Mar.) Customer Edge Traversal Protocol. [Online]. http://www.re2ee.org/ [4] W. Eddy, "TCP SYN Flooding Attacks and Common Mitigations," RFC 4987, 2007. 12/02/2014

  24. Thank You Questions? 12/02/2014

More Related