Internet Security - PowerPoint PPT Presentation
Presentation Transcript
Internet Security
  • Background on Internet technologies and protocols
    • LANs and WANs
    • IP Addressing, DNS
    • OSI model
    • TCP/IP, UDP
  • Attacks
  • Firewalls
Background on Internet Technologies
  • Evolution of Networking
    • Batch Environment - 1950s
      • no direct interaction between users and their programs during execution
    • Time Sharing - 1960s
      • dumb terminals were connected to a central computer system
      • Users were able to interact with the computer and could share its information processing resources
      • Marked the beginning of computer communications
    • Distributed Processing: use of minicomputers - 1970s
      • Users demanded computing closer to their work areas
      • Communication between neighbor processors and applications via networks
    • WAN and LAN- 1980s
LANs
  • collection of hosts connected by a high speed network
  • designed and developed for communications and resource sharing in a local work environment (room, campus, building)
  • users can access other networks via bridges and gateways
[LAN diagram: PC 1, PC 2, ..., PC n, a Printer and a File Server attached to one local network]

WANs and Internetworks
  • span a large geographic area, cross public property
  • often based on services provided by 3rd party companies, use telephone networks for transmission from one node to another
  • can be used to connect several LANs together
  • Routers attached to each LAN filter the network traffic to and from the WAN
  • LANs can also be connected by special modems or dedicated leased lines
[Internetwork diagram: PC 1, PC 2, ..., PC n and a File Server on a LAN, connected to the Internetwork through a Router]

Routers
  • Special purpose computers used for interconnecting networks
  • Essentially a router receives messages originating from one network and sends (routes) them to the other network
  • The process of selecting a network over which to send a message is called routing
  • Ex: computers X and Y can communicate via routers R1, R2 and R3
An example
[Diagram: X - R1 - R2 - R3 - Y; the three routers link X's network to Y's]

Internet
  • The global Internet consists of thousands of computer networks interconnected by routers.
  • Internet appears as a single, seamless communication system to which many computers can attach.
    • each computer is assigned an address
    • any computer can send a message to any other computer
Transmission Capacity
  • Speed of transmission is measured in bits per second (bps) or cycles per second (Hertz)
  • Multiplexing: many signals can be sent on a single physical channel
  • Based on the physical medium
    • twisted wire pair, coaxial cable, fiber optic cable, satellite transmission, microwave
    • Dial-up access, Leased circuits, Cable modem, DSL technologies, Wireless access
Packet Switching
  • A message is not sent as a single unit, but broken down into small packets that are transmitted individually
  • Each packet has a header that contains information about the source, the destination and the packet number
  • Packets may travel on different routes
  • May even arrive at the destination out of order
  • Good for data communication
Packet Switches
  • A WAN is constructed from many switches
  • A switch moves packets from one connection to the other
  • A switch is a dedicated computer, with two types of connections
    • High-speed connections with other switches; they can be: leased phone lines, optical fibers, microwave, satellite.
    • Low-speed connection: used to connect with an individual computer, or a LAN.
[Switched Network diagram: three Switches linked to each other by High speed connections]

Internet2 (http://www.internet2.edu/)
  • Is a high speed network that enables communications 100 - 1000 times faster than today's internet
  • Rutgers, which is part of the Internet2 consortium, has launched RUNet 2000 ($100 million)
  • Operates at 10Gbps (compare with the fastest modems now available, ~Mbps), 15,000 times faster than a typical home broadband connection
  • Developed by the academic and research community: more than 205 universities, NSF, NIH, NASA, .., IBM, DEC, Cisco, Sun, MCI, Sprint, ..
  • In Europe: European Union-funded network, TEN-34 was launched (initially 34Mbps, will later reach 155Mbps)
  • designed to provide a range of broadband network applications: collaborative research, distance learning, video-conferencing, remote medical consultation and diagnoses
Internet2 (cont’d)
  • Current telephone service uses circuit switching, where a piece of the network is entirely dedicated to a call
  • In contrast, information over the Internet is broken down into small data packets, and the packets navigate from junction to junction (routers)
  • Aim of Internet2 is to install "gigapops" (gigabit capacity points of presence) capable of routing packets more quickly through the network (by launching a gigabit switch router to support speeds of 10Gbps)
  • With the current Internet, real-time images have the same priority as email; Internet2 will be able to distinguish these two (current IP is democratic)
  • Although Internet2 is being developed for universities and research labs, in the next 5 years it may reach homes (for $30/month with 10Mbps)
IP Addressing
  • Every host on the Internet has a unique IP address.
  • The IP protocol (the one in use now) has 32 bits for an address. How many hosts total? 2^32 = 4,294,967,296.
  • The 32 bits must be divided into a Network portion and a Host portion.
  • Typically written in a "dotted decimal" form: 128.6.10.4. In this case, the network portion is 128.6 and the host portion is 10.4.
IP Addressing (cont’d)
  • How to divide up the addresses? Four classes of IP addresses:
    • 1. Class A: First bit is 0, the next 7 bits define the network, the last 24 bits define the hosts. 128 networks with 16,777,216 hosts each.
    • 2. Class B: First two bits are 1 and 0, the next 14 bits define the network, the last 16 bits define the hosts. 16,384 networks with 65,536 hosts each.
    • 3. Class C: First three bits are 1 1 0, the next 21 bits define the network, the last 8 bits define the host. 2,097,152 networks with 256 hosts each.
    • 4. Class D (Multicast): First three bits are 1 1 1, the next 29 bits define a multicast address.
IP Addressing (cont’d)
  • For a network with a large number of hosts (e.g. Class B networks), we can divide the hosts into subnetworks using a subnet mask.
  • The subnet mask indicates which of the 32 bits should be considered the network portion and which should be considered the host portion.
  • A common subnet mask is 255.255.255.0, meaning the first 24 bits define the network and the last 8 bits define the host.
  • Special IP address: 127.0.0.1 called the "localhost"
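The classful rules and the subnet-mask split from the last three slides, as an added example that is not part of the original presentation: it classifies an address by its leading bits, splits it into network and host portions at the classful or the supplied mask boundary, and counts hosts the way the slides do (2 to the number of host bits). The addresses other than 128.6.10.4 are constructed.

```python
import ipaddress
from typing import Optional, Tuple

# Classful default masks, matching the bit counts on the "Four Classes" slide
DEFAULT_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def address_class(addr: str) -> str:
    """Classify an IPv4 address by the leading bits of its first octet."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet & 0x80 == 0:          # 0xxxxxxx -> Class A
        return "A"
    if first_octet & 0xC0 == 0x80:       # 10xxxxxx -> Class B
        return "B"
    if first_octet & 0xE0 == 0xC0:       # 110xxxxx -> Class C
        return "C"
    return "D"                           # 111xxxxx -> Class D (multicast)


def prefix_length(mask: str) -> int:
    """Number of leading 1 bits in a dotted mask; non-contiguous masks are rejected."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def split_address(addr: str, mask: Optional[str] = None) -> Tuple[str, str]:
    """Return (network portion, host portion).

    Without a mask the classful boundary applies, so 128.6.10.4 gives
    ("128.6", "10.4"). A subnet mask such as 255.255.255.0 moves the
    boundary. Masks that do not end on an octet fall back to bit strings.
    """
    if mask is None:
        cls = address_class(addr)
        if cls == "D":
            raise ValueError("multicast addresses have no network/host split")
        mask = DEFAULT_MASKS[cls]
    prefix = prefix_length(mask)
    if prefix % 8 == 0:
        octets = addr.split(".")
        return ".".join(octets[:prefix // 8]), ".".join(octets[prefix // 8:])
    bits = format(int(ipaddress.IPv4Address(addr)), "032b")
    return bits[:prefix], bits[prefix:]


def hosts_per_network(mask: str) -> int:
    """Host addresses per network, counted as the slides count: 2 ** host_bits."""
    return 2 ** (32 - prefix_length(mask))
```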
Domain Name Services
  • Each host on the Internet has its own unique IP address - Who can remember all of them ?
  • DNS gives us a means to map an IP address to a "host name" and vice versa.
  • Host names are typically broken down into 4 or 5 parts:
    • 1. A geographic (e.g. country) designation is given at the "highest level":
      • uk us ca au fr it dr zw
    • 2. An organizational designation may be in place of the geographic one but can also appear in combination:
      • com edu gov mil org net
    • 3. The next level down is the "organizational" level:
      • rutgers microsoft pizzahut plannetreebok
    • 4. Within an organization, there may be several individual hosts, each with their own name:
      • CIMIC andromeda
Domain Name Services (cont’d)
  • These parts are assembled from right to left:
    • andromeda.rutgers.edu
    • www.microsoft.com
    • psych.leeds.ed.uk
    • www.whitehouse.gov
  • Resolving Internet Names using DNS
    • Most commonly used IP and host name pairs are kept in a hosts file. See /etc/hosts
    • If not in the hosts file, a primary DNS site is consulted.
    • UDP is used to send a DNS Query message to the designated Name Server on port 53.
    • This is done in a logical fashion. e.g. for host names ending in rutgers.edu, a local Rutgers DNS server can be queried.
Domain Name Services (cont’d)
  • If not found at a local DNS server, additional secondary DNS servers are checked until:
    • 1. The connection times out, or
    • 2. The request exceeds a predefined hop count, or
    • 3. The list of DNS servers is exhausted
  • Look at /etc/resolv.conf on UNIX systems. In Windows, look at the properties of the TCP/IP protocol.
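The lookup sequence on the two DNS slides (hosts file first, then a DNS query message to a name server on UDP port 53), as an added example that is not part of the original presentation: it builds the query in wire format, parses the A records out of the reply, and discards a reply whose id or question does not match the query it sent, which is the resolver-side check that keeps a forged reply from being accepted. The hosts table, the `send` callback and both responders are constructed stand-ins; a real resolver would pass a function that does the UDP exchange.

```python
import secrets
import struct
from typing import Callable, List, Tuple

HOSTS = {"localhost": "127.0.0.1"}      # constructed stand-in for /etc/hosts


def encode_name(name: str) -> bytes:
    """DNS wire format: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qid: int) -> bytes:
    """Header (id, flags = recursion desired, 1 question) + an A/IN question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return it and the offset after it."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                              # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_a_records(msg: bytes, expected_id: int, expected_name: str) -> List[str]:
    """Return the A-record addresses from a reply that matches our query."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id or not flags & 0x8000 or flags & 0x000F:
        raise ValueError("reply id does not match our query, or reply is an error")
    off = 12
    for _ in range(qd):
        qname, off = read_name(msg, off)
        if qname.lower() != expected_name.lower():
            raise ValueError("question section does not match our query")
        off += 4                                           # skip qtype, qclass
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:      # A record, class IN
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def resolve(name: str, send: Callable[[bytes], bytes]) -> List[str]:
    """Hosts file first; otherwise send(query) returns the name server's reply."""
    if name in HOSTS:
        return [HOSTS[name]]
    qid = secrets.randbelow(1 << 16)                      # unpredictable query id
    return parse_a_records(send(build_query(name, qid)), qid, name)


def fake_server(query: bytes) -> bytes:
    """Constructed name server: echoes the question, answers 192.0.2.10 (TEST-NET-1)."""
    qid = struct.unpack("!H", query[:2])[0]
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0) + query[12:] + answer


def mismatched_id_server(query: bytes) -> bytes:
    """Constructed: a reply with the wrong id, which the resolver must discard."""
    reply = fake_server(query)
    return struct.pack("!H", struct.unpack("!H", reply[:2])[0] ^ 1) + reply[2:]
```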
The Structure of WWW
  • A global collection of hypertext pages stored on Internet hosts.
    • Hypertext - Text documents that allow non-linear reading through hypertext links.
    • Normally we read a book in a linear fashion. Page 1, then Page 2, etc.
    • With hypertext, we follow our curiosity by skipping around the document(s) using hypertext links.
      • Hypertext is made up of three distinct parts:
        • Text Pages - The text you read.
        • Anchors - The starting point for a link.
        • Links - A pointer to another text page.
WWW (cont'd)
  • URL - Uniform Resource Locator. The address of a hypertext page or other Internet resource.
  • HTML - The HyperText Markup Language. The language used to create hypertext pages for use on the WWW.
  • WWW Browser - A program capable of displaying hypertext pages and navigating the WWW by allowing users to select hypertext links. Examples:
    • Netscape Navigator, NCSA Mosaic, Microsoft Internet Explorer, Mozilla
  • WWW Server - A daemon program (httpd) that responds to requests from a WWW Browser by sending it HTML hypertext pages.
The WWW Client/Server Model
  • WWW Servers are Servers
  • The request protocol used for WWW pages is HTTP - The HyperText Transfer Protocol.
    • 1. HTTP is an application layer protocol.
    • 2. Uses TCP/IP to make a connection.
    • 3. Issues a GET command.
    • 4. HTML pages are returned.
  • Other protocols can also be used within a WWW Browser:
    • FTP - File Transfer Protocol
    • E-Mail
    • Telnet
URLs
  • Uniform Resource Locators
    • A three part name for a WWW or Internet resource: protocol://hostname/filename
      • 1. Protocol: The application layer protocol used to access the resource. Examples: HTTP, FTP, GOPHER, MAILTO
      • 2. Host Name: The name of the host (or IP address) where the resource is located.
      • 3. File Name: The directory and file name of the resource.
          • URL Examples
Communication Architecture
  • Why do we need one?
    • Communication systems involve heterogeneous technologies
    • change rapidly
    • they are complex (addressing, routing, multiplexing, error control, …)
  • How to cope with the above?
    • modularization
    • standardization
  • International Standards Organization (ISO) developed the Open Systems Interconnection (OSI) reference model (1974)
OSI Reference Model
  • Consists of seven layers
  • Each layer provides a set of functions to the layers above and relies on the functions provided by the layers below
  • Each layer communicates with its peer layer on the other node (protocols)
  • The layer boundaries (interfaces) should be designed in such a way as to minimize the information flow between the boundaries
  • The main idea is to have independent standards for different layers so that changes to one would not cause changes in other layers
OSI Reference Model (cont’d)

+--------------+                       +--------------+
| application  |<--------------------->| application  |
+--------------+                       +--------------+
| presentation |<--------------------->| presentation |
+--------------+                       +--------------+
| session      |<--------------------->| session      |
+--------------+                       +--------------+
| transport    |<--------------------->| transport    |
+--------------+      +---------+      +--------------+
| network      |<---->| network |<---->| network      |
+--------------+      +---------+      +--------------+
| data link    |<---->|data link|<---->| data link    |
+--------------+      +---------+      +--------------+
| physical     |<---->|physical |<---->| physical     |
+--------------+      +---------+      +--------------+

OSI Reference Model (cont'd)

[Diagram: User A and User B, each with the seven layers (application, presentation, session, transport, network, data link, physical) stacked above the shared physical medium; the upper layers on each side are labelled "Higher level protocols" and the remaining layers "Lower level protocols"]

Physical Layer
  • The physical layer defines electrical signaling on the transmission channel; how bits are converted into electrical current, light pulses or any other physical form
  • Specific functions
    • connection establishment and termination
    • encoding and transmission of bits
    • Repeating or amplification to increase the range of transmission
Data Link Layer
  • Specifies how to organize data into packets, and how to transmit packets over a network. For example, defined in this layer are:
    • maximum packet size,
    • packet header format,
    • checksum computation
  • Defines how the network layer packets are transmitted as bits
  • Examples of data link layer protocols
    • PPP (Point to Point Protocol)
    • Ethernet framing protocol
  • Bridges work at this layer only
  • Other functions
    • Framing and Error detection
      • transmission might get corrupted, bits may be lost (parity, checksum)
      • may lose connection
    • Flow control
      • may send data too fast for a modem
      • data might get delayed a long time in the network
The Network Layer
  • Specifies how addresses are formed (IP addresses)
  • How packets are forwarded (store and forward technique)
  • Delivers packets from sending computer to receiving computer (host-to-host)
  • Defines how information from the transport layer is sent over networks and how different hosts are addressed
  • Example of a network layer protocol: the Internet Protocol
  • The device that takes care of the network level functions is a router, or sometimes a gateway
  • Functions
    • Addressing: Determines which machine to send the packet to
    • Routing: Determines the best set of links
    • Congestion Control: Routes the packets via a different route if one intermediate node gets flooded with packets
The Transport Layer
  • Handles details of reliable transfer
    • format of acks, retransmission times, rules for changing it
  • Essentially, takes care of data transfer, ensuring the integrity of data if desired by the upper layers
  • Provides end-to-end delivery
  • Functions:
    • establishing and terminating connection
    • flow control
    • error detection and correction
    • multiplexing
  • TCP and UDP operate at this layer
The Session Layer
  • Specifies how to establish a communication with a remote system e.g.: telnet
    • authentication details; e.g.: passwords
  • Establishes and terminates connections and arranges sessions into logical parts
  • Provides a means of controlling the dialogue between two end users
    • Dialogue management (half versus full duplex)
    • Synchronization and recovery management
  • This layer is not often used in existing systems
  • TCP and RPC provide some functions at this layer
The Presentation Layer
  • Specifies how to represent data
    • Takes care of data type conversion
      • Different computers use different internal representations (Ex: ASCII, EBCDIC) for integers and characters;
      • How to translate from one representation to another
  • An example of protocol residing at this layer: XDR (External Data Representation), which is used by RPC applications to provide interoperability between heterogeneous computer systems
  • Presentation layer functions are, in most systems, handled elsewhere in the network protocols
The Application Layer
  • Specifies how one particular application uses a network
    • Specifies request format (how to name a file) and how the application on another machine responds.
  • Defines the protocols to be used between the application programs
  • Examples of protocols at this layer are: protocols for electronic mail (e.g. SMTP), file transfer (e.g. FTP) and remote login, directory look up, http
How does layered software work?
  • Each layer solves one part of the problem
  • To do so, each layer on the sending computer adds information to the outgoing data
  • The same layer in the receiving computer uses the additional information to process the data (for example: checksums in the data link layer)
How does layered software work?
  • Layering Principle:

Layer N software on the destination computer must receive the exact message sent by layer N software on the sending computer.

  • For example
    • if one layer adds a header, the corresponding layer has to remove it.
    • If one layer encrypts data, the receiving computer layer has to decrypt it.
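The layering principle on this slide, as an added example that is not part of the original presentation: three toy layers each add their own header or trailer on the way down (a sequence number, the source and destination addresses, a maximum frame size and a checksum), and the peer layer on the receiving side removes exactly that, so each layer receives the very bytes its peer sent. The layer contents are constructed for illustration; a real stack's headers carry far more.

```python
import zlib
from typing import Dict, Tuple


class TransportLayer:
    """Adds a 4-byte sequence number in front of the application data."""
    def send(self, seq: int, data: bytes) -> bytes:
        return seq.to_bytes(4, "big") + data

    def receive(self, segment: bytes) -> Tuple[int, bytes]:
        return int.from_bytes(segment[:4], "big"), segment[4:]


class NetworkLayer:
    """Adds source and destination IP addresses (host-to-host addressing)."""
    def send(self, src: str, dst: str, segment: bytes) -> bytes:
        return _ip(src) + _ip(dst) + segment

    def receive(self, packet: bytes) -> Tuple[str, str, bytes]:
        return _dotted(packet[:4]), _dotted(packet[4:8]), packet[8:]


class DataLinkLayer:
    """Enforces a maximum packet size and appends a checksum (CRC-32 here)."""
    MAX_FRAME = 1500

    def send(self, packet: bytes) -> bytes:
        if len(packet) + 4 > self.MAX_FRAME:
            raise ValueError("packet exceeds the maximum frame size")
        return packet + zlib.crc32(packet).to_bytes(4, "big")

    def receive(self, frame: bytes) -> bytes:
        payload, crc = frame[:-4], int.from_bytes(frame[-4:], "big")
        if zlib.crc32(payload) != crc:
            raise ValueError("checksum mismatch: frame corrupted in transit")
        return payload


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def _dotted(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def send_trace(seq: int, src: str, dst: str, data: bytes) -> Dict[str, bytes]:
    """Run data down the stack; keep the PDU each layer handed to the one below."""
    segment = TransportLayer().send(seq, data)
    packet = NetworkLayer().send(src, dst, segment)
    frame = DataLinkLayer().send(packet)
    return {"transport": segment, "network": packet, "link": frame}


def receive_trace(frame: bytes) -> Dict[str, object]:
    """Run a frame up the stack; keep what each layer handed to the one above."""
    packet = DataLinkLayer().receive(frame)
    src, dst, segment = NetworkLayer().receive(packet)
    seq, data = TransportLayer().receive(segment)
    return {"network": packet, "transport": segment,
            "application": (src, dst, seq, data)}


def corrupt(frame: bytes, index: int) -> bytes:
    """Flip one bit to simulate a transmission error on the physical medium."""
    b = bytearray(frame)
    b[index] ^= 0x01
    return bytes(b)
```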
Once Again, The purpose of Layers
  • Each layer can be:
    • Designed
    • Implemented
    • Tested

independently of other layers.

Each Layer can change and evolve independent of other layers

Applications
  • Electronic mail
  • File transfers (FTP)
  • Remote login (TELNET, rlogin)
  • Chat
  • Bulletin boards and Network News
  • Commerce
  • Network news
  • Networked information discovery and retrieval tools
  • Fax over the Internet
  • Games
  • ….
TCP/IP Protocol Stack: Basic protocols

    Layers 5-7   TELNET  FTP  SMTP  HTTP  .....
    Layer 4      TCP  UDP
    Layer 3      IP
    Layer 2      Ethernet  Token-ring  ATM  PPP  .....

TCP/IP Protocol Stack: Infrastructure and Security protocols

    Layers 5-7   TELNET  FTP  SMTP  HTTP  .....
                 DNS  SSL  RIP  EGP  BGP
    Layer 4      TCP  UDP
                 ICMP  IPSEC
    Layer 3      IP
                 ARP  RARP
    Layer 2      Ethernet  Token-ring  ATM  PPP  .....

ICMP: Internet Control Message Protocol, ARP: Address Resolution Protocol
RARP: Reverse Address Resolution Protocol, DNS: Domain Name Service
RIP: Routing Information Protocol, BGP: Border Gateway Protocol
EGP: External Gateway Protocol, SSL: Secure Socket Layer

TCP/IP (Transmission Control Protocol/Internet Protocol)
  • TCP/IP is the basic communication protocol of the Internet
    • Protocol: the special set of rules for communicating that the end points in a telecommunication connection use when they send signals back and forth.
      • TCP, IP, HTTP, FTP, and other protocols, each with a defined set of rules to use with other Internet points relative to a defined set of capabilities.
TCP/IP (Cont'd)
  • TCP:
    • manages the assembling of a message into packets that are transmitted over the Internet and received by a TCP layer that reassembles the packets into the original message.
      • A packet is the unit of data that is routed between an origin and a destination on the Internet or any other packet-switched network
  • IP
    • handles the address part of each packet so that it gets to the right destination.
TCP/IP (Cont'd)
  • Uses the client/server model of communication
  • Communication is primarily point-to-point:
    • Each communication is from one point (or host computer) in the network to another point or host.
  • Higher layer application protocols that use TCP/IP to get to the Internet
    • Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Telnet (Telnet), and the Simple Mail Transfer Protocol (SMTP).
TCP
  • Adds Port Numbers, packet Sequence Numbers, Acknowledgement Numbers and other fields to IP addresses
    • A Port number refers to a specific application running on a host. e.g. SMTP uses Port 25 while Telnet uses Port 23.
  • TCP Header format
    • source port number
      • source IP address + source port number is a socket: uniquely identifies sender
    • destination port number
      • destination IP address + destination port number is a socket: uniquely identifies receiver
    • SYN, ACK flags
    • sequence number
    • acknowledgement number
TCP (cont’d)
  • Result is a TCP/IP "stream" - a connection established using handshake and error detection/control through positive acknowledgement.
    • Three-way handshake:
      • 1. A sends a SYN message to B - I'd like to set up a connection and I will start with sequence number s
      • 2. B Replies with a SYN and ACK message to A - Yes I will talk to you.
      • 3. A sends an ACK message to B along with the first piece of data - I got your ACK so here's the start of my data.
[Diagram: initiator sends SYN(A) to responder; responder answers with SYN(B),ACK(A); initiator completes with ACK(B)]

TCP (cont’d)
  • Useful for when error correction is required and connection will last a long time (e.g. large data transfer).
  • Large data is broken into chunks and sent separately. Can arrive in any order. Discards duplicates.
  • Provides flow control.
User Datagram Protocol (UDP)
  • Adds Port Numbers to IP addresses
    • A Port number refers to a specific application running on a host. e.g. SMTP uses Port 25 while Telnet uses Port 23.
  • UDP header format
    • source port number
      • source IP address + source port number is a socket: uniquely identifies sender
    • destination port number
      • destination IP address + destination port number is a socket: uniquely identifies receiver
  • Also an optional Checksum - Error checking
  • No handshaking or error control
  • Also called a "Connectionless" protocol
  • Often referred to as "Unreliable" - meaning error control can't be relied upon.
  • Useful for situations where overhead is a concern. Small data requests such as queries, etc.
TCP/UDP Port Numbers and Services
  • TCP and UDP add Port Numbers to the IP addresses.
  • Each port corresponds to a specific application or service.
  • Ports 1 - 1024 are generally considered privileged ports. That is, on UNIX systems, one needs to have special permissions to run services on these ports.
  • Above 1024, any port number can be used.
  • Internet assigned numbers committee agrees on some standard port numbers.
TCP/UDP Port Numbers and Services (cont’d)
  • The following are some well known services and their assigned IP port numbers.

    Service      Port   Protocol
    Day Time     13     TCP/UDP
    FTP          21     TCP
    Telnet       23     TCP
    SMTP Mail    25     TCP
    DNS          53     UDP
    HTTP/WWW     80     TCP
Internet Security
  • Background on Internet technologies and protocols
    • LANs and WANs
    • IP Addressing, DNS
    • OSI model
    • TCP/IP, UDP
  • Attacks
  • Firewalls
    • benefits, limitations
    • various types
Attacks
  • Public, private, and government networks have been penetrated by unauthorized users and rogue programs
  • Increased volume of security breaches
  • Computer Emergency Response Team (CERT) reports a tremendous increase in cracking incidents
  • Insider attack
    • The insider is already an authorized user
    • insider acquires privileged access
      • exploiting bugs in privileged systems programs
      • exploiting poorly configured privileges
    • install backdoors/trojan horses to facilitate subsequent acquisition of privileged access
    • Exploitation of software bugs
  • Outsider attack
    • acquire access to an authorized account
    • perpetrate an insider attack
Attacks
  • outsider/insider attack
    • password-based attacks
    • attacks that exploit trusted access
    • spoof network protocols to effectively acquire access to an authorized account (IP spoofing)
      • Unauthorized access to resources
      • Disclosure, modification, and destruction of resources
      • Compromised system used as hostile attack facility
      • Masquerade as authorized user or end system
      • E-Mail forgery
      • Importation of malicious or infected code
    • Session hijacking
    • Network sniffing/packet sniffing
      • User IDs, passwords, and other information are often stolen on Internet
  • Denial of service attack
    • flooding network ports
Attacks
  • Infrastructure attacks
    • router attacks
      • modify router configurations
    • domain name server attacks
    • internet service attacks
      • web sites, ftp archives
Contributing Factors
  • Lack of awareness of Internet threats and risks
    • Security measures are often not considered until an Enterprise has been penetrated by malicious users
  • Wide-open network policies
    • Many Internet sites allow wide-open Internet access
  • Vast majority of Internet traffic is unencrypted
    • Network traffic can be monitored and captured
  • Lack of security in TCP/IP protocol suite
    • Most TCP/IP protocols not built with security in mind
    • Work is actively progressing within the Internet Engineering Task Force (IETF)
  • Complexity of security management and administration
  • Exploitation of software (e.g., protocol implementation) bugs
    • Example: Sendmail bugs
  • Cracker skills keep improving
Who is perpetrating these attacks?
  • People with lots of free time
  • Former/disgruntled employees
  • Current/disgruntled employees
  • Current/former/disgruntled customers
  • Governments
TCP SYN Flooding attack
  • TCP 3 way handshake
    • send SYN packet with random IP source address
    • return SYN-ACK packet is lost
    • this half open connection stays for a fairly long period of time
  • Denial of service attack
  • Basis for IP spoofing attack
[Diagram: initiator sends SYN(A) to responder; responder answers with SYN(B),ACK(A); the final ACK(B) never arrives, leaving the connection half open]

SYN Flooding
  • Upper limit of how many concurrent SYN requests TCP can process for a given socket (called the backlog)
  • length of the queue where incoming (as yet incomplete) connections are kept
  • Queue limit applies to both
    • the number of incomplete connections (the 3-way handshake is not complete)
    • the number of completed connections that have not been pulled from the queue by the application by way of the accept() system call.
  • If backlog limit reached, TCP silently discards all incoming SYN requests until the pending connections can be dealt with
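The backlog behaviour described on this slide, as an added example that is not part of the original presentation: a small model of a listening socket whose backlog is shared by half-open connections and by completed connections the application has not yet pulled with accept(), with the silent discard once the limit is reached and the timeout that eventually reaps half-open entries. It is written to show a defender what the queue looks like under load; the scenario, addresses (TEST-NET ranges) and timings are constructed.

```python
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]          # (source IP, source port)


class ListenSocket:
    """Model of one listening TCP socket with a backlog, as on the slide."""

    def __init__(self, backlog: int, syn_timeout: float):
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.half_open: Dict[Endpoint, float] = {}   # SYN seen, handshake incomplete
        self.completed: List[Endpoint] = []          # established, awaiting accept()
        self.dropped = 0                             # SYNs silently discarded

    def _reap(self, now: float) -> None:
        """Half-open entries are only freed once the SYN timeout expires."""
        for key, t in list(self.half_open.items()):
            if now - t > self.syn_timeout:
                del self.half_open[key]

    def _queued(self) -> int:
        # The queue limit applies to both kinds of pending connection
        return len(self.half_open) + len(self.completed)

    def syn(self, src: Endpoint, now: float) -> bool:
        """Incoming SYN. Returns True if a SYN-ACK would be sent, False if dropped."""
        self._reap(now)
        if self._queued() >= self.backlog:
            self.dropped += 1                        # silently discarded
            return False
        self.half_open[src] = now
        return True

    def ack(self, src: Endpoint, now: float) -> bool:
        """Final ACK of the handshake moves the connection to the completed queue."""
        if src not in self.half_open:
            return False
        del self.half_open[src]
        self.completed.append(src)
        return True

    def accept(self) -> Optional[Endpoint]:
        """The application pulls one completed connection, freeing a queue slot."""
        return self.completed.pop(0) if self.completed else None


def simulate_flood(backlog: int, syn_timeout: float,
                   flood_syns: int, legit_delay: float) -> Tuple[bool, int]:
    """Constructed scenario: flood_syns SYNs whose sources never send the final
    ACK, then one legitimate client at time legit_delay.
    Returns (legitimate client got connected, number of SYNs dropped)."""
    sock = ListenSocket(backlog, syn_timeout)
    for i in range(flood_syns):
        sock.syn((f"203.0.113.{i}", 40000 + i), now=0.0)   # never ACKed
    legit: Endpoint = ("192.0.2.7", 51000)
    if sock.syn(legit, now=legit_delay):
        sock.ack(legit, now=legit_delay)
    return sock.accept() == legit, sock.dropped
```

With a backlog of 5, ten unanswered SYNs fill the queue and a client arriving one second later is dropped, whereas a client arriving after the SYN timeout gets through once the half-open entries have been reaped.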
IP Spoofing
  • send SYN packet with spoofed IP address
  • SYN flood real source so it drops SYN-ACK packet
  • guess sequence number and send ACK packet to target
    • target will continue to accept packets and response packets will be dropped
[Diagram: initiator sends SYN(A) with a spoofed source to responder; responder's SYN(B),ACK(A) goes to the spoofed address; initiator sends ACK(B) with a guessed sequence number]

IP Spoofing
  • First, choose the target host
  • Discover a pattern of trust, along with a trusted host
  • Disable the trusted host
  • Sample the target's TCP sequence numbers
  • Impersonate the trusted host
  • Guess the sequence numbers
  • Make a connection attempt to a service that only requires address-based authentication
  • If successful, the attacker executes a simple command to leave a backdoor
Patterns of trust
  • After choosing a target, must determine the patterns of trust
    • It is necessary to assume the target host *does* in fact trust somebody. If it didn't, the attack ends here
  • Figuring out who a host trusts may or may not be easy
  • A 'showmount -e' may show where filesystems are exported
  • rpcinfo can give out valuable information as well
  • With sufficient background information, it should not be too difficult
  • If all else fails, trying neighboring IP addresses in a brute force effort may be a viable option
SYN Flooding
  • The attacking host sends several SYN requests to the TCP port she wants disabled
  • The attacking host also must make sure that the source IP address is spoofed to be that of another, currently unreachable host (the target TCP will be sending its response to this address)
  • IP may inform TCP that the host is unreachable, but TCP considers these errors to be transient and leaves their resolution up to IP (reroute the packets, etc.), effectively ignoring them
  • IP-address must be unreachable because the attacker does not want any host to receive the SYN/ACKs that will be coming from the target TCP (this would result in a RST being sent to the target TCP, which would foil our attack).
Sequence number sampling and prediction
  • Attacker needs to get an idea of where in the 32-bit sequence number space the target's TCP is
  • Connect to a TCP port on the target (SMTP is a good choice) just prior to launching the attack and complete the three-way handshake.
  • Same as a normal connection, except that the attacker saves the value of the Initial Sequence Number sent by the target host
  • Repeat the process several times; the final ISN sent is stored
  • The attacker needs to get an idea of what the RTT (round-trip time) from the target to her host is like (repeat and average)
  • Necessary to accurately predict the next ISN
  • Baseline (the last ISN sent), incrementation speed (128,000/second and 64,000 per connect), datagram travel time: guess the next ISN
  • Immediately proceed to the next phase of the attack
    • Another TCP connection on attack port, ISN predicted would be off by 64,000
Session Hijacking
  • Send SYN packet with spoofed source IP address and appropriate sequence number to one end
  • SYN-flood that end
  • send ACK packets to target at the other end
Packet Sniffing
  • Shared media network
    • a program that monitors and analyzes network traffic, detecting bottlenecks and problems
    • packets can be intercepted at any point
    • login packets travelling over the Internet can be captured
    • intruder can find hostname, username, password and gain access to the system
    • can also obtain sensitive information
Internet Security
  • Background on Internet technologies and protocols
    • LANs and WANs
    • OSI model
    • TCP/IP, UDP, DNS
  • Attacks
  • Firewalls
    • benefits, limitations
    • various types
Internet Firewalls
  • What we need
    • Make some services available within the company such as Telnet/Rlogin and FTP between the company's hosts.
    • Disallow outside users from gaining access to the company's internal hosts via Telnet, FTP, etc.
    • Allow users within the company to access other services on the Internet such as WWW and FTP.
    • Allow users from the Internet to visit the company's WWW home pages.
    • Allow the exchange of e-mail with others on the Internet.
But,
  • It is difficult to restrict traffic in only one direction
  • Recall that the TCP/IP protocol sends acknowledgements to make sure data arrives whole.
  • What we need is a more sophisticated gatekeeper that can distinguish what services to allow and which to block.
  • The general term for this is a Firewall.
Firewalls
  • Filter between private network and internet
  • Prevent specific types of information from moving between the outside world (untrusted network) and the inside world (trusted network)
  • May be separate computer system; a software service running on existing router or server; or a separate network containing supporting devices
Proxy Servers
  • Proxy servers: Software servers that handle all communications originating from inside an organization
    • May improve performance considerably, by caching most frequently asked pages.
Most rudimentary firewall
  • Network adapter input filters
  • Examines
    • source or destination addresses
    • other information in the incoming packet
      • Matches IP addresses
      • port numbers for UDP and TCP
      • protocol of the traffic - TCP, UDP, and generic routing encapsulation (GRE)
  • Blocks packet or allows it through
  • Applies only to incoming traffic
  • Cannot control outgoing traffic
Basic Internet Firewalls
  • A basic firewall is a router or host with 2 network interfaces.
    • One interface is connected to the Internet - the Host side.
    • The second is connected to the company's internal network.
  • Two overall policies:
    • Anything not explicitly denied is allowed.
    • Anything not explicitly allowed is denied.
Benefits
  • Secure and carefully administer firewall machines to allow controlled interaction with the external internet
  • internal machines can be administered with varying degrees of care
  • does work
Basic Limitations
  • Connections that bypass firewall may be dangerous
  • services through firewall introduce vulnerabilities
  • insiders can exercise internal vulnerabilities
  • not possible to safely squeeze everything that users desire through a firewall
    • users settle for degraded service
    • tolerate increased vulnerability
  • performance may suffer
  • single point of failure
Types of Firewalls
  • Packet Filtering firewall
    • IP layer
  • application gateway firewall
    • application layer
  • circuit relay firewalls
    • TCP layer
  • combinations of these
Packet filtering firewall
  • Special software examines the network traffic (TCP, UDP and IP packets) and selectively blocks or allows IP packets
  • Each IP packet contains
    • 32-bit source IP address, 32-bit destination IP address, 8-bit protocol field, additional header fields, data
    • typically several hundred bytes long
    • an IP packet carries TCP or UDP header data
    • TCP/UDP header in data part of IP packets carries
      • 16-bit source port number, 16-bit destination port number
    • TCP header also carries
      • SYN: first packet in a TCP connection
      • ACK: packet from an existing connection

[Figure: packet layouts. IP header | TCP header | application data, and IP header | UDP header | application data]

Packet filtering firewall
  • IP packets are filtered based on
    • source IP address + source port number
    • destination IP address + destination port number
    • protocol field: TCP or UDP
    • TCP protocol flag: SYN or ACK
  • packet filtering can be very effective for simple services
  • never allow packet with source address of internal machine to enter from external internet

[Figure: a packet filtering router sits between the internal network, which contains the mail gateway, and the external Internet. Rules shown on the router: allow only packets with source address Mail gateway; allow only TCP ACK packets with source port 25 to destination port 1023; allow only packets with destination address Mail gateway, destination port 25.]

Packet filtering firewall
  • Example: Drop any TCP/IP packets coming from the Internet to port 23 (Telnet) of any internal host.
  • The allow/deny policy lists must be maintained and grow quite complex.
  • Assume company LAN uses IP addresses: 200.10.10.*
  • Asterisk ( * ) means "any"

Source IP     Source Port   Destination IP   Destination Port   Allow?
200.10.10.*   *             *                23                 No
*             *             200.10.10.*      23                 No

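The rule table above, together with the two overall policies from the "Basic Internet Firewalls" slide (default allow versus default deny) and the rule never to admit a packet carrying an internal source address from the Internet, as a small first-match packet filter. This is an added example, not code from the slides; the mail gateway address 200.10.10.25, the interface names "external"/"internal" and the ephemeral port range 1024-65535 (the slide's "destination port 1023" read as "above 1023") are assumptions of the example.

```python
"""First-match stateless packet filter (added example, not from the slides).

Rules are evaluated top to bottom; the first match decides, and a packet that
matches nothing gets the default policy ("deny" = anything not explicitly
allowed is denied, "allow" = anything not explicitly denied is allowed).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

INTERNAL_NET = "200.10.10.*"        # company LAN from the slide
MAIL_GATEWAY = "200.10.10.25"       # assumed address of the slide's "Mail gateway"
EPHEMERAL = (1024, 65535)           # assumed client port range ("above 1023")

PortPattern = Union[str, int, Tuple[int, int]]


def addr_matches(pattern: str, addr: str) -> bool:
    """Dotted-quad match; '*' in an octet position means any value."""
    pat, octs = pattern.split("."), addr.split(".")
    return len(pat) == 4 == len(octs) and all(p in ("*", o) for p, o in zip(pat, octs))


def port_matches(pattern: PortPattern, port: int) -> bool:
    """'*' matches any port, an int matches exactly, a (low, high) tuple is inclusive."""
    if pattern == "*":
        return True
    if isinstance(pattern, tuple):
        return pattern[0] <= port <= pattern[1]
    return pattern == port


@dataclass(frozen=True)
class Packet:
    iface: str              # interface the packet arrived on: "external" or "internal"
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    iface: str = "*"
    proto: str = "*"
    src: str = "*.*.*.*"
    sport: PortPattern = "*"
    dst: str = "*.*.*.*"
    dport: PortPattern = "*"
    flag: Optional[str] = None       # "ack": ACK bit must be set; "syn": SYN bit must be set

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("*", p.iface)
                and self.proto in ("*", p.proto)
                and addr_matches(self.src, p.src) and addr_matches(self.dst, p.dst)
                and port_matches(self.sport, p.sport) and port_matches(self.dport, p.dport)
                and (self.flag != "ack" or p.ack)
                and (self.flag != "syn" or p.syn))


RULES: List[Rule] = [
    # Never let a packet with an internal source address in from the Internet (spoofing).
    Rule("deny", iface="external", src=INTERNAL_NET),
    # The slide's table: no Telnet (23) from or to the company LAN.
    Rule("deny", proto="tcp", src=INTERNAL_NET, dport=23),
    Rule("deny", proto="tcp", dst=INTERNAL_NET, dport=23),
    # Inbound mail: only SMTP to the gateway, and only ACK-bearing replies from
    # remote port 25 to the gateway's ephemeral ports (the stateless way of
    # saying "this is not a new connection").
    Rule("allow", iface="external", proto="tcp", dst=MAIL_GATEWAY, dport=25),
    Rule("allow", iface="external", proto="tcp", sport=25, dst=MAIL_GATEWAY, dport=EPHEMERAL, flag="ack"),
    # Outbound: only the gateway may talk to the Internet.
    Rule("allow", iface="internal", src=MAIL_GATEWAY),
]


def decide(packet: Packet, rules: List[Rule] = RULES, default: str = "deny") -> str:
    """Return 'allow' or 'deny' for one packet under a first-match rule list."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


if __name__ == "__main__":
    # Constructed sample: a SYN from an Internet host to port 25 of the mail gateway.
    print(decide(Packet("external", "tcp", "1.2.3.4", 51000, MAIL_GATEWAY, 25, syn=True)))
```

The `default` argument is the policy choice from the slides: with `default="deny"` a bare SYN from remote port 25 to the gateway falls through every rule and is dropped, with `default="allow"` the same packet passes, which is why the deny-by-default policy is the one normally recommended.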
Packet filtering firewall

[Figure: a packet filtering router connecting internal network 1, internal network 2 and the mail gateway (internal network 3) to the external Internet; its interfaces are numbered 1 to 4 as referenced below]

  • 1: Allow packets with destination in internal networks 2 and 3
  • 2: Allow packets with destination in internal networks 1 and 3
  • 3: Allow packets with any destination
  • 4: Allow TCP packets with destination address Mail gateway, destination port 25
  • Allow only TCP ACK packets with source port 25 with destination Mail gateway, port 1023

Packet filtering firewall
  • packet filtering firewall when connection to Internet is via an external service provider
  • packet filtering is effective for coarse grained controls
  • not very effective for fine grained control
    • can do: allow incoming telnet from a particular host
    • cannot do: allow incoming telnet from a particular user
  • Vulnerabilities
    • IP source address can be spoofed
    • IP source routing
    • filtering hard to configure correctly
    • remote router management uses cleartext passwords

[Figure: External Internet – external router – packet filtering firewall host – internal network]

Packet Filtering Firewall
  • Stateless
    • Static filtering: requires that the filtering rules governing which packets the firewall allows and which it denies be developed and installed
    • Dynamic filtering: allows the firewall to react to an emergent event and update or create rules to deal with it
  • Stateful
    • Stateful inspection: firewalls that keep track of each network connection between internal and external systems using a state table
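The state table behind stateful inspection, as an added example (not code from the slides). It is written to contrast with the stateless "TCP ACK packets with source port 25" rule on the earlier packet filtering slide: here a segment is admitted only if it belongs to a connection the firewall itself saw being opened, so a forged ACK with no table entry is dropped. The mail gateway address 200.10.10.25, the direction labels and the traffic in run_scenario() are constructed for the example; sequence-number tracking and idle timeouts, which real implementations add, are omitted.

```python
"""Stateful inspection: a TCP connection state table (added example, not from the slides).

A segment is admitted only if it belongs to a connection the firewall saw being
opened, so the stateless 'ACK bit set, source port 25' heuristic is not needed
and a forged ACK with no table entry is dropped. Sequence-number tracking and
idle timeouts, which real implementations add, are left out for brevity.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

ConnKey = Tuple[str, int, str, int]        # (initiator ip, port, responder ip, port)


@dataclass(frozen=True)
class Segment:
    direction: str          # "out" = internal -> Internet, "in" = Internet -> internal
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


class StatefulFirewall:
    def __init__(self, inbound_services: Iterable[Tuple[str, int]]):
        self.inbound_services = set(inbound_services)   # (ip, port) the Internet may connect to
        self.table: Dict[ConnKey, str] = {}             # connection -> state

    def decide(self, seg: Segment) -> str:
        fwd: ConnKey = (seg.src, seg.sport, seg.dst, seg.dport)
        rev: ConnKey = (seg.dst, seg.dport, seg.src, seg.sport)
        if fwd in self.table:
            return self._from_initiator(fwd, seg)
        if rev in self.table:
            return self._from_responder(rev, seg)
        # No entry: only a bare SYN may open a connection, and an inbound SYN only
        # to a published service. A stray ACK, RST or data segment is denied.
        if seg.syn and not seg.ack:
            if seg.direction == "out" or (seg.dst, seg.dport) in self.inbound_services:
                self.table[fwd] = "SYN_SENT"
                return "allow"
        return "deny"

    def _from_initiator(self, key: ConnKey, seg: Segment) -> str:
        state = self.table[key]
        if seg.rst:
            del self.table[key]                         # reset tears the entry down
            return "allow"
        if state == "SYN_SENT":                         # only a SYN retransmit makes sense yet
            return "allow" if seg.syn and not seg.ack else "deny"
        if state == "SYN_RECEIVED" and seg.ack:
            self.table[key] = "ESTABLISHED"             # third step of the handshake
        if seg.fin:
            self.table[key] = "CLOSING"
        return "allow"

    def _from_responder(self, key: ConnKey, seg: Segment) -> str:
        state = self.table[key]
        if seg.rst:
            del self.table[key]
            return "allow"
        if state == "SYN_SENT":                         # the only valid reply is SYN+ACK
            if seg.syn and seg.ack:
                self.table[key] = "SYN_RECEIVED"
                return "allow"
            return "deny"
        if seg.fin:
            self.table[key] = "CLOSING"
        return "allow"


def run_scenario() -> List[str]:
    """Constructed traffic: an outbound web connection and its replies, a forged
    ACK that a stateless ACK-bit rule would pass, and three inbound attempts."""
    fw = StatefulFirewall([("200.10.10.25", 25)])      # assumed mail gateway address
    web = dict(src="200.10.10.7", sport=40000, dst="9.9.9.9", dport=80)
    back = dict(src="9.9.9.9", sport=80, dst="200.10.10.7", dport=40000)
    traffic = [
        Segment("out", **web, syn=True),                # 1 SYN                   -> allow
        Segment("in", **back, syn=True, ack=True),      # 2 SYN+ACK               -> allow
        Segment("out", **web, ack=True),                # 3 ACK, now ESTABLISHED  -> allow
        Segment("in", **back, ack=True),                # 4 server data           -> allow
        Segment("in", src="6.6.6.6", sport=25, dst="200.10.10.7", dport=40000, ack=True),  # 5 forged ACK -> deny
        Segment("in", src="1.2.3.4", sport=51000, dst="200.10.10.25", dport=25, syn=True), # 6 SMTP in    -> allow
        Segment("in", src="1.2.3.4", sport=51001, dst="200.10.10.7", dport=23, syn=True),  # 7 Telnet in  -> deny
        Segment("in", src="7.7.7.7", sport=80, dst="200.10.10.8", dport=40500, syn=True, ack=True),  # 8 unsolicited SYN+ACK -> deny
        Segment("out", **web, rst=True),                # 9 client resets         -> allow, entry removed
        Segment("in", **back, ack=True),                # 10 data after teardown  -> deny
    ]
    return [fw.decide(s) for s in traffic]
```

Segment 5 is the instructive one: it carries the ACK bit and source port 25, so the stateless mail rule from the earlier slide would let it through, while the state table rejects it because no connection to 6.6.6.6 was ever opened from the inside.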
Attacks & Solutions?
  • Packet fragmentation
  • Source routing
  • TTL attacks
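A parser for the header fields listed on the "Packet filtering firewall" slide above (addresses, protocol, ports, SYN/ACK), followed by the header-sanity checks a filter can apply against the three items on this slide: dropping source-routed datagrams, dropping TCP fragments that hide or overwrite the transport header (the checks RFC 1858 describes), and dropping datagrams whose TTL would expire before reaching any host behind the firewall. This is an added example, not code from the slides; the sample datagrams are constructed with the build_ipv4()/build_tcp() helpers, and the max_internal_hops value and the 20-byte minimum first-fragment length are this example's own assumptions.

```python
"""Decode the IPv4/TCP/UDP header fields a packet filter keys on and run header-sanity
checks before any allow/deny rule is consulted. Added example (not from the slides);
sample datagrams are built by build_ipv4()/build_tcp() and max_internal_hops is assumed."""
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_TCP, IPPROTO_UDP = 6, 17
IPOPT_EOL, IPOPT_NOP, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 0x83, 0x89   # RFC 791 option types
TCP_SYN, TCP_ACK = 0x02, 0x10

@dataclass
class ParsedPacket:
    src: str
    dst: str
    proto: int
    ttl: int
    more_fragments: bool
    frag_offset: int               # in 8-byte units
    options: bytes
    transport_len: int             # bytes after the IP header in this datagram
    sport: Optional[int] = None
    dport: Optional[int] = None
    syn: bool = False
    ack: bool = False

def parse_ipv4(raw: bytes) -> ParsedPacket:
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total, _ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("bad version or IHL")
    payload = raw[ihl:]
    pkt = ParsedPacket(".".join(map(str, src)), ".".join(map(str, dst)), proto, ttl,
                       bool(flags_frag & 0x2000), flags_frag & 0x1FFF, raw[20:ihl], len(payload))
    if pkt.frag_offset == 0 and proto in (IPPROTO_TCP, IPPROTO_UDP) and len(payload) >= 4:
        pkt.sport, pkt.dport = struct.unpack("!HH", payload[:4])   # only the first fragment has ports
        if proto == IPPROTO_TCP and len(payload) >= 14:
            pkt.syn, pkt.ack = bool(payload[13] & TCP_SYN), bool(payload[13] & TCP_ACK)
    return pkt

def has_source_route(options: bytes) -> bool:
    """Walk the option TLVs; EOL and NOP are one byte, every other option has a length."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
        elif i + 1 >= len(options) or options[i + 1] < 2:
            raise ValueError("malformed IP options")
        elif kind in (IPOPT_LSRR, IPOPT_SSRR):
            return True
        else:
            i += options[i + 1]
    return False

def screen(raw: bytes, max_internal_hops: int = 2) -> str:
    """'accept' or 'drop: <reason>'. max_internal_hops is an assumed topology value:
    no internal host is more than this many routers (firewall included) from the outside."""
    try:
        pkt = parse_ipv4(raw)
        source_routed = has_source_route(pkt.options)
    except ValueError as exc:
        return f"drop: {exc}"
    if source_routed:                       # a sender-chosen path defeats address-based rules
        return "drop: source-routed"
    if pkt.ttl <= max_internal_hops:        # would expire before reaching any internal host
        return "drop: ttl expires inside perimeter"
    if pkt.proto == IPPROTO_TCP:            # fragment checks in the spirit of RFC 1858
        if pkt.frag_offset == 0 and pkt.more_fragments and pkt.transport_len < 20:
            return "drop: tiny first fragment"           # ports/flags pushed into a later fragment
        if pkt.frag_offset == 1:
            return "drop: fragment overlaps TCP header"  # bytes 8-15 would rewrite the flags
    return "accept"

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, *, ttl: int = 64,
               frag_offset: int = 0, more_fragments: bool = False, options: bytes = b"") -> bytes:
    options += b"\x00" * (-len(options) % 4)             # pad options to 32 bits; checksum left zero
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | (20 + len(options)) // 4, 0,
                         20 + len(options) + len(payload), 1, flags_frag, ttl, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return header + options + payload

def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)  # 20-byte header

# Constructed samples: a normal SMTP SYN, then three datagrams the gate rejects.
SMTP_SYN = build_tcp(51000, 25, TCP_SYN)
SAMPLES = {
    "smtp_syn": build_ipv4("1.2.3.4", "200.10.10.25", IPPROTO_TCP, SMTP_SYN),
    "source_routed": build_ipv4("1.2.3.4", "200.10.10.25", IPPROTO_TCP, SMTP_SYN,
                                options=b"\x83\x07\x04" + bytes([200, 10, 10, 7])),
    "tiny_first_fragment": build_ipv4("1.2.3.4", "200.10.10.7", IPPROTO_TCP, SMTP_SYN[:8], more_fragments=True),
    "overlapping_fragment": build_ipv4("1.2.3.4", "200.10.10.7", IPPROTO_TCP, b"\x00" * 8, frag_offset=1),
}
```

The order of the checks matters: the fragment and TTL tests run on fields the parser has already validated, and anything the parser cannot decode is dropped rather than passed to the rule table, which is the conservative choice for a device whose job is to refuse traffic it does not understand.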
Packet filtering - Advantages
  • Generally faster since fewer evaluations performed
  • Easily implemented as hardware solutions
  • A single rule can help protect an entire network by prohibiting connections between specific Internet sources and internal computers.
  • Do not require client computers to be specifically configured
  • In conjunction with network address translation, you can use packet filter firewalls to shield internal IP addresses from external users
Packet filtering - Disadvantages
  • Do not understand application layer protocols.
  • Cannot restrict access to protocol subsets - less secure than application layer and circuit level firewalls
  • Packet filters - typically stateless
  • Limited abilities to manipulate information within a packet.
  • No value-added features, such as HTTP object caching, URL filtering, and authentication – since no knowledge of protocols
  • Little or no audit event generation and alerting mechanisms.
  • Difficult to test "accept" and "deny" rules.
Circuit Gateways
  • Circuit gateway firewall operates at transport layer
  • Look at sessions, instead of packets or connections
  • Built-in support for protocols with secondary connections, such as FTP, RTP
  • Like filtering firewalls, do not usually look at the data traffic flowing between two networks, but prevent direct connections between one network and another
  • Accomplished by creating tunnels connecting specific processes or systems on each side of the firewall, and allowing only authorized traffic in the tunnels
  • Mitigates risk of network reconnaissance, DoS and IP spoofing
Application gateway firewall

[Figure: External Internet – external router – application gateway firewall host – internal network]

  • Proxies or relays
    • Allow incoming Telnet from our users who are travelling
      • user telnets to gateway machine
      • gateway does strong authentication and establishes telnet relay to internal machine
      • user to internal machine telnet session is relayed through the gateway
    • Once established, relays do not examine traffic
    • Outgoing telnet can similarly be relayed through the gateway
      • user telnets to gateway machine
      • gateway establishes telnet relay to external machine
      • user to external machine telnet session is relayed through the gateway
Application gateway firewall
  • Outgoing ftp requires incoming call
    • inside user initiates ftp connection to outside machine
    • when a file is transferred, the outside machine initiates a TCP connection to the inside machine to effect the transfer
  • allowing incoming TCP calls to internal machines is dangerous
    • use gateway as a proxy for outgoing ftp
  • Proxies and relays have to be implemented for each service
    • proxies for sophisticated services such as X windows, NFS, WWW, Gopher exist
Application gateway firewall
  • Packet filtering and application gateway can be bundled on the same host

Protocol   Source IP     Source Port   Destination IP   Destination Port   Allow?
tcp        200.10.10.*   *             *                23                 No
udp        *             *             200.10.10.*      23                 No

  • application gateways work better for TCP based services
    • recall that UDP is connectionless
  • better for control over individual service relative to packet filters
  • allow filtering of application protocols
    • disallow PUT for FTP from internal clients
    • disallow Java applets
    • filter email attachments for viruses
Application Layer Filtering
  • Most sophisticated level of firewall traffic inspection
  • Analyze a data stream for a particular application, provide application-specific processing
    • inspecting
    • screening or blocking
    • redirecting
    • and modifying data
  • Inspect many different protocols
  • Works on clear-text traffic – what about encrypted data?
Options
  • Terminating the SSL traffic at the firewall
  • Regenerating SSL traffic from the firewall to the exposed Web service
  • Allowing the SSL traffic to pass through the firewall to the back-end server
Software vs. Hardware: the SOHO Firewall Debate
  • Which firewall type should the residential user implement?
  • Where would you rather defend against a hacker?
  • With the software option, hacker is inside your computer
  • With the hardware device, even if hacker manages to crash firewall system, computer and information are still safely behind the now disabled connection
Content Filters
  • Software filter—not a firewall—that allows administrators to restrict content access from within network
  • Essentially a set of scripts or programs restricting user access to certain networking protocols/Internet locations
  • Primary focus to restrict internal access to external material
  • Most common content filters restrict users from accessing non-business Web sites or deny incoming spam