Class 12

1. Class 12 CSCI 6433 David C. Roberts

2. Agenda • Software-defined networking • Internet Security • The Internet of Things • Summary

3. Software-Defined Networking

4. SDN • Evolved from work at Stanford and Berkeley in 2008 • Decouples control plane, where decisions are made about traffic, from data plane, the systems that actually forward data • OpenFlow is a method for the control plane to communicate with the data plane • This is different from a system of routers that use the destination address to forward a datagram to its destination

5. Traffic Engineering • Network operators often want to choose paths based on the type of traffic, not just destination address • MPLS can be used to select a path for a type of traffic that may not be the shortest path • Traffic engineering technologies have evolved to allow a given class of traffic to follow a prescribed path rather than requiring that all datagrams follow the same path

6. Approaches to Flow Control • Use a connection-oriented network infrastructure • Application contacts network to ask for a connection • Network chooses the path, makes the connection • Impose routing overlays on a packet-switched infrastructure • Routine overlay imposes a virtual network technology • Routing overlay creates a set of tunnels that act like point-to-point network connections

7. SDN: A New Approach • Use high-speed classification hardware to avoid the overhead associated with classifying packets • Use high-speed hardware to perform packet forwarding to avoid software delays • Instead of using routing protocols to choose routes, allow managers to specify how to handle each case • Use management applications instead of humans to configure the network and control devices, so that the network will scale

8. Separating Data and Control • Network device has two functions: • Control mechanisms—call this the control plane • Mechanisms that handle packets—call this the data plane

9. How SDN is Implemented

10. Multiple Computers

11. OpenFlow Technology • OpenFlow has intelligence in an external controller • OpenFlow switch is a switch that accepts OpenFlow protocol • OpenFlow is not an IETF standard; see openflowswitch.org • OpenFlow allows a switch to handle both production and specialized traffic

12. Basics of OpenFlow • Controller-switch interface • TCP used to communicate • Secure channel is used • Does not require direct physical connection • Items that can be configured • Type 0 OpenFlow switch does classification and forwarding using a flow table • Flow table has patterns to be matched and actions to be taken

13. Uses of OpenFlow • Experimental protocol between 2hosts • Layer 2 VLAN crossing a wide area • Source-based IP forwarding • On-demand VPN connection between 2 sites

14. Limitations of OpenFlow • Limited Devices: primarily switches • Ethernet Only: focused on Ethernet frames • IPv4 focus: later extended to IPv6, which has widened applicability Many switch vendors have added OpenFlow modules to their products.

15. Summary • OpenFlow adds significant capability at the link level • Separates control plane from data plane processing • Intelligence is in an external controller

16. Internet Security

17. First… • A general comment about security. • The greatest security weakness is… • People! • Often, technical weaknesses are exploited by obtaining help from people.

18. Information Policy • Information policy is essential for security • Who is allowed to access what information • Rules associated with dissemination • Rules for acting on violations • People are always the weak links in security • Policy weaknesses cause mistakes • Policy weaknesses can be exploited

19. Tonight we talk about Internet security, so we’ll omit people from the discussion. But understand that people are the weakest link, and that security policy is required in order for technical protections to work.

20. Agenda • The Problem • Attacks • Security measures

21. Early vs. later design Later designs tend to have protection features • DNS • SMTP • HTTP The “guts” don’t have good security • IP • Network Layer

22. Attacks • Malware • Denial-of-service attack • Social engineering • Eavesdropping • Password guessing • War dialing—software and modem calls desktop computers, looks for paths into corporate networks • Denial of service attacks—overwhelms capacity of a computer so that it can’t process legitimate work • Protocol-based attacks—exploiting weaknesses in protocols • Source Quench • ARP Spoofing • Host attacks—exploiting weaknesses in hosts

23. Malware • Viruses—program that can replicate itself and spread to other computers • Trojan horse—program that appears to be harmless but hides malicious functions • Spyware—program that collects information with the user’s knowledge • Worm—standalone malware that replicates itself in order to spread to other computers • Bot—program that runs an automated task over the Internet

24. Internet Protocol security • Network layer security • IPsec Protocol • TLS (formerly known as SSL) • Email security • Background • Pretty Good Privacy (PGP) • Multipurpose Internet Mail Extensions (MIME) • Message Authentication Code • Firewalls • Role of firewalls in Internet security and web security • Types of firewalls • Packet filters • Circuit-level gateways • Application-level gateways

25. Ipsec core protocols

26. IPsec Authentication Header

27. IPsec Encapsulating Security Payload

28. IPSecImplementation • Two methods: • Router implementation: implement for pairs of routers that route datagrams outside the organization (“bump in the wire”) • End Host Implementation: enables end-to-end security between any two devices on the network (“bump in the stack”)

29. IPSec “bump in the wire”

30. IPSec“bump in the stack”

31. IpSec Modes • Transport Mode: protocol protects the message passed from the transport layer • Tunnel Mode: protocol protects a complete encapsulated IP diagram after the IP header has been applied

32. Transport mode

33. Tunnel mode

34. TLS (formerly SSL) • SSL was originally developed by Netscape through Version 3.0 • Now called Transport Layer Security (TLS) • Encryption takes place at the application layer • Uses asymmetric cryptography for key exchange, symmetric cryptography for information protection, message authentication codes for message integrity

35. Uses of SSL • Variations of TLS are now in use in • HTTP • SMTP • Internet faxing • VOIP

36. Connecting • Some protocols use a different port number (i.e., port 443 for HTTPS) • Others use regular port number, have the client request switching the connection to TLS (i.e., STARTTLS command for SMTP) • Once connection is made, then asymmetric cryptography is used to negotiate the session and authenticate • Then symmetric cryptography is used to protect the data transfer

37. SMTP Security • SMTP-AUTH extension (RFC 2554) defines authentication methods for SMTP • SMTP-AUTH provides a method to specify a security mechanism, authenticate the exchange and negotiate a security profile • Felt to be too complex for widespread adoption • Anti-Spam Research Group of the ITEF is working on flexible, lightweight, scalable methods for source authentication

38. Security Techniques • Perimeter security—provide some kind of network boundary and divide service and network availability between “inside” and “outside”, determining the services and networks available to outsiders, extent to which outsiders can use resources • Encryption—used to hide data, used for many aspects of security • Authentication and authorization—reliably identify authorized users and allow access • Intrusion detection—detecting actions that attempt to compromise confidentiality, integrity or availability of a resource

39. Internet Security • Security is difficult because datagram contents cannot be trusted • Datagrams pass through uncontrolled intermediaries, can be changed • Authentication based on source addresses can’t be trusted • Strong authentication based on encryption is more trustworthy • Encryption protects information in transit from change or access • A trusted key authority is needed if encryption is to offer more than protection of information while in transit.

40. Intrusion detection • Detecting all possible intrusion attempts is not computable; too many computations, always one more method • Typically heuristics, clustering algorithms, statistics are used as the basis for techniques • Network IDS (NIDS) examines traffic at all layers, analyzes for suspicious activity • WLAN IDS also looks for attempts to connect to rogue devices • Host-based IDS (HIDS) analyze traffic and system-specific settings. Installed, configured on each machine.

41. IDS Types • Signature-based—relies on known traffic patterns, looks for anomalous patterns. Can be fooled by attack that is a small change from normal traffic. Usually very effective. • Anomaly-based—detects any traffic that is incorrect or otherwise not normal. • Stateful protocol inspection—like anomaly-based detection, but can examine traffic at network, transport layer and vendor-specific traffic at the application layer

42. SMTP Security • Easy to spoof an email address • Many security changes to SMTP have been resisted; some popular features: • Checking IP address of a device attempting connection against a “white list” • Limiting commands such as EXPN to prevent unauthorized users from determining the e-mail addresses of users on mailing lists. • Checking validity of envelope information before accepting a message for delivery. • Limiting the size of e-mail messages that may be sent or the number that may be sent in a given period of time. • Logging all access to the server to keep records of server use and check for abuse. • Encryption can be used along with MIME encoding

43. Firewalls • Housing—separates garage from house or one apartment from another • Automobiles—separates engine from passenger compartment • Firewalls are intended to keep a fire localized until residents can escape and help can arrive

44. Firewalls • Often must protect a network from unwanted communication • Internet firewall is the common mechanism for internet access control • Firewall placed at the connection to external networks, partitions into two regions, inside and outside • Firewalls must be placed at all Internet connections, forming a security perimeter • A firewall is a router with filtering capabilities

45. Firewall Properties • Single point connection between 2 or more networks where all traffic must pass • Traffic can be controlled through the device • All traffic is logged

46. Firewall Implementation • Routers usually have a function called packet filter—will block datagrams by source, by application, etc. • This is most often stateless filtering • Often, packet filter is a board in the router • No TCP/IP standard for packet filters, left up to vendors

47. Types of Packet Filters • Static—filter rules must be changed manually • Dynamic—outside process changes the rules dynamically • Stateful inspection—dynamic, but including detailed inspection of data contained in the IP packet Dynamic and stateful firewalls keep a dynamic state table to make changes to the filtering rules based on events

48. Packet Filtering Example

49. Stateful Firewalls • Allows clients inside firewall to use services outside the firewall by keeping track of the state of network connections • Watches outgoing connections, passes only packets that follow known connection patterns • Techniques: • Soft state—timer removes inactive state information after a timeout • Connection monitoring—firewall watches packets, removes information when flow terminates

50. Application Firewalls • Firewall function at the application level • Provides multiple application proxies • Understand the operation of an application • Check messages and ensure that they follow the pattern of the application • Bad messages are not passed on • Proxies can sometimes be tricked; important to install new software releases promptly