
Communication systems – 17th lecture (last)

Chair of Communication Systems, Department of Applied Sciences, University of Freiburg, 2006


Presentation Transcript


  1. Communication systems – 17th lecture (last)
     Chair of Communication Systems, Department of Applied Sciences, University of Freiburg, 2006
     1 | 57

  2. Communication systems – administrative stuff
     • Last lecture for this semester
     • Friday is the written exam, starting at 11am sharp, Room 03-026 in this building (attic, end of stairs)
     • We gave some hints in the last practical course on Tuesday
     • Please bring a fountain/ballpoint pen with you (seats, tables and writing paper are provided by us)
     • Grades in oral or written exams will be sent to the examinations office (and will be available there at the beginning of winter term)
     • If you need a special printed paper, please tell us/send an email so we can prepare it; it will be available at the secretaries of the computing department

  3. Communication systems – administrative stuff – seminar next semester
     • The professorship will hold a block seminar on “Security, trust and law in the Internet” next winter in cooperation with MPICC (dept. of Prof. Sieber)
     • Unfortunately the faculty was not able to hold the central information block on available seminars soon enough
     • We expect written seminar papers by the end of October; the three seminar dates are on Friday/Saturday at the end of November and the beginning of December
     • The seminar can be taken for the field of specialization #6
     • Topics like SPAM, cracking, phishing, etc. will be covered
     • The seminar is in German only!
     • More information on the several topics can be found on the homepage

  4. (no transcript text for this slide)

  5. (no transcript text for this slide)

  6. Communication systems – last lecture – SIP and H.323
     • We talked on and demonstrated (in the practical course) SIP (session initiation protocol) and H.323 (both might be part of the written exam questions)
     • Telephony over IP networks
     • Only session setup
       • compression and packet transport are left to other services like RTP and RTCP
       • the latter define container and control protocols for multimedia data streams
     • H.323 – standard developed by Telcos / ITU
     • SIP – internet standard, thus the two differ definitely in their designs

  7. Communication systems – this lecture – security in computer networks
     • We leave the area of telephony and talk of a completely different field again
     • The topic of this lecture will NOT be asked in exam questions :-)
     • After some overview on the several network layers
       • IP v4 and v6 on the third OSI layer (network)
       • TCP, UDP on the fourth OSI layer (transport)
       • and several protocols for the underlying first and second layer (physical and data link layer)
     • “security” is a very broad topic, not only connected to networks but to many other aspects of computers

  8. Communication systems – this lecture – security in computer networks
     • This lecture: short introduction into the problems of open networks, types and points of possible attacks
       • more than an introduction is not possible
       • whole lectures may be held on that topic
     • Security measures do not focus on a single network layer
     • Different measures try to solve different problems that might occur
     • There is no single measure which will solve all security issues at once
     • New types of attacks and new types of countermeasures will evolve

  9. Communication systems – network insecurity – simple packet snapshot (pract. course)
     (no further transcript text for this slide)

  10. Communication systems – network insecurity
     • IP packets are easily readable (if provided with the proper tools)
     • e.g. ethereal can provide the user/network administrator
       • with a graphical user interface for interpreting packets
       • can grab all packets visible to a machine (promiscuous mode in LANs like ethernets)
       • can sort out TCP streams (check which packets are part of a certain communication)
       • can interpret most protocol packets
     • You should be familiar with this tool (and others like tcpdump) from the several practical courses

  11. Communication systems – network insecurity
     • why are packets so easily readable?
       • all communication has to follow standards, otherwise no communication would be possible (think of people talking in different languages with each other)
       • even non-open protocols, like certain implementations of Windows network services, are interpretable – thus the samba service is developed through trial-and-error and reverse engineering
       • thus: no security by obscurity!!
     • in the beginning of "The Internet”
       • very few participants in networks
       • very few computers connected to each other
       • very few people with deep understanding of networking
       • not many network analysis tools available (for free)

  12. Communication systems – network insecurity
     • restricted computing power of connected machines
     • protocols should be very simple and should not impose high loads on the machine
     • encryption technologies were not common knowledge / restricted for export ("strategic technology”)
     • and: the simplicity of the TCP/IP protocol suite helped the rapid growth of the Internet and fast adoption by the different operating systems
     • by now: the Internet is one of the base technologies for information exchange and communication
     • a wide range of businesses directly depend on this network (online shops, auctions, b2b, games, advertisements, porn sites, ... :-))

  13. Communication systems – network insecurity
     • inner and intra-firm communication moves from the classic communication media telephone and fax over to mail and similar technologies
     • sending and reception of a wide range of digital objects
     • e.g. with the “melissa” virus you could observe employees entering their offices at eight and leaving them at half past nine (no mail and online communication was available – mostly MS operated networks)
     • production and development heavily depend on networks – most information between firms is directly interchanged between databases over the net
     • in the future: move of telecommunications into IP networks to avoid duplicated infrastructure and cut communication costs

  14. Communication systems – network insecurity
     • networks can be attacked on all layers
     • layer 1 and 2
       • e.g. ARP spoofing in broadcast networks for man-in-the-middle attacks, redirection of default gateway traffic over the attacker's host (fifth lecture)
       • “dialer” programs – redirection of internet traffic over costly dial-in lines (the attack is of course induced via web applications, trojan horses, ...)
     • layer 3
       • IP spoofing – forging of IP addresses for good or malicious reasons (explained later) as motivation for IPsec
       • attacking routing protocols, e.g. RIP (II) for redirecting traffic in LANs

  15. Communication systems – network insecurity
     • networks can be attacked on all layers
     • layer 1 and 2
       • rather simple within WLANs (unguided media with no distinct boundaries):
         • spamming with corrupt packets or simply noise (microwave oven) – the frequency band is rendered unusable
         • breaking the weak WEP algorithm
       • e.g. ARP spoofing in broadcast networks for man-in-the-middle attacks, redirection of default gateway traffic over the attacker's host (earlier lecture)
       • “dialer” programs – redirection of internet traffic over costly dial-in lines (the attack is often initiated via web applications, trojan horses, ...)

  16. Communication systems – network insecurity
     • layer 4
       • very simple to send unsolicited UDP packets – connectionless service (thus spoof protocols like SNMP, DHCP, DNS, ...)
       • take over open TCP connections – grab an open telnet, mail, http session to use an authenticated session to a remote host
       • TCP SYN attacks (open as many TCP connections as possible from different hosts and leave them in open state without further communication – a type of distributed denial of service, DDoS)
       • dynamic routing protocols (drop-in replacement for TCP or UDP) have their weaknesses too ...

  17. Communication systems – network insecurity
     • application layers (layer 5 – 7)
       • SPAM: attack on productivity in every organization / network, overload mail boxes to stop reception of further email
       • redirection of users/traffic through modification of DNS replies, DNS caches
       • crack passwords to gain access to accounts, databases ...
     • by now: so called “bot-nets”
       • groups of computers corrupted by some worm or system / service weakness
       • waiting for special incoming packets for distributed denial of service (DDoS) attacks, SPAM relaying, file exchange, ...

  18. Communication systems – network security measures
     • different security measures for different network layers and protocols
     • application layers: e.g. PGP for mail – end-to-end mail encryption
       • advantages:
         • PGP/GnuPG available for many OS / mail clients
         • independent of admin permissions of the underlying OS
         • the key ring can be put on a USB stick (or similar) and deployed on more than one machine
       • disadvantages:
         • available for mail / filesystem encryption only
         • the mail header (and all protocols below) and the end-to-end communication are visible to everyone along the route

  19. Communication systems – network security measures
     • Transport layer: as an extension to service protocols, put between TCP and the higher level protocol
     • Secure socket layer (SSL: initially developed by Netscape to secure http connections, to allow secure applications – prerequisite for online shopping, homebanking, ...)
     • Transport layer security (TLS, or SSL v3) – modern version of SSL

  20. Communication systems – network security measures
     • by now implemented for a wide range of TCP applications
       • Web: https – port 443
       • Mailboxes: imap4 – imaps, port 993
       • Hierarchical database: ldap – ldaps, port 636
     • OpenSSL – open source implementation of the SSL library
     • SSL requires certificate authorities (CA) to really know who the communication partner is
       • hierarchical structures of trust are rather costly
       • information about the CA has to be put into the application, e.g. the web browser
       • rather strong requirement in the rather “unregulated” Internet

  21. Communication systems – network security measures
     • Advantages of SSL/TLS:
       • Library functions which can be relatively easily applied to every TCP application
       • Freely available for all common OS
       • Relatively widespread through use with HTTP communication
       • Relatively mature (some security flaws were detected and fixed)
       • For not SSL-enabled / rather old applications or protocols, secure tunnels via SSH (secure shell) can be established
       • Some certificate authorities are available

  22. Communication systems – network security measures
     • Disadvantages of SSL/TLS:
       • Not available for applications using UDP (or more difficult to apply), no SSH tunnels possible
       • Incompatibilities with/of older versions of SSL
       • CAs are rather expensive and not really compatible with each other
         • e.g. the University of Freiburg uses some CA but would pay extra money to enable every virtual web / mail host to use an authorized certificate (e.g. examine the certificate of the mail server ...)
       • Every CA has to be known to the web browsers and protocols using SSL

  23. Communication systems – network security measures
     • By now many universities and scientific organizations use the services of the DFN CA
     • This CA is available free of charge to the members of that network
     • The root certificate is integrated into the popular open source browsers (of course not into IE – M$ will most probably charge for that :-))
     • There is a more “general” solution to link encryption and authentication than SSL/TLS

  24. Communication systems – network security measures
     • Network layer: IPsec protocol
     • Mostly in parallel to the SSL development, the need for secured IP connections was stated
     • The IETF created a work group which should backport IP v6 security features to IP v4 networks
       • Many participants in that workgroup
       • Long processes
       • Many incompatibilities between different vendors

  25. Communication systems – network security measures
     • Data link layer: PPTP or L2TP
     • PPTP (point-to-point tunneling protocol) is a Microsoft development for security enhancements to PPP
     • PPP allows transporting more than one network layer protocol (e.g. IPX) beside IP
     • PPTP was cracked some years ago – some security issues not solved ...
     • PPTP is available for other operating systems too
     • L2TP (layer 2 tunneling protocol) is prepared for adding security features too – but some issues not solved
     • For layer 2 tunneling: OpenVPN (open source project, available for OS with a tun/tap network device)

  26. Communication systems – network security measures
     • OpenVPN uses the SSL library to encrypt traffic, can be used for securing layer 2 and IP connections
     • Uses UDP packets for easy crossing of masquerading routers
     • Can also use TCP connections, and connections over HTTP proxies
     • Disadvantages: only point-to-point connections by now
       • need to set up several connection endpoints on a server with the older 1.N versions
       • multipoint connections to the same server port would be available with the 2.0 version
     • Not an officially standardized protocol, but in broad use in many setups

  27. Communication systems – network security measures – summary
     (no further transcript text for this slide)

  28. Communication systems – network insecurity – address spoofing
     • Talked on ARP and ARP spoofing earlier this lecture / practical course
     • Without authentication it is impossible to say which communication partner generated a certain packet
     • Same problem on higher layers too
     • Same problems with WEP (lecture on Wireless LAN), layer 2 security measures ...
     • IP spoofing is the creation of IP packets using some other IP address as source

  29. Communication systems – IP insecurity – IP spoofing
     • IP source and destination addresses can be easily modified (you only have to recompute the header checksum afterwards) – e.g. useful for IP masquerading (hide whole networks behind a masq. router – common technique for home LANs)
     • Tools to do so: iptables (Linux firewall package – example given in one of the practical courses), wincap, sendpacket, raw socket, ...

  30. Communication systems – IP insecurity – IP spoofing
     • forging the source IP address causes responses to be misdirected, meaning that no normal network connection can be created
     • originates in the packet switched type of IP networks
       • IP routing is done on a hop by hop basis
       • the delivery route is determined by the routers that participate in the delivery process
       • routers use the “destination IP” address in order to forward packets through the Internet, but “ignore” the source address field – point of attack for IP spoofing
       • or asymmetric routing – a packet is sent out on one interface and received over another

  31. Communication systems – IP insecurity – IP address spoofing in special scenarios
     • prerequisite for some types of SAT connections (incoming via SAT, outgoing via modem / ISDN)
       • user makes a request using the return channel
       • ISP receives data from the Internet and sends it out through the satellite
       • user receives the data through the satellite receiver (card)

  32. Communication systems – IPsec – IP v4 insecurity
     • IP v4 does not implement any security (easy IP spoofing, easy rewriting of packets, no encryption)
     • As we will see, firewalls do not secure outgoing or inbound traffic but shield the internal LAN
     • For secure communication over an insecure network (not because of lost packets or connections, but special agencies listening on routers and wires) encryption will be needed
     • If hosts in a secured internetwork should interoperate as easily as in the classical Internet, a standard for secure communication is needed

  33. Communication systems – IPsec – IP v4 insecurity
     • IP and transport headers must be easily readable for routers and network engines
     • But the packet payload is easily readable too, if the proper tools for analysis are applied (i.e. Ethereal)
     • Example of an HTTP POST packet (login to a well-known free mail provider: ID and password can be identified without problem)

  34. Communication systems – IPsec – overview
     • IP level security -> IPsec
     • IPSEC is Internet Protocol SECurity
     • The level above the network layer is the place where IPsec was put – no alteration to IP was needed, simply the transport protocol was interchanged (or an additional security header introduced)
     • It uses strong cryptography to provide both authentication and encryption services
       • Authentication ensures that packets are from the right sender and have not been altered in transit
       • Encryption prevents unauthorized reading of packet contents
     • Topic covered in other lectures: Telematics/Internet-Working
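An added illustration (not from the slides) of the point made on slides 29/30 and 34: the IPv4 header checksum is recomputed trivially after the source address is swapped, so a router has no way to notice, whereas a keyed integrity check in the spirit of the IPsec AH authentication does detect the change. Key, addresses and payload are constructed, and the MAC layout is a simplification for the demonstration, not the real AH format.

```python
import hashlib
import hmac
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of all 16-bit words,
    with the checksum field itself (bytes 10-11) taken as zero."""
    words = header[:10] + b"\x00\x00" + header[12:]
    if len(words) % 2:
        words += b"\x00"
    total = sum((words[i] << 8) | words[i + 1] for i in range(0, len(words), 2))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(header: bytes) -> bool:
    """What a router checks: does the stored checksum match the header?"""
    return ipv4_checksum(header) == struct.unpack("!H", header[10:12])[0]


def _addr(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len,   # version/IHL, TOS, total length
                      0x1234, 0x4000,              # identification, DF flag, offset 0
                      64, proto, 0,                # TTL, protocol, checksum placeholder
                      _addr(src), _addr(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def replace_source(header: bytes, new_src: str) -> bytes:
    """The step slide 29 describes: swap the source address and recompute
    the checksum. The result is a perfectly valid IPv4 header."""
    patched = header[:12] + _addr(new_src) + header[16:]
    return patched[:10] + struct.pack("!H", ipv4_checksum(patched)) + patched[12:]


def auth_tag(key: bytes, header: bytes, payload: bytes) -> bytes:
    """Keyed MAC in the spirit of AH's integrity check value: covers the payload
    and the header with the mutable fields (TTL, checksum) zeroed, so the
    source address is protected. Simplified, not the real AH layout."""
    immutable = header[:8] + b"\x00" + header[9:10] + b"\x00\x00" + header[12:]
    return hmac.new(key, immutable + payload, hashlib.sha256).digest()


def auth_ok(key: bytes, header: bytes, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(auth_tag(key, header, payload), tag)


def demo() -> dict:
    key = b"constructed-shared-secret"          # constructed; IKE would negotiate this
    payload = b"GET / HTTP/1.0\r\n\r\n"          # constructed sample payload
    hdr = build_ipv4_header("10.0.0.5", "10.0.0.80", len(payload))
    tag = auth_tag(key, hdr, payload)
    forged = replace_source(hdr, "10.0.0.99")
    return {
        "orig_checksum_ok": checksum_ok(hdr),
        "forged_checksum_ok": checksum_ok(forged),               # True: checksum cannot tell
        "orig_auth_ok": auth_ok(key, hdr, payload, tag),
        "forged_auth_ok": auth_ok(key, forged, payload, tag),    # False: the MAC can
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```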

  35. Communication systems – IPsec – VPNs
     • It allows multiple access for e.g. teleworkers to the company LAN
     • Without VPN
       • a costly separate infrastructure would be needed
       • often inflexible
     • Construction of a VPN
       • connection of all participating parties to the internet
       • VPN client asks for a secure connection from the server
       • authentication via username/password, shared secret, key cards ...
       • after validation the tunnel is set up with special IP routes

  36. Communication systems – IPsec – VPN problems
     • Problems with VPN gateways
       • gateway machines are reachable over the public internet
       • could be attacked for break-in, denial of service
       • security could be increased through a combination of authentication methods
     • Security at the tunnel end point
       • split tunnel – an unencrypted interface to the internet is needed (transport medium for the encrypted traffic)
       • the user machine is not secured against attacks from the internet
       • “hardened tunnel” – no connection/routing to the local LAN is allowed, the user end point machine obtains a private IP from the internal network

  37. Communication systems – network security – other directions to look
     • By now we discussed encryption and authentication measures put to different protocol layers to improve security
     • We ensure this way that nobody can read/alter the packets of a communication during transit
     • We do not secure a machine that way – vulnerability to attacks, DoS have to be abated some other way
     • Completely other path of thought
       • not to protect own traffic from sniffing ...
       • but allow or block traffic at gateway, router, end system ...
     • Traffic / packet filtering on different levels is another concept to increase security – parts of it will be discussed in the next part of the lecture ...

  38. Communication systems – network security – “the magic device”: firewall
     • Take a completely new track now ...
     • Firewalls are traffic / packet filters that operate on different layers of our OSI protocol stack
     • Try for a definition: “A Firewall is a network security device designed to restrict access to resources (information or services) according to a security policy”
     • An important remark is to be made here:
       • Firewalls are not a “magic solution” to network security problems, nor are they a complete solution for remote attacks or unauthorized access to data!!
       • Firewalls can be circumvented in several ways and may increase the complexity of the network and this way decrease the level of security!

  39. Communication systems – network security – firewalls
     • A Firewall is often a network security device, but can be or simply is implemented directly into the end systems
     • It serves to connect two parts of a network and control the traffic (data) which is allowed to flow between them
     • Often installed between an entire organization's network and the Internet
     • A Firewall is always the single path of communication between protected and unprotected networks
       • Of course there are special cases of multiple Firewalls, redundant connections, fault-tolerant failover etc.
     • A Firewall can only filter traffic which passes through it
       • If traffic can get to a network by other means, the Firewall cannot block it

  40. Communication systems – network security – firewalls
     • Types of firewalling concepts:
       • (MAC / ethernet frame filter)
       • Packet filter
       • Circuit-level proxy
       • Stateful packet filter
       • Application-level proxy
     • Filtering on the data link layer
       • ethernet frames contain source and destination addresses: MAC
       • allow only frames to be delivered from known sources, block frames with unknown MACs

  41. Communication systems – network security – firewalls
     • Filtering on the network layer
       • Source & destination IP addresses
         • Source address
         • Destination address
       • Both are numerical – it is not easy for a Firewall to deal with machine or domain names, e.g. www.hotmail.com
       • Request: client = source, server = destination
       • Response: server = source, client = destination

  42. Communication systems – network security – firewalls
     • Filtering on the transport level
       • This is where we deal with (mostly) TCP and UDP port numbers, e.g.:
         • 25 SMTP – sending email (TCP)
         • 110 POP3 – collecting email (TCP)
         • 143 IMAP – collecting email (TCP)
         • 389 LDAP – directory service (TCP)
         • 636 LDAPS – TLS secured directory service (TCP)
         • 80 HTTP – web pages (TCP)
         • 443 HTTPS – secure web pages (TCP)
         • 53 DNS – name lookups (UDP)
         • 68, 69 DHCP – dynamic end system IP config (UDP)

  43. Communication systems – network security – firewalls
     • Most Firewalls and their administrators assume that the port number defines the service – not necessarily
       • who could stop me from sending or receiving mail over the HTTP port
       • who could stop users from tunneling all their IP traffic over an open port (AOL left UDP 53 completely open for DNS traffic some years ago :-))
     • Here we get a major problem: if users are blocked from using a service and try to avoid the blocking firewall, they might find a way through – the admin still thinks all is fine with the network, but the situation might be even worse than without a firewall at all ...

  44. Communication systems – network security – firewalls
     • Layer 7 – Application
       • This is where we find all the 'interesting' stuff ...
         • Web requests
         • Images
         • Executable files
         • Viruses
         • Email addresses
         • Email contents
         • Usernames
         • Passwords

  45. Communication systems – network security – firewalls
     • packet filter – a special router that has the ability to throw packets away independently of network congestion
       • Examines the TCP/IP headers of every packet going through the Firewall, in either direction
       • Choice of whether to allow or block a packet based on:
         • (MAC source & destination)
         • IP source & destination addresses (layer 3)
         • TCP / UDP source & destination ports (layer 4)
     • Stateful filter
       • Same as a packet filter, except initial packets in one direction are remembered, and replies are automatically allowed fo
       • Simpler rules than a simple port based packet filter

  46. Communication systems – network security – firewalls
     • Packet filters use rules to specify which packets are allowed through the Firewall, and which are dropped
       • Rules must allow for packets in both directions
       • Rules may specify source / destination IP addresses, and source / destination TCP / UDP port numbers
       • Certain (common) protocols are very difficult to support securely (e.g. FTP, IRC, SIP, ...)
       • Low level of security
     • Stateful packet filter
       • Packet filter which understands requests and replies (e.g. for TCP: SYN, SYN-ACK, ACK)

  47. Communication systems – network security – firewalls
     • Stateful packet filter
       • Rules need only specify packets in one direction (from client to server – the direction of the first packet in a connection)
       • Replies and further packets in the communication are automatically processed
       • Supports a wider range of protocols than a simple packet filter (e.g. FTP, IRC, H323)
       • Medium-high level of security
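A small simulation, added here and not part of the lecture, of the difference between the packet filter and the stateful packet filter on slides 45 to 47: the stateless filter needs rules in both directions and so has to admit anything that claims to come from port 80, while the stateful filter follows the SYN, SYN-ACK, ACK exchange and only lets in replies to connections a client actually opened. Addresses, rules and packets are constructed for the demonstration.

```python
from collections import namedtuple

ANY = "*"  # wildcard for a rule field
Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: set of TCP flags
Rule = namedtuple("Rule", "src sport dst dport action")    # action: "allow" / "drop"


def rule_matches(r: Rule, p: Packet) -> bool:
    pairs = ((r.src, p.src), (r.sport, p.sport), (r.dst, p.dst), (r.dport, p.dport))
    return all(want in (ANY, have) for want, have in pairs)


def first_match(rules, p: Packet) -> str:
    """Action of the first matching rule; default deny when nothing matches."""
    return next((r.action for r in rules if rule_matches(r, p)), "drop")


class StatelessFilter:
    """Plain packet filter: each packet is judged on its headers alone,
    so the rule set needs entries for both directions."""
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        return first_match(self.rules, p)


class StatefulFilter:
    """Rules describe only the first packet (client -> server); a connection
    table then admits the SYN-ACK, the ACK and later packets of that flow."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.table = {}  # (src, sport, dst, dport) -> handshake state

    def decide(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:                          # client -> server, known flow
            if "ACK" in p.flags and self.table[fwd] == "SYN_RECEIVED":
                self.table[fwd] = "ESTABLISHED"
            return "allow"
        if rev in self.table:                          # server -> client reply
            if self.table[rev] == "SYN_SENT" and {"SYN", "ACK"} <= p.flags:
                self.table[rev] = "SYN_RECEIVED"
                return "allow"
            return "drop" if self.table[rev] == "SYN_SENT" else "allow"
        # Unknown flow: only a bare SYN that a rule permits opens a table entry
        if p.flags == frozenset({"SYN"}) and first_match(self.rules, p) == "allow":
            self.table[fwd] = "SYN_SENT"
            return "allow"
        return "drop"


CLIENT, SERVER = "10.0.0.5", "203.0.113.10"  # constructed addresses


def demo() -> dict:
    # The stateless rule set needs a second rule that trusts anything "from port 80"
    stateless = StatelessFilter([Rule(CLIENT, ANY, SERVER, 80, "allow"),
                                 Rule(SERVER, 80, CLIENT, ANY, "allow")])
    stateful = StatefulFilter([Rule(CLIENT, ANY, SERVER, 80, "allow")])
    handshake = [Packet(CLIENT, 40001, SERVER, 80, frozenset({"SYN"})),
                 Packet(SERVER, 80, CLIENT, 40001, frozenset({"SYN", "ACK"})),
                 Packet(CLIENT, 40001, SERVER, 80, frozenset({"ACK"}))]
    # A SYN "from port 80" aimed at an internal port that never opened a connection
    unsolicited = Packet(SERVER, 80, CLIENT, 4444, frozenset({"SYN"}))
    return {
        "stateless_handshake": [stateless.decide(p) for p in handshake],
        "stateful_handshake": [stateful.decide(p) for p in handshake],
        "stateful_state": stateful.table[(CLIENT, 40001, SERVER, 80)],
        "stateless_unsolicited": stateless.decide(unsolicited),  # "allow"
        "stateful_unsolicited": stateful.decide(unsolicited),    # "drop"
    }
```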

  48. Communication systems – network security – firewalls
     • Layer-7 proxy server – application level proxy
       • Client and server in one box
       • For every supported application protocol: SMTP, POP3, HTTP, SSH, FTP, NNTP, Q3A, ...
       • Packets are received and processed by the server part
       • New packets are generated by the client part
       • Prevents the need for a direct network connection of clients: no client packet is directly routed into the Internet, no packet from the Internet is directly handed to the client
     • Special proxy protocol supported by many applications which offers authentication: socks5

  49. Communication systems – network security – firewalls
     • Complete server & client implementation in one box for every protocol which can be expected through it
       • Client connects to the Firewall
       • Firewall validates the request
       • Firewall connects to the server
       • Response comes back through the Firewall and is also processed through client/server
     • Large amount of processing per connection
     • High level of security
     • And: a lot of funny stuff could be tried with filtering (SPAM, Ads, porno sites, ...)

  50. Communication systems – network security – firewall taxonomy
     • Packet filters, circuit-level proxies and stateful packet filters are like telephone call-barring by number
       • block or allow mobile calls
       • block or allow international calls
       • block or allow 0190/0900 calls
       • from different internal extensions
     • Application level proxy is like telephone call monitoring by listening to the conversations
       • conversations may still be encoded, or in a foreign language !!
