570 likes | 764 Views
Chair of Communication Systems Department of Applied Sciences University of Freiburg 2006. Communication systems 17 th lecture (last). 1 | 57. Communication systems administrational stuff. Last lecture for this semester
E N D
Chair of Communication Systems Department of Applied Sciences University of Freiburg 2006 Communication systems17th lecture (last) 1 | 57
Communication systemsadministrational stuff • Last lecture for this semester • Friday is written exam starting at 11am sharp, Room 03-026 in this building (attic, end of stairs) • We gave some hints in last practical course on Tuesday • Please bring a fountain/ballpin pen with you (seats, tables, writing paper are provided by us) • Grades in oral or written exams will be sent to the examinations office (an will be available there beginning of winter term) • If you need a special printed paper – please tell us/send an email, so we could prepare it – it will be available at the secretaries of the computing department 2 | 57
Communication systemsadministrational stuff – seminar next semester • Professorship will held a block seminar on “Security, trust and law in the Internet” next winter in cooperation with MPICC (dept. of Prof. Sieber) • Unfortunately the faculty was not able to held the central infrormation block on available seminars soon enough • We expect written seminar papers for the end of October, the three seminar dates are on Friday/Saturday end of November, beginning of December • Seminar could be taken for the field of specialization #6 • Topics like SPAM, cracking, phishing, etc. will be covered • Seminar is in german only! • More information on the several topics could be found on the homepage 3 | 57
Communication systemsLast lecture – SIP and H323 • We talked on and demonstrated (in the practical course) SIP – session initialization protocol and H.323 (both might be part of the written exam questions) • Telephony over IP networks • Only session setup • compression, packet transport left to other services like RTP and RTCP • the latter define container and control protocols for multimedia data streams • H.323 – standard developed by Telcos - ITU • SIP – internet standard, thus they differ definitely in their designs 6 | 57
Communication systemsthis lecture – security in computer networks • We leave the area of telephony and talk of a complete different field again • The topic of this lecture will NOT asked in exam questions :-) • After some overview on the several network layers • IP v4 and v6 on the third OSI layer (network) • TCP, UDP on the fourth OSI layer (transport) • and several protocols for the underlying first and second layer (physical and data link layer) • “security” is a very broad topic not only connected to networks but many other aspects of computers 7 | 57
Communication systemsthis lecture – security in computer networks • This lecture – short introduction into problems of open networks, types and points of possible attacks • more than introduction is not possible • whole lectures may be held on that topic • Security measures do not focus on a single network layer • Different measures try to solve different problems that might occur • There is no single measure, which will solve all security issues at once • There will evolve new types of attacks and new types of counter measures 8 | 57
Communication systemsnetwork insecurity – simple packet snapshot (pract. course) 9 | 57
Communication systemsnetwork insecurity • IP packets are easily readable (if provided with the proper tools) • e.g. ethereal can provide the user/network administrator • with a graphical userinterface for interpreting packets • can grab all packets visible to a machine (promiscous mode in LANs like ethernets) • can sort out TCP streams (check which packets are part of a certain communication) • can interpret most of protocol packets • You should be familiar with this tool (and others like tcpdump) from the several practical courses 10 | 57
Communication systemsnetwork insecurity • why packets are as easily readable? • all communication has to follow standards – otherwise no communication would be possible (think of people talk in different languages with each other) • even not open protocols, like certain implementations of windows network service are interpretable – such the samba service is developed through trial-and-error and reverse engineering • such: no security by obscurity!! • in the beginning of "The Internet” • very few participants in networks • very few computers connected to each other • very few people with deep understanding of networking • not many network analyzation tools available (for free) 11 | 57
Communication systemsnetwork insecurity • restricted computing power of connected machines • protocols should be very simple and should not impose high loads on the machine • encryption technologies were not common knowledge / restricted for export ("strategic technology”) • and: simplicity of TCP/IP protocol suite helped the rapid growth of the Internet and fast adaptation for the different operating systems • by now: the Internet is one of base technologies for information exchange and communication • wide range of businesses directly depend on this network (online shops, auctions, b2b, games, advertisements, porn sites, ... :-)) 12 | 57
Communication systemsnetwork insecurity • inner and intra firm communication moves from the classic communication media telephone and fax over to mail and similar technologies • sending and reception of a wide range of digital objects • e.g. with the “melissa” virus you could observe employees entering their offices at eight and leaving them at half past nine (no mail and online communication was available – most MS operated networks) • production and development heavily depend on networks – most information between firms is directly interchanged between databases over the net • in the future: move of telecommunications into IP networks to avoid duplicated infrastructure and cut communication costs 13 | 57
Communication systemsnetwork insecurity • networks could be attacked on all layers • layer 1 and 2 • e.g. ARP spoofing in broadcast networks for man-in-the-middle attack, redirection of default gateway traffic over the attackers host (fifth lecture) • “dialer” programs – redirection of internet traffic over costly dial-in lines (attack is of course induced via web applications, trojan horses, ...) • layer 3 • IP spoofing – forging of IP addresses for good or malicious reasons (explained later) for motivation of IPsec • attacking router protocols, e.g. RIP (II) for redirecting traffic in LANs 14 | 57
Communication systemsnetwork insecurity • networks could be attacked on all layers • layer 1 and 2 • rather simple within WLANs (unguided media with no distinct boundaries): • spamming with corrupt packets or simply noise (microwave oven) – frequency band is rendered unusable • breaking the weak WEP algorithm • e.g. ARP spoofing in broadcast networks for man-in-the-middle attack, redirection of default gateway traffic over the attackers host (earlier lecture) • “dialer” programs – redirection of internet traffic over costly dial-in lines (attack is of often initiated via web applications, trojan horses, ...) 15 | 57
Communication systemsnetwork insecurity • layer 4 • very simple to send unsolicited UDP packets – connectionless service (such spoof protocols like SNMP, DHCP, DNS, ...) • take over open TCP connections – grab an open telnet, mail, http session to use an authenticated session to a remote host • TCP syn attacs (open as many TCP connections as possible from different hosts and leave them in open state without further communication – type of distributed denial of service DdoS) • dynamic routing protocols (drop in replacement for TCP or UDP) have their weaknesses too ... 16 | 57
Communication systemsnetwork insecurity • application layers (layer 5 – 7) • SPAM attack on productivity in every organization, network / overload mail boxes to stop reception of further email • redirection of users/traffic through modification of DNS replies, DNS caches • crack passwords to gain access to accounts, databases ... • by now: so called “bot-nets” • groups of computers corrupted by some worm or system / service weakness • waiting for special incoming packets for distributed denial of service (DDoS) attacks, SPAM relaying, file exchange, ... 17 | 57
Communication systemsnetwork security measures • different security measures for different network layers and protocols • application layers: e.g. PGP for mail – end-to-end mail encryption - advantages: • PGP/GnuPG available for many OS / mail clients • independent of admin permissions of the underlying OS • key ring could be put to USB stick (or similar) and deployed on more than one machine • disadvantages: • available for mail / filesystem encryption only • mail header (and all protocols below), end-to-end communication visible to every one along the route 18 | 57
Communication systemsnetwork security measures • Transport layer as an extension to service protocols put between TCP and higher level protocol • Secure socket layer (SSL: initially developed by Netscape to secure http connections to allow secure applications prerequisite for online shopping, homebanking, ...) • Transport layer security (TLS, or SSL v3) – modern version of SSL 19 | 57
Communication systemsnetwork security measures • by now implemented to a wide range of TCP applications • Web: https – port 443 • Mailboxes: imap4 – imaps, port 993 • Hierarchical database: ldap – ldaps, port 636 • OpenSSL – open source implementation of the SSL library • SSL requires certificate authorities (CA) to really know how the communication partner is • hierarchical structures of trust are rather costly • information of CA has to be put into application, e.g. Web browser • Rather strong requirement in the rather “unregulated” Internet 20 | 57
Communication systemsnetwork security measures • Advantages of SSL/TLS: • Library functions which could be relatively easily applied to every TCP application • Freely available for all common OS • Relatively wide spread through use with HTTP communication • Relatively mature (some security flaws where detected and fixed) • For not SSL enabled / rather old applications or protocols secure tunnels via SSH (secure shell) could be established • Some certificate authorities are available 21 | 57
Communication systemsnetwork security measures • Disadvantages of SSL/TLS: • Not available for applications using UDP (or more difficult to apply), no SSH tunnels possible • Incompatibilities with/of older versions of SSL • CA are rather expensive and not really compatible with each other • e.g. University of Freiburg uses some CA but would pay extra money to enable every virtual web / mail host to use authorized certificate (e.g. examine the certificate of the mail server ...) • Every CA has to be known to the web browsers and protocols using SSL 22 | 57
Communication systemsnetwork security measures • By now many universities and scientific organizations use the services of DFN CA • This CA is available free of charge to the members of that network • The Root certificate is integrated into the popular open source browsers (of course not into IE – M$ will most probably charge for that :-)) • There is a more “general” solution to link encryption and authentication than SSL/TLS 23 | 57
Communication systemsnetwork security measures • Network layer: IP sec protocol • Mostly in parallel to the SSL development need for secured IP connections was stated • IETF created work group which should backport IP v6 security features to IP v4 networks • Many participants in that workgroup • Long processes • Many incompatibilities between different vendors 24 | 57
Communication systemsnetwork security measures • Data link layer: PPTP or L2TP • PPTP (point-to-point-tunneling-protocol) is a Microsoft development for security enhancements to the PPP • PPP allows to transport more than one network layer protocol (e.g. IPX) beside IP • PPTP was cracked some years ago – some security issues not solved ... • PPTP is available to other operating systems too • L2TP (layer-2-tunneling-protocol) is prepared for adding security features too – but some issues not solved • For layer 2 tunneling OpenVPN (open source project available for OS with tun/tap network device) 25 | 57
Communication systemsnetwork security measures • OpenVPN uses the SSL library to encrypt traffic, could be used for securing layer 2 and IP connections • Uses UDP packets for easy crossing of masquerading routers • Could deploy TCP connections, connections over HTTP proxies too • Disadvantages: only point-to-point connections by now • need to setup of several connection endpoints on a server with the older 1.N versions • multipoint connections to the same server port would be available with the 2.0 version • Not an officially standardized protocol, but in broad use in many setups 26 | 57
Communication systemsnetwork security measures – summary 27 | 57
Communication systemsnetwork insecurity – address spoofing • Talked on ARP and ARP spoofing earlier this lecture / practical course • Without authentication it is impossible to say which communication partner generated a certain packet • Same problem on higher layers too • Same problems with WEP (lecture on Wireless LAN), layer 2 security measures ... • IP spoofing is creation of IP packets using some other IP address as source 28 | 57
Communication systemsIP insecurity – IP spoofing • IP source and destination addresses could be easily modified (you have only to recompute the headers checksum after it)– e.g. useful for IP masquerading (hide whole networks behind a masq. router – common technique for home LANs) • Tools to do so: iptables (Linux firewall package - example given in one of the practical courses), wincap, sendpacket, raw socket, ... 29 | 57
Communication systemsIP insecurity – IP spoofing • forging source IP address causes responses to be misdirected, meaning that no normal network connection might be created • originates in packet switched type of IP networks • IP routing is done on a hop by hop basis • delivery route is determined by the routers that participate in the delivery process • routers use the “destination IP” address in order to forward packets through the Internet, but “ignore” the source address field – point of attack for IP spoofing • or asymmetric routing – packet is sent out on one interface and received over another 30 | 57
Communication systemsIP insecurity – IP address spoofing in special scenarios • prerequisite for some type of SAT connections (incoming via SAT, outgoing via Modem / ISDN) • user makes request using return channel • ISP receives data from Internet and sends it out through satellite • user receives data through satellite receiver (card) 31 | 57
Communication systemsIP sec – IP v4 insecurity • IP v4 does not implement any security (easy IP spoofing, easy rewriting of packets, no encryption) • As we will see firewalls does not secure outgoing or inbound traffic but shields the internal LAN • For secure communication over an insecure network (not because of lost packets or connections - but special agencies listening on routers and wires) encryption will be needed • If hosts in an secured internetwork should interoperate as easily as in the classical Internet a standard for secure communication is needed 32 | 57
Communication systemsIP sec – IP v4 insecurity • IP and transportation headers must be easily readable for routers and network engines • But packet payload is easily readable too, if the proper tools for analysis are applied (i.e. Ethereal) • Example of HTTP post packet (login to a wellknown free mail provider: ID and password could be identified without problem) 33 | 57
Communication systemsIP sec - overview • IP level security -> IPsec • IPSEC is Internet Protocol SECurity • The level above the network layer is the place where IPsec was put - No alteration to the IP was needed, simply the transportation protocol was interchanged (or and additional security header introduced) • It uses strong cryptography to provide both authentication and encryption services • Authentication ensures that packets are from the right sender and have not been altered in transit • Encryption prevents unauthorized reading of packet contents • Topic covered in other lectures: Telematics/Internet-Working 34 | 57
Communication systemsIP sec – VPNs • It allows multiple access for e.g. teleworkers to the company LAN • Without VPN • costly separate infrastructure would be needed • often inflexible • Construction of a VPN • connection of all participating parties to the internet • VPN client asks for secure connection from the server • authentication via username/password, shared secret, key cards ... • after validation tunnel is set up with special IP routes 35 | 57
Communication systemsIP sec – VPN problems • Problems with VPN gateways • gateway machines reachable over the public internet • could be attacked for break-in, denial of service • security could be increased through combination of authentication methods • Security at tunnel end point • split tunnel – unencrypted interface to the internet needed (transport medium for encrypted traffic) • user machine is not secured against attacks from the internet • “hardened tunnel” - no connection/routing to the local LAN is allowed, user end point machine obtains a private IP from the internal network 36 | 57
Communication systems network security – other directions to look • By now we discussed encryption and authentication measures put to different protocol layers to improve security • We ensure this way, that nobody can read/alter the packets of a communication during transit • We do not secure a machine that way – vulnerability to attacks, DoS have to be abated some other way • Completely other path of thought • not to protect own traffic from sniffing ... • but allow or block traffic at gateway, router, end system ... • Traffic / packet filtering on different levels is another concept to increase security – parts of it will be discussed next part of lecture ... 37 | 57
Communication systemsnetwork security – “the magic device”: firewall • Take a completely new track now ... • Firewalls are traffic / packet filters that operate on different layers of our OSI protocol stack • Try for a definition: “A Firewall is a network security device designed to restrict access to resources (information or services) according to a security policy” • Important remark is to be made here: • Firewalls are not a “magic solution” to network security problems, nor are they a complete solution for remote attacks or unauthorized access to data!! • Firewalls could be circumvented in several ways and may increase the complexity of network and this way decrease the level of security! 38 | 57
Communication systems network security – firewalls • A Firewall is a often a network security device, but can be or simply is implemented directly into the end systems • It serves to connect two parts of a network a control the traffic (data) which is allowed to flow between them • Often installed between an entire organization's network and the Internet • A Firewall is always the single path of communication between protected and unprotected networks • Of course there are special cases of multiple Firewalls, redundant connections, fault-tolerant failover etc. • A Firewall can only filter traffic which passes through it • If traffic can get to a network by other means, the Firewall cannot block it 39 | 57
Communication systemsnetwork security – firewalls • Types of firewalling concepts: • (MAC / ethernet frame filter) • Packet filter • Circuit-level proxy • Stateful packet filter • Application-level proxy • Filtering on data link layer • ethernet packets contain source and destination addresses: MAC • allow only frames to be delivered from known sources, block frames with unknown MACs 40 | 57
Communication systems network security – firewalls • Filtering on network layer • Source & destination IP addresses • Source address • Destination address • Both are numerical – it is not easy for a Firewall to deal with machine or domain names • e.g. www.hotmail.com • Request: client = source, server = destination • Response: server = source, client = destination 41 | 57
Communication systems network security – firewalls • Filtering on transport level • This is where we deal with (mostly) TCP and UDP port numbers • e.g.: 25 SMTP – sending email (TCP) • 110 POP3 – collecting email (TCP) • 143 IMAP – collecting email (TCP) • 389 LDAP – directory service (TCP) • 636 LDAPS – TLS secured directory service (TCP) • 80 HTTP – web pages (TCP) • 443 HTTPS – secure web pages (TCP) • 53 DNS – name lookups (UDP) • 68, 69 DHCP – dynamic end system IP config (UDP) 42 | 57
Communication systemsnetwork security – firewalls • Most Firewalls and their administrators assume that the port number defines the service – not necessarily • who could stop me from sending or receiving mail over the HTTP port • who could stop users from tunneling all their IP traffic over an open port (AOL left UDP 53 completely open for DNS traffic some year ago :-)) • Here we get major problem: If users are blocked from using a service and try to avoid the blocking firewall they might find a way through – the admin still thinks all is fine with the network, but the situation might be even worse than without firewall at all ... 43 | 57
Communication systems network security – firewalls • Layer 7 – Application • There is where we find all the 'interesting' stuff ... • Web requests • Images • Executable files • Viruses • Email addresses • Email contents • Usernames • Passwords 44 | 57
Communication systems network security – firewalls • packet filter – a special router that have the ability to throw packets away independently of network congestion • Examines TCP/IP headers of every packet going through the Firewall, in either direction • Choice of whether to allow or block packet based on: • (MAC source & destination) • IP source & destination addresses (layer 3) • TCP / UDP source & destination ports (layer 4) • Stateful filter • Same as a packet filter, except initial packets in one direction are remembered, and replies are automatically allowed fo • Simpler rules than simple port based packet filter 45 | 57
Communication systems network security – firewalls • Packet filter use rules specify which packets are allowed through the Firewall, and which are dropped • Rules must allow for packets in both directions • Rules may specify source / destination IP addresses, and source / destination TCP / UDP port numbers • Certain (common) protocols are very difficult to support securely (e.g. FTP, IRC, SIP, ...) • Low level of security • Stateful packet filter • Packet filter which understands requests and replies (e.g.: for TCP: SYN, SYN-ACK, ACK) 46 | 57
Communication systems network security – firewalls • Stateful packet filter • Rules need only specify packets in one direction (from client to server – the direction of the first packet in a connection) • Replies and further packets in the communication are automatically processed • Supports wider range of protocols than simple packet filter (eg: FTP, IRC, H323) • Medium-high level of security 47 | 57
Communication systems network security – firewalls • Layer-7 proxy server – application level proxy • Client and server in one box • For every supported application protocol • SMTP, POP3, HTTP, SSH, FTP, NNTP, Q3A, ... • Packets are received and processed by server • New packets generated by client • Prevents the need for direct network connection of clients, no client packet is directly routed into the Internet, no packet from Internet is directly handed to the client • Special proxy protocol supported by many applications which offers authentication: socks5 48 | 57
Communication systems network security – firewalls • Complete server & client implementation in one box for every protocol which can be expected through it • Client connects to Firewall • Firewall validates request • Firewall connects to server • Response comes back through Firewall and is also processed through client/server • Large amount of processing per connection • High level of security • And: lot of funny stuff could be tried with filtering (SPAM, Ads, porno sites, ...) 49 | 57
Communication systems network security – firewall taxonomy • Packet filters, circuit-level proxies and stateful packet filters are like telephone call-barring by number • block or allow mobile calls • block or allow international calls • block or allow 0190/0900 calls • from different internal extensions • Application level proxy is like telephone call monitoring by listening to the conversations • conversations may still be encoded, or in a foreign language !! 50 | 57