1 / 20

Network Security

Network Security. IS250 Spring 2010 John Chuang. Outline. What is Network Security? Security properties Cryptographic techniques Availability (or lack thereof) Denial of service (DoS) attacks DDoS and botnets Operational security Firewalls Intrusion detection systems

lucie
Download Presentation

Network Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Network Security IS250 Spring 2010 John Chuang

  2. Outline • What is Network Security? • Security properties • Cryptographic techniques • Availability (or lack thereof) • Denial of service (DoS) attacks • DDoS and botnets • Operational security • Firewalls • Intrusion detection systems • Virtual private networks John Chuang

  3. Securing the Network Stack • Application (layer 7):various security protocols • Transport (layer 4):Transport Layer Security (TLS) • Network (layer 3):IPsec • Data Link (layer 2): Wired Equivalent Privacy (WEP); 802.11i • Physical (layer 1): control of access to cables; perimeter security; acoustic security; … HTTPS, SSH, PGP, S-BGP, DNSSEC,… TLS IPsec WEP; 802.11i; … Physical layer security Unfortunately, IP address spoofing (forging of source address) is still unsolved, and source of many network security problems. John Chuang

  4. Eavesdropping passwords, credit card numbers, etc. Data tampering Impersonation Replay attack Man-in-the-middle attack (e.g., IP address spoofing) Phishing attack Unauthorized access System vulnerabilities Password guessing (e.g., dictionary attack) Social engineering (e.g., bribe, black-mail) Denial-of-Service attack Spam Malware: Trojan horses, viruses, worms … Attacks • Wide ranging scope • Some common attacks: John Chuang

  5. Security Properties “CIA” and “AAA” • Confidentiality • Prevents eavesdropping • Integrity • Prevents modification of data • Authentication • Proves your identity to a third party; prevents impersonation • Accountability (non-repudiation) • Enables failure analysis; serves as deterrent • Authorization • Prevents misuse • Availability • Safeguards against denial-of-service John Chuang

  6. Encryption Symmetric-key (e.g., AES) Asymmetric-key (e.g., RSA) Cryptographic hash (message digest) e.g., MD5, SHA-1 Digital signature Confidentiality Authentication Integrity Non-Repudiation Cryptographic Techniques John Chuang

  7. Outline • What is Network Security? • Security properties • Cryptographic techniques • Availability (or lack thereof) • Denial of service (DoS) attacks • DDoS and botnets • Operational security • Firewalls • Intrusion detection systems • Virtual private networks John Chuang

  8. Availability • Denial-of-Service (DoS) Attack: • Make a computer resource or service unavailable to users by overwhelming the computational and/or communication resources of the victim system • DoS statistics (Moore et al., Usenix 2001): • Prevalence: 13,000 DoS attacks recorded in 3 weeks • Duration: an attack can last for hours • Intensity: 600,000 packets per second • 2008 ISP Infrastructure Security Report (Arbor, 2008) • Largest DDoS attack peak traffic volume of 40Gbps John Chuang

  9. TCP SYN Flood Attack • Recall TCP session establishment • A  B: SYN • B  A: SYN + ACK • A  B: ACK • B has to keep state for every half-open connection, and an idle connection is closed only after long timeout • An attacker sends many SYN messages (with spoofed source IP addresses) to victim B • Legitimate clients cannot establish TCP session with B John Chuang

  10. http://bluebuddies.com/gallery/Smurf_Art_Showcase/gif/Impus_Art_Smurf_Attack.gifhttp://bluebuddies.com/gallery/Smurf_Art_Showcase/gif/Impus_Art_Smurf_Attack.gif Smurf Attack • ICMP Echo Request attack • Attacker sends ICMP Echo Request (ping) messages to IP broadcast addresses (e.g., 128.32.255.255) • These ping messages have spoofed IP source address of target victim • Hosts receiving the Echo Request messages will respond with Echo Response (pong) messages • Target is flooded with ICMP Echo Response (pong) messages • This is an example of a reflected attack John Chuang

  11. Distributed DoS (DDoS) Attack • Attacker takes over machines via viruses and launches DoS attacks from these “zombies” or “bots” • Largest botnets can have millions of bots • Defensive approaches: filtering, traceback • Misaligned incentives an important contributor • Many owners unaware that their machine is a zombie • Owners not motivated to diligently patch their machines to protect against malware in the absence of perceived harm John Chuang

  12. Botnets Source: Cisco • (Application layer overlay) network of bots (Trojan horses) under the command & control of botnet operator • Botnet operators may control millions of machines and use them to launch DDoS attacks, send spam, perform keylogging, commit click fraud,… • Estimate: 70-90% of spam come from botnets • Underground market for botnet service • e.g., $500 for a DDoS attack using 10K bots • e.g., sites asked to pay $10-50k in extortion John Chuang

  13. Outline • What is Network Security? • Security properties • Cryptographic techniques • Availability (or lack thereof) • Denial of service (DoS) attacks • DDoS and botnets • Operational security • Firewalls • Intrusion detection systems • Virtual private networks John Chuang

  14. http://www.randommart.com/images/firewall_1_images/firewall.diagram2.gifhttp://www.randommart.com/images/firewall_1_images/firewall.diagram2.gif Firewall • A firewall isolates an organization’s internal network from the public Internet • All traffic must pass through firewall • Only authorized traffic, as defined by local security policy, can pass • Two basic types: packet filter, application gateway John Chuang

  15. Firewall Policy Examples John Chuang

  16. Filters packets on application data as well as on IP/TCP/UDP fields Example: allow select internal users to telnet outside require all telnet users to telnet through gateway for authorized users, gateway sets up telnet connection to destination host. Gateway relays data between 2 connections router filter blocks all telnet connections not originating from gateway Application Gateway gateway-to-remote host telnet session host-to-gateway telnet session application gateway router and filter Source: Kurose and Ross, Computer Networking, 5th Edition John Chuang

  17. Intrusion Detection System Monitors and reports suspicious traffic by performing deep packet inspection Signature-based or Anomaly-based application gateway firewall Internet internal network IDS sensors Web server DNS server FTP server demilitarized zone (DMZ) John Chuang Source: Kurose and Ross, Computer Networking, 5th Edition

  18. Virtual Private Networks • Problem: • build a corporate intranet for an organization with multiple sites • Solutions: • Public internet connections (low cost) • Private (dedicated) network connections (confidential) • Virtual Private Network (both confidentiality and low cost) • Implemented in software John Chuang

  19. VPN Source: Doug Comer • VPN software in router at each site gives appearance of a private network • Implementation: • Obtain internet connection for each site • Choose router at each site to run VPN software • Configure VPN software in each router to know about the VPN routers at other sites • VPN software acts as a packet filter; next hop for outgoing datagram is another VPN router • Outgoing datagrams encrypted using IPsec John Chuang

  20. IPSec (RFC 2402, 2406) • Transport mode: payload encrypted; not header • Tunneling mode: entire packet encrypted; then encapsulated in separate packet (to keep source/destination addresses confidential) • Example: • Datagram from host x at site 1 to host y at site 2 • Router R1 on site 1 encrypts, encapsulates in new datagram for transmission to router R2on site 2 John Chuang Source: Doug Comer

More Related