Network Security
IS250
Spring 2010
John Chuang
Outline
What is Network Security?
- Security properties
- Cryptographic techniques
Availability (or lack thereof)
- Denial of service (DoS) attacks
- DDoS and botnets
Operational security
- Firewalls
- Intrusion detection systems
- Virtual private networks
John Chuang 2
Securing the Network Stack
Application (layer 7): various security protocols (HTTPS, SSH, PGP, S-BGP, DNSSEC, …)
Transport (layer 4): Transport Layer Security (TLS)
Network (layer 3): IPsec
Data Link (layer 2): Wired Equivalent Privacy (WEP); 802.11i; …
Physical (layer 1): control of access to cables; perimeter security; acoustic security; …
Unfortunately, IP address spoofing (forging of the source address) is still unsolved, and is the source of many network security problems.
Attacks
Wide-ranging scope
Some common attacks:
Eavesdropping
- passwords, credit card numbers, etc.
Data tampering
Impersonation
- Replay attack
- Man-in-the-middle attack (e.g., IP address spoofing)
- Phishing attack
Unauthorized access
- System vulnerabilities
- Password guessing (e.g., dictionary attack)
- Social engineering (e.g., bribe, blackmail)
Denial-of-Service attack
Spam
Malware: Trojan horses, viruses, worms
…
Security Properties
“CIA” and “AAA”
Confidentiality
- Prevents eavesdropping
Integrity
- Prevents modification of data
Authentication
- Proves your identity to a third party; prevents impersonation
Accountability (non-repudiation)
- Enables failure analysis; serves as deterrent
Authorization
- Prevents misuse
Availability
- Safeguards against denial-of-service
Cryptographic Techniques
Encryption (provides confidentiality)
- Symmetric-key (e.g., AES)
- Asymmetric-key (e.g., RSA)
Cryptographic hash (message digest) (provides integrity)
- e.g., MD5, SHA-1
Digital signature (provides authentication and non-repudiation)
Availability
Denial-of-Service (DoS) Attack:
- Make a computer resource or service unavailable to users by
overwhelming the computational and/or communication resources of
the victim system
DoS statistics (Moore et al., Usenix 2001):
- Prevalence: 13,000 DoS attacks recorded in 3 weeks
- Duration: an attack can last for hours
- Intensity: 600,000 packets per second
2008 ISP Infrastructure Security Report (Arbor, 2008)
- Largest DDoS attack peak traffic volume of 40Gbps
TCP SYN Flood Attack
Recall TCP session establishment:
- A → B: SYN
- B → A: SYN + ACK
- A → B: ACK
B has to keep state for every half-open connection, and an idle half-open connection is closed only after a long timeout.
An attacker sends many SYN messages (with spoofed source IP addresses) to victim B.
Legitimate clients cannot establish a TCP session with B.
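The standard server-side defence against the state exhaustion described above is SYN cookies: the server encodes the half-open connection into the initial sequence number it sends back, so a spoofed SYN that never completes the handshake costs it no memory. This is an added example, not from the slides, simplified from the scheme described in RFC 4987; the secret key, the MSS table and the bit layout of the cookie are assumptions of the example.

```python
import hashlib
import hmac

# Added example (not from the slides): SYN-cookie style ISN generation and
# verification. No per-connection state is stored between the SYN and the ACK.
SECRET = b"rotate-me-periodically"          # assumption: server-side secret key
MSS_TABLE = [536, 1220, 1440, 1460]          # 2 cookie bits select an MSS class


def _mac(src_ip, src_port, dst_ip, dst_port, t):
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{t}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(src_ip, src_port, dst_ip, dst_port, mss, now):
    """ISN for the SYN+ACK: 5-bit time counter | 2-bit MSS index | 24-bit MAC."""
    t = (now // 64) & 0x1F                                   # 64-second ticks
    m = min(range(len(MSS_TABLE)), key=lambda i: abs(MSS_TABLE[i] - mss))
    mac = int.from_bytes(_mac(src_ip, src_port, dst_ip, dst_port, t), "big")
    return (t << 26) | (m << 24) | mac


def check_cookie(src_ip, src_port, dst_ip, dst_port, ack, now):
    """On the final ACK, recover the cookie (ack - 1) and validate it.
    Returns the MSS to use, or None if the ACK is forged or stale."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t, m = cookie >> 26, (cookie >> 24) & 0x3
    mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
    if (((now // 64) & 0x1F) - t) & 0x1F > 1:                # older than ~2 min
        return None
    if not hmac.compare_digest(mac, _mac(src_ip, src_port, dst_ip, dst_port, t)):
        return None
    return MSS_TABLE[m]


if __name__ == "__main__":
    isn = make_cookie("10.0.0.5", 40000, "1.2.3.4", 80, 1460, now=1000)
    print("legitimate ACK ->", check_cookie("10.0.0.5", 40000, "1.2.3.4", 80, isn + 1, 1010))
    print("forged ACK     ->", check_cookie("10.0.0.5", 40000, "1.2.3.4", 80, 12345, 1010))
```

A spoofed-source SYN produces a SYN+ACK that goes to the spoofed address and is never answered, so nothing is allocated; only an ACK carrying a valid, fresh cookie creates a connection.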
Smurf Attack
ICMP Echo Request attack
- Attacker sends ICMP Echo Request (ping) messages to IP broadcast addresses (e.g., 128.32.255.255)
- These ping messages carry the spoofed IP source address of the target victim
- Hosts receiving the Echo Request messages respond with Echo Reply (pong) messages
- Target is flooded with ICMP Echo Reply (pong) messages
This is an example of a reflected attack
Distributed DoS (DDoS) Attack
Attacker takes over machines via viruses and launches DoS attacks from these “zombies” or “bots”
Largest botnets can have millions of bots
Defensive approaches: filtering, traceback
Misaligned incentives are an important contributor
- Many owners are unaware that their machine is a zombie
- Owners are not motivated to diligently patch their machines to protect against malware in the absence of perceived harm
Botnets
(Application layer overlay) network of bots (Trojan horses) under the command & control of a botnet operator
Botnet operators may control millions of machines and use them to launch DDoS attacks, send spam, perform keylogging, commit click fraud, …
- Estimate: 70-90% of spam comes from botnets
Underground market for botnet services
- e.g., $500 for a DDoS attack using 10K bots
- e.g., sites asked to pay $10-50k in extortion
Firewall
A firewall isolates an organization’s internal network from the public Internet
- All traffic must pass through the firewall
- Only authorized traffic, as defined by local security policy, can pass
Two basic types: packet filter, application gateway
Firewall Policy Examples
Policy: No outside web access
- Firewall setting: Drop all outgoing packets to any IP address, destination port 80
Policy: No incoming TCP connections, except to public web server at IP address 1.2.3.4
- Firewall setting: Drop all incoming TCP SYN packets to any IP except 1.2.3.4, port 80
Policy: Allow DNS packets to leave network
- Firewall setting: Allow outgoing UDP packets to any IP address, destination port 53
Policy: Prevent your network from being tracerouted
- Firewall setting: Drop all outgoing ICMP TTL expired traffic
Policy: Prevent your network from being used for a Smurf attack
- Firewall setting: Drop all ICMP ping packets going to a broadcast address
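The policy table above, expressed as the first-match rule list of a stateless packet filter, so each row can be checked against a packet. This is an added example, not code from the slides; it assumes the internal network is 128.32.0.0/16 (the slide's broadcast example), the public web server is 1.2.3.4 as in the table, and packets matching no rule are allowed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example (not from the slides). Assumed network parameters:
INTERNAL = ip_network("128.32.0.0/16")      # local network (broadcast 128.32.255.255)
PUBLIC_WEB = ip_address("1.2.3.4")          # public web server from the policy table


@dataclass
class Packet:
    direction: str        # "in" (from the Internet) or "out" (to the Internet)
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0        # TCP/UDP destination port (0 when not applicable)
    syn: bool = False     # TCP SYN flag: a new connection attempt
    icmp_type: int = -1   # 8 = echo request (ping), 11 = time exceeded (TTL expired)


def to_broadcast(p):
    return ip_address(p.dst) in (INTERNAL.broadcast_address, ip_address("255.255.255.255"))


RULES = [  # (policy, match predicate, action); first match wins
    ("No outside web access",
     lambda p: p.direction == "out" and p.dport == 80, "drop"),
    ("No incoming TCP connections, except to public web server",
     lambda p: p.direction == "in" and p.proto == "tcp" and p.syn
     and not (ip_address(p.dst) == PUBLIC_WEB and p.dport == 80), "drop"),
    ("Allow DNS packets to leave network",
     lambda p: p.direction == "out" and p.proto == "udp" and p.dport == 53, "allow"),
    ("Prevent your network from being tracerouted",
     lambda p: p.direction == "out" and p.proto == "icmp" and p.icmp_type == 11, "drop"),
    ("Prevent your network from being used for a Smurf attack",
     lambda p: p.proto == "icmp" and p.icmp_type == 8 and to_broadcast(p), "drop"),
]


def filter_packet(p):
    """Return (action, policy) for the first matching rule, else the default (assumed allow)."""
    for policy, match, action in RULES:
        if match(p):
            return action, policy
    return "allow", "default"
```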
Application Gateway
[Figure: host-to-gateway telnet session; gateway-to-remote host telnet session; application gateway; router and filter]
Filters packets on application data as well as on IP/TCP/UDP fields
Source: Kurose and Ross, Computer Networking, 5th Edition
Example: allow select internal users to telnet outside
1. require all telnet users to telnet through the gateway
2. for authorized users, the gateway sets up a telnet connection to the destination host and relays data between the 2 connections
3. the router filter blocks all telnet connections not originating from the gateway
Intrusion Detection System
Monitors and reports suspicious traffic by performing deep packet inspection
- Signature-based or Anomaly-based
[Figure: Internet; firewall; application gateway; internal network; IDS sensors; demilitarized zone (DMZ) with Web server, DNS server and FTP server]
Source: Kurose and Ross, Computer Networking, 5th Edition
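The two detection styles named above, run over a handful of constructed sensor records, to show what each one catches and misses. This is an added example, not code from the slides or the textbook; the record format, the sample records and the signatures and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict

# Added example (not from the slides). Constructed records as a deep-packet-
# inspecting sensor might log them: (seconds, src, dst, dport, request line).
RECORDS = [
    (0.0, "10.9.8.7",     "128.32.1.10", 80,  "GET /index.html HTTP/1.1"),
    (0.4, "198.51.100.4", "128.32.1.10", 80,  "GET /cgi-bin/../../etc/passwd HTTP/1.1"),
    (1.0, "10.9.8.7",     "128.32.1.20", 53,  "A www.example.com"),
    (2.0, "203.0.113.9",  "128.32.1.10", 80,  "GET / HTTP/1.1"),
    (2.1, "203.0.113.9",  "128.32.1.10", 22,  ""),
    (2.2, "203.0.113.9",  "128.32.1.10", 23,  ""),
    (2.3, "203.0.113.9",  "128.32.1.10", 25,  ""),
    (2.4, "203.0.113.9",  "128.32.1.10", 110, ""),
]

# Signature-based: match known-bad patterns in the payload. Precise, few
# false positives, but blind to anything without a signature.
SIGNATURES = [
    ("directory traversal", re.compile(r"(\.\./){2,}")),
    ("sql tautology", re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.I)),
]


def signature_alerts(records):
    """(signature name, source) for every record whose payload matches a signature."""
    return [(name, src) for _, src, _, _, payload in records
            for name, rx in SIGNATURES if rx.search(payload)]


# Anomaly-based: flag deviation from a baseline, here a source touching more
# than `max_ports` distinct destination ports on one host within `window`
# seconds (a scan-like pattern). Catches novel behaviour, but a wrong baseline
# turns into false positives.
def anomaly_alerts(records, window=1.0, max_ports=3):
    ports = defaultdict(set)
    for ts, src, dst, dport, _ in records:
        ports[(src, dst, int(ts // window))].add(dport)
    return sorted({src for (src, _, _), seen in ports.items() if len(seen) > max_ports})
```

The traversal request is invisible to the anomaly detector (one connection, nothing unusual in rate), and the port sweep is invisible to the signature detector (no payload to match), which is why deployments usually combine both.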
Virtual Private Networks
Problem:
- build a corporate intranet for an organization with multiple
sites
Solutions:
- Public internet connections (low cost)
- Private (dedicated) network connections (confidential)
- Virtual Private Network (both confidentiality and low cost)
- Implemented in software
VPN
VPN software in router at each site gives
appearance of a private network
Implementation:
- Obtain internet connection for each site
- Choose router at each site to run VPN software
- Configure VPN software in each router to know about
the VPN routers at other sites
- VPN software acts as a packet filter; next hop for
outgoing datagram is another VPN router
- Outgoing datagrams encrypted using IPsec
IPSec (RFC 2402, 2406)
Transport mode: payload encrypted; not header
Tunneling mode: entire packet encrypted, then encapsulated in a separate packet (to keep source/destination addresses confidential)
Example:
- Datagram from host x at site 1 to host y at site 2
- Router R1 on site 1 encrypts, encapsulates in a new datagram for transmission to router R2 on site 2
Source: Doug Comer
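The difference between the two modes, made concrete: what an eavesdropper on the public Internet can read from the x-to-y datagram in each mode, and how R2 recovers the inner datagram. This is an added example, not code from the slides; the "datagram" is a bare src|dst|body layout, the cipher is a toy SHA-256 keystream standing in for ESP's real encryption (it gives no integrity protection), and all addresses and the key are constructed.

```python
import hashlib

# Added example (not from the slides). Constructed addresses and key:
KEY = b"R1-R2 SA key"                        # assumption: key shared by R1 and R2
X, Y = "10.1.0.7", "10.2.0.9"                 # host x at site 1, host y at site 2
R1, R2 = "198.51.100.1", "203.0.113.1"        # site 1 and site 2 VPN routers


def toy_cipher(data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream (toy, not ESP); applying it twice decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(KEY + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def datagram(src: str, dst: str, body: bytes) -> bytes:
    """Minimal header: plaintext source and destination, then the body."""
    return f"{src}|{dst}|".encode() + body


def transport_mode(payload: bytes) -> bytes:
    """Payload encrypted, original header kept: x and y stay visible on the wire."""
    return datagram(X, Y, toy_cipher(payload))


def tunnel_mode(payload: bytes) -> bytes:
    """R1 encrypts the whole x->y datagram and encapsulates it in an R1->R2 datagram."""
    return datagram(R1, R2, toy_cipher(datagram(X, Y, payload)))


def observer_view(pkt: bytes):
    """Addresses an eavesdropper between R1 and R2 can read: only the outer header."""
    src, dst, _ = pkt.split(b"|", 2)
    return src.decode(), dst.decode()


def r2_decapsulate(pkt: bytes):
    """R2 strips the outer header, decrypts, and recovers the inner x->y datagram."""
    _, _, body = pkt.split(b"|", 2)
    src, dst, payload = toy_cipher(body).split(b"|", 2)
    return src.decode(), dst.decode(), payload
```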