Regional Training Course on Information Security for Nuclear Organizations Managers
15-18 December 2008
Network Security
Presenter: Youngdoo Kang
This session covers:
• Introduction of Network Security Objectives
• Layered Models and Network Attacks
• Tools and Techniques for Network Security
• Considerations
Unfortunately, we have just 20 minutes
It’s for Nuclear Organizations Managers

Intro - Network Security Objectives
Network (networks)
• Nodes & links (WAN, LAN, MAN… “clouds”)
• Convenient venue for attack
A “cornerstone” for Information & Computer Security
• As a channel for attacks
• As a target for attackers
• As a defense against attacks

Intro - Network Security Objectives
Access Control
Network = #1 entry point of IT systems, so it is a good point to enforce access control!
Confidentiality
The data has to be delivered only to the right recipient, protected from eavesdropping
Integrity
Protect against unauthorized modifications on the wire
Availability
A key business requirement, and a prime and easy target

Layered Models and Network Attacks
Two commonly used models
The OSI Reference Model
• OSI = Open System Interconnect
• 7 layers
• International standard ISO/IEC 7498-1, conceptual
The TCP/IP model
• 4 layers
• “Real world” model
Choice: OSI model as a reference
Anyway, they can match
Concepts/technologies can encompass several layers

Layered Models and Network Attacks
OSI Reference Model    TCP/IP Model      Protocols
7  Application         Application       HTTP, FTP, Telnet, SNMP, SMTP
6  Presentation        Application
5  Session             Application
4  Transport           Transport         TCP, UDP
3  Network             Internetwork      IP, ICMP, DHCP
2  Data Link           Network Access    LLC, ARP
1  Physical            Network Access    MAC

Layered Models and Network Attacks
Simply, general network architecture
[Figure: Systems A and B each send and receive through the 7 layers (Application, Presentation, Session, Transport, Network, Data Link, Physical). Labels on the packet side: Layer N (upper layer) packet, Layer (i), L3 header, Layer 2 with L2 header, Layer 1 with L1 header and tail. Physical communication runs over the communication medium.]

Layered Models and Network Attacks
Each layer has vulnerabilities:
• Layer 1
Wiretapping: directly interrupt the physical cable
• Layer 2
Eavesdropping: the media is shared (e.g., CSMA) and every node can receive data
• Layer 3
Spoofing: ack, nak
• Layer 4
SYN flood attack: overflow
• ...

Layered Models and Network Attacks
[Figure: OSI layer stack]
Main roles and functions
• Data transfer across different networks
• Routing between segments
• Forwarding, Addressing
• Congestion control
• Packet sequencing
Main examples
• Internet Protocol (IP), IPsec
• Routing protocols (RIP, OSPF, BGP…)
• ICMP (Internet Control Management Protocol) – ping etc.

Layered Models and Network Attacks
SYN flood attack (layer 4)
• Half-open connections!
• Resource exhaustion
Some DoS attacks on the stack implementation
• Land attack: source IP address set equal to destination IP address
• Teardrop attack: contradictory lengths, fragmentation
• Smurf attack: a “ping” avalanche aimed at the target
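How a monitor can recognise two of the conditions on this slide, as an added example that is not part of the original slides: it counts half-open connections per service (SYN flood) and flags packets whose source address equals their destination (Land attack). The record format, thresholds and sample packets are assumptions constructed for the illustration.

```python
from collections import Counter

# Constructed sample records: (time_s, src_ip, src_port, dst_ip, dst_port, flags)
# flags: "S" = SYN, "A" = ACK that completes the handshake, "R" = RST
SAMPLE = [
    (0.0, "10.0.0.5", 40000, "10.0.0.80", 80, "S"),   # normal client ...
    (0.1, "10.0.0.5", 40000, "10.0.0.80", 80, "A"),   # ... completes its handshake
    (1.0, "10.0.0.80", 80, "10.0.0.80", 80, "S"),     # source == destination
    (2.0, "198.51.100.1", 1024, "10.0.0.80", 80, "S"),
    (2.1, "198.51.100.2", 1025, "10.0.0.80", 80, "S"),
    (2.2, "198.51.100.3", 1026, "10.0.0.80", 80, "S"),
    (2.3, "198.51.100.4", 1027, "10.0.0.80", 80, "S"),  # none of these is ever ACKed
]

def analyse(packets, max_half_open=3, syn_timeout=30.0):
    """Return (land_alerts, flood_alerts) for a time-ordered list of records."""
    half_open = {}                      # (src, sport, dst, dport) -> time SYN seen
    land_alerts, flood_alerts = [], []
    for t, src, sport, dst, dport, flags in packets:
        if src == dst:                  # Land condition: packet addressed to itself
            land_alerts.append((t, src))
            continue
        conn = (src, sport, dst, dport)
        if flags == "S":
            half_open[conn] = t
        elif flags in ("A", "R"):
            half_open.pop(conn, None)   # handshake finished or aborted
        # Forget SYNs older than the timeout, as the server's stack would
        half_open = {c: ts for c, ts in half_open.items() if t - ts <= syn_timeout}
        per_service = Counter((c[2], c[3]) for c in half_open)
        for service, count in per_service.items():
            if count > max_half_open and service not in flood_alerts:
                flood_alerts.append(service)   # too many half-open connections
    return land_alerts, flood_alerts

if __name__ == "__main__":
    print(analyse(SAMPLE))
```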

Layered Models and Network Attacks
Wiretapping (from layer 1)
• Directly interrupt the physical wire, and then listen…
Eavesdropping (layer 2)
• Ethernet shares the LAN media
• Everyone receives Ethernet frames
• Only the recipient considers them
• Promiscuous mode: listen to everything

Generic Plant Network Architecture

Tools and Techniques for Network Security
Firewall
IDS / IPS
Graded approach / zone model
Segmentation
One-way communication
…

Firewall
Basic Definition
• In building construction, keeps a fire from spreading from one part of the building to another
• In network security, a component (or a set of components) that restricts access between two networks
Functions
• Gatekeeper, controlling traffic that crosses inbound and outbound
• Separation between un-trusted (less trusted) networks (e.g. Internet) and (more) trusted networks
[Figure: firewall between the un-trusted network and the trusted, protected internal network: let pass or block?]

IDS and IPS
Intrusion Detection Systems vs Intrusion Prevention Systems
• IDS is “passive”, installed on a branch off the wire (a tap)
• IPS is “active”, installed in line on the wire
Network IDS/IPS and Host IDS/IPS
• On the network (with sensors) / On the hosts or servers
Approaches
• Signature based vs Anomaly based
• Hybrid
• Remember the FAR/FRR for biometrics?
Software, dedicated appliance or add-ons

Zone Model of Protection
• A possible practical implementation of the graded approach is to categorize computer systems into logical zones, where graded protective principles are applied for each zone.
• The assignment of computer systems to different levels and zones should be based on their relevance to safety and security. Nonetheless, the risk assessment process should be allowed to feed back into and influence the graded approach.

Zone Levels
Example – NPP Zones
Zone 1 – Protection and limitation systems
• This zone comprises all computers which belong to safety-relevant digital and software-based I&C systems. These systems acquire and calculate process data and output control commands to the plant process.
Zone 2 – Process-control and process-computing systems (operational and technical support systems)
• This zone comprises all computers which belong to digital electro-technical and digital I&C systems. Unlike systems of zone 1, these computers are not relevant to safety or do not exert any direct control over the plant process.
Zone 3 – Administrative computer systems
• This zone comprises all computers and IT systems that are used for administrative purposes.
Zone 4 – External systems
• This zone comprises all computers and IT systems that are assigned to external applications.

One-way Communication
No handshaking / No acknowledgement
Non-reliable communications
[Figure: highest security zone (application server, FTP server) and lower security zone (file deposit server, FTP server) connected by a one-way link using a specific protocol]
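What "no handshaking / no acknowledgement" implies for the receiving side, as an added example that is not part of the original slides: with no return channel the receiver cannot ask for a resend, so each frame has to carry enough information for loss, damage and duplicates to be noticed locally. The frame layout (sequence number, length, CRC32) and all names are assumptions made for this sketch, not the "specific protocol" of the slide.

```python
import struct
import zlib

HEADER = struct.Struct("!IH")  # assumed layout: 32-bit sequence number, 16-bit length
CRC = struct.Struct("!I")

def make_frame(seq, payload):
    """Sender: header + payload + CRC32. The sender never hears back."""
    body = HEADER.pack(seq, len(payload)) + payload
    return body + CRC.pack(zlib.crc32(body))

class Receiver:
    """Receiver: cannot request a resend, so it drops bad frames and logs gaps."""

    def __init__(self):
        self.expected = 0      # next sequence number we hope to see
        self.delivered = []    # payloads accepted, in order
        self.events = []       # what an operator would need to review

    def handle(self, frame):
        if len(frame) < HEADER.size + CRC.size:
            self.events.append("short frame dropped")
            return
        body, (crc,) = frame[:-CRC.size], CRC.unpack(frame[-CRC.size:])
        seq, length = HEADER.unpack(body[:HEADER.size])
        payload = body[HEADER.size:]
        if zlib.crc32(body) != crc or length != len(payload):
            self.events.append("corrupt frame dropped")
        elif seq < self.expected:
            self.events.append(f"duplicate frame {seq} dropped")
        else:
            if seq > self.expected:
                self.events.append(f"lost frames {self.expected}-{seq - 1}")
            self.delivered.append(payload)
            self.expected = seq + 1

def demo():
    """Constructed run: frame 2 is lost, frame 3 is damaged, frame 4 arrives twice."""
    frames = [make_frame(i, f"reading {i}".encode()) for i in range(5)]
    damaged = bytearray(frames[3])
    damaged[-6] ^= 0xFF        # flip the bits of one payload byte
    rx = Receiver()
    for frame in (frames[0], frames[1], bytes(damaged), frames[4], frames[4]):
        rx.handle(frame)
    return rx

if __name__ == "__main__":
    rx = demo()
    print(rx.delivered, rx.events)
```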

Remote Access
• A major concern
• Famous example of Davis-Besse NPP (2003)
• More and more requested by users…
• …and by third parties!
• Sometimes, no choice
• A clear policy is needed
• Integrated in the graded approach / zone model

Remote Access Policy
• Indications from the IAEA draft guide
• Level 1: “don’t even think about it”
• Level 2 & 3: “only if absolutely necessary”. Remote access:
o may be allowed on a case-by-case basis
o for a defined working period
o must be protected with strong measures, and
o must respect a defined security policy (contractual)
• Level 4: “Go for it, but pay attention”
o allowed for authorized users provided that appropriate controls are in place

Consideration on Wireless
• Wireless is attractive to get rid of this…
• To avoid costs of new wires in existing buildings
• General trend in I.T. but also for industrial environments (ref. EPRI, WINA, ISA…)

Wireless Technologies
From ISA100 ORNL presentation (Wayne W. Manges, Apr 2007)

Wireless security
• Channel Security
• Confidentiality & Integrity: ~ OK (e.g. 802.11i)
o Use the latest technologies (forget WEP)
• Availability: still a problem…
• Big issues
o Denial of Service
o Easy access to the media
• Still some unresolved security problems…
• EMI/RFI issue…

Defensive model with defense in depth to SCADA - INL
[Figure labels: IDS, zone, firewall, DMZ, network segmentation, ...]

Network Architecture examples 2/2
From ISA-d99.00.01 Draft

Questions?

Supplement

Layered Models and Network Attacks
[Figure: OSI layer stack]
Main role and functions
• Portal to network based services for applications
Main examples
• HTTP, FTP, Telnet, SMTP…
Crafted malicious codes
• Worms, spywares,…
• Cf. Don’s presentation
Direct connections to applications
• This is what network is about
• Unprotected / No Access Control
Buffer overflows, exploited remotely
• Malicious inputs, stack overflow, underrun…

Layered Models and Network Attacks
[Figure: OSI layer stack]
Main role and functions
• Handles encoding, encryption, etc...
• Protocol Conversion, Data Translation, Encryption, ...
Main examples
• Formats: ASCII, EBCDIC, GIF, JPEG, ZIP…
• In fact, encryption and compression often done elsewhere
Some phishing attacks are based on encoding

Layered Models and Network Attacks
[Figure: OSI layer stack]
Main role and functions
• Creates, maintains and stops logical persistent connections between hosts
• Synchronization: keeps track of long messages
• Duplex / half-duplex / simplex
Main examples
• NFS, SQL, RPC, (SSL/TLS)
SSL / TLS session hijacking

Layered Models and Network Attacks
[Figure: OSI layer stack]
Main role and functions
• Ensures end-to-end connection
• Manages upper layers' data flows
• Manipulates “Packets”
Main examples
• TCP (Transmission Control Protocol) – connection oriented, reliable
• UDP (User Datagram Protocol) – connectionless

Layered Models and Network Attacks
[Figure: OSI layer stack]
Main roles and functions
• Data transfer across different networks
• Routing between segments
• Forwarding, Addressing
• Congestion control
• Packet sequencing
Main examples
• Internet Protocol (IP), IPsec
• Routing protocols (RIP, OSPF, BGP…)
• ICMP (Internet Control Management Protocol) – ping etc.

Layered Models and Network Attacks
SYN flood attack (layer 4)
• Half-open connections!
• Resource exhaustion
Some DoS attacks on the stack implementation
• Land attack: source IP address set equal to destination IP address
• Teardrop attack: contradictory lengths, fragmentation
• Smurf attack: a “ping” avalanche aimed at the target

Layered Models and Network Attacks
[Figure: OSI layer stack]
Main roles and functions
• Machine to Machine data transfer, on the same segment
• Frame creation and sequence
• Error detection and correction
Main examples
• Ethernet, ISDN, ATM, but also protocols like ARP, L2TP… Wireless (WiFi)

Layered Models and Network Attacks
[Figure: OSI layer stack]
Main roles and functions
• Specifies the physical signals
o E.g. Voltage Levels, bits per sec.
• Network interfaces and cabling
Main examples
• RS232, Ethernet/100bT, Coax
• USB, Firewire (encompass several layers)