Slides

advertisement
CS526: Information Security
Chris Clifton
November 13, 2003
Network Security
Network Security:
What is the Problem?
• Name examples of security breaches
– Morris Worm
– Email viruses (many)
–…
CS526, Fall 2003
2
Network Security:
What is it?
• What is the purpose
of a network?
–
–
–
–
Move bits
from A
to B
Securely…
A
Network
B
CS526, Fall 2003
3
Securely means
• Confidentiality
A
– Only A and B see bits
• Integrity
Network
– Message intact
– Really from A
– Order?
• Availability
B
– B gets it in time
CS526, Fall 2003
4
Network Security:
What is the Problem?
• Were our examples Network security
failures?
– Morris Worm
– Email viruses (many)
–…
CS526, Fall 2003
5
Network Security:
Mostly Solved!
• Confidentiality
– Encryption
• Integrity
– Digital Signatures
– Retransmission
– Order?
• Availability
– Quality of Service
CS526, Fall 2003
6
Network Security:
What’s all the fuss?
• Firewalls
– Solve poor internal security using the network
• Intrusion Detection
– Detect non-network security breaches
accomplished via the network
– Early start on forensics
CS526, Fall 2003
7
Network Security:
What is interesting?
• Distributed Authentication
– Scaling issues
– Autonomy
• Distributed Cooperation
– Commit
– Fault tolerance
• Availability
– Denial of service
But first: State of practice
CS526, Fall 2003
8
“Typical” corporate network
Demilitarized
Zone (DMZ)
Firewall
Intranet
Mail forwarding
File Server
DNS (DMZ)
Web Server
Web Server
Mail server
DNS (internal)
Firewall
Internet
User machines
User machines
User machines
CS526, Fall 2003
9
Typical network:
Terms
• Network Regions
– Internet
– Intranet
– DMZ
• Network Boundaries
– Firewall
• Filtering firewall: Based on packet headers
• Audit mechanism
– Proxy
• Proxy firewall: Gives external view that hides intranet
CS526, Fall 2003
10
Issues
• IP: Intranet hidden from outside world
– Internal addresses can be real
• Proxy maps between real address and firewall
– Fake addresses: 10.b.c.d, 172.[16-31].c.d,
192.168.c.d
• Network Address Translation Protocol maps internal to
assigned address
• Mail Forwarding
– Hide internal addresses
– Map incoming mail to “real” server
– Additional incoming/outgoing checks
CS526, Fall 2003
11
Firewalls: Configuration
• External Firewall
– What traffic allowed
• External source: IP restrictions
• What type of traffic: Ports (e.g., SMTP, HTTP)
– Proxy between DMZ servers and internet
– Proxy between inner and outer firewall
• Internal Firewall
– Traffic restrictions: Ports, From/to IP
– Proxy between intranet and outside
CS526, Fall 2003
12
DMZ Administration
• Direct console access required?
– Real hassle
• “Special” access
– SSH connections allowed from internal to
DMZ “administration” connections
– Only from specified internal IPs
– Only through internal firewall
CS526, Fall 2003
13
Distributed Authentication
• Authentication has been covered
– But does it scale?
• Scaling Issues:
– Repeat authentication
– Multiple administrators
CS526, Fall 2003
16
Repeat authentication:
Kerberos
• Kerberos developed at MIT in the 1980s
– Project Athena: clusters of publicly available
computers for student/faculty use
– Shared file service – log in anywhere
– Problem: how to ensure user logging in at A
authorized to use resources at B?
• Solution: ticket as credential
–
–
–
–
–
Ticket server
Client
Client address
Valid time
Session key
Encrypted with ticket server’s key
CS526, Fall 2003
17
Kerberos
Authentication Example
• Client sends to Authentication Server
– Client name, Ticket server name
• Authentication Server returns
– Client: {kclient,ticket server} kclient password, ticketclient, ticket server
• Client performs similar exchange with ticket
server
– Ticket contains session key, only ticket server can
decrypt
• Now client has session key and ticket for service
– Message includes ticket and encrypted generation
time as “signature”
CS526, Fall 2003
18
Kerberos:
Problems
• Subject to replay attacks
– Relies on clock synchronization
– “Window of opportunity” based on maximum
message delay
• Standard password attacks
– Password used to decrypt initial authenticator
ticket
– Some fixed fields enable verifying if password
broken
CS526, Fall 2003
19
The Next Problem:
Multiple Administration Domains
• Problem: Many users
– We know how to authenticate
– But how to administer?
• Solution: Hierarchical directories
– X.500, LDAP, Active Directory
CS526, Fall 2003
20
X.500: What is it?
• Goal: Global “white pages”
– Lookup anyone, anywhere
– Developed by Telecommunications Industry
– ISO standard directory for OSI networks
• Idea: Distributed Directory
– Application uses Directory User Agent to access a Directory Access
Point
CS526, Fall 2003
21
Issues
• How is name used?
– Access resource given the name
– Build a name to find a resource
– Information about resource
• Do humans need to use name?
– Construct and Recall
• Is resource static?
– Resource may move
– Change in location may change name
• Performance requirements
– Human-scale
CS526, Fall 2003
22
Directory Information Base
(X.501)
• Tree structure
– Root is entire directory
– Levels are “groups”
• Country
• Organization
• Individual
• Entry structure
– Unique name
• Build from tree
– Attributes: Type/value
pairs
– Schema enforces type
rules
• Alias entries
CS526, Fall 2003
23
Directory Entry
• Organization level
– CN=Purdue University
– L=West Lafayette
–…
• Person level
– CN=Chris Clifton
– SN=Clifton
– TITLE=Associate
Professor
–…
CS526, Fall 2003
24
Directory Operations
(X.511)
• Query:
–
–
–
–
–
Read – get selected attributes of an entry
Compare – does an entry match a set of attributes
List – children of an entry
Search – portion of directory for matching entries
Abandon request
• Modification – add, remove, modify entry
– Modify distinguished name
CS526, Fall 2003
25
Distributed Directory
(X.518)
• Directory System Agent
– May have local data
– Can forward requests to other system agents
– Can process requests from user agents and
other system agents
• Referrals
– If DSA can’t handle request, can make
request to other DSA
– Or tell DUA to ask other DSA
CS526, Fall 2003
26
Access Control
• Directory information can be protected
• Two issues:
– Authentication (X.509)
– Access control (X.501)
• Standards specify basic access control
– Individual DSA’s can define their own
CS526, Fall 2003
27
Replication
(X.525)
• Single entries can be replicated to multiple DSAs
– One is “master” for that entry
• Two replication schemes:
– Cache copies – On demand
– Shadow copies – Agreed in advance
• Copies required to enforce access control
– When entry sent, policy must be sent as well
• Modifications at Master only
• Copy can be out of date
– Each entry must be internally consistent
– DSA giving copy must identify as copy
CS526, Fall 2003
28
Protocols
(X.519)
• Directory Access Protocol
– Request/response from DUA to DSA
• Directory System Protocol
– Request/response between DSAs
• Directory Information Shadowing Protocol
– DSA-DSA with shadowing agreement
• Directory Operational binding
management Protocol
– Administrative information between DSAs
CS526, Fall 2003
29
Uses
• Look-up
– Attributes, not just Distinguished Name
– Context
• Humans can construct likely names
• Browsing
• Yellow pages
– Aliases
• Search restriction/relaxation
• Groups
– Multi-valued “member” attribute
• Authentication information contained in directory
– E.g., password attribute
CS526, Fall 2003
30
LDAP vs. X.500
• Lightweight Directory Access Protocol
– Supports X.500 interface
– Doesn’t require OSI protocol
– IETF RFC 2251, 2256
X.500 for the internet crowd
• Useful as generic addressing interface
– Netscape address book
– System logon identification/authentication
–…
CS526, Fall 2003
31
The Next Problem:
Multiple Administration Domains
• Problem: Many users
– We know how to authenticate
– But how to administer?
• Solution: Hierarchical directories
– X.500, LDAP, Active Directory
• Still not enough
– Is every administrator in the hierarchy enforcing our
policy?
– Think this is an interesting area of research?
Talk to Prof. Ninghui Li
CS526, Fall 2003
32
CS526: Information Security
Chris Clifton
November 18, 2003
Network Security
Attacks and Defense
• Confidentiality on the network manageable
– Encryption to protect transmission
– Public key cryptography / key management to
verify recipient
• Integrity reducible to single system
– Digital signatures verify source
– Commit protocols handle network failure
• What about Availability?
CS526, Fall 2003
35
Network Attacks
• Flooding
– Overwhelm TCP stack on target machine
– Prevents legitimate connections
• Routing
– Misdirect traffic
• Spoofing
– Imitate legitimate source
– But we know how to handle this!
CS526, Fall 2003
36
What is a Flood attack?
• Limit availability by
– Overwhelming service
– by following service’s protocol
• Perhaps not exactly
• Examples
– SYN flood
• Overwhelms TCP stack
– Email attacks
CS526, Fall 2003
37
Syn Flood
• TCP connection multistep
– SYN to initiate
– SYN+ACK to respond
– ACK gets agreement
• Sequence numbers then
incremented for future
messages
– Ensures message order
– Retransmit if lost
– Verifies party really initiated
connection
– We’ll get back to this
CS526, Fall 2003
38
Syn Flood
• Implementation
–
–
–
–
Receive SYN
Allocate connection
Acknowledge
Wait for response
• See the problem?
Time?
– What if no response
– And many SYNs
• All space for connections
allocated
– None for legitimate ones
CS526, Fall 2003
39
Solution Ideas
• Limit connections from one source?
– But source is in packet, can be faked
• Ignore connections from illegitimate
sources
– If you know who is legitimate
– Can figure it quickly
– And the attacker doesn’t know this
• Drop oldest connection attempts
– Adaptive timeout
CS526, Fall 2003
40
Network Solutions
• TCP intercept
– Router establishes connection to client
– When connected establish with server
• Synkill
–
–
–
–
Monitor machine as “firewall”
Good addresses: history of successful connections
Bad addresses: previous timeout attempt
Block and terminate attempts from bad addresses
CS526, Fall 2003
41
Protocol solutions
• Problem: Server maintaining state
– Runs out of space
• Solution: Don’t maintain state on server
– How does it know sequence numbers?
– Encrypt in SYN response
• h(source,destination,random)+sequence+time
– Client increments this and ACKs
– Server subtracts h(), time to get sequence
• Knows if this is in valid range
CS526, Fall 2003
42
Service-Level Flooding
• Overload server
– Processing
– Storage
• Typically “garbage” requests using legitimate
protocol
– Large emails to victim
– Many http connections
– Heavy use of scripts
• Often exploit flaws in service implementation
– Self-replicating attacks
CS526, Fall 2003
43
Solutions
• Limit traffic from any source
– Still open to distributed attacks
• Quality of Service
– Guarantee service to known good sites
• Careful Programming
– Don’t allow service to defeat itself
• Throttling
– Limit traffic to any service
– Protects other services on same host
CS526, Fall 2003
44
IP-Spoofing
• Start with SYN flood to
spoofed client
• Open connection from
spoofing client to server
• Real client fails to
respond
S
– Should terminate
• Spoofing client sends
ACK
– Must guess Sequence
Number
CS526, Fall 2003
45
CS526: Information Security
Chris Clifton
November 18, 2003
Network Security
(slides courtesy Wenke Lee)
Note to 1st year SFS students
(only)
• Interested in Summer internship?
• Independent study or thesis next year?
• Did the ITSEC/Common Criteria lectures
interest you?
• If so, please talk to me after class
CS526, Fall 2003
47
Routing
Routers/
Switches
SRC
DST
I want to know
the shortest path
So, the routers must
exchange
local
information!
CS526, Fall 2003
50
IP Routing
• Routing is based on network addresses
• Routers use forwarding table
– Destination, next hop, network interface,
metric
– Table look-up for each packet
– Need to recognize address structure
• Routing information exchange allows
computation of new routes, which is used
to update the forwarding table
CS526, Fall 2003
51
Routing Protocol
Framework - Information Model
OSPF
RIPv2
RIB
Forwarding
Information
Base
FIB
FIB
RIB
BGP4
RIB
(Dest, NextHop, Routing Metrics)
Forwarding Algorithm
NPDU Header (Network Protocol Data Unit)
CS526, Fall 2003
Forwarding
Decision
52
Routing Information
• Link State: I have these links to XYZ
(routers or networks); their current status
is … (e.g., delay)
• Distance Vector: I can get to XYZ
(networks) in m hops
CS526, Fall 2003
53
Distribution of Routes Distance Vector
Every node sends its neighbor
a vector: the # of hops of
B
reaching each
other node.
A
C
CS526, Fall 2003
54
Link State
A node sends to its
neighbors the state of its
directly connected links: up/down and
costs. Each node that receives the
information forwards it to all its
neighbors.
CS526, Fall 2003
55
Routing Security

Routing Information Exchange
 correctness

of Routing Information Base
Interface between RIB and FIB
 configuration,

FIB update etc.
Kernel-Level (IP): Packet Forwarding
 Is
the packet forwarded according to the FIB?
CS526, Fall 2003
62
RIP
• Routing information protocol is a simple distance
vector protocol
• Initialization:
– When the routing daemon is initialized, it sends
requests through each network interface
– Neighboring routers will reply with routing table
information
• Updates:
– Routers advertise tables with neighbors periodically
(~30 seconds); or triggered by route changes.
CS526, Fall 2003
63
RIP - Cont’d
• To prevent route oscillation, existing routes
are retained until a new one is discovered
with strictly lower cost
• Split-Horizon Update
– Routers do not advertise a route on an
interface from which it learned of the route in
the first place!
CS526, Fall 2003
64
Properties: RIP
• Good news travels fast; Bad news travels
slowly
• Routing loop, routing inconsistency, and
slow convergence
• Security:
– Ripv2 provides simple password
authentication
– Black hole routers possible
CS526, Fall 2003
65
Route Convergence - good
news
A: 0
1
A: 1
G1
1
A: 2
G2
1
A: 3
G3
1
A: 4
G4
1
A: 5
G5
•G1 happily advertises route to network A with distance 1
•G2-G5 quickly learns the good news and install the routes
CS526, Fall 2003
66
A: 0
8
Route Convergence - bad
news
A: 3
G1
1
A: 2
G2
1
A: 3
G3
1
A: 4
G4
1
A: 5
G5
• G1’s link to A goes down
• G1 learns a ‘better’ route via G2
• Packets going to A through G2 will loop between G2 and G1
• G1 and G2 will find the cost of their routes to A slowly count
to infinity
• Use a number, e.g., 16, to approximate infinity
• Split horizon only prevents loops involving two nodes
CS526, Fall 2003
67
BlackD Hole
B
A: 3 hops
B: 2 hops
C: 2 hops
You: G
E
A
F
Your
Neighbor: H
Who won’t jump on a better route?
C
A: 1 hop
•C lies easily about routes to A
CS526, Fall 2003
•Your neighbor and you look into the ‘routes’
68
Food for Thought...
• RIP implicitly assumes: every router is
trusted and so are routing information
packets
• Every router is entitled to tell others ‘I have
a short cut to Pluto that is just one hop’
• Is it possible to prevent RIP black hole
attacks?
• Is is possible to detect RIP black routers?
CS526, Fall 2003
69
One possible improvement
• Predecessor is the second-to-last network
is the path from the source to the
destination
• Inclusion of predecessor allows implicit
reconstruction of the whole path
• Helps to validate the integrity of distance
CS526, Fall 2003
70
Predecessor
D
A: B
A: B
B
A: B
You: G
E
A
F
A: B
A: B
A: F
C
A: B
A: 1 hop
CS526, Fall 2003
Your
Neighbor: H
A: B 4
B: D 3
C: C 1
D: G 2
E: G 2
71
F: B 4
G: G 1
OSPF
• Link State routing protocol (RFC1583)
• Routers are organized in domains and
areas
• Hello message for neighbor acquisition
• Link State information are flooded through
the whole area
• A topology database is maintained by
every router
CS526, Fall 2003
72
Important LSA Fields
•
•
•
•
Advertising router ID (originator)
Advertised link or network ID
Sequence number [0x80000001,0x7fffffff]
Age [0, 60 minutes]
CS526, Fall 2003
73
When to Originate a LSA?
• Upon link state changes, or
• Upon timer expiration
CS526, Fall 2003
74
Questions to Ask:
How do you know one LSA is fresher than
the other?
 An LSA originated by you will be received
by every router; will you receive the LSA
originated by you?
 Will the sequence number wrap-around
cause any problem? (i.e., == 0x7fffffff)
 Age ==> 1 hour

CS526, Fall 2003
75
Sequence #: old vs. new LSAs
0x80000001
ATM
Next: 0x80000002
Only accept LSAs with
newer/larger Seq#.
CS526, Fall 2003
76
Sequence# & Self-Stabilization
(1). 0x90001112
up
(2). router crashes.
(3). 0x80000001.
ATM
(5). 0x90001113
up
(4). 0x90001112
an old copy still exists!
CS526, Fall 2003
77
Flushing via Premature Aging
Specified behavior when Seq# wraps around: (1),(2),(3)
(1) 0x7FFFFFFF
MaxSeq#
ATM
(2) 0x7FFFFFF with
MaxAge to purge
this entry.
CS526, Fall 2003
(3) 0x80000001.
78
Attack the Routing Infrastructure
(Vicious Advertising Routers)
Flooding
up
up
EVIL!
1. up ==> down
2. not exist ==> up
up
up
Impact varies depending on how critical the link is to the world!
CS526, Fall 2003
79
Attack the Routing Infrastructure
(Vicious Intermediate Routers)
Flooding
up
All the links
can be attacked
down
EVIL!
up
down
Authentication, please come to the rescue!
CS526, Fall 2003
80
Exchanging without LSA
Signature?
If attackers can just change the content of LSAs without
being detected, the routers must use all LSAs with care!
Seq#
ATM
CS526, Fall 2003
81
Fight-Back - Originator
Reaction
Seq#
(1) 0x90001112
(3) 0x90001114
fight-back
ATM
(2) 0x90001113
seq++ attack
CS526, Fall 2003
82
Signature - How Critical?
• Observations:
– Prolonged fight-back will not happen in real attacks
– What’s preventing the attacker from using
LS_seq=MaxSeq?
• Can you prevent false LSA without signature?
• Can you determine who did it after you realize
that you’ve been fooled without signature?
• What needs to be signed by whom anyway?
CS526, Fall 2003
83
OSPF Security Strength
• In most benign cases, if something goes
wrong, the advertising router will detect it
and try to correct it by generating new
LSAs
• The attackers have to persistently inject
bad LSAs in order for it to ‘stick’
• Self-Stabilization Protocols: force the
attackers to perform persistent attacks
CS526, Fall 2003
84
Detection of Hit-and-Run vs.
Persistent Attacks
• Hit-and-Run Attacks: Hard to
Detect/Isolate
– Inject one (or very few) bad packet but cause
lasting damaging effect
• Persistent Attacks:
– Attackers have to continuously inject attack
packets in order to inflict significant damages
• OSPF type of Link State protocols are
resilient to hit-and-run attacks
CS526, Fall 2003
85
Secure Protocol/system
Design?
• If we can force the attackers to launch
“persistent attacks,” we have a better
chance to detect and isolate the attack
sources
• OSPF flooding coupled with periodic LSA
does a fairly good job because it is
refreshing link state persistently!
• What other implications do ‘flooding’ have
on security?
CS526, Fall 2003
86
Download