Network Defense
Khaled Harras
School of Computer Science
Carnegie Mellon University
15-349 Computer and Network Security
Fall 2012
Some material borrowed from Hui Zhang and Adrian Perrig and google images
What did we talk about?
Review

Why are networks vulnerable?
» Anonymity, distance, multiple attack points, sharing, complexity,
heterogeneity, vague routes, insecure protocols

Why attack networks?
» Challenge, fame, money, and ideology

How to prepare for war?
» Reconnaissance: Port Scanning
» Intelligence: Social Engineering, Dumpster diving, Eavesdropping on
people, befriending, documentation, blogs…etc
» Interception: Eavesdropping, wiretapping. Depends on Medium.
» Attacks: Authentication, Spoofing (Masquerading, Phishing, Man-in-the-middle), Web vulnerabilities, and DoS
Summarize Threat List
Intercepting data in traffic
Accessing/modifying programs or data at remote hosts
Modifying data in transit
Inserting communications
User impersonation
Blocking selected or all traffic
Running remote programs
Wear your security hats…
Today, we’re the good guys!
Revisit each attack…
How do we defend?
Network Segmentation & Redundancy

Segmentation
» Web server handles http requests
» Application code server
» Database

Redundancy
» Avoid putting all eggs in one basket
» Avoid single points of failure
» Minimizing risk through distribution and replication
» Ex: Database information can have multiple redundant servers, or data can be distributed over these servers
Encryption – Where?
Source: www.tcpipguide.com
Encryption

Very effective and versatile
» Good encryption with bad design = disaster!
» As secure as the key management structure
» Securely distribute keys

Link Encryption
» Performed at the lower layer
» Clear text exposed to all intermediate hosts
» Works best if we are worried about the transmission line
» All hosts must share key

End-to-End Encryption
» Performed at higher layers
» Protected across hosts
» Selective usage
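To make the link vs. end-to-end contrast concrete, here is an added Python simulation that is not part of the lecture: a message travels Alice -> R1 -> R2 -> Bob, and each mode records which hosts end up holding the clear text. The path, the keys, the message and the HMAC-based toy keystream are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed example path: Alice -> R1 -> R2 -> Bob (R1, R2 are intermediate hosts).
PATH = ["alice", "r1", "r2", "bob"]
# Link encryption: one key shared by each adjacent pair (constructed values).
LINK_KEYS = {("alice", "r1"): b"k-alice-r1", ("r1", "r2"): b"k-r1-r2", ("r2", "bob"): b"k-r2-bob"}
# End-to-end encryption: one key known only to Alice and Bob (constructed value).
E2E_KEY = b"k-alice-bob"
MESSAGE = b"transfer $500 to account 42"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream from HMAC-SHA256 in counter mode (stands in for a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, data: bytes, nonce: bytes = b"demo") -> bytes:
    """Encrypt or decrypt: XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def link_encrypted_delivery(message: bytes) -> dict:
    """Link encryption: every hop decrypts with the inbound link key (so it holds the
    clear text) and re-encrypts with the outbound key. Returns the clear text each
    host holds and the bytes carried on each link."""
    cleartext_at, on_wire, payload = {PATH[0]: message}, {}, message
    for src, dst in zip(PATH, PATH[1:]):
        on_wire[(src, dst)] = xor_crypt(LINK_KEYS[(src, dst)], payload)  # this link only
        payload = xor_crypt(LINK_KEYS[(src, dst)], on_wire[(src, dst)])  # dst must decrypt
        cleartext_at[dst] = payload
    return {"hosts": cleartext_at, "wire": on_wire}


def end_to_end_delivery(message: bytes) -> dict:
    """End-to-end encryption: only the endpoints hold the key; intermediate hosts
    forward the ciphertext unchanged, so routers and the wire see the same bytes."""
    wire = xor_crypt(E2E_KEY, message)
    hosts = {host: wire for host in PATH[1:-1]}      # routers hold only ciphertext
    hosts[PATH[0]] = message
    hosts[PATH[-1]] = xor_crypt(E2E_KEY, wire)       # Bob recovers the plaintext
    return {"hosts": hosts, "wire": {link: wire for link in zip(PATH, PATH[1:])}}


def exposed_hosts(delivery: dict, message: bytes) -> list:
    """Intermediate hosts (not the endpoints) that can read the message."""
    return [h for h in PATH[1:-1] if delivery["hosts"][h] == message]
```

Both modes keep the message off the wire in the clear; only end-to-end keeps it away from the intermediate hosts.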
Firewalls

Traditionally, protects cities against raids/hits
Acts as an access control device between two networks
Filters traffic between inside (trusted) and outside (dangerous) networks
They provide many functions; we will talk about them in more detail next lecture
Virtual Private Networks (VPNs)

Perimeter-based defense is relatively easy
How to “feel” like being on the local network when you are not?
Use Firewalls to implement VPNs through which a user requests such a session
Negotiate encryption key between them, and an encrypted tunnel is created
Virtual, LAN based IPs can be given -> IP within IP
Individual Secure Connections – SSH

SSH – Secure Shell
» SSH versions 1 and 2 provide an authenticated/encrypted path to remote system shells
» SSH replaces Telnet, rlogin, rsh for remote access
» Negotiates encryption algorithms (AES, DES…etc) and authentication (Public key and Kerberos)
» Guarantees Integrity as well. Detects if data is altered in transit.
Individual Secure Connections – SSL

SSL – Secure Socket Layer
» TLS (transport layer security) is really SSL v3.1
» Provides server and optional client authentication, as well as encrypted communication
» Most widely used secure communication protocol on the Internet
» Does it protect against key loggers?
IPSec

Where was the bottleneck in layers?
Operates on Layer 3 (where did SSL and SSH operate?)
Similar to SSL
» Supports authentication and confidentiality
» Independent of cryptographic protocols

Optional in IPv4, mandatory in IPv6 (why?)
Uses a security association which consists of:
» Internet Key Exchange (IKE) for key management
» Authentication Header (AH) to provide integrity
» Encapsulating Security Payload (ESP) to provide confidentiality
IPSec – Transport Mode
Source: www.tcpipguide.com
IPSec
IPSec – Tunnel Mode
Source: www.tcpipguide.com
Wireless Security

Each Access Point (AP) is identified by its Service Set Identifier (SSID)
Default names, default announcement (open mode)
Client calls for connection, APs respond
Stealth mode, client targets a specific SSID in its call
Link Layer Encryption is needed for protection against sniffers
» WEP: Wired Equivalent Privacy. 64 or 128-bit encryption key. Not that strong.
» WPA: Wifi Protected Access.
Wireless Security – WPA vs WEP

WEP (Wired Equivalent Privacy) uses an unchanged encryption key until the user changes it on both sides.
WPA (Wifi Protected Access) changes the key on every packet batch using the Temporal Key Integrity Protocol (TKIP).
WEP uses the encryption key for authentication. WPA uses the Extensible Authentication Protocol (EAP), by which authentication is done via password, certificate or other.
WEP uses RC4 and has many flaws. Both support RC4, but WPA2 adds AES.
Next Lecture…
More on Firewalls and
Intrusion Detection Systems