Network Defense
Khaled Harras
School of Computer Science, Carnegie Mellon University
15-349 Computer and Network Security, Fall 2012
Some material borrowed from Hui Zhang and Adrian Perrig and Google Images

What did we talk about?

Review
Why are networks vulnerable?
» Anonymity, distance, multiple attack points, sharing, complexity, heterogeneity, vague routes, insecure protocols
Why attack networks?
» Challenge, fame, money, and ideology
How to prepare for war?
» Reconnaissance: port scanning
» Intelligence: social engineering, dumpster diving, eavesdropping on people, befriending, documentation, blogs, etc.
» Interception: eavesdropping, wiretapping. Depends on the medium.
» Attacks: authentication, spoofing (masquerading, phishing, man-in-the-middle), web vulnerabilities, and DoS

Summarize Threat List
Intercepting data in traffic
Accessing/modifying programs or data at remote hosts
Modifying data in transit
Inserting communications
User impersonation
Blocking selected or all traffic
Running remote programs

Wear your security hats…
Today, we’re the good guys!
Revisit each attack… How do we defend?

Network Segmentation & Redundancy
Segmentation
» Web server handles HTTP requests
» Application code server
» Database
Redundancy
» Avoid putting all eggs in one basket
» Avoid single points of failure
» Minimize risk through distribution and replication
» Ex: database information can be kept on multiple redundant servers, or the data can be distributed over these servers

Encryption – Where?
[Figure. Source: www.tcpipguide.com]

Encryption
Very effective and versatile
» Good encryption with bad design = disaster!
» As secure as the key management structure
» Securely distribute keys
Link Encryption
» Performed at the lower layers
» Clear text exposed to all intermediate hosts
» Works best if we are worried about the transmission line
» All hosts must share the key
End-to-End Encryption
» Performed at higher layers
» Protected across hosts
» Selective usage

Firewalls
Traditionally, protects cities against raids/hits
Acts as an access control device between two networks
Filters traffic between inside (trusted) and outside (dangerous) networks
They provide many functions; more detail in the next lecture

Virtual Private Networks (VPNs)
Perimeter-based defense is relatively easy
How to “feel” like being on the local network when you are not?
Use firewalls to implement VPNs, through which a user requests such a session
Negotiate an encryption key between them, and an encrypted tunnel is created
Virtual, LAN-based IPs can be given -> IP within IP

Individual Secure Connections: SSH
SSH – Secure Shell
» SSH versions 1 and 2 provide an authenticated/encrypted path to remote system shells
» SSH replaces Telnet, rlogin, rsh for remote access
» Negotiates encryption algorithms (AES, DES, etc.) and authentication (public key and Kerberos)
» Guarantees integrity as well: detects if data is altered in transit

Individual Secure Connections: SSL
SSL – Secure Socket Layer
» TLS (Transport Layer Security) is really SSL v3.1
» Provides server and optional client authentication, as well as encrypted communication
» Most widely used secure communication protocol on the Internet
» Does it protect against key loggers?

IPSec
Where was the bottleneck in layers?
Operates on Layer 3 (where did SSL and SSH operate?)
Similar to SSL
» Supports authentication and confidentiality
» Independent of cryptographic protocols
Optional in IPv4, mandatory in IPv6 (why?)
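The firewall and segmentation slides describe a packet filter sitting between trusted and untrusted networks and a web / application / database split in which each tier may only talk to the next. The following is an added example, not code from the lecture: a small first-match-wins packet filter over constructed rules and packets. The tier addresses (10.1.0.10 web, 10.2.0.0/24 app, 10.3.0.0/24 database) and the blocked outside range 203.0.113.0/24 are assumptions chosen for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: only the fields a stateless filter looks at."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None     # destination port (None for icmp)


@dataclass(frozen=True)
class Rule:
    action: str                                 # "allow" or "deny"
    src: ipaddress.IPv4Network = ANY            # source range
    dst: ipaddress.IPv4Network = ANY            # destination range
    proto: Optional[str] = None                 # None matches any protocol
    dport: Optional[int] = None                 # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


class PacketFilter:
    """First matching rule decides; anything that matches no rule gets the default.
    A default of "deny" is what makes the tier separation hold."""

    def __init__(self, rules, default="deny"):
        self.rules = list(rules)
        self.default = default

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


# Assumed segmentation: one web server, an application subnet, a database subnet.
WEB = net("10.1.0.10/32")
APP = net("10.2.0.0/24")
DB = net("10.3.0.0/24")

POLICY = PacketFilter([
    # Explicit deny placed first: rule order matters in a first-match filter.
    Rule("deny", src=net("203.0.113.0/24"), dst=WEB),
    # Anyone may reach the web server on HTTP only.
    Rule("allow", dst=WEB, proto="tcp", dport=80),
    # Only the web tier may reach the application tier.
    Rule("allow", src=WEB, dst=APP, proto="tcp", dport=8080),
    # Only the application tier may reach the database.
    Rule("allow", src=APP, dst=DB, proto="tcp", dport=5432),
])


def run_demo() -> dict:
    """Evaluate constructed sample packets against the policy; returns name -> decision."""
    samples = {
        "internet_to_web_http": Packet("198.51.100.7", "10.1.0.10", "tcp", 80),
        "internet_to_web_ssh": Packet("198.51.100.7", "10.1.0.10", "tcp", 22),
        "blocked_range_to_web": Packet("203.0.113.9", "10.1.0.10", "tcp", 80),
        "internet_to_db": Packet("198.51.100.7", "10.3.0.5", "tcp", 5432),
        "web_to_app": Packet("10.1.0.10", "10.2.0.4", "tcp", 8080),
        "web_to_db_direct": Packet("10.1.0.10", "10.3.0.5", "tcp", 5432),
        "app_to_db": Packet("10.2.0.4", "10.3.0.5", "tcp", 5432),
    }
    return {name: POLICY.decide(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:24s} {verdict}")
```

The point the demo makes is that the database is unreachable from the Internet and even from the web tier, so a compromised web server still has to go through the application tier; the explicit deny at the top shows why rule ordering has to be reviewed whenever a rule is added.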
Uses a security association, which consists of:
» Internet Key Exchange (IKE) for key management
» Authentication Header (AH) to provide integrity
» Encapsulating Security Payload (ESP) to provide confidentiality

IPSec – Transport Mode
[Figure. Source: www.tcpipguide.com]

IPSec
[Figure]

IPSec – Tunnel Mode
[Figure. Source: www.tcpipguide.com]

Wireless Security
Each Access Point (AP) is identified by its Service Set Identifier (SSID)
Default names, default announcement (open mode)
Client calls for connection, APs respond
Stealth mode: client targets a specific SSID in its call
Link-layer encryption is needed for protection against sniffers
» WEP: Wired Equivalent Privacy. 64- or 128-bit encryption key. Not that strong.
» WPA: Wi-Fi Protected Access.

Wireless Security – WPA vs WEP
WEP (Wired Equivalent Privacy) uses an unchanged encryption key until the user changes it on both sides.
WPA (Wi-Fi Protected Access) changes the key on every packet batch using the Temporal Key Integrity Protocol (TKIP).
WEP uses the encryption key for authentication. WPA uses the Extensible Authentication Protocol (EAP), by which authentication is done via password, certificate or other means.
WEP uses RC4. Has many flaws. Both support RC4, but WPA2 adds AES.

Next Lecture…
More on Firewalls and Intrusion Detection Systems
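Two of the slides above make claims that are easier to see in code: the SSH slide says a secure channel detects data altered in transit, and the WPA vs WEP slide says WEP keeps one unchanged key while WPA changes the key per packet batch. The block below is an added example, not code from the lecture or from any of the protocols named. It uses a toy stream cipher (a SHA-256 counter-mode keystream standing in for RC4; it is not a real cipher) to show why a static key with a repeating IV leaks the XOR of two plaintexts, why a per-packet key derivation removes that leak, and how an encrypt-then-MAC check rejects a packet modified in transit or replayed under another sequence number. The `per_packet_key` mixing function is hypothetical and is not how TKIP is built; the keys and packets are constructed values.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256. Any stream cipher (RC4 included)
    behaves the same way when the keystream is reused; this one is only for the demo."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Same function decrypts, since XOR with the keystream is its own inverse.
    return xor(data, keystream(key, nonce, len(data)))


# --- WEP-style: one static key, a short IV that eventually repeats ------------
def static_key_reuse_leaks(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Two packets under the same key and IV share a keystream, so XOR of the
    ciphertexts equals XOR of the plaintexts: the sniffer learns p1 ^ p2."""
    c1 = stream_encrypt(key, iv, p1)
    c2 = stream_encrypt(key, iv, p2)
    n = min(len(p1), len(p2))
    return xor(c1, c2)[:n] == xor(p1, p2)[:n]


# --- WPA/TKIP-style idea: mix a per-packet sequence number into the key -------
def per_packet_key(master: bytes, seq: int) -> bytes:
    # Hypothetical mixing function; real TKIP uses a different construction.
    return hashlib.sha256(b"pkt" + master + seq.to_bytes(6, "big")).digest()


def per_packet_keys_leak(master: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Same IV, but packets 1 and 2 get different derived keys, so their
    keystreams differ and the XOR relation above no longer holds."""
    c1 = stream_encrypt(per_packet_key(master, 1), iv, p1)
    c2 = stream_encrypt(per_packet_key(master, 2), iv, p2)
    n = min(len(p1), len(p2))
    return xor(c1, c2)[:n] == xor(p1, p2)[:n]


# --- Integrity: encrypt-then-MAC, as a secure channel like SSH provides --------
def mac_key(master: bytes) -> bytes:
    return hashlib.sha256(b"mac" + master).digest()


def seal(master: bytes, seq: int, plaintext: bytes):
    """Encrypt under the per-packet key, then MAC the sequence number and ciphertext."""
    ct = stream_encrypt(per_packet_key(master, seq), b"", plaintext)
    tag = hmac.new(mac_key(master), seq.to_bytes(6, "big") + ct, "sha256").digest()
    return ct, tag


def open_sealed(master: bytes, seq: int, ct: bytes, tag: bytes):
    """Verify the tag before decrypting; return None for anything altered or replayed."""
    expected = hmac.new(mac_key(master), seq.to_bytes(6, "big") + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return stream_encrypt(per_packet_key(master, seq), b"", ct)


def tamper_demo() -> dict:
    master = b"\x01" * 16                       # constructed demo key
    msg = b"transfer $100 to bob"
    ct, tag = seal(master, 7, msg)
    accepted = open_sealed(master, 7, ct, tag)                   # untouched packet
    flipped = bytes([ct[0] ^ 0x01]) + ct[1:]                     # one bit changed in transit
    tampered = open_sealed(master, 7, flipped, tag)
    replayed = open_sealed(master, 8, ct, tag)                   # same bytes, other sequence number
    return {"accepted": accepted, "tampered": tampered, "replayed": replayed}


if __name__ == "__main__":
    key, iv = b"static-wep-key", b"\x00\x00\x01"
    print("static key leaks p1^p2:", static_key_reuse_leaks(key, iv, b"GET /index.html", b"GET /secret.txt"))
    print("per-packet keys leak:  ", per_packet_keys_leak(key, iv, b"GET /index.html", b"GET /secret.txt"))
    print(tamper_demo())
```

The lesson for the WEP slide is that the weakness does not depend on RC4 specifically: any stream cipher driven by an unchanged key and a 24-bit IV will repeat keystream, which is why WPA derives a fresh key per packet. For the SSH slide, note that decryption alone would silently return garbage for the flipped ciphertext; only the MAC check turns "altered in transit" into a rejected packet.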