Network Security IS250 Spring 2010 John Chuang Outline What is Network Security? - Security properties - Cryptographic techniques Availability (or lack thereof) - Denial of service (DoS) attacks - DDoS and botnets Operational security - Firewalls - Intrusion detection systems - Virtual private networks John Chuang 2 Securing the Network Stack Application (layer 7): various security protocols Transport (layer 4): Transport Layer Security (TLS) Network (layer 3): IPsec Data Link (layer 2): Wired Equivalent Privacy (WEP); 802.11i Physical (layer 1): control of access to cables; perimeter security; acoustic security; … HTTPS, SSH, PGP, S-BGP, DNSSEC,… TLS IPsec WEP; 802.11i; … Physical layer security Unfortunately, IP address spoofing (forging of source address) is still unsolved, and source of many network security problems. John Chuang 3 Attacks Wide ranging scope Some common attacks: Eavesdropping - passwords, credit card numbers, etc. Data tampering Impersonation - Replay attack - Man-in-the-middle attack (e.g., IP address spoofing) - Phishing attack John Chuang Unauthorized access - System vulnerabilities - Password guessing (e.g., dictionary attack) - Social engineering (e.g., bribe, black-mail) Denial-of-Service attack Spam Malware: Trojan horses, viruses, worms … 4 Security Properties “CIA” and “AAA” Confidentiality - Prevents eavesdropping Integrity - Prevents modification of data Authentication - Proves your identity to a third party; prevents impersonation Accountability (non-repudiation) - Enables failure analysis; serves as deterrent Authorization - Prevents misuse Availability - Safeguards against denial-of-service John Chuang 5 Cryptographic Techniques Encryption - Symmetric-key (e.g., AES) - Asymmetric-key (e.g., RSA) Cryptographic hash (message digest) Confidentiality Authentication Integrity - e.g., MD5, SHA-1 Digital signature John Chuang Non-Repudiation 6 Outline What is Network Security? - Security properties - Cryptographic techniques Availability (or lack thereof) - Denial of service (DoS) attacks - DDoS and botnets Operational security - Firewalls - Intrusion detection systems - Virtual private networks John Chuang 11 Availability Denial-of-Service (DoS) Attack: - Make a computer resource or service unavailable to users by overwhelming the computational and/or communication resources of the victim system DoS statistics (Moore et al., Usenix 2001): - Prevalence: 13,000 DoS attacks recorded in 3 weeks - Duration: an attack can last for hours - Intensity: 600,000 packets per second 2008 ISP Infrastructure Security Report (Arbor, 2008) - Largest DDoS attack peak traffic volume of 40Gbps John Chuang 12 TCP SYN Flood Attack Recall TCP session establishment - A B: SYN - B A: SYN + ACK - A B: ACK B has to keep state for every half-open connection, and an idle connection is closed only after long timeout An attacker sends many SYN messages (with spoofed source IP addresses) to victim B Legitimate clients cannot establish TCP session with B John Chuang 13 http://bluebuddies.com/gallery/Smurf_Art_Showcase/gif/Impus_Art_Smurf_Attack.gif Smurf Attack ICMP Echo Request attack Attacker sends ICMP Echo Request (ping) messages to IP broadcast addresses (e.g., 128.32.255.255) These ping messages have spoofed IP source address of target victim Hosts receiving the Echo Request messages will respond with Echo Response (pong) messages Target is flooded with ICMP Echo Response (pong) messages This is an example of a reflected attack John Chuang 14 Distributed DoS (DDoS) Attack Attacker takes over machines via viruses and launches DoS attacks from these “zombies” or “bots” Largest botnets can have millions of bots Defensive approaches: filtering, traceback Misaligned incentives an important contributor - Many owners unaware that their machine is a zombie - Owners not motivated to diligently patch their machines to protect against malware in the absence of perceived harm John Chuang 15 Botnets (Application layer overlay) network of bots (Trojan horses) under the command & control of botnet operator Botnet operators may control millions of machines and use them to launch DDoS attacks, send spam, perform keylogging, commit click fraud,… - Estimate: 70-90% of spam come from botnets Underground market for botnet service - e.g., $500 for a DDoS attack using 10K bots - e.g., sites asked to pay $10-50k in extortion John Chuang 16 Outline What is Network Security? - Security properties - Cryptographic techniques Availability (or lack thereof) - Denial of service (DoS) attacks - DDoS and botnets Operational security - Firewalls - Intrusion detection systems - Virtual private networks John Chuang 17 http://www.randommart.com/images/firewall_1_images/firewall.diagram2.gif Firewall A firewall isolates an organization’s internal network from the public Internet - All traffic must pass through firewall - Only authorized traffic, as defined by local security policy, can pass Two basic types: packet filter, application gateway John Chuang 18 Firewall Policy Examples Policy Firewall Setting No outside web access Drop all outgoing packets to any IP address, destination port 80 No incoming TCP connections, except to public web server at IP address 1.2.3.4 Drop all incoming TCP SYN packets to any IP except 1.2.3.4, port 80 Allow DNS packets to leave network Allow outgoing UDP packets to any IP address, destination port 53 Prevent your network from being tracerouted Drop all outgoing ICMP TTL expired traffic Prevent your network from being used for a Smurf attack Drop all ICMP ping packets going to a broadcast address John Chuang 19 Application Gateway Filters packets on application data as well as on IP/TCP/UDP fields host-to-gateway telnet session application gateway gateway-to-remote host telnet session router and filter Source: Kurose and Ross, Computer Networking, 5th Edition Example: allow select internal users to telnet outside 1. 2. 3. require all telnet users to telnet through gateway for authorized users, gateway sets up telnet connection to destination host. Gateway relays data between 2 connections router filter blocks all telnet connections not originating from gateway John Chuang 20 Intrusion Detection System Monitors and reports suspicious traffic by performing deep packet inspection - Signature-based or Anomaly-based application gateway firewall Internet internal network IDS sensors Web server FTP server John Chuang DNS server demilitarized zone (DMZ) Source: Kurose and Ross, Computer Networking, 5th Edition 21 Virtual Private Networks Problem: - build a corporate intranet for an organization with multiple sites Solutions: - Public internet connections (low cost) - Private (dedicated) network connections (confidential) - Virtual Private Network (both confidentiality and low cost) - Implemented in software John Chuang 22 VPN VPN software in router at each site gives appearance of a private network Implementation: - Obtain internet connection for each site - Choose router at each site to run VPN software - Configure VPN software in each router to know about the VPN routers at other sites - VPN software acts as a packet filter; next hop for outgoing datagram is another VPN router - Outgoing datagrams encrypted using IPsec John Chuang 23 IPSec (RFC 2402, 2406) Transport mode: payload encrypted; not header Tunneling mode: entire packet encrypted; then encapsulated in separate packet (to keep source/destination addresses confidential) Example: - Datagram from host x at site 1 to host y at site 2 - Router R1 on site 1 encrypts, encapsulates in new datagram for transmission to router R2 on site 2 John Chuang Source: Doug Comer 24