Telecommunications and Network Security
Dr. Bhavani Thuraisingham
The University of Texas at Dallas (UTD)
July 2013

Domain Agenda
• Networks
• Network Security
• Physical
• Data Link
• Network
• Transport
• Session
• Presentation
• Application
• Telephony
• Services

OSI Model
• The Open Systems Interconnection model (OSI model) is a product of the Open Systems Interconnection effort at the International Organization for Standardization.
• It is a way of sub-dividing a communications system into smaller parts called layers. A layer is a collection of conceptually similar functions that provide services to the layer above it and receive services from the layer below it.
• On each layer an instance provides services to the instances at the layer above and requests service from the layer below.

OSI Reference Model
• Layer 7: Application
• Layer 6: Presentation
• Layer 5: Session
• Layer 4: Transport
• Layer 3: Network
• Layer 2: Data Link
• Layer 1: Physical

TCP/IP
• In the TCP/IP model of the Internet, protocols are not as rigidly designed into strict layers as in the OSI model.
• TCP/IP does recognize four broad layers of functionality, derived from the operating scope of their contained protocols: the scope of the software application, the end-to-end transport connection, the internetworking range, and lastly the scope of the direct links to other nodes on the local network.
• The Internet Application Layer includes the OSI Application Layer, Presentation Layer, and most of the Session Layer. Its end-to-end Transport Layer includes the graceful close function of the OSI Session Layer as well as the OSI Transport Layer. The internetworking layer is a subset of the OSI Network Layer, while the Link Layer includes the OSI Data Link and Physical Layers, as well as parts of OSI's Network Layer.
Network Security
• Issues and Concerns
  – Non-repudiation
  – Redundancy
• Risks
  – Network is the key asset in many organizations
  – Network attacks
• Attacks
  – Network as a channel for attacks
  – Network as the target of attack

Network Security
• Defense in Depth
  – Series of hurdles
  – Collection of controls
• Security controls:
  – Are built around social, organizational, procedural and technical activities
  – Will be based on the organization's security policy
• Security Objectives and Attacks
  – Business risk vs. security solutions
  – Attack scenarios
  – Network entry point
    • Inbound vs. outbound attacks
• Methodology of Attack
  – Attack trees
  – Path of least resistance
• Acquisition: Target Related Issues
  – Attacks start by gathering intelligence
  – Controls
    • Limit information on a network; distract an attacker
• Analysis
  – Analyze target for security weaknesses
• Access
  – Obtain access to the system
  – Manage user privileges
  – Monitor access
• Target Appropriation
  – Escalation of privileges
  – Attacker may seek sustained control of the system
  – Controls against privilege escalation

Network Security Tools
• Tools automate the attack processes
• Network security is more than just technical implementations
• Scanners
  – Discovery scanning
  – Compliance scanning
  – Vulnerability scanning

Layer 1: Physical Layer
• Bits are converted into signals
• All signal processing is handled here
• Physical topologies

Communication Technology
• Analog Communication
  – Analog signals use frequency and amplitude
  – Transmitted on wires or with wireless devices
• Digital Communication
  – Uses different electronic states
  – Can be transmitted over most media
  – Integrity of digital communication is easier to maintain
  – Digital communication brings quantitative and qualitative enhancements

Network Topology
• Even small networks are complex
• Network topology and layout affect scalability and security
• Wireless networks also have a topology
• Ring Topology
  – Closed-loop topology
  – Advantages
    • Deterministic
  – Disadvantages
    • Single point of failure

Network Topology
• Bus Topology
  – LAN with a central cable to which all nodes connect
  – Advantages
    • Scalable; permits node failure
  – Disadvantages
    • Bus failure
• Tree Topology
  – Devices connect to a branch on the network
  – Advantages
    • Scalable; permits node failure
  – Disadvantages
    • Failures split the network

Network Topology
• Mesh Topology
  – Every node in the network is connected to every other node in the network
  – Advantages
    • Redundancy
  – Disadvantages
    • Expensive; complex; scalability
• Star Topology
  – All of the nodes connect to a central device
  – Advantages
    • Permits node/cable failure; scalable
  – Disadvantages
    • Single point of failure

Cable Selection Considerations
• Throughput
• Distance between devices
• Data sensitivity
• Environment
• Twisted Pair
  – One of the simplest and cheapest cabling technologies
  – Unshielded (UTP) or shielded (STP)

Unshielded Twisted Pair (UTP)
Category    | Transmission Rate | Use
Category 1  | < 1 Mbps          | Analog voice and Basic Rate Interface (BRI) in Integrated Services Digital Network (ISDN)
Category 2  | < 4 Mbps          | 4 Mbps IBM Token Ring LAN
Category 3  | 16 Mbps           | 10Base-T Ethernet
Category 4  | 20 Mbps           | 16 Mbps Token Ring
Category 5  | 100 Mbps          | 100Base-TX and Asynchronous Transfer Mode (ATM)
Category 5e | 1000 Mbps         | 1000Base-T Ethernet
Category 6  | 1000 Mbps         | 1000Base-T Ethernet

Coaxial Cable (Coax)
• Conducting wire is thicker than twisted pair
  – Bandwidth
  – Length
• Expensive and physically stiff

Fiber Optics
• Three components
  – Light source
  – Optical fiber cable
    • Two types
  – Light detector
• Advantages
• Disadvantages

Wireless Transmission Technologies
• 802.11 – WLAN
• 802.16 – WMAN, WiMAX
• Satellite
• Bluetooth
• IrDA
• Microwave
• Optical Wireless

Multiplexing Technologies
Technology                                        | Principle                                       | Objective
Direct Sequence Spread Spectrum (DSSS)            | Spread transmission over a wider frequency band | Signal less susceptible to noise
Frequency-Hopping Spread Spectrum (FHSS)          | Spread signal over rapidly changing frequencies | Interference
Orthogonal Frequency Division Multiplexing (OFDM) | Signal is subdivided into sub-frequency bands   |

Physical Layer: Equipment Agenda
• Patch panel
• Modem
• Cable modem
• Digital subscriber line
• Hub and repeater
• Wireless access points

Physical Layer: Equipment
• Patch Panels
  – Provide a physical cross-connect point for devices
  – Alternative to directly connecting devices
  – Centralized management
• Modem
  – Converts a digital signal to analog
  – Provides little security
    • War dialing
    • Unauthorized modems

Physical Layer: Equipment
• Cable Modem
  – The PC's Ethernet NIC connects to a cable modem
  – Modem and head-end exchange cryptographic keys
  – Cable modems increase the need to observe good security practices
• Digital Subscriber Line
  – Uses CAT-3 cables and the local loop
    • Asymmetric Digital Subscriber Line (ADSL)
    • Rate-Adaptive DSL (RADSL)
    • Symmetric Digital Subscriber Line (SDSL)
    • Very high bit rate DSL (VDSL)

Physical Layer: Equipment
• Hubs
  – Used to implement a physical star/logical bus topology
  – All devices can read and potentially modify the traffic of other devices
• Repeaters
  – Allow greater distances between devices
• Wireless Access Points (WAPs)
  – Access Point (AP)
  – Multiple Input Multiple Output (MIMO)

Standard Connections
• Types of connectors
  – RJ-11
  – RJ-45
  – BNC
  – RS-232
• Cabling standards
  – TIA/EIA-568

Physical Layer Threats and Controls
• Attacking
  – Wire
  – Wireless
  – Equipment: modems
• Controls
  – Wire
    • Shielding
    • Conduit
    • Faraday cage
  – Wireless
    • Encryption
    • Authentication
  – Equipment
    • Locked doors and cabinets

Layer 2: Data Link Layer
• Connects layers 1 and 3
• Converts data from a signal into a frame
• Transmits frames to devices
• Link-layer encryption
• Determines network transmission format

Synchronous/Asynchronous Communications
• Synchronous
  – Timing mechanism synchronizes data transmission
  – Robust error checking
  – Practical for high-speed, high-volume data
• Asynchronous
  – Clocking mechanism is not used
  – Surrounds each byte with bits that mark the beginning and end of transmission

Unicast, Multicast and Broadcast Transmissions
• Multicasts
• Broadcasts
  – Do not use reliable sessions
• Unicast

Unicast – Point-to-Point
• ISDN (Integrated Services Digital Network)
• T's (T Carriers)
• E's (E Carriers)
• OC's (Optical Carriers)

Integrated Services Digital Network (ISDN)
B (Bearer) Channel                          | 64 kbit/s
D (Delta) Channel                           | 16 kbit/s
BRI (Basic Rate Interface)                  | 2B + 1D = 144 kbit/s
PRI (Primary Rate Interface), North America | 23B + 1D = 1.55 Mbit/s (T1)
PRI, Europe and Australia                   | 30B + 1D = 2 Mbit/s (E1)

"T" Carrier
Channel | Multiplex Ratio     | Bandwidth
T1      | 1 x T1              | 1.544 Mbps
T2      | 4 x T1              | 6.312 Mbps
T3      | 7 x T2 = 28 x T1    | 44.736 Mbps
T4      | 6 x T3 = 168 x T1   | 274.176 Mbps

"E" Carrier
Channel | Multiplex Ratio     | Bandwidth
E1      | 1 x E1              | 2.058 Mbps
E2      | 4 x E1              | 8.848 Mbps
E3      | 4 x E2 = 16 x E1    | 34.304 Mbps
E4      | 4 x E3 = 64 x E1    | 139.264 Mbps

"OC" Optical Carrier
STS Optical Level | Bandwidth
OC1               | 51.84 Mbps
OC3               | 155.52 Mbps
OC12              | 622.08 Mbps
OC48              | 2488.32 Mbps
OC192             | 9953.28 Mbps

Circuit-switched vs. Packet-switched Networks
• Circuit-switched
  – Dedicated circuit between endpoints
  – Endpoints have exclusive use of the circuit and its bandwidth
• Packet-switched
  – Data is divided into packets and transmitted on a shared network
  – Each packet can be independently routed on the network

Switched vs. Permanent Virtual Circuits
• Permanent Virtual Circuits (PVC)
• Switched Virtual Circuits (SVC)

Carrier Sense Multiple Access
• Only one device may transmit at a time
• There are two variations
  – Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA)
  – Carrier Sense Multiple Access with Collision Detection (CSMA/CD)

Polling to Avoid Contention
• Slave device needs permission from a master device
• Used mostly in mainframe protocols
• Optional function of the IEEE 802.11 standard

Token Passing
• A token is a special frame that circulates through the ring
• Device must possess the token to transmit
• Token passing is used in Token Ring (IEEE 802.5) and FDDI

Bridges and Switches
• Bridges
  – Layer 2 devices that filter traffic between segments based on MAC addresses
  – Can connect LANs with unlike media types
  – Simple bridges do not reformat frames
• Switches
  – Multi-port devices to connect LAN hosts
  – Forward frames only to the specified MAC address
  – Increasingly sophisticated
  – Also forward broadcasts

Multiplexer/Demultiplexer
• Combining or splitting signals
• Technologies
  – TDM – Time
  – FDM – Frequency
  – WDM – Wavelength

Wireless Local Area Networks
• Allow mobile users to remain connected
• Extend LANs beyond physical boundaries

Wireless Standards: IEEE 802
• 802.11b
• 802.11a
• 802.11g
• 802.11n / Multiple Input Multiple Output
• 802.11i / Security
• 802.16 / WiMAX
• 802.15 / Bluetooth
• 802.1X / Port security

Ethernet (IEEE 802.3)
• Most popular LAN architecture
• Supports bus, star, and point-to-point topologies
• Currently supports speeds up to 10000 Mbps

Protocols
• Address Resolution Protocols (ARP)
  – ARP (RFC 826)
  – RARP (RFC 903)
  – ARP cache poisoning
• Point-to-Point Protocol (PPP)
  – RFC 1331
    • Encapsulation
    • Link Control Protocol (LCP)
    • Network Control Protocols
• Password Authentication Protocol (PAP)
  – Identification and authentication of remote entity
  – Uses a clear-text, reusable (static) password
  – Supported by most network devices
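The PAP bullets above describe a clear-text, reusable password, and the CHAP slide that follows replaces it with a one-way hash over a nonce. The Python below is an added example, not part of the slides: it models both sides of each exchange in one process so the two properties can be compared directly. The user database and credential are constructed, and the response computation MD5(Identifier || secret || Challenge) is the one specified in RFC 1994, which the slides do not cite.

```python
"""PAP vs. CHAP over a simulated PPP link (added example, not from the slides)."""
import hashlib
import hmac
import os

# Constructed credential shared by peer and authenticator. CHAP needs the
# authenticator to hold the secret in recoverable form, which is why the
# slides note that the standard password database is unencrypted.
USER_DB = {"alice": b"correct horse battery staple"}


def pap_authenticate_request(user, password):
    """PAP: the peer puts the reusable password on the wire in clear text."""
    return {"type": "Authenticate-Request", "peer_id": user, "password": password}


def pap_verify(request):
    """PAP authenticator: compare the clear-text password it received."""
    stored = USER_DB.get(request["peer_id"])
    return stored is not None and hmac.compare_digest(stored, request["password"])


def chap_challenge(identifier):
    """CHAP step 1: the authenticator sends a fresh random nonce plus an ID."""
    return {"type": "Challenge", "id": identifier, "value": os.urandom(16)}


def chap_response_value(identifier, secret, challenge_value):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge_value).digest()


def chap_response(challenge, user, secret):
    """CHAP step 2: the peer answers with the one-way hash, never the secret."""
    value = chap_response_value(challenge["id"], secret, challenge["value"])
    return {"type": "Response", "id": challenge["id"], "name": user, "value": value}


def chap_verify(challenge, response):
    """CHAP step 3: the authenticator recomputes the hash and accepts or rejects.

    The ID must match the outstanding challenge, so a stale Response cannot be
    matched against a newer Challenge; re-validation simply repeats steps 1-3.
    """
    if response["id"] != challenge["id"]:
        return False
    secret = USER_DB.get(response["name"])
    if secret is None:
        return False
    expected = chap_response_value(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])


def sniffer_sees_secret(message):
    """What a link-layer sniffer learns: does the frame carry the shared secret?"""
    secret = USER_DB[message.get("peer_id") or message.get("name")]
    return any(isinstance(v, bytes) and secret in v for v in message.values())


def replay_succeeds(protocol):
    """Record one authentication and present it again in a later session."""
    if protocol == "PAP":
        captured = pap_authenticate_request("alice", USER_DB["alice"])
        return pap_verify(captured)          # identical bytes every time: accepted
    first = chap_challenge(1)
    captured = chap_response(first, "alice", USER_DB["alice"])
    later = chap_challenge(2)                # new nonce and ID for the new session
    return chap_verify(later, captured)      # stale hash: rejected


if __name__ == "__main__":
    pap_msg = pap_authenticate_request("alice", USER_DB["alice"])
    print("PAP  secret visible to sniffer:", sniffer_sees_secret(pap_msg))
    ch = chap_challenge(7)
    rsp = chap_response(ch, "alice", USER_DB["alice"])
    print("CHAP secret visible to sniffer:", sniffer_sees_secret(rsp))
    print("CHAP response accepted:", chap_verify(ch, rsp))
    print("Replay accepted  PAP:", replay_succeeds("PAP"), " CHAP:", replay_succeeds("CHAP"))
```

The MD5 hash protects the secret from the sniffer but the authenticator still stores it in the clear, which is why the slides list both the one-way hash and the unencrypted database as CHAP properties.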
Challenge Handshake Authentication Protocol
• CHAP
  – Periodically re-validates users
  – Standard password database is unencrypted
  – Password is sent as a one-way hash
  – CHAP Process
• MS-CHAP
• The Nonce

Extensible Authentication Protocol (EAP)
• Provides a pointer to authentication
• EAP-TLS (Transport Level Security)
• Wireless needs EAP
• PEAP (Protected EAP)

Link Layer Threats
• Confidentiality
  – Sniffing for reconnaissance
  – Offline brute force
  – Unapproved wireless
• Integrity
  – Modify packets
  – Man-in-the-middle
  – Force weaker authentication
• Availability
  – Denial of service
  – War driving
• Transition from wireless to wired

Wired and Wireless Link-Layer Controls
• Encryption
  – PPP Encryption Control Protocol (ECP)
• Authentication
  – PAP
  – CHAP
  – EAP
• Tunneling
  – EAP-TTLS
• Radio frequency management

Wireless Encryption Summary
               | 802.1X Dynamic WEP | Wi-Fi Protected Access (WPA)  | Wi-Fi Protected Access 2 (WPA2)
Access Control | 802.1X             | 802.1X or pre-shared key      | 802.1X or pre-shared key
Authentication | EAP methods        | EAP methods or pre-shared key | EAP methods or pre-shared key
Encryption     | WEP                | TKIP (RC4)                    | CCMP (AES Counter Mode)
Integrity      | None               | Michael MIC                   | CCMP (AES CBC-MAC)

Metropolitan Area Network (MAN)
• Optimized for a city
• Uses wireless infrastructure, fiber optics or Ethernet to connect sites together
• Still needs security
• Switched Multi-megabit Data Service (SMDS)
• SONET/SDH

Layer 3: Network Layer
• Moves information between two hosts that are not physically connected
• Uses logical addressing

LAN/WAN
• Local Area Network (LAN)
  – LANs service a relatively small area
  – Most LANs have connectivity to other networks
  – VLANs are software-based LAN segments implemented by switching technology
• Wide Area Network (WAN)
  – A WAN is a network connecting local networks or access points
  – Connections are often shared and tunneled through other connections

Storage Area Network (SAN)
• Hard drive space problem
• Server of servers
• Fiber backbone
• Switched

Public Switched Telephone Networks (PSTNs)
• PSTNs are circuit-switched networks
• PSTNs are subject to attacks

X.25
• Suite of protocols for unreliable networks
• Has a strong focus on error correction
• Users and hosts connect through a packet-switched network
• Most organizations now opt for Frame Relay and ATM instead of X.25 for packet switching

Frame Relay
• Network cloud of switches
• Customers share resources in the cloud
• The cloud is assumed to be reliable
• Customers are charged only for bandwidth used

Asynchronous Transfer Mode (ATM)
• ATM is connection-oriented
  – Uses virtual circuits
  – Guarantees QoS but not the delivery of cells
  – Types of virtual circuits

Multi-Protocol Label Switching (MPLS)
• Bandwidth management and scalability
• Permits traffic engineering
• Provides QoS and defense against network attacks
• Operates at Layers 2 and 3
• Operates over most other packet-switching technologies such as Frame Relay and ATM

Comparing Broadband Wireless
                    | 802.11 WiFi                                | 802.16 WiMAX                                                          | 802.20 Mobile-Fi     | UMTS 3G
Bandwidth           | 11-54 Mbps shared                          | Shared up to 70 Mbps                                                  | Up to 1.5 Mbps each  | 384 Kbps - 2 Mbps
Range (LOS / NLOS)  | 100 meters / 30 meters                     | 30-50 km / 2-5 km                                                     | 3-8 km ('07)         | Coverage is overlaid on wireless infrastructure
Mobility            | Portable                                   | Fixed (Mobile: 802.16e)                                               | Full mobility        | Full mobility
Frequency/Spectrum  | 2.4 GHz for 802.11b/g; 5.2 GHz for 802.11a | 2-11 GHz for 802.16a; 11-60 GHz for 802.16                            | < 3.5 GHz            | Existing wireless
Licensing           | Unlicensed                                 | Both                                                                  | Licensed             | Licensed
Standardization     | 802.11a, b and g standardized              | 802.16, 802.16a and 802.16 REVd standardized, others under development | 802.20 in development| Part of GSM standard
Availability        | On the market today                        | Products available today                                              | Standards coming     | Currently being deployed

Wireless Optics
• Two laser transceivers communicate at speeds comparable to SONET
• Wireless optics transmissions are hard to intercept
• Wireless optics can be unreliable during inclement weather
• Avoids the licensing requirements of microwave in most regions

Network Usage: Definitions
• Intranet
• Extranet
  – Granting access to external organizations
• Internet

Other Aspects
• Virtual Private Network
  – Remote access through VPN
  – LAN-to-LAN configuration
• Secure Remote Access
  – Remote access through modems, ISPs, WAN connections
• Traffic Shaping
  – Quality of Service (QoS)
  – Depends on all carriers agreeing on priority handling rules
• Routers
  – Network routing

Firewalls
• Filtering
  – Filtering by address
  – Filtering by service
• Static packet filtering
• Stateful inspection or dynamic packet filtering
• Personal firewalls
• Enforce administrative security policies
• Separate trusted networks from untrusted networks
  – Firewalls should be placed between security domains
• Proxy Firewalls
  – Circuit-level policy
  – Application-level policy

Firewalls
Firewall Type           | OSI Model Layer   | Characteristics
Packet filtering        | Network layer     | Routers using ACLs dictate acceptable access to a network; looks at destination and source addresses, ports and services requested
Application-level proxy | Application layer | Deconstructs packets and makes granular access control decisions; requires one proxy per service

Firewalls (cont.)
Firewall Type           | OSI Model Layer   | Characteristics
Circuit-level proxy     | Session layer     | Deconstructs packets; protects a wider range of protocols and services than application-level proxies, but does not offer as detailed a level of control
Stateful                | Network layer     | Keeps track of each conversation using a state table; looks at state and context of packets

Network Partitioning
• Boundary routers
• Dual-homed host
• Bastion host
• Demilitarized Zone (DMZ)
• Three-legged firewall

End Systems
• Servers and mainframes
• Operating systems
• Notebooks
• Workstations
• Smart phones
• Personal digital assistants
• Network Attached Storage (NAS)

Internet Protocol (IP)
• Internet Protocol (IP) is responsible for routing packets over a network
• Unreliable protocol
• IP will subdivide packets
• IPv4 address structure

Internet Protocol (cont.)
Internet Protocol Address Structure
Class | Range of First Octet | Number of Octets for Network Number | Number of Hosts in Network
A     | 1 - 127              | 1                                   | 16,777,216
B     | 128 - 191            | 2                                   | 65,536
C     | 192 - 223            | 3                                   | 256
D     | 224 - 239            | Multicast                           |
E     | 240 - 255            | Reserved                            |

Subnetting and Valid Subnets
• Subnetting
• Supernetting
• Classless Inter-Domain Routing (CIDR)

Dynamic Host Configuration Protocol (DHCP)
• Dynamically assigns IP addresses to hosts
• Client does not have to request a new lease every time it boots

IPv6
• A larger IP address field
• Improved security
• A more concise IP packet header
• Improved quality of service (QoS)

Internetwork Packet Exchange (IPX)
• Vendor specific
• Retired

Internet Control Message Protocol (ICMP)
• ICMP redirect attacks
• Traceroute exploitation
• Ping scanning

Internet Group Management Protocol (IGMP)
• Used for multicast messages
• Sets up multicast groups

Virtual Private Network (VPN)
• Secure Shell (SSH)
• SSL/TLS
• SOCKS
• High Assurance Internet Protocol Encryptor (HAIPE)
• IP Security (IPsec) – see next slide

IPsec: Authentication and Confidentiality for VPNs
• Authentication Header (AH)
• Encapsulating Security Payload (ESP)
• Security Parameter Index (SPI)
• Security Associations
• Transport Mode / Tunnel Mode
• Internet Key Exchange (IKE)

Tunneling Protocols
• Tunneling Protocols
  – Point-to-Point Tunneling Protocol (PPTP)
  – Layer 2 Tunneling Protocol (L2TP)
• Routing Protocols
  – Routing Information Protocol (RIP)
  – Virtual Router Redundancy Protocol (VRRP)
  – Open Shortest Path First (OSPF)
  – Exterior Gateway Protocol (EGP)
  – Border Gateway Protocol (BGP)
  – Intermediate System-to-Intermediate System (IS-IS)
  – Interior Gateway Routing Protocol (IGRP)
  – Enhanced IGRP (EIGRP)

Risks and Attacks
• Key shortcoming in IP is its lack of authentication
• Shortcomings in implementation
• IP Fragmentation Attacks
  – Teardrop attack
  – Overlapping fragment attacks
• IP Address Spoofing
  – Packets are sent with a bogus source address
  – Takes advantage of a protocol flaw
• Encryption as a Threat
  – External attackers
  – Internal attackers

Risks and Attacks
• Network eavesdropping
• Sniffing the wire
• Encryption
• IP allows the sender to specify the path
  – Attackers can abuse source routing, thereby gaining access to an internal network

Risks and Attacks
• Source-routing Exploitation
  – IP allows the sender to specify the path
    • Attackers can abuse source routing, thereby gaining access to an internal network
• Smurf and Fraggle attacks
  – Smurf attack misuses the ICMP Echo Request
  – Fraggle attack uses UDP instead of ICMP
  – Ping of death

Controls
• Policy
• Inbound and outbound traffic controls
• Network partitioning

Layer 4: Transport Layer
• End-to-end transport between peer hosts
• Connection-oriented and connectionless protocols

Protocols
• Transmission Control Protocol (TCP)
  – Well-known ports
  – Registered ports
  – Dynamic and/or private ports
• User Datagram Protocol (UDP)
  – Fast
  – Low overhead
  – No error correction/replay protection
• Sequenced Packet Exchange (SPX)
  – Novell's protocol
  – Replaced by TCP

Transport Layer Security (TLS)
• Mutual authentication
• Encryption
• Integrity

Attacks
• SYN Flood
• Port Scanning
  – FIN, NULL and XMAS scanning
  – SYN scanning
  – TCP sequence number attacks
  – Session hijacking
• Denial of Service

Controls
• SYN proxies
• Honeypots and honeynets
• Tarpits
• Continuous or periodic authentication

Layer 5: Session Layer
• Client-server model
• Middleware and three-tiered architecture
• Mainframe
• Centralized systems

Protocols
• Real-time Transport Protocol – RTP
• RTP Control Protocol – RTCP
• Remote Procedure Calls – RPC

RPC Threats and Controls
• Threats
  – Unauthorized sessions
  – Invalid RPC exchanges
• Controls
  – Secure RPC

Layer 6: Presentation Layer
• Ensures a common format for data
• Services for encryption and compression

Standards
• Mainframe to PC Translation
  – Extended Binary Coded Decimal Interchange Code (EBCDIC)
  – American Standard Code for Information Interchange (ASCII)
  – Gateway
• Video and Audio Compression
  – Codec
    • Compression / decompression
  – Conserves bandwidth and storage

Compression Protocols
• Audio Compression
  – ISO/IEC: MPEG-1 Layer III (MP3); MPEG-1 Layer I & II; AAC: HE-AAC v2 (aacPlus v2)
  – ITU-T: G.711, G.722, G.723, G.726, G.728, G.729
• Video Compression
  – ISO/IEC: MJPEG; MPEG-1 & 2; MPEG-4 ASP & AVC
  – ITU-T: H.261 to H.264

Threats and Controls
• Availability Threat
  – Lack of interoperability
• Controls
  – Organizational standards

Layer 7: Application Layer
• The application layer is NOT the Graphical User Interface (GUI)
• Performs communications between peer applications

Implementations
• Client/Server
  – Telephony/voice
  – Video
  – Instant messaging
  – Email
  – World Wide Web
  – File transfer
• Peer-to-peer
  – Sharing
• Multi-tier
  – Web front-end
  – Database back-end
  – Web 2.0

Protocols
Protocol | Example
FTP      | File Transfer Protocol
HTTP     | HyperText Transfer Protocol
IMAP     | Internet Message Access Protocol
IRC      | Internet Relay Chat
MIME     | Multipurpose Internet Mail Extensions
POP3     | Post Office Protocol (version 3)
Rlogin   | Remote Login in UNIX Systems
SOAP     | Simple Object Access Protocol
SSH      | Secure Shell
TELNET   | Terminal Emulation Protocol

Threats and Controls
• Vulnerabilities as of September 2007
  – 35,000
• Verified exploits
  – 10,000+
• Controls
  – STOP IT!
    • Don't use application-layer protocols that are too risky?
  – Update / patch

Telephony
• Voice over IP
  – Reduced cost
  – Converged technology security
• Mobile Telephony
  – Cellular service
  – Analog
    • Advanced Mobile Phone Service (AMPS)
  – Digital
    • Global System for Mobile Communications (GSM)
    • General Packet Radio Service (GPRS)
    • Universal Mobile Telecommunications System (UMTS)
  – Data

Mobile Multiplexing Technologies
Technology                              | Principle                                  | Objective
Frequency Division Multiple Access (FDMA) | Divide frequency into sub-bands          | Open several low-bandwidth channels
Time Division Multiple Access (TDMA)    | Split transmission by time slices          | Multiplexing between participants
Code Division Multiple Access (CDMA)    | Multiplex several signals into one signal  | Multiplexing is performed on a digital level

Protocols
• VoIP Protocols
  – H.323
  – SIP
• Mobile Telephony Protocols
  – Proprietary
• Applications and Services
  – Wireless Application Protocol (WAP)
    • Mobile internet browsing

Telephony Threats and Controls
• Threats
  – IP telephony network issues
  – IP telephony vulnerabilities
• Controls
  – Authentication
  – Firewalls
  – Modem control
• Good practices for VoIP telephony
  – Encryption
  – Hardening
  – Patches
  – Authentication
  – Physical protection

General Threats
• Authenticity
• Eavesdropping
• Social engineering
• Tunneling through firewalls

Services
• Authentication
• Directory
• Configuration
• Communication
• Storage
• Printing

Authentication
• Centralized Remote User Authentication
  – Network Access Server sends authentication requests to the Centralized Authentication Server
• Kerberos Authentication
  – RFC 1510
  – Principals (client and server) are treated as equals
  – Key Distribution Center (KDC)
    • Authentication Server (AS)
    • Ticket Granting Server (TGS)

Directory Services
• Domain Name Service (DNS)
• Lightweight Directory Access Protocol (LDAP)
• Network Basic Input Output System (NetBIOS)
• Network Information Service (NIS/NIS+)

Configuration Services
• Simple Network Management Protocol (SNMP)
• Dynamic Host Configuration Protocol (DHCP)
• Network Time Protocol (NTP)
• Finger User Information Protocol

Communication Services
• Synchronous Messaging
  – Instant Messaging (IM)
  – Internet Relay Chat (IRC)
• Asynchronous Messaging
  – Simple Mail Transfer Protocol (SMTP)
  – Post Office Protocol (POP)
  – Internet Message Access Protocol (IMAP)
  – Network News Transfer Protocol (NNTP)

Remote Communication Services
• TCP/IP Terminal Emulation Protocol (TELNET)
• Remote Login (RLOGIN), Remote Shell (RSH), Remote Copy (RCP)
• X Window System (X11)
• Video and multimedia

Storage Server Services
• Common Internet File System (CIFS) / Server Message Block (SMB)
• Network File System (NFS)
• Secure NFS (SNFS)

Storage Data Services
• File Transfer Protocol (FTP)
• Trivial File Transfer Protocol (TFTP)
• Hypertext Transfer Protocol (HTTP)
• HTTP over TLS (HTTPS)
• Secure Hypertext Transfer Protocol (S-HTTP)
• Proxies

Printing Services
• Internet Printing Protocol (IPP)
• Line Printer Daemon (LPD) and Line Printer Remote (LPR)
• Common UNIX Printing System (CUPS)

DNS Threats
• Spoofing
• Query manipulation
  – Hosts file manipulation
  – Social engineering
• Information disclosure
• Domain litigation
• Cyber squatting

Other Threats
• Email Threats
  – Spoofing
  – Open mail relay servers
  – Spam and filtering
• Instant messaging threats
• File sharing
• SPIM
• Server Message Block (SMB) Threats
  – Buffer overflows

Controls
• DNS Security Extensions (DNSSEC)
• Mail filtering
• IM policy
• Turn off SMB
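The DNS Threats slide lists spoofing and the Controls slide answers with DNSSEC. Before any signature is checked, a resolver's first line of defence is to match each reply against the query it actually sent. The Python below is an added example, not from the slides: it builds a query, records the pending transaction state, and shows which field rejects a genuine reply, a reply with a wrong transaction ID, a reply to the wrong client port, and a reply for a different question. The resolver address 192.0.2.53 and the record data are constructed documentation values.

```python
"""Matching a DNS reply to the outstanding query (added example, not from the slides)."""
import random
import struct

DNS_HEADER = struct.Struct("!HHHHHH")  # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
SERVER = "192.0.2.53"                  # constructed resolver address (documentation range)

def encode_name(name):
    """'www.example.com' -> DNS label wire format."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(pkt, off):
    """Read an uncompressed label sequence; return (name, offset after it)."""
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(pkt[off:off + n].decode())
        off += n

def build_question(name, qtype=1):
    """Question section: QNAME, QTYPE (1 = A), QCLASS (1 = IN)."""
    return encode_name(name) + struct.pack("!HH", qtype, 1)

def build_query(name, qtype=1):
    """Client side: random 16-bit ID and random source port, kept as pending state."""
    txid = random.randrange(0, 1 << 16)
    sport = random.randrange(1024, 1 << 16)
    pkt = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + build_question(name, qtype)  # RD set
    pending = {"id": txid, "sport": sport, "qname": name, "qtype": qtype, "server": SERVER}
    return pkt, pending

def build_response(question, txid, address):
    """Server (or forger) side: echo the question and answer with one A record."""
    hdr = DNS_HEADER.pack(txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR
    rdata = bytes(int(o) for o in address.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata  # name pointer to offset 12
    return hdr + question + answer

def validate_response(pending, pkt, src_addr, dst_port):
    """Accept a reply only if every field matches the query actually sent.

    A forger who never saw the query has to guess the 16-bit ID and the client
    port and must know the question; each check rejects one class of spoofed
    reply. DNSSEC (the slides' control) then authenticates the data itself.
    """
    if src_addr != pending["server"]:
        return False, "reply from unexpected server"
    if dst_port != pending["sport"]:
        return False, "reply to a port we did not query from"
    if len(pkt) < DNS_HEADER.size:
        return False, "truncated header"
    txid, flags, qdcount, *_ = DNS_HEADER.unpack_from(pkt)
    if txid != pending["id"]:
        return False, "transaction ID mismatch"
    if not flags & 0x8000:
        return False, "QR bit clear: not a response"
    if qdcount != 1:
        return False, "unexpected question count"
    try:
        qname, off = decode_name(pkt, DNS_HEADER.size)
        qtype, qclass = struct.unpack_from("!HH", pkt, off)
    except (ValueError, IndexError, struct.error):
        return False, "malformed question section"
    if (qname, qtype, qclass) != (pending["qname"], pending["qtype"], 1):
        return False, "question section does not match our query"
    return True, "accepted"

if __name__ == "__main__":
    query, pending = build_query("www.example.com")
    question = query[DNS_HEADER.size:]
    print("genuine :", validate_response(pending, build_response(question, pending["id"], "198.51.100.10"), SERVER, pending["sport"]))
    print("wrong ID:", validate_response(pending, build_response(question, pending["id"] ^ 1, "203.0.113.9"), SERVER, pending["sport"]))
```

These checks only make a blind forgery expensive (the forger must hit both the ID and the port); they cannot detect a reply that was forged by someone who observed the query, which is the gap DNSSEC closes.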