Layer 2 Design: L2 Control Protocols - 802.1q, STP and ARP
- 802.1q: used by Ethernet switches to exchange VLAN information.
  Primary issue: VLAN hopping.
- Spanning Tree Protocol (STP): Layer 2 loop avoidance.
  Primary issue: no authentication on bridge PDUs (BPDUs).
  Attacks: cause link failure; pretend to be the root of the tree.
  Defense: control participation in STP (at the switch level).
Layer 2 Design: ARP and DHCP
- ARP: IP to MAC address mapping.
  Primary issue: gratuitous ARP (gARP) messages used for high availability.
  Defense: VLANs, static ARP entries.
- DHCP: IP address allocation.
  Issues: MAC spoofing, rogue DHCP servers.
  Defense: allow/deny specific switch ports to respond to DHCP requests.
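The defenses on this slide are what a switch-side guard would enforce. The following is an added example (not from the slides): it rejects a gratuitous ARP that rewrites an existing IP-to-MAC binding, a claim on a statically pinned address, and a DHCP server reply (OFFER/ACK/NAK) arriving on a port that is not the one facing the real server. The port names, addresses and event sequence are constructed sample values.

```python
"""Switch-side checks for the ARP and DHCP issues on the slide (added example).

Assumptions: port names, the static ARP table and the event stream below are
constructed; a real switch would feed these checks from actual frames.
"""
from dataclasses import dataclass, field

# Port facing the legitimate DHCP server (assumed name)
TRUSTED_DHCP_PORTS = {"Gi0/1"}
# Static ARP entries pinned by the administrator (constructed values)
STATIC_ARP = {"10.0.0.1": "00:11:22:33:44:01"}
# DHCP message types only a server should send
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class L2Guard:
    arp_table: dict = field(default_factory=lambda: dict(STATIC_ARP))
    alerts: list = field(default_factory=list)

    def on_arp(self, ip, mac, gratuitous=False):
        """Accept (True) or reject (False) an IP->MAC binding learned from ARP."""
        if ip in STATIC_ARP and STATIC_ARP[ip] != mac:
            self.alerts.append(f"ARP: {mac} claims static IP {ip}")
            return False
        known = self.arp_table.get(ip)
        if gratuitous and known is not None and known != mac:
            # A legitimate HA failover looks exactly like this, so the change
            # is alerted and held rather than silently accepted.
            self.alerts.append(f"gARP: {ip} moved {known} -> {mac}")
            return False
        self.arp_table[ip] = mac
        return True

    def on_dhcp(self, msg_type, port):
        """DHCP snooping: server-side messages are accepted only from trusted ports."""
        if msg_type in SERVER_MSGS and port not in TRUSTED_DHCP_PORTS:
            self.alerts.append(f"DHCP: rogue {msg_type} on {port}")
            return False
        return True


def run_sample():
    """Feed a constructed event sequence through the guard."""
    g = L2Guard()
    results = [
        g.on_arp("10.0.0.20", "00:11:22:33:44:20"),        # normal learn
        g.on_arp("10.0.0.20", "00:11:22:33:44:99", True),  # gARP rewrites binding
        g.on_arp("10.0.0.1", "00:11:22:33:44:99"),         # claims the gateway IP
        g.on_dhcp("DISCOVER", "Gi0/7"),                    # client request, fine
        g.on_dhcp("OFFER", "Gi0/1"),                       # real server port
        g.on_dhcp("OFFER", "Gi0/7"),                       # rogue server on access port
    ]
    return results, g.alerts, g.arp_table


if __name__ == "__main__":
    for line in run_sample()[1]:
        print(line)
```

The gARP branch deliberately refuses rather than updates: the slide's point is that the same message carries both HA failover and hijack, so the switch cannot tell them apart without the static entries or an operator looking at the alert.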
Layer 2 Design: Wireless Networks - Medium Access
- The boundary is diffuse, not hard.
- Intruders do not have to tap wires: all messages are broadcast in a shared medium.
- Unauthenticated access modes may cause problems.
- Contention resolution: fairness issues.
- Availability is easy to limit or eliminate.
IP Addressing Design: Subnetting
- Administrative / physical separation.
- Primary issue: access control.
- Defense: VLANs, Layer 3 ACLs (Access Control Lists).
Ingress / Egress Filtering
- Private address traffic is not seen outside.
- Incoming traffic only from the outside world.
- Filter at the edge or close to the edge; not necessarily only at the firewall.
NAT
- Private addresses translated to public addresses.
- Incoming traffic: reverse translation.
- Static, 1-1, many-1.
- Avoid using NAT (many-1) for security.
ICMP Design Issues
- Ping messages are essential for administration; turning them off is not a solution except in specific cases.
- Primary issue: echo request/reply messages carry a variable-length data field:
  ping-of-death attacks, DoS attacks, buffer overflows, covert channels (with software on the host).
- Solutions: "explicitly permit, implicitly deny"
  - Permit ICMP echo request/reply messages with networks of necessity and for required users.
  - Deny all other echo messages.
ICMP Design Issues (continued)
- Other required ICMP messages (some types):
  - Destination Unreachable messages.
  - Time Exceeded (TTL reached 0) messages, needed by traceroute.
- ICMP filtering: ACLs for permitting the specific messages seen above and for denying all others.
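The two ICMP slides describe one filter. The following is an added example (not from the slides) of that "explicitly permit, implicitly deny" ACL as evaluation logic: echo request/reply pass only from the networks of necessity and only with a bounded payload (the variable-length data field is the slide's primary issue), Destination Unreachable and Time Exceeded pass from anywhere because path MTU discovery and traceroute need them, and everything else falls through to the implicit deny. The networks, the payload limit and the log lines are assumptions.

```python
"""An explicit-permit / implicit-deny ICMP ACL (added example).

Assumptions: ADMIN_NETS, MAX_ECHO_PAYLOAD and the SAMPLE log are constructed.
"""
import ipaddress

# ICMP type numbers (RFC 792)
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11

# Networks of necessity (constructed): admin jump hosts and the NOC
ADMIN_NETS = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("198.51.100.32/27")]
# Assumed local cap on echo payload; ordinary ping sends 32-56 bytes
MAX_ECHO_PAYLOAD = 128

# Rules: (action, icmp type, allowed source networks or None, max payload or None)
ACL = [
    ("permit", ECHO_REQUEST, ADMIN_NETS, MAX_ECHO_PAYLOAD),
    ("permit", ECHO_REPLY, ADMIN_NETS, MAX_ECHO_PAYLOAD),
    ("permit", DEST_UNREACH, None, None),
    ("permit", TIME_EXCEEDED, None, None),
]  # anything not matched above is denied


def check(icmp_type, src, payload_len):
    """Return ("permit", rule_no) for the first matching rule, else ("deny", None)."""
    src_ip = ipaddress.ip_address(src)
    for i, (action, typ, nets, max_len) in enumerate(ACL):
        if typ != icmp_type:
            continue
        if nets is not None and not any(src_ip in n for n in nets):
            continue
        if max_len is not None and payload_len > max_len:
            continue
        return action, i
    return "deny", None  # implicit deny


def filter_log(lines):
    """Apply the ACL to constructed lines of the form 'type=<n> src=<ip> len=<bytes>'."""
    out = []
    for line in lines:
        f = dict(kv.split("=") for kv in line.split())
        out.append((line, check(int(f["type"]), f["src"], int(f["len"]))[0]))
    return out


SAMPLE = [  # constructed log lines
    "type=8 src=192.0.2.10 len=56",     # admin ping: permit
    "type=8 src=203.0.113.7 len=56",    # outsider ping: deny
    "type=8 src=192.0.2.10 len=65000",  # oversized echo from admin: deny
    "type=11 src=203.0.113.1 len=36",   # traceroute time-exceeded: permit
    "type=5 src=203.0.113.1 len=8",     # redirect: deny
]

if __name__ == "__main__":
    for line, verdict in filter_log(SAMPLE):
        print(f"{verdict:6} {line}")
```

The payload bound is the part of this filter the slide's "variable length data field" argues for; a plain type-based ACL would wave the 65000-byte echo through from an admin host.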
Routing - Issues
Possible attacks:
- Traffic redirection.
- Traffic sent to a black hole.
- Router DoS (Denial of Service): attack on availability.
- Routing protocol DoS.
- Unauthorized router prefix origination.
Routing - Issues
Attack methods and possible solutions:
- Configuration modification of routers -> secure the routers (device hardening).
- Rogue router introduction -> add message authentication to the routing protocol; use ACLs to block routing-protocol message types from unwanted networks.
- Spoofing / modifying routing messages -> message authentication; TCP sequence numbers help.
- Sending malformed or excess packets -> DoS mitigation for excess packets; no easy solution for malformed packets.
Router - Device Hardening
- Disable unneeded services:
  - no DNS lookup for the router
  - no echo or finger services
  - no bootp service (if not needed)
  - no source routing and no directed broadcast
  - no ICMP redirects
- Password encryption.
- Authentication:
  - use hashed passwords
  - use secure protocols (e.g. SSH) for line access
  - set up usernames and access controls
Routing Protocol - Message Authentication
- Passwords carried with routing update messages.
- MD5 digest authentication with secret keying.
- Protocol specific:
  - Avoid RIP v1: it has no authentication mechanism.
  - OSPF (widely used for interior gateways): supports keyed MD5.
  - BGP (widely used for cross-domain routing): supports keyed MD5 through a TCP option.
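The keyed-MD5 scheme on this slide is simple enough to show end to end. The following is an added example (not from the slides, and not any router's implementation): the shared secret is appended to the update and hashed, the digest travels with the message, and the receiver keeps the last sequence number per neighbour so a captured update cannot be replayed. The frame layout, key table and payload strings are assumptions.

```python
"""Keyed-MD5 authentication of routing updates with replay protection (added example).

Assumptions: the frame layout (key id | seq | len | payload | digest), the
KEYS table and the payload strings are constructed for illustration.
"""
import hashlib
import hmac
import struct

# key id -> shared secret (constructed); a real deployment rotates key ids
KEYS = {1: b"constructed-shared-secret-16"}
HDR = struct.Struct("!BIH")  # key id (1 byte), sequence (4), payload length (2)
DIGEST_LEN = 16              # MD5 output size


def make_update(payload: bytes, seq: int, key_id: int = 1) -> bytes:
    """Sender: header + payload + MD5(header + payload + secret)."""
    header = HDR.pack(key_id, seq, len(payload))
    digest = hashlib.md5(header + payload + KEYS[key_id]).digest()
    return header + payload + digest


class Neighbor:
    """Receiver-side state for one routing neighbour: the last sequence accepted."""

    def __init__(self):
        self.last_seq = -1

    def accept(self, frame: bytes):
        """Return (payload, "ok") if authentic and fresh, else (None, reason)."""
        if len(frame) < HDR.size + DIGEST_LEN:
            return None, "truncated"
        key_id, seq, length = HDR.unpack_from(frame)
        body_end = HDR.size + length
        payload, digest = frame[HDR.size:body_end], frame[body_end:]
        if len(digest) != DIGEST_LEN:
            return None, "bad length"
        secret = KEYS.get(key_id)
        if secret is None:
            return None, "unknown key id"
        expected = hashlib.md5(frame[:body_end] + secret).digest()
        if not hmac.compare_digest(expected, digest):   # constant-time compare
            return None, "bad digest"
        if seq <= self.last_seq:
            return None, "replay"
        self.last_seq = seq
        return payload, "ok"


def demo():
    """Two good updates, then a tampered copy, a replay, and a truncated frame."""
    peer = Neighbor()
    u1 = make_update(b"prefix 10.1.0.0/16 metric 2", 100)
    u2 = make_update(b"prefix 10.2.0.0/16 metric 5", 101)
    # same length payload with the metric changed, original digest kept
    tampered = u2[:HDR.size] + b"prefix 10.2.0.0/16 metric 1" + u2[-DIGEST_LEN:]
    return [peer.accept(u1)[1], peer.accept(u2)[1],
            peer.accept(tampered)[1], peer.accept(u1)[1],
            peer.accept(make_update(b"x", 102)[:-1])[1]]


if __name__ == "__main__":
    print(demo())
```

The sequence check is what turns "message authentication" into protection against the rogue-router and spoofing attacks on the previous slides: without it a valid old update could be re-sent indefinitely. MD5 is the mechanism the slide names; OSPF later gained HMAC-SHA authentication (RFC 5709), which is the construction to prefer where the peers support it.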
Routing - Issues: Asymmetric Routing and State-Aware Security
- Asymmetric traffic: different paths for request and return; per-packet routing.
- Can happen at switches, over the Internet, or at an ISP.
- Causes problems for state-aware security devices and mechanisms: firewalls, IDS, etc.
Routing - Issues: Asymmetric Routing - Solutions
- Use symmetric routing: hard to do and impractical.
- Load balance per flow (rather than per packet): cannot avoid request/return asymmetry.
- Manipulate flows using NAT or routing.
- Use state-sharing security devices (e.g. exchange information between firewalls): significant traffic overhead.
- Use stateless security features (e.g. ACLs): works only for easy situations with simple traffic categorizations.
Transport Protocol - Design Issues: Denial of Service
- DoS attacks are easy to launch and cannot be completely stopped.
- Network flooding (consumes bandwidth) vs. transport flooding (consumes host resources).
- Network flooding
  - Detection: through network intrusion detection, routers and firewalls (i.e. their log data).
  - Stopping: often only through the service provider; stops good as well as bad traffic.
Transport Protocol - Design Issues: Stopping Network Flooding
- Basic ACL: drop all traffic destined for an IP address; configure this throughout the ISP's network.
- Black hole filtering: propagate static routes to divert traffic to a black hole. Faster than the basic ACL approach; much less CPU impact.
- Sinkhole routing: traffic diverted to a specific location so that it can be studied.
Transport Protocol - Design Issues: Trace Back (DoS)
- Manual ACL trace back: create an ACL with broad permits that are made more specific as more information about the attack is gained.
- Backscatter trace back: combine black hole and sinkhole routing.
  - Black hole routing results in ICMP unreachable messages.
  - Use a chunk of unallocated IP addresses, routed internally within the ISP, to forward to a sinkhole.
- Tracebacks are useless if the attacker is spoofing a legitimately allocated address.
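Backscatter trace back is easier to see on a log than in prose. The following is an added example (not from the slides) of the sinkhole side: with the victim's address black-holed on every edge router, each dropped attack packet triggers an ICMP Destination Unreachable to the spoofed source, and the ones whose spoofed source falls in the unallocated block routed to the sinkhole show which edge router is receiving the attack. The log format, router names, addresses and victim are constructed.

```python
"""Reading backscatter at a sinkhole to find the attack's ingress router (added example).

Assumptions: the log format, SINKHOLE_BLOCK, VICTIM and the router names are
constructed; a real sinkhole would parse the ICMP packets themselves.
"""
import ipaddress
from collections import Counter

# Unallocated space the ISP routes internally to the sinkhole (constructed)
SINKHOLE_BLOCK = ipaddress.ip_network("192.0.2.0/24")
VICTIM = "203.0.113.10"

# Constructed sinkhole log: router that generated the unreachable, the spoofed
# source it was addressed to, and the destination of the dropped packet.
LOG = """\
router=edge-nyc icmp=3 to=192.0.2.77 inner_dst=203.0.113.10
router=edge-nyc icmp=3 to=192.0.2.12 inner_dst=203.0.113.10
router=edge-lon icmp=3 to=192.0.2.200 inner_dst=203.0.113.10
router=edge-nyc icmp=3 to=192.0.2.5 inner_dst=203.0.113.10
router=edge-sfo icmp=3 to=192.0.2.9 inner_dst=203.0.113.99
router=edge-nyc icmp=11 to=192.0.2.3 inner_dst=203.0.113.10
"""


def parse(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def entry_points(log, victim):
    """Count Destination Unreachable backscatter per edge router for one victim."""
    hits = Counter()
    for line in log.splitlines():
        rec = parse(line)
        if rec["icmp"] != "3" or rec["inner_dst"] != victim:
            continue  # not backscatter from this black hole
        if ipaddress.ip_address(rec["to"]) not in SINKHOLE_BLOCK:
            continue  # not addressed to the sinkhole's unallocated block
        hits[rec["router"]] += 1
    return hits


def likely_ingress(log, victim):
    """Router with the most backscatter, or None if there is none at all."""
    hits = entry_points(log, victim)
    return hits.most_common(1)[0][0] if hits else None


if __name__ == "__main__":
    print(entry_points(LOG, VICTIM), likely_ingress(LOG, VICTIM))
```

Because the spoofed sources are spread across the whole address space, the fraction that lands in the sinkhole block is roughly the same from every router, so the counts reflect the relative attack volume at each edge. The slide's caveat holds here too: if the attacker sources packets from one legitimately allocated address, nothing reaches the sinkhole and `likely_ingress` returns None.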
Transport Protocol - Design Issues: DoS Mitigation
- QoS techniques: limit traffic by type (UDP 10 Mbps, ICMP 200 Kbps, etc.); use a token system to limit traffic.
- Application-specific filtering (e.g. in e-commerce scenarios UDP traffic is needed).
- Use a distributed design: content delivery networks.
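The "token system" on this slide is a token bucket per traffic class. The following is an added example (not from the slides) that polices the two rates quoted, UDP at 10 Mbps and ICMP at 200 Kbps, and runs one second of constructed 1000-byte packets through each bucket; time is passed in as integer milliseconds so the arithmetic is exact and the result reproducible. The burst sizes and the sample traffic are assumptions.

```python
"""Per-protocol token-bucket policing with the slide's rate limits (added example).

Assumptions: burst sizes (0.1 s of each rate) and the simulated traffic are
constructed; timestamps are integer milliseconds and must be non-decreasing.
"""


class TokenBucket:
    """Classic token bucket: tokens are bytes, refilled at a fixed rate."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8 / 1000   # bytes per millisecond
        self.capacity = burst_bytes
        self.tokens = burst_bytes
        self.last_ms = 0

    def allow(self, size, now_ms):
        """Admit a packet of `size` bytes arriving at `now_ms`? (drop otherwise)"""
        self.tokens = min(self.capacity,
                          self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def new_policer():
    """One bucket per limited class; classes not listed are unpoliced."""
    return {"udp": TokenBucket(10_000_000, 125_000),   # 10 Mbps, 0.1 s burst
            "icmp": TokenBucket(200_000, 2_500)}        # 200 Kbps, 0.1 s burst


def police(packets, policer=None):
    """packets: iterable of (time_ms, proto, size_bytes) in time order.

    Returns {proto: [passed, dropped]}.
    """
    policer = new_policer() if policer is None else policer
    stats = {}
    for t, proto, size in packets:
        bucket = policer.get(proto)
        ok = bucket.allow(size, t) if bucket else True
        counts = stats.setdefault(proto, [0, 0])
        counts[0 if ok else 1] += 1
    return stats


def simulate():
    """Constructed: 1 s of 1000-byte packets every millisecond (8 Mbps) per class."""
    icmp = [(t, "icmp", 1000) for t in range(1, 1001)]
    udp = [(t, "udp", 1000) for t in range(1, 1001)]
    return police(icmp), police(udp)


if __name__ == "__main__":
    print(simulate())
```

At 8 Mbps the UDP stream sits under its 10 Mbps limit and every packet passes, while the same stream as ICMP exceeds 200 Kbps forty-fold: the 2.5 KB burst admits the first two packets and the refill rate then admits one packet every 40 ms, 27 in total out of 1000.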
Transport Protocol - Design Issues: Transport Flooding
- (Recall) DoS attacks are easy to launch and cannot be completely stopped; network flooding (consumes bandwidth) vs. transport flooding (consumes host resources).
- TCP SYN flooding: send a SYN packet (part of the 3-way handshake) but never respond to the acknowledgment (the SYN-ACK).
  - TCP is connection-oriented: half-open connections are kept open for a time; connection queues overflow.
Transport Protocol - Design Issues: SYN Flood Defenses
- SYN cookies: host-specific method of mitigating SYN flooding attacks; avoid storing SYN packets in a queue; use a challenge-response model for the handshake.
- TCP intercept: network-level protection for SYN floods; intercept connection requests at an intermediate node which transparently forwards TCP packets to the server; SYN packets are ACKed as soon as possible; if the client does not respond, use a backoff protocol (e.g. PIX firewalls).