Network Security



1. Bishop: Chapter 26, Network Security
   Based on notes by Prashanth Reddy Pasham
2. Outline
   - Introduction
   - Policy Development
   - Network Organization
     - Firewalls
     - DMZ
   - Availability and Network Flooding
3. Introduction
   - How do we develop a network infrastructure from security requirements?
     - Know the security requirements
     - These lead to the development of a security policy
     - The policy in turn suggests the form of the network
   - security goals → policy
   - network policy → functionalities
   - distribution of functionalities to various parts of the network → network diagram
   - functionality of each part → host configuration
4. Introduction
   - Goals of the Drib's security policy
     - Data related to company plans is to be kept secret
       - Available only to those who need to know
     - Customer data should be available only to those who fill the order
     - Releasing sensitive data requires the consent of the company's officials and lawyers
   - Our goal is to design a network infrastructure that will meet these requirements
5. Policy Development
   - Policies
     - Must provide public access to some information
     - Must limit access to other information, even within the company
   - The Drib requires a policy that minimizes the threat of data being leaked to unauthorized entities
   - Unauthorized?
6. Policy Development
   - The Drib has three internal organizations
     - Customer Service Group (CSG)
       - Deals with customers
       - Maintains all customer data
       - Serves as the interface between the other groups and the Drib's clients
     - Development Group (DG)
       - Develops, modifies and maintains products
       - Relies on the CSG for descriptions of customer complaints, suggestions and ideas
       - No direct contact with customers
     - Corporate Group (CG)
       - Handles the Drib's debentures, lawsuits, patents and other corporate-level work
   - The policy describes the way information is to flow among these groups
7. Policy Development
   - Data classes
     - Public data (PD)
       - Available to anyone
       - Includes product specifications, price information and marketing literature
     - Development data for existing products (DDEP)
       - Available only internally
       - To company lawyers, officers and developers
     - Development data for future products (DDFP)
       - Available only to developers
       - May change, as may various aspects of development
     - Corporate data (CoD)
       - Information about corporate functions
     - Customer data (CuD)
       - Credit card information
8. Policy Development
   - User classes
     - Outsiders
     - Developers
     - Corporation executives
     - Employees
   - See the table on page 776 for user rights
   - Availability: global, 24/7
   - Consistency check
     - Does the policy described above meet the goals of the Drib?
9. Network Organization (diagram; only its labels survive)
   - Internet
   - Outer Firewall
   - Demilitarized Zone (DMZ): Mail Server, Web Server, DNS Server (DMZ), Log Server
   - Inner Firewall
   - Intranet: Mail Server (internal), DNS Server (internal), Corporate data subnet, Customer data subnet, Development subnet
10. Network Organization
   - Network regions
     - Internet
     - Internal network (intranet)
     - DMZ
   - Network boundaries
     - Firewall
       - Filtering firewall: decisions based on packet headers
       - e.g., preventing BackOrifice traffic
     - Proxy
       - Proxy firewall: presents an external view that hides the intranet
       - e.g., mail proxy
11. Analysis of Network Infrastructure
   - Conceal the addresses of the internal network
     - Internal addresses can be real
     - Or "fake" (private, non-routable) addresses: 10.b.c.d, 172.[16-31].c.d, 192.168.c.d
       - Network Address Translation (NAT) maps internal addresses to the assigned external address
   - Mail server
     - Hides internal addresses
     - Maps incoming mail to the "real" server
     - Additional incoming/outgoing checks
12. Firewalls: Configuration
   - Outer firewall
     - What traffic is allowed
       - External source: IP restrictions
       - Type of traffic: ports (e.g., SMTP, HTTP)
     - Proxy between the DMZ servers and the Internet
   - Inner firewall
     - Traffic restrictions: ports, from/to IP
     - Proxy between the intranet and the outside
13. In the DMZ
   - DMZ mail server
     - Performs address and content checking on all electronic mail messages
     - When it receives a letter from the Internet, it performs the following steps
       1. Reassembles the message into a set of headers, a letter, and any attachments
       2. Scans the letter and attachments for any computer virus or malicious logic
          - Restores the attachments for transmission
          - Rescans the message for any violation of the SMTP specification
       3. Scans the recipient address lines
          - Addresses that directed the mail to the Drib are rewritten to direct the mail to the internal mail server
14. In the DMZ
   - DMZ mail server
     - When it receives an outgoing letter from the internal mail server
       - Steps 1 and 2 are the same
       - In step 3 the mail proxy scans the header lines
       - All lines that mention internal hosts are rewritten to identify the host as “”, the name of the outside firewall
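The header-rewriting step (step 3) of the DMZ mail proxy in both directions, as an added example that is not code from the slides or from Bishop; the host names are constructed placeholders (the slides elide the outer firewall's name), and the scanning of steps 1 and 2 is left out.

```python
import re

# Added example, not the slides' or Bishop's code: step 3 of the DMZ mail proxy.
# Inbound, recipients at the public domain are redirected to the internal mail
# server; outbound, any header line naming an internal host is rewritten so the
# host appears to be the outer firewall. All host names are placeholders.
PUBLIC_DOMAIN = "drib.example"                 # placeholder public domain
OUTER_FIREWALL = "firewall.drib.example"       # placeholder outer firewall name
INTERNAL_MAIL = "mail.internal.drib.example"   # placeholder internal mail server
INTERNAL_HOSTS = {INTERNAL_MAIL, "dev1.internal.drib.example", "csg.internal.drib.example"}

def _split(raw):
    """Separate the header block from the body (headers end at the first blank line)."""
    head, _, body = raw.partition("\n\n")
    return head.split("\n"), body

def rewrite_inbound(raw):
    """Inbound (from the Internet): recipients at the public domain are redirected
    to the internal mail server; nothing else in the message is touched."""
    headers, body = _split(raw)
    at_public = re.compile(r"@" + re.escape(PUBLIC_DOMAIN) + r"(?![\w.-])")
    out = []
    for line in headers:
        name, sep, value = line.partition(":")
        if name.strip().lower() in ("to", "cc"):
            value = at_public.sub("@" + INTERNAL_MAIL, value)
        out.append(name + sep + value)
    return "\n".join(out) + "\n\n" + body

def rewrite_outbound(raw):
    """Outbound (from the internal mail server): every header line that names an
    internal host is rewritten so the host is identified as the outer firewall."""
    headers, body = _split(raw)
    # longest names first so one host name is never partially replaced by another
    internal = re.compile("|".join(re.escape(h) for h in sorted(INTERNAL_HOSTS, key=len, reverse=True)))
    return "\n".join(internal.sub(OUTER_FIREWALL, line) for line in headers) + "\n\n" + body

# Constructed sample messages (headers only matter here)
INBOUND = "From: bob@customer.example\nTo: sales@drib.example\nSubject: order\n\nhello\n"
OUTBOUND = ("Received: from dev1.internal.drib.example by mail.internal.drib.example\n"
            "From: alice@dev1.internal.drib.example\nTo: bob@customer.example\n\nreply\n")

if __name__ == "__main__":
    print(rewrite_inbound(INBOUND))
    print(rewrite_outbound(OUTBOUND))
```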
15. In the DMZ
   - DMZ WWW server
     - Identifies itself as “” and uses the IP address of the outside firewall
   - DMZ DNS server
     - Contains entries for
       - DMZ mail, web and log hosts
       - Internal trusted administrative host
       - Outer firewall
       - Inner firewall
   - DMZ log server
16. Availability and Network Flooding
   - Flooding
     - Overwhelms the TCP stack on the target machine
     - Prevents legitimate connections
   - Limits availability by
     - Overwhelming the service
   - Examples
     - SYN flood
       - Overwhelms the TCP stack
17. SYN flood
   - A form of DoS attack
   - The attacker initiates a large number of TCP SYN packets and never sends the 3rd part of the TCP three-way handshake for those packets
   - If the packets come from multiple sources (the attacking machines) but have the same destination (the victim machine) → DDoS
18. SYN Flood
   - A: the initiator; B: the destination
   - A TCP connection is set up in multiple steps
     - A: SYN to initiate
     - B: SYN+ACK to respond
     - A: ACK completes the agreement
   - Sequence numbers are then incremented for future messages
     - Ensures message order
     - Retransmit if lost
     - Verifies that the party really initiated the connection
19. SYN Flood
   - Implementation: A, the attacker; B, the victim
     - B
       - Receives SYN
       - Allocates a connection
       - Acknowledges
       - Waits for a response
   - See the problem?
     - What if there is no response
     - And many SYNs
   - All space for connections is allocated
     - None left for legitimate ones
   - Time?
20. Solution Ideas
   - Limit connections from one source?
     - But the source is in the packet and can be faked
   - Ignore connections from illegitimate sources
     - If you know who is legitimate
     - Can figure it out quickly
     - And the attacker doesn't know this
   - Drop the oldest connection attempts
21. Two Approaches to Counter SYN Flood
   - Using intermediate hosts to eliminate the SYN flood
   - Relying on TCP state and memory allocations
22. A. Intermediate Hosts
   - Basic idea
     - Use routers to divert or eliminate illegitimate traffic
     - Resources on the target are not consumed by the attacks
23. A. Intermediate Hosts
   - Approaches
     - Only legitimate handshakes can reach the firewall
       - e.g., Cisco routers' "TCP intercept mode"
     - Network traffic monitor/tracker
       - e.g., Synkill [Schuba et al., 1997]
24. A. Intermediate Hosts
   - TCP intercept
     - The router first completes the handshake with the client itself
     - Once the client is connected, the router establishes the connection with the server
     - If the client never sends the ACK (before timing out), then the initial SYN packet is part of an attack handshake
     - The target never sees the illegitimate SYN packets
     - The router uses short time-outs to protect itself
25. A. Intermediate Hosts
   - Synkill
     - An active monitor that analyzes packets being sent to some set of systems (potential victim targets)
     - The monitor machine acts as a "firewall"
     - Classification of IP addresses into classes
       - Good addresses: history of successful connections
       - Bad addresses: a previous attempt timed out
       - New addresses
     - Blocks and terminates attempts from bad addresses
     - Classes are managed dynamically
     - Question: what if a good IP turns bad?
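A simplified Synkill-style monitor, added here as an example and not code from the slides or from Schuba et al.; the thresholds, action names and the rule that expires "bad" addresses are assumptions, chosen so the trace answers the slide's closing question about a good address turning bad.

```python
# Added example, not the slides' or Schuba et al.'s code: a simplified Synkill-style
# monitor. Thresholds, action names and the expiry of "bad" addresses are assumptions,
# chosen to show what happens when an address that was good starts to misbehave.
GOOD, BAD, NEW = "good", "bad", "new"
DEMOTE_AFTER = 2      # consecutive time-outs that turn a good address bad
BAD_TTL = 300.0       # seconds a bad address stays blocked before being retried as new

class SynMonitor:
    def __init__(self):
        self.cls = {}         # ip -> GOOD / BAD (absent means NEW)
        self.timeouts = {}    # ip -> consecutive half-open time-outs
        self.bad_since = {}   # ip -> time it was classified bad
    def on_syn(self, ip, now):
        """Action for an incoming SYN: pass good, watch new, terminate bad.
        Classes are dynamic: a blocked address falls back to NEW after BAD_TTL."""
        if self.cls.get(ip) == BAD and now - self.bad_since[ip] > BAD_TTL:
            del self.cls[ip]
        c = self.cls.get(ip, NEW)
        if c == BAD:
            return "reset"  # free the victim's half-open slot (RST sent on its behalf)
        return "pass" if c == GOOD else "watch"
    def on_handshake_complete(self, ip):
        """A completed three-way handshake makes (or keeps) the address good."""
        self.cls[ip], self.timeouts[ip] = GOOD, 0
    def on_timeout(self, ip, now):
        """Half-open attempt expired: NEW becomes BAD at once, GOOD after DEMOTE_AFTER."""
        self.timeouts[ip] = self.timeouts.get(ip, 0) + 1
        if self.cls.get(ip, NEW) != GOOD or self.timeouts[ip] >= DEMOTE_AFTER:
            self.cls[ip], self.bad_since[ip] = BAD, now

def replay(events):
    """Feed (time, kind, ip) events to a fresh monitor; return the action for each SYN."""
    mon, actions = SynMonitor(), []
    for now, kind, ip in events:
        if kind == "syn":
            actions.append(mon.on_syn(ip, now))
        elif kind == "ack":
            mon.on_handshake_complete(ip)
        else:
            mon.on_timeout(ip, now)
    return actions

# Constructed trace: a client that behaves, stalls twice, then returns much later,
# plus a source that never completes its handshake.
EVENTS = [(0, "syn", "198.51.100.7"), (1, "ack", "198.51.100.7"), (2, "syn", "198.51.100.7"),
          (3, "timeout", "198.51.100.7"), (4, "syn", "198.51.100.7"), (5, "timeout", "198.51.100.7"),
          (6, "syn", "198.51.100.7"), (7, "syn", "203.0.113.9"), (8, "timeout", "203.0.113.9"),
          (9, "syn", "203.0.113.9"), (400, "syn", "198.51.100.7")]

if __name__ == "__main__":
    print(replay(EVENTS))  # ['watch', 'pass', 'pass', 'reset', 'watch', 'reset', 'watch']
```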
26. B. TCP State and Memory Allocations
   - Problem: the server maintains state
     - Runs out of space
   - Solutions
     - Don't maintain state on the server; let the client track the state → the SYN cookie approach
     - The adaptive time-out approach
27. B. TCP State and Memory Allocations
   - The SYN cookie approach:
     - The server does not maintain the state of connections
     - Q: How does the server know the sequence numbers?
     - Ans: The state is encoded in the server's initial sequence number, which comes back in the client's ACK; the server retrieves this info from the client's ACK packet
28. B. TCP State and Memory Allocations
   - The SYN cookie approach:
     - The SYN cookie is encoded in the SYN response (the server's initial sequence number)
       - h(source, destination, random) + sequence + time
       - See p. 795 for the formula
     - The client increments this and ACKs
     - The server subtracts h() and time to get the sequence
       - Knows if this is in the valid range
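A toy SYN-cookie server following the encode/subtract/range-check steps above, added as an example that is not code from the slides or from Bishop; the exact cookie layout (keyed hash + client sequence + time slot in the top byte), the slot width and all names are assumptions, and the book's actual formula is the one on p. 795.

```python
import hashlib
import hmac

# Added example, not from the slides or Bishop: a toy SYN-cookie server that keeps no
# per-connection state. The cookie layout (keyed hash + client seq + time slot in the top
# byte) and all names below are assumptions; the book's exact formula is on p. 795.
SECRET = b"constructed-per-boot-secret"   # random, regenerated at boot (constructed here)
SLOT_SECONDS = 64                         # granularity of the "time" term
MASK32 = 0xFFFFFFFF

def h(src, dst, slot):
    """Keyed hash of (source, destination, time slot) under the server's secret."""
    msg = f"{src[0]}:{src[1]}>{dst[0]}:{dst[1]}@{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

def make_cookie(src, dst, client_isn, now):
    """Server ISN for the SYN+ACK: h(src, dst, t) + client seq + (t << 24), mod 2^32.
    Nothing is stored; the pending-connection state lives in this number."""
    slot = (now // SLOT_SECONDS) & 0xFF
    return (h(src, dst, slot) + client_isn + (slot << 24)) & MASK32

def validate_ack(src, dst, ack_seq, ack_num, now):
    """Check the third handshake packet with no stored state. ack_seq is the client's
    seq (its ISN + 1), ack_num is our ISN + 1. Returns the client ISN if the cookie is
    genuine and recent (current or previous slot), else None."""
    client_isn = (ack_seq - 1) & MASK32
    cookie = (ack_num - 1) & MASK32
    current = (now // SLOT_SECONDS) & 0xFF
    for slot in (current, (current - 1) & 0xFF):
        # subtract h() and the client seq; what remains must be the time term
        if (cookie - h(src, dst, slot) - client_isn) & MASK32 == (slot << 24):
            return client_isn
    return None

if __name__ == "__main__":
    client, server = ("198.51.100.7", 40001), ("203.0.113.10", 80)   # constructed endpoints
    isn = make_cookie(client, server, 12345, now=1000)
    print(validate_ack(client, server, 12346, isn + 1, now=1010))            # 12345: genuine
    print(validate_ack(client, server, 12346, isn + 1, now=1000 + 3 * 64))   # None: stale cookie
    print(validate_ack(("198.51.100.8", 40001), server, 12346, isn + 1, now=1010))  # None: other source
```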
29. B. TCP State and Memory Allocations
   - The adaptive time-out approach
     - Assumption: there is a fixed amount of space for the state of pending connections
     - Varies the time before time-outs, depending on the amount of space available for new pending connections
     - As the amount of available space decreases, so does the amount of time before the system begins to time out connections
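The adaptive time-out beside a fixed one, as an added example that is not code from the slides or from Bishop; the table capacity, the base time-out, the floor and the linear scaling rule are assumptions, and the flood scenario is constructed.

```python
# Added example, not from the slides or Bishop: a table of pending (half-open)
# connections whose time-out shrinks as free space shrinks. Capacity, the base
# time-out and the linear scaling rule are assumptions made for illustration.
CAPACITY = 8            # fixed space for the state of pending connections
BASE_TIMEOUT = 75.0     # seconds a half-open entry may wait when the table is empty
MIN_TIMEOUT = 1.0       # floor, so a full table still gives real clients a chance

class PendingTable:
    def __init__(self, adaptive=True):
        self.adaptive = adaptive
        self.pending = {}   # (client ip, client port) -> time the SYN arrived

    def timeout(self):
        """Adaptive: less free space means less time before entries are timed out."""
        if not self.adaptive:
            return BASE_TIMEOUT
        free = CAPACITY - len(self.pending)
        return max(MIN_TIMEOUT, BASE_TIMEOUT * free / CAPACITY)

    def expire(self, now):
        """Drop entries older than the current time-out; return how many were dropped."""
        limit = self.timeout()
        stale = [k for k, t in self.pending.items() if now - t > limit]
        for k in stale:
            del self.pending[k]
        return len(stale)

    def on_syn(self, key, now):
        """Reserve a slot for a new SYN; False means the table is genuinely full."""
        self.expire(now)
        if len(self.pending) >= CAPACITY:
            return False
        self.pending[key] = now
        return True

    def on_ack(self, key):
        """Handshake completed: the entry leaves the pending table."""
        return self.pending.pop(key, None) is not None

def flood_then_client(adaptive):
    """Constructed scenario: CAPACITY SYNs that are never ACKed arrive one per second,
    then a legitimate client sends its SYN at t=9. Returns whether it got a slot."""
    table = PendingTable(adaptive)
    for i in range(CAPACITY):
        table.on_syn(("203.0.113.%d" % i, 40000), now=float(i))
    return table.on_syn(("198.51.100.7", 51515), now=9.0)

if __name__ == "__main__":
    print(flood_then_client(adaptive=True))    # True: old half-open entries timed out fast
    print(flood_then_client(adaptive=False))   # False: a fixed 75 s time-out keeps the table full
```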
30. Summary
   - A brief overview
   - Many issues and techniques in network security
   - One or more new courses are needed!