MIS219: An Introduction to Data Communication & Networks (DCN)
Download
Report
Transcript MIS219: An Introduction to Data Communication & Networks (DCN)
Lecture on Network Security
Debashis Saha
Introduction to Network/
Linux Security
Debashis Saha
MIS Group, IIM Calcutta
[email protected]
Thursday, May 17, 2007
1
Lecture on Network Security
Debashis Saha
Overview
• What is network security?
• Kind of security services one might desire
• What kind of attacks should we try to
protect a network against?
• What are the available protection strategies
available?
• What support can we expect from LINUX?
Thursday, May 17, 2007
2
Lecture on Network Security
Debashis Saha
What is network security?
• A network is secure if you can depend on it
and its nodes behave as you expect.
• If you do not know what you are
protecting, why you are protecting it, and
what you are protecting it from, your task
will be rather difficult!
Thursday, May 17, 2007
3
Lecture on Network Security
Debashis Saha
Kind of security one might
desire
•
•
•
•
•
•
Thursday, May 17, 2007
Authentication
Confidentiality (Privacy)
Integrity
Availability
Non-Repudation
Auditing
4
Lecture on Network Security
Debashis Saha
Authentication
• Authentication is the process of reliably verifying
the identity of someone (or something) by means
of:
–
–
–
–
A secret (password [one-time], ...)
An object (smart card, ...)
Physical characteristics (fingerprint, retina, ...)
Trust
• Do not mistake authentication for authorization!
Thursday, May 17, 2007
5
Lecture on Network Security
Debashis Saha
Integrity Vs Confidentiality
• Integrity
– Protecting information from being deleted or altered in any way
without the permission of the owner of that information.
• Confidentiality
– Protecting information from being read or copied by anyone who
has not been explicitly authorized by the owner of that
information.
Thursday, May 17, 2007
6
Lecture on Network Security
Debashis Saha
Availability
If the system is unavailable when an
authorized user needs it, the result can
be as bad as having the information that
resides on the system deleted!
Thursday, May 17, 2007
7
Lecture on Network Security
Debashis Saha
Non repudation
The ability of the receiver of something to
prove to a third party that the sender
really did send the message.
Thursday, May 17, 2007
8
Lecture on Network Security
Debashis Saha
Auditing
The ability to record events that might
have some security relevance. In such
cases, you need to determine what was
affected. In some cases, the audit trail
may be extensive enough to allow “undo”
operations to help restore the system to a
correct state.
Thursday, May 17, 2007
9
Lecture on Network Security
Debashis Saha
Kind of attacks to a Computer
What kind of attacks should we try to
protect a computer against ?
• Physical Security
– Lockers, BIOS, weather, ...
• Personnel security
• Operating System security
• Network security
Thursday, May 17, 2007
10
Lecture on Network Security
Some common network
services
•
•
•
•
•
•
•
•
•
Thursday, May 17, 2007
Debashis Saha
DNS
Apache
NFS
NIS/NIS+
Samba
Telnet
FTP
Mail
... ... ...
11
Lecture on Network Security
Network Security: common
attacks
Debashis Saha
• Interception
– Modification
• Intrusion
– Modification, Fabrication
• Denial of service
– Interruption
• Information theft
Thursday, May 17, 2007
12
Lecture on Network Security
Debashis Saha
Security tools
• Cryptography
• Symmetric Vs Asymmetric (Certificates ...)
• Firewalls & Proxyes
• Ipchains/Iptable ...
• TCP Wrappers + UDP Relayers
• Pluggable Authentication Module
• It is a suite of shared libraries that enable the local system
administrator to choose how applications authenticate users
• Kernel Level Security
• Log files (/var/log/*)
Thursday, May 17, 2007
13
Lecture on Network Security
Debashis Saha
Cryptography: the solution for
privacy
The security is based on the secrecy of the key and sometimes of the
alghoritms too.
Thursday, May 17, 2007
14
Lecture on Network Security
Debashis Saha
Cryptography Model
Encryption Key, K
Plaintext, P
Encryption, E
Cyphertext, C
Plaintext, P
Decryption, D
Decryption Key, K'
Thursday, May 17, 2007
15
Lecture on Network Security
Debashis Saha
Basic Formula
C=EK(P)
P=DK'(C)
DK'(EK(P))=P
If K=K', it is symmetric key system,also known as secret key key system
If KK', it is asymmetric key systemcommonly called public key system
Thursday, May 17, 2007
16
Lecture on Network Security
Cryptography
Debashis Saha
Symmetric Vs Asymmetric
• Symmetric (also called private key algorithms)
– The same password is used to both encrypt
and decrypt
– Faster algorithms
– PROBLEM: key management is not easy
• Asymmetric (also called pubblic key algorithms)
– The password used to encrypt is different
from the one needed to decrypt
– More secure
– It allows to have non-repudiation
Thursday, May 17, 2007
17
Lecture on Network Security
Debashis Saha
Secret Key System
DES Key
Alice
Thursday, May 17, 2007
DES Key
Bob
18
Lecture on Network Security
Debashis Saha
Data Encryption Standard (DES)
•
•
•
•
•
It is a symmetric algorithm
Designed by IBM for the U.S. Government in 1977
It is based on a 128 bit key (earlier 64)
Hardware Vs Software implementation
How secure is DES?
– How much would a Des-Breaking engine would cost?
– Is it possible to make DES harder to break in?
– How does it work?
Thursday, May 17, 2007
19
Lecture on Network Security
Debashis Saha
Public Key System
Bob's
public Key
Alice
Thursday, May 17, 2007
Bob's
private key
Bob
20
Lecture on Network Security
Debashis Saha
RSA Algorithm
•
•
•
•
1.
2.
3.
4.
Rivest, Shamir & Adleman (1978), MIT
Most widely used public key algorithm
Based on principles of number theory
Keys are calculated in the following way:
100
Choose two large (>10 ) primes, p and q
Compute n=p*q and z=(p-1)*(q-1)
Choose a number k' which is relatively prime to z
Find k such that k*k'=1 mod z
C=Pk (mod n) and P=Ck' (mod n)
Thursday, May 17, 2007
21
Lecture on Network Security
Example
Debashis Saha
Say p=3 and q=11 so that n=33 and z=20
A suitable value for k' is 7 (prime to 20)
k can be found by solving: 7*k=1 (mod 20)
Thus, k=3
3
So encryption:
C=P (mod 33)
7
And Decryption: P=C (mod 33)
Say P=14, then C=143 (mod 33)=2744 (mod 33)=5
7
Conversely, C (mod 33)=78125 (mod 33)=14=P
Thursday, May 17, 2007
22
Lecture on Network Security
Debashis Saha
Digital Signature
• An important security strategy for E-Commerce
• The receiver can verify the claimed identity of the
sender (authenticated)
• The sender cannot later repudiate the contents of the
message
• The message cannot be concocted in transit
• Can be implemented using public key cryptography
Thursday, May 17, 2007
23
Lecture on Network Security
Debashis Saha
Public Key Signature
Say, A wants to send a signed message P to B
We know that P=DK'[EK(P)] holds
It is assumed that P=EK[DK'(P)] also holds
A computes C=EK'A(P) using his private key
and sends it to B openly
B then decrypts C by KA as: DKA(C)=P
B, decrypting the message with A's public key,
knows that A generated the message
Later A cannot deny having sent C because it can
be opened by KA only and K'A is private to A
Thursday, May 17, 2007
24
Lecture on Network Security
Security of cryptographic
algorithms
Debashis Saha
• Let us define the lifetime of an information as the amount of
time the information should be kept secret.
• An encryptioncan cab be considered secure if the time to break
it (for ex. with a brute force attack) is reasonably longer than
the lifetime of the information contained in the plain text.
Cost
Length of the key on bits
(estimated in 1995, Applied Cryptography)
40
56
64
80
112
128
$ 100K
2.00 s.
35 h.
1 y.
70,000 y.
1014 y.
1019 y.
$ 1M
0.20 s.
3.5 h
37 d.
7,000 y.
1013 y.
1018 y.
$ 10M
0.02 s.
21 min.
4 d.
700 y.
1012 y.
1017 y.
Thursday, May 17, 2007
25
Lecture on Network Security
Debashis Saha
Secure Socket Layer (SSL)
• It is based on a public encryption
algorithm
• It is a protocol developed by Netscape for
secure transactions across the Web
• It is stream-based consisting of three phases
– 6In initial handshake phase, secure communications are established
– In intermediate data transfer phase, application-to-application dialog
(with data encryption) occurs
– In closing handshake phase, connection is terminated
• There are free SSL implementations
Thursday, May 17, 2007
26
Lecture on Network Security
Debashis Saha
Firewall
(Access Control)
Thursday, May 17, 2007
27
Lecture on Network Security
Debashis Saha
What is a Firewall?
• A set of related programs that protects
the resources of a private network from
users from other networks.
• A mechanism for filtering network packets
based on information contained within the
IP header.
• Options available
–
–
–
–
–
Commercial Firewall Devices (Watchguard, Cisco PIX)
Routers (ACL Lists)
Linux
Software Packages (ZoneAlarm, Black Ice)
Sneaker Net
Thursday, May 17, 2007
28
Lecture on Network Security
Debashis Saha
Firewalls
• Routers: easy to say “allow everything but…”
• Firewalls: easy to say “allow nothing but…”
• This helps because we turn off access to
everything, then evaluate which services are
mission-critical and have well-understood
risks
• Note: the only difference between a router
and a firewall is the design philosophy:
– do we prioritize security, or connectivity ?
• configurability, logging
Thursday, May 17, 2007
29
Lecture on Network Security
Debashis Saha
Firewall setup
• Firewall ensures that the internal network and
the Internet can both talk to the DMZ, but
usually not to each other
• The DMZ relays services at the application
level, e.g. mail forwarding, web proxying
• The DMZ machines and firewall are centrally
administered by people focused on security
full-time (installing patches, etc.);
– it’s easier to secure 20 machines than 20,000
• Now the internal network is “safe” (but not
from internal attacks, modems, etc.)
Thursday, May 17, 2007
30
Lecture on Network Security
Debashis Saha
Typical firewall setup
evil Internet
DMZ
Thursday, May 17, 2007
internal network
31
Lecture on Network Security
Debashis Saha
Downside of firewalls
•
•
•
•
single point of failure
difficult to integrate into a mesh network
highlights flaws in network architecture
can focus politics on the firewall
administrator
Thursday, May 17, 2007
32
Lecture on Network Security
Debashis Saha
Firewall
using
Packet Filtering
Thursday, May 17, 2007
33
Lecture on Network Security
Debashis Saha
Packet Filters .. “Firewalls”
• A “Firewall” can be at
any layer between 3-5
• Application-level
gateways work at the
application layer
• Packet-filters work at
the network layer
User Applications
Application
Presentation
Session
Transport
Network
Data Link
Physical
Thursday, May 17, 2007
34
Lecture on Network Security
Debashis Saha
Why Filter?
• Packets that are filtered increase security.
• Prevent ousiders from using services on a system.
• Prevent malicious attacks such as Denial of Service
(DoS) and ping flood attacks.
• Control the flow of information.
• Prevent internal system users from using certain sites
or types of protocols.
Thursday, May 17, 2007
35
Lecture on Network Security
Debashis Saha
Packet Filtering
• Should arriving packet be allowed in? Should a
departing packet be let out?
• Filter packet-by-packet, making decisions to
forward/drop a packet based on:
–
–
–
–
–
source IP address, destination IP address
TCP/UDP source and destination port numbers
ICMP message type
TCP SYN and ACK bits
...
Data
Thursday, May 17, 2007
36
Lecture on Network Security
Debashis Saha
Packet “filtering”
• Packet filtering is not just “filtering”
• Changing Packets: Filters often able to
rewrite packet headers
• Examine/modify IP packet contents only?
Or entire Ethernet frames?
• Monitor TCP state?
Thursday, May 17, 2007
37
Lecture on Network Security
Debashis Saha
Packet Filtering Limitations
• Cannot Do: Allow only certain users in
(requires application-specific information)
• Can do: Allow or deny entire services
(protocols)
• Cannot Do: Allow, e.g., only certain files to
be ftp’ed
Thursday, May 17, 2007
38
Lecture on Network Security
Packet Filtering in Linux
History
•
•
•
•
Debashis Saha
1st generation: ipfw (from BSD)
2nd generation: ipfwadm (Linux 2.0)
3rd generation: ipchains (Linux 2.2)
4th generation: iptable (Linux 2.4, 2.6)
Thursday, May 17, 2007
39
Lecture on Network Security
Debashis Saha
Packet Traversal in Linux
PreRouting
Routing
Decision
Input
Thursday, May 17, 2007
Forward
Local
Processes
PostRouting
Output
40
Lecture on Network Security
Debashis Saha
The Rules Chain Concept
• The most common method used by packet filtering for the organization of the
filters is the rules chain. A rule chain contains a listing of each filter, or rule,
that has been configured on the local system.
•Linux uses four main chains:
• Input – packets traveling to the host
• Output – packets leaving from the host
• Forward – packets received by the host and will be forwarded by the
host
• User Defined – special type of chain created by the user that receives
packets from the three main chains for processing
• Rules chains allow for complex filtering of data entering or leaving a
system while making it easy to install and maintain the rules.
Thursday, May 17, 2007
41
Lecture on Network Security
Debashis Saha
Linux Iptables/Netfilter
• In Linux kernel 2.4 and 2.6, we use the
netfilter package with iptables
commands to setup the firewall.
• The old package called IPchains is
deprecated.
• http://www.netfilter.org/
Thursday, May 17, 2007
42
Lecture on Network Security
Debashis Saha
Iptables: http://www.netfilter.org/
• What is iptables?
• iptables is the building block of a framework inside the Linux kernel.
This framework enables packet filtering, network address translation
(NAT), network port translation (NPT), and other packet mangling.
• iptables is a generic table structure for the definition of rulesets. Each rule
with an IP table consists of a number of classifiers (iptables matches) and
one connection action (iptable target).
• What can I do with iptables?
• build internet firewalls based on stateless and stateful packet filtering
• use NAT and masquerading for sharing internet access
• use NAT to implement transparent proxies
• do further packet manipulation (mangling) like altering the bits of the IP
header
Thursday, May 17, 2007
43
Lecture on Network Security
Debashis Saha
iptables - Features (1)
• Stateful filtering of TCP & UDP traffic
– Ports opened & closed as clients use the Internet
– Presents a (mostly) “blank wall” to attackers
• “Related” option for complex applications
– Active mode FTP
– Multimedia applications (Real Audio, etc.)
• Can filter on fragments
Thursday, May 17, 2007
44
Lecture on Network Security
Debashis Saha
iptables - Features (2)
• Improved logging options
– User-defined logging prefixes
– Log selected packets (e.g., handshake packets)
• Port Address Translation (PAT)
• Network Address Translation (NAT)
– Inbound
• Redirect to DMZ web server, mail server, etc.
– Outbound
• Group outbound traffic and/or use static assignment
Thursday, May 17, 2007
45
Lecture on Network Security
Debashis Saha
iPtables “chains”
• A chain is a sequence of filtering rules.
• Rules are checked in order. First match
wins. Every chain has a default rule.
• If no rules match the packet, chain policy
is applied.
• Chains are dynamically inserted/ deleted.
Thursday, May 17, 2007
46
Lecture on Network Security
Debashis Saha
Built-in chains
1.
INPUT: packets for local processes
1.
No output interface
1.
2.
No input interface
All packets to and from lo (loopback) interface traverse input and
output chains
2. OUTPUT: packets produced by local processes
3. FORWARD: for all transiting packets
1.
2.
Do not traverse INPUT or OUTPUT
Has input and output interface
4. PREROUTING
5. POSTROUTING
Thursday, May 17, 2007
47
Lecture on Network Security
Debashis Saha
Network Address Translation
(NAT)
Thursday, May 17, 2007
48
Lecture on Network Security
Debashis Saha
Private Network
• Private IP network is an IP network that is not
directly connected to the Internet
• IP addresses in a private network can be
assigned arbitrarily.
– Not registered and not guaranteed to be globally unique
• Generally, private networks use addresses
from the following experimental address
ranges (non-routable addresses):
– 10.0.0.0 – 10.255.255.255
– 172.16.0.0 – 172.31.255.255
– 192.168.0.0 – 192.168.255.255
Thursday, May 17, 2007
49
Lecture on Network Security
Debashis Saha
Private Addresses
H1
H3
H2
10.0.1.2
H4
10.0.1.2
10.0.1.3
10.0.1.1
10.0.1.3
10.0.1.1
Private network 1
Private network 1
Internet
R1 128.195.4.119
128.143.71.21
R2
213.168.112.3
H5
Thursday, May 17, 2007
50
Lecture on Network Security
Debashis Saha
Network Address Translation
(NAT)
• NAT is a router function where IP addresses
(and possibly port numbers) of IP datagrams
are replaced at the boundary of a private
network
• NAT is a method that enables hosts on private
networks to communicate with hosts on the
Internet
• NAT is run on routers that connect private
networks to the public Internet, to replace
the IP address-port pair of an IP packet with
another IP address-port pair.
Thursday, May 17, 2007
51
Lecture on Network Security
Debashis Saha
Basic operation of NAT
• NAT device has address translation table
Thursday, May 17, 2007
52
Lecture on Network Security
Debashis Saha
Main uses of NAT
• Pooling of IP addresses
• Supporting migration between network
service providers
• IP masquerading
• Load balancing of servers
Thursday, May 17, 2007
53
Lecture on Network Security
Debashis Saha
Pooling of IP addresses
• Scenario: Corporate network has many
hosts but only a small number of public IP
addresses
• NAT solution:
– Corporate network is managed with a private address
space
– NAT device, located at the boundary between the
corporate network and the public Internet, manages a
pool of public IP addresses
– When a host from the corporate network sends an IP
datagram to a host in the public Internet, the NAT
device picks a public IP address from the address pool,
and binds this address to the private address of the host
Thursday, May 17, 2007
54
Lecture on Network Security
Debashis Saha
Pooling of IP addresses
Private
network
Internet
Source
= 10.0.1.2
Destination = 213.168.112.3
Source
= 128.143.71.21
Destination = 213.168.112.3
NAT
device
private address: 10.0.1.2
public address:
H1
public address:
213.168.112.3
H5
Private
Address
Public
Address
10.0.1.2
Pool of addresses: 128.143.71.0-128.143.71.30
Thursday, May 17, 2007
55
Lecture on Network Security
Debashis Saha
Supporting migration between
network service providers
• Scenario: In CIDR, the IP addresses in a
corporate network are obtained from the service
provider. Changing the service provider requires
changing all IP addresses in the network.
• NAT solution:
– Assign private addresses to the hosts of the corporate network
– NAT device has static address translation entries which bind
the private address of a host to the public address.
– Migration to a new network service provider merely requires an
update of the NAT device. The migration is not noticeable to
the hosts on the network.
Note:
– The difference to the use of NAT with IP address pooling is
that the mapping of public and private IP addresses is static.
Thursday, May 17, 2007
56
Lecture on Network Security
Debashis Saha
Supporting migration between
network service providers
Thursday, May 17, 2007
57
Lecture on Network Security
Debashis Saha
IP masquerading
• Also called: Network address and port
translation (NAPT), port address
translation (PAT).
• Scenario: Single public IP address is
mapped to multiple hosts in a private
network.
• NAT solution:
– Assign private addresses to the hosts of the corporate
network
– NAT device modifies the port numbers for outgoing
traffic
Thursday, May 17, 2007
58
Lecture on Network Security
Debashis Saha
IP masquerading
Thursday, May 17, 2007
59
Lecture on Network Security
Debashis Saha
Load balancing of servers
• Scenario: Balance the load on a set of
identical servers, which are accessible
from a single IP address
• NAT solution:
– Here, the servers are assigned private addresses
– NAT device acts as a proxy for requests to the server
from the public network
– The NAT device changes the destination IP address of
arriving packets to one of the private addresses for a
server
– A sensible strategy for balancing the load of the servers
is to assign the addresses of the servers in a round-robin
fashion.
Thursday, May 17, 2007
60
Lecture on Network Security
Debashis Saha
Load balancing of servers
Thursday, May 17, 2007
61
Lecture on Network Security
Debashis Saha
Concerns about NAT
• Performance:
– Modifying the IP header by changing the IP address
requires that NAT boxes recalculate the IP header
checksum
– Modifying port number requires that NAT boxes
recalculate TCP checksum
• Fragmentation
– Care must be taken that a datagram that is fragmented
before it reaches the NAT device, is not assigned a
different IP address or different port numbers for each
of the fragments.
Thursday, May 17, 2007
62
Lecture on Network Security
Debashis Saha
Concerns about NAT
• End-to-end connectivity:
– NAT destroys universal end-to-end reachability of hosts
on the Internet.
– A host in the public Internet often cannot initiate
communication to a host in a private network.
– The problem is worse, when two hosts that are in a
private network need to communicate with each other.
Thursday, May 17, 2007
63
Lecture on Network Security
Debashis Saha
Concerns about NAT
• IP address in application data:
– Applications that carry IP addresses in the payload of
the application data generally do not work across a
private-public network boundary.
– Some NAT devices inspect the payload of widely used
application layer protocols and, if an IP address is
detected in the application-layer header or the
application payload, translate the address according to
the address translation table.
Thursday, May 17, 2007
64
Lecture on Network Security
Debashis Saha
Configuring NAT in Linux
• Linux uses
Netfilter/
iptable
package
to add
filtering
rules to
the IP
module
To application
From application
filter
INPUT
nat
OUTPUT
Destination
is local?
nat
PREROUTING
(DNAT)
Incoming
datagram
Thursday, May 17, 2007
filter
OUTPUT
Yes
No
filter
FORWARD
nat
POSTROUTING
(SNAT)
Outgoing
datagram
65
Lecture on Network Security
Debashis Saha
Configuring NAT with iptable
•
•
•
•
•
First example:
iptables –t nat –A POSTROUTING –s 10.0.1.2
–j SNAT --to-source 128.143.71.21
Pooling of IP addresses:
iptables –t nat –A POSTROUTING –s 10.0.1.0/24
–j SNAT --to-source 128.128.71.0–128.143.71.30
ISP migration:
iptables –t nat –R POSTROUTING –s 10.0.1.0/24
–j SNAT --to-source 128.195.4.0–128.195.4.254
IP masquerading:
iptables –t nat –A POSTROUTING –s 10.0.1.0/24
–o eth1 –j MASQUERADE
Load balancing:
iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-destination 10.0.1.2-10.0.1.4
Thursday, May 17, 2007
66
Lecture on Network Security
Debashis Saha
Thank You
For further queries, mail to:
[email protected]
Thursday, May 17, 2007
67