Transcript Chapter8

Firewalls
 firewall: isolates the organization's internal network from the larger Internet, allowing some packets to pass and blocking others.
[figure: public Internet <-> firewall <-> administered network]
Network Security
7-1
Firewalls: Why
Prevent denial-of-service attacks:
 Denial-of-Service (DoS) attack:
• send many fake requests to congest a link or consume server resources (CPU, memory)
 SYN flooding:
• attacker sends many SYNs to the victim; the victim allocates connection state for each half-open connection until no resources are left for real connection requests.
• usually sent with spoofed source IP addresses, so the victim's SYN-ACKs go to hosts that never complete the handshake
Prevent illegal modification/access of internal data.
 e.g., attacker replaces the CIA's homepage with something else
Firewalls: Why
Allow only authorized access to the inside network:
 set of authenticated users
 set of authorized IP addresses
Two types of firewalls:
 application-level
• checks application-level data
 packet-filtering
• checks only IP/TCP/UDP header fields
Packet Filtering
[figure: should an arriving packet be allowed in? Should a departing packet be let out?]
 internal network connected to the Internet via a router firewall
 router filters packet-by-packet; the decision to forward/drop a packet is based on:
• source IP address, destination IP address
• TCP/UDP source and destination port numbers
• ICMP message type
• TCP SYN and ACK bits
Packet Filtering
 Example 1: block incoming and outgoing datagrams with IP protocol field = 17 (UDP), and block datagrams with TCP source or destination port = 23 (telnet).
 Result: all incoming and outgoing UDP flows and all telnet connections are blocked. (These are two separate rules; a single rule requiring both protocol 17 and port 23 would never match a telnet connection, since telnet runs over TCP.)
 Example 2: block inbound TCP segments with SYN=1 and ACK=0.
 Prevents external clients from initiating TCP connections to internal hosts, but allows internal clients to connect to the outside: the SYN-ACK replies to internal connection attempts carry ACK=1 and pass the filter. (Blocking every inbound segment with SYN=1 would also drop those SYN-ACKs and break outbound connections.)
[figure: example of the Windows XP Service Pack 2 firewall]
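The two example rules above, as an added stateless packet filter in Python (not code from the slides). The `Packet` record, the rule functions and the sample traffic are constructed for this example; a real filter would read the same fields from the IP and TCP/UDP headers. The sample includes an inbound SYN-ACK so the SYN=1/ACK=0 distinction of Example 2 is visible.

```python
"""Stateless packet filter implementing the two example rules.

Added example, not from the original slides. Packets are constructed
records; real filters read these fields from the IP/TCP/UDP headers.
"""
from dataclasses import dataclass
from typing import Dict, Optional

PROTO_TCP = 6
PROTO_UDP = 17
TELNET_PORT = 23


@dataclass(frozen=True)
class Packet:
    direction: str                    # "in" (from Internet) or "out" (to Internet)
    proto: int                        # IP protocol field
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    syn: bool = False                 # TCP flag bits; ignored for non-TCP
    ack: bool = False


def rule_block_udp_and_telnet(pkt: Packet) -> bool:
    """Example 1: drop all UDP, and drop telnet (TCP port 23) in both directions."""
    if pkt.proto == PROTO_UDP:
        return True
    if pkt.proto == PROTO_TCP and TELNET_PORT in (pkt.src_port, pkt.dst_port):
        return True
    return False


def rule_block_inbound_syn(pkt: Packet) -> bool:
    """Example 2: drop inbound connection initiations (SYN=1, ACK=0).

    An inbound SYN-ACK (SYN=1, ACK=1) is the reply to an internal client's
    connection attempt and must be allowed through.
    """
    return (pkt.direction == "in" and pkt.proto == PROTO_TCP
            and pkt.syn and not pkt.ack)


def filter_packet(pkt: Packet) -> str:
    """First matching drop rule wins; the default is to forward."""
    for rule in (rule_block_udp_and_telnet, rule_block_inbound_syn):
        if rule(pkt):
            return "drop"
    return "forward"


# Constructed sample traffic (not captured data).
SAMPLE = [
    ("dns reply in",       Packet("in",  PROTO_UDP, 53, 40123)),
    ("telnet out",         Packet("out", PROTO_TCP, 50000, 23, syn=True)),
    ("ext. client SYN in", Packet("in",  PROTO_TCP, 51000, 80, syn=True)),
    ("SYN-ACK reply in",   Packet("in",  PROTO_TCP, 443, 52000, syn=True, ack=True)),
    ("data in",            Packet("in",  PROTO_TCP, 443, 52000, ack=True)),
    ("https out",          Packet("out", PROTO_TCP, 52000, 443, syn=True)),
]


def run_sample() -> Dict[str, str]:
    return {name: filter_packet(p) for name, p in SAMPLE}


if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(f"{name:20s} -> {verdict}")
```

Note that Example 1 as written also drops inbound DNS replies (UDP/53) to internal resolvers, which is exactly the "all-or-nothing UDP" limitation discussed later in this chapter; production filters keep per-flow state so that replies to internal requests can be matched and allowed.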
Application gateways
 filters packets on application data as well as on IP/TCP/UDP fields.
 Example: allow select internal users to telnet outside.
[figure: host-to-gateway telnet session -> application gateway -> gateway-to-remote-host telnet session; router and filter at the network edge]
1. Require all telnet users to telnet through the gateway.
2. For authorized users, the gateway sets up a telnet connection to the destination host and relays data between the two connections.
3. The router filter blocks all telnet connections not originating from the gateway.
 Example: block user access to known porn websites
• check whether the Web URL is in a "black-list"
Limitations of firewalls and gateways
 IP spoofing: the router can't know whether data "really" comes from the claimed source
• SYN flood attack
• UDP traffic
 client software must know how to contact the application gateway
• e.g., must set the IP address of the proxy in the Web browser
 speed constraint on high-bandwidth links
• application-level filtering is time consuming
 filters often use an all-or-nothing policy for UDP
• usually most incoming UDP ports are blocked
• this causes trouble for real-time Internet video
Limitations of firewalls and gateways
 tradeoff: degree of communication with the outside world vs. level of security
 trend --- remote offices: blurred boundary between inside and outside
 employee laptop threat
 many highly protected sites still suffer from attacks
Internet security threats
Mapping:
 before attacking: "case the joint" – find out what services are implemented on the network
 use ping to determine which hosts have addresses on the network
 port-scanning: try to establish a TCP connection to each port in sequence (see what happens)
 nmap (http://www.insecure.org/nmap/) mapper: "network exploration and security auditing"
Countermeasures?
Internet security threats
Mapping: countermeasures
 record traffic entering the network
 look for suspicious activity (IP addresses, ports being scanned sequentially)
 firewall to block incoming TCP SYN to ports or computers not providing the services
 block ping traffic
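The "look for ports being scanned sequentially" countermeasure above, as an added detection example in Python (not code from the slides). The log format, the sample lines, and the tuning constants `WINDOW_SECONDS` and `MIN_DISTINCT_PORTS` are constructed for this example; the detector flags any source that opens connections to many distinct ports on one host inside a sliding time window and reports whether the ports were consecutive.

```python
"""Detect port scans in a log of inbound TCP connection attempts.

Added example, not from the slides. The log format is constructed for
this example: "<epoch> <src_ip> <dst_ip> <dst_port> <tcp_flags>".
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log: 10.0.0.5 walks ports 21..30 on 192.0.2.10 within
# two seconds; 198.51.100.7 is a normal client hitting 80 and 443.
SAMPLE_LOG = """\
1700000000 10.0.0.5 192.0.2.10 21 S
1700000000 10.0.0.5 192.0.2.10 22 S
1700000000 10.0.0.5 192.0.2.10 23 S
1700000001 10.0.0.5 192.0.2.10 24 S
1700000001 10.0.0.5 192.0.2.10 25 S
1700000001 10.0.0.5 192.0.2.10 26 S
1700000001 10.0.0.5 192.0.2.10 27 S
1700000002 10.0.0.5 192.0.2.10 28 S
1700000002 10.0.0.5 192.0.2.10 29 S
1700000002 10.0.0.5 192.0.2.10 30 S
1700000003 198.51.100.7 192.0.2.10 80 S
1700000004 198.51.100.7 192.0.2.10 443 S
1700000040 198.51.100.7 192.0.2.10 80 S
"""

WINDOW_SECONDS = 10        # assumed tuning knobs for this example
MIN_DISTINCT_PORTS = 8

Event = Tuple[int, str, str, int]


def parse_log(text: str) -> List[Event]:
    """Keep only connection attempts: SYN set, ACK clear."""
    events = []
    for line in text.splitlines():
        ts, src, dst, port, flags = line.split()
        if "S" in flags and "A" not in flags:
            events.append((int(ts), src, dst, int(port)))
    return events


def detect_scans(events: List[Event]) -> Dict[Tuple[str, str], dict]:
    """Flag (src, dst) pairs touching many distinct ports in a sliding window."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        by_pair[(src, dst)].append((ts, port))
    alerts = {}
    for pair, hits in by_pair.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > WINDOW_SECONDS:
                start += 1                      # slide the window forward
            ports = sorted({p for _, p in hits[start:end + 1]})
            if len(ports) >= MIN_DISTINCT_PORTS:
                sequential = ports == list(range(ports[0], ports[0] + len(ports)))
                alerts[pair] = {"ports": len(ports), "sequential": sequential,
                                "first": hits[start][0], "last": hits[end][0]}
    return alerts


def scan_report(text: str = SAMPLE_LOG) -> Dict[Tuple[str, str], dict]:
    return detect_scans(parse_log(text))


if __name__ == "__main__":
    for (src, dst), info in scan_report().items():
        kind = "sequential" if info["sequential"] else "random-order"
        print(f"{src} -> {dst}: {info['ports']} ports in "
              f"{info['last'] - info['first']}s ({kind} scan)")
```

This catches a vertical scan (many ports on one host). A horizontal sweep (one port across many hosts) needs the mirror-image grouping by (src, port) over distinct destinations, and a slow scan spread over hours will stay under any short window; nmap's timing templates are designed to do exactly that.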
Internet security threats
Packet sniffing:
 broadcast media
 promiscuous NIC reads all packets passing by
 can read all unencrypted data (e.g., passwords)
 e.g.: C sniffs B's packets
[figure: A, B and C on one shared segment; the packet src:B dest:A (payload) is read by C]
Countermeasures?
Internet security threats
Packet sniffing: countermeasures
 all hosts in the organization run software that checks periodically whether the host interface is in promiscuous mode.
 one host per segment of broadcast media (switched Ethernet instead of a shared hub; a switch delivers unicast frames only to the destination port, although ARP spoofing and MAC-table flooding can defeat this)
[figure: same topology with a switch; C no longer sees the packet src:B dest:A (payload)]
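The first countermeasure above, the periodic promiscuous-mode check, as an added example in Python (not code from the slides). It assumes Linux, where the kernel exposes each interface's flags word in `/sys/class/net/<iface>/flags` and `IFF_PROMISC` is bit `0x100` (from `<linux/if.h>`); the function names are the example's own.

```python
"""Check whether a Linux network interface is in promiscuous mode.

Added example, not from the slides. Reads the kernel's interface flags
from sysfs (/sys/class/net/<iface>/flags); IFF_PROMISC is bit 0x100
in <linux/if.h>. Assumes Linux; elsewhere the sysfs path does not exist
and nothing is reported.
"""
import os
from typing import Dict

IFF_PROMISC = 0x100          # from <linux/if.h>
SYSFS_NET = "/sys/class/net"


def is_promiscuous(flags_text: str) -> bool:
    """sysfs exposes the flags word as a hex string such as '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def check_interfaces(sysfs_root: str = SYSFS_NET) -> Dict[str, str]:
    """Return {iface: 'promisc' | 'normal' | 'unknown'} for every interface."""
    results: Dict[str, str] = {}
    if not os.path.isdir(sysfs_root):
        return results
    for iface in sorted(os.listdir(sysfs_root)):
        path = os.path.join(sysfs_root, iface, "flags")
        try:
            with open(path) as f:
                results[iface] = "promisc" if is_promiscuous(f.read()) else "normal"
        except OSError:
            results[iface] = "unknown"       # interface vanished or unreadable
    return results


if __name__ == "__main__":
    for iface, state in check_interfaces().items():
        print(f"{iface}: {state}")
```

Running a sniffer such as tcpdump sets this flag, so a host that unexpectedly reports `promisc` deserves a look. The check is host-local: a sniffer that hides its state from the kernel (a rootkit) or a passive tap outside the host will not show up, which is why the switched-segment countermeasure and encryption of the traffic itself matter more than this check.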
Internet security threats
IP Spoofing:
 can generate "raw" IP packets directly from an application, putting any value into the IP source address field
 receiver can't tell whether the source is spoofed
 e.g.: C pretends to be B
[figure: C sends a packet src:B dest:A (payload) to A]
Countermeasures?
Internet security threats
IP Spoofing: egress filtering
 routers should not forward outgoing packets with invalid source addresses (e.g., a datagram whose source address is not in the router's network)
 great, but egress filtering cannot be mandated for all networks
[figure: C's packet src:B dest:A (payload) is dropped at the edge of C's own network]
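The egress-filtering rule above, as an added example in Python (not code from the slides). The site prefixes are assumed (RFC 5737/3849 documentation ranges), and the sample packets are constructed; the policy, dropping any outgoing packet whose source address is not inside the network's own prefixes, is the one described in RFC 2827 (BCP 38).

```python
"""Egress (source-address) filter for a stub network's border router.

Added example, not from the slides. Assumes the site owns the
documentation prefixes below; any outgoing packet whose source is not
inside one of them is spoofed or misrouted and is dropped (RFC 2827).
"""
import ipaddress
from typing import List, Tuple

# Assumed: prefixes assigned to this site.
SITE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("2001:db8:1::/48")]


def egress_verdict(src: str, networks=SITE_PREFIXES) -> str:
    """'forward' if src is inside one of our prefixes, else 'drop'."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop"                 # malformed address: never forward
    if addr.is_unspecified or addr.is_loopback or addr.is_multicast:
        return "drop"                 # never legitimate as a unicast source
    return "forward" if any(addr in n for n in networks) else "drop"


# Constructed sample of outgoing packets (source address, note).
SAMPLE = [
    ("192.0.2.17",    "legitimate internal host"),
    ("198.51.100.9",  "spoofed: belongs to another network"),
    ("2001:db8:1::5", "legitimate internal IPv6 host"),
    ("127.0.0.1",     "loopback as source"),
    ("224.0.0.1",     "multicast as source"),
    ("not-an-ip",     "garbage"),
]


def run_sample() -> List[Tuple[str, str]]:
    return [(src, egress_verdict(src)) for src, _ in SAMPLE]


if __name__ == "__main__":
    for (src, note), (_, verdict) in zip(SAMPLE, run_sample()):
        print(f"{src:15s} {verdict:8s} ({note})")
```

The mirror-image check at the receiving side, ingress filtering, drops packets arriving from the Internet that claim a source inside `SITE_PREFIXES`; a border router should apply both. Neither helps against spoofing of addresses inside the same prefix, and the slide's caveat stands: a network that does not filter its own egress lets its hosts spoof anyone.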
Internet security threats
Denial of service (DoS):
 flood of maliciously generated packets "swamps" the receiver
 Distributed DoS (DDoS): multiple coordinated sources swamp the receiver
 e.g.: C and a remote host SYN-attack A
[figure: streams of SYN packets from C and from a remote host converge on A]
Countermeasures?
Internet security threats
Denial of service (DoS): countermeasures
 filter out flooded packets (e.g., SYN) before they reach the host
• cooperation with source routers
• detect spoofed SYNs based on TTL values
 traceback to the source of the floods (most likely an innocent, compromised machine)
[figure: same SYN-flood topology as on the previous slide]
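The "detect spoofed SYNs based on TTL values" bullet above, as an added example in Python (not code from the slides). The idea is hop-count filtering: a host sends with one of a few common initial TTLs (64, 128, 255), so the TTL seen on arrival implies a hop count, and a genuine peer's hop count is stable. The table of known peers, the TTL values and the SYN sample are constructed; `slack`, the tolerated hop-count difference, is an assumed tuning value.

```python
"""Spotting spoofed SYNs from their TTL (hop-count filtering).

Added example, not from the slides. Build IP -> hop count from completed
handshakes (a host that finished the 3-way handshake really is at that
address), then flag SYNs whose implied hop count disagrees with the table.
All packets below are constructed.
"""
from typing import Dict, List, Tuple

INITIAL_TTLS = (64, 128, 255)     # common OS defaults; assumed for this example


def hop_count(ttl: int) -> int:
    """Smallest common initial TTL >= observed TTL, minus the observed TTL."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init - ttl
    raise ValueError("TTL above 255")


def learn_hops(completed_handshakes: List[Tuple[str, int]]) -> Dict[str, int]:
    """Hosts that finished the handshake are real: record their hop count."""
    return {ip: hop_count(ttl) for ip, ttl in completed_handshakes}


def classify_syn(src: str, ttl: int, table: Dict[str, int], slack: int = 2) -> str:
    """'ok', 'spoofed' (hop count mismatch) or 'unknown' (no prior record)."""
    if src not in table:
        return "unknown"
    return "ok" if abs(hop_count(ttl) - table[src]) <= slack else "spoofed"


# Constructed: peers that completed handshakes earlier, with observed TTLs.
LEARNED = learn_hops([("203.0.113.8", 52),       # initial 64, 12 hops away
                      ("198.51.100.20", 117)])   # initial 128, 11 hops away

# Constructed SYN sample: the attacker spoofs 203.0.113.8, but its own path
# delivers the packet at TTL 240 (15 hops from an initial 255).
SAMPLE_SYNS = [("203.0.113.8", 51), ("203.0.113.8", 240),
               ("198.51.100.20", 116), ("192.0.2.99", 60)]


def run_sample() -> List[str]:
    return [classify_syn(ip, ttl, LEARNED) for ip, ttl in SAMPLE_SYNS]


if __name__ == "__main__":
    for (ip, ttl), verdict in zip(SAMPLE_SYNS, run_sample()):
        print(f"SYN from {ip:14s} ttl={ttl:3d} -> {verdict}")
```

The filter only helps against sources it has seen before, and an attacker who knows (or guesses) the victim's view of the spoofed host's hop count can set the initial TTL to match; a route change also shifts hop counts, which is what `slack` absorbs. It is a cheap first-line filter, not a replacement for SYN cookies.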
Secure e-mail (suppose KB+ is known)
 Alice wants to send confidential e-mail, m, to Bob.
[figure: m --KS(.)--> KS(m); KS --KB+(.)--> KB+(KS); both KS(m) and KB+(KS) are sent over the Internet]
Alice:
 generates a random symmetric private key, KS.
 encrypts the message with KS (for efficiency).
 also encrypts KS with Bob's public key.
 sends both KS(m) and KB+(KS) to Bob.
Secure e-mail (suppose KB+ is known)
 Alice wants to send confidential e-mail, m, to Bob.
[figure: Alice's side as on the previous slide; Bob's side: KB+(KS) --KB-(.)--> KS; KS(m) --KS(.)--> m]
Bob:
 uses his private key KB- to decrypt KB+(KS) and recover KS
 uses KS to decrypt KS(m) to recover m
Secure e-mail (continued)
• Alice wants to provide sender authentication and message integrity.
[figure: Alice: m --H(.)--> H(m) --KA-(.)--> KA-(H(m)); m and KA-(H(m)) are sent over the Internet. Bob: KA-(H(m)) --KA+(.)--> H(m); m --H(.)--> H(m); compare the two]
• Alice digitally signs the message.
• sends both the message (in the clear) and the digital signature.
Secure e-mail (continued)
• Alice wants to provide secrecy, sender authentication, and message integrity.
[figure: m --H(.)--> H(m) --KA-(.)--> KA-(H(m)); m together with KA-(H(m)) --KS(.)--> KS(m, KA-(H(m))); KS --KB+(.)--> KB+(KS); both are sent over the Internet]
Alice uses three keys: her private key, Bob's public key, and a newly created symmetric key.
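The construction of the last four slides (sign with KA-, encrypt m and the signature with a fresh KS, encrypt KS with KB+, then undo the three steps at Bob's end), as one added end-to-end example in Python (not code from the slides, and not how PGP or any real mail client implements it). To stay runnable with the standard library only, it uses textbook RSA over fixed Mersenne primes for KA and KB and a SHA-256 counter keystream as the stand-in for KS(.); `toy_rsa_keypair`, `ks_xor`, `Envelope` and the primes are assumptions of this example, and neither primitive is safe for real use (unpadded RSA is malleable and deterministic).

```python
"""The secure e-mail construction, end to end.

Added example, not from the slides or from any real mail system.
Textbook (unpadded) RSA over fixed primes stands in for KA/KB, and a
SHA-256 XOR keystream stands in for KS(.); both are toys chosen so the
protocol structure is visible. Requires Python 3.8+ (pow with -1).
"""
import hashlib
import secrets
from typing import NamedTuple, Tuple

# --- toy public-key primitive: textbook RSA, fixed primes, no padding ---
E = 65537


def toy_rsa_keypair(p: int, q: int) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)
    return (E, n), (d, n)                      # (public key, private key)


# Assumed key pairs: Mersenne primes, large enough to hold a 256-bit hash.
BOB_PUB, BOB_PRIV = toy_rsa_keypair(2**127 - 1, 2**521 - 1)
ALICE_PUB, ALICE_PRIV = toy_rsa_keypair(2**107 - 1, 2**607 - 1)


def pk(key: Tuple[int, int], x: int) -> int:    # K(.) on the slides
    exp, n = key
    return pow(x, exp, n)


# --- toy symmetric primitive: KS(.) = XOR with a SHA-256 counter keystream ---
def ks_xor(ks: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(ks + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def H(m: bytes) -> int:
    return int.from_bytes(hashlib.sha256(m).digest(), "big")


class Envelope(NamedTuple):
    ks_m: bytes        # KS(m, KA-(H(m)))
    kb_ks: int         # KB+(KS)


SIG_LEN = 128          # bytes reserved for the signature inside the envelope


def alice_send(m: bytes) -> Envelope:
    sig = pk(ALICE_PRIV, H(m))                            # KA-(H(m))
    ks = secrets.token_bytes(16)                          # fresh KS per message
    body = sig.to_bytes(SIG_LEN, "big") + m
    return Envelope(ks_xor(ks, body),                     # KS(m, sig)
                    pk(BOB_PUB, int.from_bytes(ks, "big")))  # KB+(KS)


def bob_receive(env: Envelope) -> bytes:
    ks = pk(BOB_PRIV, env.kb_ks).to_bytes(16, "big")      # KB-(KB+(KS)) = KS
    body = ks_xor(ks, env.ks_m)                           # undo KS(.)
    sig, m = int.from_bytes(body[:SIG_LEN], "big"), body[SIG_LEN:]
    if pk(ALICE_PUB, sig) != H(m):                        # KA+(sig) == H(m)?
        raise ValueError("signature check failed: not from Alice, or modified")
    return m


def roundtrip(m: bytes = b"meet at noon") -> bytes:
    return bob_receive(alice_send(m))


def tampered_is_rejected() -> bool:
    """Flip one ciphertext bit in transit: the signature over m must catch it."""
    env = alice_send(b"pay 10")
    bad = Envelope(env.ks_m[:-1] + bytes([env.ks_m[-1] ^ 1]), env.kb_ks)
    try:
        bob_receive(bad)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(roundtrip(b"meet at noon"), tampered_is_rejected())
```

Two things worth noticing in the code that the diagrams leave implicit: the signature is made over the plaintext before encryption, so Bob can only verify it after decrypting (sign-then-encrypt, as on slide 7-20), and the flipped-bit test passes only because the signature covers the whole message; the toy stream cipher itself provides no integrity, which is why real systems pair the cipher with a MAC or use an authenticated mode in addition to the signature.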
Pretty good privacy (PGP)
 Internet e-mail encryption scheme, de-facto standard.
 uses symmetric key cryptography, public key cryptography, a hash function, and digital signatures as described.
 provides secrecy, sender authentication, integrity.
 inventor, Phil Zimmermann, was the target of a 3-year federal investigation.
A PGP signed message:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bob: My husband is out of town tonight. Passionately yours, Alice

-----BEGIN PGP SIGNATURE-----
Version: PGP 5.0
Charset: noconv

yhHJRHhGJGhgg/12EpJ+lo8gE4vB3mqJhFEvZP9t6n7G6m5Gw2
-----END PGP SIGNATURE-----
Secure sockets layer (SSL)
 transport-layer security for any TCP-based app using SSL services.
 used between Web browsers and servers for e-commerce (https).
 security services:
• server authentication
• data encryption
• client authentication (optional)
 server authentication:
• SSL-enabled browser includes public keys for trusted CAs.
• browser requests the server certificate, issued by a trusted CA.
• browser uses the CA's public key to verify the CA's signature on the certificate, and thereby trusts the server's public key contained in it.
• check your browser's security menu to see its trusted CAs.
SSL (continued)
Encrypted SSL session:
 browser generates a symmetric session key, encrypts it with the server's public key, and sends the encrypted key to the server.
 using its private key, the server decrypts the session key.
 browser and server now share the session key.
• all data sent into the TCP socket (by client or server) is encrypted with the session key.
 SSL: basis of IETF Transport Layer Security (TLS).
 SSL can be used for non-Web applications, e.g., IMAP.
 client authentication can be done with client certificates.
• not widely used, since there are too many clients.
 note: this RSA key-transport exchange is the SSL/TLS-up-to-1.2 way of establishing the session key; TLS 1.3 removed it and derives the key with (EC)DHE instead, so a later compromise of the server's private key does not expose recorded sessions.
How SSL works?
[figure: timeline between Client and Server B]
1. TCP three-way handshake
2. Client requests the server certificate; Server B returns the certificate from the CA, KCA-(KB+), from which the client obtains KB+
3. Client sends the symmetric session key encrypted under the server's public key: KB+(KA-B)
4. Data is exchanged encrypted under the session key: KA-B(m)
IPsec: Network Layer Security
 network-layer secrecy: the sending host encrypts the data in the IP datagram
• applicable to TCP and UDP segments, and to ICMP and SNMP messages.
• IP header in clear text; the rest is encrypted.
 network-layer authentication
• the destination host can authenticate the source IP address
 also uses a similar public key authority for public key distribution
IEEE 802.11 security
 packet sniffing is unavoidable
 war-driving: drive around the Bay Area and see which 802.11 networks are available
• more than 9000 accessible from public roadways
• 85% use no encryption/authentication
• packet sniffing and various attacks are easy!
 Wired Equivalent Privacy (WEP): authentication as in protocol ap4.0 (requires a shared symmetric key)
• host requests authentication from the access point
• access point sends a 128-bit nonce
• host encrypts the nonce using the shared symmetric key
• access point decrypts the nonce and authenticates the host
802.11 WEP Security Concern
 40 bits of key is too short
 RC4 is not properly used in 802.11 (the 24-bit per-packet IV is too small and repeats, and the challenge-response authentication above hands an eavesdropper plaintext and ciphertext for the same keystream)
 A more secure protocol has just been standardized, 802.11i
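Why the shared-key authentication on slide 7-26 is one of the ways RC4 is "not properly used", as an added example in Python (not code from the slides). WEP encrypts with RC4 keyed by IV || shared key and sends the 24-bit IV in the clear, so anyone who overhears one authentication sees a nonce and its encryption, recovers keystream = nonce XOR ciphertext for that IV, and can answer any later challenge by reusing the same IV. The RC4 routine is written out here; the 40-bit key, the 128-bit nonces and the IV are constructed, and WEP's CRC-32 integrity value is omitted for brevity.

```python
"""Why WEP's challenge-response authentication leaks keystream.

Added example, not from the slides. RC4 is implemented from scratch;
the key, nonces and IV are constructed; the WEP ICV is omitted.
"""
from typing import Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); output is data XOR keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):                                  # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                     # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


SHARED_KEY = bytes.fromhex("0badc0ffee")      # constructed 40-bit WEP key


def wep_encrypt(iv: bytes, plaintext: bytes) -> bytes:
    return rc4(iv + SHARED_KEY, plaintext)    # WEP per-packet key = IV || key


def ap_check(nonce: bytes, iv: bytes, response: bytes) -> bool:
    """Access point decrypts with the client's IV and compares to its nonce."""
    return rc4(iv + SHARED_KEY, response) == nonce


def legitimate_auth(nonce: bytes) -> Tuple[bytes, bytes]:
    """A real client answers the challenge; the IV is its choice."""
    iv = b"\x11\x22\x33"                      # constructed 24-bit IV
    return iv, wep_encrypt(iv, nonce)


def eavesdropper_forges(observed_nonce: bytes, iv: bytes,
                        observed_response: bytes, new_nonce: bytes) -> Tuple[bytes, bytes]:
    """Knows no key: recovers keystream from one overheard exchange, reuses it."""
    keystream = bytes(a ^ b for a, b in zip(observed_nonce, observed_response))
    forged = bytes(a ^ b for a, b in zip(new_nonce, keystream))
    return iv, forged


def demo(first_nonce: bytes = bytes(range(16)),
         later_nonce: bytes = bytes(range(16, 32))) -> Tuple[bool, bool]:
    """(legitimate client accepted?, keyless eavesdropper accepted?)"""
    iv, resp = legitimate_auth(first_nonce)          # overheard on the air
    iv2, forged = eavesdropper_forges(first_nonce, iv, resp, later_nonce)
    return ap_check(first_nonce, iv, resp), ap_check(later_nonce, iv2, forged)


if __name__ == "__main__":
    print(demo())
```

The access point accepts the forged response because nothing ties the IV to the client or prevents its reuse: `demo()` returns `(True, True)` although the eavesdropper never touches `SHARED_KEY`. The same recovered keystream also lets the attacker inject data frames of up to 128 bytes under that IV, which is why the authentication handshake weakened WEP rather than strengthening it.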
Internet Worm propagation
 find new targets
• IP random scanning
 compromise targets
• exploit vulnerability
 newly infected hosts join the infection army
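The random-scanning loop above, as an added epidemic-model simulation in Python (not code from the slides). Each infected host probes uniformly random IPv4 addresses at `scan_rate` per second; a probe lands on a vulnerable, still-uninfected host with probability (N - I)/2^32, so dI/dt = scan_rate * I * (N - I) / 2^32. The vulnerable-population size, the two scan rates and the seed are assumed parameters for the comparison, not figures taken from the incidents listed on the next slide.

```python
"""Random-scanning worm spread as a simple epidemic model.

Added example, not from the slides. Population size, scan rates and the
initial seed are assumed inputs for illustration.
"""
from typing import Dict, List, Tuple

ADDRESS_SPACE = 2 ** 32


def simulate(vulnerable: int, scan_rate: float, seed: int = 1,
             dt: float = 1.0, max_seconds: int = 200_000) -> List[Tuple[float, float]]:
    """(t, infected) samples until 99.9% of the vulnerable hosts are infected."""
    infected = float(seed)
    t = 0.0
    history = [(t, infected)]
    while infected < 0.999 * vulnerable and t < max_seconds:
        # each infected host's probes that hit an uninfected vulnerable host
        new = scan_rate * infected * (vulnerable - infected) / ADDRESS_SPACE * dt
        infected = min(float(vulnerable), infected + new)
        t += dt
        history.append((t, infected))
    return history


def time_to_fraction(history: List[Tuple[float, float]],
                     vulnerable: int, frac: float) -> float:
    """Seconds until `frac` of the vulnerable population is infected."""
    for t, inf in history:
        if inf >= frac * vulnerable:
            return t
    return float("inf")


def compare() -> Dict[str, float]:
    """Assumed: 75,000 vulnerable hosts; a worm probing 10 addresses/s per
    host versus one probing 4,000/s. Returns seconds to 90% infection."""
    out = {}
    for name, rate in (("slow", 10.0), ("fast", 4000.0)):
        hist = simulate(75_000, rate)
        out[name] = time_to_fraction(hist, 75_000, 0.9)
    return out


if __name__ == "__main__":
    for name, seconds in compare().items():
        print(f"{name}: 90% of hosts infected after {seconds / 60:.1f} minutes")
```

Growth is logistic: the exponent is scan_rate * N / 2^32 per second, so a 400x faster scanner reaches 90% roughly 400x sooner (minutes instead of most of a day under these assumptions). Anything that shrinks that exponent helps a defender: fewer vulnerable hosts (patching), a lower effective scan rate (rate limiting outbound SYNs, blocking the targeted port at the border), or a larger search space (the reason random scanning does not work the same way in IPv6).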
Worm Infection Incidents
 Code Red (Jul. 2001): 360,000 infected in 14 hours
 Slammer (Jan. 2003): 75,000 infected in 10 minutes
• congested parts of the Internet (ATMs down...)
 Blaster (Aug. 2003): 150,000 ~ 8 million infected
• DDoS attack (shut down the domain windowsupdate.com)
 Witty (Mar. 2004): 12,000 infected in half an hour
• attacked a vulnerability in ISS security products
 Sasser (May 2004): 500,000 infected within two days
Infection faster than human response!
Email Virus and Attacks
 Email viruses:
• executable code in an email attachment
• social engineering trick to fool users into clicking the attachment
  - sender is your friend (faked email header information)
  - email appears to come from security, a failed delivery report, etc.
 Infection procedure:
• set up an SMTP engine
• find all email addresses to send email to
  - avoid some email domains
Email Spam
 You know how easy it is to fake sender info
 Money is the driving force
• sending millions of spam emails costs pennies
• many compromised machines are used to send spam
 Defense is not perfect
• most email servers have spam filters (check your cs.ucf email header!)
• email users do not tolerate false alarms
• 10% getting through is good enough for spammers!
Honeypot and HoneyNet
 Honeypot: a fictitious vulnerable IT system used for the purpose of being attacked, probed, exploited and compromised
• attract attacks
• analyze attacking code and attacking behavior
• find out how to defend
 HoneyNet: a network (physical/virtual) of honeypots
• covering a large number of IP addresses
• monitors more attacking incidents
New Attack Trend --- Botnet
 Botnet: a network of infected hosts controlled by an attacker
• each host has a "bot" installed
• hosts can be compromised by any mechanism: email, worm scan, network share, malicious web...
• attacks: DDoS (extortion), spam, phishing, ads abuse, new attacks
[figure: attacker -> controllers -> bots]