Transcript SCORE: A Scalable Architecture for Implementing Resource

CSCE 522
Network Security
CSCE 522 - Farkas
1
Reading

Pfleeger and Pfleeger: Chapter 6
CSCE 522 - Farkas
2
Overview of TCP/IP
Layers
CSCE 522 - Farkas
3
Internet Challenge

Interconnected networks differ (protocols,
interfaces, services, etc.)
 Solutions:
Reengineer and develop one global packet switching network
standard: not economically feasible
2. Have every host implement the protocols of every network it
wants to communicate with: too complex, very high
engineering cost
3. Add an extra layer: internetworking layer

Hosts: one higher-level protocol

Connecting networks use the same protocol

Interface between the new protocol and network
1.
CSCE 522 - Farkas
4
Layering

Organize a network system into logically
distinct entities
– the service provided by one entity is based only
on the service provided by the lower level
entity
CSCE 522 - Farkas
5
TCP/IP Protocol Stack
Application Layer
Transport Layer
Internetwork Layer
Network Access Layer
• Each layer interacts with
neighboring layers above
and below
• Each layer can be defined
independently
• Complexity of the
networking is hidden from
the application
CSCE 522 - Farkas
6
Layering

Advantages
– Modularity – protocols easier to manage and maintain
– Abstract functionality –lower layers can be changed
without affecting the upper layers
– Reuse – upper layers can reuse the functionality
provided by lower layers

Disadvantages
– Information hiding – inefficient implementations
CSCE 522 - Farkas
7
ISO OSI Reference
Model
ISO – International Standard Organization
 OSI – Open System Interconnection
 Goal: a general open standard

– allow vendors to enter the market by using their
own implementation and protocols
CSCE 522 - Farkas
8
OSI vs. TCP/IP

OSI: conceptually define: service, interface, protocol
 Internet: provide a successful implementation
Application
Presentation
Session
Transport
Network
Datalink
Physical
Application
Transport
Internet
Network
Access
CSCE 522 - Farkas
Telnet
FTP DNS
TCP
UDP
IP
LAN
Packet
radio
9
Network Access Layer

Responsible for packet transmission on the physical
media
 Transmission between two devices that are
physically connected
 The goal of the physical layer is to move
information across one “hop”
 For example: Ethernet, token ring, Asynchronous
Transfer Mode (ATM)
CSCE 522 - Farkas
10
Network Layer

Provides connectionless and unreliable service
 Routing (routers): determine the path a path
has to traverse to reach its destination
 Defines addressing mechanism
– Identify each destination unambiguously
– Hosts should conform to the addressing
mechanism
CSCE 522 - Farkas
11
IP Addresses – Network layer

IP provides logical address space and a corresponding
addressing schema
 IP address is a globally unique or private number
associated with a host network interface
 Every system which will send packets directly out
across the Internet must have a unique IP address
 IP addresses are based on where the hosts are connected
 IP addresses are controlled by a single organization address ranges are assigned
 They are running out of space!
CSCE 522 - Farkas
12
Routing Protocols
• Enable routing decisions to be made
• Manage and periodically update routing tables,
stored at each router
•Router : “which way” to send the packet
•Protocol types:
•Reachability
•Distance vector
CSCE 522 - Farkas
13
The Domain Name
System
 Each
system connected to the Internet also has one
or more logical addresses.
 Unlike IP addresses, the domain address have no
routing information - they are organized based on
administrative units
 There are no limitations on the mapping from
domain addresses to IP addresses
CSCE 522 - Farkas
14
Domain Name
Resolution
 Domain
Name Resolution: looking up a logical
name and finding a physical IP address
 There is a hierarchy of domain name servers
 Each client system uses one domain name server
which in turn queries up and down the hierarchy to
find the address
 If your server does not know the address, it goes up
the hierarchy possibly to the top and works its way
back down
CSCE 522 - Farkas
15
Transport Layer

Provides services to the application layer
 Services:
– Connection-oriented or connectionless transport
– Reliable or unreliable transport
– Security : new compared to the other two services.
May provide: authenticity, confidentiality, integrity

Application has to choose the services it requires
from the transport layer
 Limitations of combinations, e.g., connectionless
and reliable transport is invalid
CSCE 522 - Farkas
16
Application Layer

Provides services for an application to send
and recieve data over the network, e.g.,
telnet (port 23), mail (port 25), finger (port 79)

Interface to the transport layer
– Operating system dependent
– Socket interface – most popular
CSCE 522 - Farkas
17
Communication Between
Layers
Application Data
Application layer
Application layer
Transport payload
Transport layer
Network layer
Transport layer
Network
Payload
Network layer
Network layer
Network layer
Data Link layer Data Link Data Link layer
Payload
Data Link layer
Data Link layer
Router
Host B
Host A
Router
CSCE 522 - Farkas
18
Networks Threats
CSCE 522 - Farkas
19
Network Threats 1.

Reconnaissance
– Port scan: which ports and services are running,
which OS is installed, applications and their
versions
– Social engineering: can access sensitive
information up to login credentials
– Intelligence: open source vs. espionage
– Bulletin boards, chats, documentations, etc.
CSCE 522 - Farkas
20
Threats in Transit



Passive attacks: wiretap, traffic monitoring, packet sniffer,
etc.
Protocol Flaws: RFC number used to report new
vulnerabilities
Impersonation
– Nonexistent authentication, guessing authentication
information, well-known authentication
– Eavesdropping and wiretapping
– Spoofing and masquerading
– Session hijacking, man-in-the-middle
CSCE 522 - Farkas
21
Message Confidentiality
Threats

Mis-delivery
– Target not available, promiscuous-mode

Exposure
– Eavesdropping
– Traffic analysis
CSCE 522 - Farkas
22
Message Integrity Threats

Falsification of Messages
 Noise
 Malformed Packets
 Protocol failures
CSCE 522 - Farkas
23
Denial of Service Threats



Transmission failure
– Multiple reasons, intentional accidental
Connection flooding: attacker sends as much data as the
victim can handle, preventing other from acess
– E.g., ping of death, smurf, syn flooding, etc.
Traffic redirection: routers forward packets to wrong
address
– Corrupted router, incorrect DNS entry, etc.
CSCE 522 - Farkas
24
How to address these threats?
CSCE 522 - Farkas
25
Security -- At What Level?

Secure traffic at various levels in the network
 Where to implement security? -- Depends on the
security requirements of the application and the
user
 Basic services that need to be implemented:





Key management
Confidentiality
Nonrepudiation
Integrity/authentication
Authorization
CSCE 522 - Farkas
26
Network Access Layer (Data Link)
Security
Dedicated link between hosts/routers  hardware
devices for encryption
 Advantages:

– Speed

Disadvantages:
– Not scaelable
– Works well only on dedicates links
– Two hardware devices need to be physically connected
CSCE 522 - Farkas
27
Internetwork Layer Security
IP Security (IPSec)
 Advantages:
– Overhead involved with key negotiation
decreases <-- multiple protocols can share the
same key management infrastructure
– Ability to build VPN and intranet
– Provides per flow or per connection security
 Disadvantages:
– Difficult to handle low granularity security,
e.g., nonrepudation, user-based security,
CSCE 522 - Farkas
28
Transport Layer Security


Advantages:
– Does not require enhancement to each application
Disadvantages:
– Difficult to obtain user context
– Implemented on an end system (Transport Layer
Security)
– Protocol specific
 Implemented for each protocol
 Must maintain context for a connection
CSCE 522 - Farkas
29
Application Layer
Security

Advantages:
– Executing in the context of the user --> easy access to user’s
credentials
– Complete access to data --> easier to ensure nonrepudation
– Application can be extended to provide security (do not depend on
the operating system)
– Application understand data --> fine tune security

Disadvantages:
– Implemented in end hosts
– Security mechanisms have to be implemented for each application
-->
– expensive
– greated probability of making mistake
CSCE 522 - Farkas
30
Application Example

E-mail client using PGP
 Extended capabilities
– Ability to look up public keys of the users
– Ability to provide securiy services such as
encryption/decrytion, nonrepudation, and
authentication for e-mail messages
CSCE 522 - Farkas
31