10/26/05, W - Computer Science


CS 5950/6030 Network Security
Class 24 (W, 10/26/05)
Leszek Lilien
Department of Computer Science
Western Michigan University
Based on Security in Computing. Third Edition by Pfleeger and Pfleeger.
Using some slides courtesy of:
Prof. Aaron Striegel — at U. of Notre Dame
Prof. Barbara Endicott-Popovsky and Prof. Deborah Frincke — at U. Washington
Prof. Jussipekka Leiwo — at Vrije Universiteit (Free U.), Amsterdam, The Netherlands
Slides not created by the above authors are © by Leszek T. Lilien, 2005
Requests to use original slides for non-profit purposes will be gladly granted upon a written request.
Class 23:
4. Protection in General-Purpose OSs
...
4.5. User Authentication
...
SKIPPING FOR NOW:
5. Designing Trusted OSs
6. Database Security
7. Security in Networks
7.1. Network Concepts
a) Introduction
b) The network
c) Media
d) Protocols—PART 1
To help you with your network security projects, we’re skipping
for now two chapters:
5. Designing Trusted OSs
6. Database Security
We’ll cover these chapters later.
7. Security in Networks

Network attacks are critical problems due to:
- Widespread use of networks
- Fast changes in network technology

We'll discuss security issues in network design / development / usage.

Outline
7.1. Network Concepts
7.2. Threats in Networks
7.3. Network Security Controls
7.4. Tools
7.4.1. Firewalls
7.4.2. Intrusion Detection Systems
7.4.3. Secure E-Mail
7.5. Conclusions
7.1. Network Concepts

Outline
a) Introduction
b) The network
c) Media
d) Protocols
e) Types of networks
f) Topologies
g) Distributed systems
h) APIs
i) Advantages of computing networks
Media (3)

5) Infrared
- Line-of-sight transmission
- Convenient for portable devices
- Typically used in protected space (an office)

6) Satellite
a. Geosynchronous orbit (incl. geostationary orbit over equator)
- Speeding satellite seems to be fixed over a point on earth
  - 22,240 miles (35,786 km) orbit, period: 1 day
- For some communication apps, satellites are an alternative to intercontinental cables on the ocean bottom
  - Good for TV
  - Bad for telephones – delay: earth-satellite-earth
b. Low earth orbit (LEO)
- Seen from earth as moving satellites
  - ~95 miles (150 km) above the earth, period: 90 minutes
  - Cover ~660 miles (1000 km) radius
- For full coverage require a satellite constellation
  - E.g., Iridium has 66 satellites
d. Protocols (1)

- Media independence – we don't care what media are used for communications
- Protocols provide an abstract view of communications
  - View in terms of users and data
  - The 'how' details are hidden
- Protocol stack – layered protocol architecture
  - Each higher layer uses the abstract view (what) provided by the lower layer (which hides the 'how' details)
  - Each lower layer encapsulates the higher layer (in an 'envelope' consisting of header and/or trailer)
- Two popular protocol stacks:
  1) Open Systems Interconnection (OSI)
  2) Transmission Control Protocol / Internet Protocol (TCP/IP)
Protocols (2)

1) ISO OSI Reference Model (ISO = Int'l Standards Organization)

OSI Layer | Name         | Activity
7         | Application  | User-level messages
6         | Presentation | Standardized data appearance, blocking, text compression
5         | Session      | Sessions/logical connections among parts of an app; msg sequencing, recovery
4         | Transport    | Flow control, end-to-end error detection & correction, priority service
3         | Network      | Routing, msg -> same-sized packets
2         | Data Link    | Reliable data delivery over physical medium; transmission error recovery, packets -> same-sized frames
1         | Physical     | Actual communication across physical medium; transmits bits
Protocols (7)

- OSI is a conceptual model — not an actual implementation
  - Shows all activities required for communication
  - Would be too slow and inefficient with 7 layers
- An example implementation: TCP/IP

End of Class 23
Class 23:
4. Protection in General-Purpose OSs
...
4.5. User Authentication
...
SKIPPING FOR NOW:
5. Designing Trusted OSs
6. Database Security
7. Security in Networks
7.1. Network Concepts—PART 1
a) Introduction
b) The network
c) Media
d) Protocols—PART 1

Class 24:
d) Protocols—PART 2
e) Types of networks
f) Topologies
g) Distributed systems
h) APIs
i) Advantages of computing networks
Protocols (8)

2) Transmission Control Protocol/Internet Protocol (TCP/IP)
- Invented for what eventually became the Internet
- Defined in terms of protocols, not layers, but can be represented in terms of four layers:
  - Application layer
  - Host-to-host (e2e = end-to-end) transport layer
  - Internet layer
  - Physical layer
- Actually not TCP/IP but: TCP/IP/UDP (user datagram protocol)
Protocols (9)

TCP/IP vs. OSI

OSI Layer | Name               | Activity
7         | Application        | User-level data
6         | Presentation       | Standardized data appearance
5         | Session            | Logical connection among parts
4         | Transport          | Flow control
3         | Internet (Network) | Routing
2         | Data Link          | Reliable data delivery
1         | Physical           | Actual communication across physical medium

[cf. B. Endicott-Popovsky and D. Frincke]
Protocols (10)

TCP/IP Layer | Action                                 | Responsibilities
Application  | Prepare messages from user interaction | User interaction, addressing
Transport    | Convert messages to packets            | Sequencing of packets, reliability (integrity), error correction
Internet     | Convert packets to datagrams           | Flow control, routing
Physical     | Transmit datagrams as individual bits  | Actual data communication
Protocols (11)

- TCP packet includes:
  - Sequence nr
  - Acknowledgement nr – connecting packets of a session
  - Flags
  - Source port nr
  - Destination port nr
- Port – nr of a channel for communication for a particular (type of) application running on a computer
  - Examples of port-application pairs:
    - 23 – Telnet (remote terminal connection)
    - 25 – SMTP (e-mail)
    - 80 – HTTP (web pages)
    - 161 – SNMP (network mngmt)
- App has a waiting process monitoring its port
  - When port receives data, app performs service on it
Protocols (12)

- UDP – user datagram protocol (connectionless)
  - Faster and smaller than TCP
    - No error checking/correction
    - 8 bytes of control info (vs. 24 bytes for TCP)
  - Uses IP => actually UDP/IP
- Applications use application-level protocols – which, in turn, use TCP/IP or UDP/IP
  - Apps do not use TCP/IP or UDP/IP directly
  - Examples – cf. Table 7-3, p.379 (shows 4 protocol layers)
    - Examples of app protocols using TCP/IP: SMTP (e-mail) / HTTP (web pages) / FTP (file transfer) / Telnet (remote terminal connection)
    - Examples of app protocols using UDP/IP: SNMP (network mngmt) / Syslog (entering log records) / Time (synchronizing network device time)
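As an added example (not code from the lecture), the following Python decodes the TCP header fields listed on the two slides above (sequence and acknowledgement numbers, flags, source and destination ports) and the 8-byte UDP header, and labels the destination port with the port-application pairs from the slide. The sample headers are constructed inline with struct.pack; the 20-byte fixed TCP header layout and the flag bit positions are taken from the TCP specification, not from the slides.

```python
"""Decode the TCP and UDP header fields named on the slides.

Added example (not from the lecture slides). Uses only the standard
struct module. The sample headers below are constructed by hand; nothing
is captured from a network.
"""
import struct

# Port-to-application pairs from the slide; used to label decoded ports.
WELL_KNOWN_PORTS = {23: "Telnet", 25: "SMTP", 80: "HTTP", 161: "SNMP"}

# TCP flag bits in the 16-bit "data offset / reserved / flags" field.
TCP_FLAG_NAMES = [
    (0x20, "URG"), (0x10, "ACK"), (0x08, "PSH"),
    (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN"),
]


def parse_tcp_header(data: bytes) -> dict:
    """Return ports, sequence/acknowledgement numbers, flag names and the
    payload of a TCP segment. The 20-byte fixed header is decoded; any
    options are skipped using the data-offset field."""
    if len(data) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    src, dst, seq, ack, off_flags, window, checksum, urgent = struct.unpack(
        "!HHIIHHHH", data[:20])
    data_offset = (off_flags >> 12) * 4          # header length in bytes
    if data_offset < 20 or len(data) < data_offset:
        raise ValueError("bad data offset")
    flags = [name for bit, name in TCP_FLAG_NAMES if off_flags & bit]
    return {
        "src_port": src, "dst_port": dst,
        "seq": seq, "ack": ack, "flags": flags,
        "dst_app": WELL_KNOWN_PORTS.get(dst, "unknown"),
        "payload": data[data_offset:],
    }


def parse_udp_header(data: bytes) -> dict:
    """Return the four UDP header fields (8 bytes of control information)
    and the payload delimited by the length field."""
    if len(data) < 8:
        raise ValueError("UDP header needs 8 bytes")
    src, dst, length, checksum = struct.unpack("!HHHH", data[:8])
    return {
        "src_port": src, "dst_port": dst, "length": length,
        "dst_app": WELL_KNOWN_PORTS.get(dst, "unknown"),
        "payload": data[8:8 + max(length - 8, 0)],
    }


# Constructed sample: a TCP SYN from ephemeral port 40000 to port 80,
# sequence number 1000, no acknowledgement, no options (data offset 5).
SAMPLE_TCP = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0,
                         (5 << 12) | 0x02, 65535, 0, 0)

# Constructed sample: a UDP datagram to port 161 carrying 4 bytes of payload
# (length field = 8 header bytes + 4 payload bytes).
SAMPLE_UDP = struct.pack("!HHHH", 50000, 161, 12, 0) + b"\x01\x02\x03\x04"


if __name__ == "__main__":
    print(parse_tcp_header(SAMPLE_TCP))
    print(parse_udp_header(SAMPLE_UDP))
```

The data-offset check matters in practice: a header that claims more bytes than are present is rejected instead of being decoded with garbage, which is the kind of malformed input a monitoring tool sees on a real wire.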
Protocols (13)

- Network addressing scheme
  - Address – unique identifier for a single point in the network
  - WAN addressing must be more standardized than LAN addressing
  - LAN addressing:
    - Each node has a unique address
      - E.g. = address of its NIC (network interface card)
    - Network admin may choose arbitrary addresses
  - WAN addressing:
    - Most common: Internet addr. scheme – IP addresses
      - 32 bits: four 8-bit groups
      - In decimal: g1.g2.g3.g4 where gi ∈ [0, 255]
        - E.g.: 141.218.143.10
      - User-friendly representation
        - E.g.: cs.wmich.edu (for 141.218.143.10)
Protocols (14)

- Parsing IP addresses
  - From right to left
  - Rightmost part, known as top-level domain
    - E.g., .com, .edu, .net, .org, .gov
    - E.g., .us, .in, .pl
  - Top-level domain controlled by Internet Registrars
    - IRs also control 2nd-level domains (e.g., wmich in wmich.edu)
    - IRs maintain tables of 2nd-level domains within "their" top-level domains
- Finding a service on Internet – e.g., cs.wmich.edu
  - Host looking for a service queries one of tables at IRs for wmich.edu
  - Host finds numerical IP address for wmich.edu
  - Using this IP address, host queries wmich.edu to get from its table numerical address for cs.wmich.edu
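The following Python, added here and not part of the lecture, works through the two previous slides: it validates a dotted-decimal g1.g2.g3.g4 address into its 32-bit value and back, splits a name into labels from the top-level domain leftwards, and walks the registrar-then-organization lookup the slide describes using small constructed tables. The only real values are the slide's own cs.wmich.edu / 141.218.143.10; the registrar address and the wmich.edu address are placeholders from the 192.0.2.0/24 documentation range.

```python
"""Dotted-decimal IPv4 parsing and right-to-left name resolution.

Added example, not from the lecture. The registrar and organization
tables are constructed for illustration.
"""

def parse_ipv4(text: str) -> int:
    """Parse g1.g2.g3.g4 (each gi in [0, 255]) into a 32-bit integer,
    rejecting anything that is not exactly four in-range decimal groups."""
    groups = text.split(".")
    if len(groups) != 4:
        raise ValueError(f"expected four groups: {text!r}")
    value = 0
    for g in groups:
        if not g.isdigit() or not 0 <= int(g) <= 255:
            raise ValueError(f"group out of range: {g!r}")
        value = (value << 8) | int(g)
    return value


def format_ipv4(value: int) -> str:
    """Inverse of parse_ipv4: 32-bit integer -> dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def labels_right_to_left(name: str) -> list:
    """'cs.wmich.edu' -> ['edu', 'wmich', 'cs'] (top-level domain first)."""
    return [lbl for lbl in reversed(name.lower().rstrip(".").split(".")) if lbl]


# Constructed tables. The registrar's table for a top-level domain maps each
# 2nd-level domain to the address of that organization's own name table; the
# organization's table maps its host names. 192.0.2.x are placeholders.
REGISTRAR_TABLES = {
    "edu": {"wmich": "192.0.2.53"},
}
ORG_TABLES = {
    "192.0.2.53": {"wmich.edu": "192.0.2.10", "cs.wmich.edu": "141.218.143.10"},
}


def resolve(name: str) -> str:
    """Walk the name from the top-level domain down, as the slide describes:
    ask the registrar for the 2nd-level domain, then ask that organization's
    table for the full host name. Returns the dotted-decimal address."""
    labels = labels_right_to_left(name)
    if len(labels) < 2:
        raise ValueError(f"need at least a 2nd-level domain: {name!r}")
    tld, second = labels[0], labels[1]
    try:
        org_server = REGISTRAR_TABLES[tld][second]
    except KeyError:
        raise LookupError(f"no registrar entry for {second}.{tld}")
    full = ".".join(reversed(labels))
    org_table = ORG_TABLES[org_server]
    if full not in org_table:
        raise LookupError(f"{org_server} has no entry for {full}")
    return org_table[full]


if __name__ == "__main__":
    print(resolve("cs.wmich.edu"))
    print(hex(parse_ipv4(resolve("cs.wmich.edu"))))
```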
Protocols (15)

- Dissemination of routing information
  - Each host knows all other hosts directly connected to it
    - Directly-connected => distance = 1 hop
  - Each host passes information about its directly connected hosts to all its neighbors
  - Example – Fig. 7-2 p.366
    - System 1 (S1) informs S2 that S1 is 1 hop away from Clients A, B, and C
    - S2 notifies S3 that S2 is 2 hops away from A, B, C
    - S3 notifies S2 that S3 is 1 hop away from D, E and S4
    - S2 notifies S1 that S2 is 2 hops away from D, E and S4
    - Etc., etc.
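The hop-count exchange above, run to completion on the topology the slide describes, as an added example that is not from the lecture or the textbook figure. The links are constructed from the slide's wording (S1 to A, B, C and S2; S2 to S3; S3 to D, E and S4); each system tells its neighbours how far it is from every destination it knows, and a neighbour records one hop more if that beats what it already has, until nothing changes.

```python
"""Hop-count dissemination between neighbouring systems.

Added example, not from the lecture. The topology is constructed from the
slide's description of Fig. 7-2.
"""
from collections import defaultdict

# Constructed adjacency (undirected links).
LINKS = [
    ("S1", "A"), ("S1", "B"), ("S1", "C"), ("S1", "S2"),
    ("S2", "S3"),
    ("S3", "D"), ("S3", "E"), ("S3", "S4"),
]

SYSTEMS = ("S1", "S2", "S3", "S4")   # only the systems relay routing info


def neighbours(links):
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def disseminate(links, systems):
    """Return ({system: {destination: hops}}, log) after the exchange
    converges. Each log entry (sender, receiver, dest, hops) records that
    the receiver learned a better distance to dest from the sender."""
    adj = neighbours(links)
    table = {s: {n: 1 for n in adj[s]} for s in systems}   # direct = 1 hop
    log = []
    changed = True
    while changed:
        changed = False
        for s in systems:
            for nb in sorted(adj[s]):
                if nb not in table:          # clients do not relay routes
                    continue
                for dest, hops in sorted(table[s].items()):
                    if dest == nb:
                        continue
                    if hops + 1 < table[nb].get(dest, float("inf")):
                        table[nb][dest] = hops + 1
                        log.append((s, nb, dest, hops + 1))
                        changed = True
    return table, log


if __name__ == "__main__":
    table, log = disseminate(LINKS, SYSTEMS)
    for s in SYSTEMS:
        print(s, dict(sorted(table[s].items())))
    for entry in log:
        print("%s -> %s: %s is %d hops away" % entry)
```

The converged tables reproduce the slide's statements: S2 ends up 2 hops from A, B and C and 2 hops from D, E and S4, while S1 learns that D, E and S4 are 3 hops away. Note that every system accepts whatever its neighbour announces without any check; the exchange itself carries no evidence of who originated a distance.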
e. Types of networks

- LANs
  - Small – < 100 users / within 3 km
  - Locally controlled – by a single organization
  - Physically protected – no public access to its nodes
  - Limited scope – supports a single group, dept, project, etc.
- WANs
  - Single control of the whole network
  - Covers wide area – even the whole globe
  - Physically exposed – use public communication media
- Internetworks (Internets)
  - Internetwork = network of networks
  - A.k.a. internet (lower case "i")
  - Most popular, largest internet: the Internet (upper case "I"!)
    - Internet Society controls (loosely) the Internet – basic rules
    - Internet is: federation / enormous / heterogeneous / exposed
f. Topologies

- Topology can affect security
- Topologies:
  - Common bus – Fig. 7-11a
    - Convenient for LAN
    - All msgs accessible to every node
  - Star / Hub – Fig. 7-11b
    - Central "traffic controller" (TC) node
    - Msg read only by TC and destination
    - Unique path between any 2 nodes
    - TC can easily monitor all traffic
    - TC can defeat covert channels
  - Ring – Fig. 7-11c
    - All msgs accessible to many nodes – all between source S and destination D on one of the 2 paths between S and D
    - No central control
    - Natural fault tolerance – 2 paths between any S-D pair
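To make the exposure differences between the three topologies concrete, here is an added Python example (not from the lecture) that models each one on a small constructed node set and returns the nodes, other than source and destination, through which a message passes and which could therefore read it. For the ring it also computes both directional paths and picks the one that avoids a failed node, which is the fault tolerance the slide mentions. Node names are made up.

```python
"""Which nodes can read a message from S to D in each topology?

Added example, not from the lecture. Node names are constructed.
"""

def bus_observers(nodes, src, dst):
    """Common bus: every other node on the bus sees every message."""
    return set(nodes) - {src, dst}


def star_observers(hub, src, dst):
    """Star/hub: the unique path is src -> hub -> dst, so only the central
    traffic controller is on it (no one, if the hub itself is an endpoint)."""
    return set() if hub in (src, dst) else {hub}


def ring_paths(ring, src, dst):
    """Ring: the two paths (one in each direction) from src to dst, each
    returned as the ordered list of intermediate nodes."""
    n = len(ring)
    i, j = ring.index(src), ring.index(dst)
    forward = [ring[(i + k) % n] for k in range(1, (j - i) % n)]
    backward = [ring[(i - k) % n] for k in range(1, (i - j) % n)]
    return forward, backward


def ring_observers(ring, src, dst, use_forward=True):
    """Ring: the nodes between S and D on the direction actually used."""
    forward, backward = ring_paths(ring, src, dst)
    return set(forward if use_forward else backward)


def ring_path_avoiding(ring, src, dst, failed):
    """Fault tolerance: return the first of the two ring paths that does not
    pass through the failed node (the two paths share no intermediate node)."""
    for path in ring_paths(ring, src, dst):
        if failed not in path:
            return path
    return None


# Constructed topology: six stations on the bus/ring; H is the star's hub.
NODES = ["A", "B", "C", "D", "E", "F"]
HUB = "H"

if __name__ == "__main__":
    print("bus :", sorted(bus_observers(NODES, "A", "D")))
    print("star:", star_observers(HUB, "A", "D"))
    print("ring:", ring_paths(NODES, "A", "D"))
    print("ring, B down:", ring_path_avoiding(NODES, "A", "D", "B"))
```

Comparing the three results for the same A-to-D message shows why the slide says topology affects security: the bus exposes the message to four bystanders, the ring to two (on whichever path is used), the star only to the controller, which is exactly the node where monitoring can be concentrated.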
g. Distributed systems

- Distributed system = system in which computation is spread across ≥ 2 computers
  - Uses multiple, independent, physically separated computers
  - Computers connected directly / via network
- Types of DS include:
  - Client-server systems
    - Clients request services from servers
  - Peer-to-peer systems
    - Collection of equals – each is a client and a server
- Note:
  - Servers usually protect themselves fr. hostile clients
  - Clients should also protect themselves – fr. rogue servers
h. APIs

- API (Application Programming Interface) = definition of interfaces to modules / systems
  - Facilitate component reuse
  - Facilitate using remote services
- GSSAPI (Generic Security Services API) = template for many kinds of security services that a routine could provide
  - Template independent of mechanisms, implementation, etc.
  - Callers need credentials to use GSSAPI routines
- CAPI (Cryptographic API) = Microsoft API for cryptographic services
  - Independent of implementation, etc.
i. Advantages of computing networks

- Network advantages include:
  - Resource sharing
    - For efficient use of common resources
    - Affordability of devices that individual users could not afford
  - Workload distribution
    - Can shift workload to less occupied machines
  - Increased reliability
    - "Natural" fault tolerance due to redundancy of most of network resources
  - Easy expandability
    - Can add nodes easily

End of Class 23