bishop: chapter 26 network security based on notes by prashanth reddy pasham
TRANSCRIPT
Bishop: Chapter 26Network Security
Based on notes byPrashanth Reddy Pasham
Network Security 2
Outline
Introduction Policy Development Network Organization
Firewalls DMZ
Availability and Network Flooding
Network Security 3
Introduction How to develop a network infrastructure from
security requirements? Know security requirements it leads to the development of security policy. which in turn suggests the form of the network
1. security goals policy2. network policy functionalities3. distribution of functionalities to various parts of the
network network diagram4. Functionality of each part host configuration
Network Security 4
Introduction
Goals of Drib’s Security policy Data related to company plans is to be kept secret
available only to those who need to know Customer data should be available only to those who
fill the order Releasing sensitive data requires the consent of the
company’s officials and lawyers. Our goal is to design a network infrastructure that
will meet these requirements
Network Security 5
Policy Development
Policies Must provide public access to some information Limit access to other information even within the
company. Drib requires a policy that minimizes the threat or
data being leaked to unauthorized entities. Unauthorized?
Network Security 6
Policy Development Drib has three internal organizations
Customer Service Group(CSG) Deals with customers Maintains all customer data Serves as interface between the other groups and clients of the drib
Development Group(DG) Develops, modifies, maintains products Rely on CSG for the description of customer complaints, suggestions,
ideas. No direct talk with customers
Corporate group(CG) Handles Drib's debentures, lawsuits, patents and other corporate level
work. Policy describes the way information is to flow among these groups
Network Security 7
Policy Development Data Classes
Public Data(PD) Available to anyone Includes product specifications, price information and marketing
literature. Development data for existing products(DDEP)
Available only internally Company lawyers, officers and developers
Development data for future products(DDFP) Available only to developers may change, as may various aspects of development.
Corporate data(CoD) Information about corporate functions
Customer data(CuD) Credit card information
Network Security 8
Policy Development User Classes
Outsiders Developers Corporation executives Employees
See table on page 776 for user rights Availability: global, 24/7 Consistency check
Does the policy described above meets the goals of the Drib?
Network Security 9
Network Organization
Mail Server
Outer FirewallMail server
InternalDNS Server(internal)
DNS Server(DMZ)
InternetInternet
Web Server
Inner FirewallDemilitarized Zone (DMZ)
Intranet
Corporate data subnet Customer data subnet
Development subnet
Log Server
Network Security 10
Network Organization Network Regions
Internet Internal Network( Intranet) DMZ
Network Boundaries Firewall
Filtering firewall: Based on packet headers ex: preventing BackOrifice
Proxy Proxy firewall: Gives external view that hides intranet ex: mail proxy
Network Security 11
Analysis of Network Infrastructure Conceal the addresses of the internal
network Internal addresses can be real Fake addresses: 10.b.c.d, 172.[16-31].c.d,
192.168.c.d Network Address Translation Protocol maps
internal to assigned address Mail Server
Hide internal addresses Map incoming mail to “real” server Additional incoming/outgoing checks
Network Security 12
Firewalls: Configuration Outer Firewall
What traffic allowed External source: IP restrictions What type of traffic: Ports (e.g., SMTP,
HTTP) Proxy between DMZ servers and internet
Internal Firewall Traffic restrictions: Ports, From/to IP Proxy between intranet and outside
Network Security 13
In the DMZ DMZ Mail Server
performs address and content checking on all electronic mail messages
When it receives a letter from the Internet, it performs the following Steps
reassembles the message into a set of headers, a letter, and any attachments
scans the letter and attachments for any computer virus or malicious logic.
Restore the attachments to transmit Rescan it for any violation of SMTP specification
Scans the recipient address lines. Addresses that directed the mail to the drib are
rewritten to direct the mail to the internal mail server
Network Security 14
In the DMZ
DMZ Mail Server When it receives a outgoing letter from
the internal mail server Steps 1 and 2 are the same In step 3 the mail proxy scans the header
lines. All lines that mention internal hosts are
rewritten to identify the host as “drib.org”, the name of the outside firewall.
Network Security 15
In the DMZ
DMZ WWW Server Identifies itself as “www.drib.org” and uses
IP address of the outside firewall DMZ DNS Server
It contain entries for DMZ mail, Web and log hosts Internal trusted administrative host Outer firewall Inner firewall
DMZ Log Server
Network Security 16
Availability and Network Flooding Flooding
Overwhelm TCP stack on target machine
Prevents legitimate connections Limit availability by
Overwhelming service Examples
SYN flood Overwhelms TCP stack
Network Security 17
SYN flood A form of DOS attack The attacker initiates large number of
TCP SYN packets and refuses to execute the 3rd part of the TCP three-way handshake for those packets
If the packets come from multiple sources (the attacking machines) but have the same destination (the victim machine) DDOS
Network Security 18
Syn Flood A: the initiator; B: the destination TCP connection multi-step
A: SYN to initiate B: SYN+ACK to respond C: ACK gets agreement
Sequence numbers then incremented for future messages
Ensures message order Retransmit if lost Verifies party really initiated
connection
Network Security 19
Syn Flood Implementation: A, the attacker;
B: the victim B
Receives SYN Allocate connection Acknowledge Wait for response
See the problem? What if no response And many SYNs
All space for connections allocated
None left for legitimate ones
Time?
Network Security 20
Solution Ideas
Limit connections from one source? But source is in packet, can be faked
Ignore connections from illegitimate sources If you know who is legitimate Can figure it quickly And the attacker doesn’t know this
Drop oldest connection attempts
Network Security 21
Two Approaches to Counter SYN Flood
A. Using intermediate hosts to eliminate SYN flood
B. Relying on TCP state and memory allocations
Network Security 22
A. Intermediate Hosts Basic idea
Using routers to divert or eliminate illegitimate traffic
Resources on the target are not consumed by the attacks.
Network Security 23
A. Intermediate Hosts Approaches
a) Only legitimate handshakes can reach the firewall.
e.g., Cisco routers’ “TCP intercept mode”
b) Network traffic monitor/tracker e.g., Synkill [Schuba, etc. 1997]
Network Security 24
A. Intermediate Hosts TCP intercept
Router establishes connection to client When connected establish with server If the client never sends the ACK (before
timing out), then the initial SYN packet is part of an attack handshake.
The target never sees the illegitimate SYN packets.
The router uses short time-outs to protect itself.
Network Security 25
A. Intermediate Hosts Synkill
An active monitor that analyzes packets being sent to some set of systems (potential victim targets)
Monitor machine as “firewall” Classification of IP addresses into classes
Good addresses: history of successful connections Bad addresses: previous timeout attempt New addresses
Block and terminate attempts from bad addresses
Dynamically managed classes Question: How if a good IP turns bad ?
Network Security 26
B. TCP State and Memory Allocations
Problem: Server maintaining state
Runs out of space Solutions
a) Don’t maintain state on server; let the client track the state. the SYN cookie approach
b) The adaptive time-out approach
Network Security 27
B. TCP State and Memory Allocations
a) The SYN cookie approach: The server does not maintain state of
connections Q: How does the server know the
sequence numbers? Ans: The state is encoded in the initial
sequence number of the ACK; the server retrieves this info from the client’s ACK packet.
Network Security 28
B. TCP State and Memory Allocations
a) The SYN cookie approach: The SYN cookie is encoded in the SYN
response h(source,destination,random)
+sequence+time See p.795 for the formula.
Client increments this and ACKs Server subtracts h(), time to get
sequence Knows if this is in valid range
Network Security 29
B. TCP State and Memory Allocations
b) The adaptive time-out approach Assumption: There is a fixed amount of
space for the state of pending connections
Varies the times before the time-outs, depending on the amount of space available for new pending connections
As the amount of available space decreases, so does the amount of time before the system begins to time out connections.
Network Security 30
Summary
A brief overview Many issues and techniques in
Network Security One or more new courses are
needed!