CS526: Information Security Chris Clifton November 13, 2003 Network Security


Page 1: CS526: Information Security Chris Clifton November 13, 2003 Network Security

CS526: Information Security
Chris Clifton

November 13, 2003

Network Security

Page 2 (CS526, Fall 2003, slide 2): Network Security: What is the Problem?

• Name examples of security breaches
  – Morris Worm
  – Email viruses (many)
  – …

Page 3 (slide 3): Network Security: What is it?

• What is the purpose of a network?
  – Move bits
  – from A
  – to B
  – Securely…

[Figure: A and B connected through a network]

Page 4 (slide 4): Securely means

• Confidentiality
  – Only A and B see bits
• Integrity
  – Message intact
  – Really from A
  – Order?
• Availability
  – B gets it in time

[Figure: A and B connected through a network]

Page 5 (slide 5): Network Security: What is the Problem?

• Were our examples network security failures?
  – Morris Worm
  – Email viruses (many)
  – …

Page 6 (slide 6): Network Security: Mostly Solved!

• Confidentiality
  – Encryption
• Integrity
  – Digital Signatures
  – Retransmission
  – Order?
• Availability
  – Quality of Service

Page 7 (slide 7): Network Security: What’s all the fuss?

• Firewalls
  – Solve poor internal security using the network
• Intrusion Detection
  – Detect non-network security breaches accomplished via the network
  – Early start on forensics

Page 8 (slide 8): Network Security: What is interesting?

• Distributed Authentication
  – Scaling issues
  – Autonomy
• Distributed Cooperation
  – Commit
  – Fault tolerance
• Availability
  – Denial of service

But first: State of practice

Page 9 (slide 9): “Typical” corporate network

[Figure: Internet – Firewall – Demilitarized Zone (DMZ): Web Server, Mail forwarding, DNS (DMZ) – Firewall – Intranet: Mail server, DNS (internal), File Server, Web Server, User machines]

Page 10 (slide 10): Typical network: Terms

• Network Regions
  – Internet
  – Intranet
  – DMZ
• Network Boundaries
  – Firewall
    • Filtering firewall: based on packet headers
    • Audit mechanism
  – Proxy
    • Proxy firewall: gives external view that hides intranet

Page 11 (slide 11): Issues

• IP: Intranet hidden from outside world
  – Internal addresses can be real
    • Proxy maps between real address and firewall
  – Fake addresses: 10.b.c.d, 172.[16-31].c.d, 192.168.c.d
    • Network Address Translation Protocol maps internal to assigned address
• Mail Forwarding
  – Hide internal addresses
  – Map incoming mail to “real” server
  – Additional incoming/outgoing checks

Page 12 (slide 12): Firewalls: Configuration

• External Firewall
  – What traffic allowed
    • External source: IP restrictions
    • What type of traffic: ports (e.g., SMTP, HTTP)
  – Proxy between DMZ servers and internet
  – Proxy between inner and outer firewall
• Internal Firewall
  – Traffic restrictions: ports, from/to IP
  – Proxy between intranet and outside

Page 13 (slide 13): DMZ Administration

• Direct console access required?
  – Real hassle
• “Special” access
  – SSH connections allowed from internal to DMZ
  – “Administration” connections
    • Only from specified internal IPs
    • Only through internal firewall
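The two-firewall layout of slides 9–13 written down as a stateless packet-filter policy. This is an added example, not code from the lecture; the address blocks, hosts and rules are constructed (10.0.0.0/8 is one of the “fake” ranges named on slide 11, 192.0.2.0/24 stands in for the DMZ’s routable block, and the admin subnet is invented). Each firewall is a first-match rule list with a default deny, evaluated against packet headers only, which is what slide 10 calls a filtering firewall; the internal list encodes slide 13’s “only from specified internal IPs, only through the internal firewall” rule for SSH into the DMZ.

```python
"""Stateless packet-filter policy for the Internet / DMZ / Intranet layout on the
slides.  Added example; all networks, hosts and rules are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
INTRANET = ipaddress.ip_network("10.0.0.0/8")          # private range from slide 11
DMZ = ipaddress.ip_network("192.0.2.0/24")             # constructed DMZ block
ADMIN_HOSTS = ipaddress.ip_network("10.1.1.0/29")      # "specified internal IPs" (constructed)

def host(addr):
    return ipaddress.ip_network(f"{addr}/32")

DMZ_WEB, DMZ_MAIL_FWD, DMZ_DNS = host("192.0.2.10"), host("192.0.2.25"), host("192.0.2.53")
INTERNAL_MAIL = host("10.2.0.25")                      # the "real" mail server behind the forwarder

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))

# External firewall (Internet <-> DMZ): restrict by source and by port/service.
EXTERNAL = [
    Rule("allow", ANY, DMZ_WEB, "tcp", 80),
    Rule("allow", ANY, DMZ_MAIL_FWD, "tcp", 25),
    Rule("allow", ANY, DMZ_DNS, "udp", 53),
    Rule("deny", ANY, INTRANET),        # nothing from outside reaches the intranet directly
]

# Internal firewall (DMZ <-> Intranet): only the forwarder reaches the real mail
# server, and only the admin hosts may open SSH "administration" sessions into the DMZ.
INTERNAL = [
    Rule("allow", DMZ_MAIL_FWD, INTERNAL_MAIL, "tcp", 25),
    Rule("allow", ADMIN_HOSTS, DMZ, "tcp", 22),
    Rule("deny", DMZ, INTRANET),
    Rule("deny", INTRANET, DMZ),
]

def decide(rules, packet, default="deny"):
    """First matching rule wins; anything unmatched falls through to the default."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default
```

Because only headers are examined, the filter can neither tie a reply to the request that caused it nor see what is inside an allowed connection; that is the gap the slides’ proxy firewall is meant to close.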

Page 14 (slide 16): Distributed Authentication

• Authentication has been covered
  – But does it scale?
• Scaling Issues:
  – Repeat authentication
  – Multiple administrators

Page 15 (slide 17): Repeat authentication: Kerberos

• Kerberos developed at MIT in the 1980s
  – Project Athena: clusters of publicly available computers for student/faculty use
  – Shared file service – log in anywhere
  – Problem: how to ensure user logging in at A is authorized to use resources at B?
• Solution: ticket as credential
  – Ticket server
  – Client
  – Client address
  – Valid time
  – Session key
  (Encrypted with ticket server’s key)

Page 16 (slide 18): Kerberos Authentication Example

• Client sends to Authentication Server
  – Client name, Ticket server name
• Authentication Server returns
  – Client: {K(client, ticket server)} encrypted with K(client password), Ticket(client, ticket server)
• Client performs similar exchange with ticket server
  – Ticket contains session key, only ticket server can decrypt
• Now client has session key and ticket for service
  – Message includes ticket and encrypted generation time as “signature”

Page 17 (slide 19): Kerberos: Problems

• Subject to replay attacks
  – Relies on clock synchronization
  – “Window of opportunity” based on maximum message delay
• Standard password attacks
  – Password used to decrypt initial authenticator ticket
  – Some fixed fields enable verifying if password broken
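The exchange of slides 18 and 19, written out with both sides’ messages: the Authentication Server hands back a session key under the client’s password-derived key plus a ticket only the ticket server can decrypt; the ticket server repeats the pattern to issue a service ticket; the service checks the ticket’s address and validity, decrypts the authenticator with the session key, and applies the clock-skew “window of opportunity” together with a replay cache. This is an added example, not the lecture’s or MIT’s code; the message layout, the 8-hour lifetime, the 5-minute skew and the key derivation are constructed stand-ins, and the “cipher” is a stdlib SHA-256 keystream with an HMAC tag rather than a real Kerberos encryption type.

```python
"""Toy Kerberos-style exchange: AS issues a ticket-granting ticket, the ticket
server issues a service ticket, the service checks ticket + authenticator with the
clock-skew replay window from the "Problems" slide.  Added example, not lecture
code; layout, lifetimes and key derivation are constructed stand-ins."""
import hashlib, hmac, json

TICKET_LIFETIME = 8 * 3600   # seconds a ticket stays valid (constructed)
SKEW = 300                   # authenticators accepted within +/-5 min of the server clock

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Stand-in for Kerberos encryption: SHA-256 keystream XOR, then an HMAC tag."""
    nonce, pt = hashlib.sha256(json.dumps(obj).encode() + key).digest()[:16], json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def key_from_password(pw):                # stand-in for the Kerberos string-to-key function
    return hashlib.sha256(pw.encode()).digest()

def make_ticket(server_key, client, client_addr, now, session_key):
    """Slide 17's ticket: client, client address, valid time, session key,
    encrypted with the server's key so only that server can read it."""
    return seal(server_key, {"client": client, "addr": client_addr,
                             "valid_until": now + TICKET_LIFETIME, "key": session_key.hex()})

def make_authenticator(session_key, client, now):
    """The "encrypted generation time as signature" sent along with a ticket."""
    return seal(session_key, {"client": client, "time": now})

class Server:
    """Ticket server and application servers share this; the AS is one with a user table."""
    def __init__(self, name, key, users=None):
        self.name, self.key, self.users = name, key, users or {}
        self.seen = set()   # replay cache of (client, authenticator time) within the window

    def accept(self, ticket, authenticator, peer_addr, now):
        """Return (client, session key) if ticket and authenticator check out, else raise."""
        t = unseal(self.key, ticket)
        if now > t["valid_until"]:
            raise ValueError("ticket expired")
        if peer_addr != t["addr"]:
            raise ValueError("ticket bound to another address")
        session_key = bytes.fromhex(t["key"])
        a = unseal(session_key, authenticator)
        if a["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        if abs(now - a["time"]) > SKEW:              # the slide's "window of opportunity"
            raise ValueError("authenticator outside clock-skew window")
        if (a["client"], a["time"]) in self.seen:    # same authenticator seen inside the window
            raise ValueError("replayed authenticator")
        self.seen.add((a["client"], a["time"]))
        return t["client"], session_key

def as_exchange(as_server, client, client_addr, now, tgs):
    """Step 1: client names itself and the ticket server; AS answers with {session key,
    tgs name} under the client's password key plus a ticket only the TGS can decrypt."""
    session_key = hashlib.sha256(f"{client}{now}{tgs.name}".encode()).digest()  # constructed key source
    reply = seal(as_server.users[client], {"key": session_key.hex(), "server": tgs.name})
    return reply, make_ticket(tgs.key, client, client_addr, now, session_key)

def tgs_exchange(tgs, ticket, authenticator, client_addr, now, service):
    """Step 2: same shape, but the credential is the TGT instead of a password."""
    client, session_key = tgs.accept(ticket, authenticator, client_addr, now)
    new_key = hashlib.sha256(session_key + service.name.encode()).digest()    # constructed key source
    reply = seal(session_key, {"key": new_key.hex(), "server": service.name})
    return reply, make_ticket(service.key, client, client_addr, now, new_key)

def client_login(as_server, tgs, service, client, password, addr, now):
    """Whole client side; returns the name the service bound the session to."""
    k_pw = key_from_password(password)
    reply, tgt = as_exchange(as_server, client, addr, now, tgs)
    k_c_tgs = bytes.fromhex(unseal(k_pw, reply)["key"])   # wrong password: tag check fails here
    reply, tkt = tgs_exchange(tgs, tgt, make_authenticator(k_c_tgs, client, now), addr, now, service)
    k_c_s = bytes.fromhex(unseal(k_c_tgs, reply)["key"])
    name, _ = service.accept(tkt, make_authenticator(k_c_s, client, now), addr, now)
    return name

def refused(fn, *args):
    """True if the call is rejected (wrong key, expired, wrong address, skew, replay)."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True
```

Session keys and nonces are derived deterministically from the inputs here only so the example runs identically everywhere; a real implementation draws them from a CSPRNG. The replay cache has to remember authenticators for the whole skew window, which is why the slide ties the window to maximum message delay. The AS reply also illustrates the slide’s password point: it carries a fixed “server” field and an integrity tag under a key derived from the password alone, so a captured reply lets password guesses be checked offline; Kerberos 5 pre-authentication exists to stop an arbitrary requester from obtaining such a reply.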

Page 18 (slide 20): The Next Problem: Multiple Administration Domains

• Problem: Many users
  – We know how to authenticate
  – But how to administer?
• Solution: Hierarchical directories
  – X.500, LDAP, Active Directory

Page 19 (slide 21): X.500: What is it?

• Goal: Global “white pages”
  – Lookup anyone, anywhere
  – Developed by Telecommunications Industry
  – ISO standard directory for OSI networks
• Idea: Distributed Directory
  – Application uses Directory User Agent to access a Directory Access Point

Page 20 (slide 22): Issues

• How is name used?
  – Access resource given the name
  – Build a name to find a resource
  – Information about resource
• Do humans need to use name?
  – Construct and Recall
• Is resource static?
  – Resource may move
  – Change in location may change name
• Performance requirements
  – Human-scale

Page 21 (slide 23): Directory Information Base (X.501)

• Tree structure
  – Root is entire directory
  – Levels are “groups”
    • Country
    • Organization
    • Individual
• Entry structure
  – Unique name
    • Build from tree
  – Attributes: Type/value pairs
  – Schema enforces type rules
• Alias entries

Page 22 (slide 24): Directory Entry

• Organization level
  – CN=Purdue University
  – L=West Lafayette
  – …
• Person level
  – CN=Chris Clifton
  – SN=Clifton
  – TITLE=Associate Professor
  – …

Page 23 (slide 25): Directory Operations (X.511)

• Query:
  – Read – get selected attributes of an entry
  – Compare – does an entry match a set of attributes
  – List – children of an entry
  – Search – portion of directory for matching entries
  – Abandon request
• Modification – add, remove, modify entry
  – Modify distinguished name

Page 24 (slide 26): Distributed Directory (X.518)

• Directory System Agent
  – May have local data
  – Can forward requests to other system agents
  – Can process requests from user agents and other system agents
• Referrals
  – If DSA can’t handle request, can make request to other DSA
  – Or tell DUA to ask other DSA

Page 25 (slide 27): Access Control

• Directory information can be protected
• Two issues:
  – Authentication (X.509)
  – Access control (X.501)
• Standards specify basic access control
  – Individual DSAs can define their own

Page 26 (slide 28): Replication (X.525)

• Single entries can be replicated to multiple DSAs
  – One is “master” for that entry
• Two replication schemes:
  – Cache copies – on demand
  – Shadow copies – agreed in advance
• Copies required to enforce access control
  – When entry sent, policy must be sent as well
• Modifications at Master only
• Copy can be out of date
  – Each entry must be internally consistent
  – DSA giving copy must identify as copy

Page 27 (slide 29): Protocols (X.519)

• Directory Access Protocol
  – Request/response from DUA to DSA
• Directory System Protocol
  – Request/response between DSAs
• Directory Information Shadowing Protocol
  – DSA-DSA with shadowing agreement
• Directory Operational Binding Management Protocol
  – Administrative information between DSAs

Page 28 (slide 30): Uses

• Look-up
  – Attributes, not just Distinguished Name
  – Context
    • Humans can construct likely names
    • Browsing
    • Yellow pages
  – Aliases
    • Search restriction/relaxation
• Groups
  – Multi-valued “member” attribute
• Authentication information contained in directory
  – E.g., password attribute

Page 29 (slide 31): LDAP vs. X.500

• Lightweight Directory Access Protocol
  – Supports X.500 interface
  – Doesn’t require OSI protocol
  – IETF RFC 2251, 2256
  (X.500 for the internet crowd)
• Useful as generic addressing interface
  – Netscape address book
  – System logon identification/authentication
  – …

Page 30 (slide 32): The Next Problem: Multiple Administration Domains

• Problem: Many users
  – We know how to authenticate
  – But how to administer?
• Solution: Hierarchical directories
  – X.500, LDAP, Active Directory
• Still not enough
  – Is every administrator in the hierarchy enforcing our policy?
  – Think this is an interesting area of research? Talk to Prof. Ninghui Li

Page 31: CS526: Information Security

Chris Clifton
November 18, 2003
Network Security

Page 32 (slide 35): Attacks and Defense

• Confidentiality on the network manageable
  – Encryption to protect transmission
  – Public key cryptography / key management to verify recipient
• Integrity reducible to single system
  – Digital signatures verify source
  – Commit protocols handle network failure
• What about Availability?

Page 33 (slide 36): Network Attacks

• Flooding
  – Overwhelm TCP stack on target machine
  – Prevents legitimate connections
• Routing
  – Misdirect traffic
• Spoofing
  – Imitate legitimate source
  – But we know how to handle this!

Page 34 (slide 37): What is a Flood attack?

• Limit availability by
  – Overwhelming service
  – by following service’s protocol
    • Perhaps not exactly
• Examples
  – SYN flood
    • Overwhelms TCP stack
  – Email attacks

Page 35 (slide 38): SYN Flood

• TCP connection multi-step
  – SYN to initiate
  – SYN+ACK to respond
  – ACK gets agreement
• Sequence numbers then incremented for future messages
  – Ensures message order
  – Retransmit if lost
  – Verifies party really initiated connection
  – We’ll get back to this

Page 36 (slide 39): SYN Flood

• Implementation
  – Receive SYN
  – Allocate connection
  – Acknowledge
  – Wait for response
• See the problem?
  – What if no response
  – And many SYNs
• All space for connections allocated
  – None for legitimate ones

Time?

Page 37 (slide 40): Solution Ideas

• Limit connections from one source?
  – But source is in packet, can be faked
• Ignore connections from illegitimate sources
  – If you know who is legitimate
  – Can figure it quickly
  – And the attacker doesn’t know this
• Drop oldest connection attempts
  – Adaptive timeout
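A simulation of the half-open connection table that slides 39 and 40 describe, run once with the plain “allocate on SYN, wait for the ACK” behaviour and once with the “drop oldest connection attempts” idea. This is an added example, not lecture code; the table size, the timeout, and the traffic mix (spoofed SYNs that never complete plus one legitimate client per tick whose ACK arrives a tick later) are constructed to make the effect visible.

```python
"""Half-open connection table under a SYN flood, with and without "drop oldest".
Added example; capacity, timeout and the traffic pattern are constructed."""
from collections import OrderedDict

class Backlog:
    """Per-listener table of half-open connections (SYN received, ACK not yet seen)."""
    def __init__(self, capacity, timeout, drop_oldest=False):
        self.capacity, self.timeout, self.drop_oldest = capacity, timeout, drop_oldest
        self.half_open = OrderedDict()   # (src addr, src port) -> time the SYN arrived
        self.established = 0
        self.refused = 0

    def expire(self, now):
        """Ordinary behaviour: give up on a half-open entry after `timeout`."""
        for key, t0 in list(self.half_open.items()):
            if now - t0 >= self.timeout:
                del self.half_open[key]

    def syn(self, key, now):
        """Slide 39: receive SYN, allocate connection, acknowledge, wait for response."""
        self.expire(now)
        if key in self.half_open:
            return True                               # retransmitted SYN, nothing new
        if len(self.half_open) >= self.capacity:
            if not self.drop_oldest:
                self.refused += 1                     # table full: legitimate SYNs refused too
                return False
            self.half_open.popitem(last=False)        # slide 40: evict the oldest attempt instead
        self.half_open[key] = now
        return True

    def ack(self, key):
        """Third handshake step: completes only if the entry survived."""
        if key in self.half_open:
            del self.half_open[key]
            self.established += 1
            return True
        return False

def run(drop_oldest, flood_rate=50, duration=100, capacity=128, timeout=75):
    """Constructed traffic: each tick brings `flood_rate` spoofed SYNs that never ACK
    and one legitimate client whose ACK arrives at the next tick.
    Returns how many legitimate connections completed and how many SYNs were refused."""
    b = Backlog(capacity, timeout, drop_oldest)
    pending = None
    for t in range(duration):
        if pending is not None:
            b.ack(pending)                            # last tick's legitimate client completes
        pending = None
        for i in range(flood_rate):
            b.syn((f"spoofed-{t}-{i}", 1), t)
        if b.syn((f"client-{t}", 40000), t):
            pending = (f"client-{t}", 40000)
    return {"established": b.established, "refused": b.refused, "half_open": len(b.half_open)}
```

With these numbers the plain table fills during the third tick and stays full, so only the first two legitimate clients ever connect; with drop-oldest, the effective lifetime of a half-open entry shrinks to capacity divided by arrival rate (about 2.5 ticks here), which is short enough for a prompt ACK and is the “adaptive timeout” on the slide. A client whose ACK is slower than that would still lose, which is the trade-off behind the stateless approach on slide 42.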

Page 38 (slide 41): Network Solutions

• TCP intercept
  – Router establishes connection to client
  – When connected, establish with server
• Synkill
  – Monitor machine as “firewall”
  – Good addresses: history of successful connections
  – Bad addresses: previous timeout attempt
  – Block and terminate attempts from bad addresses

Page 39 (slide 42): Protocol solutions

• Problem: Server maintaining state
  – Runs out of space
• Solution: Don’t maintain state on server
  – How does it know sequence numbers?
  – Encrypt in SYN response
    • h(source, destination, random) + sequence + time
  – Client increments this and ACKs
  – Server subtracts h(), time to get sequence
    • Knows if this is in valid range
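The stateless scheme on slide 42 (a SYN cookie) as working code: the server’s initial sequence number is built from a keyed hash of source and destination, a coarse time counter and the client’s own sequence number, so nothing is stored until the final ACK returns and the server can recompute the hash and check that the time counter is still in range. This is an added example, not lecture code; the field widths (5-bit time counter, 24-bit hash), the 64-second counter period and the secret are constructed choices.

```python
"""SYN cookie: server ISN = h(source, destination, secret, time) + time + client sequence,
verified statelessly from the handshake's final ACK.  Added example; the field
layout and the constants are constructed."""
import hashlib, hmac

SECRET = b"constructed-server-secret"   # a real stack rotates this periodically
COUNTER_PERIOD = 64                     # seconds per tick of the time counter
MAX_AGE_TICKS = 1                       # accept cookies from this tick and the previous one

def _h(src, dst, t):
    """The slide's h(source, destination, random), bound to the time tick; 24 bits used."""
    msg = f"{src[0]}:{src[1]}>{dst[0]}:{dst[1]}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(src, dst, client_isn, now):
    """Server ISN for the SYN+ACK.  src/dst are (ip, port); nothing is stored."""
    t = (now // COUNTER_PERIOD) & 0x1f
    return (client_isn + (t << 24) + _h(src, dst, t)) & 0xffffffff

def check_cookie(src, dst, client_seq, ack, now):
    """Validate the final ACK.  client_seq and ack are that packet's sequence and
    acknowledgement numbers, i.e. client ISN + 1 and server ISN + 1."""
    val = (ack - 1 - (client_seq - 1)) & 0xffffffff   # strip the client's contribution
    t, h = val >> 24, val & 0xffffff
    if t > 0x1f:
        return False                                  # not something we could have generated
    now_t = (now // COUNTER_PERIOD) & 0x1f
    if (now_t - t) % 32 > MAX_AGE_TICKS:
        return False                                  # outside the valid time range
    return h == _h(src, dst, t)
```

The price of keeping no state is that anything the server would normally remember from the SYN (window scaling, selective acknowledgement, the exact MSS) has to be either squeezed into the remaining cookie bits or given up, which is why production stacks switch cookies on only when the backlog is under pressure.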

Page 40 (slide 43): Service-Level Flooding

• Overload server
  – Processing
  – Storage
• Typically “garbage” requests using legitimate protocol
  – Large emails to victim
  – Many HTTP connections
  – Heavy use of scripts
• Often exploit flaws in service implementation
  – Self-replicating attacks

Page 41 (slide 44): Solutions

• Limit traffic from any source
  – Still open to distributed attacks
• Quality of Service
  – Guarantee service to known good sites
• Careful Programming
  – Don’t allow service to defeat itself
• Throttling
  – Limit traffic to any service
  – Protects other services on same host

Page 42 (slide 45): IP-Spoofing

• Start with SYN flood to spoofed client
• Open connection from spoofing client to server
• Real client fails to respond
  – Should terminate
• Spoofing client sends ACK
  – Must guess Sequence Number

[Figure: the exchange among the spoofing client, the real client and the server S]

Page 43: CS526: Information Security

Chris Clifton
November 18, 2003
Network Security
(slides courtesy Wenke Lee)

Page 44 (slide 47): Note to 1st year SFS students (only)

• Interested in Summer internship?
• Independent study or thesis next year?
• Did the ITSEC/Common Criteria lectures interest you?
• If so, please talk to me after class

Page 45 (slide 50): Routing

[Figure: a source SRC asking “I want to know the shortest path” to a destination DST across routers/switches]

So, the routers must exchange local information!

Page 46 (slide 51): IP Routing

• Routing is based on network addresses
• Routers use forwarding table
  – Destination, next hop, network interface, metric
  – Table look-up for each packet
  – Need to recognize address structure
• Routing information exchange allows computation of new routes, which is used to update the forwarding table

Page 47 (slide 52): Routing Protocol Framework - Information Model

[Figure: the routing protocols (OSPF, RIPv2, BGP4) each maintain a Routing Information Base (RIB); the RIBs feed the Forwarding Information Base (FIB), a table of (Dest, NextHop, Routing Metrics); the forwarding algorithm reads the NPDU header (Network Protocol Data Unit) and the FIB to make the forwarding decision]

Page 48 (slide 53): Routing Information

• Link State: I have these links to XYZ (routers or networks); their current status is … (e.g., delay)
• Distance Vector: I can get to XYZ (networks) in m hops

Page 49 (slide 54): Distribution of Routes - Distance Vector

[Figure: nodes A, B, C]

Every node sends its neighbor a vector: the # of hops of reaching each other node.

Page 50 (slide 55): Link State

A node sends to its neighbors the state of its directly connected links: up/down and costs. Each node that receives the information forwards it to all its neighbors.

Page 51 (slide 62): Routing Security

• Routing Information Exchange
  – correctness of Routing Information Base
• Interface between RIB and FIB
  – configuration, FIB update etc.
• Kernel-Level (IP): Packet Forwarding
  – Is the packet forwarded according to the FIB?

Page 52 (slide 63): RIP

• Routing Information Protocol is a simple distance vector protocol
• Initialization:
  – When the routing daemon is initialized, it sends requests through each network interface
  – Neighboring routers will reply with routing table information
• Updates:
  – Routers advertise tables with neighbors periodically (~30 seconds); or triggered by route changes.

Page 53 (slide 64): RIP - Cont’d

• To prevent route oscillation, existing routes are retained until a new one is discovered with strictly lower cost
• Split-Horizon Update
  – Routers do not advertise a route on an interface from which they learned of the route in the first place!

Page 54 (slide 65): Properties: RIP

• Good news travels fast; bad news travels slowly
• Routing loop, routing inconsistency, and slow convergence
• Security:
  – RIPv2 provides simple password authentication
  – Black hole routers possible

Page 55 (slide 66): Route Convergence - good news

[Figure: network A – G1 – G2 – G3 – G4 – G5, every link cost 1; distances to A: A: 0, G1: 1, G2: 2, G3: 3, G4: 4, G5: 5]

• G1 happily advertises route to network A with distance 1
• G2-G5 quickly learn the good news and install the routes

Page 56 (slide 67): Route Convergence - bad news

[Figure: the same chain after G1’s link to A goes down; G1 now shows A: 3 while G2-G5 still show A: 2, 3, 4, 5]

• G1’s link to A goes down
• G1 learns a ‘better’ route via G2
• Packets going to A through G2 will loop between G2 and G1
• G1 and G2 will find the cost of their routes to A slowly count to infinity
• Use a number, e.g., 16, to approximate infinity
• Split horizon only prevents loops involving two nodes
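The two convergence slides as a runnable distance-vector simulation of the chain G1–G2–G3–G4–G5 with network A behind G1: the good news reaches G5 one router per round, and after G1’s link to A drops, G1 adopts G2’s stale route and the two count up toward the RIP “infinity” of 16, while split horizon makes the same failure converge in as many rounds as the good news did. This is an added example, not lecture code; the topology and the 16-hop infinity are the slides’, the synchronous round model and the tie-breaking are mine.

```python
"""Distance-vector simulation of the G1..G5 chain from the convergence slides:
good news spreads one hop per round, bad news counts up toward "infinity" (16),
and split horizon stops the two-node G1/G2 loop.  Added example, not lecture
code; the topology is the slides', the synchronous round model is mine."""
INFINITY = 16   # RIP's "infinity": a distance of 16 means unreachable

class Router:
    def __init__(self, name, links):
        self.name, self.links = name, dict(links)   # neighbour router -> link cost
        self.direct = {}     # directly attached networks -> cost
        self.vectors = {}    # neighbour -> last distance vector it advertised to us
        self.table = {}      # destination -> (distance, next hop)
        self.recompute()

    def recompute(self):
        """Bellman-Ford over direct routes, links and neighbour vectors.  The current
        route survives unless a strictly cheaper one exists (slide 64's rule)."""
        options = {}
        for d, c in list(self.direct.items()) + list(self.links.items()):
            options.setdefault(d, []).append((c, d))
        for n, vec in self.vectors.items():
            for d, dist in vec.items():
                if d != self.name:
                    options.setdefault(d, []).append((min(INFINITY, dist + self.links[n]), n))
        new = {}
        for d, opts in options.items():
            best, cur = min(opts), self.table.get(d)
            new[d] = cur if cur in opts and cur[0] == best[0] else best
        changed = new != self.table
        self.table = new
        return changed

    def vector_for(self, neighbour, split_horizon):
        """Our advertisement to one neighbour; split horizon hides routes learned from it."""
        return {d: (INFINITY if split_horizon and nh == neighbour else dist)
                for d, (dist, nh) in self.table.items()}

def exchange_round(routers, split_horizon):
    """One synchronous round: every advertisement is delivered, then everyone recomputes."""
    msgs = [(r.name, n, r.vector_for(n, split_horizon)) for r in routers.values() for n in r.links]
    for src, dst, vec in msgs:
        routers[dst].vectors[src] = vec
    changed = [r.recompute() for r in routers.values()]   # a list, so no short-circuit
    return any(changed)

def converge(routers, split_horizon, watch=("G1", "A"), limit=200):
    """Run rounds until a quiet one; return (rounds that changed something,
    the watched router's distance to the watched network after each round)."""
    rounds, trace = 0, []
    for _ in range(limit):
        if not exchange_round(routers, split_horizon):
            break
        rounds += 1
        trace.append(routers[watch[0]].table.get(watch[1], (None, None))[0])
    return rounds, trace

def scenario(split_horizon):
    """The slides' chain G1-G2-G3-G4-G5, every link cost 1, network A attached to G1.
    Returns (rounds for the good news, rounds for the bad news, G1's distance trace)."""
    names = [f"G{i}" for i in range(1, 6)]
    routers = {n: Router(n, {m: 1 for m in names[max(i - 1, 0):i] + names[i + 1:i + 2]})
               for i, n in enumerate(names)}
    converge(routers, split_horizon)            # routers learn each other first
    g1 = routers["G1"]
    g1.direct["A"] = 1; g1.recompute()          # good news: G1 reaches A at distance 1
    good, _ = converge(routers, split_horizon)
    del g1.direct["A"]; g1.recompute()          # bad news: the link to A goes down
    bad, trace = converge(routers, split_horizon)
    return good, bad, trace
```

Without split horizon, G1’s trace starts at 3 (the stale route via G2) and climbs by two every two rounds until it is capped at 16; with split horizon, G2 never advertises A back to G1, so G1 goes straight to 16 and the bad news takes the same four rounds as the good news. A loop through three or more routers is not covered by this rule, which is the slide’s last point.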

Page 57 (slide 68): Black Hole

[Figure: routers A, B, C, D, E, F, “You: G” and “Your Neighbor: H”; C advertises “A: 1 hop”; the table nearby reads A: 3 hops, B: 2 hops, C: 2 hops]

• C lies easily about routes to A
• Your neighbor and you look into the ‘routes’

Who won’t jump on a better route?

Page 58 (slide 69): Food for Thought...

• RIP implicitly assumes: every router is trusted and so are routing information packets
• Every router is entitled to tell others ‘I have a short cut to Pluto that is just one hop’
• Is it possible to prevent RIP black hole attacks?
• Is it possible to detect RIP black hole routers?

Page 59 (slide 70): One possible improvement

• Predecessor is the second-to-last network in the path from the source to the destination
• Inclusion of predecessor allows implicit reconstruction of the whole path
• Helps to validate the integrity of distance

Page 60 (slide 71): Predecessor

[Figure: the same topology (A–F, You: G, Your Neighbor: H) with predecessor-carrying advertisements: most routers advertise A with predecessor B (“A: B”), one advertises “A: F”, and one still claims “A: 1 hop”. Router H’s table, as destination: predecessor, hops: A: B 4; B: D 3; C: C 1; D: G 2; E: G 2; F: B 4; G: G 1]
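The predecessor check of slides 70 and 71 in code: every table entry carries (predecessor, hops), following predecessor pointers from a destination back to a directly attached neighbour reconstructs the path, and the length of that path can be compared with the advertised hop count. This is an added example, not lecture code; the table is the one drawn for router H on slide 71, and the faulty tables in the test are constructed. It also shows the limit the slides leave open: an advertisement that is internally consistent (a neighbour claiming A at one hop with itself as predecessor) passes this check, so the predecessor helps to detect inconsistent distances, not every lie.

```python
"""Predecessor-carrying routing table from the "One possible improvement" slides:
each entry is (predecessor, hops); following predecessors back to a neighbour
reconstructs the path so the advertised distance can be checked.  Added example,
not lecture code; the table is the one drawn for router H on slide 71."""

class Inconsistent(ValueError):
    pass

# Router H's table from the slide: destination -> (predecessor, hops).
# A predecessor equal to the destination marks a directly attached neighbour.
SLIDE_TABLE_H = {
    "A": ("B", 4), "B": ("D", 3), "C": ("C", 1), "D": ("G", 2),
    "E": ("G", 2), "F": ("B", 4), "G": ("G", 1),
}

def reconstruct_path(table, me, dest):
    """Follow predecessor pointers from `dest` back to a neighbour of `me`."""
    path, node = [dest], dest
    while True:
        if node not in table:
            raise Inconsistent(f"{dest}: no entry for predecessor {node}")
        pred, _ = table[node]
        if pred == node:                       # neighbour reached: the path is complete
            break
        if pred in path:
            raise Inconsistent(f"{dest}: predecessor chain loops at {pred}")
        path.append(pred)
        node = pred
    path.append(me)
    return path[::-1]                          # me, ..., predecessor, dest

def validate(table, me):
    """Return {destination: problem} for entries whose predecessor chain disagrees
    with the advertised hop count, or cannot be followed at all."""
    problems = {}
    for dest, (pred, hops) in table.items():
        try:
            path = reconstruct_path(table, me, dest)
        except Inconsistent as err:
            problems[dest] = str(err)
            continue
        if len(path) - 1 != hops:
            problems[dest] = f"advertised {hops} hops but the predecessor chain has {len(path) - 1}"
        elif pred != dest and table[pred][1] != hops - 1:
            problems[dest] = f"predecessor {pred} is {table[pred][1]} hops away, expected {hops - 1}"
    return problems
```

On H’s slide table every entry reconstructs cleanly (A is reached as H, G, D, B, A in four hops). An entry that claims fewer hops than its own chain implies, or a chain that loops, is flagged; an entry installed from C’s “A: 1 hop” claim with C as predecessor reconstructs as H, C, A in two hops and is not, which is why the slides go on to ask what a signature would have to cover.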

Page 61 (slide 72): OSPF

• Link State routing protocol (RFC 1583)
• Routers are organized in domains and areas
• Hello message for neighbor acquisition
• Link State information is flooded through the whole area
• A topology database is maintained by every router

Page 62 (slide 73): Important LSA Fields

• Advertising router ID (originator)
• Advertised link or network ID
• Sequence number [0x80000001, 0x7fffffff]
• Age [0, 60 minutes]

Page 63 (slide 74): When to Originate an LSA?

• Upon link state changes, or
• Upon timer expiration

Page 64 (slide 75): Questions to Ask:

• How do you know one LSA is fresher than the other?
• An LSA originated by you will be received by every router; will you receive the LSA originated by you?
• Will the sequence number wrap-around cause any problem? (i.e., == 0x7fffffff)
• Age ==> 1 hour

Page 65 (slide 76): Sequence #: old vs. new LSAs

[Figure: routers around an ATM cloud; the current LSA carries sequence number 0x80000001, the next one 0x80000002]

Only accept LSAs with newer/larger Seq#.

Page 66 (slide 77): Sequence# & Self-Stabilization

[Figure: routers around an ATM cloud, links marked “up”]

(1) 0x90001112
(2) router crashes.
(3) 0x80000001.
(4) 0x90001112 – an old copy still exists!
(5) 0x90001113

Page 67 (slide 78): Flushing via Premature Aging

[Figure: routers around an ATM cloud]

(1) 0x7FFFFFFF MaxSeq#
(2) 0x7FFFFFFF with MaxAge to purge this entry.
(3) 0x80000001.

Specified behavior when Seq# wraps around: (1), (2), (3)

Page 68 (slide 79): Attack the Routing Infrastructure (Vicious Advertising Routers)

[Figure: routers around a cloud, links marked “up”; one router marked “EVIL!” floods LSAs claiming 1. up ==> down, 2. not exist ==> up]

Impact varies depending on how critical the link is to the world!

Page 69 (slide 80): Attack the Routing Infrastructure (Vicious Intermediate Routers)

[Figure: links marked “up” and “down”; an intermediate router marked “EVIL!” alters the LSAs it floods: all the links can be attacked]

Authentication, please come to the rescue!

Page 70 (slide 81): Exchanging without LSA Signature?

[Figure: routers around an ATM cloud exchanging an LSA and its Seq#]

If attackers can just change the content of LSAs without being detected, the routers must use all LSAs with care!

Page 71 (slide 82): Fight-Back - Originator Reaction

[Figure: routers around an ATM cloud exchanging LSA sequence numbers]

(1) 0x90001112
(2) 0x90001113 – seq++ attack
(3) 0x90001114 – fight-back
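The sequence-number rules from slides 73, 76, 77, 78 and 82 as a small model of an OSPF router’s link-state database: signed 32-bit comparison (so 0x80000001 is the oldest possible instance and 0x7fffffff the newest), “only accept newer”, the post-crash case where a router meets its own stale copy and re-originates above it, the MaxAge flush that the standard requires before a sequence number wraps, and the fight-back that displaces a forged seq+1 copy from a neighbour’s database. This is an added example, not lecture code; the three constants are OSPF’s, the class layout and scenario functions are mine, and the routers and link names are constructed.

```python
"""OSPF-style LSA instance bookkeeping: signed sequence numbers, "only newer wins",
self-stabilisation after a crash, premature aging at MaxSeq, and fight-back.
Added example, not lecture code; routers and links are constructed."""
INITIAL_SEQ = 0x80000001       # OSPF InitialSequenceNumber
MAX_SEQ = 0x7fffffff           # OSPF MaxSequenceNumber
MAX_AGE = 3600                 # OSPF MaxAge in seconds: the slides' "1 hour"

def signed32(x):
    """OSPF orders sequence numbers as signed 32-bit integers, so 0x80000001 is the smallest."""
    return x - (1 << 32) if x & 0x80000000 else x

def is_newer(a, b):
    """Higher sequence number wins; on equal numbers a MaxAge copy is the newer instance."""
    if a.seq != b.seq:
        return signed32(a.seq) > signed32(b.seq)
    return a.age >= MAX_AGE > b.age

class LSA:
    def __init__(self, origin, link, seq, body, age=0):
        self.origin, self.link, self.seq, self.body, self.age = origin, link, seq, body, age
    def key(self):
        return (self.origin, self.link)

class Router:
    def __init__(self, rid, state=None):
        self.rid, self.state = rid, state or {}   # state: link -> what we will advertise
        self.db = {}       # (origin, link) -> newest LSA instance we hold
        self.outbox = []   # everything we flood, in order

    def originate(self, link):
        """Next instance of our own LSA.  At MaxSeq the old instance must first be
        flushed with MaxAge (premature aging) before the number wraps to InitialSeq."""
        cur = self.db.get((self.rid, link))
        if cur is None:
            seq = INITIAL_SEQ
        elif cur.seq == MAX_SEQ:
            self.outbox.append(LSA(self.rid, link, MAX_SEQ, cur.body, age=MAX_AGE))
            seq = INITIAL_SEQ
        else:
            seq = (cur.seq + 1) & 0xffffffff
        lsa = LSA(self.rid, link, seq, self.state[link])
        self.db[lsa.key()] = lsa
        self.outbox.append(lsa)
        return lsa

    def receive(self, lsa):
        """Flooding input.  Only a strictly newer instance is installed; a newer copy of
        our own LSA (stale copy after a crash, or a seq++ forgery) triggers fight-back."""
        cur = self.db.get(lsa.key())
        if cur is not None and not is_newer(lsa, cur):
            return "ignored"
        if lsa.origin == self.rid:
            self.db[lsa.key()] = lsa      # continue from the number the area has already seen
            self.originate(lsa.link)      # re-advertise the real state with seq+1
            return "fight-back"
        if lsa.age >= MAX_AGE:
            self.db.pop(lsa.key(), None)  # flush
            self.outbox.append(lsa)
            return "flushed"
        self.db[lsa.key()] = lsa
        self.outbox.append(lsa)
        return "installed"

def crash_scenario():
    """Slide 77: R1 was at 0x90001112, crashes, restarts at InitialSeq, then meets
    its own old copy that still exists elsewhere in the area."""
    r1 = Router("R1", {"net-1": "up"})
    first = r1.originate("net-1")
    outcome = r1.receive(LSA("R1", "net-1", 0x90001112, "up"))
    return first.seq, outcome, r1.db[("R1", "net-1")].seq

def wrap_scenario():
    """Slide 78: the specified behaviour when Seq# reaches MaxSeq."""
    r1 = Router("R1", {"net-1": "up"})
    r1.db[("R1", "net-1")] = LSA("R1", "net-1", MAX_SEQ, "up")
    nxt = r1.originate("net-1")
    flushed = r1.outbox[0]
    return flushed.seq, flushed.age, nxt.seq

def forgery_scenario(forged_seq=None):
    """Slide 82: neighbour R2 installs a forged newer copy of R1's LSA that says the link
    is down; flooding carries it back to R1, whose reaction displaces it at R2 again."""
    r1, r2 = Router("R1", {"net-1": "up"}), Router("R2")
    genuine = r1.originate("net-1")
    r2.receive(genuine)
    forged = LSA("R1", "net-1", forged_seq or genuine.seq + 1, "down")
    r2.receive(forged)
    reaction = r1.receive(forged)
    for lsa in r1.outbox[1:]:      # R1's response (a MaxAge flush first if the number wrapped)
        r2.receive(lsa)
    return reaction, r2.db[("R1", "net-1")].body, r1.db[("R1", "net-1")].seq
```

Running `forgery_scenario(MAX_SEQ)` answers slide 83’s question about an attacker jumping straight to MaxSeq: the originator’s only legal move is to flush that instance and restart at InitialSeq, and because every router treats a MaxAge copy with the same number as newer, the forged entry is purged before the restart is installed. What the model cannot do is say who injected the copy, which is the case for signing that the next slides make.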

Page 72 (slide 83): Signature - How Critical?

• Observations:
  – Prolonged fight-back will not happen in real attacks
  – What’s preventing the attacker from using LS_seq=MaxSeq?
• Can you prevent false LSA without signature?
• Can you determine who did it after you realize that you’ve been fooled without signature?
• What needs to be signed by whom anyway?

Page 73 (slide 84): OSPF Security Strength

• In most benign cases, if something goes wrong, the advertising router will detect it and try to correct it by generating new LSAs
• The attackers have to persistently inject bad LSAs in order for it to ‘stick’
• Self-Stabilization Protocols: force the attackers to perform persistent attacks

Page 74 (slide 85): Detection of Hit-and-Run vs. Persistent Attacks

• Hit-and-Run Attacks: Hard to Detect/Isolate
  – Inject one (or very few) bad packets but cause lasting damaging effect
• Persistent Attacks:
  – Attackers have to continuously inject attack packets in order to inflict significant damage
• OSPF-type Link State protocols are resilient to hit-and-run attacks

Page 75 (slide 86): Secure Protocol/system Design?

• If we can force the attackers to launch “persistent attacks,” we have a better chance to detect and isolate the attack sources
• OSPF flooding coupled with periodic LSA does a fairly good job because it is refreshing link state persistently!
• What other implications does ‘flooding’ have on security?