lecture on network securitydebashis saha thursday, may 17, 20071 introduction to network/ linux...
Post on 18-Dec-2015
216 views
TRANSCRIPT
Thursday, May 17, 2007
1
Lecture on Network Security Debashis Saha
Introduction to Network/Linux Security
Debashis SahaMIS Group, IIM Calcutta
Thursday, May 17, 2007
2
Lecture on Network Security Debashis Saha
Overview
• What is network security?• Kind of security services one might desire• What kind of attacks should we try to
protect a network against?• What are the available protection
strategies available?• What support can we expect from LINUX?
Thursday, May 17, 2007
3
Lecture on Network Security Debashis Saha
What is network security?
• A network is secure if you can depend on it and its nodes behave as you expect.
• If you do not know what you are protecting, why you are protecting it, and what you are protecting it from, your task will be rather difficult!
Thursday, May 17, 2007
4
Lecture on Network Security Debashis Saha
Kind of security one might desire
• Authentication• Confidentiality (Privacy)• Integrity• Availability• Non-Repudation• Auditing
Thursday, May 17, 2007
5
Lecture on Network Security Debashis Saha
Authentication
• Authentication is the process of reliably verifying the identity of someone (or something) by means of:– A secret (password [one-time], ...)– An object (smart card, ...)– Physical characteristics (fingerprint, retina, ...)– Trust
• Do not mistake authentication for authorization!
Thursday, May 17, 2007
6
Lecture on Network Security Debashis Saha
Integrity Vs Confidentiality
• Integrity– Protecting information from being deleted or altered in any
way without the permission of the owner of that information.
• Confidentiality– Protecting information from being read or copied by
anyone who has not been explicitly authorized by the owner of that information.
Thursday, May 17, 2007
7
Lecture on Network Security Debashis Saha
Availability
If the system is unavailable when anauthorized user needs it, the result canbe as bad as having the information thatresides on the system deleted!
Thursday, May 17, 2007
8
Lecture on Network Security Debashis Saha
Non repudation
The ability of the receiver of something toprove to a third party that the senderreally did send the message.
Thursday, May 17, 2007
9
Lecture on Network Security Debashis Saha
Auditing
The ability to record events that mighthave some security relevance. In suchcases, you need to determine what wasaffected. In some cases, the audit trailmay be extensive enough to allow “undo”operations to help restore the system to acorrect state.
Thursday, May 17, 2007
10
Lecture on Network Security Debashis Saha
Kind of attacks to a Computer
What kind of attacks should we try to protect a computer against ?
• Physical Security– Lockers, BIOS, weather, ...
• Personnel security• Operating System security• Network security
Thursday, May 17, 2007
11
Lecture on Network Security Debashis Saha
Some common network services• DNS• Apache• NFS• NIS/NIS+• Samba• Telnet• FTP• Mail• ... ... ...
Thursday, May 17, 2007
12
Lecture on Network Security Debashis Saha
Network Security: common attacks
• Interception– Modification
• Intrusion– Modification, Fabrication
• Denial of service– Interruption
• Information theft
Thursday, May 17, 2007
13
Lecture on Network Security Debashis Saha
Security tools• Cryptography
• Symmetric Vs Asymmetric (Certificates ...)
• Firewalls & Proxyes• Ipchains/Iptable ...
• TCP Wrappers + UDP Relayers• Pluggable Authentication Module
• It is a suite of shared libraries that enable the local system administrator to choose how applications authenticate users
• Kernel Level Security• Log files (/var/log/*)
Thursday, May 17, 2007
14
Lecture on Network Security Debashis Saha
Cryptography: the solution for privacy
The security is based on the secrecy of the key and sometimes of the alghoritms too.
Thursday, May 17, 2007
15
Lecture on Network Security Debashis Saha
Cryptography Model
Encryption Key, K
Plaintext, P
Plaintext, P
Decryption Key, K'
Encryption, E
Decryption, D
Cyphertext, C
Thursday, May 17, 2007
16
Lecture on Network Security Debashis Saha
Basic Formula
C=EK(P)P=DK'(C)
DK'(EK(P))=P
If K=K', it is symmetric key system,-also known as secret key key system
If KK', it is asymmetric key system-commonly called public key system
Thursday, May 17, 2007
17
Lecture on Network Security Debashis Saha
CryptographySymmetric Vs Asymmetric
• Symmetric (also called private key algorithms)– The same password is used to both
encrypt and decrypt– Faster algorithms– PROBLEM: key management is not easy
• Asymmetric (also called pubblic key algorithms)– The password used to encrypt is
different from the one needed to decrypt– More secure– It allows to have non-repudiation
Thursday, May 17, 2007
18
Lecture on Network Security Debashis Saha
Secret Key System
Alice Bob
DES Key DES Key
Thursday, May 17, 2007
19
Lecture on Network Security Debashis Saha
Data Encryption Standard (DES)
• It is a symmetric algorithm• Designed by IBM for the U.S. Government in 1977• It is based on a 128 bit key (earlier 64)• Hardware Vs Software implementation• How secure is DES?
– How much would a Des-Breaking engine would cost?– Is it possible to make DES harder to break in?– How does it work?
Thursday, May 17, 2007
20
Lecture on Network Security Debashis Saha
Public Key System
Alice Bob
Bob'spublic Key
Bob'sprivate key
Thursday, May 17, 2007
21
Lecture on Network Security Debashis Saha
RSA Algorithm
• Rivest, Shamir & Adleman (1978), MIT
• Most widely used public key algorithm
• Based on principles of number theory
• Keys are calculated in the following way:
1. Choose two large (>10100) primes, p and q2. Compute n=p*q and z=(p-1)*(q-1)3. Choose a number k' which is relatively prime to z4. Find k such that k*k'=1 mod z
C=Pk (mod n) and P=Ck' (mod n)
Thursday, May 17, 2007
22
Lecture on Network Security Debashis Saha
Example
Say p=3 and q=11 so that n=33 and z=20 A suitable value for k' is 7 (prime to 20) k can be found by solving: 7*k=1 (mod 20) Thus, k=3 So encryption: C=P3 (mod 33) And Decryption: P=C7 (mod 33)
Say P=14, then C=143 (mod 33)=2744 (mod 33)=5 Conversely, C7 (mod 33)=78125 (mod 33)=14=P
Thursday, May 17, 2007
23
Lecture on Network Security Debashis Saha
Digital Signature
• An important security strategy for E-Commerce• The receiver can verify the claimed identity of the
sender (authenticated)• The sender cannot later repudiate the contents of the
message• The message cannot be concocted in transit• Can be implemented using public key cryptography
Thursday, May 17, 2007
24
Lecture on Network Security Debashis Saha
Public Key Signature
Say, A wants to send a signed message P to B We know that P=DK'[EK(P)] holds It is assumed that P=EK[DK'(P)] also holds A computes C=EK'A(P) using his private keyand sends it to B openly
B then decrypts C by KA as: DKA(C)=P B, decrypting the message with A's public key,knows that A generated the message
Later A cannot deny having sent C because it canbe opened by KA only and K'A is private to A
Thursday, May 17, 2007
25
Lecture on Network Security Debashis Saha
Security of cryptographic algorithms
• Let us define the lifetime of an information as the amount of time the information should be kept secret.
• An encryptioncan cab be considered secure if the time to break it (for ex. with a brute force attack) is reasonably longer than the lifetime of the information contained in the plain text.
Length of the key on bits(estimated in 1995, Applied Cryptography)
Cost 40 56 64 80 112 128
$ 100K 2.00 s. 35 h. 1 y. 70,000 y. 1014 y. 1019 y.
$ 1M 0.20 s. 3.5 h 37 d. 7,000 y. 1013 y. 1018 y.
$ 10M 0.02 s. 21 min. 4 d. 700 y. 1012 y. 1017 y.
Thursday, May 17, 2007
26
Lecture on Network Security Debashis Saha
Secure Socket Layer (SSL)• It is based on a public encryption
algorithm• It is a protocol developed by Netscape
for secure transactions across the Web• It is stream-based consisting of three phases
– 6In initial handshake phase, secure communications are established– In intermediate data transfer phase, application-to-application dialog
(with data encryption) occurs– In closing handshake phase, connection is terminated
• There are free SSL implementations
Thursday, May 17, 2007
28
Lecture on Network Security Debashis Saha
What is a Firewall?• A set of related programs that protects
the resources of a private network from users from other networks.
• A mechanism for filtering network packets based on information contained within the IP header.
• Options available– Commercial Firewall Devices (Watchguard, Cisco PIX)– Routers (ACL Lists)– Linux – Software Packages (ZoneAlarm, Black Ice)– Sneaker Net
Thursday, May 17, 2007
29
Lecture on Network Security Debashis Saha
Firewalls• Routers: easy to say “allow everything
but…”• Firewalls: easy to say “allow nothing but…”• This helps because we turn off access to
everything, then evaluate which services are mission-critical and have well-understood risks
• Note: the only difference between a router and a firewall is the design philosophy: – do we prioritize security, or connectivity ?
• configurability, logging
Thursday, May 17, 2007
30
Lecture on Network Security Debashis Saha
Firewall setup• Firewall ensures that the internal network
and the Internet can both talk to the DMZ, but usually not to each other
• The DMZ relays services at the application level, e.g. mail forwarding, web proxying
• The DMZ machines and firewall are centrally administered by people focused on security full-time (installing patches, etc.); – it’s easier to secure 20 machines than 20,000
• Now the internal network is “safe” (but not from internal attacks, modems, etc.)
Thursday, May 17, 2007
31
Lecture on Network Security Debashis Saha
Typical firewall setup
DMZ
evil Internet
internal network
Thursday, May 17, 2007
32
Lecture on Network Security Debashis Saha
Downside of firewalls
• single point of failure• difficult to integrate into a mesh
network• highlights flaws in network architecture• can focus politics on the firewall
administrator
Thursday, May 17, 2007
34
Lecture on Network Security Debashis Saha
Packet Filters .. “Firewalls”
• A “Firewall” can be at any layer between 3-5
• Application-level gateways work at the application layer
• Packet-filters work at the network layer
User Applications
Application
Presentation
Session
Transport
Network
Data Link
Physical
Thursday, May 17, 2007
35
Lecture on Network Security Debashis Saha
Why Filter?• Packets that are filtered increase security.
• Prevent ousiders from using services on a system.
• Prevent malicious attacks such as Denial of Service (DoS) and ping flood attacks.
• Control the flow of information.
• Prevent internal system users from using certain sites or types of protocols.
Thursday, May 17, 2007
36
Lecture on Network Security Debashis Saha
Packet Filtering• Should arriving packet be allowed in? Should a
departing packet be let out?• Filter packet-by-packet, making decisions to
forward/drop a packet based on:– source IP address, destination IP address– TCP/UDP source and destination port numbers– ICMP message type– TCP SYN and ACK bits– ...
Eth
Des
tE
th S
rcE
th H
dr
IP D
est
IP S
rcIP
Hdr
TC
P D
Por
tT
CP
SP
ort
TC
P H
dr
Data
Thursday, May 17, 2007
37
Lecture on Network Security Debashis Saha
Packet “filtering”
• Packet filtering is not just “filtering”• Changing Packets: Filters often able to
rewrite packet headers• Examine/modify IP packet contents
only? Or entire Ethernet frames?• Monitor TCP state?
Thursday, May 17, 2007
38
Lecture on Network Security Debashis Saha
Packet Filtering Limitations
• Cannot Do: Allow only certain users in (requires application-specific information)
• Can do: Allow or deny entire services (protocols)
• Cannot Do: Allow, e.g., only certain files to be ftp’ed
Thursday, May 17, 2007
39
Lecture on Network Security Debashis Saha
Packet Filtering in Linux History
• 1st generation: ipfw (from BSD)• 2nd generation: ipfwadm (Linux 2.0)• 3rd generation: ipchains (Linux 2.2)• 4th generation: iptable (Linux 2.4, 2.6)
Thursday, May 17, 2007
40
Lecture on Network Security Debashis Saha
Packet Traversal in Linux
Input OutputLocalProcesses
ForwardRoutingDecision
Pre-Routing
Post-Routing
Thursday, May 17, 2007
41
Lecture on Network Security Debashis Saha
The Rules Chain Concept• The most common method used by packet filtering for the organization of the filters is the rules chain. A rule chain contains a listing of each filter, or rule, that has been configured on the local system.
•Linux uses four main chains:
• Input – packets traveling to the host
• Output – packets leaving from the host
• Forward – packets received by the host and will be forwarded by the host
• User Defined – special type of chain created by the user that receives packets from the three main chains for processing
• Rules chains allow for complex filtering of data entering or leaving a system while making it easy to install and maintain the rules.
Thursday, May 17, 2007
42
Lecture on Network Security Debashis Saha
Linux Iptables/Netfilter
• In Linux kernel 2.4 and 2.6, we use the netfilter package with iptables commands to setup the firewall.
• The old package called IPchains is deprecated.
• http://www.netfilter.org/
Thursday, May 17, 2007
43
Lecture on Network Security Debashis Saha
Iptables: http://www.netfilter.org/
• What is iptables?
• iptables is the building block of a framework inside the Linux kernel. This framework enables packet filtering, network address translation (NAT), network port translation (NPT), and other packet mangling.
• iptables is a generic table structure for the definition of rulesets. Each rule with an IP table consists of a number of classifiers (iptables matches) and one connection action (iptable target).
• What can I do with iptables?
• build internet firewalls based on stateless and stateful packet filtering
• use NAT and masquerading for sharing internet access
• use NAT to implement transparent proxies
• do further packet manipulation (mangling) like altering the bits of the IP header
Thursday, May 17, 2007
44
Lecture on Network Security Debashis Saha
iptables - Features (1)
• Stateful filtering of TCP & UDP traffic– Ports opened & closed as clients use the Internet– Presents a (mostly) “blank wall” to attackers
• “Related” option for complex applications– Active mode FTP– Multimedia applications (Real Audio, etc.)
• Can filter on fragments
Thursday, May 17, 2007
45
Lecture on Network Security Debashis Saha
iptables - Features (2)
• Improved logging options– User-defined logging prefixes– Log selected packets (e.g., handshake packets)
• Port Address Translation (PAT)• Network Address Translation (NAT)
– Inbound• Redirect to DMZ web server, mail server, etc.
– Outbound• Group outbound traffic and/or use static assignment
Thursday, May 17, 2007
46
Lecture on Network Security Debashis Saha
iPtables “chains”
• A chain is a sequence of filtering rules.• Rules are checked in order. First match
wins. Every chain has a default rule.• If no rules match the packet, chain
policy is applied.• Chains are dynamically inserted/
deleted.
Thursday, May 17, 2007
47
Lecture on Network Security Debashis Saha
Built-in chains
1. INPUT: packets for local processes 1. No output interface
2. OUTPUT: packets produced by local processes
1. No input interface 2. All packets to and from lo (loopback) interface traverse input
and output chains
3. FORWARD: for all transiting packets1. Do not traverse INPUT or OUTPUT2. Has input and output interface
4. PREROUTING5. POSTROUTING
Thursday, May 17, 2007
48
Lecture on Network Security Debashis Saha
Network Address Translation (NAT)
Thursday, May 17, 2007
49
Lecture on Network Security Debashis Saha
Private Network• Private IP network is an IP network that is
not directly connected to the Internet• IP addresses in a private network can be
assigned arbitrarily. – Not registered and not guaranteed to be globally unique
• Generally, private networks use addresses from the following experimental address ranges (non-routable addresses): – 10.0.0.0 – 10.255.255.255– 172.16.0.0 – 172.31.255.255– 192.168.0.0 – 192.168.255.255
Thursday, May 17, 2007
50
Lecture on Network Security Debashis Saha
Private Addresses
H1
R1
H2
10.0.1.3
10.0.1.1
10.0.1.2
H3
R2
H4
10.0.1.310.0.1.2
Private network 1
Internet
H5
10.0.1.1Private network 1
213.168.112.3
128.195.4.119 128.143.71.21
Thursday, May 17, 2007
51
Lecture on Network Security Debashis Saha
Network Address Translation (NAT)
• NAT is a router function where IP addresses (and possibly port numbers) of IP datagrams are replaced at the boundary of a private network
• NAT is a method that enables hosts on private networks to communicate with hosts on the Internet
• NAT is run on routers that connect private networks to the public Internet, to replace the IP address-port pair of an IP packet with another IP address-port pair.
Thursday, May 17, 2007
52
Lecture on Network Security Debashis Saha
Basic operation of NAT
• NAT device has address translation table
H1
private address: 10.0.1.2public address: 128.143.71.21
H5
Privatenetwork
Internet
Source = 10.0.1.2Destination = 213.168.112.3
Source = 128.143.71.21Destination = 213.168.112.3
public address: 213.168.112.3NATdevice
Source = 213.168.112.3Destination = 128.143.71.21
Source = 213.168.112.3Destination = 10.0.1.2
PrivateAddress
PublicAddress
10.0.1.2 128.143.71.21
Thursday, May 17, 2007
53
Lecture on Network Security Debashis Saha
Main uses of NAT
• Pooling of IP addresses
• Supporting migration between network service providers
• IP masquerading
• Load balancing of servers
Thursday, May 17, 2007
54
Lecture on Network Security Debashis Saha
Pooling of IP addresses• Scenario: Corporate network has many
hosts but only a small number of public IP addresses
• NAT solution:– Corporate network is managed with a private address
space– NAT device, located at the boundary between the
corporate network and the public Internet, manages a pool of public IP addresses
– When a host from the corporate network sends an IP datagram to a host in the public Internet, the NAT device picks a public IP address from the address pool, and binds this address to the private address of the host
Thursday, May 17, 2007
55
Lecture on Network Security Debashis Saha
Pooling of IP addresses
H1
private address: 10.0.1.2public address:
H5
Privatenetwork
Internet
Source = 10.0.1.2Destination = 213.168.112.3
Source = 128.143.71.21Destination = 213.168.112.3
public address: 213.168.112.3NATdevice
PrivateAddress
PublicAddress
10.0.1.2
Pool of addresses: 128.143.71.0-128.143.71.30
Thursday, May 17, 2007
56
Lecture on Network Security Debashis Saha
Supporting migration between network service providers
• Scenario: In CIDR, the IP addresses in a corporate network are obtained from the service provider. Changing the service provider requires changing all IP addresses in the network.
• NAT solution:– Assign private addresses to the hosts of the corporate network– NAT device has static address translation entries which bind
the private address of a host to the public address. – Migration to a new network service provider merely requires
an update of the NAT device. The migration is not noticeable to the hosts on the network.
Note:– The difference to the use of NAT with IP address pooling is that
the mapping of public and private IP addresses is static.
Thursday, May 17, 2007
57
Lecture on Network Security Debashis Saha
Supporting migration between network service providers
H1
private address: 10.0.1.2public address: 128.143.71.21
128.195.4.120
Source = 10.0.1.2Destination = 213.168.112.3
NATdevice
PrivateAddress
PublicAddress
10.0.1.2128.143.71.21128.195.4.120
128.143.71.21
128.195.4.120
Source = 128.143.71.21Destination = 213.168.112.3
Source = 128.195.4.120Destination = 213.168.112.3
ISP 2allocates address block
128.195.4.0/24 to privatenetwork:
Privatenetwork
ISP 1allocates address block
128.143.71.0/24 to privatenetwork:
Thursday, May 17, 2007
58
Lecture on Network Security Debashis Saha
IP masquerading
• Also called: Network address and port translation (NAPT), port address translation (PAT).
• Scenario: Single public IP address is mapped to multiple hosts in a private network.
• NAT solution:– Assign private addresses to the hosts of the
corporate network– NAT device modifies the port numbers for outgoing
traffic
Thursday, May 17, 2007
59
Lecture on Network Security Debashis Saha
IP masquerading
H1
private address: 10.0.1.2
Private network
Source = 10.0.1.2Source port = 2001
Source = 128.143.71.21Source port = 2100
NATdevice
PrivateAddress
PublicAddress
10.0.1.2/2001 128.143.71.21/2100
10.0.1.3/3020 128.143.71.21/4444
H2
private address: 10.0.1.3
Source = 10.0.1.3Source port = 3020
Internet
Source = 128.143.71.21Destination = 4444
128.143.71.21
Thursday, May 17, 2007
60
Lecture on Network Security Debashis Saha
Load balancing of servers• Scenario: Balance the load on a set of
identical servers, which are accessible from a single IP address
• NAT solution:– Here, the servers are assigned private addresses – NAT device acts as a proxy for requests to the server
from the public network– The NAT device changes the destination IP address
of arriving packets to one of the private addresses for a server
– A sensible strategy for balancing the load of the servers is to assign the addresses of the servers in a round-robin fashion.
Thursday, May 17, 2007
61
Lecture on Network Security Debashis Saha
Load balancing of servers
Private network
Source = 213.168.12.3Destination = 128.143.71.21
NATdevice
PrivateAddress
PublicAddress
10.0.1.2 128.143.71.21
Inside network
10.0.1.4 128.143.71.21
Internet128.143.71.21
S1
S2
S3
10.0.1.4
10.0.1.3
10.0.1.2
PublicAddress
128.195.4.120
Outside network
213.168.12.3
Source = 128.195.4.120Destination = 128.143.71.21
Thursday, May 17, 2007
62
Lecture on Network Security Debashis Saha
Concerns about NAT
• Performance:– Modifying the IP header by changing the IP address
requires that NAT boxes recalculate the IP header checksum
– Modifying port number requires that NAT boxes recalculate TCP checksum
• Fragmentation– Care must be taken that a datagram that is
fragmented before it reaches the NAT device, is not assigned a different IP address or different port numbers for each of the fragments.
Thursday, May 17, 2007
63
Lecture on Network Security Debashis Saha
Concerns about NAT
• End-to-end connectivity:– NAT destroys universal end-to-end reachability of
hosts on the Internet. – A host in the public Internet often cannot initiate
communication to a host in a private network. – The problem is worse, when two hosts that are in a
private network need to communicate with each other.
Thursday, May 17, 2007
64
Lecture on Network Security Debashis Saha
Concerns about NAT
• IP address in application data:– Applications that carry IP addresses in the payload of
the application data generally do not work across a private-public network boundary.
– Some NAT devices inspect the payload of widely used application layer protocols and, if an IP address is detected in the application-layer header or the application payload, translate the address according to the address translation table.
Thursday, May 17, 2007
65
Lecture on Network Security Debashis Saha
Configuring NAT in Linux
• Linux uses Netfilter/iptable package to add filtering rules to the IP module Incoming
datagram
filterINPUT
Destinationis local?
filterFORW ARD
natOUTPUT
To application From application
Outgoingdatagram
natPOSTROUTING
(SNAT)
No
Yes filterOUTPUT
natPREROUTING
(DNAT)
Thursday, May 17, 2007
66
Lecture on Network Security Debashis Saha
Configuring NAT with iptable• First example:
iptables –t nat –A POSTROUTING –s 10.0.1.2 –j SNAT --to-source 128.143.71.21
• Pooling of IP addresses:iptables –t nat –A POSTROUTING –s 10.0.1.0/24 –j SNAT --to-source 128.128.71.0–128.143.71.30
• ISP migration: iptables –t nat –R POSTROUTING –s 10.0.1.0/24 –j SNAT --to-source 128.195.4.0–128.195.4.254
• IP masquerading: iptables –t nat –A POSTROUTING –s 10.0.1.0/24 –o eth1 –j MASQUERADE
• Load balancing:iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-destination 10.0.1.2-10.0.1.4
Thursday, May 17, 2007
67
Lecture on Network Security Debashis Saha
Thank You
For further queries, mail to: