lecture on network securitydebashis saha thursday, may 17, 20071 introduction to network/ linux...

Thursday, May 17, 2007

1

Lecture on Network Security Debashis Saha

Introduction to Network/Linux Security

Debashis SahaMIS Group, IIM Calcutta

[email protected]


2


Overview

• What is network security?• Kind of security services one might desire• What kind of attacks should we try to

protect a network against?• What are the available protection

strategies available?• What support can we expect from LINUX?


3


What is network security?

• A network is secure if you can depend on it and its nodes behave as you expect.

• If you do not know what you are protecting, why you are protecting it, and what you are protecting it from, your task will be rather difficult!


4


Kind of security one might desire

• Authentication• Confidentiality (Privacy)• Integrity• Availability• Non-Repudation• Auditing


5


Authentication

• Authentication is the process of reliably verifying the identity of someone (or something) by means of:– A secret (password [one-time], ...)– An object (smart card, ...)– Physical characteristics (fingerprint, retina, ...)– Trust

• Do not mistake authentication for authorization!


6


Integrity Vs Confidentiality

• Integrity– Protecting information from being deleted or altered in any

way without the permission of the owner of that information.

• Confidentiality– Protecting information from being read or copied by

anyone who has not been explicitly authorized by the owner of that information.


7


Availability

If the system is unavailable when anauthorized user needs it, the result canbe as bad as having the information thatresides on the system deleted!


8


Non repudation

The ability of the receiver of something toprove to a third party that the senderreally did send the message.


9


Auditing

The ability to record events that mighthave some security relevance. In suchcases, you need to determine what wasaffected. In some cases, the audit trailmay be extensive enough to allow “undo”operations to help restore the system to acorrect state.


10


Kind of attacks to a Computer

What kind of attacks should we try to protect a computer against ?

• Physical Security– Lockers, BIOS, weather, ...

• Personnel security• Operating System security• Network security


11


Some common network services• DNS• Apache• NFS• NIS/NIS+• Samba• Telnet• FTP• Mail• ... ... ...


12


Network Security: common attacks

• Interception– Modification

• Intrusion– Modification, Fabrication

• Denial of service– Interruption

• Information theft


13


Security tools• Cryptography

• Symmetric Vs Asymmetric (Certificates ...)

• Firewalls & Proxyes• Ipchains/Iptable ...

• TCP Wrappers + UDP Relayers• Pluggable Authentication Module

• It is a suite of shared libraries that enable the local system administrator to choose how applications authenticate users

• Kernel Level Security• Log files (/var/log/*)


14


Cryptography: the solution for privacy

The security is based on the secrecy of the key and sometimes of the alghoritms too.


15


Cryptography Model

Encryption Key, K

Plaintext, P

Plaintext, P

Decryption Key, K'

Encryption, E

Decryption, D

Cyphertext, C


16


Basic Formula

C=EK(P)P=DK'(C)

DK'(EK(P))=P

If K=K', it is symmetric key system,-also known as secret key key system

If KK', it is asymmetric key system-commonly called public key system


17


CryptographySymmetric Vs Asymmetric

• Symmetric (also called private key algorithms)– The same password is used to both

encrypt and decrypt– Faster algorithms– PROBLEM: key management is not easy

• Asymmetric (also called pubblic key algorithms)– The password used to encrypt is

different from the one needed to decrypt– More secure– It allows to have non-repudiation


18


Secret Key System

Alice Bob

DES Key DES Key


19


Data Encryption Standard (DES)

• It is a symmetric algorithm• Designed by IBM for the U.S. Government in 1977• It is based on a 128 bit key (earlier 64)• Hardware Vs Software implementation• How secure is DES?

– How much would a Des-Breaking engine would cost?– Is it possible to make DES harder to break in?– How does it work?


20


Public Key System

Alice Bob

Bob'spublic Key

Bob'sprivate key


21


RSA Algorithm

• Rivest, Shamir & Adleman (1978), MIT

• Most widely used public key algorithm

• Based on principles of number theory

• Keys are calculated in the following way:

1. Choose two large (>10100) primes, p and q2. Compute n=p*q and z=(p-1)*(q-1)3. Choose a number k' which is relatively prime to z4. Find k such that k*k'=1 mod z

C=Pk (mod n) and P=Ck' (mod n)


22


Example

Say p=3 and q=11 so that n=33 and z=20 A suitable value for k' is 7 (prime to 20) k can be found by solving: 7*k=1 (mod 20) Thus, k=3 So encryption: C=P3 (mod 33) And Decryption: P=C7 (mod 33)

Say P=14, then C=143 (mod 33)=2744 (mod 33)=5 Conversely, C7 (mod 33)=78125 (mod 33)=14=P


23


Digital Signature

• An important security strategy for E-Commerce• The receiver can verify the claimed identity of the

sender (authenticated)• The sender cannot later repudiate the contents of the

message• The message cannot be concocted in transit• Can be implemented using public key cryptography


24


Public Key Signature

Say, A wants to send a signed message P to B We know that P=DK'[EK(P)] holds It is assumed that P=EK[DK'(P)] also holds A computes C=EK'A(P) using his private keyand sends it to B openly

B then decrypts C by KA as: DKA(C)=P B, decrypting the message with A's public key,knows that A generated the message

Later A cannot deny having sent C because it canbe opened by KA only and K'A is private to A


25


Security of cryptographic algorithms

• Let us define the lifetime of an information as the amount of time the information should be kept secret.

• An encryptioncan cab be considered secure if the time to break it (for ex. with a brute force attack) is reasonably longer than the lifetime of the information contained in the plain text.

Length of the key on bits(estimated in 1995, Applied Cryptography)

Cost 40 56 64 80 112 128

$ 100K 2.00 s. 35 h. 1 y. 70,000 y. 1014 y. 1019 y.

$ 1M 0.20 s. 3.5 h 37 d. 7,000 y. 1013 y. 1018 y.

$ 10M 0.02 s. 21 min. 4 d. 700 y. 1012 y. 1017 y.


26


Secure Socket Layer (SSL)• It is based on a public encryption

algorithm• It is a protocol developed by Netscape

for secure transactions across the Web• It is stream-based consisting of three phases

– 6In initial handshake phase, secure communications are established– In intermediate data transfer phase, application-to-application dialog

(with data encryption) occurs– In closing handshake phase, connection is terminated

• There are free SSL implementations


27


Firewall(Access Control)


28


What is a Firewall?• A set of related programs that protects

the resources of a private network from users from other networks.

• A mechanism for filtering network packets based on information contained within the IP header.

• Options available– Commercial Firewall Devices (Watchguard, Cisco PIX)– Routers (ACL Lists)– Linux – Software Packages (ZoneAlarm, Black Ice)– Sneaker Net


29


Firewalls• Routers: easy to say “allow everything

but…”• Firewalls: easy to say “allow nothing but…”• This helps because we turn off access to

everything, then evaluate which services are mission-critical and have well-understood risks

• Note: the only difference between a router and a firewall is the design philosophy: – do we prioritize security, or connectivity ?

• configurability, logging


30


Firewall setup• Firewall ensures that the internal network

and the Internet can both talk to the DMZ, but usually not to each other

• The DMZ relays services at the application level, e.g. mail forwarding, web proxying

• The DMZ machines and firewall are centrally administered by people focused on security full-time (installing patches, etc.); – it’s easier to secure 20 machines than 20,000

• Now the internal network is “safe” (but not from internal attacks, modems, etc.)


31


Typical firewall setup

DMZ

evil Internet

internal network


32


Downside of firewalls

• single point of failure• difficult to integrate into a mesh

network• highlights flaws in network architecture• can focus politics on the firewall

administrator


33


Firewall using

Packet Filtering


34


Packet Filters .. “Firewalls”

• A “Firewall” can be at any layer between 3-5

• Application-level gateways work at the application layer

• Packet-filters work at the network layer

User Applications

Application

Presentation

Session

Transport

Network

Data Link

Physical


35


Why Filter?• Packets that are filtered increase security.

• Prevent ousiders from using services on a system.

• Prevent malicious attacks such as Denial of Service (DoS) and ping flood attacks.

• Control the flow of information.

• Prevent internal system users from using certain sites or types of protocols.


36


Packet Filtering• Should arriving packet be allowed in? Should a

departing packet be let out?• Filter packet-by-packet, making decisions to

forward/drop a packet based on:– source IP address, destination IP address– TCP/UDP source and destination port numbers– ICMP message type– TCP SYN and ACK bits– ...

Eth

Des

tE

th S

rcE

th H

dr

IP D

est

IP S

rcIP

Hdr

TC

P D

Por

tT

CP

SP

ort

TC

P H

dr

Data


37


Packet “filtering”

• Packet filtering is not just “filtering”• Changing Packets: Filters often able to

rewrite packet headers• Examine/modify IP packet contents

only? Or entire Ethernet frames?• Monitor TCP state?


38


Packet Filtering Limitations

• Cannot Do: Allow only certain users in (requires application-specific information)

• Can do: Allow or deny entire services (protocols)

• Cannot Do: Allow, e.g., only certain files to be ftp’ed


39


Packet Filtering in Linux History

• 1st generation: ipfw (from BSD)• 2nd generation: ipfwadm (Linux 2.0)• 3rd generation: ipchains (Linux 2.2)• 4th generation: iptable (Linux 2.4, 2.6)


40


Packet Traversal in Linux

Input OutputLocalProcesses

ForwardRoutingDecision

Pre-Routing

Post-Routing


41


The Rules Chain Concept• The most common method used by packet filtering for the organization of the filters is the rules chain. A rule chain contains a listing of each filter, or rule, that has been configured on the local system.

•Linux uses four main chains:

• Input – packets traveling to the host

• Output – packets leaving from the host

• Forward – packets received by the host and will be forwarded by the host

• User Defined – special type of chain created by the user that receives packets from the three main chains for processing

• Rules chains allow for complex filtering of data entering or leaving a system while making it easy to install and maintain the rules.


42


Linux Iptables/Netfilter

• In Linux kernel 2.4 and 2.6, we use the netfilter package with iptables commands to setup the firewall.

• The old package called IPchains is deprecated.

• http://www.netfilter.org/


43


Iptables: http://www.netfilter.org/

• What is iptables?

• iptables is the building block of a framework inside the Linux kernel. This framework enables packet filtering, network address translation (NAT), network port translation (NPT), and other packet mangling.

• iptables is a generic table structure for the definition of rulesets. Each rule with an IP table consists of a number of classifiers (iptables matches) and one connection action (iptable target).

• What can I do with iptables?

• build internet firewalls based on stateless and stateful packet filtering

• use NAT and masquerading for sharing internet access

• use NAT to implement transparent proxies

• do further packet manipulation (mangling) like altering the bits of the IP header


44


iptables - Features (1)

• Stateful filtering of TCP & UDP traffic– Ports opened & closed as clients use the Internet– Presents a (mostly) “blank wall” to attackers

• “Related” option for complex applications– Active mode FTP– Multimedia applications (Real Audio, etc.)

• Can filter on fragments


45


iptables - Features (2)

• Improved logging options– User-defined logging prefixes– Log selected packets (e.g., handshake packets)

• Port Address Translation (PAT)• Network Address Translation (NAT)

– Inbound• Redirect to DMZ web server, mail server, etc.

– Outbound• Group outbound traffic and/or use static assignment


46


iPtables “chains”

• A chain is a sequence of filtering rules.• Rules are checked in order. First match

wins. Every chain has a default rule.• If no rules match the packet, chain

policy is applied.• Chains are dynamically inserted/

deleted.


47


Built-in chains

1. INPUT: packets for local processes 1. No output interface

2. OUTPUT: packets produced by local processes

1. No input interface 2. All packets to and from lo (loopback) interface traverse input

and output chains

3. FORWARD: for all transiting packets1. Do not traverse INPUT or OUTPUT2. Has input and output interface

4. PREROUTING5. POSTROUTING


48


Network Address Translation (NAT)


49


Private Network• Private IP network is an IP network that is

not directly connected to the Internet• IP addresses in a private network can be

assigned arbitrarily. – Not registered and not guaranteed to be globally unique

• Generally, private networks use addresses from the following experimental address ranges (non-routable addresses): – 10.0.0.0 – 10.255.255.255– 172.16.0.0 – 172.31.255.255– 192.168.0.0 – 192.168.255.255


50


Private Addresses

H1

R1

H2

10.0.1.3

10.0.1.1

10.0.1.2

H3

R2

H4

10.0.1.310.0.1.2

Private network 1

Internet

H5

10.0.1.1Private network 1

213.168.112.3

128.195.4.119 128.143.71.21


51


Network Address Translation (NAT)

• NAT is a router function where IP addresses (and possibly port numbers) of IP datagrams are replaced at the boundary of a private network

• NAT is a method that enables hosts on private networks to communicate with hosts on the Internet

• NAT is run on routers that connect private networks to the public Internet, to replace the IP address-port pair of an IP packet with another IP address-port pair.


52


Basic operation of NAT

• NAT device has address translation table

H1

private address: 10.0.1.2public address: 128.143.71.21

H5

Privatenetwork

Internet

Source = 10.0.1.2Destination = 213.168.112.3


public address: 213.168.112.3NATdevice



PrivateAddress

PublicAddress

10.0.1.2 128.143.71.21


53


Main uses of NAT

• Pooling of IP addresses

• Supporting migration between network service providers

• IP masquerading

• Load balancing of servers


54


Pooling of IP addresses• Scenario: Corporate network has many

hosts but only a small number of public IP addresses

• NAT solution:– Corporate network is managed with a private address

space– NAT device, located at the boundary between the

corporate network and the public Internet, manages a pool of public IP addresses

– When a host from the corporate network sends an IP datagram to a host in the public Internet, the NAT device picks a public IP address from the address pool, and binds this address to the private address of the host


55


Pooling of IP addresses

H1

private address: 10.0.1.2public address:

H5

Privatenetwork

Internet



public address: 213.168.112.3NATdevice

PrivateAddress

PublicAddress

10.0.1.2

Pool of addresses: 128.143.71.0-128.143.71.30


56


Supporting migration between network service providers

• Scenario: In CIDR, the IP addresses in a corporate network are obtained from the service provider. Changing the service provider requires changing all IP addresses in the network.

• NAT solution:– Assign private addresses to the hosts of the corporate network– NAT device has static address translation entries which bind

the private address of a host to the public address. – Migration to a new network service provider merely requires

an update of the NAT device. The migration is not noticeable to the hosts on the network.

Note:– The difference to the use of NAT with IP address pooling is that

the mapping of public and private IP addresses is static.


57


Supporting migration between network service providers

H1

private address: 10.0.1.2public address: 128.143.71.21

128.195.4.120


NATdevice

PrivateAddress

PublicAddress

10.0.1.2128.143.71.21128.195.4.120

128.143.71.21

128.195.4.120



ISP 2allocates address block

128.195.4.0/24 to privatenetwork:

Privatenetwork

ISP 1allocates address block

128.143.71.0/24 to privatenetwork:


58


IP masquerading

• Also called: Network address and port translation (NAPT), port address translation (PAT).

• Scenario: Single public IP address is mapped to multiple hosts in a private network.

• NAT solution:– Assign private addresses to the hosts of the

corporate network– NAT device modifies the port numbers for outgoing

traffic


59


IP masquerading

H1

private address: 10.0.1.2

Private network

Source = 10.0.1.2Source port = 2001


NATdevice

PrivateAddress

PublicAddress

10.0.1.2/2001 128.143.71.21/2100

10.0.1.3/3020 128.143.71.21/4444

H2

private address: 10.0.1.3


Internet

Source = 128.143.71.21Destination = 4444

128.143.71.21


60


Load balancing of servers• Scenario: Balance the load on a set of

identical servers, which are accessible from a single IP address

• NAT solution:– Here, the servers are assigned private addresses – NAT device acts as a proxy for requests to the server

from the public network– The NAT device changes the destination IP address

of arriving packets to one of the private addresses for a server

– A sensible strategy for balancing the load of the servers is to assign the addresses of the servers in a round-robin fashion.


61


Load balancing of servers

Private network


NATdevice

PrivateAddress

PublicAddress

10.0.1.2 128.143.71.21

Inside network

10.0.1.4 128.143.71.21

Internet128.143.71.21

S1

S2

S3

10.0.1.4

10.0.1.3

10.0.1.2

PublicAddress

128.195.4.120

Outside network

213.168.12.3



62


Concerns about NAT

• Performance:– Modifying the IP header by changing the IP address

requires that NAT boxes recalculate the IP header checksum

– Modifying port number requires that NAT boxes recalculate TCP checksum

• Fragmentation– Care must be taken that a datagram that is

fragmented before it reaches the NAT device, is not assigned a different IP address or different port numbers for each of the fragments.


63


Concerns about NAT

• End-to-end connectivity:– NAT destroys universal end-to-end reachability of

hosts on the Internet. – A host in the public Internet often cannot initiate

communication to a host in a private network. – The problem is worse, when two hosts that are in a

private network need to communicate with each other.


64


Concerns about NAT

• IP address in application data:– Applications that carry IP addresses in the payload of

the application data generally do not work across a private-public network boundary.

– Some NAT devices inspect the payload of widely used application layer protocols and, if an IP address is detected in the application-layer header or the application payload, translate the address according to the address translation table.


65


Configuring NAT in Linux

• Linux uses Netfilter/iptable package to add filtering rules to the IP module Incoming

datagram

filterINPUT

Destinationis local?

filterFORW ARD

natOUTPUT

To application From application

Outgoingdatagram

natPOSTROUTING

(SNAT)

No

Yes filterOUTPUT

natPREROUTING

(DNAT)


66


Configuring NAT with iptable• First example:

iptables –t nat –A POSTROUTING –s 10.0.1.2 –j SNAT --to-source 128.143.71.21

• Pooling of IP addresses:iptables –t nat –A POSTROUTING –s 10.0.1.0/24 –j SNAT --to-source 128.128.71.0–128.143.71.30

• ISP migration: iptables –t nat –R POSTROUTING –s 10.0.1.0/24 –j SNAT --to-source 128.195.4.0–128.195.4.254

• IP masquerading: iptables –t nat –A POSTROUTING –s 10.0.1.0/24 –o eth1 –j MASQUERADE

• Load balancing:iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-destination 10.0.1.2-10.0.1.4


67


Thank You

For further queries, mail to:

[email protected]

lecture on network securitydebashis saha thursday, may 17, 20071 introduction to network/ linux...

Documents

network securitydebashis

personnel security

security relevance

kind of security services

physical security lockers

kind of attacks

authentication authentication

authorized user