network security architecture - university of...
TRANSCRIPT
1
Network Security Architecture
2
Additional Reading
“Firewalls and Internet Security: Repelling theWily Hacker”, Cheswick, Bellovin, and Rubin.− New second edition
“Firewall and Internet Security, the SecondHundred (Internet) Years”http://www.cisco.com/warp/public/759/ipj_2-2/ipj_2-2_fis1.html
3
Overview
Network Security Architecture− Wireless− Security Domains− VPN
Firewall Technology− Address Translation− Denial of Service attacks
Intrusion Detection
Both firewalls and IDS are introductions.
4
802.11 or Wi-Fi IEEE standard for wireless communication
− Operates at the physical/data link layer
− Operates at the 2.4 or 5 GHz radio bands
Wireless Access Point is the radio base station
− The access point acts as a gateway to a wired networke.g., ethernet
− Can advertise Service Set Identifier (SSID) or not Doesn't really matter, watcher will learn active
SSIDs
Laptop with wireless card uses 802.11 tocommunicate with the Access Point
5
WEP “Wired Equivalency Privacy” -- early technique for
encrypting wireless communication Authenticated devices use a key and initialization
vector to seed RC4---a stream cipher
V (initialization vector) is changed every frame− Dangers of repeated encryption using the same key stream--
XOR of ciphertexts gives XOR of plaintexts And if some of the plaintext is known, the other is recovered
v
6
Frame transmission RC4(v,k) is stream generated by long-lived key k and
initialization vector v v transmitted in the clear
v is only 24 bits long---since k is long-lived (and usedby all devices)---you are assured of getting repeatedkey sequences− And knowing when you have them! Because v is in the
clear…
7
Security Mechanisms MAC restrictions at the access point
− “white list” : Protects servers from unexpected clients
− Unacceptable in a dynamic environment
− No identity integrity. You can reprogram your card to pose asan “accepted” MAC.
IPSec− To access point or some IPSec gateway beyond
− Protects clients from wireless sniffers
− Used by UIUC wireless networks 802.11i
− Authentication and integrity integral to the 802.11 framework− WEP, WPA, WPA2
8
Network Security Protocols
SSL/TLS− Secure sockets layer / Transport layer security− Used mainly to secure Web traffic
SSH− Secure Shell− Remote login
IPsec− IP-level security suite
8
9
SSL
Mid ‘90s introduced concerns over credit cardtransactions over the Internet
SSL designed to respond to thse concerns,develop e-commerce
Initially designed by Netscape, moved to IETFstandard later
9
10
SSL model
A client and a server Implements a socket interface
− Any socket-based application can be made to run on top ofSSL
Protect against:− Eavesdroppers− MITM attacks
Server has X.509 certificate− Client may have a certificate, too
Provides encryption, and authentication of server
10
11
SSL Handshake, (1)
Client requests “https” connection with server− Passes information to server in message describing
available protocols Key exchange method (e.g., RSA, Diffie-Hellman, DSA) Cipher (e.g., Triple DES, AES) Hash (e.g., HMAC-MD5, HMAC-SHA) Compression algorithms Client nonce
Server responds with messages that− Selects (key xchg, cipher, hash, compression)− Provide server’s certificate− Server nonce
11
12
SSL Handshake, (2) Client verifies server cert
− Likely that cert was signed by a CA whose cert is in thebrowser already
generates pre_master_secret, encrypts using server’spublic key, sends it
Client and server separately compute session key andMAC keys (these from prior random numbers passed)
Client sends MAC of all messages it sent to server inthis handshake
Server sends MAC of all messages it sent to client inthis exchange
12
13
SSL certificates
13
14
SSL history
SSLv2 1994 SSLv3 1996
− Fixed security problems TLS v1.0 1999 TLS v1.1 2006
14
15
SSL key lengths
Earlier versions used 40-bit keys for exportreasons
Later versions switched to 128-bit keys, withan option to use 40-bit ones with legacyservers/clients
Rollback attack:− MITM
15
16
SSL sequence
Negotiate parameters Key exchange Authentication Session
16
17
SSL negotiation
Choice of cipher suites, key exchangealgorithms, protocol versions
E.g. : choice of 40- or 128-bit keys for exportreasons
Rollback attack: MITM chooses least secureparameters
17
18
SSL key exchange
Diffie-Hellman key exchange
RSA-based key exchange− Encrypt secret s with public key of server
18
19
SSL session
Use ChangeCipherSpec message to startencrypting data
Encryption: RC4, also DES, 3DES, AES, ... Authentication: HMAC, using MD5 or SHA1
19
20
SSL session…pushing the bits
20
Blocks, sized up to 18K
Algorithm agreed-up on in handshake
MAC added for authentication
Algorithm, key, agreed-up on in handshake
Passed on to TCP
21
SSL pitfalls
Hard to set up− Expensive certificates− Resource-intensive
Insufficient verification− Do people notice the lock icon?− Do people check the URL?
Improper use
21
22
IPsec Designed as part of IPv6 suite
− One of the key features v6 was supposed to bring
Backported to IPv4 Two options: AH (authentication) and ESP
(encapsulated security) Two modes: transport and tunnel Readable resource
http://www.unixwiz.net/techtips/iguide-ipsec.html
22
23
Transport vs. Tunnel Mode Grand vision: eventually, all IP packets will be
encrypted and authenticated
Transport mode: add headers to IP to do soMay include encryption, authentication, or both
Reality: Most computers don’t support IPsec (more onwhy later)
Tunnel mode: use IPsec between two gateways torelay IP packets through “untrusted cloud”
23
24
Tunnel Mode
H1H2
PP PP PP
24
25
AH - Authentication Simple design: add header with authentication data
− Security parameters− Authentication data : just an HMAC with
shared key to compute Integrity Check Value (ICV)
25
Different of the HMACarchitecture picture
26
AH Header Next hdr is protocol type of the following header AH Length gives size of AH header SPI -- sort of a switch code indicating which set
of security parameters apply Sequence number --- basically a nonce to
prevent replay attacks HMAC field
27
AH diagram
27
HMAC applied onlyto fields in yellow
28
Piggybacking AH on IPv4 The structure allows IPSec logic to
− peel off the AH header, do verification and/ordecoding,
− Modify “length” and “next protocol” fields to be that ofan AH-free IP packet
− Push the packet up the stack with higher levels nonethe wiser that IPSec was present
29
Tunneling in IPSec Change the source and destination addresses
to be the tunnel endpoints IPSec tunnel endpoints strip off AH header, to
authentication and endcoding Original IP packet is part of the payload, just
released into the local network
30
AH in Tunnel Mode
How todetect
tunnel mode
30
Original IPheader
31
ESP - Encapsulated Security Payload
Encapsulate data− Encapsulate datagram rather than add a header− Encrypt & authenticate
Authentication header based only on encapsulation---not Iaddresses---hold that thought---
31
32
ESP diagram
32
Protocol using TCP is Completely hidden
SPI describes encryption
Padding and pad len supportblock encryption
33
Key management
ESP and AH use session keys Sessions are called Security Associations
− Indexed by protocol, IP address, SPI ISAKMP: Internet Security Association Key
Management Protocol− Authenticates parties− Establishes session keys
Authentication− Big global PKI (DNSSEC??)− Manual configuration
33
34
IPsec redux
Deployment of IPsec limited
Some reasons
− Global PKI infrastructure hard to set up− Fixes a “solved” problem
SSL & SSH work well IPsec success: VPNs
− Use tunnel mode of IPsec
34
35
Perimeter Defense
Is it adequate?− Locating and securing all perimeter points is quite
difficult Less effective for large border
− Inspecting/ensuring that remote connections areadequately protected is difficult
− Insiders attack is often the most damaging
36
Virtual Private Networks
A private network that is configured within apublic network
A VPN “appears” to be dedicated network tocustomer
The customer is actually “sharing” trunks andother physical infrastructure with othercustomers
Security?− Depends on implementing protocol
37
Multiple VPN Technologies
SSL• Confidentiality? Yes• Data integrity? Yes• User authentication?
Yes• Network access
control? No• In addition, limited
traffic
IPSec• Confidentiality? Yes• Data Integrity? Yes• User Authentication?
Yes• Network access
control? Yes• Client configuration
required.
VLAN – Layer 2 tunnellingtechnology
• Confidentiality? No• Data Integrity? No• User authentication?
Yes• Network access
control? Yes• Not viable over non-
VLAN internetworks
38
Security Domains with VPNs
39
“Typical” corporate network
Web Server
Mail forwarding
Mail server DNS (internal)
DNS (DMZ)
Internet
File Server
User machinesUser machines
User machines
Web Server
DemilitarizedZone (DMZ)
IntranetFirewall
Firewall
40
VPN using IPSec
40
ESP does theencryption
Difficulty with NATmeans ESP+Auth intunnel mode
Requires VPNgateway---view is atunnel between twotrusted networks
41
VPN using IPSec
42
Firewall Goal
Insert after the fact security by wrapping orinterposing a filter on network traffic
Inside Outside
43
Application Proxy Firewall
Firewall software runs in application space on thefirewall
The traffic source must be aware of the proxyand add an additional header
Leverage basic network stack functionality tosanitize application level traffic− Block java or active X− Filter out “bad” URLs− Ensure well formed protocols or block suspect aspects
of protocol
44
Packet Filter Firewall
Operates at Layer 3 in router or HW firewall Has access to the Layer 3 header and Layer 4
header Can block traffic based on source and destination
address, ports, and protocol Does not reconstruct Layer 4 payload, so cannot
do reliable analysis of layer 4 or higher content
45
Stateful Packet Filters Evolved as packet filters aimed for proxy functionality
In addition to Layer 3 reassembly, it can reconstruct layer 4 traffic
Some application layer analysis exists, e.g., for HTTP, FTP, H.323
− Called context-based access control (CBAC) on IOS
− Configured by fixup command on PIX
Some of this analysis is necessary to enable address translation anddynamic access for negotiated data channels
Reconstruction and analysis can be expensive.
− Must be configured on specified traffic streams
− At a minimum the user must tell the Firewall what kind of traffic toexpect on a port
− Degree of reconstruction varies per platform, e.g. IOS does not do IPreassembly
46
Traffic reconstruction
X Y
FTP: X to YGET /etc/passwd
GET command causes firewall to dynamically
open data channel initiate from Y to X
Might have filter for files to block, like /etc/passwd
47
Access Control Lists (ACLs) Used to define traffic streams
− Bind ACL’s to interface and action
Access Control Entry (ACE) contains
− Source address
− Destination Address
− Protocol, e.g., IP, TCP, UDP, ICMP, GRE
− Source Port
− Destination Port
ACL runtime lookup
− Linear
− N-dimensional tree lookup (PIX Turbo ACL)
− Object Groups
− HW classification assists
48
Ingress and Egress Filtering
Ingress filtering
− Filter out packets from invalid addresses before entering yournetwork
Egress filtering
− Filter out packets from invalid addresses before leaving yournetwork
Inside Outside
Owns network X
Egress FilteringBlock outgoing traffic not sourced from network X
Ingress FilteringBlock incoming traffic from
one of the set of invalid networks
49
Denial of Service
Example attacks− Smurf Attack− TCP SYN Attack− Teardrop
DoS general exploits resource limitations− Denial by Consumption− Denial by Disruption− Denial by Reservation
50
TCP SYN Attack
Exploits the three-way handshake
S D
SYNx LISTEN
SYNy , ACKx+1 SYN_RECIEVED
ACKy+1 CONNECTED
Figure 1. Three-way Handshake
S D
Nonexistent (spoofed) SYN LISTEN
SYN SYN SYN_RECEIVED
SYN+ACK
Figure 2. SYN Flooding Attack
51
TCP SYN Attack Solutions
Intermediate Firewall/Router− Limit number of half open connections
Ingress and egress filtering to reduce spoofedaddresses− Does not help against DDoS bot networks
Reactively block attacking addresses− Generally expensive to acquire technology to do
fast enough Fix Protocol - IPv6
52
Teardrop Attack
Send series of fragments that don't fit together− Poor stack implementations would crash− Early windows stacks
Offset 0, len 60
Offset 30, len 90
Offset 41, len 173
53
Address Translation Traditional NAT RFC 3022 Reference RFC
Map real address to alias address
− Real address associated with physical device, generally anunroutable address
− Alias address generally a routeable associated with thetranslation device
Originally motivated by limited access to publicly routable IPaddresses
− Folks didn’t want to pay for addresses and/or hassle withgetting official addresses
54
Address Translation Later folks said this also added security
− By hiding structure of internal network
− Obscuring access to internal machines
Adds complexity to firewall technology
− Must dig around in data stream to rewrite references to IPaddresses and ports
− Limits how quickly new protocols can be firewalled
55
Address Hiding (NAPT) NAPT = Network Address Port Translation
Many to few dynamic mapping
− Packets from a large pool of private addresses aremapped to a small pool of public addresses at runtime
Port remapping makes this sharing morescalable
− Two real addresses can be rewritten to the same aliasaddress
− Rewrite the source port to differentiate the streams
Traffic must be initiated from “inside”, e.g. theprivate address
56
NAT example
EnforcingDevice
192.168.1.0/24128.128.1.0/26
10.10.10.0/24
Internet
Hide from inside to outside192.168.1.0/24 behind 128.274.1.1
Static map from inside to DMZ192.168.1.5 to 128.274.1.5
inside
DMZ
outside
Src=192.168.1.1Dst=microsoft.com
Src=128.274.1.1Dst=microsoft.com
57
Static Mapping
One-to-one fixed mapping− One real address is mapped to one alias address at
configuration time− Traffic can be initiated from either side
Used to statically map out small set of serversfrom a network that is otherwise hidden
Static port remapping is also available
58
NAT example
EnforcingDevice
192.168.1.0/24128.128.1.0/26
10.10.10.0/24
Internet
Hide from inside to outside192.168.1.0/24 behind 128.274.1.1
Static map from inside to DMZ192.168.1.5 to 128.274.1.5
inside
DMZ
outside
Src=192.168.1.5Dst=10.10.10.1
Src=128.274.1.5Dst=10.10.10.1
192.168.1.5
128.274.15
59
NAT and IPSec AH don’t mix Recall the diagram illustrating the fields covered by AH AH header created at the sender, src/dest IP
addresses changed by NAT
60
FW Runtime Characteristics
Firewalls track streams of traffic
− TCP streams are obvious
− Creates pseudo UDP streams for UCP packets betweenthe same addresses and ports that arrive near enough toeach other
Processing first packet in stream is moreexpensive
− Must evaluate ACLs and calculate address translations
− Subsequent packets get session data from a table
61
Multi-legged Firewalls Historically firewalls have protected inside from outside
− Still true for the most part with personal and home firewalls
− No longer sufficient for larger enterprises
PIX security level solution
− Outbound = traffic from low security level interface to high securitylevel interface
− Inbound = traffic from high security level interface to low securitylevel interface
− Different requirements for inbound and outbound traffic
IOS divides interfaces into inside and outside groups
− Address translation can only be defined between inside and outsidegroups
Routing conflicts with address translation
− Address translation specifies both interfaces
− Must be evaluated before the routing, better be consistent
62
Four Legged FW
Static translation from DMZ to Customer
− 10.10.10.10.1 to 128.1.1.1
But routing table wants to route 128.1.1.1 from DMZ to outside interface
− Static translation interface selection will winEnforcingDevice192.168.1.1
10.10.10.0/24
Internet
InsideSL=100
DMZSL=50
OutsideSL=0
10.10.20.0/2410.10.30.0/24
PartnerSL=75
CustomerSL=25
63
Identity Aware Firewall Use TACACS+ or Radius to authenticate,
authorize, account for user with respect to FW− For administration of FW
− For traffic passing through FW
PIX cut-through proxy allows authentication on oneprotocol to cover other protocols from same source
Authorization for executing commands on thedevice
Download or enable ACL’s
XAuth to integrate AAA with VPN authenticationand other security mechanisms
64
AAA Scenario
X Y
outside Inside
TACACS or RadiusAAA Server
Traffic from X must be authenticated via HTTP
User Joe should use ACL EngAccess
65
Is the Firewall Dead? End-to-end security (encryption) renders firewalls useless
− Tunnels hide information that firewalls would filter or sanitize
− With IPSec decrypting and re-encrypting is viable
Blurring security domain perimeters
− Who are you protecting from whom
− Dynamic entities due to DHCP and laptops
− More dynamic business arrangements, short termpartnerships, outsourcing
Total Cost of Ownership (TCO) is too high
− Managing firewalls for a large network is expensive
Perhaps personal or distributed firewalls are the answer?
− “Implementing a Distributed Firewall”http://www1.cs.columbia.edu/~angelos/Papers/df.pdf
66
Intrusion Detection Holy Grail: Detect and correct “bad” system
behavior
Detection can be viewed in two parts
− Anomaly detection: Use statistical techniques todetermine unusual behavior
− Mis-use detection: Use signatures to determineoccurrence of known attacks
Detection can be performed on host data (HIDS),network data (NIDS), or a hybrid of both
67
Intrusion Handling Preparation for attack
Identification of the attack
Containment of the attack
− Gather information about the attacker
− Honeypots
Eradication
− Broadly quarantine the system so it can do no more harm
− BGP blackholing
− Tighten firewalls
− Cleanse the corrupted system
Followup phase
− Gather evidence and take action against the attacker
68
Honey Pots
Reconnaissance for the good guys Deploy a fake system
− Observe it being attacked Resource management
− Cannot be completely passive Must provide enough information to keep attacker
interested− Must ensure that bait does not run away
Scale− Host, network, dark address space
69
IDS Architecture
Agents run at the lowest level gathering data. Performsome basic processing.
Agents send data to a Director that performs moresignificant processing of the data. Potentially there is ahierarchy of agents and directors
− Director has information from multiple sources and canperform a time-based correlation to derive more significantactions
Directors invoke Notifiers to perform some action inresponse to a detected attack
− Popup a window on a screen
− Send an email or a page
− Send a new syslog message elsewhere.
− Adjust a firewall or some other policy to block future actionfrom the attacker
70
Data Sources
Direct data− Network packets− System calls
Indirect data− Syslog data, Windows event logs− Events from other intrusion detection systems− Netflow information generated by routers about
network traffic
71
Mis-use/Signature Detection
Fixed signatures are used in most deployed IDS products
− E.g., Cisco, ISS, Snort
Like virus scanners, part of the value of the product is the team ofpeople producing new signatures for newly observed malevolentbehavior
The static signature mechanism has obvious problems in that adedicated attacker can adjust his behaviour to avoid matching thesignature.
The volume of signatures can result in many false positives
− Must tune the IDS to match the characteristics of your network
− E.g., what might be unusual in a network of Unix systemsmight be normal in a network of Windows Systems (or visaversa)
− Can result in IDS tuned too low to miss real events
− Can hide real attacks in the mass of false positives
72
Example Signature
Signature for port sweep− A set of TCP packets attempting to connect to a
sequence of ports on the same device in a fixedamount of time
In some environments, the admin might runnmap periodically to get an inventory of what ison the network− You would not want to activate this signature in that
case
73
Anomaly/statistical detection
Seems like using statistics will result in a more adaptableand self-tuning system
− Statistics, neural networks, data mining, etc.
How do you characterize normal?
− Create training data from observing “good” runs
E.g., Forrest’s program system call analysis
− Use visualization to rely on your eyes
How do you adjust to real changes in behaviour?
− Gradual changes can be easily addressed. Gradually adjustexpected changes over time
− Rapid changes can occur. E.g., different behaviour after workhours or changing to a work on the next project
74
Host Based IDS
Tripwire – Very basic detection of changes toinstalled binaries
More recent HIDS. Look at patterns of actionsof system calls, file activity, etc. to permit, deny,or query operations− Cisco Security Agent− Symantec− McAfee Entercept
75
Classical NIDS deployment
NIDS Agent
Outside Inside
Management
Promiscuous Interface
NIDS Director
76
NIDS Remediation Options
Log the event Drop the connection Reset the connection Change the configuration of a nearby router or
firewall to block future connections
77
Intrusion Protection Systems (IPS) Another name for inline NIDS
Latest buzz among the current NIDS vendors
Requires very fast signature handling− Slow signature handling will not only miss attacks but it
will also cause the delay of valid traffic
− Specialized hardware required for high volume gateways
When IDS is inline, the intrusion detector cantake direct steps to remediate.
If you move IDS into the network processingpath, how is this different from really cleverfirewalling?
78
Summary
Identification of security domains basis ofperimeter security control− Firewall is the main enforcer
Intrusion detection introduces deeper analysisand potential for more dynamic enforcement
Intermediate enforcement can handle someDenial of Service attacks