An Overview of Network Security
Vern Paxson
International Computer Science Institute / Lawrence Berkeley National Laboratory / EECS, UC Berkeley
vern@icsi.berkeley.edu, vern@ee.lbl.gov
April 18, 2006

Network Security Themes
- Much of the field has evolved in an ad hoc manner
- Security is about policy, not about "bullet-proofing"
  - Threat model: what you are defending against
  - Much of the effort concerns "raising the bar" and trading off resources
  - E.g., UCB: SB1386 (personal identity information disclosure)
  - E.g., LBL: embarrassing newspaper articles, DC
- Networks connect disparate parties
  - They have different notions of policy and threat models
  - Crucial to keep in mind domains of trust / responsibility / control
  - Many will not cooperate unless it's in their business interest

Network Security Themes, con't
- Network use is always more diverse than you expect
  - Zillions of applications/services
  - Rife with weird, broken traffic ("crud")
  - Rife with "background radiation": incessant probing for vulnerabilities
  - Breadth of diversity increases with size of user base
  - Exacerbates the problem of false positives
- The problem is fundamentally adversarial
  - This can radically change system design considerations (but keep in mind "raising the bar" and threat model vs. bullet-proofing)
- Major challenge of manageability
  - Complex policies, churn, false positives, zillions of devices, bolt-on mechanisms, innovating attackers = HUGE challenges

Security Dimensions
- General notion: network security = ensuring that a network is used as desired/intended
- Authentication: who is this actor?
  - Attacker counterpart: spoofing
- Authorization: is this actor allowed to do what they request?
  - Attacker counterparts: compromise, theft of service
- Integrity: does a message arrive in its original form?
  - Protections are cryptographic (not discussed today)
  - Attacker counterpart: man-in-the-middle
- Confidentiality: is communication free from eavesdropping?
  - Same cryptographic protections (not discussed today)
  - Attacker counterpart: sniffing

Security Dimensions, con't
- Availability: can you use the network / a service when you want to?
  - Attacker counterpart: Denial of Service (DoS)
- Accountability / Attribution: who did this activity?
  - Attacker counterpart: framing (not discussed today)
- Audit / forensics: what occurred in the past?
- Abuse: misuse that doesn't violate the rules (e.g., spam)

Who Are The Bad Guys? Historically
- Vandals / juveniles
  - In it for showing off, kicks
  - Historically hugely derivative ("script kiddies") with slow pace of innovation
  - Historically very prevalent in over-the-network attacks, viruses
  - Often can catch break-ins because they set up IRC servers
- Insiders
  - Already have some form of site access
  - Historically under-reported
  - Threat includes exfiltration of sensitive information
  - Powerful, feared

Who Are The Bad Guys? Today
- Not terrorists, political protesters
- Espionage: theft of information for commercial/national gain
  - Very hard to gauge, but clearly an area of activity
- Militaries
  - Our study of a worst-case worm attack launched by a nation-state yielded defensible $50B damages
- Crooks
  - Very worrisome trend in attackers figuring out how to make money with network attacks
  - Fuels innovation and specialization, driving an economy

Authentication: Who is this Actor?
- Notion is absent from Internet architecture
  - It ensures that packets go to their destination addresses, but not that they came from their source addresses
- Yet, absent an alternative, much authorization is based on source address
- What can an attacker achieve by spoofing a source address?
  - Denial-of-service floods that can't be attributed to the machine sending them and can't be filtered based on their source
  - Impersonation of other machines
    - Tear down established connections via TCP RSTs
    - Establish connections if can guess TCP Initial Sequence Number
  - Devious stealth scanning that looks like it comes from someone else
  - ... and might even be able to pick up replies sent back to the spoofed source if can monitor some of the site's traffic

Authentication, con't
- Defense: deploy network filters that discard packets coming from topologically impossible addresses
  - E.g., LBL border router: discards outbound packets w/ sources not in 128.3/16 or 131.243/16; discards inbound packets w/ these sources
  - Note: doesn't prevent spoofing inside the site
  - Note: doesn't prevent external hosts spoofing non-internal (non-LBL) sources
  - Such filtering is fairly widely (but not globally) deployed
- Even if operating within a filtered site, attacker can still hide by spoofing other addresses within the site
- Defenses against spoofing TCP sequence numbers
  - Randomize initial sequence numbers
  - Require tight agreement for RST sequence numbers
  - Principle: ensure a large search space

Social Engineering: Confusing Humans Regarding Authentication
- Attacks on DNS names
  - E.g., register www.gooogle.com. Now passively wait for someone to mistype and feed them whatever fake Google experience you wish
- Attacks on DNS reverse lookups
  - E.g., you receive a packet from 1.2.3.4. Who is that? If you look up the corresponding hostname, you really are querying 4.3.2.1.in-addr.arpa
  - Whoever controls the corresponding name server can return whatever they like
  - Suppose this name server is at 1.2.3.10 and an attacker has compromised both 1.2.3.4 and 1.2.3.10. Then the answer returned might well be www.google.com

Social Engineering, con't
- Powerful technique for targeted attacks
  - E.g., find out the name and mailstop of one of a company's system administrators. Mail out a CD of a trojaned system image to a company employee with a note that it contains an important security update. Employee trusts the source of the update, applies it, and now you have a backdoor of arbitrary design into the company
  - Attacks like this are well known to often work
- More generally, the very big problem of phishing is an instance of ongoing social engineering attacks
  - General defense: user education
  - Phishing-specific defenses: active area for startups

Authorization: Is This Actor Allowed To Do What They Request?
- Much authorization is based on looking up identity in an access control list (ACL)
  - Can allow/disallow traffic based on IP addresses ("white lists" and "black lists")
  - Can allow/disallow traffic based on TCP/UDP port numbers
  - Latter assumes one can determine the service associated with a connection from the port number used by the server
- Hence strength hinges on strength of
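The LBL border-router rule from the Authentication slides, worked through as an added example (my code, not Paxson's): the egress/ingress filter applied to constructed packets, including the two caveats the slides note. The prefixes 128.3/16 and 131.243/16 come from the slides; every packet and every other address below is constructed.

```python
# Added example (not from the slides): anti-spoofing filter modelled on the
# LBL border-router rule, plus the two limitations the slides point out.
import ipaddress
from dataclasses import dataclass

# Internal prefixes named on the slides.
INTERNAL = [ipaddress.ip_network("128.3.0.0/16"),
            ipaddress.ip_network("131.243.0.0/16")]

@dataclass
class Packet:
    src: str
    dst: str
    direction: str  # "out" = leaving the site, "in" = arriving from the Internet

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def border_filter(pkt):
    """Return 'forward' or 'drop'.
    Egress rule: outbound packets must carry an internal source.
    Ingress rule: inbound packets must not carry an internal source."""
    internal_src = is_internal(pkt.src)
    if pkt.direction == "out":
        return "forward" if internal_src else "drop"
    if pkt.direction == "in":
        return "drop" if internal_src else "forward"
    raise ValueError("direction must be 'in' or 'out'")

def demo():
    """Run constructed packets through the filter; return the decisions."""
    cases = {
        # spoofed non-LBL source leaving the site: caught by the egress rule
        "out_spoof_external": Packet("10.9.8.7", "203.0.113.5", "out"),
        # external host claiming an LBL source: caught by the ingress rule
        "in_spoof_internal": Packet("131.243.1.1", "128.3.2.2", "in"),
        # caveat 1: an inside host spoofing another *internal* address passes
        "out_spoof_internal": Packet("128.3.250.250", "203.0.113.5", "out"),
        # caveat 2: an external host spoofing a non-LBL address passes;
        # the router cannot distinguish it from a genuine packet
        "in_spoof_noninternal": Packet("198.51.100.9", "128.3.2.2", "in"),
        "out_legit": Packet("128.3.2.2", "203.0.113.5", "out"),
    }
    return {name: border_filter(p) for name, p in cases.items()}

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} {decision}")
```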
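For the reverse-lookup attack on the Social Engineering slide, an added example (not from the slides) of the check a receiver would want before trusting a PTR answer: the name's own forward (A) record must map back to the address. The lookup tables are constructed to reproduce the slides' scenario of an attacker controlling both 1.2.3.4 and the reverse-zone server at 1.2.3.10; 192.0.2.x and host.example.net are placeholders.

```python
# Added example (not from the slides): forward-confirmed reverse DNS.
# Lookup tables are constructed to model the slides' scenario, in which an
# attacker controls both 1.2.3.4 and the reverse-zone server at 1.2.3.10.
import ipaddress

def reverse_name(addr):
    """Name actually queried for a PTR lookup of addr, e.g. 4.3.2.1.in-addr.arpa."""
    return ipaddress.ip_address(addr).reverse_pointer

# PTR answers: what the reverse-zone servers return. The 1.2.3.x entry is
# the attacker's server at 1.2.3.10 answering; 192.0.2.80 is a constructed
# honest host.
PTR_TABLE = {
    "4.3.2.1.in-addr.arpa": "www.google.com",       # the lie from 1.2.3.10
    "80.2.0.192.in-addr.arpa": "host.example.net",  # constructed honest PTR
}
# A answers: what each name's *own* forward zone says about it. The attacker
# controls the 1.2.3.x reverse zone but not google.com's forward zone.
A_TABLE = {
    "www.google.com": {"192.0.2.10"},    # constructed placeholder address
    "host.example.net": {"192.0.2.80"},
}

def ptr_lookup(addr):
    return PTR_TABLE.get(reverse_name(addr))

def a_lookup(name):
    return A_TABLE.get(name, set())

def identify(addr):
    """Return (claimed_name, confirmed).

    The PTR answer is marked confirmed only when the forward lookup of the
    returned name contains addr. An unconfirmed name deserves no more trust
    than the bare address it came from."""
    name = ptr_lookup(addr)
    if name is None:
        return None, False
    return name, addr in a_lookup(name)

if __name__ == "__main__":
    for ip in ("1.2.3.4", "192.0.2.80", "198.51.100.1"):
        print(ip, identify(ip))
```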