
6.857 Lecture: Network Security
November 15, 2005

Readings:

• In this lecture:
  • The layered model; vulnerabilities at each layer
  • Network security standards: certificates, SSL/TLS, IPsec, IKE
  • Firewalls

1 The Layered Model

Recall from 6.033 that networks are abstracted into a “layered model,” where each layer provides an abstract interface that can be stacked on top of many different types of lower layers. Using a coarse separation, these layers can be described as the following (from lowest- to highest-level):

1. Link or “media access control” (MAC) layer; e.g., ethernet, token ring, wireless
2. Network layer; e.g., Internet Protocol (IP)
3. Transport layer; e.g., Transmission Control Protocol (TCP), Universal Datagram Protocol (UDP)
4. End-to-end or application layer; e.g., SSH, HTTP

We will briefly review the function of each layer, and talk about the vulnerabilities that should be addressed when building a secure system.

1.1 Link layer

The link layer is responsible for moving bits from one place to another over a single link. This link is usually a physical medium, and hence of an analog nature. Ethernet, for example, specifies how bits should be encoded as voltages on a wire, and how to deal with collisions (more than one link endpoint attempting to send at the same time).

The security of the link layer is usually a question of physical security of the actual link medium: can an ethernet wire be cut or spliced? Can wireless frequencies be jammed? How easy is it to become a link endpoint? What are the consequences of using a broadcast link versus pairwise links?

One example of a security exploit at the link layer is a packet sniffer on an Ethernet network. Ethernet is a broadcast medium, so any host on the network can in principle see all the packets sent and received over the wire. Packet sniffing software (e.g., ethereal) puts the Ethernet card in “promiscuous mode,” which causes the card to report every packet to the operating system. This can be used to eavesdrop on any data that is sent in the clear, which may include passwords, email traffic, web pages, or other sensitive information. (Packet sniffers are also used for many legitimate reasons, such as debugging network software.) Packet sniffing can also be done on wireless networks, which can be even easier to listen in on, given that there is no need to physically “plug in” to a network port.

1.2 Network layer

The network layer is responsible solely for moving packets of data from one location to another, where the locations may be spanned by several links. Therefore the network layer is concerned chiefly with examining the addresses of the endpoints, and routing packets over several links in an attempt to deliver a packet to its destination address. It does not provide any guarantees about delivery, acknowledgement of receipt, etc.

The security of the network layer is generally a question of the security of the addressing and routing system: can routers be accidentally or maliciously misconfigured? Can a source address be spoofed? Can the address-lookup procedure be compromised?

In IP, an attack called “IP spoofing” is very easy. It stems from the fact that routers are usually only concerned with delivering a packet to its destination; they typically don’t look at the source IP address in the packet header. A malicious source host can therefore declare any IP address, the router will deliver the packet, and the destination host will believe that it came from the spoofed source.

It’s not immediately clear why this attack is useful — after all, if the destination host replies to the declared source address, the attacker will probably not receive that reply. However, in many applications there may be subtle security flaws if one incorrectly assumes that the source address in the IP header is correct (we’ll see one example below).

IP spoofing must be prevented near the source, and largely depends on networks acting as “good neighbors.” Routers at the border of a network should check that the source IP address of each outgoing packet belongs to the router’s internal network. This prevents spoofing attacks from originating from within the router’s network, but it doesn’t do anything to prevent attacks from outside. Also, the router can check that the source address of each incoming packet is not from its internal network. This might filter out a few attacks coming from outside the router’s network, but it cannot stop all of them (spoofed addresses can still be from outside the attacked network).

[maybe BGP security, maybe DNS poisoning]

1.3 Transport layer

The transport layer is responsible for providing some guarantees about a communication stream between two systems on the network. Such guarantees might be: packets are received in the order in which they are sent, delivery of every packet will be attempted until it is received, packets will be acknowledged when they are delivered, etc. TCP provides guarantees like these.

The transport layer can contain a lot of complexity, and hence it may be difficult to reason about its security. For example, the transport layer might need to guard against “session hijacking,” in which an attacker inserts well-crafted bad packets into a connection, causing the bogus packets to be accepted and the legitimate ones to be ignored.

Here is a well-known attack that exploits both the network and transport layers, called a “SYN flood.” First, some background: every TCP session starts off with a “handshake” protocol, to ensure that both sides of the connection can access each other. The handshake goes as follows:

1. Client sends Server a SYN message.
2. Server sends Client a SYN-ACK message.
3. Client responds with an ACK message.
4. Client and Server exchange service-specific data.

A basic SYN attack works as follows: a client sends a SYN message, the server replies with SYN-ACK, but the client never responds. At this point the connection is “half-open,” because it is open from the server’s point of view, and the server will not time out the connection for several seconds. The server maintains in its memory a data structure describing the set of all open connections, and this structure is of a finite size. The attack consists of flooding the server with thousands of SYN messages, causing the data structure to overflow (potentially crashing the machine) or leaving the server unable to respond to any legitimate new TCP connections when the set fills up.

As the attack has been described so far, there is
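The two border-router source-address checks from the network layer section above (section 1.2), written out as an added Python example that is not part of the lecture notes. The internal prefixes and the packets are constructed; the last sample packet illustrates the notes' caveat that an external source address passes the ingress check even though the router cannot verify it.

```python
import ipaddress
from dataclasses import dataclass

# Constructed prefixes standing in for the border router's internal network (an assumption).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]


@dataclass(frozen=True)
class Packet:
    direction: str   # "out": leaving the internal network; "in": arriving from outside
    src: str
    dst: str


def is_internal(addr: str, nets=INTERNAL_NETS) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def border_filter(pkt: Packet, nets=INTERNAL_NETS) -> tuple[str, str]:
    """Decide the fate of one packet crossing the border router; returns (verdict, reason)."""
    if pkt.direction == "out":
        # Egress check: an outgoing packet must carry one of our own source addresses.
        if not is_internal(pkt.src, nets):
            return "drop", "outgoing source is not internal: spoof originating inside"
        return "accept", "outgoing source belongs to the internal network"
    if pkt.direction == "in":
        # Ingress check: an incoming packet may not claim one of our addresses.
        if is_internal(pkt.src, nets):
            return "drop", "incoming source claims an internal address: spoof from outside"
        # Caveat from the notes: an external source may still be spoofed (some other
        # network's address); this router has no way to tell, so it must accept.
        return "accept", "incoming source is external; authenticity not verifiable here"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def filter_traffic(packets):
    """Apply the border filter to a batch; returns (accepted packets, [(packet, reason)] dropped)."""
    accepted, drops = [], []
    for pkt in packets:
        verdict, reason = border_filter(pkt)
        (accepted.append(pkt) if verdict == "accept" else drops.append((pkt, reason)))
    return accepted, drops


# Constructed traffic sample using TEST-NET addresses, not real hosts.
SAMPLE = [
    Packet("out", "10.1.2.3", "203.0.113.9"),      # legitimate outbound packet
    Packet("out", "198.51.100.4", "203.0.113.9"),  # inside host spoofing an outside address
    Packet("in", "10.1.2.3", "10.0.0.5"),          # outside host spoofing one of our addresses
    Packet("in", "198.51.100.4", "10.0.0.5"),      # external source; genuine or spoofed, unknowable
]
```

Running `filter_traffic(SAMPLE)` drops the two spoofed packets and accepts the other two, including the external one whose source the router cannot vouch for.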
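A small model of the server's half-open connection table from the SYN flood discussion above, added here as an example rather than taken from the lecture. It shows the failure mode the notes describe: the table is finite, entries are only reclaimed after a timeout of several seconds, and a burst of SYNs whose sources never answer leaves a legitimate client unable to connect until the entries expire. Capacity, timeout and the event traces are constructed values.

```python
from collections import OrderedDict


class HalfOpenTable:
    """Model of a server's finite table of half-open TCP connections (constructed example)."""

    def __init__(self, capacity: int, timeout: float):
        self.capacity = capacity          # max half-open entries the server can hold
        self.timeout = timeout            # seconds before an unanswered SYN-ACK is dropped
        self.pending = OrderedDict()      # (src_ip, src_port) -> time the SYN-ACK was sent
        self.established = 0
        self.rejected = []                # SYNs the server could not answer: table was full

    def _expire(self, now: float) -> None:
        # Reclaim entries whose SYN-ACK has gone unanswered for longer than the timeout.
        for key, sent_at in list(self.pending.items()):
            if now - sent_at > self.timeout:
                del self.pending[key]

    def on_syn(self, src: str, sport: int, now: float) -> bool:
        self._expire(now)
        if len(self.pending) >= self.capacity:
            self.rejected.append((src, sport, now))
            return False                  # no room: the server cannot reply with SYN-ACK
        self.pending[(src, sport)] = now  # server sends SYN-ACK and waits for the ACK
        return True

    def on_ack(self, src: str, sport: int, now: float) -> bool:
        if self.pending.pop((src, sport), None) is None:
            return False                  # ACK for a connection we are not waiting on
        self.established += 1
        return True


def replay(events, capacity: int = 64, timeout: float = 5.0) -> HalfOpenTable:
    """Feed a trace of ("SYN"|"ACK", src_ip, src_port, time) events to a fresh table."""
    table = HalfOpenTable(capacity, timeout)
    for kind, src, sport, t in events:
        (table.on_syn if kind == "SYN" else table.on_ack)(src, sport, t)
    return table


# Constructed traces (TEST-NET addresses). FLOOD: 100 SYNs within 0.1 s whose sources never
# answer. LEGIT: a real client completing the handshake at t = 1.0 s; LATE: same client at 6.0 s.
FLOOD = [("SYN", f"203.0.113.{i % 250}", 40000 + i, 0.001 * i) for i in range(100)]
LEGIT = [("SYN", "198.51.100.7", 51000, 1.0), ("ACK", "198.51.100.7", 51000, 1.05)]
LATE = [("SYN", "198.51.100.7", 51000, 6.0), ("ACK", "198.51.100.7", 51000, 6.05)]
```

`replay(FLOOD + LEGIT)` leaves 64 half-open entries and zero established connections, with the legitimate SYN among the rejected ones; `replay(FLOOD + LATE)` succeeds because the flood entries have timed out by t = 6.0 s.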

