15-744: Computer NetworkingSecurityOverviewBasic IPDenial of ServiceBandwidth DOS AttacksRoutingSlide 8ICMPTCPSequence Number Guessing AttackSlide 12DNSSlide 14FirewallsTypical Firewall TopologyTypes of FirewallsSlide 18Slide 19Slide 20Slide 21IP TracebackSlide 23Edge SamplingSlide 25Trusted IntermediariesKey Distribution Center (KDC)Slide 28KerberosSlide 30Slide 31Certification AuthoritiesSlide 33Certificate ContentsSecure Sockets Layer (SSL)SSL (continued)Next Lecture: QOS & IntServ15-744: Computer NetworkingL-17 SecurityL -17; 11-6-02© Srinivasan Seshan, 2002 2Security•Denial of service•IPSec•Firewalls•Assigned reading•[SWKA00] Practical Network Support for IP Traceback•[B89] Security Problems in the TCP/IP Protocol SuiteL -17; 11-6-02© Srinivasan Seshan, 2002 3Overview•Security holes•Firewalls•Denial of service traceback•AuthenticationL -17; 11-6-02© Srinivasan Seshan, 2002 4Basic IP•End hosts create IP packets and routers process them purely based on destination address alone (not quite in reality)•Problem – End host may lie about other fields and not affect delivery•Source address – host may trick destination into believing that packet is from trusted source•Many applications use IP address as a simple authentication method•Solution – reverse path forwarding checks, better authentication•Fragmentation – can consume memory resources or otherwise trick destination/firewalls•Solution – disallow fragmentsL -17; 11-6-02© Srinivasan Seshan, 2002 5Denial of Service•Objective of attack: make a service unusable, usually by overloading the server or network•Example: SYN flooding attack•Send SYN packets with bogus source address•Server responds with SYNACK keeps state about TCP half-open connection•Eventually server memory is exhausted with this state•Solution: SYN cookies – make the SYNACK contents purely a function of SYN contents, therefore, it can be recomputed on reception of next ACK•More recent attacks have used bandwidth floods•How do we stop these?L -17; 11-6-02© Srinivasan Seshan, 2002 6Bandwidth DOS Attacks•Possible solutions•Ingress filtering – examine packets to identify bogus source addresses•Link testing – how routers either explicitly identify which hops are involved in attack or use controlled flooding and a network map to perturb attack traffic•Logging – log packets at key routers and post-process to identify attacker’s path•ICMP traceback – sample occasional packets and copy path info into special ICMP messages•IP tracebackL -17; 11-6-02© Srinivasan Seshan, 2002 7Routing•Source routing•Destinations are expected to reverse source route for replies•Problem – Can force packets to be routed through convenient monitoring point •Solution – Disallow source routing – doesn’t work well anyway!L -17; 11-6-02© Srinivasan Seshan, 2002 8Routing•Routing protocol•Malicious hosts may advertise routes into network•Problem – Bogus routes may enable host to monitor traffic or deny service to others•Solutions•Use policy mechanisms to only accept routes from or to certain networks/entities•In link state routing, can use something like source routing to force packets onto valid route•Routing registries and certificatesL -17; 11-6-02© Srinivasan Seshan, 2002 9ICMP•Reports errors and other conditions from network to end hosts•End hosts take actions to respond to error•Problem•An entity can easily forge a variety of ICMP error messages•Redirect – informs end-hosts that it should be using different first hop route•Fragmentation – can confuse path MTU discovery•Destination unreachable – can cause transport connections to be droppedL -17; 11-6-02© Srinivasan Seshan, 2002 10TCP•Each TCP connection has an agreed upon/negotiated set of associated state•Starting sequence numbers, port numbers•Knowing these parameters is sometimes used to provide some sense of security•Problem•Easy to guess these values•Listening ports #’s are well known and connecting port #’s are typically allocated sequentially•Starting sequence number are chosen in predictable way•Solution – make sequence number selection more randomL -17; 11-6-02© Srinivasan Seshan, 2002 11Sequence Number Guessing AttackAttacker Victim: SYN(ISNx), SRC=Trusted HostVictim Trusted Host: SYN(ISNs), ACK(ISNx)Attacker Victim: ACK(ISNguess of s), SRC=Trusted HostAttacker Victim: ACK(ISNguess of s), SRC=T, data = “rm -r /”•Attacker must also make sure that Trusted Host does not respond to SYNACK•Can repeat until guess is accurateL -17; 11-6-02© Srinivasan Seshan, 2002 12TCP•TCP senders assume that receivers behave in certain ways (e.g. when they send acks, etc.)•Congestion control is typically done on a “packet” basis while the rest of TCP is based on bytes•Problem – misbehaving receiver can trick sender into ignoring congestion control•Ack every byte in packet!•Send extra duplicate acks•Ack before the data is received (needs some application level retransmission – e.g. HTTP 1.1 range requests)•Solutions•Make congestion control byte oriented•Add nonces to packets – acks return nonce to truly indicate receptionL -17; 11-6-02© Srinivasan Seshan, 2002 13DNS•Users/hosts typically trust the host-address mapping provided by DNS•Problems •Zone transfers can provide useful list of target hosts•Interception of requests or comprise of DNS servers can result in bogus responses•Solution – authenticated requests/responsesL -17; 11-6-02© Srinivasan Seshan, 2002 14Overview•Security holes•Firewalls•Denial of service traceback•AuthenticationL -17; 11-6-02© Srinivasan Seshan, 2002 15Firewalls•Basic problem – many network applications and protocols have security problems that are fixed over time•Difficult for users to keep up with changes and keep host secure•Solution•Administrators limit access to end hosts by using a firewall•Firewall and limited number of machines at site are kept up-to-date by administratorsL -17; 11-6-02© Srinivasan Seshan, 2002 16Typical Firewall TopologyIntranetDMZInternetFirewallFirewallWeb server, email server, web proxy, etcL -17; 11-6-02© Srinivasan Seshan, 2002 17Types of Firewalls•Proxy•End host connects to proxy and asks it to perform actions on its behalf•Policy determines if action is secure or insecure•Transport level relays (SOCKS)•Ask proxy to create, accept TCP (or
View Full Document
Unlocking...