CS 155
Firewall
Packet filter (stateless, stateful), application-layer proxies
Intrusion detection
Anomaly and misuse detection
Last lecture
Basic network protocols
TCP/IP
No source authentication: can't tell where a packet is from
Packet sniffing
Connection spoofing, sequence numbers
[Figure: layered protocol stack on two hosts. Application (application protocol) over Transport (TCP protocol) over Network (IP protocol) over Link (data link / network access); each layer exchanges its own protocol with the peer layer on the other host.]
Key management
[Figure: signed Diffie-Hellman key exchange. A -> B: A, (g^a mod p), message m1. B -> A: B, (g^b mod p), sign_B(m1, m2), message m2. A -> B: sign_A(m1, m2).]
Link-layer connectivity
Link Layer
802.11i Protocol
[Figure: 802.11i state machines for the Supplicant, the Authenticator and the Authentication Server (RADIUS). Supplicant and Authenticator each move from UnAuth/UnAssoc to Auth/Assoc, from 802.1X Blocked to 802.1X UnBlocked, and from No Key to New PTK/GTK. Key material: the MSK is produced at the Supplicant and the Authentication Server, the PMK is delivered to the Authenticator, the PTK and GTK are established last. Phases, in order: 802.11 Association; EAP/802.1X/RADIUS Authentication (yields MSK, then PMK); 4-Way Handshake (PTK); Group Key Handshake (GTK); Data Communication. The 802.1X port stays blocked until the handshakes complete.]
TCP/IP connectivity
Credit: Checkpoint
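The 4-way handshake in the figure, as an added example (not code from the slides or from Checkpoint): both sides derive the PTK from the PMK, the two MAC addresses and the two nonces, and the MIC on message 2 is what lets the authenticator tell a station that holds the PMK from one that does not. To keep it self-contained the PMK comes from a WPA2-Personal pre-shared key instead of the EAP/RADIUS MSK in the figure; the SSID, passphrase, addresses and nonces are made up.

```python
import hashlib
import hmac

# Added example, not code from the CS 155 slides. The PRF, the PTK layout and the
# EAPOL-Key MIC follow the public 802.11i definitions; the SSID, passphrase, MAC
# addresses and nonces are constructed test values.


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    With 802.1X/EAP the PMK is instead taken from the MSK that the RADIUS server produced."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, addr1: bytes, addr2: bytes, nonce1: bytes, nonce2: bytes) -> dict:
    """4-way handshake key derivation for CCMP (384-bit PTK):
    PTK = PRF(PMK, "Pairwise key expansion",
              min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    The min/max ordering lets both sides compute the same input whichever role they play."""
    data = min(addr1, addr2) + max(addr1, addr2) + min(nonce1, nonce2) + max(nonce1, nonce2)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    # key confirmation key, key encryption key (wraps the GTK), temporal key (data traffic)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, frame: bytes, mic_offset: int) -> bytes:
    """EAPOL-Key MIC (key descriptor version 2): HMAC-SHA1 over the frame with the
    16-byte MIC field zeroed, truncated to 16 bytes."""
    zeroed = frame[:mic_offset] + bytes(16) + frame[mic_offset + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, kck: bytes) -> bytes:
    """Stand-in for handshake message 2: a constructed 2-byte header, the SNonce, then the MIC.
    Message 1 (ANonce) carries no MIC because no key exists yet."""
    body = b"\x02\x03" + snonce
    return body + eapol_mic(kck, body + bytes(16), len(body))


def verify_msg2(frame: bytes, kck: bytes) -> bool:
    mic_offset = len(frame) - 16
    return hmac.compare_digest(frame[mic_offset:], eapol_mic(kck, frame, mic_offset))


def run_handshake(attacker: bool = False) -> dict:
    """Supplicant and authenticator each derive the PTK from their own view; the MIC on
    message 2 proves the supplicant holds the PMK. With attacker=True the supplicant side
    is someone who does not know the passphrase."""
    ssid, passphrase = "cs155-lab", "correct horse battery"                  # constructed
    aa, spa = bytes.fromhex("000c29aabbcc"), bytes.fromhex("001122334455")   # AP / station MACs, constructed
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))                  # fixed so the run is repeatable
    pmk = pmk_from_psk(passphrase, ssid)
    sup_pmk = pmk_from_psk("wrong passphrase", ssid) if attacker else pmk
    sup = derive_ptk(sup_pmk, spa, aa, snonce, anonce)          # supplicant's view, own address first
    msg2 = build_msg2(snonce, sup["kck"])
    auth = derive_ptk(pmk, aa, spa, anonce, msg2[2:34])         # authenticator reads SNonce from message 2
    return {"mic_ok": verify_msg2(msg2, auth["kck"]), "tk_match": sup["tk"] == auth["tk"]}
```

Call run_handshake(); the attacker variant is the same exchange with a wrong PMK, where message 2 fails the MIC check and the 802.1X port stays blocked.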
IPSEC
Security extensions for IPv4 and IPv6
IP Authentication Header (AH): integrity and origin authentication of the packet, no confidentiality
IP Encapsulating Security Payload (ESP): confidentiality of the payload
[Figure: encapsulation down the stack. Application: message. Transport: segment = TCP header + data. Network (IP): packet = IP header + TCP header + data. Link (Ethernet): frame = Ethernet header + IP header + TCP header + data + Ethernet trailer. IPsec transport mode protects the transport segment inside the original IP header; tunnel mode protects the whole IP packet inside a new IP header.]
http://www.tcpipguide.com/free/t_IPSecModesTransportandTunnel.htm
Key management
[Figure: the signed Diffie-Hellman exchange shown earlier: A sends A, (g^a mod p); B replies B, (g^b mod p), sign_B(m1, m2); A sends sign_A(m1, m2).]
Mobility
Authentication is a requirement
Early proposals were weak
Perimeter security
[Figure: Internet, Router, internal network behind the router]
Alternate 1: Dual-Homed Host
Examples: servers
Issues: stateful filtering; encapsulation (address translation, other complications); fragmentation; source/destination address forgery
Port numbers: permanent assignment (23 for Telnet, 80 for HTTP); variable use (the client side's port varies per connection, as in the Telnet and FTP traffic below)
Telnet
[Figure: Telnet Client (port 1234) connects to Telnet Server (port 23); the server acknowledges with a packet from port 23 back to port 1234 with the ACK flag set.]
FTP
[Figure: active-mode FTP. FTP Client (ports 5150, 5151) and FTP Server (port 21 command, port 20 data).
1. Client opens the command channel from port 5150 to server port 21 and tells the server its second port number (PORT 5151).
2. Server acknowledges (OK).
3. Server opens the data channel from its port 20 to the client's second port, 5151.
4. Client acknowledges (TCP ACK).]
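The Telnet and FTP exchanges above are the two cases a packet filter has to get right, so here is an added example (not from the slides) of both filter styles run over them: a stateless filter that admits inbound packets only when ACK is set, and a stateful filter that admits inbound packets only for connections it saw an inside host open, plus an FTP application-level gateway that reads the PORT command and opens a one-shot hole for the server's data connection from port 20. The internal network 192.168.0.0/16, the hosts and the PORT payload are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Added example, not from the CS 155 slides: a toy packet filter in two flavours, run over
# the Telnet and FTP exchanges in the figures. Addresses, ports and payload are constructed.

INTERNAL = ipaddress.ip_network("192.168.0.0/16")    # assumed "inside" network
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()
    payload: bytes = b""


def inbound(pkt: Packet) -> bool:
    return ipaddress.ip_address(pkt.src) not in INTERNAL


def stateless_allow(pkt: Packet) -> bool:
    """Stateless rule set: anything outbound; inbound only if ACK is set, i.e. it looks
    like a reply to a connection an inside host opened (the Telnet figure: 23 -> 1234, ACK)."""
    return not inbound(pkt) or "ACK" in pkt.flags


class StatefulFilter:
    """Tracks connections opened from inside; an inbound packet must belong to one of them.
    With ftp_alg=True the filter also reads the FTP PORT command and opens a one-shot
    pinhole for the data connection the server will initiate from port 20."""

    def __init__(self, ftp_alg: bool = True):
        self.ftp_alg = ftp_alg
        self.conns = set()      # (inside ip, inside port, outside ip, outside port)
        self.pinholes = set()   # (server ip, 20, client ip, client data port)

    def allow(self, pkt: Packet) -> bool:
        if not inbound(pkt):
            if "SYN" in pkt.flags:
                self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            if self.ftp_alg and pkt.dport == 21:
                m = PORT_RE.search(pkt.payload)
                if m:
                    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
                    self.pinholes.add((pkt.dst, 20, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
            return True
        # inbound: only as part of a tracked connection, or through a pinhole the ALG opened
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns:
            return True
        pin = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pin in self.pinholes and "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.pinholes.remove(pin)
            self.conns.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))   # now tracked like any other
            return True
        return False


def demo() -> dict:
    client, telnet, ftp, evil = "192.168.0.5", "10.1.1.1", "10.2.2.2", "10.6.6.6"
    syn, synack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    sf, sf_noalg = StatefulFilter(ftp_alg=True), StatefulFilter(ftp_alg=False)
    r = {}
    # Telnet: 1234 -> 23, then the server's reply 23 -> 1234 with ACK set
    out, back = Packet(client, 1234, telnet, 23, syn), Packet(telnet, 23, client, 1234, synack)
    r["telnet_reply_stateless"] = stateless_allow(out) and stateless_allow(back)
    r["telnet_reply_stateful"] = sf.allow(out) and sf.allow(back)
    # Forged "reply": an outsider sets ACK on a packet to a client port nobody opened
    forged = Packet(evil, 23, client, 4321, ack)
    r["forged_ack_stateless"] = stateless_allow(forged)
    r["forged_ack_stateful"] = sf.allow(forged)
    # FTP: command channel 5150 -> 21, PORT 5151 (20*256+31), then server opens 20 -> 5151
    cmd = Packet(client, 5150, ftp, 21, syn)
    port_cmd = Packet(client, 5150, ftp, 21, ack, b"PORT 192,168,0,5,20,31\r\n")
    data_syn = Packet(ftp, 20, client, 5151, syn)
    for f in (sf, sf_noalg):
        f.allow(cmd)
        f.allow(port_cmd)
    r["ftp_data_stateless"] = stateless_allow(data_syn)          # no ACK: dropped
    r["ftp_data_stateful_noalg"] = sf_noalg.allow(data_syn)      # unknown connection: dropped
    r["ftp_data_stateful_alg"] = sf.allow(data_syn)              # pinhole from PORT: allowed
    r["ftp_data_other_port"] = sf.allow(Packet(ftp, 20, client, 5152, syn))   # no PORT for it
    return r
```

The stateless filter's weakness and the stateful filter's cost show up side by side: a forged packet with ACK set walks through the former, while the latter must parse the FTP command channel to let legitimate active-mode data connections in at all.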
Normal IP fragmentation / Abnormal fragmentation
First packet: Fragmentation Offset = 0; DF bit = 0: "May Fragment"; MF bit = 1: "More Fragments"; Destination Port = 25. TCP port 25 is allowed, so the firewall allows the packet.
Second packet: a non-first fragment (offset > 0), so it carries no TCP header for the filter to inspect. What happens? If it overlaps the first fragment, reassembly at the host can overwrite TCP header fields the firewall already checked.
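What happens with the second packet, as an added example (not from the slides): the filter inspects the TCP header only in the fragment with offset 0 and passes any other fragment because there is nothing to check. If the second fragment overlaps the first, host reassembly overwrites the fields the filter accepted; the example rewrites the flags byte (offset 1 is byte 8, the earliest a non-first fragment can reach, so the port bytes 0..3 stay as checked), which is the attack RFC 1858 describes, and then applies the two RFC 1858 checks that close the hole. The packets are constructed, and the reassembly policy (a later fragment wins on overlap) is one of several that real stacks have used.

```python
import struct
from collections import namedtuple

# Added example, not from the CS 155 slides: an overlapping second fragment defeats a filter
# that inspects only the first fragment (RFC 1858), and the RFC 1858 checks that block it.
# Packets are constructed; reassembly lets a later fragment overwrite earlier bytes.

SYN, ACK = 0x02, 0x10
Fragment = namedtuple("Fragment", "offset mf data")   # offset in 8-byte units, as in the IP header


def tcp_header(sport, dport, flags, seq=1000, ack=2000, window=8192):
    """20-byte TCP header: ports, seq, ack, data offset 5 (<<4), flags, window, checksum, urgent."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)


def filter_allows(frag, allowed_ports=(25,)):
    """Stateless policy from the slides: permit only established traffic (ACK set, SYN clear)
    to an allowed port. Only a first fragment (offset 0) carries a TCP header to inspect;
    non-first fragments are passed through because there is nothing to check."""
    if frag.offset != 0:
        return True
    sport, dport = struct.unpack("!HH", frag.data[:4])
    flags = frag.data[13]
    return dport in allowed_ports and bool(flags & ACK) and not (flags & SYN)


def rfc1858_allows(frag, tmin=16):
    """RFC 1858 tightening: drop a first TCP fragment too short to hold the fields the filter
    checks, and drop any fragment with offset 1, which can only exist to overlap fragment 0."""
    if frag.offset == 0 and len(frag.data) < tmin:
        return False
    if frag.offset == 1:
        return False
    return filter_allows(frag)


def reassemble(frags):
    """Host reassembly: place each fragment at offset*8; a later fragment overwrites any overlap."""
    buf = bytearray()
    for f in frags:
        start, end = f.offset * 8, f.offset * 8 + len(f.data)
        if len(buf) < end:
            buf.extend(bytes(end - len(buf)))
        buf[start:end] = f.data
    return bytes(buf)


def attack():
    # Fragment 1 (24 bytes, a multiple of 8 as required for a non-last fragment): an
    # innocent-looking ACK to port 25, which the filter accepts.
    frag1 = Fragment(0, 1, tcp_header(40000, 25, ACK) + bytes(4))
    # Fragment 2 starts at byte 8 and overwrites ack, data offset, flags, window, checksum and
    # urgent pointer (bytes 8..19) plus the 4 payload bytes: the flags byte becomes SYN.
    overlay = struct.pack("!IBBHHH", 0, 5 << 4, SYN, 8192, 0, 0) + bytes(4)
    frag2 = Fragment(1, 0, overlay)
    pkt = reassemble([frag1, frag2])
    sport, dport = struct.unpack("!HH", pkt[:4])
    return {
        "frag1_passes": filter_allows(frag1),
        "frag2_passes": filter_allows(frag2),
        "reassembled_dport": dport,
        "reassembled_flags": pkt[13],          # SYN: the inbound connection attempt the policy forbade
        "frag2_passes_rfc1858": rfc1858_allows(frag2),
    }
```

The cleaner fix is to reassemble before filtering, which is what stateful firewalls do; the RFC 1858 checks are the cheap alternative for a stateless filter.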
Remember SSL/TLS
[Figure: handshake. Client -> Server: version, crypto choice, nonce. Server -> Client: version, choice, nonce, signed certificate containing the server's public key Ks. Client -> Server: secret key K encrypted with the server's key Ks. Both switch to the negotiated cipher and each sends a hash of the sequence of messages; then data transmission.]
Proxying Firewall
[Figure: application-level proxies (an FTP proxy and an SMTP proxy) on the firewall sit between the network connection and the FTP and SMTP daemons on the inside.]
Application-level proxies
Enforce policy for specific protocols: SMTP (e-mail), NNTP (net news), DNS (Domain Name System), NTP (Network Time Protocol)
Can be host-based
Usually at enterprise gateway
Firewall references
Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman, Building Internet Firewalls
William R. Cheswick, Steven M. Bellovin, Aviel D. Rubin, Firewalls and Internet Security: Repelling the Wily Hacker
Intrusion detection
Infrastructure protocols: BGP, DNS
Intrusion detection
Many intrusion detection systems
Example: Snort, http://www.snort.org/
From: Rafeeq Ur Rehman, Intrusion Detection Systems with Snort: Advanced IDS Techniques with Snort, Apache, MySQL, PHP, and ACID.
Snort components: Packet Decoder; Preprocessor; rule options
Rule header fields, additional examples: destination IP address; destination port; source port number
Rule options: an alert is generated if the criteria are met
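A rule matcher for the header and option fields just listed, as an added example (not from the book or the Snort source): it parses rules in Snort's text format, checks protocol, addresses, ports and a content option against packets, and returns the alerts. The two rules and three packets are constructed; the mountd rule follows the example in the Snort manual. Only the msg, content and sid options are interpreted, and option values containing ';' or ':' are not handled.

```python
import ipaddress
import re
from dataclasses import dataclass

# Added example, not from the CS 155 slides or from Snort: a small matcher for the
# Snort rule format (header: action, protocol, source address/port, direction, destination
# address/port; then options in parentheses). Rules and packets are constructed.


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_content(text: str) -> bytes:
    """Snort content strings: literal text with |hex bytes| sections, e.g. "|00 01 86 a5|"."""
    out = b""
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out


def parse_rule(line: str) -> dict:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("bad rule: " + line)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):   # assumes no ';' inside values
        key, _, value = opt.partition(":")
        options[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "content": parse_content(options["content"]) if "content" in options else None,
            "msg": options.get("msg", ""), "sid": options.get("sid")}


def addr_match(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_match(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:                          # range, e.g. 1024: or 6000:6010
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def rule_matches(rule: dict, pkt: Packet) -> bool:
    """Header first (cheap), then the content option against the payload."""
    return (rule["proto"] == pkt.proto
            and addr_match(rule["src"], pkt.src) and port_match(rule["sport"], pkt.sport)
            and addr_match(rule["dst"], pkt.dst) and port_match(rule["dport"], pkt.dport)
            and (rule["content"] is None or rule["content"] in pkt.payload))


def run(rules, packets):
    """Return (sid, msg) for every rule whose header and options a packet satisfies."""
    return [(r["sid"], r["msg"]) for p in packets for r in rules if rule_matches(r, p)]


RULES = [parse_rule(line) for line in [
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"WEB /etc/passwd access"; content:"/etc/passwd"; sid:1000001;)',
    'alert tcp any any -> 192.168.1.0/24 111 (msg:"mountd access"; content:"|00 01 86 a5|"; sid:1000002;)',
]]
PACKETS = [   # constructed traffic: two hits and one miss (right content, wrong port)
    Packet("tcp", "10.0.0.9", 40001, "192.168.1.20", 80, b"GET /../../etc/passwd HTTP/1.0\r\n"),
    Packet("tcp", "10.0.0.9", 40002, "192.168.1.20", 111, b"\x80\x00\x00\x28\x00\x00\x00\x01\x86\xa5"),
    Packet("tcp", "10.0.0.9", 40003, "192.168.1.20", 8080, b"GET /etc/passwd HTTP/1.0\r\n"),
]
```

run(RULES, PACKETS) yields one alert per rule here; the third packet carries the same string as the first but to a port the rule header does not cover, which is exactly the kind of evasion (move the service, encode the string) that misuse detection cannot see.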
Snort challenges
Misuse detection only catches known intrusions
Difficulties in anomaly detection: lack of training data; data drift
INFRASTRUCTURE
PROTOCOLS: BGP, DNS
BGP example
[Figure: seven ASes, 1 through 7, exchanging path-vector advertisements; the AS paths shown include 2 7, 2 6 5, 7 2 6 5, 3 2 7, 3 2 6 5 and 6 2 7.]
BGP example
[Figure: the AS paths 2 7 and 3 2 7 from the same topology; an AS contains Host1, Host2, ..., Hostn and owns address blocks.]
Address Attestation
Indicates that the final AS listed in the UPDATE is authorized by the owner of those address blocks to advertise the address blocks in the UPDATE
Includes identification of: owner's certificate; AS to be advertising the address blocks; address blocks; expiration date
Route Attestation
Indicates that the speaker or its AS authorizes the listener's AS to use the route in the UPDATE
Includes identification of:
Validating a Route
To validate a route from ASn, ASn+1 needs:
INFRASTRUCTURE
PROTOCOLS: BGP, DNS
[Figure: DNS lookup of www.example.com. The root returns "com. NS a.gtld.net" and "a.gtld.net A 192.5.6.30"; com. returns "example.com. NS a.iana.net" and "a.iana.net A 192.0.34.43"; example.com. returns "www.example.com A 1.2.3.4"; the resolver returns "www.example.com A 1.2.3.4" to the stub.]
DNS is insecure
Packets sent over UDP, < 512 bytes
The 16-bit TXID and the UDP source port are the only "security"
Resolver accepts a packet if these match its outstanding query
Packet from whom? Was it manipulated?
Cache poisoning
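The acceptance test above in code, as an added example (not from the slides): a toy resolver keeps one outstanding query and caches the first response whose TXID, destination port and question match; an off-path attacker who triggered the query floods forged answers before the real one arrives. With a fixed source port the attacker walks the 16-bit TXID space and always wins the race; with a randomized port the per-race odds drop by another factor of about 64000. Names, addresses, the fixed port 1053 and the attacker's address 6.6.6.6 are constructed.

```python
import random

# Added example, not from the CS 155 slides: a toy resolver with the three checks plain DNS
# has (TXID, destination port, question) and an off-path attacker racing the real answer.

TXID_SPACE = 1 << 16
EPHEMERAL = range(1024, 65536)    # 64512 ports a port-randomizing resolver can choose from
FIXED_PORT = 1053                 # assumed: a resolver that sends every query from one port


class Resolver:
    def __init__(self, rng, randomize_port):
        self.rng, self.randomize_port = rng, randomize_port
        self.cache = {}
        self.outstanding = None     # (txid, sport, qname) of the one query in flight

    def send_query(self, qname):
        txid = self.rng.randrange(TXID_SPACE)
        sport = self.rng.choice(EPHEMERAL) if self.randomize_port else FIXED_PORT
        self.outstanding = (txid, sport, qname)
        return self.outstanding

    def receive(self, txid, dport, qname, answer):
        """No authentication: a response is accepted if these three fields match."""
        if self.outstanding is None or (txid, dport, qname) != self.outstanding:
            return False
        self.cache[qname] = answer
        self.outstanding = None     # first match wins; the real answer, arriving later, is ignored
        return True


def poison_race(randomize_port, guesses, rng, qname="www.example.com"):
    """One race: the resolver queries, the attacker sends `guesses` forged answers, then the
    authoritative answer arrives. Returns True if the cache ends up holding the forgery."""
    r = Resolver(rng, randomize_port)
    txid, sport, _ = r.send_query(qname)
    for i in range(guesses):
        guess_txid = i % TXID_SPACE                     # walk the whole 16-bit space once
        guess_port = rng.choice(EPHEMERAL) if randomize_port else FIXED_PORT
        if r.receive(guess_txid, guess_port, qname, "6.6.6.6"):
            break
    r.receive(txid, sport, qname, "1.2.3.4")            # legitimate answer
    return r.cache.get(qname) == "6.6.6.6"


def spoof_success_probability(guesses, port_choices):
    """Chance that one race succeeds when each forged packet tries a fresh (txid, port)
    pair out of 65536 * port_choices; 1.0 once the attacker can cover the whole space."""
    return min(1.0, guesses / (TXID_SPACE * port_choices))
```

The fixed-port case is why "randomize the source port" was the 2008 emergency fix: it is the only field left that an off-path attacker cannot learn, and the attacker can retry the race as often as they like by asking for fresh names.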
DNSSEC Goal
The Domain Name System (DNS) security
extensions provide origin authentication and
integrity assurance services for DNS data,
including mechanisms for authenticated denial
of existence of DNS data.
(RFC 4033)
DNSSEC
Basically no change to packet format
DNSSEC Lookup
Query: "www.example.com A?"
Reply, with the records added by DNSSEC marked:
From the root: "com. NS a.gtld.net", "a.gtld.net A 192.5.6.30"; added by DNSSEC: "com. DS", "RRSIG(DS) by ."
From com.: "example.com. NS a.iana.net", "a.iana.net A 192.0.34.43"; added by DNSSEC: "com. DNSKEY", "RRSIG(DNSKEY) by com.", "example.com. DS", "RRSIG(DS) by com."
From example.com.: "www.example.com A 1.2.3.4"; added by DNSSEC: "example.com DNSKEY", "RRSIG(DNSKEY) by example.com.", "RRSIG(A) by example.com."
To the stub resolver: "www.example.com A 1.2.3.4"
Last Hop?
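The DS and DNSKEY records listed above, as an added example (not from the slides): at each delegation the parent's DS record must match the child's DNSKEY, and a resolver walks that chain from its configured root trust anchor down. The computation follows RFC 4034 (DS digest over the owner name in wire form followed by the DNSKEY RDATA; key tag per Appendix B). The keys are constructed bytes, one key per zone plays both KSK and ZSK, and the RRSIG signature checks over each DS and DNSKEY set are not implemented, so the chain walk below verifies linkage only.

```python
import hashlib

# Added example, not from the CS 155 slides: the DS -> DNSKEY link at each delegation,
# computed as RFC 4034 specifies. Keys are constructed; RRSIG verification is omitted.


def wire_name(name: str) -> bytes:
    """Canonical wire form: lowercase labels, each length-prefixed, ending with the root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def dnskey_rdata(public_key: bytes, flags: int = 257, protocol: int = 3, algorithm: int = 13) -> bytes:
    """DNSKEY RDATA: flags (257 = zone key + SEP), protocol (always 3), algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2: SHA-256(owner name in wire form || DNSKEY RDATA)."""
    return hashlib.sha256(wire_name(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes) -> dict:
    """What the parent publishes for a child key (and what a trust anchor looks like)."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest_type": 2,
            "digest": ds_digest(owner, rdata)}


def ds_matches(ds: dict, owner: str, rdata: bytes) -> bool:
    return (ds["key_tag"] == key_tag(rdata) and ds["algorithm"] == rdata[3]
            and ds["digest_type"] == 2 and ds["digest"] == ds_digest(owner, rdata))


def validate_chain(trust_anchor_ds: dict, zones) -> str:
    """zones: (name, dnskey_rdata, ds_for_child or None) from the root down.
    "secure" if every delegation is linked by a matching DS, "bogus" on a mismatch,
    "insecure" if a parent publishes no DS for the child (an unsigned sub-namespace)."""
    expected_ds = trust_anchor_ds
    for name, rdata, child_ds in zones:
        if expected_ds is None:
            return "insecure"
        if not ds_matches(expected_ds, name, rdata):
            return "bogus"
        expected_ds = child_ds
    return "secure"


def demo() -> dict:
    root, com, ex = (dnskey_rdata(bytes(range(s, s + 32))) for s in (0, 32, 64))   # constructed keys
    anchor = make_ds(".", root)                      # root trust anchor configured in the resolver
    good = [(".", root, make_ds("com.", com)),
            ("com.", com, make_ds("example.com.", ex)),
            ("example.com.", ex, None)]
    tampered = [good[0], ("com.", dnskey_rdata(bytes(32)), good[1][2]), good[2]]   # com. key swapped
    optout = [good[0], ("com.", com, None), good[2]]                               # no DS for example.com.
    return {label: validate_chain(anchor, chain)
            for label, chain in (("good", good), ("tampered", tampered), ("optout", optout))}
```

The "optout" case is the insecure sub-namespace of the next slides: when com. publishes no DS for example.com., the validator stops with "insecure" rather than "bogus", and nothing below that point is authenticated.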
Authenticated Denial-of-Existence
Most DNS lookups result in denial-of-existence
NSEC (Next SECure)
NSEC3
Insecure Sub-Namespace
NSEC3 Opt-out: "does not assert the existence or nonexistence of the insecure delegations that it may cover" (RFC 5155)
Only thing asserting this is insecure glue records
DNSSEC cannot stop this attack [DWF96, R01]
[Figure: DNS rebinding. The browser asks for www.evil.com; ns.evil.com (the attacker's DNS server) answers 171.64.7.115, the www.evil.com web server, with TTL = 0. When the page's script resolves the name again, ns.evil.com answers 192.168.0.100, the corporate web server behind the firewall, so the script's requests to "www.evil.com" now reach the internal server.]
Server-side defenses
Firewall defenses
Summary
Network protocol security
Firewall
Packet filter (stateless, stateful), application-layer proxies
Traffic shaping
Intrusion detection
Anomaly and misuse detection