
Advanced Research Issues In Security: Securing Key Internet Technologies



  1. Advanced Research Issues In Security: Securing Key Internet Technologies
     CS 236 On-Line MS Program, Networks and Systems Security
     Peter Reiher
     Lecture 18 Page 1 CS 236 Online

  2. Outline
     • Routing security
     • DNS security

  3. Routing Security
     • Routing protocols control how packets flow through the Internet
     • If they aren’t protected, attackers can alter packet flows at their whim
     • Most routing protocols were not built with security in mind

  4. Routing Protocol Security Threats
     • Threats to routing data secrecy
       – Usually not critical
     • Threats to routing protocol integrity
       – Very important, since tampering with routing integrity can be bad
     • Threats to routing protocol availability
       – Potential to disrupt Internet service

  5. What Could Really Go Wrong?
     • Packets could be routed through an attacker
     • Packets could be dropped
       – Routing loops, blackhole routing, etc.
     • Some users’ service could be degraded
     • The Internet’s overall effectiveness could be degraded
       – Slow response to failures
       – Total overload of some links
     • Many types of defenses against other attacks presume correct routing

  6. Where Does the Threat Occur?
     • At routers, mostly
     • Most routers are well-protected
       – But . . .
       – Several vulnerabilities have been found in routers
     • Also, should we always trust those running routers?

  7. Different Types of Routing Protocols
     • Link state
       – Tell everyone the state of your links
     • Distance vector
       – Tell nodes how far away things are
     • Path vector
       – Tell nodes the complete path between various points
     • On demand protocols
       – Figure out routing once you know two nodes need to communicate

  8. Popular Routing Protocols
     • BGP
       – Path vector protocol used in core Internet routing
       – Arguably most important protocol to secure
     • RIP
       – Distance vector protocol for small networks
     • OSPF
     • ISIS
     • Ad hoc routing protocols

  9. Fundamental Operations To Be Protected
     • One router tells another router something about routing
       – A path, a distance, contents of local routing table, etc.
     • A router updates its routing information
     • A router gathers information to decide on routing

  10. Protecting BGP
      • BGP is probably the most important protocol to protect
      • Handles basic Internet routing
      • Works at autonomous system (AS) level
        – Rather than router level

  11. BGP Issues
      • BGP is spoken (mostly) between routers in autonomous systems
      • On direct network links to their partner
      • Over TCP sessions that are established with known partners
        – Easily encrypted, if desired
      • Isn’t that enough to give reasonable security?

  12. A Counterexample
      • Pakistan became upset with YouTube over posting of “blasphemous” video (2008)
      • Responded by injecting a BGP update that sent all traffic to YouTube to a site in Pakistan
        – Which probably dropped it all
      • Rendered YouTube unavailable worldwide (well, 2/3s of world)
        – Probably due to error, not malice

  13. How Did This Happen?
      • Pakistan injected a BGP update advertising a path to YouTube
        – Which they had no right to do
      • It got automatically propagated by BGP
      • Everyone knows YouTube isn’t in Pakistan
      • But the routing protocol didn’t
      • Security required to prevent other future incidents

  14. Another Example
      • In 2010, China rerouted a lot of US traffic through its servers
        – Traffic purely internal to the US
        – Lots of military, government, commercial traffic
      • Based on bogus BGP route advertisements
      • Possibly errors, not attacks, but . . .

  15. A Side Issue on This Story
      • Much Internet design assumes major parties play by the rules
      • Pakistan didn’t
      • Not desirable to base Internet’s security on this assumption
      • Though sometimes not many other choices

  16. Basic BGP Security Issue
      [Diagram: ASes A, B, C, D, E, F and G. The advertisement for 1.2.3.* is shown with the paths A; B,A; C,B,A; and D,C,B,A.]
      • A wants to tell everyone how to get to 1.2.3.*
      • What do we need to protect?

  17. Well, What Could Go Wrong?
      [Diagram: ASes A, B, C, D, E, F and G, with advertisements for 1.2.3.* labelled with the paths A and D,F.]
      • What if A doesn’t own 1.2.3.*?
      • What if router D alters the path?
      • What if router A isn’t authorized to advertise 1.2.3.*?

  18. Two Sub-Problems
      • Security of Origin (SOA)
        – Who is allowed to advertise a path to an IP prefix?
      • Path Validation (PV)
        – Is the path someone gives to me indeed a correct path?

  19. How Do We Solve These Problems?
      • SOA - Advertising routers must prove prefix ownership
        – And right to advertise paths to that prefix
      • PV - Paths must be signed by routers on them
        – Must avoid cut-and-paste and replay attacks

  20. S-BGP
      • One example solution
      • A protocol designed to solve most of the routing security issues for BGP
      • Intended to be workable with existing BGP protocol
      • Key idea is to tie updates to those who are allowed to make them
        – And to those who build them

  21. Some S-BGP Constraints
      • Can’t change BGP protocol
        – Or packet format
      • Can’t have messages larger than max BGP size
      • Must be deployable in reasonable way

  22. An S-BGP Example
      [Diagram: ASes A, B, C, D, E, F and G. A advertises 1.2.3.* with the path A.]
      • How can B know that A should advertise 1.2.3.*?
      • A can provide a certificate proving ownership

  23. Securing BGP Updates
      [Diagram: ASes A, B, C, D, E, F and G. The advertisement for 1.2.3.* is shown with the paths A; B,A; C,B,A; and D,C,B,A.]
      • A wants to tell everyone how to get to 1.2.3.*
      • What are these signatures actually attesting to?

  24. Who Needs To Prove What?
      • A needs to prove (to B-E) that he owns the prefix
      • B needs to prove (to C-E) that A wants the prefix path to go through B
      • C needs to prove (to D-E) the same
      • D needs to prove (to E) the same

  25. So What Does A Sign?
      • A clearly must provide proof he owns the prefix
      • He also must prove he originated the update
      • And only A can prove that he intended the path to go through B
      • So he has to sign for all of that

  26. Address Attestations in S-BGP
      • These are used to prove ownership of IP prefix spaces
      • IP prefix owner provides attestation that a particular AS can originate its BGP updates
      • That AS includes attestation in updates

  27. Route Attestations
      • To prove that path for a prefix should go through an AS
      • The previous AS on the path makes this attestation
        – E.g., B attests that C is the next AS hop

  28. How Are These Signatures Done?
      • Via public key cryptography
      • Certificates issued by proper authorities
        – ICANN at the top
        – Hierarchical below ICANN
      • Certificates not carried with updates
        – Otherwise, messages would be too big
        – Off-line delivery method proposed
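
The route attestation chain from slides 24 to 27, as an added example that is not part of the lecture or of S-BGP itself: each AS attests the prefix, the path so far and the next AS hop, and the receiver rechecks every hop. Assumptions: HMAC with constructed per-AS keys stands in for the public-key signatures, 1.2.3.0/24 stands for the slides' 1.2.3.*, and the function names are hypothetical.

```python
import hashlib
import hmac

# Constructed demo keys. HMAC stands in for each AS's public-key signature
# so the example runs with the standard library alone.
KEYS = {asn: f"demo-key-{asn}".encode() for asn in "ABCDEFG"}

def sign(signer, prefix, path, next_as):
    """Attest: 'signer' sends this prefix and path on to 'next_as'."""
    msg = "|".join([prefix, ",".join(path), next_as]).encode()
    return hmac.new(KEYS[signer], msg, hashlib.sha256).hexdigest()

def originate(origin, prefix, next_as):
    """The origin starts the update and names its first neighbor."""
    path = [origin]
    return {"prefix": prefix, "path": path,
            "atts": [sign(origin, prefix, path, next_as)]}

def forward(update, me, next_as):
    """Prepend 'me' (newest first, as on the slides) and attest the next hop."""
    path = [me] + update["path"]
    att = sign(me, update["prefix"], path, next_as)
    return {"prefix": update["prefix"], "path": path,
            "atts": [att] + update["atts"]}

def verify(update, receiver):
    """Every AS on the path must have attested the AS that really came next."""
    path, atts = update["path"], update["atts"]
    if len(path) != len(atts):
        return False
    for i, signer in enumerate(path):
        next_as = receiver if i == 0 else path[i - 1]
        expected = sign(signer, update["prefix"], path[i:], next_as)
        if not hmac.compare_digest(expected, atts[i]):
            return False
    return True

def demo():
    u = originate("A", "1.2.3.0/24", "B")
    for me, nxt in [("B", "C"), ("C", "D"), ("D", "E")]:
        u = forward(u, me, nxt)
    # Path altered after signing: C removed from D,C,B,A.
    altered = {**u, "path": ["D", "B", "A"],
               "atts": [u["atts"][0]] + u["atts"][2:]}
    return verify(u, "E"), verify(altered, "E")

if __name__ == "__main__":
    print(demo())
```

Because each attestation names the next hop, an attestation copied out of one update does not verify on a different path. Whether A may originate the prefix at all is the separate address attestation check.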

  29. S-BGP and IPSec
      • S-BGP generates the attestations itself
      • But it uses IPSec to deliver the BGP messages
      • Doing so prevents injections of replayed messages
      • Also helps with some TCP-based attacks
        – E.g., SYN floods

  30. S-BGP Status
      • Not getting traction in networking community
      • Probably not going to be the ultimate solution
      • IETF working group is looking at various protocols with similar approaches

  31. Other BGP Security Approaches
      • Filter BGP updates from your neighbors
        – Don’t accept advertisements for prefixes they don’t own
        – Requires authoritative knowledge of who owns prefixes
      • Use Resource PKI to distribute certificates on who owns what prefixes
      • Sanity check routes
      • Continuous monitoring of routing system
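
One way to filter neighbor updates against authoritative prefix ownership data, as an added example that is not part of the lecture: it classifies each announcement as valid, invalid or not-found in the style of RPKI route origin validation. Assumptions: the ownership records, AS numbers (documentation range) and sample updates are constructed, and dropping only "invalid" routes is one policy choice.

```python
import ipaddress

# Constructed ownership records: (prefix, max prefix length, authorized origin AS).
# 1.2.3.0/24 is the slides' 1.2.3.* written as a CIDR prefix.
ROAS = [
    ("1.2.3.0/24", 24, 64496),
    ("10.20.0.0/16", 20, 64497),
]

def origin_validity(prefix, origin_as, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # some record speaks for this address space
        if origin_as == roa_as and net.prefixlen <= max_len:
            return "valid"
    # Covered but no matching record: wrong origin or too specific.
    return "invalid" if covered else "not-found"

def filter_updates(updates, roas=ROAS):
    """Split (prefix, as_path) updates into accepted and rejected lists.

    The AS path is newest first, as on the slides, so the origin is last.
    """
    accepted, rejected = [], []
    for prefix, as_path in updates:
        state = origin_validity(prefix, as_path[-1], roas)
        bucket = rejected if state == "invalid" else accepted
        bucket.append((prefix, as_path, state))
    return accepted, rejected

# Constructed sample updates.
UPDATES = [
    ("1.2.3.0/24", [64500, 64496]),    # authorized origin
    ("1.2.3.0/24", [64501, 64499]),    # origin not authorized for the prefix
    ("1.2.3.128/25", [64499]),         # more specific than any record allows
    ("10.20.16.0/24", [64497]),        # right origin, longer than max length
    ("192.0.2.0/24", [64502]),         # no record covers this prefix
]

if __name__ == "__main__":
    for group in filter_updates(UPDATES):
        print(group)
```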
