lecture 17 network security
play

Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction - PowerPoint PPT Presentation

Mar 26, 2023 •646 likes •868 views

Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger The

  1. Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

  2. The network … (perimeter) (edge) Internet LAN (server) (remote hosts/servers) (hosts/desktops) 2 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

  3. Internet Services • Internet Protocol (IP) • Really refers to a whole collection of protocols making up the vast majority of the Internet • Routing • How these packets move from place to place? • Network management • Administrators have to maintain the services and infrastructure supporting everyone’s daily activities • Quality of service • How do we ensure that we get our fair share of network resources, e.g., bandwidth? 3 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

  4. Reality • Networks are not secure .. • Never meant to be .... • Designers of Internet saw security as largely orthogonal to network services .. 4 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

  5. Address Resolution Protocol (ARP) • Protocol used to map IP address onto the physical layer addresses (MAC) 1) ARP request: who has x.x.x.x? 2) ARP response: me! • Policy: last one in wins • Used to forward packets on the appropriate interfaces by network devices (e.g., bridges) • Attack: replace good entries with your own • Leads to • Session hijacking • Man-in-the-middle attacks • Denial of service, etc. Q : Why would you want to spoof an IP address? 5 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

  6. Sequence number prediction • TCP/IP uses a three-way handshake to establish a connection 1. C -> S: Q C where sequence numbers Q C 2. S -> C: Q S , ack(Q C ) and Q S are nonces 3. C -> S: ack(Q S ) … then send data • However assume the bad guy does not hear msg 2, if he can guess Q S , then he can get S to accept whatever data it wants (useful if doing IP authentication, e.g., “rsh”) Client Server Adversary 6 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

  7. Routing Manipulation • RIP - routing information protocol • Distance vector routing protocol • Routers exchange reachability and “distance” vectors for all the sub-networks within (a typically small) domain • Use vectors to decide which is best, notification of changes is propagated quickly • So, the big problem is that you receive vast amounts of data that a router uses to form the routing table • So, just forge that, and the game is up • Manipulate paths, DOS, hijack connections, etc. • Solutions: • Authenticate data, but this is less than obvious how to do this efficiently (a whole lot of people are trying) 7 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

  8. Internet Control Message Protocol (ICMP) • ICMP is used as a control plane for IP messages • Ping (connectivity probe) • Destination Unreachable (error notification) • Time-to-live exceeded (error notification) • These are used for good purposes, and are largely indispensable tools for network management and control • Error notification codes can be used to reset connections without any • Solution: verify/sanity check sources and content • ICMP “returned packets” • Real solution: filter most of ICMP, ignore it 8 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

  9. The “ping of death” … • In 1996, someone discovered that many operating systems, routers, etc. could be crash/rebooted by sending a single malformed packet • It turns out that you can send a IP packet larger than 65,535 (2 16 ), it would crash many things • The real reason lies in the way fragmentation works • It allows somebody to send a packet bigger than IP allows • Which blows up most fixed buffer size implementations • … and dumps core, blue screen of death, etc. • Note: this is not really ICMP specific, but easy (try it) � % ping -l 65510 your.host.ip.address • This was a popular pastime of early hackers • Solution: patch the implementations 9 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

  10. POP/SMTP/FTP • Post office protocol - mail retrieval • Passwords passed in the clear (duh) • Solution: SSL, SSH, Kerberos • Simple mail transport protocol (SMTP) - email • Nothing authenticated: SPAM • Nothing hidden: eavesdropping • Solution: your guess is as good as mine • File Transfer protocol - file retrieval • Passwords passed in the clear (duh) • Solution: SSL, SSH, Kerberos 10 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

  11. DNS - The domain name system • DNS maps between IP address (12.1.1.3) and domain and host names (ada.cse.psu.edu) • How it works: the “root” servers redirect you to the top level domains (TLD) DNS servers, which redirect you to the appropriate sub-domain, and recursively … . • Note: there are 13 “root” servers that contain the TLDs for .org, .edu, and country specific registries (.fr, .ch) root .edu psu.edu cse.psu.edu 130.203.16.130 ada.cse.psu.edu? Host (resolver) 11 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

  12. DNS Vulnerabilities • Nothing is authenticated, so really the game is over • You can not really trust what you hear … • But, many applications are doing just that. • Spoofing of DNS is really dangerous • Moreover, DNS is a catalog of resources • Zone-transfers allow bulk acquisition of DNS data • … and hence provide a map for attacking the network • Lots of opportunity to abuse the system • Relies heavily on caching for efficiency -- cache pollution • Once something is wrong, it can remain that way in caches for a long time (e.g., it takes a long time flush) 12 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

  13. DNSSEC • A standard-based (IETF) solution to security in DNS • Prevents data spoofing and corruption • Public key based solution to verifying DNS data • Authenticates • Communication between servers • DNS data • Public keys (a bootstrap for PKI?) 13 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

  14. DNSSEC Mechanisms • Securing the DNS records • Each domain signs their “zone” with a private key • Public keys published via DNS • Indirectly signed by parent zones • Ideally, you only need to self-signed root, and follow keys down the hierarchy Signs Signs Signs root .edu psu.edu cse.psu.edu 14 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

  15. DNSSEC challenges • Incremental deployability • Everyone has DNS, can’t assume a flag day • Resource imbalances • Some devices can’t afford real authentication • Cultural • Most people don’t have any strong reason to have secure DNS ($$$ not justified in most environments) • Lots of transitive trust assumptions (you have no idea how the middlemen do business) • Take away: DNSsec will be deployed, but it is unclear whether it will be used appropriately/widely 15 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

  16. Filtering: Firewalls • Filtering traffic based on policy • Policy determines what is acceptable traffic • Access control over traffic • Accept or deny policy Application • May perform other duties Network • Logging (forensics, SLA) • Flagging (intrusion detection) Link • QoS (differentiated services) 16 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

  17. xListing • Blacklisting - specifying specific connectivity that is explicitly disallowed • E.g., prevent connections from badguys.com • Whitelisting - specifying specific connectivity that explicitly allowed • E.g., allow connections from goodguys.com • These is useful for IP filtering, SPAM mitigation, … • Q: What access control policies do these represent? 17 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

  18. Stateful/Stateless and Proxy/Transparent • Single packet contains insufficient data to make access control decision • State allows historical context consideration • Firewall collects data over time • e.g., TCP packet is part of established session • Firewalls can affect network traffic • Transparent: appear as a single router (network) • Proxy: receives, interprets, and reinitiates communication (application) • Transparent good for speed (routers), proxies good for complex state (applications) 18 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

  19. Example Server Firewall Interface IP TCP UDP ... ... 80 ...... ... .............. 1 2 3 25 216 1 2 3 42 216 Sendmail named Apache 19 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

  20. Example Server Firewall Interface IP TCP UDP ... ... 80 ...... ... .............. 1 2 3 25 216 1 2 3 42 216 Sendmail named Apache 20 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

TCP/IP: TCP Network Security Lecture 7 Eike Ritter Network Security - Lecture 7 1 TCP

TCP/IP: TCP Network Security Lecture 7 Eike Ritter Network Security - Lecture 7 1 TCP

TCP/IP: TCP Network Security Lecture 7 Eike Ritter Network Security - Lecture 7 1 TCP spoofing Alice trusts Bob (e.g., logins on Alice are allowed with no password if TCP connection comes from host Bob) Mallory wants to impersonate

923 views • 17 slides
Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able to Skills identify design and Ability to analyze the implementation security of networked vulnerabilities in network systems protocols

564 views • 33 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
TCP/IP: ICMP, UDP Network Security Lecture 5 Recap and overview Looking at security of

TCP/IP: ICMP, UDP Network Security Lecture 5 Recap and overview Looking at security of

TCP/IP: ICMP, UDP Network Security Lecture 5 Recap and overview Looking at security of TCP/IP IP, Ethernet, ARP Sniffing the network and forging packets tcpdump, wireshark Today: ICMP and UDP Eike Ritter Network Security -

881 views • 38 slides
TCP/IP: Ethernet, IP, and ARP (and a PGP refresher) Network Security Lecture 2 Any questions

TCP/IP: Ethernet, IP, and ARP (and a PGP refresher) Network Security Lecture 2 Any questions

TCP/IP: Ethernet, IP, and ARP (and a PGP refresher) Network Security Lecture 2 Any questions on Administrativia, organizational matters? Historical/cultural overview? Eike Ritter Network Security - Lecture 2 1 Today PGP in 6

431 views • 42 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Economics of network security Harald Vranken 1 Economics of network security Note that

Economics of network security Harald Vranken 1 Economics of network security Note that

Advanced Network Security (2019-2020) Economics of network security Harald Vranken 1 Economics of network security Note that network in this lecture means Physical communication network (eg. Internet, telephony, fax, telegraph)

769 views • 49 slides
Network Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture

Network Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture

Network Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 9 Page 1 CS 236 Online Some Important Network Characteristics for Security Degree of locality Media used Protocols used Lecture 9

156 views • 11 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J Lecture #9 Sep 22 nd 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Midterm #1, next class (Tues, Sept 27 th ) All lecture

739 views • 40 slides
CompSci 356: Computer Network Architectures Lecture 24: Network Security Xiaowei Yang

CompSci 356: Computer Network Architectures Lecture 24: Network Security Xiaowei Yang

CompSci 356: Computer Network Architectures Lecture 24: Network Security Xiaowei Yang xwy@cs.duke.edu Overview Why studying network security? The topic itself is worth another class Basic cryptography building blocks

768 views • 49 slides
CS 598: Network Security Matthew Caesar February 7, 2011 1 This lecture Network devices

CS 598: Network Security Matthew Caesar February 7, 2011 1 This lecture Network devices

Lecture 4: Device Security and Router Mechanisms CS 598: Network Security Matthew Caesar February 7, 2011 1 This lecture Network devices Their internals and how they work Network connections How to plug devices together 2

1.41k views • 119 slides
Network provider Security Markus Peuhkuri 2005-04-28 Lecture topics Basics of security

Network provider Security Markus Peuhkuri 2005-04-28 Lecture topics Basics of security

Network provider Security Markus Peuhkuri 2005-04-28 Lecture topics Basics of security Security threats Regulators and ISP security Some headlines Davie-Besse nuclear reactor control network

482 views • 17 slides
Network Security CS 136 Computer Security Peter Reiher February 21, 2008 Lecture 11 Page 1

Network Security CS 136 Computer Security Peter Reiher February 21, 2008 Lecture 11 Page 1

Network Security CS 136 Computer Security Peter Reiher February 21, 2008 Lecture 11 Page 1 CS 136, Winter 2008 Outline Basics of network security Definitions Sample attacks Defense mechanisms Lecture 11 Page 2 CS 136,

613 views • 50 slides
Network Security Computer Security Peter Reiher November 4, 2014 Lecture 9 Page 1 CS 136,

Network Security Computer Security Peter Reiher November 4, 2014 Lecture 9 Page 1 CS 136,

Network Security Computer Security Peter Reiher November 4, 2014 Lecture 9 Page 1 CS 136, Fall 2014 Outline Network security characteristics and threats Denial of service attacks Traffic control mechanisms Firewalls

797 views • 67 slides
Webapp security: SQL injection Network Security Lecture 9 Today We have finished analyzing

Webapp security: SQL injection Network Security Lecture 9 Today We have finished analyzing

Webapp security: SQL injection Network Security Lecture 9 Today We have finished analyzing the security of network protocols We will now focus on web applications and their vulnerabilities (and attacks) SQL injection Eike Ritter

815 views • 25 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J Lecture #2 Aug 25 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Economist Survey Please read it Main points Security is a MUCH

600 views • 27 slides
System Health and Intrusion Monitoring System Health and Intrusion Monitoring Using a Hierarchy

System Health and Intrusion Monitoring System Health and Intrusion Monitoring Using a Hierarchy

Advanced Security Research System Health and Intrusion Monitoring System Health and Intrusion Monitoring Using a Hierarchy of Constraints Using a Hierarchy of Constraints Calvin Ko Calvin Ko , Network Associates, Inc. NAI Labs , Network

462 views • 27 slides
IP Fragmentation and Reassembly IP datagrams can be up to 65,535 bytes much larger

IP Fragmentation and Reassembly IP datagrams can be up to 65,535 bytes much larger

IP Fragmentation and Reassembly IP datagrams can be up to 65,535 bytes much larger than most networks can transmit in one packet Each network type defines maximum transmission unit (MTU) maximum number of bytes that can be

1.01k views • 23 slides
ilab Lab 1+2 The Basics / Static Routing ISO/OSI Layer Model (1979-1983) Applications, e.g.

ilab Lab 1+2 The Basics / Static Routing ISO/OSI Layer Model (1979-1983) Applications, e.g.

Lehrstuhl fr Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen ilab Lab 1+2 The Basics / Static Routing ISO/OSI Layer Model (1979-1983) Applications, e.g. HTTP, FTP, 7 Application Layer

804 views • 55 slides
Computer Networks - Xarxes de Computadors Outline Course Syllabus Unit 1: Introduction Unit 2.

Computer Networks - Xarxes de Computadors Outline Course Syllabus Unit 1: Introduction Unit 2.

Xarxes de Computadors Computer Networks Computer Networks - Xarxes de Computadors Outline Course Syllabus Unit 1: Introduction Unit 2. IP Networks Unit 3. Point to Point Protocols -TCP Unit 4. LANs Unit 5. Data Transmission 1 Lloren

1.13k views • 87 slides
9 Data Link Layer Data Link Layer LAN Address (more) Why both MAC and IP address? Answer:

9 Data Link Layer Data Link Layer LAN Address (more) Why both MAC and IP address? Answer:

Data Link Layer Data Link Layer Taking Turns MAC protocols Taking Turns MAC protocols Token passing: Polling: T control token passed master node from one node to next invites slave nodes data sequentially. to

448 views • 7 slides
Support of Cross Calls between Microprocessor and FPGA in CPU-FPGA Coupling Architecture G.

Support of Cross Calls between Microprocessor and FPGA in CPU-FPGA Coupling Architecture G.

Support of Cross Calls between Microprocessor and FPGA in CPU-FPGA Coupling Architecture G. NguyenThiHuong and Seon Wook Kim Microarchitecture and Compiler Laboratory School of Electrical Engineering Korea University Motivation

416 views • 19 slides
ECPE / COMP 177 Fall 2016 Some slides from Kurose and Ross, Computer Networking , 5 th Edition

ECPE / COMP 177 Fall 2016 Some slides from Kurose and Ross, Computer Networking , 5 th Edition

ECPE / COMP 177 Fall 2016 Some slides from Kurose and Ross, Computer Networking , 5 th Edition Course Organization Top-Down! Starting with Applications / App programming Then Transport Layer (TCP/UDP) Then Network Layer (IP)

695 views • 31 slides
Joint Agencies Vehicle-Grid Integration (VGI) Working Group Two WO WORKSHOP #2 10 AM 5 PM

Joint Agencies Vehicle-Grid Integration (VGI) Working Group Two WO WORKSHOP #2 10 AM 5 PM

Joint Agencies Vehicle-Grid Integration (VGI) Working Group Two WO WORKSHOP #2 10 AM 5 PM SEPTEMBER 26, 2019 SAN FRANCISCO, CA https://gridworks.org/initiatives/rule-21-working-group-3/ Agenda 10:00-10:15 Participant Introductions and

273 views • 24 slides

More recommend