  1. Network Security Computer Security Peter Reiher November 4, 2014 Lecture 9 Page 1 CS 136, Fall 2014

  2. Outline
  • Network security characteristics and threats
  • Denial of service attacks
  • Traffic control mechanisms
  • Firewalls
  • Encryption for network security & VPNs
  • Wireless security
  • Honeypots and honeynets

  3. Some Important Network Characteristics for Security
  • Degree of locality
  • Media used
  • Protocols used

  4. Degree of Locality
  • Some networks are very local
    – E.g., an Ethernet
    – Benefits from:
      • Physical locality
      • Small number of users and machines
      • Common goals and interests
  • Other networks are very non-local
    – E.g., the Internet backbone
    – Many users/sites share bandwidth

  5. Network Media
  • Some networks are wires, cables, or over telephone lines
    – Can be physically protected
  • Other networks are satellite links or other radio links
    – Physical protection possibilities more limited

  6. Protocol Types
  • TCP/IP is the most used
    – But it only specifies some common intermediate levels
    – Other protocols exist above and below it
  • In places, other protocols replace TCP/IP
  • And there are lots of supporting protocols
    – Routing protocols, naming and directory protocols, network management protocols
    – And security protocols (IPSec, ssh, ssl)

  7. Implications of Protocol Type
  • The protocol defines a set of rules that will always be followed
    – But usually not quite complete
    – And they assume everyone is at least trying to play by the rules
    – What if they don’t?
  • Specific attacks exist against specific protocols

  8. Threats To Networks
  • Wiretapping
  • Impersonation
  • Attacks on message
    – Confidentiality
    – Integrity
  • Denial of service attacks

  9. Wiretapping
  • Passive wiretapping is listening in illicitly on conversations
  • Active wiretapping is injecting traffic illicitly
  • Packet sniffers can listen to all traffic on a broadcast medium
    – Ethernet or 802.11, e.g.
  • Wiretapping on wireless often just a matter of putting up an antenna

  10. Impersonation
  • A packet comes in over the network
    – With some source indicated in its header
  • Often, the action to be taken with the packet depends on the source
  • But attackers may be able to create packets with false sources

  11. Violations of Message Confidentiality
  • Other problems can cause messages to be inappropriately divulged
  • Misdelivery can send a message to the wrong place
    – Clever attackers can make it happen
  • Message can be read at an intermediate gateway or a router
  • Sometimes an intruder can get useful information just by traffic analysis

  12. Message Integrity
  • Even if the attacker can’t create the packets he wants, sometimes he can alter proper packets
  • To change the effect of what they will do
  • Typically requires access to part of the path message takes

  13. Denial of Service
  • Attacks that prevent legitimate users from doing their work
  • By flooding the network
  • Or corrupting routing tables
  • Or flooding routers
  • Or destroying key packets

  14. How Do Denial of Service Attacks Occur?
  • Basically, the attacker injects some form of traffic
  • Most current networks aren’t built to throttle uncooperative parties very well
  • All-inclusive nature of the Internet makes basic access trivial
  • Universality of IP makes reaching most of the network easy

  15. An Example: SYN Flood
  • Based on vulnerability in TCP
  • Attacker uses initial request/response to start TCP session to fill a table at the server
  • Preventing new real TCP sessions
  • SYN cookies and firewalls with massive tables are possible defenses

  16. Normal SYN Behavior
  [Diagram: client sends SYN, server replies SYN/ACK, client sends ACK; the server records the connection in its table of open TCP connections]

  17. A SYN Flood
  [Diagram: many SYNs arrive and the server answers each with a SYN/ACK; the table of open TCP connections fills up, so the server can’t fill the request]

  18. SYN Cookies
  • No room in the table, so send back a SYN cookie instead
  • SYN/ACK number is cookie value!
    – Function of client IP address & port, server’s IP address and port, server’s secret, and a timer
  • Server recalculates cookie to determine if proper response
  • KEY POINT: Server doesn’t need to save various information
    – And no changes to TCP protocol itself
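
The SYN cookie idea from the slide, worked through as an added example (not code from the lecture): the server's initial sequence number is an HMAC over the 4-tuple and a coarse timer, keyed with a server secret, so the ACK can be validated with no table entry. The secret, addresses and ports below are constructed sample values.

```python
import hashlib
import hmac
import time

# Constructed secret for the example; a real server generates this at random at boot.
SERVER_SECRET = b"example-secret-do-not-use"

def _cookie_mac(secret, client_ip, client_port, server_ip, server_port, t):
    """24-bit keyed MAC over the connection 4-tuple and the time counter t."""
    msg = f"{client_ip}:{client_port}|{server_ip}:{server_port}|{t}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:3]

def make_syn_cookie(client_ip, client_port, server_ip, server_port, now,
                    secret=SERVER_SECRET):
    """Initial sequence number to put in the SYN/ACK when the table is full.
    Top 8 bits: time counter t (64-second ticks) so the server can judge the
    cookie's age. Low 24 bits: MAC keyed with the server's secret. Nothing is
    stored: the 4-tuple and t are recoverable from the client's ACK.
    (Real implementations also encode the client's MSS; omitted here.)"""
    t = (now // 64) & 0xFF
    mac = int.from_bytes(_cookie_mac(secret, client_ip, client_port,
                                     server_ip, server_port, t), "big")
    return (t << 24) | mac

def check_ack(ack_number, client_ip, client_port, server_ip, server_port, now,
              secret=SERVER_SECRET, max_age_ticks=2):
    """Validate the third-handshake ACK without any saved state. The client
    acknowledges ISN+1, so subtract 1 to recover the cookie, pull t out of the
    top byte, and recompute the MAC from the 4-tuple the ACK arrived with."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    t = cookie >> 24
    age = (((now // 64) & 0xFF) - t) & 0xFF
    if age > max_age_ticks:
        return False                      # stale cookie: reject, no table entry
    expected = _cookie_mac(secret, client_ip, client_port, server_ip, server_port, t)
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    return hmac.compare_digest(expected, got)

if __name__ == "__main__":
    now = int(time.time())
    isn = make_syn_cookie("95.113.27.12", 40000, "128.171.192.5", 80, now)
    print(hex(isn), check_ack(isn + 1, "95.113.27.12", 40000, "128.171.192.5", 80, now))
```

A flood of SYNs therefore costs the server only a MAC computation per packet; an ACK that does not carry a matching cookie for its own 4-tuple, or that arrives too late, is dropped before any state is allocated.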

  19. General Network Denial of Service Attacks
  • Need not tickle any particular vulnerability
  • Can achieve success by mere volume of packets
  • If more packets sent than can be handled by target, service is denied
  • A hard problem to solve

  20. Distributed Denial of Service Attacks
  • Goal: Prevent a network site from doing its normal business
  • Method: overwhelm the site with attack traffic
  • Response: ?

  21. The Problem
  [Diagram only; no slide text recoverable]

  22. Why Are These Attacks Made?
  • Generally to annoy
  • Sometimes for extortion
  • Sometimes to prevent adversary from doing something important
  • If directed at infrastructure, might cripple parts of Internet

  23. Attack Methods
  • Pure flooding
    – Of network connection
    – Or of upstream network
  • Overwhelm some other resource
    – SYN flood
    – CPU resources
    – Memory resources
    – Application level resource
  • Direct or reflection

  24. Why “Distributed”?
  • Targets are often highly provisioned servers
  • A single machine usually cannot overwhelm such a server
  • So harness multiple machines to do so
  • Also makes defenses harder

  25. How to Defend?
  • A vital characteristic:
    – Don’t just stop a flood
    – ENSURE SERVICE TO LEGITIMATE CLIENTS!!!
  • If you deliver a manageable amount of garbage, you haven’t solved the problem
  • Nor have you if you prevent a flood by dropping all packets

  26. Complicating Factors
  • High availability of compromised machines
    – Millions of zombie machines out there
  • Internet is designed to deliver traffic
    – Regardless of its value
  • IP spoofing allows easy hiding
  • Distributed nature makes legal approaches hard
  • Attacker can choose all aspects of his attack packets
    – Can be a lot like good ones

  27. Basic Defense Approaches
  • Overprovisioning
  • Dynamic increases in provisioning
  • Hiding
  • Tracking attackers
  • Legal approaches
  • Reducing volume of attack
  • None of these are totally effective

  28. Traffic Control Mechanisms
  • Filtering
    – Source address filtering
    – Other forms of filtering
  • Rate limits
  • Protection against traffic analysis
    – Padding
    – Routing control

  29. Source Address Filtering
  • Filtering out some packets because of their source address value
    – Usually because you believe their source address is spoofed
  • Often called ingress filtering
    – Or egress filtering . . .

  30. Source Address Filtering for Address Assurance
  • Router “knows” what network it sits in front of
    – In particular, knows IP addresses of machines there
  • Filter outgoing packets with source addresses not in that range
  • Prevents your users from spoofing other nodes’ addresses
    – But not from spoofing each other’s

  31. Source Address Filtering Example
  [Diagram: a packet carrying the addresses 95.113.27.12 and 56.29.138.2 leaves the 128.171.192.* network; “My network shouldn’t be creating packets with this source address, so drop the packet”]

  32. Source Address Filtering in the Other Direction
  • Often called egress filtering
    – Or ingress filtering . . .
  • Occurs as packets leave the Internet and enter a border router
    – On way to that router’s network
  • What addresses shouldn’t be coming into your local network?

  33. Filtering Incoming Packets
  [Diagram: a packet carrying the addresses 128.171.192.5 and 128.171.192.7 arrives from the Internet at the border router for 128.171.192.*; “Packets with this source address should be going out, not coming in, so drop the packet”]

  34. Other Forms of Filtering
  • One can filter on things other than source address
    – Such as worm signatures, unknown protocol identifiers, etc.
  • Also, there are unallocated IP addresses in IPv4 space
    – Can filter for packets going to or coming from those addresses
  • Some source addresses for local use only
    – Internet routers can drop packets to/from them
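
The three filtering rules of slides 30 through 34 (outgoing packets must carry a local source, incoming packets must not, and local-use-only addresses never cross the border), combined into one border-router decision function as an added example that is not part of the lecture. The prefix 128.171.192.0/24 and the packets are taken from the slides' example addresses; the local-use-only list is illustrative, not a complete bogon list.

```python
import ipaddress

# Network the border router sits in front of (the slides' 128.171.192.* example).
LOCAL_NET = ipaddress.ip_network("128.171.192.0/24")

# Addresses meant for local use only (RFC 1918 private space, loopback,
# link-local, "this network"); slide 34 notes routers can drop packets to/from them.
LOCAL_USE_ONLY = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

def _local_use(addr):
    return any(addr in net for net in LOCAL_USE_ONLY)

def filter_packet(direction, src, dst, local_net=LOCAL_NET):
    """Return (verdict, reason) for one packet at the border router.
    direction "out": leaving local_net toward the Internet (slides 30/31).
    direction "in":  arriving from the Internet into local_net (slides 32/33)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if _local_use(src) or _local_use(dst):
        return "drop", "local-use-only address must not cross the border"
    if direction == "out":
        # Our network should only emit packets sourced from its own range.
        # Note the limit from slide 30: one local host spoofing another local
        # host's address passes this check, since both are inside local_net.
        if src not in local_net:
            return "drop", f"source {src} is not in {local_net}"
    elif direction == "in":
        # Packets claiming our addresses should be going out, not coming in.
        if src in local_net:
            return "drop", f"source {src} claims local network {local_net}"
    else:
        raise ValueError("direction must be 'in' or 'out'")
    return "accept", "source address consistent with direction"

if __name__ == "__main__":
    # Constructed packets built from the slides' example addresses
    for d, s, t in [("out", "95.113.27.12", "56.29.138.2"),
                    ("out", "128.171.192.5", "56.29.138.2"),
                    ("in", "128.171.192.5", "128.171.192.7"),
                    ("in", "56.29.138.2", "128.171.192.7"),
                    ("in", "10.0.0.1", "128.171.192.7")]:
        print(d, s, "->", t, filter_packet(d, s, t))
```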
