Other defenses: Threat model (beyond TLS) - PowerPoint PPT Presentation



SLIDE 1

Other defenses

SLIDE 2

Threat model (beyond TLS)

  • TLS = confidentiality, integrity, authenticity
  • Metadata leaks
  • Resource starvation

SLIDE 3

Topic

  • Virtual Private Networks (VPNs)
  • Run as closed networks on Internet
  • Use IPSEC to secure messages

Introduction to Computer Networks 61


SLIDE 4

Motivation

  • The best part of IP connectivity
  • You can send to any other host
  • The worst part of IP connectivity
  • Any host can send packets to you!
  • There’s nasty stuff out there …


SLIDE 5

Motivation (2)

  • Often desirable to separate network from the Internet, e.g., a company

  • Private network with leased lines
  • Physically separated from Internet

[Figure: Sites A, B and C joined by leased lines, physically separated from the Internet ("No way in!")]

SLIDE 6

Motivation (3)

  • Idea: Use the public Internet instead of leased lines – cheaper!

  • Logically separated from Internet …
  • This is a Virtual Private Network (VPN)

[Figure: Sites A, B and C joined by virtual links across the Internet ("Maybe …")]

SLIDE 7

Goal and Threat Model

  • Goal is to keep a logical network (VPN) separate from the Internet while using it for connectivity
  • Threat is Trudy may access VPN and intercept or tamper with messages

SLIDE 8

Tunneling

  • How can we build a virtual link? With tunneling!
  • Hosts in private network send to each other normally
  • To cross virtual link (tunnel), endpoints encapsulate packet

[Figure: Private Network A and Private Network B joined by a virtual link, or tunnel, across the public Internet, with a tunnel endpoint on each side]

SLIDE 9

Tunneling (2)

  • Tunnel endpoints encapsulate IP packets (“IP in IP”)
  • Add/modify outer IP header for delivery to endpoint

[Figure: protocol stacks along the path: hosts in Private Networks A and B run App/TCP/IP over 802.11 or Ethernet; each tunnel endpoint adds an outer IP header, and the packet crosses many routers in the public Internet as IP in IP]

SLIDE 10

Tunneling (3)

  • Simplest encapsulation wraps packet with another IP header
  • Outer (tunnel) IP header has tunnel endpoints as source/destination
  • Inner packet has private network IP addresses as source/destination

[Figure: packet layout: Outer (Tunnel) IP header followed by the inner packet (IP, TCP, HTTP)]

SLIDE 11

Tunneling (4)

  • Tunneling alone is not secure …
  • No confidentiality, integrity/ authenticity
  • Trudy can read, inject her own messages
  • We require cryptographic protections!
  • IPSEC (IP Security) is often used to secure VPN tunnels
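The encapsulation of slides 10 and 11, as an added Python example that is not part of the lecture: it builds an IP-in-IP packet between two tunnel endpoints (203.0.113.1 and 198.51.100.1, constructed addresses), decapsulates it at the far end, and shows that anyone on the public path can parse the inner packet, because plain tunneling provides no confidentiality.

```python
import socket
import struct

IPPROTO_IPIP = 4  # IANA protocol number for IP-in-IP encapsulation

def checksum(data: bytes) -> int:
    """One's-complement Internet checksum; over a header that already carries its checksum it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed IPv4 header, verify its checksum, and return the fields plus payload."""
    ihl = (pkt[0] & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}

def encapsulate(inner: bytes, my_endpoint: str, peer_endpoint: str) -> bytes:
    """Tunnel endpoint wraps a private-network packet in an outer header addressed to its peer."""
    return ipv4_header(my_endpoint, peer_endpoint, IPPROTO_IPIP, len(inner)) + inner

def decapsulate(wire: bytes, my_endpoint: str) -> bytes:
    """Peer endpoint strips the outer header after checking the packet is IP-in-IP addressed to it."""
    outer = parse_ipv4(wire)
    if outer["dst"] != my_endpoint or outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not a tunnel packet for this endpoint")
    return outer["payload"]

def demo():
    # Constructed example: private host 10.1.0.5 (site A) sends to 10.2.0.7 (site B)
    # through tunnel endpoints with public addresses 203.0.113.1 and 198.51.100.1.
    inner = ipv4_header("10.1.0.5", "10.2.0.7", 6, 5) + b"hello"   # proto 6 = TCP, toy payload
    wire = encapsulate(inner, "203.0.113.1", "198.51.100.1")
    # Trudy, anywhere on the public path, can parse both headers: tunneling alone hides nothing.
    seen_by_trudy = parse_ipv4(parse_ipv4(wire)["payload"])
    delivered = decapsulate(wire, "198.51.100.1")
    return parse_ipv4(wire), seen_by_trudy, delivered == inner
```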

SLIDE 12

IPSEC (IP Security)

  • Longstanding effort to secure the IP layer
  • Adds confidentiality, integrity/authenticity
  • IPSEC operation:
  • Keys are set up for communicating host pairs
  • Communication becomes more connection-oriented
  • Header and trailer added to protect IP packets

[Figure: Tunnel Mode]

SLIDE 13

Takeaways

  • VPNs are useful for building networks on top of the Internet
  • Virtual links encapsulate packets
  • Alters IP connectivity for hosts
  • VPNs need crypto to secure messages
  • Typically IPSEC is used for confidentiality, integrity/authenticity

SLIDE 14

Tor

  • “The Onion Router”
  • Basic idea:
  • 1. Many volunteers act as routers in the overlay
  • 2. Generate circuit of routers that you know will send packet
  • 3. Encrypt the packet in layers for each router in circuit
  • 4. Send the packet
  • 5. Each router receives, decrypts their layer, and forwards based on new info
  • 6. Routers maintain state about circuit to route stuff back to sender
  • But again, only know the next hop
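Steps 3 to 5 of the circuit above, as an added Python example that is not part of the lecture and not Tor's real protocol: the sender wraps the payload in one layer per router, and each router peels only its own layer and learns only the next hop. The router names, keys and the SHA-256 counter-mode keystream used as a stand-in cipher are all constructed for the demo.

```python
import hashlib
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher for the demo: SHA-256 in counter mode used as a keystream.
    Symmetric, so the same call encrypts and decrypts. Not Tor's real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def build_onion(circuit, payload: bytes) -> bytes:
    """circuit: [(router_name, key_shared_with_that_router), ...] in forwarding order.
    Wrap from the exit inward (step 3) so each router can peel exactly one layer."""
    msg = b"EXIT|" + payload          # only the last router ever sees the payload
    next_hop = b""
    for name, key in reversed(circuit):
        if next_hop:
            msg = b"NEXT|" + next_hop + b"|" + msg   # this router learns only its next hop
        nonce = os.urandom(8)
        msg = nonce + keystream_xor(key, nonce, msg)
        next_hop = name.encode()
    return msg

def peel(key: bytes, onion: bytes):
    """One router's step 5: strip its layer; return (next_hop or None, remaining bytes)."""
    plain = keystream_xor(key, onion[:8], onion[8:])
    if plain.startswith(b"EXIT|"):
        return None, plain[5:]
    kind, hop, rest = plain.split(b"|", 2)
    if kind != b"NEXT":
        raise ValueError("layer did not decrypt to a routing instruction")
    return hop.decode(), rest

def route(keys: dict, first_hop: str, onion: bytes):
    """Simulate forwarding along the circuit; returns (trace of (router, next_hop), payload)."""
    trace, cur = [], first_hop
    while True:
        nxt, onion = peel(keys[cur], onion)
        trace.append((cur, nxt))
        if nxt is None:
            return trace, onion
        cur = nxt
```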

SLIDE 15

Resource Attacks

SLIDE 16

Topic

  • Distributed Denial-of-Service (DDOS)
  • An attack on network availability

[Figure: Internet ("Yum!")]

SLIDE 17

Topic

  • Distributed Denial-of-Service (DDoS)
  • An attack on network availability

[Figure: Internet ("Uh oh!")]

SLIDE 18

Motivation

  • The best part of IP connectivity
  • You can send to any other host
  • The worst part of IP connectivity
  • Any host can send packets to you!

[Figure: Internet ("Uh oh!")]

SLIDE 19

Motivation (2)

  • Flooding a host with many packets can interfere with its IP connectivity

  • Host may become unresponsive
  • This is a form of denial-of-service (DoS)

[Figure: Internet ("Uh oh … Hello?")]

SLIDE 20

Goal and Threat Model

  • Goal is for host to keep network connectivity for desired services

  • Threat is Trudy may overwhelm host with undesired traffic

[Figure: Ideal: Trudy's traffic is kept out while the host's "Hello!" / "Hi!" exchange over the Internet continues]

SLIDE 21

SLIDE 22

Internet Reality

  • DDoS is a huge problem today!
  • GitHub attack of 1 Tbps
  • There are no great solutions
  • CDNs, network traffic filtering, and best practices all help

SLIDE 23

Denial-of-Service

  • Denial-of-service means a system is made unavailable to intended users

  • Typically because its resources are consumed by attackers instead
  • In the network context:
  • “System” means server
  • “Resources” mean bandwidth (network) or CPU/memory (host)

SLIDE 24

Host Denial-of-Service

  • Strange packets can sap host resources!
  • “Ping of Death” malformed packet
  • “SYN flood” sends many TCP connect requests and never follows up
  • Few bad packets can overwhelm host
  • Patches exist for these vulnerabilities
  • Read about “SYN cookies” for interest
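The "SYN cookies" the slide points to, as an added Python example (not from the lecture): the server answers a SYN with an initial sequence number that encodes a time counter, the client's MSS and a keyed hash of the connection's 4-tuple, keeps no half-open state, and accepts the connection only if the ACK echoes a cookie that verifies. This follows the classic cookie layout (5-bit time, 2-bit MSS index, 24-bit hash); the secret key, the MSS table and the 2-tick validity window are constructed for the demo.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-secret"     # constructed; a real server uses a random key
MSS_TABLE = (536, 1220, 1460, 4460)      # MSS values encodable in the cookie's 2 MSS bits (assumed table)
MAX_AGE_TICKS = 2                        # accept cookies at most this many 64-second ticks old

def _mac(src, dst, sport, dport, t):
    """24-bit keyed hash binding the cookie to the connection 4-tuple and the time counter."""
    msg = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HHB", sport, dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(src, dst, sport, dport, mss, now):
    """Answer a SYN with an ISN that encodes everything the server needs later, so it keeps
    no per-connection state and a flood of SYNs that never complete cannot fill its backlog."""
    t = (now // 64) & 0x1F                                            # 5-bit time counter
    m = max([i for i, v in enumerate(MSS_TABLE) if v <= mss], default=0)  # largest MSS <= client's
    return (t << 27) | (m << 24) | _mac(src, dst, sport, dport, t)

def check_cookie(src, dst, sport, dport, cookie, now):
    """Validate the cookie echoed in the client's ACK (acknowledgement number minus 1).
    Returns the MSS to use for the connection, or None if the cookie is forged or stale."""
    t = cookie >> 27
    if ((now // 64) - t) & 0x1F > MAX_AGE_TICKS:                # stale, or not from this time window
        return None
    if (cookie & 0xFFFFFF) != _mac(src, dst, sport, dport, t):  # wrong 4-tuple or tampered
        return None
    return MSS_TABLE[(cookie >> 24) & 0x3]
```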

SLIDE 25

Network Denial-of-Service

  • Network DOS needs many packets
  • To saturate network links
  • Causes high congestion/loss
  • Helpful to have many attackers … or Distributed Denial-of-Service

[Figure: attack traffic saturating the victim's access link ("Uh oh")]

SLIDE 26

Distributed Denial-of-Service (DDOS)

  • Botnet provides many attackers in the form of compromised hosts

  • Hosts send traffic flood to victim
  • Network saturates near victim

[Figure: botnet hosts flooding the victim ("Ouch")]

SLIDE 27

Complication: Spoofing

  • Attackers can falsify their IP address
  • Put fake source address on packets
  • Historically network doesn’t check
  • Hides location of the attackers
  • Called IP address spoofing

[Figure: Trudy sends Alice a packet marked "From: Bob"; Alice: "I hate that Bob!"; Trudy: "Ha ha!"]

SLIDE 28

Spoofing (2)

  • Actually, it’s worse than that
  • Trudy can trick Bob into really sending packets to Alice
  • To do so, Trudy spoofs Alice to Bob

[Figure: 1: Trudy sends Bob a packet marked "From: Alice"; 2: Bob replies "To Alice, From Bob"; Alice: "Huh?"]

SLIDE 29

Best Practice: Ingress Filtering

  • Idea: Validate the IP source address of packets at ISP boundary (Duh!)
  • Ingress filtering is a best practice, but deployment has been slow
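The boundary check above, as an added Python example that is not part of the lecture: an ISP edge keeps a table of the prefixes assigned to each customer interface and forwards a packet only if its source address lies in the prefixes of the interface it arrived on (the rule RFC 2827 / BCP 38 describes). It goes slightly beyond the slide by handling several interfaces and IPv6; the interface names, prefixes and sample packets are constructed, with Trudy's packets replaying the two spoofing tricks from slides 27 and 28.

```python
import ipaddress

# Constructed example: address blocks the ISP assigned to each customer-facing interface.
CUSTOMER_PREFIXES = {
    "cust-alice": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-bob":   [ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("2001:db8:b0b::/48")],
    "cust-trudy": [ipaddress.ip_network("203.0.113.0/24")],
}

def ingress_check(interface: str, src: str):
    """Ingress filter at the ISP boundary: a packet entering on a customer interface may only
    carry a source from that customer's blocks. Returns (allowed, reason)."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False, "unparsable source address"
    if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
        return False, "bogon source address"
    for net in CUSTOMER_PREFIXES.get(interface, []):
        if addr in net:                      # membership is False across IP versions
            return True, f"source within assigned prefix {net}"
    return False, f"source {addr} not assigned to {interface} (spoofed)"

def filter_batch(packets):
    """packets: [(ingress_interface, src, dst), ...]. Returns the forwarded (src, dst) pairs
    and the dropped (src, dst, reason) triples, in arrival order."""
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        ok, reason = ingress_check(iface, src)
        if ok:
            forwarded.append((src, dst))
        else:
            dropped.append((src, dst, reason))
    return forwarded, dropped

# Constructed packets: Trudy sits behind cust-trudy; Alice is 192.0.2.10, Bob is 198.51.100.5.
SAMPLE_PACKETS = [
    ("cust-trudy", "203.0.113.9", "192.0.2.10"),     # honest packet from Trudy's real address
    ("cust-trudy", "198.51.100.5", "192.0.2.10"),    # slide 27: "From: Bob" sent to Alice
    ("cust-trudy", "192.0.2.10", "198.51.100.5"),    # slide 28: "From: Alice" sent to Bob
    ("cust-bob", "198.51.100.5", "192.0.2.10"),      # Bob genuinely sending to Alice
    ("cust-bob", "2001:db8:b0b::1", "2001:db8::1"),  # Bob's IPv6 block
    ("cust-trudy", "127.0.0.1", "192.0.2.10"),       # bogon source
]
```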

[Figure: at the ISP boundary a packet marked "From: Bob" is rejected: "Nope, from Trudy"; Trudy: "Drat"]

SLIDE 30

Flooding Defenses

  • 1. Increase network capacity around the server; harder to cause loss
  • Use a CDN for high peak capacity
  • 2. Filter out attack traffic within the network (at routers)
  • The earlier the filtering, the better
  • Ultimately what is needed, but ad hoc measures by ISPs today

SLIDE 31

End-to-End principle

SLIDE 32

End-to-end Principle

  • Broad networking principle
  • First implementation in French CYCLADES network (after ARPA) (1970)
  • Articulated in its most recognizable form by Saltzer, Reed, Clark (1981)
  • Guidance on placing functionality such as reliability, security, etc.—in network or at endpoints (hosts)?
  • Argues for endpoint placement

SLIDE 33

Multiple interpretations of the principle

  • The network cannot be trusted. Do it yourself.
  • The network can suffer heavy damage
  • Nuclear attacks (but not DDoS attacks!)
  • Need end-to-end correctness anyway
  • Diminishing returns from in-network functionality
  • Not everyone needs it
  • Place functionality in the network only when necessary (e.g., for performance)

SLIDE 34

E2E Example: Error-correcting codes

IP: Host detects errors

802.11: Link detects errors

SLIDE 35

E2E Example: ARQ

TCP: Host retransmits on failure

802.11: Link detects drops and retransmits

SLIDE 36

E2E Example: In-order delivery

TCP: Host enforces in-order delivery

SS5: Network enforces in-order delivery

SLIDE 37

E2E Example: Security

SSL: Host encrypts content

GSM: Network encrypts content

SLIDE 38

End-to-End limitations

  • Some functionality cannot be implemented at endpoints
  • NATs, DoS protection, … the principle is silent on these
  • Assumes a clear dividing line between network and endpoints
  • Reality of distributed applications (e.g., CDNs) is more complex
  • No guidance on how much functionality can go in the network for performance