other threats threat model beyond tls
play

Other threats Threat model (beyond TLS) TLS = confidentiality, - PowerPoint PPT Presentation

Aug 30, 2022 •426 likes •736 views

Other threats Threat model (beyond TLS) TLS = confidentiality, integrity, authenticity Metadata leaks Resource starvation Topic Virtual Private Networks (VPNs) Run as closed networks on Internet Use IPSEC to secure messages

  1. Other threats

  2. Threat model (beyond TLS) • TLS = confidentiality, integrity, authenticity • Metadata leaks • Resource starvation

  3. Topic • Virtual Private Networks (VPNs) • Run as closed networks on Internet • Use IPSEC to secure messages Internet Introduction to Computer Networks 3

  4. Motivation • The best part of IP connectivity • You can send to any other host • The worst part of IP connectivity • Any host can send packets to you! • There’s nasty stuff out there … Internet Introduction to Computer Networks 4

  5. Motivation (2) • Often desirable to separate network from the Internet, e.g., a company • Private network with leased lines • Physically separated from Internet Leased line Site C Site A Site B No way in! Introduction to Computer Networks 5

  6. Motivation (3) • Idea: Use the public Internet instead of leased lines – cheaper! • Logically separated from Internet … • This is a Virtual Private Network (VPN) Virtual link Site C Site A Internet Site B Maybe … Introduction to Computer Networks 6

  7. Goal and Threat Model • Goal is to keep a logical network (VPN) separate from the Internet while using it for connectivity • Threat is Trudy may access VPN and intercept or tamper with messages Ideal Introduction to Computer Networks 7

  8. Tunneling • How can we build a virtual link? With tunneling! • Hosts in private network send to each other normally • To cross virtual link (tunnel), endpoints encapsulate packet Tunnel endpoint Tunnel endpoint Virtual link or tunnel Public Internet Private Network A Private Network B Introduction to Computer Networks 8

  9. Tunneling (2) • Tunnel endpoints encapsulate IP packets (“IP in IP”) • Add/modify outer IP header for delivery to endpoint App App Tunnel Many Tunnel Endpoint Routers! Endpoint TCP TCP IP IP IP IP IP IP IP IP 802.11 802.11 802.11 802.11 Ethernet Ethernet Private Network A Public Internet Private Network B 9

  10. Tunneling (3) • Simplest encapsulation wraps packet with another IP header • Outer (tunnel) IP header has tunnel endpoints as source/destination • Inner packet has private network IP addresses as source/destination Inner packet Outer (Tunnel) IP HTTP IP TCP IP Introduction to Computer Networks 10

  11. Tunneling (4) • Tunneling alone is not secure … • No confidentiality, integrity/ authenticity • Trudy can read, inject her own messages • We require cryptographic protections! • IPSEC (IP Security) is often used to secure VPN tunnels Introduction to Computer Networks 11

  12. IPSEC (IP Security) • Longstanding effort to secure the IP layer • Adds confidentiality, integrity/authenticity • IPSEC operation: • Keys are set up for communicating host pairs • Communication becomes more connection-oriented • Header and trailer added to protect IP packets Tunnel Mode Introduction to Computer Networks 12

  13. Takeaways • VPNs are useful for building networks on top of the Internet • Virtual links encapsulate packets • Alters IP connectivity for hosts • VPNs need crypto to secure messages • Typically IPSEC is used for confidentiality, integrity/authenticity Introduction to Computer Networks 13

  14. Tor • “The Onion Router” • Basic idea: 1. Many volunteers act as routers in the overlay 2. Generate circuit of routers that you know will send packet 3. Encrypt the packet in layers for each router in circuit 4. Send the packet 5. Each router receives, decrypts their layer, and forwards based on new info 6. Routers maintain state about circuit to route stuff back to sender • But again, only know the next hop

  15. Resource Attacks

  16. Topic • Distributed Denial-of-Service (DDOS) • An attack on network availability Yum! Internet Introduction to Computer Networks 16

  17. Topic • Distributed Denial-of-Service (DDoS) • An attack on network availability Uh oh! Internet Introduction to Computer Networks 17

  18. Motivation • The best part of IP connectivity • You can send to any other host • The worst part of IP connectivity • Any host can send packets to you! Uh oh! Internet Introduction to Computer Networks 18

  19. Motivation (2) • Flooding a host with many packets can interfere with its IP connectivity • Host may become unresponsive • This is a form of denial-of-service (DoS) Uh oh Internet Hello? Introduction to Computer Networks 19

  20. Goal and Threat Model • Goal is for host to keep network connectivity for desired services • Threat is Trudy may overwhelm host with undesired traffic Hi! Hello! Ideal Internet Trudy Introduction to Computer Networks 20

  22. Internet Reality • DDoS is a huge problem today! • Github attack of 1tbps • There are no great solutions • CDNs, network traffic filtering, and best practices all help Introduction to Computer Networks 22

  23. Denial-of-Service • Denial-of-service means a system is made unavailable to intended users • Typically because its resources are consumed by attackers instead • In the network context: • “System” means server • “Resources” mean bandwidth (network) or CPU/memory (host) Introduction to Computer Networks 23

  24. Host Denial-of-Service • Strange packets can sap host resources! • “Ping of Death” malformed packet • “SYN flood” sends many TCP connect requests and never follows up • Few bad packets can overwhelm host XXX • Patches exist for these vulnerabilities • Read about “SYN cookies” for interest Introduction to Computer Networks 24

  25. Network Denial-of-Service • Network DOS needs many packets • To saturate network links • Causes high congestion/loss Access Link Uh oh • Helpful to have many attackers … or Distributed Denial-of-Service Introduction to Computer Networks 25

  26. Distributed Denial-of-Service (DDOS) • Botnet provides many attackers in the form of compromised hosts • Hosts send traffic flood to victim • Network saturates near victim Ouch L Victim Botnet Introduction to Computer Networks 26

  27. Complication: Spoofing • Attackers can falsify their IP address • Put fake source address on packets • Historically network doesn’t check • Hides location of the attackers • Called IP address spoofing I hate that Bob! Ha ha! From: “Bob” Trudy Alice Introduction to Computer Networks 27

  28. Spoofing (2) • Actually, it’s worse than that • Trudy can trick Bob into really sending packets to Alice • To do so, Trudy spoofs Alice to Bob Huh? 1: To Bob 2: To Alice From: “Alice” From Bob (reply) Trudy Alice Bob Introduction to Computer Networks 28

  29. Best Practice: Ingress Filtering • Idea: Validate the IP source address of packets at ISP boundary (Duh!) • Ingress filtering is a best practice, but deployment has been slow Nope, from Trudy Drat From: Bob Internet Trudy ISP boundary Introduction to Computer Networks 29

  30. Flooding Defenses 1. Increase network capacity around the server; harder to cause loss • Use a CDN for high peak capacity 2. Filter out attack traffic within the network (at routers) • The earlier the filtering, the better • Ultimately what is needed, but ad hoc measures by ISPs today Introduction to Computer Networks 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Odyssey: challenges to model privacy threats in a brave new world Rafa Glvez and Seda

The Odyssey: challenges to model privacy threats in a brave new world Rafa Glvez and Seda

The Odyssey: challenges to model privacy threats in a brave new world Rafa Glvez and Seda Grses Motivation imec - ESAT/COSIC, KU Leuven Threat Modeling 1. Characterize the system 2. Identify the threats 3. Threat and Risk analysis

147 views • 12 slides
Threat Models CS 5431 February 10, 2017 Threat Models Threats (CS 5430)

Threat Models CS 5431 February 10, 2017 Threat Models Threats (CS 5430)

Introduction Threat Models CS 5431 February 10, 2017 Threat Models Threats (CS 5430) Inquisitive people, unintentional blunders Hackers driven by technical challenges Disgruntled employees or

357 views • 23 slides
Insider Threat Insider Threat (Database Intrusion Detection) 1 Insider Threats: Motivation and

Insider Threat Insider Threat (Database Intrusion Detection) 1 Insider Threats: Motivation and

Insider Threat Insider Threat (Database Intrusion Detection) 1 Insider Threats: Motivation and Challenges Challenges Mission critical information = High value target Threatens Government organizations and large corporations

435 views • 39 slides
Threats and Responses 1 The Threat Environment Constantly evolving and innovative terrorist

Threats and Responses 1 The Threat Environment Constantly evolving and innovative terrorist

Canadas Maritime Security Title Goes Here Threats and Responses 1 The Threat Environment Constantly evolving and innovative terrorist and organized crime threats against marine transportation globally 200,000 km of coastline -

795 views • 12 slides
Web Security What should be the Threat Model for the Web? Goal and Threat Model Much can go

Web Security What should be the Threat Model for the Web? Goal and Threat Model Much can go

Web Security What should be the Threat Model for the Web? Goal and Threat Model Much can go wrong on the web! Clients encounter malicious content Web servers are target of break-ins Fake content/servers trick users Data sent

446 views • 16 slides
53-74% Average anti-virus effectiveness against new threats* * RAP Proactive 400 New threats

53-74% Average anti-virus effectiveness against new threats* * RAP Proactive 400 New threats

53-74% Average anti-virus effectiveness against new threats* * RAP Proactive 400 New threats every minute* * Merrill Lynch ...Causing $3T USD in costs, and expected to double by 2021* * CyberSecurity Ventures (2015) Todays threat

508 views • 35 slides
Com puter Security Last tim e Introduction Threat analysis Threats Introduction

Com puter Security Last tim e Introduction Threat analysis Threats Introduction

Com puter Security Last tim e Introduction Threat analysis Threats Introduction to access control Policy matrix Specification Design Implementation Operation and Maintenance Security in the Course Lectures

784 views • 40 slides
SCARC BOMB THREAT TRAINING BOMB THREATS American schools and companies receive thousands of

SCARC BOMB THREAT TRAINING BOMB THREATS American schools and companies receive thousands of

SCARC BOMB THREAT TRAINING BOMB THREATS American schools and companies receive thousands of bomb threat calls every year. Very few of these are warnings of real bombs. A large percentage of these calls prove to be hoaxes; however, all bomb

589 views • 17 slides
Com puter Security Part Tw o Previously Introduction Threat analysis Threats

Com puter Security Part Tw o Previously Introduction Threat analysis Threats

Com puter Security Part Tw o Previously Introduction Threat analysis Threats Policy Specification Design Implementation Operation and Maintenance Now Multilateral and Multilevel security Security policies

355 views • 24 slides
Purpose To help Ohio businesses fight back against data security threats. What Threat?

Purpose To help Ohio businesses fight back against data security threats. What Threat?

Purpose To help Ohio businesses fight back against data security threats. What Threat? Goal To create the best legal, technical, and collaborative cybersecurity environment possible in Ohio. Skimming

518 views • 25 slides
Threats, Threat Agents, and Vulnerabilities COMM037 Computer Security Dr Hans Georg Schaathun

Threats, Threat Agents, and Vulnerabilities COMM037 Computer Security Dr Hans Georg Schaathun

Threats, Threat Agents, and Vulnerabilities COMM037 Computer Security Dr Hans Georg Schaathun University of Surrey Autumn 2010 Week 5 Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 1 / 46

1.56k views • 108 slides
Programs 1 Cooperative Threat Reduction Evolved to combat emerging and global WMD threats

Programs 1 Cooperative Threat Reduction Evolved to combat emerging and global WMD threats

CBRN Capacity Building Programs 1 Cooperative Threat Reduction Evolved to combat emerging and global WMD threats Distinct approach to CBRN U.S. Department of State U.S. Department of Energy 2 The Chemical Security Program (CSP)

281 views • 16 slides
Detecting and Countering Insider Threats: the Insider Threat Can Policy-Based Access Control

Detecting and Countering Insider Threats: the Insider Threat Can Policy-Based Access Control

Introduction Insiders and Detecting and Countering Insider Threats: the Insider Threat Can Policy-Based Access Control Help? Trust and Trustworthi- ness Access Control and Trustwor- Jason Crampton 1 Michael Huth 2 thiness 1 Information

470 views • 25 slides
MENA Information Security Conference 2017 On the Verge : Combating Cyber Threats leveraging Threat

MENA Information Security Conference 2017 On the Verge : Combating Cyber Threats leveraging Threat

MENA Information Security Conference 2017 On the Verge : Combating Cyber Threats leveraging Threat Intelligence, Faster Detection & Automated Response Adaptive Security Strategy for SOC Ramy AlDamati Principle CyberSecurity Solution

680 views • 31 slides
Topics 1 . Building national interest in threat assessm ent 2 . Virginia threat assessm ent m

Topics 1 . Building national interest in threat assessm ent 2 . Virginia threat assessm ent m

The Virginia Model of School Threat Assessment June 19, 2019 Dewey Cornell, Ph.D. The Virginia Model of School Threat Assessm ent Dewey Cornell, Ph.D. Curry School of Education University of Virginia 434-924-8929 Email:

299 views • 15 slides
Cyber Kill Chain Jay Chen, Ruben Ocana, Senna Alsadam, Andrew Shi Modern Security Threats

Cyber Kill Chain Jay Chen, Ruben Ocana, Senna Alsadam, Andrew Shi Modern Security Threats

Cyber Kill Chain Jay Chen, Ruben Ocana, Senna Alsadam, Andrew Shi Modern Security Threats New class of threat actors called Advanced Persistent Threat (APT) Data compromised for economic or military advancement Conventional

701 views • 32 slides
Virtual Private Networks Distributed Systems Paul Krzyzanowski Private networks Problem You

Virtual Private Networks Distributed Systems Paul Krzyzanowski Private networks Problem You

4/25/08 Virtual Private Networks Distributed Systems Paul Krzyzanowski Private networks Problem You have several geographically separated local area networks that you would like to have connected securely Solution Set up a private

425 views • 7 slides
Project 5 Virtual Memory COS 318 Fall 2015 Project

Project 5 Virtual Memory COS 318 Fall 2015 Project

Project 5 Virtual Memory COS 318 Fall 2015 Project 5: Virtual Memory Goal: Add memory management and support for virtual memory to the

878 views • 23 slides
Bayesian Networks and Decision Graphs Chapter 6 Chapter 6 p. 1/17 Learning probabilities

Bayesian Networks and Decision Graphs Chapter 6 Chapter 6 p. 1/17 Learning probabilities

Bayesian Networks and Decision Graphs Chapter 6 Chapter 6 p. 1/17 Learning probabilities from a database We have: A Bayesian network structure. A database of cases over (some of) the variables. We want: A Bayesian network model

543 views • 39 slides
Pin Hole Cameras & Warp Functions Instructor - Simon Lucey 16-423 - Designing Computer Vision

Pin Hole Cameras & Warp Functions Instructor - Simon Lucey 16-423 - Designing Computer Vision

Pin Hole Cameras & Warp Functions Instructor - Simon Lucey 16-423 - Designing Computer Vision Apps Today Pinhole Camera. Homogenous Coordinates. Planar Warp Functions. Example of SLAM for AR Taken from: H. Liu et al.

620 views • 48 slides
Review of Symbols Review of Symbols CS 105 Basic Parameters Tour of the Black Holes of

Review of Symbols Review of Symbols CS 105 Basic Parameters Tour of the Black Holes of

366 views • 7 slides
100GE Upgrades at FNAL Phil DeMar ; Andrey Bobyshev CHEP 2015 April 14, 2015 FNAL High-Impact

100GE Upgrades at FNAL Phil DeMar ; Andrey Bobyshev CHEP 2015 April 14, 2015 FNAL High-Impact

100GE Upgrades at FNAL Phil DeMar ; Andrey Bobyshev CHEP 2015 April 14, 2015 FNAL High-Impact Traffic Isolation Philosophy If feasible, science data traffic kept logically separate: Optimal performance likely over WAN science data

345 views • 16 slides
Cache Hierarchies Po-An Tsai , Nathan Beckmann, and Daniel Sanchez Executive summary

Cache Hierarchies Po-An Tsai , Nathan Beckmann, and Daniel Sanchez Executive summary

Jenga: Software-Defined Cache Hierarchies Po-An Tsai , Nathan Beckmann, and Daniel Sanchez Executive summary Heterogeneous caches are traditionally organized as a rigid hierarchy Easy to program but introduce expensive overheads when

1.66k views • 152 slides
Comet Virtual Clusters Whats underneath? Philip Papadopoulos San Diego Supercomputer

Comet Virtual Clusters Whats underneath? Philip Papadopoulos San Diego Supercomputer

Comet Virtual Clusters Whats underneath? Philip Papadopoulos San Diego Supercomputer Center ppapadopoulos@ucsd.edu Overview NSF Award# 1341698, Gateways to Discovery: Cyberinfrastructure for the Long Tail of Science PI: Michael Norman

604 views • 38 slides

More recommend