iv. network security - ensimagensiwiki.ensimag.fr/images/5/5e/network_security_-_4...27 4mmsr -...
• Lecturers: Fabien Duchene, Dominique Vicard • Chapters:
• IV.6. Internet
4MMSR - Network security course
IV. Network Security
4MMSR
2010-2011
Grenoble INP Ensimag
Plan – Theme IV. Network security
• 0. Introduction: The network; Paranoia: a user's guide
• 1. Threats, vulnerabilities, attacks: Definitions; Attacks
• 2. Some algorithms: Steganography; Secret sharing; P2P: the Eigentrust algorithm
• 3. Client workstation: Certifications; Security principles; Main mechanisms; NT4+; Unix
• 4. Intranet: Authentication (Active Directory, Kerberos); Conformance (IDS/IPS, Antimalware, NAC)
• 5. Protocols: RFID; RAS: PPTP, L2F, L2TP; RADIUS; 802.1x – wifi; IPSec; SSL/TLS; VPN; GSM
• 6. Internet: Firewall; Proxy, Socks; Web-Services; PKI
• 7. Browser: Privacy mode; Javascript, XSS; Flash, ActiveX, Java; Sandbox; HTML5
0.1. Introduction 4MMSR - Network Security - 2010-2011 2
IV. 6. Internet
• Firewall • Proxy, Socks • Web-Services • PKI
6.1. Firewall
• Introduction • Firewall locations
o Network edge o Endpoint & servers
• Packet filtering • Stateful Packet Inspection • Application firewalls • Firewall policy
Some material from Cyril Voisin's lecture "Base de la sécurité des réseaux" (Network security basics), Principal Security Advisor, Microsoft
6.1.1. Perimeter security
• Security at the network layers (network & transport) • Part of the defense-in-depth mechanism • Traditional security view
• But! • Old, traditional mechanism • This is NOT SUFFICIENT today: host protection is vital! • Lack of flexibility, cost
o Microsoft now pushes for "deperimeterization": IPSec boundaries
6.1.1. Firewall - introduction
• Filtering: "limits network access between at least two networks" o filtering in both directions o Rules, metrics o RFC2979
• Thus located between two networks o L2 switching capabilities o L3 router in an IP path
• Information disclosure prevention: • IPv4 network: Network Address Translation protects a network topology from being discovered o 1-to-1 mapping o 1-to-N mapping (discrimination based on the destination port)
6.1.1. Firewall – introduction (2)
• Products • Software firewall
o Installable executable – linux iptables – Windows Advanced Firewall
o Virtual machine
• Hardware accelerated firewall "appliance" = HW+SW o Eg: Juniper, NetASQ…
6.1.2. Firewall locations
• Endpoint & servers “host-based firewall” • Software: in-depth defense principle! • Tight OS interactions (each socket or routing operation!) • Easier to hack than separate firewalls
• Network Edge o Software o Virtualized o Hardware
[Figure (picture source: Wikipedia): a firewall placed between the WAN (public network) and the LAN (controlled network)]
DMZ (DeMilitarized Zone), "perimeter network"
• Two firewall levels • the multiculture principle => different brands
• One firewall level
6.1.2. some common DMZ network topologies
[Figure: the two DMZ topologies, labelled Internet, DMZ and Internal network. Two firewall levels: one firewall between the Internet and the DMZ, a second one between the DMZ and the internal network. One firewall level: a single firewall joining the Internet, the DMZ and the internal network.]
6.1.3. Stateless firewalls “packet filtering”
• 1st generation: o 1988: Dodong Sean James, Elohra (DEC) o 1980-1990: Bill Cheswick and Steve Bellovin (AT&T Bell Labs)
• Filters packets to allow some circuits: o Pass o Drop (silently discard) o Reject (error response to the sender)
• Depending on L3 (Network) and L4 (Transport) metrics: o IP source/destination address o TCP/UDP source/destination port number
• Policy example: o allow TCP->21 traffic from network A to network B o deny all traffic from (any network) to (any network)
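A minimal first-generation packet filter, added here as an example (it is not code from the course), to show how a policy like the one above is evaluated on L3/L4 fields only. Networks A and B, the sample packets and the PERMISSIVE_POLICY are constructed; the last rule of each policy is the "deny all" that section 6.1.6 requires, and the last two packets show why a stateless filter cannot safely admit the return traffic of a connection, which is what the next section (stateful inspection) addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # L4 protocol: "tcp" or "udp"
    src: str     # L3 source address
    dst: str     # L3 destination address
    sport: int   # L4 source port
    dport: int   # L4 destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass", "drop" (silent discard) or "reject" (error to sender)
    proto: Optional[str] = None  # None means any protocol
    src: Optional[str] = None    # CIDR network, None means any network
    dst: Optional[str] = None
    dport: Optional[int] = None  # None means any destination port

    def matches(self, p: Packet) -> bool:
        """A stateless filter only looks at these L3/L4 metrics of the packet itself."""
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == p.dport


def ends_with_deny_all(rules: List[Rule]) -> bool:
    """Least-privilege check: the last evaluated rule must be 'deny all from any to any'."""
    last = rules[-1]
    return last.action in ("drop", "reject") and (last.proto, last.src, last.dst, last.dport) == (None, None, None, None)


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; a packet no rule covers is silently dropped."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "drop"


# Constructed networks for the slide's policy: allow TCP->21 from A to B, then deny all.
NETWORK_A = "10.0.0.0/24"
NETWORK_B = "192.168.1.0/24"
POLICY = [
    Rule("pass", proto="tcp", src=NETWORK_A, dst=NETWORK_B, dport=21),
    Rule("drop"),  # deny all traffic from (any network) to (any network)
]

# The FTP server's replies (B:21 -> A:<client port>) do not match rule 1, so a stateless
# administrator is tempted to add a rule for them; that rule also admits any packet that
# merely carries source port 21 (constructed packet below), which is what SPI fixes.
PERMISSIVE_POLICY = [
    POLICY[0],
    Rule("pass", proto="tcp", src=NETWORK_B, dst=NETWORK_A),  # "return traffic", judged by source only
    Rule("drop"),
]


def demo() -> dict:
    """Decisions for a few constructed packets under both policies."""
    ftp_control = Packet("tcp", "10.0.0.7", "192.168.1.20", 40000, 21)
    ftp_reply = Packet("tcp", "192.168.1.20", "10.0.0.7", 21, 40000)
    sport21_packet = Packet("tcp", "192.168.1.99", "10.0.0.7", 21, 22)  # source port 21, another service
    return {
        "ftp_control": evaluate(POLICY, ftp_control),
        "ftp_reply_strict": evaluate(POLICY, ftp_reply),
        "ftp_reply_permissive": evaluate(PERMISSIVE_POLICY, ftp_reply),
        "sport21_permissive": evaluate(PERMISSIVE_POLICY, sport21_packet),
    }
```

Under the strict policy the FTP replies never come back; under the permissive one they do, but so does anything else with source port 21, because a stateless filter has no memory of which connection a packet belongs to.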
[Figure: protocol layers – Upper layers (application, session, presentation…); Transport (UDP, TCP); Network (IP); Link (Ethernet); Physical. A packet filter decides on the Network and Transport layers only.]
6.1.4. Stateful packet inspection “session filtering”
• Attacks on 1st generation FW: o DoS, eg: SYN flood (firewall resource consumption)
• 2nd generation o 1989-90: Janardhan Sharma, Dave Presetto, and Kshitij Nigam o 1995: first commercial product by Nir Zuk's team (CheckPoint)
• Stores the "connection state" o does that new packet conform to the current connection? o or is it for a new connection? o see the NAT connection table (in your network lecture!)
• Additional conformance verification for: o TCP flags (SYN, ACK, RST, PSH, FIN) o Session state and the TCP sequence number! o If any packet does not correspond to the expected state, it is blocked!
6.1.4. Stateful firewalls – TCP states
http://en.wikipedia.org/wiki/Transmission_Control_Protocol
6.1.4. Stateful firewalls – state table
• Statically limited size table • Each entry: Source port, Destination port, Source IP, Destination IP, IP number, Protocol, Timeout
o Example entry (timeout field unreadable in the slide): 51345 | 25 | 216.32.180.22 | 129.88.30.5 | 6 | SMTP
• Flushing policy: if the connection is closed, or if no packet is sent during the TIMEOUT time
• Some Internet Protocol numbers:
IP number   IP name
1           ICMP
6           TCP
17          UDP
http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers
Understanding the FW-1 State Table, Lance Spitzner
6.1.4. SPI firewall - example
• Eg: web-server (HTTP on TCP 80) publishing over IPv4, protected by D-NAT (Destination NAT) in that case in 1-to-1 mapping
[Figure: SPI firewall example. Web client 87.98.190.108 on the Internet; the firewall's public IP address is 91.121.51.205; the DMZ is 10.0.0.4/28, with the web server at .5 (listening on TCP 8082) and the firewall's DMZ interface at .6. The packets below are decoded from the figure; the client's ephemeral source port reads 45784.]
1. Client → firewall, SYN: SourcePort: TCP 45784, DestinationPort: TCP 80; SourceIP: 87.98…, DestinationIP: 91.121…
2. Firewall → web server, SYN (destination rewritten by the 1-to-1 D-NAT): S-Port: TCP 45784, D-Port: TCP 8082; S-IP: 87…, D-IP: 10.0.0.5
3. Web server → firewall, SYN ACK: S-Port: TCP 8082, D-Port: TCP 45784; S-IP: 10.0.0.5, D-IP: 87…
4. Firewall → client, SYN ACK (source rewritten back to the public address): S-Port: TCP 80, D-Port: TCP 45784; S-IP: 91.121.51.205, D-IP: 87…
SYN processing: at each numbered step of the figure the packet is checked against the state table and the table is updated.
The client can now send its HTTP requests and the same kind of checks are performed during the WHOLE communication.
(Optional) TCP has a 3-way handshake (SYN, SYN ACK, ACK). If any packet does not respect that, the packet will be dropped.
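The state table of slide 14 and the handshake example of slide 15, modelled together in one added example (this is not code from the course): a stateful packet inspection engine that tracks each connection through SYN_SENT, SYN_RECEIVED and ESTABLISHED, rewrites the destination according to the 1-to-1 D-NAT (91.121.51.205:80 to 10.0.0.5:8082, taken from the slide), flushes idle entries after TIMEOUT and caps the table size. The client port 45784, the timeout of 60 s, the class and function names and the spoofed addresses in the test are constructed; the model tracks TCP flags only, not sequence numbers, which a real SPI firewall also checks.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

Addr = Tuple[str, int]  # (IP address, TCP port)


@dataclass(frozen=True)
class Segment:
    src: Addr
    dst: Addr
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "FIN", "RST", "PSH"}


@dataclass
class Entry:
    state: str        # SYN_SENT -> SYN_RECEIVED -> ESTABLISHED, mirroring the TCP handshake
    last_seen: float  # for the TIMEOUT flush


class SpiFirewall:
    """Stateful packet inspection in front of a 1-to-1 D-NAT (toy model, added example)."""

    def __init__(self, dnat: Dict[Addr, Addr], timeout: float = 300.0, max_entries: int = 1024):
        self.dnat = dnat                               # public (ip, port) -> private (ip, port)
        self.undnat = {v: k for k, v in dnat.items()}  # private -> public, to rewrite replies
        self.timeout = timeout
        self.max_entries = max_entries                 # the state table has a static size limit
        self.table: Dict[Tuple[Addr, Addr], Entry] = {}  # (client, public service) -> entry

    def _flush(self, now: float) -> None:
        """Flushing policy: forget connections idle for longer than TIMEOUT."""
        for key in [k for k, e in self.table.items() if now - e.last_seen > self.timeout]:
            del self.table[key]

    def inspect(self, seg: Segment, now: float) -> Tuple[str, Optional[Segment]]:
        """Return ("pass", translated segment) or ("drop", None)."""
        self._flush(now)
        f = seg.flags
        if seg.dst in self.dnat:            # client -> published service
            key = (seg.src, seg.dst)
            out = Segment(seg.src, self.dnat[seg.dst], f)   # D-NAT: rewrite the destination
            entry = self.table.get(key)
            if entry is None:
                # only a bare SYN may open a new entry; a stray ACK or a full table is dropped
                if f == {"SYN"} and len(self.table) < self.max_entries:
                    self.table[key] = Entry("SYN_SENT", now)
                    return "pass", out
                return "drop", None
            if entry.state == "SYN_RECEIVED" and f == {"ACK"}:
                entry.state = "ESTABLISHED"             # third step of the handshake
            elif not (entry.state == "ESTABLISHED" and "ACK" in f and "SYN" not in f):
                return "drop", None                     # does not match the expected state
        elif seg.src in self.undnat:        # published service -> client
            key = (seg.dst, self.undnat[seg.src])
            out = Segment(self.undnat[seg.src], seg.dst, f)  # reverse translation of the source
            entry = self.table.get(key)
            if entry is None:
                return "drop", None                     # reply to a connection nobody opened
            if entry.state in ("SYN_SENT", "SYN_RECEIVED") and f == {"SYN", "ACK"}:
                entry.state = "SYN_RECEIVED"            # second step (retransmissions allowed)
            elif not (entry.state == "ESTABLISHED" and "ACK" in f and "SYN" not in f):
                return "drop", None
        else:
            return "drop", None             # not a published service: default deny
        entry.last_seen = now
        if f & {"FIN", "RST"}:              # connection closing: release the entry
            del self.table[key]
        return "pass", out


def handshake_demo() -> list:
    """The slide's scenario: client 87.98.190.108 reaching 91.121.51.205:80, D-NATed to 10.0.0.5:8082."""
    fw = SpiFirewall({("91.121.51.205", 80): ("10.0.0.5", 8082)}, timeout=60)
    client, public, private = ("87.98.190.108", 45784), ("91.121.51.205", 80), ("10.0.0.5", 8082)
    steps = [
        (Segment(client, public, frozenset({"SYN"})), 0.0),          # 1. SYN
        (Segment(private, client, frozenset({"SYN", "ACK"})), 1.0),  # 2. SYN ACK from the server
        (Segment(client, public, frozenset({"ACK"})), 2.0),          # 3. ACK: established
        (Segment(client, public, frozenset({"ACK", "PSH"})), 3.0),   # HTTP request data
    ]
    return [fw.inspect(seg, now)[0] for seg, now in steps]
```

Because a reply is only accepted when an entry in SYN_SENT exists for it, and a data segment only when the entry is ESTABLISHED, the packets that defeated the stateless filter (a bare ACK, or a SYN ACK nobody asked for) are dropped here; once the entry is flushed by the timeout, the same client has to start a new handshake.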
6.1.5. Application firewalls
• 3rd generation o 1990-91: Bill Cheswick (AT&T), Marcus Ranum, and Gene Spafford (Purdue)
• Has a "protocol description" o Sequences, data types & sizes: eg: HTTP, DNS…
• QoS: traffic prioritization o Useful for applications with real-time requirements (eg: SIP)
• Performs Deep Packet Inspection o blocks known – attacks (exploit signature) ~ 80% – viruses (signature too)
o forces specific protocol behavior – eg: limiting the HTTP header to x bytes
o blocks specific content – eg: sending PDF files via gmail
Bill Cheswick, The Design of a Secure Internet Gateway, USENIX 1990
[Figure: protocol layers – Upper layers (application, session, presentation…); Transport (UDP, TCP); Network (IP); Link (Ethernet); Physical. An application firewall also inspects the upper layers.]
6.1.6. Firewall policy
• Set of rules
• Example: • Block all outgoing FTP traffic except from host … to host … • Allow only a subset of commands of the SIP protocol
• Least privilege principle: • The last evaluated rule has to be o "Deny All traffic from any network to any network"
6.1.7. Additional cool stuff
• Policy depending on the identity of authenticated users: • Role-Based Access Control
• Could also have additional functions: • Proxy • Failover, Load-Balancing
Firewall - interlude
• Firewalls and Internet security: repelling the wily hacker, William R. Cheswick, Steven M. Bellovin, Aviel D. Rubin
IV.6.2.1. Proxy
• Acts as an intermediary for requests from clients to another service.
• Types • Forward
• Open
• Reverse
• Applications o Squid o Microsoft Forefront Threat Management Gateway (ISA server)
[Figure: the three proxy types. Forward proxy: Internal network → Proxy → Internet. Open proxy: Internet → Proxy → Internet. Reverse proxy: Internet → Proxy → Internal server (eg: webserver) inside the internal network.]
IV.6.2.2. Proxy - features
• Policy: • Filtering at the application level
o Similar to Deep-Packet Inspection – eg: HTTP URL filtering – DNS: blacklist
• Caching o Accelerating some requests o (eg: a forward proxy serving static content from google.fr from its cache rather than fetching it again from the Internet)
• Logging o Each corporation providing Internet access has to log requests (liability issues)
• the policy could depend on the authenticated user/computer
IV.6.2.3. Proxy - SOCKS
• SOCKet Security, RFC1928, default TCP port 1080 (server) • The application has to "understand" a SOCKS dialog • Eg: forward proxy in a corporation ; HTTP GET /
[Figure: SOCKS forward proxy in a corporation. The client on the internal network speaks SOCKS to the proxy (labelled "TCP, IP client-proxy") and its HTTP request rides inside that dialog; the proxy checks the client against an identity provider, then opens its own connection towards the Internet ("HTTP, TCP, IP (source = proxy)"), which the firewall lets through under the rule "allow HTTP, DNS from proxy to Internet" and forwards as "HTTP, TCP, IP (source = proxy/fw)". End to end the application exchange is still "HTTP, TCP, IP client-server".]
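The SOCKS dialog the application has to "understand", as an added example that is not part of the course material: the RFC 1928 method negotiation and CONNECT request, built on the client side and parsed on the proxy side, with the domain-name address type so that name resolution is done by the proxy (which is what makes the firewall rule "allow HTTP, DNS from proxy to Internet" sufficient). The host names, ports, the ALLOWED_PORTS policy and the function names are constructed; only the byte layout and the numeric constants come from RFC 1928.

```python
import struct
from typing import Tuple

SOCKS_VERSION = 0x05
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF          # method codes from RFC 1928
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCESS, REP_NOT_ALLOWED = 0x00, 0x02    # 0x02 = "connection not allowed by ruleset"

ALLOWED_PORTS = {80, 443}   # constructed corporate policy: only web traffic leaves via the proxy


def client_greeting(methods=(NO_AUTH,)) -> bytes:
    """VER | NMETHODS | METHODS: the client lists the authentication methods it supports."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def server_method_choice(greeting: bytes, offered=(NO_AUTH,)) -> bytes:
    """VER | METHOD: the proxy picks one method, or 0xFF to refuse the client."""
    ver, n = greeting[0], greeting[1]
    methods = greeting[2:2 + n]
    if ver != SOCKS_VERSION or len(methods) != n:
        raise ValueError("malformed SOCKS greeting")
    chosen = next((m for m in offered if m in methods), NO_ACCEPTABLE)
    return bytes([SOCKS_VERSION, chosen])


def connect_request(host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT, with the name left unresolved for the proxy."""
    name = host.encode("idna")
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)


def parse_request(req: bytes) -> Tuple[int, str, int]:
    """Proxy side: decode (command, destination host, destination port) from a request."""
    ver, cmd, rsv, atyp = req[:4]
    if ver != SOCKS_VERSION or rsv != 0x00:
        raise ValueError("malformed SOCKS request")
    if atyp == ATYP_IPV4:
        host, offset = ".".join(str(b) for b in req[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, offset = req[5:5 + n].decode("idna"), 5 + n
    else:
        raise ValueError("unsupported address type")
    (port,) = struct.unpack("!H", req[offset:offset + 2])
    return cmd, host, port


def proxy_reply(req: bytes, bind_ip: str = "0.0.0.0", bind_port: int = 0) -> Tuple[int, bytes]:
    """Apply the policy and build VER | REP | RSV | ATYP | BND.ADDR | BND.PORT."""
    cmd, host, port = parse_request(req)
    rep = REP_SUCCESS if cmd == CMD_CONNECT and port in ALLOWED_PORTS else REP_NOT_ALLOWED
    body = (bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4])
            + bytes(int(x) for x in bind_ip.split("."))
            + struct.pack("!H", bind_port))
    return rep, body
```

The policy decision happens on the proxy, after it has parsed the destination the client asked for; a client that cannot speak this dialog simply never gets a connection, which is the point of the slide's "the application has to understand a SOCKS dialog".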
IV. 6.3. Services Oriented Architecture
• Web-Service • WS-Security • WS-Federation
6.3.1. Service Oriented Architecture
• Provides: • UDDI: Service location • WSDL: Service description • SOAP: Remote Procedure Call
• Interesting: • Interoperability • Low coupling
• Web-Services and Firewalls: o Generally TCP 80 or TCP 443 for the transport o "classic DPI" is not enough, since the "real applications" function at a higher level than HTTP!
[Figure: web-service protocol stack – XML over HTTP / RPC, over TCP, over IP]
6.3.2. WS-Security
• A way of ensuring integrity and confidentiality properties on SOAP messages.
o Author: OASIS (Microsoft, IBM, …)
• Credentials: transport of security tokens • SAML (Security Assertion Markup Language)
o Authentication o Authorization o … between "security domains" (eg: Active Directory domains)
• Kerberos • X.509
• Integrity: XML signature • Encryption: XML encryption
6.3.3. WS-Federation & SAML: identity federation
• A user authenticates through his Identity Provider (eg: corp A) and gets access to applications published by a Service Provider (eg: corp B) ~ Web-Browser SSO
• Some definitions (see the ADFS 1.0 example on the next slide) • Identity Provider (eg: LDAP, SQL database…) • Claims (FR: revendication)
o Eg: User.Age >= 18
• Token (FR: jeton) • Service Provider: provides the application
http://blogs.sun.com/hubertsblog/entry/deep_dive_on_saml_2
6.3.4. Active Directory Federation Services 1.0
o Example of Business-to-Business (B2B) Web-Browser Single-Sign-On
Active Directory Federation Services 2.0 (2010), Philippe BERAUD, Microsoft
[Figure: ADFS 1.0 B2B web-browser SSO. Corporation A (Authentication) hosts the Identity Provider and the federation server FS-A on its intranet, with an FS-Web-Proxy A in its DMZ; Corporation R (Resource) hosts the Web Application and FS-R on its intranet, with an FS-Web-Proxy R in its DMZ; Client C is the user's browser. Prerequisite: X.509 cert. exchange, FS-R accepts FS-A tokens.]
1. C: HTTP GET / web app.
2.1. Authenticate to FS-P (HTTP 302); I need the claims c1, c2..
2.2. C: security domain = A
3.1. Plz provide a token from FS-A
3.2. HTTP 302 to FS-A; user authentication; SAML token request
4. FS-A obtains the attributes from the IP, builds the claims (c1, c2), adds some information regarding C and signs them = SAML token [C,c1,c2]FS-A
5. C: HTTP POST [C,c1,c2…]FS-A
6. Token construction: FS-R checks the FS-A token signature and builds [C,c1,c2]FS-R
7.1. C: HTTP POST [C,c1,c2..]FS-R to the web application
8. HTTP 200 OK, servicing
IV. 6.4. Public Key Infrastructure
• Definition • Components • Certification Authority • Chain of trust • Certificate issuance • Revocation • Example • PKCS • Implementation & use cases
Fabien Duchene, Introduction to the Microsoft PKI Active Directory Certificate Services 2008 R2, Sogeti-ESEC
6.4.1. PKI - definition
• Hardware, software, people, policies and procedures to manage the lifecycle of digital certificates o (manage, distribute, use, store and revoke)
• It uses asymmetric cryptography o … and is ONE solution to associate certificates with identity = hierarchical model o … other models exist: – local trust model (eg: SPKI) – web of trust (eg: PGP)
[Figure 4 – CA hierarchy – A hypothetical example (figure identifier TISO3960-94/d04, from the ITU-T X.509 recommendation): CAs U, V, W, X, Y and Z; cross-certificates U«V», V«U», V«W», W«V», W«X», X«W», X«Z», Z«X», Y«Z», Z«Y», V«Y», Y«V»; end-entity certificates X«C», X«A» and Z«B» for users C, A and B]
6.4.2. PKI - components
[Figure: PKI components – Keys and certificates management tools, auditing…; Certificate publication and revocation distribution points (CRL, OCSP); Certification Authority (CA); Certificates; Requestors (computer, user); URLs (http://, file://, ldap://); Security policy; Certificate enrollment and revocation policy; authentication; Identity Provider (eg: ADS); Applications and services able to interact with certificates]
6.4.3. Certification Authority
• A trusted party (server), as part of a PKI: • Verifies the identity of a certificate requestor • Issues certificates to requestors (users, computers) according to the issuance policy • Manages certificate revocation*
*revocation: designating a certificate as no longer valid, even if its expiration date is in the future.
[Figure: the GeekCompany Root CA and the certificates it issued to the users Sheldon Cooper and Kim Cameron]
6.4.4. PKI – Trust topology
• A hierarchical trust model: – Users/computers trust the Root CA – Transitive trust relation down to the leaves
I trust that Root CA
→ thus I also trust these CAs (cert. issued by the Root CA)
→ thus I also trust the identity of that user/comp (issued cert.)
6.4.4 Certificate issuance
• A Root CA self-signs its certificate • The most common model: the requester generates the KeyPair o Certificate template: set of parameters (key length, authentication requirements (1/2/3 factor(s)), permissions…)
[Figure: certificate issuance. Actors: Client, Identity Provider, Certification Authority, Certificate Template store. Steps: A – Authentication (client to Identity Provider); Certificate Templates fetching; B – KeyPair generation (according to the chosen certificate template parameters); C – Authenticated Certificate request (public key, validity, certificate template…); D – Verifications (template parameters); E – Certificate issuance (see next slide); F – Certificate returned to the client]
6.4.4. Chain of trust & certificate issuance
• Trust hierarchy: trusting the Root CA • Signature: each CA signs all issued certificates
• … including the child PKI ones!
6.4.4. Chain of trust - signature
[Figure: certificate signature – Clear text certificate information → Thumbprint computation (hash*) → Thumbprint signed with the issuing CA private key → Cert. Signature field]
* hash: function that takes a block of data and returns a fixed size bit string (eg: MD5, SHA-1, SHA-512…)
How could the “chain of trust” be broken?
• For any certificate in that chain:
• Validity time: certificate expired? • Subject name: the certificate information is different from what the application expects? (eg: loading an https website by its IP instead of its FQDN)
• Revocation: has that certificate been revoked at the CDP?
• … and of course if the Root CA of that chain is not trusted!
Technical overview of the Microsoft PKI ADCS 2008 R2
• CRL (Certificate Revocation List) • List of revoked certificates' hashes, periodically fetched
• OCSP (Online Certificate Status Protocol) • Real-time web request
[Figure: CRL check – Periodical CRL download (HTTP, SMB, LDAP…); is the certificate hash present in the signed CRL? yes → the certificate is not trusted; no → the certificate is trusted]
6.4.5. PKI - Revocation
[Figure: "Is the certificate revoked?" – answered either by an OCSP Request and an OCSP signed Reply, or by checking whether the certificate hash is present in the CRL signed by the issuing CA; yes → the certificate is not trusted; no → the certificate is trusted]
PKI – certificate verification example • Consider the following scenario: should I trust the customer CA certificate, knowing I obtained the Root CA cert from the AIA?
0. Get the AIA information periodically (URL, download the Root CA public key)
1. The Customer CA is presenting us its certificate (… and the related chain of trust)
2. Do I trust the Root CA certificate? ("Trusted Root Certification Authorities"?)
3. Is the Root CA cert. revoked or expired? (CRL, OCSP) Is it the right computer (DNS FQDN)?
4. Check the Ext. Pol. CA certificate signature (parent CA)
5. 6. 7. 8. …
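The chain-of-trust signature (slide 47), the ways the chain can be broken (slide 48), the CRL lookup (slide 51) and the verification scenario above, carried through in one added example that is not code from the course: hash-then-sign with textbook RSA, a three-level chain (self-signed root, issuing CA, web server certificate) and a validate() that runs every check the slides list, leaf first. The RSA keys are built from Mersenne primes, which are certainly prime but absurdly small, so this is a toy for the logic only; the names "GeekCompany Root CA" and the user of an IP instead of an FQDN come from the slides, everything else (issuing CA name, www.example.com, dates, function names, the tampered certificate) is constructed.

```python
import dataclasses
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Set, Tuple

PubKey = Tuple[int, int]  # (n, e)


def toy_keypair(p: int, q: int, e: int = 65537) -> Tuple[PubKey, int]:
    """Textbook RSA from two given primes: far too small for real use, enough to show the chain."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), d


def thumbprint_int(tbs: bytes, n: int) -> int:
    """Hash of the clear text certificate information, reduced so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n


def sign(tbs: bytes, priv: int, n: int) -> int:
    return pow(thumbprint_int(tbs, n), priv, n)         # signed with the issuing CA private key


def verify(tbs: bytes, sig: int, pub: PubKey) -> bool:
    n, e = pub
    return pow(sig, e, n) == thumbprint_int(tbs, n)     # checked with the issuer's public key


def at(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pub: PubKey
    not_before: datetime
    not_after: datetime
    sig: int = 0

    def tbs(self) -> bytes:
        """Clear text certificate information: the part that gets hashed and signed."""
        return f"{self.subject}|{self.issuer}|{self.pub}|{self.not_before.isoformat()}|{self.not_after.isoformat()}".encode()

    def thumbprint(self) -> str:
        """Identifier used by the CRL and by the trusted root store."""
        return hashlib.sha256(self.tbs() + self.sig.to_bytes(32, "big")).hexdigest()


def issue(subject: str, pub: PubKey, issuer: Cert, issuer_priv: int, not_before: datetime, not_after: datetime) -> Cert:
    unsigned = Cert(subject, issuer.subject, pub, not_before, not_after)
    return dataclasses.replace(unsigned, sig=sign(unsigned.tbs(), issuer_priv, issuer.pub[0]))


def validate(chain: List[Cert], expected_name: str, now: datetime, trusted_roots: Set[str], crl: Set[str]) -> Tuple[bool, str]:
    """Chain is leaf first, root last; each check is one of the slides' ways to break the chain."""
    if chain[0].subject != expected_name:
        return False, f"subject name mismatch: got {chain[0].subject}, expected {expected_name}"
    for i, cert in enumerate(chain):
        if not cert.not_before <= now <= cert.not_after:
            return False, f"{cert.subject}: certificate expired or not yet valid"
        if cert.thumbprint() in crl:
            return False, f"{cert.subject}: revoked (hash present in the signed CRL)"
        parent = chain[i + 1] if i + 1 < len(chain) else cert   # the root CA is self-signed
        if cert.issuer != parent.subject or not verify(cert.tbs(), cert.sig, parent.pub):
            return False, f"{cert.subject}: signature does not verify with {parent.subject}"
    if chain[-1].thumbprint() not in trusted_roots:
        return False, f"{chain[-1].subject}: root CA not in the trusted root store"
    return True, "chain of trust intact"


# Constructed keys from Mersenne primes (certainly prime, absurdly small): never do this for real.
ROOT_PUB, ROOT_PRIV = toy_keypair(2**89 - 1, 2**61 - 1)
SUB_PUB, SUB_PRIV = toy_keypair(2**31 - 1, 2**19 - 1)
LEAF_PUB, _ = toy_keypair(2**17 - 1, 2**13 - 1)
T0 = at(2011, 1, 1)


def build_chain() -> List[Cert]:
    """Root CA (self-signed) -> issuing CA -> web server certificate, all constructed."""
    root_unsigned = Cert("GeekCompany Root CA", "GeekCompany Root CA", ROOT_PUB, T0, T0.replace(year=2021))
    root = dataclasses.replace(root_unsigned, sig=sign(root_unsigned.tbs(), ROOT_PRIV, ROOT_PUB[0]))
    sub = issue("GeekCompany Issuing CA", SUB_PUB, root, ROOT_PRIV, T0, T0.replace(year=2016))
    leaf = issue("www.example.com", LEAF_PUB, sub, SUB_PRIV, T0, T0.replace(year=2012))
    return [leaf, sub, root]


def with_subject(cert: Cert, subject: str) -> Cert:
    """A certificate whose subject was edited after signing: its signature must stop verifying."""
    return dataclasses.replace(cert, subject=subject)
```

Validation walks the chain from the leaf up, so an expired or revoked issuing CA fails the web server certificate as well; the trusted root store is keyed by thumbprint, which is why step 0 of the scenario (downloading the Root CA public key from the AIA) matters before any signature can be checked.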
6.4.7. PKI - PKCS
• Public-Key Cryptography Standards • Based on Diffie & Hellman's research (1976) on asymmetric crypto • OS neutral • Used in many standards relying on asymmetric crypto
• PKCS #1: RSA Encryption Standard
• PKCS #3: Diffie-Hellman Key-Agreement Standard
• PKCS #5: Password-Based Cryptography Standard
• PKCS #6: Extended-Certificate Syntax Standard
• PKCS #7: Cryptographic Message Syntax Standard
• PKCS #8: Private-Key Information Syntax Standard
• PKCS #9: Selected Attribute Types
• PKCS #10: Certification Request Syntax Standard
• PKCS #11: Cryptographic Token Interface Standard
• PKCS #12: Personal Information Exchange Syntax Standard
• PKCS #13: Elliptic Curve Cryptography Standard
• PKCS #15: Cryptographic Token Information Format Standard
6.4.8. Some implementations & use cases
• Web security • SSL: website authentication and data encryption • Email signature and encryption
• Corporate security • Two-factor authentication
• Application/data integrity • Java Applets • Apple iOS applications • Microsoft Windows updates • Antimalware signatures
IV.6. Internet - summary
Firewall
• Stateful/stateless • Which layers count for deciding? • Application • Transport • Network
• Do they perform masquerading? • Eg NAT in IPv4
• Deep-Packet Inspection
• Location: endpoint or network?
• QoS?
Proxy
• Types • Forward • Open • Reverse
• Features • Filtering (DPI) • Caching • Logging (relationship to authentication)
• SOCKS • L5 protocol • Easier to administrate firewalls
Web-Services
• SOA • Service • Requestor • Broker • Provider
• WS-Security • WS-Federation • SAML token • ADFS 1.0 example
PKI
• Asymmetric cryptography • RSA
• Trust model • Certification Authority
• Issuance • Signature • Smart Card • Revocation, CRL • Certificate • PKCS • Applications • Software integrity • Authentication • Data encryption