network security part i: introduction general overview of network security
TRANSCRIPT
Network Security Part I: Introduction
General Overview of Network Security
SECURITY INNOVATION ©2003
Outline
– Network Topologies
– Network Addressing
– LANs
– MANs
– WANs
Overview
• Network Infrastructure
– The building blocks of a network:
• basic network protocols
• network management
• authentication
• routing
• other random things
– switches, hubs
– printers
– routers
Overview
• Does this stuff matter?
– Absolutely - the network depends on these
• Basic protocols - obvious
• Network management & allocation
– simplify network design and machine deployment
• Authentication
– access control
• Routing
– Getting from A to B
• Other stuff
– The network RUNS on these
Overview
• Impacts
– Attacking protocols can allow for hijacking, spoofing and impersonation
– control network devices
– elevate access
– change network flow
– hide connections
– sniffing
– … and more
Ethernet
• IEEE 802.3, technology originated from Xerox Corp.
• Data packaged into frames
• Network Interface Card (NIC)
• CSMA/CD
– Carrier Sense
– Multiple Access
– Collision Detection
Network Cabling
• Cabling
– Thick Ethernet – 10BASE-5
– Thin Ethernet – 10BASE-2
– Shielded & Unshielded Twisted Pair (STP, UTP) – 10BASE-T (Cat 3), 100BASE-T (Cat 5)
– Fiber Optic – Gigabit Ethernet
– Wireless LAN
• Layer 1 (Physical) of the stack
Cabling in OSI Protocol Stack
[Figure: the seven OSI layers (1 Physical, 2 Data Link, 3 Network, 4 Transport, 5 Session, 6 Presentation, 7 Application), with cabling placed at Layer 1, Physical.]
Cabling Issues
• Physical Environment
– Trunking
– Network Closets
– Risers
• Physical Environment - Issues
– Single or multi-occupancy
– Access control to floor/building
– Network passes through public areas
– Network infrastructure easily accessible
– Network infrastructure shares facilities
– Electromagnetic environment
Thin Ethernet
• Short overall cable runs.
• Vulnerability: information broadcast to all devices on the shared cable.
– Threat: Information Leakage, Illegitimate Use
• Vulnerability: One cable fault disables the whole segment
– Threat: Denial of Service
• Easy to install & attach additional devices
– Vulnerability: Anyone can tap into the shared cable at any point.
• Threat: Illegitimate Use.
• Rarely seen now.
[Figure: a 10BASE-2 segment, one coaxial cable running past every device.]
UTP and Hub
• Cable between hub and device is a single entity
• Only connectors are at the cable ends
• Additional devices can only be added at the hub
• Disconnection/cable break rarely affects other devices
• Easy to install
[Figure: devices connected by UTP cables to a 10/100BASE-T hub.]
Other Layer 1 Options
• Fiber Optic
– Cable between hub and device is a single entity
– Tapping or altering the cable is difficult
– Installation is more difficult
– Much higher speeds
• Wireless LAN
– Popular where building restrictions apply.
– Several disadvantages
• Radio signals are subject to interference, interception, and alteration.
• Difficult to restrict to building perimeter.
– Security must be built in from initial network design.
Hubs
• Data is broadcast to everyone on the hub
– Vulnerability: information broadcast to all devices.
• Threat: Information Leakage, Illegitimate Use
– Vulnerability: Anyone can plug into hub.
• Threat: Illegitimate Use.
• Layer 1 (Physical) device: it repeats bits, it does not look at addresses
• Intelligent Hubs
– Signal regeneration.
– Traffic monitoring.
– Can be configured remotely.
Hubs in OSI Protocol Stack
[Figure: the seven OSI layers (1 Physical, 2 Data Link, 3 Network, 4 Transport, 5 Session, 6 Presentation, 7 Application), with cabling and hubs placed at Layer 1, Physical.]
Ethernet Addressing
• Address of Network Interface Card
• Unique 48 bit value
– first 24 bits indicate the vendor (the OUI).
• For example, 00:E0:81:10:19:FC
– 00:E0:81 indicates Exten Corporation
– 10:19:FC indicates the 1,055,228th NIC
• Media Access Control (MAC) address
IP Addressing
• IP address is 32 bits long
• Usually expressed as 4 octets separated by dots
– 62.49.67.170
• RFC 1918 specifies reserved addresses for use on private networks.
– 10.0.0.0 to 10.255.255.255
– 172.16.0.0 to 172.31.255.255
– 192.168.0.0 to 192.168.255.255
• Many large ranges assigned
– 13.x.x.x Xerox, 18.x.x.x MIT, 54.x.x.x Merck
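The two slides above can be checked by hand. The following is an added example, not code from the original deck: it splits the slide's MAC address into OUI and NIC serial (confirming the 1,055,228 figure), reads the two flag bits in the first octet that a spoof-hunter cares about, and tests addresses against the RFC 1918 ranges with plain mask arithmetic. The vendor name is taken from the slide; the helper names are this example's own.

```python
"""Added example: decode the Ethernet and IP addresses used on the slides.

Not from the original deck. The vendor name for OUI 00:E0:81 is copied from
the slide; the function names are this example's own.
"""
import ipaddress  # used only to cross-check the hand-rolled mask test

# Constructed lookup covering just the OUI that appears on the slide.
OUI_VENDORS = {"00:E0:81": "Exten Corporation"}  # per the slide

def parse_mac(mac: str) -> dict:
    """Split a 48-bit MAC into OUI, NIC serial number, and the two flag bits."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"MAC must be 48 bits: {mac!r}")
    oui = ":".join(f"{b:02X}" for b in octets[:3])
    serial = int.from_bytes(octets[3:], "big")   # vendor-assigned 24-bit NIC number
    first = octets[0]
    return {
        "oui": oui,
        "vendor": OUI_VENDORS.get(oui, "unknown"),
        "serial": serial,
        # bit 0 of the first octet: 0 = unicast, 1 = group (multicast/broadcast)
        "multicast": bool(first & 0x01),
        # bit 1 of the first octet: 0 = burned in by the vendor, 1 = locally
        # administered, i.e. set in software; on a port that should carry a
        # real NIC this is a cheap hint that the address may be spoofed
        "locally_administered": bool(first & 0x02),
    }

RFC1918 = [("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16)]

def ip_to_int(dotted: str) -> int:
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    return int.from_bytes(bytes(parts), "big")

def in_prefix(addr: str, network: str, prefix_len: int) -> bool:
    """True if addr falls inside network/prefix_len, by masking the high bits."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return ip_to_int(addr) & mask == ip_to_int(network) & mask

def is_rfc1918(addr: str) -> bool:
    return any(in_prefix(addr, net, plen) for net, plen in RFC1918)

if __name__ == "__main__":
    info = parse_mac("00:E0:81:10:19:FC")
    print(info)   # serial is 1055228, matching the slide
    for a in ("62.49.67.170", "10.1.2.3", "172.31.255.1", "172.32.0.1", "192.168.0.40"):
        # the standard library agrees with the mask arithmetic for these inputs
        assert is_rfc1918(a) == ipaddress.ip_address(a).is_private
        print(a, "private" if is_rfc1918(a) else "public")
```

The 172.16/12 range is the one people get wrong by hand (172.32.0.1 is public); masking the integer form avoids that.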
IP Address to Ethernet Address
• Address Resolution Protocol (ARP)
– Sits between Layer 2 and Layer 3: carried directly in Ethernet frames (not inside IP)
– Maps IP address to MAC address
• ARP Query
– Who has 192.168.0.40? Tell 192.168.0.20
• ARP Reply
– 192.168.0.40 is at 00:0e:81:10:19:FC
• ARP caches for speed
– Records previous ARP replies
– Entries are aged and eventually discarded
ARP Query & ARP Reply
[Figure: web browser (IP 192.168.0.20, MAC 00:0e:81:10:17:D1) and web server (IP 192.168.0.40, MAC 00:0e:81:10:19:FC) on a 10/100BASE-T hub. (1) ARP Query, broadcast: "Who has 192.168.0.40?" (2) ARP Reply: "192.168.0.40 is at 00:0e:81:10:19:FC".]
Switches
• Switches only send data to the intended receiver.
• Builds an index of which device has which MAC address.
[Figure: a 10/100BASE-T switch with its index of port (device) to MAC address: 1 00:0e:81:10:19:FC, 2 00:0e:81:32:96:af, 3 00:0e:81:31:2f:d7, 4 00:0e:81:97:03:05, 8 00:0e:81:10:17:d1.]
Switch Operation
• When a frame arrives at switch
– Switch records the source MAC address against the arriving port (learning).
– Switch looks up destination MAC address in index.
– Sends the frame to the device in the index that owns that MAC address.
– If the destination is not in the index, the frame is sent out of every port (just like a hub).
• Switches are often intelligent:
– Traffic monitoring, remotely configurable.
• Switches operate at Layer 2.
Switches in OSI Protocol Stack
[Figure: the seven OSI layers (1 Physical, 2 Data Link, 3 Network, 4 Transport, 5 Session, 6 Presentation, 7 Application); cabling and hubs at Layer 1, switches at Layer 2.]
Basic Protocols
• Security at the IP layer discussed over and over
• Security at the link layer ignored
ARP
• Address Resolution Protocol
– Used for mapping network IP addresses to physical (in the case of Ethernet, MAC) interface addresses.
– Broadcast at the link layer.
ARP Security Flaws
• Lack of Authentication
• Limited Table Entries
– ARP caches can be overpopulated and flushed
ARP Authentication Flaws
• Lack of Authentication
– ARP replies are typically accepted and cached without concern for origin when received.
– No method to distinguish between legitimate and illegitimate messages
ARP Lack of Authentication
• Invalid ARP replies
– When an ARP who-has is broadcast on the wire, anyone can reply and be mapped to the associated network address.
• Gratuitous ARP replies
– ARP replies without requests can be sent out and cached, diverting traffic from the compromised network address to the attacker.
ARP Attacks
• Replace entries in ARP caches for existing addresses
– Denial of Service
– Reply to requests with the compromised host's address as router or nameserver.
– Non-blind traffic hijacking
– Exploitation of host-based trusts.
ARP Attacks
• ARP Cache Overpopulation
– Sending too many gratuitous ARP replies flushes the target ARP cache in some implementations.
• Reaching the cache maximum can cause devices like switches to re-enter "learning mode"
ARP Vulnerability
• ARP spoofing
– Masquerade threat
– Gratuitous ARP
– ARP replies have no proof of origin
– A malicious device can claim any IP address by answering for it with its own MAC
– Enables all fundamental threats
Before ARP Spoofing
[Figure: two hosts and an attacker on a switch. Host 192.168.0.20 (MAC 00:0e:81:10:17:d1), host 192.168.0.40 (MAC 00:0e:81:10:19:FC) and the attacker 192.168.0.1 (MAC 00:1f:42:12:04:72). ARP cache of 192.168.0.20: 192.168.0.40 → 00:0e:81:10:19:FC, 192.168.0.1 → 00:1f:42:12:04:72. ARP cache of 192.168.0.40: 192.168.0.20 → 00:0e:81:10:17:d1, 192.168.0.1 → 00:1f:42:12:04:72.]
After ARP Spoofing
[Figure: the attacker (192.168.0.1, MAC 00:1f:42:12:04:72) sends (1) a gratuitous ARP "192.168.0.40 is at 00:1f:42:12:04:72" to 192.168.0.20 and (2) a gratuitous ARP "192.168.0.20 is at 00:1f:42:12:04:72" to 192.168.0.40. Both hosts' ARP caches now map the other host's IP address, as well as 192.168.0.1, to the attacker's MAC 00:1f:42:12:04:72.]
Effect of ARP Spoofing
[Figure: 192.168.0.20 sends an IP datagram for Dest: 192.168.0.40 inside a frame addressed to MAC 00:1f:42:12:04:72, so the switch delivers it to the attacker. The attacker keeps a relay index of the real mappings (192.168.0.40 → 00:0e:81:10:19:FC, 192.168.0.20 → 00:0e:81:10:17:d1) and forwards each datagram on to its real destination, sitting unnoticed in the middle of the conversation.]
SECURITY INNOVATION ©200334
Switch Vulnerability
• MAC Flooding
– Malicious device connected to switch
– Sends multiple Gratuitous ARPs
– Each ARP claims a different MAC address
– When index fills, some switches revert to hub behaviour
[Figure: the switch index filling with entries all learned on port 4 (00:0e:81:32:96:af, 00:0e:81:32:96:b0, 00:0e:81:32:96:b1, 00:0e:81:32:97:a4, …) until it runs to many thousands of entries.]
Safeguards?
• Physically secure the switch
• Switches should fail safe when flooded
– Threat: Denial of Service
• Arpwatch: monitors MAC to IP address mappings
• Switch port locking of MAC addresses (port security)
– Prevents MAC flooding; on its own it does not stop ARP spoofing, since the attacker's gratuitous ARPs carry the attacker's own, permitted MAC
– Reduces flexibility
SECURITY INNOVATION ©200336
IP Routers
• Routers support indirect delivery of IP datagrams.
• Employing routing tables.
– Information about possible destinations and how to reach them.
• Three possible actions for a datagram
– Sent directly to destination host.
– Sent to next router on way to known destination.
– Sent to default router.
• IP Routers operate at Layer 3.
Routers in OSI Protocol Stack
[Figure: the seven OSI layers (1 Physical, 2 Data Link, 3 Network, 4 Transport, 5 Session, 6 Presentation, 7 Application); cabling and hubs at Layer 1, switches at Layer 2, routers at Layer 3.]
Routers
[Figure: host 192.168.0.20 (subnet mask 255.255.255.0, default router 192.168.0.254) and host 192.168.0.40 on one switch; hosts 192.168.1.10 and 192.168.1.11 on a second switch; two routers with interfaces 192.168.0.254, 192.168.1.254, 62.49.147.170 and 62.49.147.169 connect the two LANs to each other and to the Internet.]
Routers
[Figure: same network. 192.168.0.20 sends an IP datagram for Dest: 192.168.0.40; the destination is on the local subnet, so the datagram goes straight to it across the switch, without touching a router.]
Routers
[Figure: same network. 192.168.0.20 sends an IP datagram for Dest: 192.168.1.11; the destination is on another subnet, so the datagram goes to the default router 192.168.0.254, which forwards it out of its 192.168.1.254 interface to 192.168.1.11.]
Routers
[Figure: same network. 192.168.0.20 sends an IP datagram for Dest: 134.219.200.69; neither router has a specific route, so the datagram goes to the default router 192.168.0.254 and on via the 62.49.147.x link towards the Internet.]
SECURITY INNOVATION ©200342
DHCP
• Dynamic Host Configuration Protocol
– Popular amongst PC users for ease of installation and configuration
– UDP transport
– Client requests are sent to the broadcast address, from source address 0.0.0.0
DHCP Security Problems
• Unauthenticated
– Anyone can request an address
• Undirected
– Anyone can respond
• Limited ACL capabilities
– Limit addresses per MAC
DHCP Attacks
• Get all addresses
– Denial of Service
– Reply to requests with compromised host set as router or nameserver
• Deregister hosts
– hijack IPs, connections
DHCP Fixes
• Authentication
– ISC is adding authentication in their 3.1 implementation
– Others have implemented proprietary authentication mechanisms
• Don't allow dynamic assignment of DNS servers or routers
– Statically define these
SECURITY INNOVATION ©200346
Gateway Protocols
• IGP
– RIPv1
– RIPv2
– OSPF
RIP
• Routing Information Protocol
– Widely used distance-vector IGP (Interior Gateway Protocol) within autonomous systems.
– Exists in two forms, Version 1 and the backwards compatible Version 2.
• RIPv1 is extremely vulnerable to serious attack.
RIP Security Flaws
• Transport Method
• Authentication
RIP Transport Method Flaws
• Based on UDP, utilizing port 520 for sending and receiving messages.
– UDP is connectionless with no sequencing of packets, so it is easy to send arbitrary data to a target.
– Since sequencing is not a concern, forging the source address can be very effective.
– A router may accept updates from anywhere on the Internet unless filtered.
RIP Authentication Flaws
• Lack of any authentication in RIPv1
• Cleartext "simple password" authentication specified in RFC 2453, the RIPv2 specification
• MD5 key / key-ID digest based authentication described in RFC 2082.
RIP Attacks
• Forging RIP messages
– Spoofing the source address and sending invalid routes, altering traffic flow.
• Traffic hijacking
• Traffic monitoring
• Redirecting traffic from trusted to untrusted.
– Obtaining the cleartext RIPv2 "password" when sent across the network.
• Using the retrieved password to send authenticated updates to RIPv2 routers, altering traffic flow with the consequences listed above.
RIP Solutions
• Disabling RIPv1 and using RIPv2 with MD5 authentication.
• Enabling MD5 based authentication for RIPv2
• Disabling RIP completely and using OSPF with MD5 authentication as interior gateway protocol. OSPF is the suggested IGP.
SECURITY INNOVATION ©200353
OSPF
• OSPF - Open Shortest Path First
– Link-State Interior Gateway Protocol. In wide use within autonomous systems.
– OSPF is the recommended IGP, intended as a replacement for RIP.
OSPF Authentication Flaws
• Default Lack of Authentication
– By default in some implementations, OSPF authentication may be off.
• Cleartext "simple password" Authentication
– Commonly a default setting; a clear-text password included in the OSPF message is used to authenticate peers.
• Type of authentication determined by the AuType field in the OSPF packet header.
OSPF Attacks
• Forging OSPF messages
– Can be somewhat difficult but theoretically possible if no authentication is required or the cleartext password is obtained.
OSPF Solution
• Enable MD5 authentication in the OSPF implementation.
VLANs
• VLAN is a virtual LAN.
• Switch is configured to divide up devices into VLANs.
• Device on one VLAN can't send to devices on another VLAN.
[Figure: a single switch with its ports divided into VLANs.]
VLANs & Routers
• How to get from one VLAN to another?
– Connect them with a router.
[Figure: a switch whose VLANs are joined by a router.]
Secure?
[Figure: Layer 3 view. Network 192.168.0.0 and network 192.168.1.0, joined by a router; hosts A, B, C and D carry the addresses 192.168.0.1, 192.168.0.2, 192.168.1.1 and 192.168.1.2 and appear to sit on two separate networks.]
Secure?
[Figure: Layer 2 view. Hosts A, B, C and D all plug into the same switch.]
At Layer 3, the switch is "invisible"; at Layer 2, the switch becomes "visible": the separation between the two networks is only the switch's VLAN configuration, not the addressing.
TCP Handshaking
• Each TCP connection begins with three packets:
– A SYN packet from sender to receiver.
• "Can we talk?"
– A SYN/ACK packet from receiver to sender.
• "Fine – ready to start?"
– An ACK packet from sender to receiver.
• "OK, start"
TCP Handshaking
[Figure: 192.168.0.20 → 192.168.0.40: IP datagram Src 192.168.0.20, Dest 192.168.0.40, carrying a TCP packet with the SYN flag ("Can we talk?"). 192.168.0.40 → 192.168.0.20: IP datagram Src 192.168.0.40, Dest 192.168.0.20, TCP packet with SYN & ACK flags ("Fine, ready to start?"). 192.168.0.20 → 192.168.0.40: IP datagram Src 192.168.0.20, Dest 192.168.0.40, TCP packet with the ACK flag ("OK, start").]
Tracking TCP Handshakes
• The destination machine has to track which machines it has sent a "SYN+ACK" to
• Keeps a list of TCP SYN packets that have had a SYN+ACK returned.
• When the ACK is received, the entry is removed from the list as the connection is open.
TCP Denial Of Service
• What if the sender doesn't answer with an ACK?
– A SYN packet from sender to receiver.
• "Can we talk?"
– A SYN/ACK packet from receiver to sender.
• "Fine – ready to start?"
– ………… nothing …………
• If the sender sends 100 SYN packets per second
– Eventually the receiver runs out of room to track the SYN+ACK replies
– SYN flooding.
IP Spoofing
• A machine can place any IP address in the source address of an IP datagram.
• Disadvantage: Any reply packet will return to the wrong place.
• Advantage (to an attacker): No-one knows who sent the packet.
• If the sender sends 100 SYN packets per second with spoofed source addresses….
TCP Denial of Service
[Figure: 192.168.0.20 sends a stream of TCP SYN packets to 192.168.0.40 in IP datagrams with the spoofed source 62.49.10.1 ("Can we talk?"). 192.168.0.40 answers each with a SYN & ACK packet addressed to 62.49.10.1 ("Fine, ready to start?"), where nothing answers, so every half-open connection stays in the tracking list.]
SECURITY INNOVATION ©200368
TCP/IP Ports
• Many processes on a single machine may be waiting for network traffic.
• When a packet arrives, how does the transport layer know which process it is for?
• The port allows the transport layer to deliver the packet to the application layer.
• Packets have source and destination port.
– Source port is used by receiver as destination of replies.
Port Assignments
• Well known ports from 0 to 1023
– http=port 80
– smtp=port 25
– syslog=port 514
– telnet=23
– ssh=22
– ftp=21 + more…
• Registered ports from 1024 to 49151
• Dynamic or private ports from 49152 to 65535
Port Multiplexing
[Figure: port multiplexing between Host A and Host B. Host A runs putty, telnet and a web browser (netscape); Host B runs apache. Each host's stack is shown as Transport Layer, Internet Layer, Network Layer and Physical Network, with the data units Message, Packet, Datagram and Frame. Ports shown: 80 and 23 on the server side, 2076, 2077 and 2078 on the client side.]
Ports in Action
[Figure: hosts 192.168.0.20 and 192.168.0.40 (www.localserver.org) connected by a switch. HTTP message "GET index.html" travels in a TCP packet (Src Port: 2076, Dest Port: 80) inside an IP datagram (Src: 192.168.0.20, Dest: 192.168.0.40); the reply "Contents of index.html" travels in a TCP packet (Src Port: 80, Dest Port: 2076) inside an IP datagram (Src: 192.168.0.40, Dest: 192.168.0.20). A TELNET message travels in a TCP packet (Src Port: 2077, Dest Port: 23) inside an IP datagram (Src: 192.168.0.20, Dest: 192.168.0.40); the reply travels in a TCP packet (Src Port: 23, Dest Port: 2077) inside an IP datagram (Src: 192.168.0.40, Dest: 192.168.0.20).]
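The demultiplexing the slides describe, worked through in code as an added example (not part of the original deck): a host's transport layer parses the IPv4 and TCP headers, matches a SYN against a listener table keyed on destination port, and matches later segments against a connection table keyed on the full four-tuple. Addresses and ports are the ones from the "Ports in Action" figure; the process names ("apache", "telnetd") and the packet bytes are constructed.

```python
"""Transport-layer demultiplexing by port, as on the 'Ports in Action' slide.

Added example, not part of the original slides. Hosts and ports follow the
slide (192.168.0.20 -> 192.168.0.40, client ports 2076/2077, servers on 80
and 23); process names and packet bytes are constructed for the example.
"""
import socket
import struct
from typing import Dict, Optional, Tuple

IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header, no options
TCP_HEADER = struct.Struct("!HHIIBBHHH")       # 20-byte TCP header, no options
TCP_SYN, TCP_ACK = 0x02, 0x10

FourTuple = Tuple[str, int, str, int]          # (src_ip, src_port, dst_ip, dst_port)


def build_segment(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                  flags: int, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 datagram carrying a TCP segment. Checksums are
    left zero: this is a constructed sample, never put on a wire."""
    tcp = TCP_HEADER.pack(src_port, dst_port, 0, 0, (5 << 4), flags, 65535, 0, 0)
    total_len = IPV4_HEADER.size + len(tcp) + len(payload)
    ip = IPV4_HEADER.pack(0x45, 0, total_len, 0, 0, 64, socket.IPPROTO_TCP, 0,
                          socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + tcp + payload


def parse_segment(datagram: bytes) -> Tuple[FourTuple, int, bytes]:
    """Return ((src_ip, src_port, dst_ip, dst_port), tcp_flags, payload)."""
    vihl, _, total_len, _, _, _, proto, _, src, dst = IPV4_HEADER.unpack_from(datagram)
    if vihl >> 4 != 4 or proto != socket.IPPROTO_TCP:
        raise ValueError("not an IPv4/TCP datagram")
    ihl = (vihl & 0x0F) * 4
    sport, dport, _, _, offs, flags, _, _, _ = TCP_HEADER.unpack_from(datagram, ihl)
    data_off = ihl + (offs >> 4) * 4
    payload = datagram[data_off:total_len]
    return (socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport), flags, payload


class TransportDemux:
    """The part of a host's transport layer that decides which process gets an
    arriving segment: listeners keyed on local port, connections keyed on the
    full four-tuple (so replies from port 80 reach the right client socket)."""

    def __init__(self, local_ip: str) -> None:
        self.local_ip = local_ip
        self.listeners: Dict[int, str] = {}          # local port -> process
        self.connections: Dict[FourTuple, str] = {}  # 4-tuple -> process

    def listen(self, port: int, process: str) -> None:
        self.listeners[port] = process

    def deliver(self, datagram: bytes) -> Optional[str]:
        """Return the process that receives this segment, or None when no
        socket matches (a real stack would answer with RST)."""
        (src_ip, sport, dst_ip, dport), flags, _ = parse_segment(datagram)
        if dst_ip != self.local_ip:
            return None                                # not addressed to this host
        key = (src_ip, sport, dst_ip, dport)
        if key in self.connections:                    # established flow
            return self.connections[key]
        if flags & TCP_SYN and dport in self.listeners:
            self.connections[key] = self.listeners[dport]   # new connection
            return self.connections[key]
        return None


def demo() -> Dict[str, Optional[str]]:
    """Replay the slide's exchanges against 192.168.0.40 and record the
    receiving process for each segment."""
    host = TransportDemux("192.168.0.40")
    host.listen(80, "apache")     # constructed process names
    host.listen(23, "telnetd")
    client, server = "192.168.0.20", "192.168.0.40"
    out: Dict[str, Optional[str]] = {}
    out["http_syn"] = host.deliver(build_segment(client, 2076, server, 80, TCP_SYN))
    out["http_get"] = host.deliver(build_segment(client, 2076, server, 80, TCP_ACK,
                                                 b"GET index.html"))
    out["telnet_syn"] = host.deliver(build_segment(client, 2077, server, 23, TCP_SYN))
    # A port nobody listens on: no receiver.
    out["closed_port"] = host.deliver(build_segment(client, 2078, server, 21, TCP_SYN))
    # Data on a source port that never completed a SYN: no connection, no receiver.
    out["stray_data"] = host.deliver(build_segment(client, 2079, server, 80, TCP_ACK, b"x"))
    return out
```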
Network Sniffers
• Network Interface Cards normally operate in non-promiscuous mode.
– Only listen for frames with their MAC address
• A sniffer changes a NIC into promiscuous mode.
– Reads frames regardless of MAC address.
• Many different sniffers
– tcpdump
– ethereal
– Snort
Sniffing Legitimately
• Do they have legitimate uses?
– Yes … when used in an authorized and controlled manner.
– Network analyzers or protocol analyzers.
– With complex networks, they are used for fault investigation and performance measurement.
– Useful when understanding how a COTS product uses the network.
Detecting Sniffers
• Detecting a sniffing attack
• Very difficult, but sometimes possible
– Tough to check remotely whether a device is sniffing. Approaches include:
• Sending large volumes of data, then sending ICMP ping requests.
• Sending data to unused IP addresses and watching for DNS requests for those IP addresses.
• Exploiting operating system quirks.
– AntiSniff, Security Software Technologies
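The second approach on the slide (bait traffic to unused addresses, then watch DNS) as an added example, not from the slides or from AntiSniff: a host that captures frames not addressed to it, and resolves the addresses it sees, will send PTR queries for the decoy addresses, which show up in the resolver's query log. The decoy addresses, the hosts and the log lines are constructed, in a simplified "client#port query: name IN type" layout rather than any real server's log format.

```python
"""Spotting a sniffer by the reverse-DNS lookups it makes for decoy addresses.

Added example, not part of the original slides. Only a host reading frames it
was not sent (promiscuous mode) has any reason to resolve an address that no
real machine uses, so PTR queries for the decoys point at the sniffing host.
Addresses and log lines are constructed; the log format is a simplified one.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Decoy addresses: unused on the LAN, only ever seen as destinations of the
# bait traffic we send ourselves (constructed for this example).
DECOY_IPS = ["192.168.0.250", "192.168.0.251"]

LINE_RE = re.compile(
    r"^(?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+\s+query:\s+(?P<name>\S+)\s+IN\s+(?P<qtype>[A-Z]+)")


def reverse_name(ip: str) -> str:
    """192.168.0.250 -> '250.0.168.192.in-addr.arpa' (the PTR query name)."""
    return ipaddress.ip_address(ip).reverse_pointer


def suspected_sniffers(log_lines: Iterable[str], decoys: Iterable[str]) -> Dict[str, List[str]]:
    """Map each client that issued a PTR query for a decoy address to the
    decoy addresses it looked up. Unparseable lines are ignored."""
    wanted = {reverse_name(ip): ip for ip in decoys}
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("qtype") != "PTR":
            continue
        name = m.group("name").rstrip(".").lower()   # tolerate a trailing dot
        if name in wanted:
            hits[m.group("client")].add(wanted[name])
    return {client: sorted(ips) for client, ips in hits.items()}


# Constructed sample query log. 192.168.0.55 reverse-resolves both decoys;
# 192.168.0.20 only resolves a host it legitimately talks to (192.168.0.40).
SAMPLE_LOG = """\
192.168.0.20#3412 query: www.localserver.org IN A
192.168.0.55#5112 query: 250.0.168.192.in-addr.arpa. IN PTR
192.168.0.20#3413 query: 40.0.168.192.in-addr.arpa IN PTR
192.168.0.55#5113 query: 251.0.168.192.in-addr.arpa IN PTR
192.168.0.61#6001 query: mail.localserver.org IN MX
garbage line that should be skipped
"""


def demo() -> Dict[str, List[str]]:
    return suspected_sniffers(SAMPLE_LOG.splitlines(), DECOY_IPS)
```

A hit is evidence, not proof: a monitoring host or a resolver that walks the whole subnet will also query the decoys, so the result should be checked against the list of hosts that are supposed to be capturing.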
Sniffer Safeguards
• Preventing attacks or limiting their effects
– Basically a matter of network and system design security
– Examples of safeguards are:
• Use of non-promiscuous interfaces.
• Encryption of network traffic.
• One-time passwords e.g. SecurId, skey.
• Lock MAC addresses to switch ports – not effective.
Packet Sniffing
• Recall how Ethernet works …
• When someone wants to send a packet to someone else …
• They put the bits on the wire with the destination MAC address …
• And remember that other hosts are listening on the wire to detect collisions …
• It couldn’t get any easier to figure out what data is being transmitted over the network!
Packet Sniffing
• This works for wireless too!
• In fact, it works for any broadcast-based medium
Packet Sniffing
• What kinds of data can we get?
• Asked another way, what kind of information would be most useful to a malicious user?
• Answer: Anything in plain text
– Passwords are the most popular
Packet Sniffing
• How can we protect ourselves?
• SSH, not Telnet
– Many people at CMU still use Telnet and send their password in the clear (use PuTTY instead!)
– Now that I have told you this, please do not exploit this information
– Packet sniffing is, by the way, prohibited by Computing Services
• HTTP over SSL
– Especially when making purchases with credit cards!
• SFTP, not FTP
– Unless you really don’t care about the password or data
– Can also use KerbFTP (download from MyAndrew)
• IPSec
– Provides network-layer confidentiality
Example applications
• Defeat sniffing
– Race hosts on ARP replies
– reply to ARPs with broadcast address
– overpopulate caches
• some switches will flush their caches
– alter routing on the host you want to sniff
Networks at the Building Level
• New Threats
– Backbone which connects LANs
– Interconnections between the LAN and the backbone
– Control of information flow within a larger network
– Network Management itself
Backbone
[Figure: a backbone connecting the Human Resources, Finance, Sales and Development LANs.]
Network Backbone Threats I
• Backbone carries all inter-LAN traffic
• Confidentiality
– All data could be eavesdropped
• Integrity
– Any errors could affect all the network traffic
• Availability
– Loss of backbone means that workgroups would be unable to communicate with each other
Network Backbone Threats II
• Overview of Threats
– Point of interconnection between workgroup and backbone is a sensitive area
– From security viewpoint it:
• Provides a point of access to the backbone
• Provides a point of access to all the data associated with a workgroup
• Damage at this point could affect both the workgroup and the backbone
Network Management
• An overview
– Management of complex networks is a difficult task
– Specialised tools are available (including HP OpenView, IBM Netview, Cabletron Spectrum, Sun NetManager)
Fault Handling
• Without network management, faults will:
– Disrupt network operation
– Require substantial effort to identify
– Require a long time to repair
• Network Management facilities combined with intelligent devices allow:
– Faults to be handled / identified locally
– Alert messages to be raised and gathered centrally
– Appropriate actions to be taken
Further Integration
• Physical Network
– Cable Management Systems
– Actual device locations
• Servers and Workstations
– Server disk space monitoring
– Printer status
LAN Safeguards - I
• Partitioning
– With a building network there will be different types of information being processed
– Some types of data will require extra protection e.g.
• Finance
• Personnel / Human Resources
• Internal Audit
• Divisional heads
– Two situations where extra controls are needed
• Physically separate group or team
• Widely distributed group of staff
DHCP
• Dynamic Host Configuration Protocol
– Popular amongst PC users for ease of installation and configuration
– UDP transport
– To broadcast, from 0.0.0.0
DHCP Security Problems
• Unauthenticated
– Anyone can request an address
• Undirected
– Anyone can respond
• Limited ACL capabilities
– Limit addresses per MAC
DHCP Attacks
• Get all addresses
– Denial Of Service
– Reply to requests with compromised host set as router or nameserver
• Deregister hosts
– hijack IPs, connections
DHCP Fixes
• Authentication
– ISC is adding authentication in their 3.1 implementation
– Others have implemented proprietary authentication mechanisms
• Don’t allow dynamic assignment of DNS servers or routers
– Statically define these
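The "anyone can respond" problem from the DHCP Security Problems slide, checked the way the DHCP Fixes slide suggests, as an added example that is not part of the original deck: a monitor on the LAN parses every DHCPOFFER it captures and flags offers from a server that is not on the authorized list, or whose router and DNS options differ from the statically defined values. The packet layout is the standard BOOTP/DHCP one (RFC 2131); the addresses, the policy values and the two sample offers are constructed.

```python
"""Auditing captured DHCPOFFERs against a static server/router/DNS policy.

Added example, not part of the original slides. Addresses and policy values
are constructed; the wire format is the standard BOOTP/DHCP one (RFC 2131).
"""
import socket
import struct
from typing import Dict, List

BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")  # 236-byte fixed header
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 6, 53, 54, 255
DHCPOFFER, BOOTREPLY = 2, 2

# Policy (constructed): the only server allowed to answer on this LAN, and the
# router / DNS values every lease must carry ("statically define these").
AUTHORIZED_SERVERS = {"192.168.0.1"}
EXPECTED_ROUTER = "192.168.0.1"
EXPECTED_DNS = ["192.168.0.1"]


def ips(raw: bytes) -> List[str]:
    """Decode a run of 4-byte addresses (trailing partial bytes are dropped)."""
    return [socket.inet_ntoa(raw[i:i + 4]) for i in range(0, len(raw) - len(raw) % 4, 4)]


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Decode the TLV options after the magic cookie; stops at END, skips PAD."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):           # truncated option, stop cleanly
            break
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def audit_offer(pkt: bytes, src_ip: str) -> List[str]:
    """Return findings for a DHCP reply captured from src_ip; empty = clean.
    Non-DHCP data and non-OFFER messages yield a single 'ignored' note."""
    if len(pkt) < BOOTP.size + 4 or pkt[BOOTP.size:BOOTP.size + 4] != MAGIC_COOKIE:
        return ["ignored: not a DHCP message"]
    op = BOOTP.unpack_from(pkt)[0]
    opts = parse_options(pkt[BOOTP.size + 4:])
    if op != BOOTREPLY or opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return ["ignored: not a DHCPOFFER"]
    findings: List[str] = []
    sid_raw = opts.get(OPT_SERVER_ID, b"")
    server_id = socket.inet_ntoa(sid_raw) if len(sid_raw) == 4 else None
    if server_id is None:
        findings.append("offer without server identifier")
    else:
        if server_id not in AUTHORIZED_SERVERS:
            findings.append(f"offer from unauthorized server {server_id}")
        if src_ip != server_id:
            findings.append(f"server identifier {server_id} does not match sender {src_ip}")
    routers = ips(opts.get(OPT_ROUTER, b""))
    if routers != [EXPECTED_ROUTER]:
        findings.append(f"router option {routers} differs from static {EXPECTED_ROUTER}")
    dns = ips(opts.get(OPT_DNS, b""))
    if dns != EXPECTED_DNS:
        findings.append(f"dns option {dns} differs from static {EXPECTED_DNS}")
    return findings


def build_offer(server_ip: str, client_ip: str, router: str, dns: List[str]) -> bytes:
    """Construct a minimal DHCPOFFER for the example (xid/chaddr are dummies)."""
    hdr = BOOTP.pack(BOOTREPLY, 1, 6, 0, 0x1234, 0, 0x8000, b"\0" * 4,
                     socket.inet_aton(client_ip), socket.inet_aton(server_ip),
                     b"\0" * 4, b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4]) + socket.inet_aton(server_ip)
    opts += bytes([OPT_ROUTER, 4]) + socket.inet_aton(router)
    opts += bytes([OPT_DNS, 4 * len(dns)]) + b"".join(socket.inet_aton(d) for d in dns)
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])


def demo() -> Dict[str, List[str]]:
    good = build_offer("192.168.0.1", "192.168.0.77", "192.168.0.1", ["192.168.0.1"])
    # A second responder on the LAN handing out itself as router and resolver.
    rogue = build_offer("192.168.0.200", "192.168.0.78", "192.168.0.200", ["192.168.0.200"])
    return {"good": audit_offer(good, "192.168.0.1"),
            "rogue": audit_offer(rogue, "192.168.0.200")}
```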
LAN Safeguards - II
• Partitioning
– Network configured so that:
• Group workstations cabled to their own switch
• Switches programmed to restrict data flow onto the backbone
– Add a Firewall
• Control use of any network services
• Control systems that can be contacted
LAN Safeguards – III
• Other Considerations
– If workgroup users are not located in a single area, different measures must be adopted
– In most cases, addressing is used to control traffic flow but does not prevent traffic being read in transit
– Higher level of security can be provided by encryption, but:
• Does encryption mechanism understand the network protocol?
• What is the performance impact of encryption?
• How are encryption keys generated, distributed, and stored?
• Will a workstation on the encrypted workgroup be able to communicate with an unencrypted server?
MAN - I
• Metropolitan Area Network
• New Environment
– A network which encompasses several closely located buildings (sometimes also called a campus network)
– Such expanded network environments bring additional security concerns:
• Network exposed to outside world
• Problems of scale
MAN Example
[Figure: a MAN linking Building A, Building B and Building C.]
MAN - II
• Exposure to outside world
– Network has left the security of the building
– Small scale may rule out encryption
– New risks must be assessed
• Private or public areas
– Investigate constraints on solution
• e.g. buried or elevated links
– May need non-physical links
• e.g. Laser, infra-red, microwave
MAN - III
• Problem of scale
– Information flow must be controlled, and faulty network components (in one building) must not affect other buildings, so:
• Filters / bridges / firewalls will be needed
– Network Information Centre (NIC) is required
– Normally a second level backbone is used
WAN - I
• Wide Area Network
– National or International network
• Threats Become More Significant:
– Sensitive data (including passwords) much more widely transmitted
– Switched network rather than point-to-point
– Change management errors
– Dark-room equipment sites
– Unauthorised access to network links
– Traffic flow monitoring (is this an issue?)
Gateway Protocols
• IGP
– RIPv1
– RIPv2
– OSPF
RIP
• Routing Information Protocol
– Widely used distance-vector IGP (Interior Gateway Protocol) within autonomous systems.
– Exists in two forms, Version 1 and the backwards compatible Version 2.
• RIPv1 is extremely vulnerable to serious attack.
RIP Security Flaws
• Transport Method
• Authentication
RIP Transport Method Flaws
• Based on UDP, utilizing port 520 for sending and receiving messages.
– UDP is unreliable, no sequencing of packets. Easy to send arbitrary data to target.
– Since sequencing is not a concern, forging source address can be very effective.
– May be able to receive data from anywhere on the internet.
RIP Authentication Flaws
• Lack of any authentication in RIPv1
• Cleartext Authentication recommended in RFC 2453 RIPv2 Specifications
• MD5 Key/KeyID Digest Based Authentication described in RFC 2082.
RIP Attacks
• Forging RIP messages
– Spoofing source address and sending invalid routes, altering traffic flow.
• Traffic Hijacking
• Traffic Monitoring
• Redirecting traffic from trusted to untrusted.
– Obtaining Cleartext RIPv2 "password" when sent across network.
• Using retrieved password to send authenticated updates to RIPv2 routers, altering traffic flow with consequences listed above.
RIP Solutions
• Disabling RIPv1 and using RIPv2 with MD5 authentication.
• Enabling MD5 based authentication for RIPv2
• Disabling RIP completely and using OSPF with MD5 authentication as interior gateway protocol. OSPF is the suggested IGP.
OSPF
• OSPF - Open Shortest Path First
– Link-State Interior Gateway Protocol. In wide use within autonomous systems.
– OSPF is the recommended IGP, intended as a replacement for RIP.
OSPF Authentication Flaws
• Default Lack of Authentication
– By default in some implementations, OSPF authentication may be off.
• Cleartext "simple password" Authentication
– Commonly a default setting, clear-text password included in OSPF message used to authenticate peers.
• Type of authentication determined by "CODE" field in the OSPF message header.
OSPF Attacks
• Forging OSPF messages
– Can be somewhat difficult but theoretically possible if no authentication required or cleartext password obtained.
OSPF Solution
• Enable MD5 Authentication in OSPF implementation.
Authentication Flaw Overview
• Authentication is a means for verification and granting of access
• Problems range from denial of service to active and passive attacks leading to total compromise
– gain access
– elevate access
WAN - II
• Impact of different media
– Fiber
• Minimal external radiation
• Special equipment required for tapping
• Normally a tap causes disruption of service
– Satellite, radio, or microwave
• Extensive external radiation
• Special (but easily available) equipment needed for tapping
• Tapping does not disrupt services
• Carrier MIGHT provide some encryption
WAN - III
• Partitioning Networks - Physical Separation
– Provides good separation
– Conceptually easy to understand
– Legacy approach - in the days when adequate logical separation was not possible
• Still done in very secure networks
– Sharing data is difficult and uncontrolled
– Costly
WAN - IV
• Partitioning Networks - Logical Separation
– Closed User Groups
• Multiple virtual networks on one physical one
• Based on network addresses
• Managed by the Network Management Centre (NMC)
– PVCs (Permanent Virtual Circuits)
– Cryptography
WAN - V
• Data Confidentiality
– Choice of physical media
– Network Partitioning
– Link Encryption (Layer 2)
– End-to-end Encryption (Layer 4)
– Key and equipment management issues
WAN - VI
• Link Encryption
– For individual links
– Protocol Independent
– Throughput is not normally an issue
– Moderate cost (£700-£1000 per unit)
• But Link Encryption for Larger Networks
– Is expensive
– Is a management burden
– Data is not protected inside switches
WAN – VII
• Conditions of Connection (COC)
– Very powerful tool for Network Services Dept. when it does not have direct authority
– Details users’ responsibilities
• Responsible for security of their end systems
• Comply with COC’s standards
• Control access to end-systems and equipment
• Protect user-ids, passwords etc.
• Become security aware
• Support tests, investigations etc.
– User management signs up to it before getting the network service
Internet
• Internet connection prerequisite for most corporations
• Web browsing, email, file transfer
• Increasingly used for business critical applications
• Possible to replace expensive WAN link with Internet VPN link
• Threats Become Critical
– Route of sensitive data not guaranteed
– Availability not guaranteed
• Denial of service attacks are real risk
– Any Internet host can probe any other host
– Plenty of malicious content (viruses, Trojans, pornography)
Internet Safeguards
• Firewalls to filter IP traffic
• DeMilitarized Zones to isolate Internet-facing machines from internal networks
• Content filters to filter email & web traffic content
• VPNs to protect critical applications
• Vital to understand how applications communicate, to understand whether risk exists.
Printer Flaws
• Actually a very large potential problem
• Laundering of hacking spoils
• bounce attacks
• Denial of service
Printer flaws...
• Many printers have FTP servers
– Allow anonymous access
• store as much data as memory or disk space in the printer - great place to store hacking tools, sniffer logs, and other stolen things
– Most are poor implementations
• easily used in more complex attacks
– ftp bounce
– Berkeley lpd flaws
Printer flaws...
• Denial of Service
– Used as a tool to conduct DoS
• most love to respond to broadcast pings
– smurf
– Service denied
• poor tcp/ip implementations
– crash easily
• poor service implementation
– SNMP
– ftp
Printer fixes?
• Disable everything you can
What to do?
• Maintain good perimeter defenses
– At least you only have to trust your employees…
• Use cryptographically secure transports
– Crypto is good
• But crypto fails without good policy
• Disable unneeded services
– Not using SNMP?
What to do...
• Disable things like routed on hosts
– 99% of the time, static routes work fine on end machines
• Use the strongest authentication methods possible
– Long keys, strong crypto
Social Problems
• People can be just as dangerous as unprotected computer systems
– People can be lied to, manipulated, bribed, threatened, harmed, tortured, etc. to give up valuable information
– Most humans will break down once they are at the “harmed” stage, unless they have been specially trained
• Think government here…
Social Problems
• Fun Example 1:
– “Hi, I’m your AT&T rep, I’m stuck on a pole. I need you to punch a bunch of buttons for me”
Social Problems
• Fun Example 2:
– Someone calls you in the middle of the night
• “Have you been calling Egypt for the last six hours?”
• “No”
• “Well, we have a call that’s actually active right now, it’s on your calling card and it’s to Egypt and as a matter of fact, you’ve got about $2000 worth of charges on your card and … read off your AT&T card number and PIN and then I’ll get rid of the charge for you”
Social Problems
• Fun Example 3:
– Who saw Office Space?
– In the movie, the three disgruntled employees installed a money-stealing worm onto the company’s systems
– They did this from inside the company, where they had full access to the company’s systems
• What security techniques can we use to prevent this type of access?
Social Problems
• There aren’t always solutions to all of these problems
– Humans will continue to be tricked into giving out information they shouldn’t
– Educating them may help a little here, but, depending on how badly you want the information, there are a lot of bad things you can do to get it
• So, the best that can be done is to implement a wide variety of solutions and more closely monitor who has access to what network resources and information
– But, this solution is still not perfect
Conclusions
• The Internet works only because we implicitly trust one another
• It is very easy to exploit this trust
• The same holds true for software
• It is important to stay on top of the latest CERT security advisories to know how to patch any security holes