CSE 543 - Computer Security (Fall 2006) Lecture 16 - Network Security - PowerPoint PPT Presentation



SLIDE 1

CSE543 Computer (and Network) Security - Fall 2006 - Professor Jaeger

CSE 543 - Computer Security (Fall 2006)

Lecture 16 - Network Security October 31, 2006

URL: http://www.cse.psu.edu/~tjaeger/cse543-f06

SLIDE 2

Midterm

  • Grades
  • 85-100 -- A (4)
  • 76-81 -- B+/A- (8)
  • 66-73 -- B+/B (14)
  • 59-63 -- B/B- (4)
  • 53-56 -- C (2)
  • 45-50 -- D (5)
  • Impact
  • 15% of grade (less than presentations and homeworks)
  • Much less than project; much less than final
  • Need over 50% on one test to get B-

SLIDE 3

Some Questions

  • First 14: General basic concepts or lookup in slides
  • r papers
  • Good: 1, 7, 9
  • Indexing of key ideas in papers -- wing it
  • Questions 17 and 19
  • Generally well-done
  • Long answer
  • 15: Critical assessment necessary (not tamperproof)
  • 16: Deep assessment of trust
  • 17: ‘subject’ ≠ ‘user’ -- integrity impact was good
  • 18: ‘reference monitor guarantees’ from 7

SLIDE 4

Question 20

  • Given a trusted authority, use public key crypto to send a key to another party
  • Just what X needs to send
  • X is sender; Y is receiver; M is authority
  • Y needs X’s public key: X+, X, {H(X+, X)}M-
  • X needs to ensure authenticity, secrecy, and integrity of key
  • {K, X, {H(K, X)}X-}Y+
  • How about with a secret group key
  • Need authenticity, secrecy, and integrity
  • {K, X}Kg, HMAC(Kg, {K, X})
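The group-key variant of Question 20, {K, X}Kg, HMAC(Kg, {K, X}), worked through as an added example (not part of the lecture): the receiver checks the HMAC before it decrypts, so a modified or forged message is rejected. The keystream cipher built from HMAC-SHA256 is an assumed stand-in for a real cipher, and deriving separate encryption and MAC subkeys from Kg is an addition to the slide's construction.

```python
import hmac
import hashlib
import json
import os

# Added example: {K, X}Kg, HMAC(Kg, {K, X}) with Kg the shared group secret,
# K the key being distributed and X the sender's identity. The MAC is taken
# over the ciphertext (encrypt-then-MAC). Deviation from the slide, on purpose:
# distinct "enc" and "mac" subkeys are derived from Kg rather than reusing it.

def _subkey(kg: bytes, label: bytes) -> bytes:
    return hmac.new(kg, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Assumed stand-in for a real stream cipher: HMAC over nonce || counter.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def send_key(kg: bytes, k: bytes, sender: str):
    """X's side: returns (nonce, {K, X}Kg, HMAC over nonce || ciphertext)."""
    nonce = os.urandom(16)
    plaintext = json.dumps({"K": k.hex(), "X": sender}).encode()
    stream = _keystream(_subkey(kg, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(kg, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag

def receive_key(kg: bytes, nonce: bytes, ciphertext: bytes, tag: bytes):
    """Group member's side: verify the tag first; decrypt only if it is valid."""
    expected = hmac.new(_subkey(kg, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged or modified in transit: reject without decrypting
    stream = _keystream(_subkey(kg, b"enc"), nonce, len(ciphertext))
    msg = json.loads(bytes(c ^ s for c, s in zip(ciphertext, stream)))
    return bytes.fromhex(msg["K"]), msg["X"]
```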

SLIDE 5

Project Meetings

  • Meet with groups
  • Discuss experiment
  • Try to propose experiment
  • Th, Fr, M
  • Will send an email to schedule
  • Project slides are not due until 11/28

SLIDE 6

Network Security …

  • This is a poorly understood engineering discipline.
  • The following looks at the application of tools …

SLIDE 7

Network security: the high bits

  • The network is …
  • … a collection of interconnected computers
  • … with resources that must be protected
  • … from unwanted inspection or modification
  • … while maintaining adequate quality of service.
  • Another way of seeing network security is
  • Securing the network infrastructure such that the integrity, confidentiality, and availability of the resources are maintained.

  • Q: How do we do this?

SLIDE 8

The network …

[Figure: the network, labelled Internet, LAN (perimeter), hosts/desktops, edge, server, remote hosts/servers]

SLIDE 9

The big picture ….

  • Internet Protocol (IP)
  • Really refers to a whole collection of protocols making up the vast majority of the Internet
  • Routing
  • How these packets move from place to place
  • Network management
  • Administrators have to maintain the services and infrastructure supporting everyone’s daily activities

SLIDE 10

Network security – the tools …

  • Filtering
  • Firewalls
  • Communication Security and Services
  • DNSsec, IPsec, SSH, ...
  • Isolation
  • VPNs, VLANs
  • Detection and mitigation
  • intrusion detection
  • DDOS tools

SLIDE 11

Filtering: the threats

  • Adversary 1: some external network entity attempting to gain access to internal resources
  • Adversary 2: some internal, but malicious entity (or software) trying to expose sensitive data
  • Adversary 3: some internal or external entity that is preventing access to internal resources (DOS)

SLIDE 12

Filtering: Firewalls

  • Filtering traffic based on policy
  • Policy determines what is acceptable traffic
  • Access control over traffic
  • Accept or deny
  • May perform other duties
  • Logging (forensics, SLA)
  • Flagging (intrusion detection)
  • QOS (differentiated services)

[Figure: layers at which a firewall can filter: Application, Network, Link]

SLIDE 13

Firewall Policy

  • Specifies what traffic is (not) allowed
  • Maps attributes to address and ports
  • Example: HTTP should be allowed to any external host, but inbound only to the web-server

SLIDE 14

xListing

  • Blacklisting - specifying specific connectivity that is explicitly disallowed
  • E.g., prevent connections from badguys.com
  • Whitelisting - specifying specific connectivity that is explicitly allowed
  • E.g., allow connections from goodguys.com
  • These are useful for IP filtering, SPAM mitigation, …
  • Q: What access control policies do these represent?
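The firewall policy example from the previous slide and the blacklist/whitelist distinction from this one, as an added example that is not part of the lecture: a first-match rule evaluator whose default action is what separates a whitelist (default deny) from a blacklist (default accept). The web server address 192.0.2.10 and the host name badguys.example are constructed for the example.

```python
# Added example, not from the lecture: first-match packet filtering where the
# default action decides whether a rule set behaves as a whitelist or a blacklist.
WEB_SERVER = "192.0.2.10"   # assumed address of the one host that may receive HTTP

# A rule is (direction, protocol, src, dst, dst_port, action); "*" matches anything.
POLICY = [
    ("out", "tcp", "*", "*", 80, "accept"),         # HTTP allowed to any external host
    ("in",  "tcp", "*", WEB_SERVER, 80, "accept"),  # inbound HTTP only to the web server
]
BLACKLIST = [("in", "*", "badguys.example", "*", "*", "deny")]  # constructed name

def _match(field, pattern):
    return pattern == "*" or field == pattern

def filter_packet(rules, default, direction, proto, src, dst, dport):
    """Return the action of the first matching rule, or the default action."""
    for r_dir, r_proto, r_src, r_dst, r_port, action in rules:
        if all((_match(direction, r_dir), _match(proto, r_proto),
                _match(src, r_src), _match(dst, r_dst), _match(dport, r_port))):
            return action
    return default

def whitelist(direction, proto, src, dst, dport):
    # Whitelist: only explicitly allowed connectivity passes; everything else is denied.
    return filter_packet(POLICY, "deny", direction, proto, src, dst, dport)

def blacklist(direction, proto, src, dst, dport):
    # Blacklist: only explicitly disallowed connectivity is blocked; everything else passes.
    return filter_packet(BLACKLIST, "accept", direction, proto, src, dst, dport)
```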

SLIDE 15

Stateful, Proxy, and Transparent

  • Single packet contains insufficient data to make access control decision
  • State allows historical context consideration
  • Firewall collects data over time
  • e.g., TCP packet is part of established session
  • Firewalls can affect network traffic
  • Transparent: appear as a single router (network)
  • Proxy: receives, interprets, and reinitiates communication (application)
  • Transparent good for speed (routers), proxies good for complex state (applications)
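The "TCP packet is part of established session" point as an added example (not code from the lecture): a minimal connection table that lets an inbound segment through only when an internal host opened the session, or when it starts a new connection to the one published service. The web server address 192.0.2.10 is assumed, and session teardown on FIN/RST is simplified.

```python
# Added example, not from the lecture: stateful filtering with a connection table.
WEB_SERVER = "192.0.2.10"   # assumed address of the only host reachable from outside

class StatefulFilter:
    def __init__(self):
        # sessions are keyed (internal_addr, internal_port, external_addr, external_port)
        self.sessions = set()

    def handle(self, direction, src, sport, dst, dport, flags):
        """Decide one TCP segment: returns 'accept' or 'drop'. flags is e.g. {'SYN'}."""
        if direction == "out":
            # An internal host initiating a connection: remember it for the replies.
            if "SYN" in flags and "ACK" not in flags:
                self.sessions.add((src, sport, dst, dport))
            return "accept"
        key = (dst, dport, src, sport)
        # Inbound segment belonging to a session opened from inside (or a tracked
        # inbound HTTP connection) is accepted; a single packet alone could not tell.
        if key in self.sessions:
            if "FIN" in flags or "RST" in flags:
                self.sessions.discard(key)   # simplified: drop state on close
            return "accept"
        # Otherwise only a fresh connection to the published web service is allowed.
        if dst == WEB_SERVER and dport == 80 and "SYN" in flags and "ACK" not in flags:
            self.sessions.add(key)
            return "accept"
        return "drop"
```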

SLIDE 16

DMZ (De-militarized Zone)

[Figure: DMZ topology: Internet, DMZ (servers), internal LAN]

SLIDE 17

Practical Issues and Limitations

  • Network layer firewalls are dominant
  • DMZs allow multi-tiered fire-walling
  • Tools are widely available and mature
  • Personal firewalls gaining popularity
  • Issues
  • Network perimeters not quite as clear as before
  • E.g., telecommuters, VPNs, wireless, …
  • Every access point must be protected
  • E.g., this is why war-dialing is effective
  • Hard to debug, maintain consistency and correctness
  • Often seen by non-security personnel as impediment
  • E.g., Just open port X so I can use my wonder widget …
  • SOAP - why is this protocol an issue?

SLIDE 18

Wool’s Firewall Study

  • What is the purpose of this study?

SLIDE 19

Interesting tid-bits from the Wool study

  • 12 error classes
  • No default policy, automatic broad tools
  • NetBIOS (the very use of the Win protocol deemed error)
  • Portmapper protocols
  • Use of “any wildcards”
  • Lack of egress rules
  • Interesting questions:
  • Is the violation of Wool’s errors really a problem?
  • “DNS attack” comment?
  • Why do you think more expensive firewalls had a higher occurrence of errors?
  • Take away: configurations are bad
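Several of the error classes listed above, turned into a rule-set check as an added example (not part of the lecture or of Wool's study): it flags a missing default policy, the absence of egress rules, accept rules built from "any" wildcards, and inbound exposure of NetBIOS or the portmapper. The rule layout is assumed; the NetBIOS (137-139, 445) and portmapper (111) port numbers are the standard assignments.

```python
# Added example, not from the lecture: audit a rule set for error classes
# named on the slide. Rules are (direction, proto, src, dst, dst_port, action)
# with "*" as the wildcard.
NETBIOS_PORTS = {137, 138, 139, 445}
PORTMAPPER_PORT = 111

def audit_rules(rules, default_action=None):
    """Return a list of (error_class, offending_rule_or_None) findings."""
    findings = []
    if default_action is None:
        # Without a default, traffic no rule mentions has no defined fate.
        findings.append(("no default policy", None))
    if not any(direction == "out" for direction, *_ in rules):
        # Nothing constrains what internal hosts may send out.
        findings.append(("lack of egress rules", None))
    for rule in rules:
        direction, _proto, src, dst, port, action = rule
        if action != "accept":
            continue
        if [src, dst, port].count("*") >= 2:
            findings.append(("any wildcards", rule))
        if direction == "in" and src == "*":
            if port in NETBIOS_PORTS:
                findings.append(("NetBIOS exposed to the outside", rule))
            elif port == PORTMAPPER_PORT:
                findings.append(("portmapper exposed to the outside", rule))
    return findings
```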

SLIDE 20

Worms

SLIDE 21

Worms

  • A worm is a self-propagating program.
  • As relevant to this discussion
  • 1. Exploits some vulnerability on a target host …
  • 2. (often) embeds itself into a host …
  • 3. Searches for other vulnerable hosts …
  • 4. Goto (1)
  • Q: Why do we care?

SLIDE 22

The Danger

  • What makes worms so dangerous is that infection grows at an exponential rate
  • A simple model:
  • s (search) is the time it takes to find a vulnerable host
  • i (infect) is the time it takes to infect a host
  • Assume that t=0 is the worm outbreak; the number of hosts at t=j is 2^(j/(s+i))
  • For example, if (s+i = 1), what is it at time t=32?
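The growth model from this slide as an added example (not from the lecture): the formula and its inverse, plus a bounded variant, an assumed extension in which doubling stops once the vulnerable population is used up.

```python
import math

# Added example, not from the lecture: the slide's model hosts(j) = 2^(j/(s+i)).

def infected_hosts(j, s, i):
    """Infected hosts at time j; s+i is the doubling time (one search plus one infect)."""
    return 2 ** (j / (s + i))

def time_to_reach(n, s, i):
    """Time at which the unbounded model reaches n hosts (inverse of infected_hosts)."""
    return (s + i) * math.log2(n)

def simulate_bounded(vulnerable, s, i, t_end):
    """Assumed extension: step in units of s+i, capped at the vulnerable population.
    Returns a trace of (time, infected) pairs."""
    infected, t, trace = 1, 0.0, [(0.0, 1)]
    while t + (s + i) <= t_end and infected < vulnerable:
        t += s + i
        infected = min(2 * infected, vulnerable)
        trace.append((t, infected))
    return trace
```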

SLIDE 23

The result

[Figure: plot of infected hosts versus time; y-axis from 500,000,000 to 5,000,000,000]

SLIDE 24

The Morris Worm

  • Robert Morris, a 23-year-old doctoral student from Cornell
  • Wrote a small (99 line) program
  • November 3rd, 1988
  • Simply disabled the Internet
  • How it did it
  • Reads /etc/passwd, then tries the obvious choices and a dictionary, /usr/dict words
  • Used local /etc/hosts.equiv, .rhosts, .forward to identify hosts that are related
  • Tries cracked passwords at related hosts (if necessary)
  • Uses whatever services are available to compromise other hosts
  • Scanned local interfaces for network information
  • Covered its tracks (set its own process name to sh, prevented accurate cores, re-forked itself)

SLIDE 25

Other scanning strategies

  • The doomsday worm: a flash worm
  • Create a hit list of all vulnerable hosts
  • Staniford et al. argue this is feasible
  • Would contain a 48MB list
  • Do the infect and split approach
  • Use a zero-day vulnerability
  • Result: saturate the Internet in less than 30 seconds!

SLIDE 26

Worms: Defense Strategies

  • (Auto) patch your systems: most, if not all, large worm outbreaks have exploited known vulnerabilities (with patches)
  • Heterogeneity: use more than one vendor for your networks
  • Shield (Ross): provides filtering for known vulnerabilities, such that they are protected immediately (analog to virus scanning)
  • Filtering: look for unnecessary or unusual communication patterns, then drop them on the floor
  • This is the dominant method, getting sophisticated (Arbor Networks)

[Figure: Shield sits between the Network Interface and the Operating System, filtering Network Traffic]
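A vulnerability-driven filter in the spirit of Shield, as an added example (not the lecture's or the Shield project's own code): it parses a constructed request format and drops only requests that match the trigger condition of a known bug, so an unpatched host behind it is protected while ordinary traffic passes. The wire format (1-byte version, 1-byte opcode, 2-byte big-endian name length, name) and the 64-byte buffer limit are assumed.

```python
import struct

# Added example, not from the lecture or Shield: a filter between the network
# interface and the application that blocks inputs matching a known bug's
# signature. Assumed format: version(1) opcode(1) name_len(2, big-endian) name.
MAX_NAME_LEN = 64   # assumed size of the fixed buffer in the vulnerable version

def parse_request(data: bytes):
    """Return (version, opcode, name); raise ValueError for malformed input."""
    if len(data) < 4:
        raise ValueError("truncated header")
    version, opcode, name_len = struct.unpack("!BBH", data[:4])
    if len(data) != 4 + name_len:
        raise ValueError("length field does not match payload")
    return version, opcode, data[4:4 + name_len]

def shield(data: bytes):
    """Return ('pass', request) to forward to the application, or ('drop', reason)."""
    try:
        version, opcode, name = parse_request(data)
    except ValueError as exc:
        return "drop", f"malformed: {exc}"   # the service could not parse it either
    if len(name) > MAX_NAME_LEN:
        # Matches the vulnerability signature: stop it here, before the unpatched code.
        return "drop", f"name length {len(name)} exceeds {MAX_NAME_LEN}"
    return "pass", (version, opcode, name)

def build_request(version: int, opcode: int, name: bytes) -> bytes:
    """Encode a request in the assumed format (used to construct test traffic)."""
    return struct.pack("!BBH", version, opcode, len(name)) + name
```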
