9 NetworkManagement&Security
-
Upload
raghu-goud -
Category
Documents
-
view
224 -
download
0
Transcript of 9 NetworkManagement&Security
Shivendra Panwar, Shiwen Mao Jeong-dong Ryoo, and Yihan Li
TCP/IP Essentials A Lab-Based Approach
Chapter 9 Network Management
& Security
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 2
Network Management
n A network administrator needs to ¨ Collect statistics from a device to see if it works properly ¨ Monitor network traffic load on routers to see if the load is
appropriately distributed ¨ Go through collected information to identify the cause when a
network failure occurs
n Simple Network Management Protocol (SNMP) ¨ Application layer protocol ¨ Exchange management information between network devices ¨ Consist of a manager and multiple managed devices
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 3
An SNMP Management Scenario n Managed device
¨ A number of Management Information Bases (MIBs) record local management related infomation
¨ SNMP Agent provides interface between MIBs and an SNMP Manager, UDP port 161
n SNMP manager ¨ Performs read or write operations on MIB objects by sending SNMP
messages to the agent ¨ Agent sends a trap message to the manager on UDP port 162 when a
significant event occurs
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 4
SNMP Messages n Get: fetches the value of one or more objects n GetNext: fetches the value of the next object after the specified
object n Set: Sets the value of one or more objects n Response: Returns the value of one or more objects n Trap: Reports the occurrence of some significant events in a
managed device ¨ The manager does not acknowledge Traps
n Inform: Reports the occurrence of some significant events in a managed device ¨ The manager returns a response
n GetBulk: Allows responses with a large amount of management information
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 5
SNMP Message Formats
Version Community PDU
PDU Type Request ID Error Status Error Index Object 1,
Value 1 Object 2, Value 2 …
PDU Type Request ID Non Repeaters
Max. Repetitions
Object 1, Value 1
Object 2, Value 2 …
SNMPv2 Get, GetNext, Inform, Response, Set, and Trap messages
SNMPv2 GetBulk message
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 6
SNMP Message Fields n Version Number
¨ The version of SNMP: SNMPv1,SNMPv2, SNMPv3 ¨ SNMPv2 extends SNMPv1 by defining additional operations ¨ SNMPv3 extends SNMPv2 by adding security and remote
configuration capabilities n Community Name
¨ Defines the access scope for SNMP managers and agents ¨ An SNMP message carrying a different community name is
discarded ¨ Provides a simple authentication for SNMP messages
n Protocol Data Unit (PDU) Type ¨ Specifies the SNMP message type
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 7
SNMP Message Fields n Request ID
¨ Used to match an SNMP request with the corresponding response
n Error Status ¨ An integer specifying an error ¨ Only set by an SNMP response
n Error Index ¨ An integer offset specifying which object was in error if an error
occurred ¨ Only set by an SNMP response
n Objects and Values ¨ A list of objects and their values
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 8
MIB Structure n A managed device maintains a large number of SNMP objects
storing management information n The Structure of Management Information (SMI)
¨ Defines the rules for describing management information and the data types used in SNMP
¨ Data types: Integer, Octet String, Sequence n MIB objects are organized as a tree
¨ Each level of the tree consists of groups ¨ Each group has its name and the associated numerical identifier ¨ Leaves in the mib-2 subtree are MIB objects ¨ Vendor-specific MIBs are located in the enterprise subtree ¨ Each node (leaf) is identified by a concatenation of the names (or
IDs) of all its predecessors starting from the root n The leaf tcpMaxConn can be identified by 1.3.6.1.2.1.6.4 or
iso.org.dod.internet.mgmt.mib-2.tcp.tcpMaxConn
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 10
NET-SNMP
n Formerly known as UCD-SNMP n A very popular public domain SNMP implementation n Consists of
¨ an extensible SNMP agent ¨ a set of tools to request or set information from SNMP agents ¨ a set of tools to generate and handle SNMP traps ¨ an SNMP API library for writing SNMP related programs
n Section 9.2.3 for details
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 11
Why Network Security?
n A computer connected to Internet is exposed to attackers from all over the world
n Messages exchanged between two end hosts may be intercepted or modified by an attacker ¨ Many local networks are broadcast networks ¨ Internet routers are shared by many data flows
n There is no global control over all the networks and users in the Internet
n An attacker may claim a false identity to gain unauthorized access to information or disrupt the normal operation of a network system
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 12
Basic Network Security Model n The sender encrypts the messages using a key before sending
them out to the network n The receiver uses the corresponding key to decrypt the message n If the keys are kept safely, the messages will not be decipherable to
an opponent n A third party, trusted by both end users, is used to distribute the
keys reliably.
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 13
Network Access Security Model n A gatekeeper function protects the internal information
system against attack from the outside network n The internal network performs accounting and auditing
in order to detect an intrusion
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 14
Security Elements and Services
n AAA elements in information security ¨ Authentication to ensure users’ identity ¨ Authorization to assign legitimate privilege to users ¨ Accounting to log user/network behavior for security analysis
n Other important security services ¨ Confidentiality protects transmitted data from analysis ¨ Integrity ensures that a piece of information is not altered ¨ Nonrepudiation ensures that the sender (receiver) cannot deny
sending (or receiving) a piece of information ¨ Availability ensures accessibility to users
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 15
Data Encryption n Classical encryption techniques
¨ Permutation: the order of the plaintext characters is changed ¨ Substitution: a plaintext alphabet is mapped to a different one
n Cipher is the module which performs the encryption ¨ Stream ciphers encrypt data bit by bit or byte by byte ¨ Block ciphers first pack the data bits into a fixed length block,
then encrypt the whole block into a ciphertext block.
Decryption Network Encryption plaintext plaintext ciphertext ciphertext
Sender Receiver
Shared Secret-Key
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 16
Encryption/Decryption Keys
n Symmetric-key cipher: the same key shared by both sender and receiver
n Public-key cipher: a private key and a public key for encryption and decryption
n The effectiveness of the encryption schemes depends on the keys ¨ The longer a key is, the more difficult to decrypt by brute force ¨ Multiple keys may be needed in a network; keys need to be
generated and distributed efficiently and reliably
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 17
Feistel Network Model n A 2w bit plaintext block is encrypted into a 2w bit ciphertext block n A number of identical blocks (called rounds) concatenated in a chain n Operations:
¨ The plaintext is first divided into two w-bit blocks, L1 and R1 ¨ Ri is first processed with a round function F, using a secret key Ki ¨ Compute the exclusive-OR of the L1 and the output of F. The result is
switched with Ri and fed into the next round
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 18
Data Encryption Standard (DES) n The most widely used encryption standard n Block-based cipher, 16 rounds, 64-bit blocks, 56-bit keys n Avalanche Effect: the strength of DES
¨ A small change in the plaintext or the 56-bit key produces a significant change in the ciphertext
¨ Makes the ciphertext difficult to decrypt by brute force
n Symmetric cipher, the same keys are used in the encryption and decryption
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 19
Public-Key Encryption/Decryption n The public key for message encryption/decryption by a sender n The private key for message decryption/encryption by the receiver
plaintext plaintext ciphertext ciphertext
Public Key Sender Receiver
Private Key
Decryption Network Encryption
plaintext plaintext ciphertext ciphertext
Sender Receiver
Decryption Network Encryption
Public Key
Private Key
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 20
Provide Authentication n Bob encrypts a message using his own private key and sends to
Alice n Alice decrypts the received message using Bob’s public key n All other users can decrypt the message since Bob’s public key is
known n Alice knows that the message can only be sent by Bob since only
Bob knows his own private key
plaintext
plaintext ciphertext ciphertext
Bob’s Private Key
Bob Alice
Decryption Network Encryption
Bob’s Public Key
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 21
Provide Confidentiality n Bob encrypts the message using Alice’s public key so
that other users cannot read the message n Alice decrypts the received message using her private
key n The message is indecipherable to all other users
plaintext
plaintext ciphertext ciphertext
Alice’s Public Key
Bob Alice
Decryption Network Encryption
Alice’s Private Key
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 22
Provide Authentication and Confidentiality n Bob first encrypts the message using Alice’s public key,
then further encrypts the ciphertext with his private key ¨ The 1st encryption ensures communication confidentiality ¨ The 2nd encryption provides sender authentication
n Alice first decrypts the message using Bob’s public key, then decrypts the results using her private key
Message Message
Bob Alice
Encrypted Message
Encrypted Message
Double Encrypted Message
Decryption Encryption
Encryption Decryption
Alice’s Public
Key
Alice’s Private
Key
Bob’s Private
Key
Bob’s Public
Key
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 23
Rivest-Shamir-Adleman (RSA) n A widely used public-key encryption scheme
¨ Block cipher, block size less than or equal to B (bits), n=2B
¨ M: plaintext ¨ C: ciphertext ¨ Public key {e, n}, C=Me mod n ¨ Private key {d, n}, M=Cd mod n ¨ M = Cd mod n = Med mod n, any satisfying three-tuple of n, e, d
produces a pair of keys n High computational cost of public-key encryption
¨ Exponential function used, higher cost compared to permutation and substitution operation
¨ Used in key-management and signature applications ¨ Not practical to encrypt the whole message using public-key
encryption
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 24
Hashing and Message Authentication n Hashing maps a message of variable length into a hash
value with fixed length n Hashing is not reversible
¨ A hash value can be computed from a message ¨ The message can never be recovered from a received hash
value only n Simplest hashing: block-based XOR
¨ Divide a message into blocks [B1, B2, ···, Bn] ¨ H = B1⊕ B2 ⊕ ··· ⊕ Bn
n Hashing can be used to generate a digest of the message, called the Message Authentication Code (MAC)
n The receiver can use the digest to verify if the message is authentic
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 25
Message Digest 5 (MD5) n MD5 is one of the most widely used hashing algorithms n The sender encrypts the message digest with the sender’s private
key n The receiver uses the same MD5 algorithm and the sender’s
public key to compute the digest of the received message n If the message is genuine, the two digests should be identical
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 26
Digital Signature n Used to provide nonrepudiation service when there is a lack of
complete trust between the users n Can be used to verify the date and time of a message, and to
authenticate the contexts of the message n A digital signature is a bit pattern including
¨ A digest of the message ¨ The user ID ¨ A timestamp ¨ Some other information
n Usually encrypted using either symmetric encryption or public-key encryption
n Direct digital signature: only the communicating parties involved n Arbitrated digital signature: a certificate is issued by an arbitrator to
the sender, may include a secret key n Digital Signature Standard (DSS)
¨ Widely used, hashing, public-key encryption
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 27
Secure Shell (SSH) n Application layer security n A set of protocols for secure remote login and other
secure network services over an insecure network ¨ Will replace transitional remote access protocols ¨ Supports almost any kind of public-key algorithm and various
types of authentication ¨ SSH client and server use digital signatures to verify their
identity ¨ All communication between the client and server is encrypted
n Major components: ¨ The Transport Layer Protocol (SSH-TRANS): provides server
authentication ¨ User Authentication Protocol (SSH-USERAUTH): authenticates
the client-side user to the server ¨ Connection Protocol (SSH-CONNECT): multiplexes the
encrypted tunnel into several logical channels
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 28
OpenSSH n A public domain implementation of SSH n Includes ssh, scp, sftp, sshd, sftp-server, and other basic utilites n Supports Linux and Solaris platforms n Provides tools for key management
¨ ssh-keygen: creates keys for public-key authentication ¨ ssh-agent: an authentication agent holding RSA keys ¨ ssh-add: used to register new keys with the SSH agent ¨ ssh-keyscan: used to gather SSH public keys
n Client programs: ¨ ssh, a secure client for logging into a remote machine and
executing commands there n E.g., to login into shakti as user guest:
ssh [email protected] ¨ scp, a secure client for copying files between hosts
n E.g., to upload a file foo.txt to host shakti: scp foo.txt [email protected]:/home/guest/foo.txt
¨ sftp, a secure interactive file transfer program
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 29
Kerberos n Application layer security n A network authentication protocol n Developed by the MIT Project Athena team n Uses symmetric key encryption for authenticating users
for network services n Uses a trusted Authentication Server and a Ticket-
Granting Server (TGS) to provide two types of tickets to a user ¨ Ticket-granting ticket ¨ Service-granting tickets ¨ Perform the ticket-granting ticket application once per user login ¨ Perform the service-granting ticket application once per service ¨ The user password is not transmitted, thus cannot sniffed by an
attacker
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 30
Kerberos ¨ When a user logs on to a computer
¨ A request for the ticket-granting ticket is sent to the Authentication Server
¨ The Authentication Server verifies the user ID and then returns a ticket-granting ticket which is encrypted using the user’s key
¨ Decrypt the returned ticket-granting ticket by using the user’s key ¨ The ticket is valid for a period of time and stored for future use ¨ The user’s key is computed from the user’s password, no need to
transmit the user’s password in the network ¨ When the user requests a network service,
¨ The ticket-granting ticket is used to request the corresponding service-granting ticket
¨ The TGS uses the received ticket-granting ticket to authenticate the request and returns the requested service-granting ticket to the user
¨ Then the user can request the network service using the service-granting ticket
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 31
Web Security
n HTTP requests and responses are sent as plaintext n Extra security for web service is needed in some
situations ¨ e.g., financial transactions
n Web security can be provided by ¨ Using the application layer security protocols ¨ Using the Secure Sockets Layer (SSL) in the transport layer ¨ Using IP security (IPsec) in the network Layer
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 32
Secure Sockets Layer (SSL) Protocol n Provides secure communications between a client and a server n Uses TCP’s reliable transport service for data communication n Independent of the higher layer application protocols n Application protocols (HTTP, Telnet, FTP, etc.) can use SSL for
secure communication n Consists of four protocols
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 33
SSL Record Message Format n The SSL record header consists of
¨ Content Type field, 8 bits ¨ Major Version field, 8 bits ¨ Minor Version field, 8 bits ¨ Compressed Length field, 16 bits
n The SSL record data section consists of ¨ Message Authentication Code (MAC) ¨ Actual data ¨ Possible padding bytes
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 34
Generating an SSL Record Message
n A higher layer message is first fragmented to fixed length blocks
n Each block may then be compressed n The MAC is computed using a hash function n Inputs of the hash function
¨ Possibly compressed data ¨ A secret key ¨ A 32-bit long sequence number
n The data and the MAC are encrypted and the SSL record header is appended
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 35
SSL Protocols n SSL can
¨ negotiate an encryption algorithm and session key ¨ authenticate for the secure connection
n SSL Handshake Protocol: for client and server to ¨ Authenticate each other ¨ Negotiate an encryption algorithm and a MAC algorithm ¨ Exchange the encryption keys
n SSL Change Cipher Spec Protocol ¨ updates the set of ciphers to be used on the connection
n SSL Alert Protocol ¨ delivers SSL-related alerts
to the peer entity n SSL Record Protocol
¨ all higher layer messages are encapsulated in SSL records
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 36
Secure Apache server n Uses SSL to provide a secure web service
¨ Certification of server and client ¨ Encryption of HTTP messages
n Uses TCP port 443 with URLs starting with https:// ¨ Unsecured Apache servers, TCP port 80, http://
n To set up a secure Apache server: ¨ mod_ssl Apache loadable module ¨ openssl utility ¨ Please refer to section 9.6.2 for detailed steps
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 37
Network Layer Security n Provide Security in the application layer
¨ Security protocols are tailored for a specific application ¨ e.g., SSH
n Provide security in the lower layers ¨ All higher layer applications enjoy the protection transparently ¨ e.g., SSL and IPsec
n IP security (IPsec) ¨ A set of protocols providing authentication and confidentiality
services in the network layer ¨ Protects all distributed applications ¨ Higher layer protocols can enjoy the protection provided by
IPsec transparently
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 38
A Typical IPsec Application n Two offices are connected by a secure channel provided by IPsec n Application data
¨ In each office network, transmitted as plaintext in regular IP datagrams ¨ Between the two office networks, encrypted and authenticated
n Perform security-related operations at the two IPsec-capable devices ¨ Authentication, encryption, and key management ¨ transparent to the users, no change for the hosts
n Also called Virtual Private Network (VPN) n Lower cost compared to using a leased line in traditional approaches
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 39
IPsec Protocols and Modes n Authentication protocol, using an Authentication Header
(AH) n Encryption/authentication protocol, called the
Encapsulating Security Payload (ESP) ¨ Encrypts the higher layer data ¨ Provides an optional authentication service
n Two modes of operation ¨ Transport mode
n provides protection for upper-layer protocols n Usually used for end-to-end communication between hosts
¨ Tunnel mode n protects the entire IP datagram n A tunnel is set up between the two IP sec gateways
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 40
IPsec Operations n Two protocols
¨ AH ¨ ESP
n Two modes ¨ Transport mode ¨ Tunnel mode
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 41
Firewall n A device or program inserted between a private network
and the Internet to control access n Can be used to
¨ block undesired traffic from the outside ¨ prevent an internal user from receiving an unauthorized external
network service n Usually is the only access point of a private network n Three type of firewalls
¨ Packet filter: blocks selected network packets ¨ Application gateway, or a proxy server: regulates outbound
traffic, as a relay for an application (e.g., web service) ¨ Circuit-level gateway: acts like a switch board, switching an
internal connection to another external connection
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 42
Iptables
n The default firewall in Linux for packet filtering n Components of a firewall policy (rule)
¨ A condition, e.g., destination port number of a packet ¨ The operation (called the target) on the packets that satisfy the
condition, e.g., drop
n Rules are organized into three tables in Linux ¨ Filter table: default table for filtering packets ¨ Nat table: alter packets that create a new connection ¨ Mangle table: for specific types of packet alteration
n Rules are organized into several chains in each table
Panwar, Mao, Ryoo, Li: TCP/IP Essentials 43
Iptables n Three chains of the filter table
¨ INPUT chain, rules applied to the packets destined to the host ¨ OUTPUT chain, rules applied to the packets generated by the
host ¨ FORWARD chain, rules applied to the packets routed by the
host n In iptables, a packet
¨ is first dispatched to the corresponding chain ¨ then is checked against each rule in that chain ¨ If there is a match, the target defined in the rule is performed on
the packet n Rules in the tables are configured by running iptables
command ¨ See section 9.8.2 for details