Chapter 7: Network Security
Transcript of Chapter 7: Network Security
Source: speed.cis.nctu.edu.tw/~ydlin/course/cn/mcn_slide/1-in-1/ch7.pdf
Modern Computer Networks: An Open Source Approach
Chapter 7: Network Security
Chapter 7: Network Security Modern Computer Networks 1
Content
- 7.1 Issues
- 7.2 Data Security
- 7.3 Firewall
- 7.4 Intrusion Detection System
- Pitfalls and misleading
- Further readings
- Exercises
7.2 Data Security
- Cryptography
- Digital Signature
- Application Layer Security
- Network Layer Security
Cryptography
- Secret Key Algorithm
- Public Key Algorithm
Secret Key Algorithm
- Symmetric key: the encryption key and the decryption key are the same shared secret, so both parties must keep it private
- Basic elements
  - P-box: transposition (permutation) cipher, which reorders the bits without changing them
  - S-box: substitution cipher, which replaces each small input value with another value
  - Product cipher: alternating layers of P-boxes and S-boxes, so that every output bit depends non-linearly on many input bits
- [Figure: an S-box built from a 3-to-8 decoder, an internal P-box and an 8-to-3 encoder; a product cipher chaining P-boxes P1 to P4 with S-box stages S1 to S12]
Data Encryption Standard (DES)
- Originally developed by IBM; adopted by the US government in Jan. 1977
- Encrypts data in blocks of 64 bits with a 56-bit key
- Can be viewed as a monoalphabetic substitution cipher over a 64-bit "character": under a given key the same input block always produces the same output block, which is why plain block-by-block (ECB) use leaks repeated blocks
- Algorithm
  - Transposition
  - 16 iterations, each using a round key derived from the 56-bit key
  - 32-bit swap
  - Inverse transposition
Encryption Procedure of DES
- Input T = t1 t2 ... t64 (64 bits)
- Initial transposition IP (64 bits)
- Split into halves L0 and R0 (32 bits each)
- 16 iterations, i = 1..16, each with a 48-bit round key Ki:
  Li = Ri-1
  Ri = Li-1 XOR f(Ri-1, Ki)
- Key selection derives the 16 round keys K1, ..., K16 from the 56-bit key
- Inverse transposition IP^-1 (64 bits)
- Output (64 bits)
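The product-cipher and DES slides above describe a structure rather than show one. The following is an added example written for this page, not code from the slides or the book: a deliberately miniature Feistel cipher (16-bit blocks, 4 rounds, a 4-bit S-box and an 8-bit P-box, all chosen here for illustration) whose round function is exactly the S-box/P-box layering of the product-cipher slide and whose round structure Li = Ri-1, Ri = Li-1 XOR f(Ri-1, Ki) is the DES diagram. It also shows the consequence of "same input produces same output": encrypting a repeated block in ECB mode yields a repeated ciphertext block, while chaining (CBC) does not.

```python
"""Toy Feistel cipher with an S-box/P-box round function, in the shape of the DES diagram.

Added example for this page, not code from the slides or the book. Everything here is a
deliberate miniature (16-bit blocks, 8-bit halves, 4 rounds) with no security value; it
exists to show the structure and why ECB leaks repeated blocks.
"""

# 4-bit S-box: the first row of DES S1, reused here as a plain substitution table (assumption).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
# 8-bit P-box: output bit i is taken from input bit PBOX[i] (our own permutation).
PBOX = [1, 5, 2, 0, 3, 7, 4, 6]
ROUNDS = 4


def substitute(x: int) -> int:
    """S-box layer: replace each 4-bit nibble of an 8-bit value."""
    return (SBOX[x >> 4] << 4) | SBOX[x & 0xF]


def permute(x: int) -> int:
    """P-box layer: reorder the 8 bits."""
    out = 0
    for i, src in enumerate(PBOX):
        out |= ((x >> src) & 1) << i
    return out


def round_function(r: int, k: int) -> int:
    """f(R, K) of the Feistel diagram: key mixing, then substitution, then permutation."""
    return permute(substitute(r ^ k))


def round_keys(key: int) -> list:
    """Toy key schedule: rotate the 16-bit key left by 3*i bits and keep the low 8 bits."""
    keys = []
    for i in range(ROUNDS):
        rot = ((key << (3 * i)) | (key >> (16 - 3 * i))) & 0xFFFF
        keys.append(rot & 0xFF)
    return keys


def feistel(block: int, keys: list) -> int:
    """L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i) for each round, then swap the halves back."""
    left, right = block >> 8, block & 0xFF
    for k in keys:
        left, right = right, left ^ round_function(right, k)
    return (right << 8) | left   # the final swap is what lets the same network decrypt


def encrypt_block(block: int, key: int) -> int:
    return feistel(block, round_keys(key))


def decrypt_block(block: int, key: int) -> int:
    # Decryption is the same circuit with the round keys applied in reverse order.
    return feistel(block, round_keys(key)[::-1])


def ecb_encrypt(data: bytes, key: int) -> bytes:
    """Electronic codebook: every 2-byte block is encrypted independently."""
    assert len(data) % 2 == 0
    out = bytearray()
    for i in range(0, len(data), 2):
        c = encrypt_block(int.from_bytes(data[i:i + 2], "big"), key)
        out += c.to_bytes(2, "big")
    return bytes(out)


def cbc_encrypt(data: bytes, key: int, iv: int) -> bytes:
    """Cipher block chaining: XOR the previous ciphertext block into the next plaintext block."""
    assert len(data) % 2 == 0
    out = bytearray()
    prev = iv
    for i in range(0, len(data), 2):
        prev = encrypt_block(int.from_bytes(data[i:i + 2], "big") ^ prev, key)
        out += prev.to_bytes(2, "big")
    return bytes(out)


def distinct_blocks(ct: bytes) -> int:
    """How many different 2-byte ciphertext blocks appear (a crude 'does ECB leak' check)."""
    return len({ct[i:i + 2] for i in range(0, len(ct), 2)})


if __name__ == "__main__":
    key = 0x3A5C
    plaintext = b"ABABABAB"   # constructed input: the same 2-byte block four times
    print("ECB distinct blocks:", distinct_blocks(ecb_encrypt(plaintext, key)))  # 1
    print("CBC distinct blocks:", distinct_blocks(cbc_encrypt(plaintext, key, 0x1234)))
```

Because each Feistel round only XORs the output of f into one half, f itself never has to be invertible; that is what lets DES (and this toy) decrypt with the same circuit and reversed round keys, and why the S-box can be any table.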
Breaking DES
- DES uses a 56-bit key in every variant; there is no 128-bit DES (the export rules of the time concerned weaker exported keys, not a stronger domestic DES)
- A 56-bit key can be found by exhaustive search
  - Within 4 hours by supercomputers (1994 estimate)
  - In about 22 hours by a network of volunteers combined with a special-purpose computer that was built for less than $250,000 (1999)
  - "Chinese Lottery": the thought experiment of spreading the key search over millions of cheap consumer devices
- Solution
  - Run DES a couple of times, using different keys? Triple DES algorithm (encrypt-decrypt-encrypt with two or three independent keys)
  - Today both DES and Triple DES are deprecated; AES (2001) is the replacement
Public Key Algorithm
- First proposed by W. Diffie and M. E. Hellman (1976)
- Asymmetric keys: encryption (public) key ≠ decryption (private) key
- The encryption algorithm E and the decryption algorithm D should meet the following requirements
  - D(E(P)) = P
  - It is exceedingly difficult to deduce D from E
  - E cannot be broken by a chosen plaintext attack (the attacker can encrypt any plaintext at will, since E is public)
RSA Algorithm
- Proposed by Rivest, Shamir, and Adleman at MIT in 1978
- Key generation
  - Choose two large primes, p and q (> 10^100)
  - Compute n = p*q and z = (p-1)*(q-1)
  - Choose a number relatively prime to z and call it d
  - Find e such that e*d = 1 mod z
- Plaintext P, 0 ≤ P < n (with n ~ 10^200 the block is about 664 bits, since 10^200 ≈ 2^664)
  - Encryption: C = P^e mod n, with encryption key (n, e)
  - Decryption: P = C^d mod n, with decryption key (n, d)
- Based on the difficulty of factoring large numbers: given only (n, e), finding d requires z, which requires the factors p and q of n
- This "textbook" RSA is deterministic and malleable; practical systems apply a randomized padding scheme (OAEP for encryption, PSS for signatures) before exponentiation
Why does RSA work?
Prove that D(E(P)) = (P^e mod n)^d mod n = P.

$$ (P^e \bmod n)^d \bmod n = P^{ed} \bmod n $$
$$ = P^{1 + k(p-1)(q-1)} \bmod n \qquad \text{since } ed \equiv 1 \pmod{z},\ z = (p-1)(q-1) $$
$$ = P \cdot \left(P^{(p-1)(q-1)}\right)^{k} \bmod n $$
$$ = P \cdot 1 \bmod n = P \qquad \text{since } P^{(p-1)(q-1)} \equiv 1 \pmod{n} $$

The last step is Euler's theorem, P^φ(n) ≡ 1 (mod n) with φ(n) = (p-1)(q-1), which holds for every P relatively prime to n; for the rare P sharing a factor with n the identity P^{ed} ≡ P (mod n) still holds, as one sees by checking it modulo p and modulo q separately.
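The RSA recipe and the proof above, carried out in code. This is an added example written for this page, not code from the slides or the book. The primes p = 61, q = 53 and the choice d = 2753 are textbook-sized assumptions so the numbers stay readable; real keys use primes of hundreds of digits, as the slide says. The block follows the slide's order (choose d, then derive e), adds signing and verification since the later Digital Signature slides rest on the same exponentiation, and checks the Euler identity the proof depends on.

```python
"""RSA key generation, encryption, decryption and signing with the slide's small-number recipe.

Added example for this page, not code from the slides or the book. p = 61, q = 53 and
d = 2753 are assumptions for illustration only; they give n = 3233, z = 3120, e = 17.
"""
from math import gcd


def keygen(p: int, q: int, d: int) -> tuple:
    """n = p*q, z = (p-1)*(q-1), d coprime to z, e with e*d = 1 mod z.

    Returns ((n, e), (n, d)): the public encryption key and the private decryption key.
    """
    n = p * q
    z = (p - 1) * (q - 1)
    if gcd(d, z) != 1:
        raise ValueError("d must be relatively prime to z")
    e = pow(d, -1, z)          # modular inverse, so e*d ≡ 1 (mod z)   (Python 3.8+)
    assert (e * d) % z == 1
    return (n, e), (n, d)


def encrypt(P: int, pub: tuple) -> int:
    """C = P^e mod n; the plaintext block must satisfy 0 <= P < n."""
    n, e = pub
    if not 0 <= P < n:
        raise ValueError("plaintext block must be smaller than n")
    return pow(P, e, n)


def decrypt(C: int, priv: tuple) -> int:
    """P = C^d mod n."""
    n, d = priv
    return pow(C, d, n)


def sign(digest: int, priv: tuple) -> int:
    """Signature = digest^d mod n: only the private-key holder can produce it."""
    n, d = priv
    return pow(digest, d, n)


def verify(digest: int, sig: int, pub: tuple) -> bool:
    """Anyone can check sig^e mod n == digest with the public key."""
    n, e = pub
    return pow(sig, e, n) == digest


def euler_check(P: int, p: int, q: int) -> bool:
    """The fact the proof rests on: P^((p-1)(q-1)) ≡ 1 (mod n) whenever gcd(P, n) = 1."""
    n = p * q
    return gcd(P, n) != 1 or pow(P, (p - 1) * (q - 1), n) == 1


def encrypt_bytes_naive(msg: bytes, pub: tuple) -> list:
    """Textbook RSA applied byte by byte: equal bytes give equal ciphertexts, which is
    the determinism that OAEP-style padding exists to remove."""
    return [encrypt(b, pub) for b in msg]


if __name__ == "__main__":
    pub, priv = keygen(61, 53, 2753)
    C = encrypt(65, pub)
    print("n, e, d =", pub[0], pub[1], priv[1])          # 3233 17 2753
    print("encrypt(65) =", C, "decrypt =", decrypt(C, priv))
    s = sign(123, priv)
    print("signature valid:", verify(123, s, pub), "forged digest:", verify(124, s, pub))
    print("byte-wise encryption of b'AAAB':", encrypt_bytes_naive(b"AAAB", pub))
```

Note that the same exponentiation serves both directions: encrypting with (n, e) and decrypting with (n, d) gives confidentiality, while "decrypting" a digest with (n, d) and "encrypting" the result with (n, e) gives the signature scheme used in the following slides.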
Authentication
- Digital Signature
- Message Digest
Authentication (cont.)
- What's authentication? Binding a message or a session to a unique digital identity
- Applications
  - E-transactions via networks
  - E-elections via networks
  - Privacy Enhanced Mail (PEM)
Digital Signature
- 3 requirements
  - Authentication: the receiver can verify the claimed identity of the sender
  - Non-repudiation: the sender cannot later repudiate the contents of the message
  - Integrity: the receiver cannot possibly have concocted the message itself
Authentication without Encryption
- Authentication only, without message encryption, e.g., a message broadcast from an authorized source
- Solution: Message Digest (MD)
  - Use a secure (one-way) hash function H to compute a fixed-size tag H(M||S_AB), called a message digest, for the message M concatenated with a shared secret value S_AB
  - This is a secret-key "digital signature": only a holder of S_AB can produce or check the tag, so it authenticates the message between the two parties, but it cannot give non-repudiation, since either party could have produced it
  - The standard construction for such a keyed digest is HMAC (RFC 2104), which avoids the weaknesses of simple concatenation
MD5 message-digest algorithm
- Specified in RFC 1321, developed by Ron Rivest in 1992
- Pads an arbitrary-length message to a multiple of 512 bits, then produces a 128-bit message digest
- Every bit of the hash code is a function of every bit in the input
- Rivest's conjecture
  - The difficulty of coming up with two messages having the same message digest is on the order of 2^64 operations
  - The difficulty of finding a message with a given digest is on the order of 2^128 operations
- The collision conjecture no longer holds: practical MD5 collisions have been public since 2004, so MD5 must not be used where collision resistance matters (signatures, certificates); SHA-256 or SHA-3 are the current choices
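The keyed-digest construction of the "Authentication without Encryption" slide, H(M||S_AB), next to the HMAC form a practitioner would use today. This is an added example written for this page, not code from the slides; the shared secret, the broadcast message and the tampering are constructed here for illustration, and MD5 is used only because it is the hash the slides discuss. The point it demonstrates is the one the slide makes: a receiver that holds S_AB detects any change to M, and an attacker without S_AB cannot produce a tag that verifies, even though nothing is encrypted.

```python
"""Message digest with a shared secret, H(M || S_AB), beside HMAC.

Added example for this page, not code from the slides. The secret, the message and the
tampering are constructed here. MD5 appears only because the slides discuss it; the HMAC
variant uses SHA-256, the current recommendation.
"""
import hashlib
import hmac

SECRET_AB = b"shared-secret-between-A-and-B"   # assumed shared secret S_AB


def digest_tag(message: bytes, secret: bytes = SECRET_AB) -> bytes:
    """The slide's construction: tag = H(M || S_AB) with H = MD5."""
    return hashlib.md5(message + secret).digest()


def hmac_tag(message: bytes, secret: bytes = SECRET_AB) -> bytes:
    """The standard keyed-digest construction (RFC 2104) with SHA-256."""
    return hmac.new(secret, message, hashlib.sha256).digest()


def verify_tag(message: bytes, tag: bytes, tag_fn=digest_tag, secret: bytes = SECRET_AB) -> bool:
    """Recompute and compare in constant time; a plain == would leak timing to an attacker."""
    return hmac.compare_digest(tag_fn(message, secret), tag)


def tamper_demo(tag_fn=digest_tag, plain_hash=hashlib.md5) -> dict:
    """An attacker without S_AB alters the message; the best it can do is an unkeyed hash."""
    message = b"TRANSFER 100 TO ACCOUNT 42"      # constructed broadcast message
    tag = tag_fn(message)
    altered = message.replace(b"100", b"900")
    forged = plain_hash(altered).digest()        # computable without S_AB
    return {
        "genuine_accepted": verify_tag(message, tag, tag_fn),
        "altered_with_old_tag": verify_tag(altered, tag, tag_fn),
        "altered_with_unkeyed_hash": verify_tag(altered, forged, tag_fn),
    }


def compare_constructions() -> dict:
    """Run the same scenario against H(M||S_AB) and against HMAC-SHA-256."""
    return {
        "H(M||S)": tamper_demo(digest_tag, hashlib.md5),
        "HMAC": tamper_demo(hmac_tag, hashlib.sha256),
    }


if __name__ == "__main__":
    for name, result in compare_constructions().items():
        print(name, result)
```

Both constructions reject the altered message here; the difference is what happens when the hash is weak. H(M||S_AB) inherits every collision weakness of H (two messages with the same internal MD5 state get the same tag for any secret), whereas HMAC's security proof does not rest on collision resistance, which is why RFC 2104-style HMAC replaced ad hoc concatenation in IPsec and TLS.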
Application Layer Security
- Secure Socket Layer (SSL)
- Secure Electronic Transaction (SET)
Secure Socket Layer (SSL)
- Why SSL? Provide an encryption layer between the Application and TCP layers
- [Figure: protocol stack with SSL inserted between the application layer and TCP: Application / SSL / TCP / IP]
What's SSL?
- RFC 2246: Transport Layer Security (TLS) protocol, the IETF standardization of SSL
- Original development by Netscape in 1994
- Encrypts data with various algorithms: DES, Triple DES, RSA, digital signature
- SSL contents
  - SSL server authentication
  - SSL client authentication
  - Encrypted SSL session
- SSL 2.0/3.0 and TLS 1.0 (RFC 2246)/1.1 are all deprecated today; current deployments use TLS 1.2 or TLS 1.3 (RFC 8446)
SSL Handshake
- Client → Server: SSL ClientHello
- Server → Client: SSL ServerHello, Server Certificate, Request Client Certificate
- Client → Server: Client Certificate, ClientKeyExchange (RSA), CertificateVerify (digital signature), ChangeCipherSpec, Finished
- Server → Client: ChangeCipherSpec, Finished
- Then the encrypted data stream (DES)
Secure Electronic Transaction (SET)
- Why SET? SSL only secures the communication data between client and server
- Problems with SSL alone
  - Server: can misuse the client's credit card number, which it receives in the clear once decrypted
  - Client: can send an unauthorized (e.g. stolen) credit card number
- SET is a security mechanism for e-transactions via networks
- The same procedure as a traditional transaction, but over the network
What's SET?
- Developed by VISA, MasterCard, IBM, Microsoft, and HP in 1996
- Members
  - Cardholder
  - Merchant
  - Issuer (credit card bank)
  - Acquirer (bank)
  - Certificate Authority (CA)
- Two types of payment
  - E-wallet
  - Credit card
SET Mechanism
- Confidentiality: data encrypted with DES and RSA
- Authentication: digital signature with RSA for cardholder, merchant, and bank
- Integrity: digital envelope to exchange the DES key, i.e. the DES session key encrypted with the receiver's RSA public key, with the data itself covered by signed digests
- Non-repudiation: digital signature with RSA
SET Operation
[Figure: SET operation in twelve numbered steps among the Cardholder (e-wallet), the Merchant server, the Certificate Authority (CA), the Payment gateway, the Acquirer (bank) and the Issuer/credit card bank, connected over the Internet]
Network Layer Security
- IP Security (IPsec)
- Virtual Private Network (VPN)
IPsec
- Why IPsec? Provide interoperable, high-quality, cryptographically based security for IPv4 and IPv6 communication
- Security services
  - Access control
  - Integrity
  - Authentication
  - Confidentiality
  - Rejection of replayed packets (anti-replay, via the sequence number in AH and ESP)
Components for IPsec
- Traffic security
  - Authentication Header (AH): integrity, authentication
  - Encapsulating Security Payload (ESP): confidentiality (later ESP revisions also carry an optional integrity check, which is why ESP alone is the common deployment today)
- Key management and distribution
  - Simple Key-management for IP (SKIP)
  - Internet Key Exchange (IKE)
Key Concept: Security Association
- One-way relationship between a sender and a receiver
- For a two-way secure exchange, two security associations are required
- Uniquely identified by the destination IP address and an SPI (together with the protocol, AH or ESP)
  - SPI: security parameter index, carried in every AH/ESP header so the receiver can look up the SA
- Parameters
  - Authentication algorithm, mode, key(s)
  - Encryption algorithm, mode, transform, key(s)
  - Lifetime of the keys and of the security association
  - Security level, source IP, ...
Authentication
- RFC 1828 specifies the use of keyed MD5 for authentication
- The MD5 algorithm is performed over the IP packet plus a secret key, and the result is inserted into the IP packet (in the Authentication Data field of the AH; fields that change in transit, such as TTL and header checksum, are zeroed for the computation)
- At the destination, the same calculation is performed on the IP packet plus the secret key and compared to the received value
- Provides both authentication and data integrity
- Keyed MD5 as in RFC 1828 is obsolete; current AH and ESP integrity algorithms are HMAC-based (HMAC-SHA1, HMAC-SHA-256)
Authentication (cont.)
- Two ways in which the IP authentication service can be used
  - End-to-end: the AH is verified by the final destination host
  - End-to-intermediate: the AH is verified by a router/firewall in front of the intranet
- [Figure: end-to-end authentication between two hosts across the Internet, and end-to-intermediate authentication between a host and the router/firewall at the intranet border]
Authentication (cont.)
AH header layout (bit offsets 0, 8, 16, 31):

| Next Header | Length | Reserved |
| Security Parameter Index (SPI) |
| Sequence Number Field |
| Authentication Data (variable) |

- The older layout (RFC 1826) has no Sequence Number Field; the revised AH (RFC 2402) adds it for anti-replay protection
- Length: length of the Authentication Data field in 32-bit words (in RFC 2402 the field is called Payload Len and counts the whole AH in 32-bit words, minus 2)
- Security Parameters Index: identifies a security association
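The AH layout above, the keyed-MD5 computation of RFC 1828 and the Security Association slide come together in the following added example, which is written for this page and is not code from the slides or from any IPsec implementation. It builds a transport-mode AH packet (IPv4 header | AH | payload), computes the ICV over the packet with mutable fields and the ICV field zeroed, looks the SA up by SPI on receipt, and enforces an anti-replay window on the sequence number. The packet, key, SPI and addresses are constructed for illustration; the keyed MD5 is the simplified MD5(key || data || key) form (RFC 1828 additionally pads the leading key to a 512-bit boundary), and modern AH uses HMAC instead.

```python
"""Build and verify an IPsec Authentication Header (AH) with a keyed-MD5 ICV and an anti-replay window.

Added example for this page, not code from the slides or any IPsec implementation. Packet,
key, SPI and addresses are constructed. The keyed MD5 is the simplified MD5(key||data||key)
form, not the exact RFC 1828 key fill. IPv4 transport mode only.
"""
import hashlib
import hmac
import struct

IPV4_HDR_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
AH_FIXED_FMT = "!BBHII"          # Next Header, Payload Len, Reserved, SPI, Sequence Number
ICV_LEN = 16                     # MD5 digest length
PROTO_AH = 51


def ipv4_header(src: bytes, dst: bytes, total_len: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header; the checksum stays zero since this never goes on the wire."""
    return struct.pack(IPV4_HDR_FMT, 0x45, 0, total_len, 0x1234, 0, ttl, PROTO_AH, 0, src, dst)


def zero_mutable(ip_hdr: bytes) -> bytes:
    """Fields that routers change in transit are zeroed before the ICV is computed."""
    h = bytearray(ip_hdr)
    h[1] = 0                   # TOS / DSCP
    h[6:8] = b"\x00\x00"       # flags and fragment offset
    h[8] = 0                   # TTL
    h[10:12] = b"\x00\x00"     # header checksum
    return bytes(h)


def keyed_md5(key: bytes, data: bytes) -> bytes:
    return hashlib.md5(key + data + key).digest()


class ReplayWindow:
    """Sliding bitmap over sequence numbers; bit 0 marks the highest sequence number seen."""

    def __init__(self, size: int = 64):
        self.size, self.highest, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False
        if seq > self.highest:                      # advance the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                            # too old, or already seen: replay
        self.bitmap |= 1 << diff
        return True


class SecurityAssociation:
    """The SA parameters an AH receiver needs, looked up by SPI."""

    def __init__(self, spi: int, key: bytes):
        self.spi, self.key, self.window = spi, key, ReplayWindow()


def build_ah_packet(ip_hdr: bytes, payload: bytes, sa: SecurityAssociation, seq: int,
                    next_header: int = 6) -> bytes:
    """IP header | AH | payload; the ICV covers the packet with mutable fields and the ICV zeroed."""
    payload_len = (12 + ICV_LEN) // 4 - 2           # AH length in 32-bit words, minus 2
    ah_fixed = struct.pack(AH_FIXED_FMT, next_header, payload_len, 0, sa.spi, seq)
    icv = keyed_md5(sa.key, zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload)
    return ip_hdr + ah_fixed + icv + payload


def verify_ah(packet: bytes, sa_db: dict) -> tuple:
    """Returns (verdict, payload); verdict is 'ok', 'unknown SPI', 'bad ICV' or 'replay'."""
    ip_hdr, rest = packet[:20], packet[20:]
    _next_header, payload_len, _, spi, seq = struct.unpack(AH_FIXED_FMT, rest[:12])
    sa = sa_db.get(spi)
    if sa is None:
        return "unknown SPI", None
    icv_len = (payload_len + 2) * 4 - 12
    icv, payload = rest[12:12 + icv_len], rest[12 + icv_len:]
    expected = keyed_md5(sa.key, zero_mutable(ip_hdr) + rest[:12] + bytes(icv_len) + payload)
    if not hmac.compare_digest(icv, expected):
        return "bad ICV", None      # checked before the window, so forgeries cannot poison it
    if not sa.window.accept(seq):
        return "replay", None
    return "ok", payload


def demo() -> list:
    """Constructed scenario: good packet, its replay, a tampered packet, a packet whose TTL changed."""
    sa = SecurityAssociation(spi=0x1000, key=b"constructed-ah-key")
    sa_db = {sa.spi: sa}
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    payload = b"GET / HTTP/1.0\r\n\r\n"
    hdr = ipv4_header(src, dst, 20 + 12 + ICV_LEN + len(payload))
    pkt1 = build_ah_packet(hdr, payload, sa, seq=1)
    pkt2 = build_ah_packet(hdr, payload, sa, seq=2)
    tampered = pkt2[:-1] + bytes([pkt2[-1] ^ 0x01])     # flip one payload bit
    aged = bytearray(build_ah_packet(hdr, payload, sa, seq=3))
    aged[8] -= 1                                         # a router decremented the TTL
    return [verify_ah(p, sa_db)[0] for p in (pkt1, pkt1, tampered, bytes(aged))]


if __name__ == "__main__":
    print(demo())   # ['ok', 'replay', 'bad ICV', 'ok']
```

Two details are worth noticing. The ICV is verified before the replay window is updated, so an attacker who cannot forge the ICV cannot advance or fill the window with junk sequence numbers. And because the mutable IPv4 fields are zeroed on both sides, the TTL decrement a router applies in transit does not break the check, while any change to the immutable fields or the payload does.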
Encapsulating Security Payload
- Provides support for privacy and data integrity for IP packets
- Two modes
  - Transport-mode ESP encrypts a transport-layer segment
  - Tunnel-mode ESP encrypts an entire IP packet
- ESP header
  - SPI
  - Parameters dependent on the encryption algorithm (e.g. an IV), followed by the encrypted payload and an ESP trailer carrying padding and the Next Header field
Transport-Mode ESP
- Encrypts the data carried by IP
- The ESP header is inserted into the IP packet immediately before the transport-layer header (after the Destination Options header, if one is present)
- Susceptible to traffic analysis of the transmitted packets, since the IP header and therefore the endpoints stay visible
- End-to-end transport
- Packet layout: IP Header | Ext. Header | ESP Header | Transport-layer segment, where the IP and extension headers are unencrypted and the transport-layer segment is encrypted
Tunnel-Mode ESP
- Encrypts an entire IP packet
- Counters the traffic analysis problem, since the inner addresses are hidden
  - Source sends the encrypted IP packet to its firewall
  - Firewall sends it to the destination firewall
  - Destination firewall decrypts and forwards the inner packet to the destination
- Packet layout: IP Header | Ext. Header | ESP Header | inner IP header + Transport-layer segment, where the outer IP and extension headers are unencrypted and the inner packet is encrypted
Authentication Plus Privacy
- Encryption before authentication
  - Transport-mode ESP: authentication applies to the entire IP packet delivered to the ultimate destination
  - Tunnel-mode ESP: authentication applies to the entire IP packet delivered to the firewall
- Packet layout: IP Header | Auth. Header | ESP Header | Transport-layer segment | E-T, with the scope of authentication covering everything from the Auth. Header to the E-T
- E-T: Encapsulating Security Payload trailing fields
Authentication Plus Privacy (cont.)
- Authentication before encryption
  - Only appropriate for tunnel-mode ESP
  - The slide argues that authentication before encryption is better: the AH is protected by ESP, and it is more convenient to authenticate the unencrypted data and then protect it with encryption
- Packet layout: outer IP-H | ESP-H | A-H | inner IP-H | Transport-layer segment | E-T, with the scope of authentication covering A-H through the transport-layer segment, and everything from A-H to E-T encrypted
- Caveat: current cryptographic practice favours the opposite order (encrypt, then authenticate the ciphertext), which is what ESP's own integrity check does; it lets a receiver drop forged packets before decrypting and avoids the padding-oracle class of attacks found in MAC-then-encrypt protocols such as early TLS
Key management
- SKIP
  - Proposed by Sun Microsystems
  - Applies the Diffie-Hellman key exchange algorithm to derive a shared secret key
  - For security, each party's Diffie-Hellman public value is authenticated by a Certificate Authority (CA); otherwise an active attacker can substitute its own values (man-in-the-middle)
  - Needs Public Key Infrastructure (PKI) support
Key management (cont.)
- ISAKMP/Oakley (IKE)
  - Oakley defines the key exchange itself (authenticated Diffie-Hellman with a choice of groups)
  - ISAKMP defines the framework and message formats for negotiating and distributing SAs and keys
- Two phases
  - Phase 1: ISAKMP SA establishment
    - The two ISAKMP peers establish a secure, authenticated channel with which to communicate
    - Unlike an IPsec SA, the ISAKMP SA is bi-directional
  - Phase 2: use the ISAKMP SA to construct AH or ESP SAs
- IKEv1 (RFC 2409) has been superseded by IKEv2 (RFC 7296), which keeps the two-phase idea (IKE_SA_INIT/IKE_AUTH, then CREATE_CHILD_SA)
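Both SKIP and IKE phase 1 rest on Diffie-Hellman, and both slides insist that the exchanged public values be authenticated. The following added example, written for this page and not taken from the slides or from any SKIP/IKE implementation, shows why: an honest exchange, the same exchange with an active attacker substituting her own public value, and the exchange protected the way IKE's pre-shared-key mode does it, by a MAC over the public values that the attacker cannot produce. The group is a toy (the Mersenne prime 2^127 - 1 with generator 3) and the private exponents are fixed constants so the run is reproducible; real IKE uses standardized groups of at least 2048 bits and fresh random exponents.

```python
"""Diffie-Hellman as used by SKIP and IKE phase 1, and why the public values must be authenticated.

Added example for this page, not code from the slides or any SKIP/IKE implementation.
Toy group (assumption): p = 2^127 - 1, g = 3. Exponents are fixed so the run is reproducible.
"""
import hashlib
import hmac

P = (1 << 127) - 1     # toy prime modulus, far too small for real use
G = 3


def public_value(private: int) -> int:
    """g^x mod p: safe to send in the clear."""
    return pow(G, private, P)


def shared_secret(their_public: int, my_private: int) -> int:
    """(g^y)^x mod p == (g^x)^y mod p: both sides reach the same number."""
    return pow(their_public, my_private, P)


def derive_key(secret: int) -> bytes:
    """Hash the shared secret into a fixed-size SA key (the slides' encryption/authentication key)."""
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def honest_exchange(a_priv: int, b_priv: int) -> tuple:
    """A and B exchange g^a and g^b directly; returns the key each side derives."""
    a_pub, b_pub = public_value(a_priv), public_value(b_priv)
    return derive_key(shared_secret(b_pub, a_priv)), derive_key(shared_secret(a_pub, b_priv))


def mitm_exchange(a_priv: int, b_priv: int, m_priv: int) -> dict:
    """Mallory replaces each public value with g^m: A and B each share a key with Mallory."""
    a_pub, b_pub, m_pub = public_value(a_priv), public_value(b_priv), public_value(m_priv)
    key_a = derive_key(shared_secret(m_pub, a_priv))          # A believes m_pub came from B
    key_b = derive_key(shared_secret(m_pub, b_priv))          # B believes m_pub came from A
    mallory_with_a = derive_key(shared_secret(a_pub, m_priv))
    mallory_with_b = derive_key(shared_secret(b_pub, m_priv))
    return {
        "a_and_b_agree": key_a == key_b,
        "mallory_reads_a": key_a == mallory_with_a,
        "mallory_reads_b": key_b == mallory_with_b,
    }


def auth_tag(psk: bytes, own_pub: int, received_pub: int) -> bytes:
    """IKE-style pre-shared-key authentication: a MAC over the public values each side saw."""
    data = own_pub.to_bytes(16, "big") + received_pub.to_bytes(16, "big")
    return hmac.new(psk, data, hashlib.sha256).digest()


def psk_authenticated(a_priv: int, b_priv: int, psk: bytes, mallory_priv: int = None) -> bool:
    """Does B accept A's authentication tag? Mallory cannot re-sign the substituted values."""
    a_pub, b_pub = public_value(a_priv), public_value(b_priv)
    if mallory_priv is None:
        a_sees, b_sees = b_pub, a_pub
    else:
        m_pub = public_value(mallory_priv)
        a_sees, b_sees = m_pub, m_pub                     # substituted in both directions
    tag_from_a = auth_tag(psk, a_pub, a_sees)             # forwarded unchanged by Mallory
    return hmac.compare_digest(tag_from_a, auth_tag(psk, b_sees, b_pub))


if __name__ == "__main__":
    ka, kb = honest_exchange(123456789, 987654321)
    print("honest exchange agrees:", ka == kb)
    print("unauthenticated, with MITM:", mitm_exchange(123456789, 987654321, 5555))
    print("PSK-authenticated, honest:", psk_authenticated(123456789, 987654321, b"psk"))
    print("PSK-authenticated, MITM :", psk_authenticated(123456789, 987654321, b"psk", 5555))
```

The MAC binds each side's own public value to the one it actually received, so a substituted value fails verification even though the attacker can forward the tag itself. SKIP achieves the same binding with CA-signed public values instead of a pre-shared key; the common lesson is that Diffie-Hellman alone yields a secret shared with whoever answered, not necessarily with the intended peer.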
Virtual Private Network (VPN)
- Why VPN? Private data networks for enterprises were built on leased lines
  - X.25, Frame Relay, and ATM
  - Custom-made service
- Disadvantages of leased lines
  - Complex configuration
  - High cost of network access equipment
VPN
- What is a VPN? Private network communication built on a public network
- How to implement a VPN
  - Tunneling
  - Encryption and decryption
  - Key management
  - Authentication
Tunneling
- Layer 2 tunneling
  - Extends the PPP model by allowing the L2 and PPP endpoints to reside on different devices
  - Saves the long-distance toll charge: uses the Internet to transmit PPP frames
  - Supports multiple protocols (IP, IPX, NetBEUI, AppleTalk) by taking advantage of PPP
  - PPTP
  - L2TP
- Layer 3 tunneling
  - IPsec
PPTP
- Microsoft-proposed protocol
- PPP frames are encapsulated in IP packets (using GRE)
- Tunnel modes
  - Client-initiated: the client creates the PPTP connection to the remote PPTP server directly
  - ISP-initiated: the client creates a PPP session with the ISP's access server, and the access server builds the tunnel to the remote PPTP server
- Multiplexing: Call ID
- PPTP's authentication (MS-CHAP) and encryption (MPPE) have been broken for years; it should not be used for new deployments
L2TP
- Combines Cisco's proposed L2F and PPTP
- Message types
  - Control messages: establishment, maintenance and clearing of tunnels and calls; transmitted on a reliable control channel
  - Data messages: encapsulate the PPP frames being carried over the tunnel; transmitted on an unreliable data channel
- Multiplexing: Call ID
- L2TP itself provides no encryption; in practice it is run over IPsec (L2TP/IPsec)
Other issues
- Encryption and decryption: previously described
- Key management: described in the IPsec section
- Authentication
  - User authentication: password, ID card; PAP, CHAP in PPP
  - Equipment authentication: X.509 certificate
VPN types
- Virtual Leased Line (VLL): simplest type of VPN
- Virtual Private Routed Network (VPRN): works at the network layer
- Virtual Private Dial Network (VPDN)
- Virtual Private LAN Segment (VPLS): works at the link layer
Virtual Leased Line (VLL)
- Two CPE devices are connected by a point-to-point link
- Each CPE connects to an ISP node via a link-layer connection; IP tunnels are set up between the ISP nodes
- Link-layer types
  - ATM VCC
  - Frame Relay circuit
- To the customer, it looks as if a single ATM VCC or Frame Relay circuit were used to interconnect the CPE devices
VLL example
[Figure: CPE 10.2.3.5 and CPE 10.2.3.6 (subnet 10.2.3.4/30) are each attached by a Frame Relay circuit to an ISP edge node; an IP tunnel across the ISP's IP backbone joins the two edge nodes]
![Page 48: Ch t 7 N t k S itChapter 7: Network Securityspeed.cis.nctu.edu.tw/~ydlin/course/cn/mcn_slide/1-in-1/ch7.pdf · Chapter 7: Network Security Modern Computer Networks 5. Data Encrypyp](https://reader033.fdocuments.us/reader033/viewer/2022042201/5ea161a5db0737245e228ac4/html5/thumbnails/48.jpg)
Virtual Private Routed Network (VPRN)
Packet forwarding is carried out at the network layer
A VPRN consists of a mesh of IP tunnels between ISP routers
Routing capabilities needed to forward site
A VPRN-specific forwarding table is located at each ISP router
Benefit: minimum complexity and configuration of CPE routers; the heavy work is done by the ISP edge router
Disadvantage: poor scalability; a full mesh topology is not appropriate in the case of a large number of ISP routers
VPRN example (figure): three ISP edge routers in the IP backbone are connected by a mesh of IP tunnels (tunnel subnets 10.11.11.1/30, 10.11.11.4/30, 10.11.11.7/30); each edge router attaches CPE routers over stub links (10.5.5.0/30, 10.6.6.0/30, 10.7.7.0/30, 10.8.8.0/30); a backdoor link connects two customer sites directly
Virtual Private Routed Network (VPRN)
A backup link is used in the case of failure of the primary link
A backdoor link refers to a link between two customer sites that does not traverse the ISP network
Virtual Private Dial Network (VPDN)
A remote user connects through an ad hoc tunnel into another site
The user is connected to a public IP network via a dial-up PSTN or ISDN link
L2TP allows for the extension of a user's PPP session from an L2TP Access Concentrator (LAC) to a remote L2TP Network Server (LNS)
Tunneling mechanisms
Compulsory tunneling: the LAC extends a PPP session across a backbone using L2TP to a remote LNS; the dial and network access server acts as the LAC
Voluntary tunneling: an individual host connects to a remote site using a tunnel originating on the host, with no involvement from intermediate network nodes
Compulsory tunneling example (figure): HOST 10.2.3.5 -- dial connection -- NAS (LAC) == L2TP tunnel across the IP backbone == GW (LNS) 10.2.3.6 -- Corp. Network; the PPP session runs from the host through the LAC to the LNS
Voluntary tunneling example (figure): HOST (LAC) 10.2.3.5 -- dial connection -- NAS -- IP backbone -- GW (LNS) 10.2.3.6 -- Corp. Network; the L2TP tunnel carrying the PPP session, or alternatively an IPSec tunnel, originates on the host itself
Virtual Private LAN Segment (VPLS)
Emulation of a LAN segment using Internet facilities
Difference from VPRN: each VPLS edge node implements link layer bridging rather than network layer forwarding
VPLS example (figure): three ISP edge nodes in the IP backbone are connected by IP tunnels; each attaches a CPE over a stub link, and the three CPEs (10.5.5.1/24, 10.5.5.2/24, 10.5.5.3/24) share one emulated LAN segment
Open Source Implementation: FreeS/WAN
Main components
KLIPS (KerneL IP Security): kernel IPsec; works as a module in the Linux kernel and implements AH, ESP, and packet handling within the kernel
Pluto: IKE daemon; implements IKE, negotiating connections with other systems
Administrator interface
Main flowchart of FreeS/WAN (figure): START -> init_module() -> ipsec_init(); on unload, cleanup_module()
Flowchart of ipsec_init(), Part I (figure):
ipsec_tdbinit() -> ipsec_radijinit() -> pfkey_init() -> register_netdevice_notifier()
-> ESP enabled? YES: inet_add_protocol(&esp_protocol)
-> AH enabled? YES: inet_add_protocol(&ah_protocol)
-> IPCOMP enabled? YES: inet_add_protocol(&comp_protocol)
Flowchart of ipsec_init(), Part II (figure):
-> ipsec_tunnel_init_device()
-> SYSCTL enabled? YES: ipsec_sysctl_register()
-> RETURN
Function description
ipsec_tdbinit(): initializes the tunnel description block; the TDB is used to record information about a communication: source IP, destination IP, error message, current status, ...
ipsec_radijinit(): initializes a radix tree structure for the routing table of IPsec
pfkey_init(): key distribution and management for two communication endpoints
Function description
register_netdevice_notifier(): registers ipsec as a virtual network interface; it should be mapped to a physical interface
inet_add_protocol(): registers a protocol to inetd, depending on the command given by the administrator
ipsec_rcv(): protocol handler
ipsec_tunnel_init_device(): used to define the operations of ipsec devices
ipsec_sysctl_register(): used if the sysctl command is received
Flowchart of Pluto (figure): START -> initialization -> wait for event -> timer event? YES: invoke timer handler; NO: invoke packet handler -> back to wait for event
7.3 Firewall
Introduction
Network layer: packet filter
Application layer: TIS (Trusted Information System)
Introduction of Firewall
A system or group of systems that enforces an access control policy between two networks
Redirects requests to the actual server
Hides intranet servers from the Internet
Access logs, invasion detection and alarms
What can a firewall protect against?
Protects against unauthenticated interactive logins from the "outside" world
Records and monitors the status of the protected network: suspicious data access, abnormal instructions to the protected network
Intrusion detection against network-borne attacks
Firewall categories
Network layer firewall
Application layer firewall
Network layer firewall
Works on the network layer of the OSI model
Packet filter: based on the header of the IP packet and rules defined by the administrator
Fields checked: protocol ID, source IP address, destination IP address, source TCP/UDP port, destination TCP/UDP port
Screened host firewall (figure): Internet -- IP filtering router -- private network containing the bastion host; the router allows traffic to the bastion host and disallows traffic directly to the private network
Screened host firewall
Bastion host: an exposed gateway machine; a highly-defended and secured strong point that can resist attack
Router operation: traffic from the Internet to the bastion host is permitted; all traffic from inside to the Internet is rejected unless it comes from the bastion host
Advantage: simple router filtering rules
Disadvantage: packets can go inside directly
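An added example, not from the slides or from any firewall product: a first-match packet filter in C over the five header fields listed for the network layer firewall, loaded with the screened host router policy stated above. The private network 192.168.1.0/24, the bastion host 192.168.1.10, the Internet address 203.0.113.5 and the packets tried are constructed assumptions. The optional trailing permit-all rule reproduces the disadvantage named on the slide, packets reaching inside hosts directly.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum proto { ANY_PROTO = 0, PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17 };
enum action { DENY = 0, PERMIT = 1 };

struct prefix { uint32_t addr, mask; };      /* mask 0 matches every address */

struct rule {
    enum proto proto;                         /* ANY_PROTO matches every protocol */
    struct prefix src, dst;
    uint16_t sport, dport;                    /* 0 matches every port */
    enum action action;
};

/* The five header fields a packet filter checks, as one packet record. */
struct packet {
    enum proto proto;
    uint32_t src, dst;
    uint16_t sport, dport;
};

uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

static struct prefix net(uint32_t addr, int bits) {
    struct prefix p;
    p.mask = bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
    p.addr = addr & p.mask;
    return p;
}

static int in_prefix(struct prefix p, uint32_t a) { return (a & p.mask) == p.addr; }

/* First-match evaluation, top to bottom. A packet matching no rule is
 * denied, so the rule list fails closed. */
enum action filter(const struct rule *rules, size_t n, const struct packet *pk) {
    for (size_t i = 0; i < n; i++) {
        const struct rule *r = &rules[i];
        if (r->proto != ANY_PROTO && r->proto != pk->proto) continue;
        if (!in_prefix(r->src, pk->src) || !in_prefix(r->dst, pk->dst)) continue;
        if (r->sport != 0 && r->sport != pk->sport) continue;
        if (r->dport != 0 && r->dport != pk->dport) continue;
        return r->action;
    }
    return DENY;
}

/* Constructed topology (an assumption, not from the slides): private network
 * 192.168.1.0/24 with the bastion host at 192.168.1.10. Builds the screened
 * host router rules; with permit_all_tail set, a final permit-everything
 * rule is appended, which is what lets Internet packets go inside directly. */
size_t screened_host_rules(struct rule *out, int permit_all_tail) {
    struct prefix any = net(0, 0);
    struct prefix inside = net(ip4(192, 168, 1, 0), 24);
    struct prefix bastion = net(ip4(192, 168, 1, 10), 32);
    size_t n = 0;
    /* traffic from the Internet to the bastion host is permitted */
    out[n++] = (struct rule){ ANY_PROTO, any, bastion, 0, 0, PERMIT };
    /* traffic from inside to the Internet is rejected unless it comes from
     * the bastion host: the permit must come before the deny */
    out[n++] = (struct rule){ ANY_PROTO, bastion, any, 0, 0, PERMIT };
    out[n++] = (struct rule){ ANY_PROTO, inside, any, 0, 0, DENY };
    if (permit_all_tail)
        out[n++] = (struct rule){ ANY_PROTO, any, any, 0, 0, PERMIT };
    return n;
}

/* Decide one packet against the screened host policy. */
enum action screened_host_decide(enum proto proto, uint32_t src, uint16_t sport,
                                 uint32_t dst, uint16_t dport, int permit_all_tail) {
    struct rule rules[4];
    size_t n = screened_host_rules(rules, permit_all_tail);
    struct packet pk = { proto, src, dst, sport, dport };
    return filter(rules, n, &pk);
}

int main(void) {
    uint32_t internet = ip4(203, 0, 113, 5), bastion = ip4(192, 168, 1, 10);
    uint32_t inside = ip4(192, 168, 1, 20);
    printf("internet -> bastion:25        %d\n", screened_host_decide(PROTO_TCP, internet, 40000, bastion, 25, 0));
    printf("inside   -> internet:80       %d\n", screened_host_decide(PROTO_TCP, inside, 40000, internet, 80, 0));
    printf("internet -> inside:23 (tail)  %d\n", screened_host_decide(PROTO_TCP, internet, 40000, inside, 23, 1));
    return 0;
}
```

Rule order matters: the permit for the bastion host has to precede the deny for the whole private network, because evaluation stops at the first match. The last call shows why a trailing permit-all is the weak point of the screened host design.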
Screened subnet firewall (figure): Internet -- IP filtering router -- DMZ containing the bastion host -- IP filtering router -- private network
Screened subnet firewall
DMZ (demilitarized zone): an area between the inside firewall and the outside firewall
The inside firewall refers to the router located in the private network; the outside firewall refers to the Internet access router
Hosts in the private network are protected by two or more firewalls
The private network and the DMZ are created by the two routers
Advantage: no site in the private network is exposed to the Internet; the router closest to the private network has better routing performance than a bastion host
Application layer firewall
Works on the application layer of the OSI model
Proxy server
Dual-homed gateway (figure): Internet -- Dual-Homed Gateway (IP routing and forwarding disabled) -- Private Network
Dual-homed gateway
A highly secured host that runs proxy software
Blocks all IP traffic between the two networks
Routing and forwarding capability are disabled
Open Source Implementation: Netfilter
What is netfilter? A set of checkpoints in the packet's traversal of the protocol stack
The checkpoints are called hooks
Actions taken on hooks: NF_ACCEPT, NF_DROP, NF_STOLEN, NF_QUEUE, NF_REPEAT
Packet selection is done by IP Tables
Open Source Implementation: Netfilter
Hooks in packet traversal (figure): a packet arriving from the network passes NF_IP_PRE_ROUTING, then a routing decision sends it either to NF_IP_LOCAL_IN and up to the local process, or to NF_IP_FORWARD and then NF_IP_POST_ROUTING; a packet generated by a local process passes NF_IP_LOCAL_OUT, a routing decision, and NF_IP_POST_ROUTING
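An added example, not netfilter's own code and not a kernel module: a user-space model in C of the five hook points and the verdicts listed above, so the traversal order in the figure can be exercised with sample packets. The demo hooks (an anti-spoofing check at NF_IP_PRE_ROUTING that rejects loopback source addresses arriving from the wire, and a web-only policy at NF_IP_FORWARD), the addresses, and the simplification that NF_STOLEN, NF_QUEUE and NF_REPEAT are reported rather than acted on are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hook points and verdicts, named as on the slide. */
enum nf_hook { NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, NF_IP_FORWARD,
               NF_IP_LOCAL_OUT, NF_IP_POST_ROUTING, NF_IP_NUMHOOKS };
enum nf_verdict { NF_DROP, NF_ACCEPT, NF_STOLEN, NF_QUEUE, NF_REPEAT };

#define IP4(a, b, c, d) (((unsigned)(a) << 24) | ((unsigned)(b) << 16) | \
                         ((unsigned)(c) << 8) | (unsigned)(d))

struct pkt {
    unsigned src, dst;
    int dport;
    int from_local;   /* generated by a local process */
    int to_local;     /* routing decision: destined for this host */
};

typedef enum nf_verdict (*hook_fn)(enum nf_hook, struct pkt *);

#define MAX_PER_HOOK 4
static hook_fn hooks[NF_IP_NUMHOOKS][MAX_PER_HOOK];
static int nhooks[NF_IP_NUMHOOKS];
static int last_path_len;          /* hook points visited by the last traversal */

void nf_model_reset(void) { memset(nhooks, 0, sizeof nhooks); }

int nf_model_register(enum nf_hook h, hook_fn fn) {
    if (nhooks[h] == MAX_PER_HOOK) return -1;
    hooks[h][nhooks[h]++] = fn;
    return 0;
}

/* Call every function registered on a hook in order; the first verdict other
 * than NF_ACCEPT ends the chain. (Model simplification: STOLEN, QUEUE and
 * REPEAT are returned as-is rather than queued or re-run.) */
static enum nf_verdict run_hook(enum nf_hook h, struct pkt *p) {
    for (int i = 0; i < nhooks[h]; i++) {
        enum nf_verdict v = hooks[h][i](h, p);
        if (v != NF_ACCEPT) return v;
    }
    return NF_ACCEPT;
}

/* Walk a packet through the hook points in the order of the figure. */
enum nf_verdict nf_model_traverse(struct pkt *p) {
    enum nf_verdict v;
    last_path_len = 0;
    if (p->from_local) {
        last_path_len++;
        if ((v = run_hook(NF_IP_LOCAL_OUT, p)) != NF_ACCEPT) return v;
        last_path_len++;                       /* routing decision, then out */
        return run_hook(NF_IP_POST_ROUTING, p);
    }
    last_path_len++;
    if ((v = run_hook(NF_IP_PRE_ROUTING, p)) != NF_ACCEPT) return v;
    last_path_len++;                           /* routing decision: for us or forward */
    if (p->to_local)
        return run_hook(NF_IP_LOCAL_IN, p);    /* then up to the local process */
    if ((v = run_hook(NF_IP_FORWARD, p)) != NF_ACCEPT) return v;
    last_path_len++;
    return run_hook(NF_IP_POST_ROUTING, p);
}

int nf_model_last_path_len(void) { return last_path_len; }

/* Demo hooks (constructed policy): a loopback source must never arrive from
 * the wire, and only web traffic may transit this host. */
static enum nf_verdict drop_loopback_source(enum nf_hook h, struct pkt *p) {
    (void)h;
    return (p->src >> 24) == 127 ? NF_DROP : NF_ACCEPT;
}
static enum nf_verdict forward_web_only(enum nf_hook h, struct pkt *p) {
    (void)h;
    return (p->dport == 80 || p->dport == 443) ? NF_ACCEPT : NF_DROP;
}

/* Install the demo hooks and run one packet through the model. */
enum nf_verdict nf_model_demo(int from_local, int to_local, unsigned src, int dport) {
    struct pkt p = { src, IP4(192, 168, 1, 20), dport, from_local, to_local };
    nf_model_reset();
    nf_model_register(NF_IP_PRE_ROUTING, drop_loopback_source);
    nf_model_register(NF_IP_FORWARD, forward_web_only);
    return nf_model_traverse(&p);
}

int main(void) {
    printf("forward telnet: verdict %d after %d hooks\n",
           nf_model_demo(0, 0, IP4(203, 0, 113, 5), 23), nf_model_last_path_len());
    printf("local-in ssh:   verdict %d after %d hooks\n",
           nf_model_demo(0, 1, IP4(203, 0, 113, 5), 22), nf_model_last_path_len());
    return 0;
}
```

Locally delivered packets never reach NF_IP_FORWARD, so a policy placed only there does nothing for traffic addressed to the firewall itself; that is why the anti-spoofing check sits at NF_IP_PRE_ROUTING, which every inbound packet passes.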
Open Source Implementation: iptables
Rule structure: struct ipt_entry
struct ipt_ip, nfcache, target_offset, next_offset, comefrom, struct ipt_counters
followed by struct ipt_entry_match and struct ipt_entry_target
Open Source Implementation: TIS
A set of programs to facilitate the network firewall
Software components:
Smap: SMTP service
Netacl: TELNET service, finger, and access control list
ftp-gw, http-gw, rlogin-gw, telnet-gw: proxy servers for FTP, HTTP, rlogin, and telnet
http-gw
A proxy server with proxy capability for HTTP, gopher, and FTP
May cooperate with Squid: http-gw has no caching capability; Squid acts as a caching Web proxy
May filter specific URLs or sites
Netperm-table
Common configuration file for TIS
Rule matching is from top to bottom, left to right
Example of the http-gw part of Netperm-table:
http-gw: userid root
http-gw: directory /www_data
http-gw: timeout 60
http-gw: permit-hosts 177.3.4.*
http-gw: deny-hosts *
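An added example, not part of the TIS toolkit: a C parser for netperm-table lines of the shape shown above that keeps the permit-hosts/deny-hosts patterns in table order and applies the first one that matches, which is what the top-to-bottom, left-to-right rule implies. The sample tables are a copy of the slide's http-gw lines plus a reordered variant; treating an address that matches no rule as denied is this example's choice, not a documented TIS behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_HOST_RULES 16

struct host_rule { int permit; char pattern[64]; };

struct netperm {
    char userid[32];
    char directory[128];
    int timeout;                       /* -1 when the table sets none */
    int nhost;
    struct host_rule host[MAX_HOST_RULES];
};

/* Glob match where '*' stands for any run of characters, e.g. "177.3.4.*". */
int glob_match(const char *pat, const char *s) {
    if (*pat == '\0') return *s == '\0';
    if (*pat == '*') {
        for (;; s++) {
            if (glob_match(pat + 1, s)) return 1;
            if (*s == '\0') return 0;
        }
    }
    return *pat == *s && glob_match(pat + 1, s + 1);
}

/* Parse the lines belonging to one application (e.g. "http-gw"). Host rules
 * are stored in table order, and the patterns on one line are stored left
 * to right, so the later check honours the table's precedence.
 * Returns the number of host rules kept. */
int netperm_parse(const char *text, const char *app, struct netperm *cfg) {
    const char *p = text;
    memset(cfg, 0, sizeof *cfg);
    cfg->timeout = -1;
    while (*p) {
        char line[256], name[32], key[32];
        int off = 0;
        size_t len = strcspn(p, "\n");
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += len;
        if (*p == '\n') p++;
        if (line[0] == '#' || sscanf(line, " %31[^:]: %31s%n", name, key, &off) < 2) continue;
        if (strcmp(name, app) != 0) continue;
        char *rest = line + off;
        if (strcmp(key, "timeout") == 0) cfg->timeout = atoi(rest);
        else if (strcmp(key, "userid") == 0) sscanf(rest, "%31s", cfg->userid);
        else if (strcmp(key, "directory") == 0) sscanf(rest, "%127s", cfg->directory);
        else if (strcmp(key, "permit-hosts") == 0 || strcmp(key, "deny-hosts") == 0) {
            int permit = key[0] == 'p';
            for (char *tok = strtok(rest, " \t"); tok && cfg->nhost < MAX_HOST_RULES;
                 tok = strtok(NULL, " \t")) {
                cfg->host[cfg->nhost].permit = permit;
                snprintf(cfg->host[cfg->nhost].pattern, sizeof cfg->host[0].pattern, "%s", tok);
                cfg->nhost++;
            }
        }
    }
    return cfg->nhost;
}

/* First matching host rule wins: 1 = permit, 0 = deny, -1 = no rule matched. */
int netperm_check_host(const struct netperm *cfg, const char *addr) {
    for (int i = 0; i < cfg->nhost; i++)
        if (glob_match(cfg->host[i].pattern, addr)) return cfg->host[i].permit;
    return -1;
}

/* Constructed copy of the slide's http-gw lines. */
static const char SAMPLE_TABLE[] =
    "http-gw: userid root\n"
    "http-gw: directory /www_data\n"
    "http-gw: timeout 60\n"
    "http-gw: permit-hosts 177.3.4.*\n"
    "http-gw: deny-hosts *\n";

/* The same host rules with the deny line first: because the first match
 * wins, this table denies every client, including 177.3.4.*. */
static const char REVERSED_TABLE[] =
    "http-gw: deny-hosts *\n"
    "http-gw: permit-hosts 177.3.4.*\n";

/* Parse and decide in one call; an address matching no rule is denied. */
int netperm_decision(const char *table, const char *addr) {
    struct netperm cfg;
    netperm_parse(table, "http-gw", &cfg);
    int r = netperm_check_host(&cfg, addr);
    return r < 0 ? 0 : r;
}

int netperm_timeout(const char *table) {
    struct netperm cfg;
    netperm_parse(table, "http-gw", &cfg);
    return cfg.timeout;
}

int main(void) {
    printf("177.3.4.9 -> %d, 10.0.0.1 -> %d, reversed table 177.3.4.9 -> %d\n",
           netperm_decision(SAMPLE_TABLE, "177.3.4.9"),
           netperm_decision(SAMPLE_TABLE, "10.0.0.1"),
           netperm_decision(REVERSED_TABLE, "177.3.4.9"));
    return 0;
}
```

The reversed table is the configuration mistake to check for when reviewing a netperm-table: a catch-all deny-hosts line placed above the permits silently locks everyone out, and a missing catch-all leaves the result to whatever the proxy does by default.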
http-gw example of Trusted Information System (TIS) (figure):
START -> read configuration -> started as -DAEMON? YES: bind, listen, accept, fork (fork != 0: the parent returns to accept; fork = 0: the child continues); NO (inetd): continue directly
-> get the user's HTTP request -> forward the HTTP request -> receive the HTTP response
-> content type text/html? YES: content filter with FSM; NO: block transfer between connections -> END
7.4 Intrusion Detection System
Introduction
Intrusion
Protection
Open Source Implementation: Snort
Network Intrusion
What's network intrusion? Intruding into a system via networks such as the Internet and an intranet
(figure: a login session to a server, "===== Welcome ====== Login: Unsafe Password: HereYouAre")
Why network intrusion?
For fun
Gather information or resources of the target system
Damage data and files
Crash the target system
Intrusion Procedure (figure): gather information -> intrude -> crack target -> get information -> embed backdoor for next coming -> clear log
Intrusion Ways
Monitoring
Password Cracking
Security Holes
Malicious Code
Denial of Service
Scanning
Monitoring
What's monitoring? Monitoring the MAC frame, IP packet, and application layer information of the target system
To get MAC addresses
To get TCP/IP information
To get usernames and passwords
To get other useful information
Tools: Sniffit, http://reptile.rug.ac.be/~coder/sniffit/sniffit.html; NetXray
Password Cracking
How to crack passwords
Guess
Brute force with a dictionary file
Files: Unix, /etc/passwd and /etc/shadow; Windows 2000, SAM file
Plain text transmission without encryption
Tools
Netcat, http://www.atstake.com/research/tools/nc11nt.zip
WWWHack, http://packetstorm.securify.com/Crackers/wwwhack.zip
L0phtCrack, http://www.l0pht.com/l0phtcrack/dist/l0phtcrack25.exe
John-16d.zip, http://www.openwall.com/john
Security Holes
What's a security hole? Bugs of systems, applications, or protocols
Types of security hole: buffer overflow, input validation error, configuration error, system bug, software bug, protocol bug
Buffer overflow
Putting more data into the specified buffer than it holds causes a buffer overflow
The overwritten return address then points to the cracked file, which is executed
Example (figure):
void called(){
. . . char buffer[200]; . . .
}
Stack before: stack pointer -> buffer (200 bytes) ... return address ...
Stack after: more data is put into the buffer than it holds, the buffer overflows, and the return address is replaced by the cracked file address
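An added example, not from the slides: the unbounded copy the figure describes, written out in C next to a bounded version that rejects any input that would not fit in buffer[200] with its terminating NUL. The demo only ever feeds oversized input to the checked version; the input lengths are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 200

/* The defect in the figure: strcpy() stops only at the terminating NUL, so
 * input longer than BUF_SIZE - 1 bytes runs past buffer[] into the saved
 * frame data, including the return address. Shown for comparison only; the
 * demo never calls it with input that does not fit. */
void called_unsafe(const char *input) {
    char buffer[BUF_SIZE];
    strcpy(buffer, input);                /* no length check */
    printf("unsafe copy stored %zu bytes\n", strlen(buffer));
}

/* Hardened version: measure first, keep room for the NUL, refuse rather than
 * truncate silently. Returns 0 when the input fits, -1 when it was rejected. */
int called_safe(const char *input) {
    char buffer[BUF_SIZE];
    size_t len = strlen(input);
    if (len >= sizeof buffer)
        return -1;
    memcpy(buffer, input, len + 1);
    printf("safe copy stored %zu bytes\n", len);
    return 0;
}

/* Build a constructed input of n bytes and run it through called_safe(). */
int accept_length(size_t n) {
    char *input = malloc(n + 1);
    if (!input) return -1;
    memset(input, 'A', n);
    input[n] = '\0';
    int rc = called_safe(input);
    free(input);
    return rc;
}

int main(void) {
    called_unsafe("short input that fits");
    printf("100 bytes: %d\n", accept_length(100));
    printf("199 bytes: %d\n", accept_length(199));
    printf("200 bytes: %d\n", accept_length(200));
    printf("300 bytes: %d\n", accept_length(300));
    return 0;
}
```

The boundary is at 199 bytes, not 200, because one byte of the buffer belongs to the NUL terminator; off-by-one checks of the form `len > sizeof buffer` leave exactly that byte unprotected. Rejecting the input is preferred over strncpy(), which silently drops the terminator when it truncates.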
Malicious Code
What's malicious code? Computer programs written specifically to cause mischief or, worse, cause damage to infected computers
Two types of malicious code: backdoor (i.e., Trojan horses) and virus
Backdoor, i.e., Trojan Horses
Unlike a virus, a Trojan horse does not replicate itself
Stays in the target system
Masquerades as a legitimate program
Inflicts damage
Reports information to the remote attacker
Allows the remote attacker to take control of the target
Virus
Self-replicating
Destructive
Types of virus: macro virus; COM and EXE virus; boot virus; joke virus; Java malicious code; ActiveX malicious code; VBScript, JavaScript and HTML virus
Examples:
First Internet virus: "Internet Worm" by Robert T. Morris Jr., 1988
Famous virus via email: "I love you", 2000
Attacks on Microsoft IIS: "Code Red", 2001; "Nimda", 2001
Virus list: http://www.wildlist.org/
Denial of Service
What's DoS? Not an intrusion attack, but denying the services of the target system
Exhausts target resources
Stops the target from providing services
How does DoS work?
TCP SYN flood with IP spoofing attack
ICMP reply flood attack
Ping of Death
Teardrop attack
UDP flood attack
DDoS (Distributed DoS): hierarchy of attacker, master, client, and target
DDoS: Distributed DoS
Launches coordinated UDP flood DoS attacks from many sources
Hierarchy of attacker, master, client, and target:
Attacker, the intruder
A small number of servers, or masters
A large number of clients, or daemons
Target, the victim
Two of the tools that have been seen are known as Trinoo (or trin00) and Tribe Flood Network (or TFN), and TFN2K
DDoS tool hierarchy (figure): the attacker sends commands to the masters on port 27665/TCP; the masters send commands to the agents (request: port 27444/UDP; reply: port 31335/UDP); the agents attack the targets with 1. UDP flood attack, 2. TCP SYN flood attack, 3. ICMP echo request flood attack, 4. M attack, 5. Targa3 attack
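An added example, not from the slides: C detection logic a network-based monitor could run over packet summaries, flagging the control channel ports shown in the figure (27665/TCP, 27444/UDP, 31335/UDP) and estimating half-open TCP connections per destination to spot a spoofed SYN flood. The sample traffic, the target address 10.0.0.80, the forged source addresses and the alert threshold are all constructed.

```c
#include <stddef.h>
#include <stdio.h>

enum { PROTO_TCP = 6, PROTO_UDP = 17 };
#define IP4(a, b, c, d) (((unsigned)(a) << 24) | ((unsigned)(b) << 16) | \
                         ((unsigned)(c) << 8) | (unsigned)(d))

/* One packet summary, as a sensor on the network would record it. */
struct rec {
    int proto;
    unsigned src, dst;
    unsigned sport, dport;
    int syn, ack;              /* TCP flags; both 0 for UDP */
};

/* Control channel ports from the figure: attacker -> master 27665/TCP,
 * master -> agent 27444/UDP, agent -> master reply 31335/UDP. */
int is_control_channel(const struct rec *r) {
    if (r->proto == PROTO_TCP && r->dport == 27665) return 1;
    if (r->proto == PROTO_UDP && (r->dport == 27444 || r->dport == 31335)) return 1;
    return 0;
}

int count_control_channel(const struct rec *rs, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) hits += is_control_channel(&rs[i]);
    return hits;
}

/* Half-open estimate for one destination: SYNs received minus the ACKs that
 * complete a handshake. A spoofed SYN flood drives this number up because
 * the forged sources never answer the SYN-ACK. */
int half_open_count(const struct rec *rs, size_t n, unsigned dst) {
    int syn = 0, ack = 0;
    for (size_t i = 0; i < n; i++) {
        if (rs[i].proto != PROTO_TCP || rs[i].dst != dst) continue;
        if (rs[i].syn && !rs[i].ack) syn++;
        else if (!rs[i].syn && rs[i].ack) ack++;
    }
    return syn - ack;
}

int syn_flood_suspected(const struct rec *rs, size_t n, unsigned dst, int threshold) {
    return half_open_count(rs, n, dst) >= threshold;
}

#define TARGET IP4(10, 0, 0, 80)
#define SAMPLE_MAX 64

/* Constructed sample: 3 legitimate handshakes (SYN then ACK), 40 SYNs from
 * 40 different forged sources that are never followed by an ACK, and two
 * control-channel packets between attacker, master and agent. */
size_t build_sample(struct rec *out) {
    size_t n = 0;
    for (unsigned i = 1; i <= 3; i++) {
        out[n++] = (struct rec){ PROTO_TCP, IP4(198, 51, 100, i), TARGET, 40000 + i, 80, 1, 0 };
        out[n++] = (struct rec){ PROTO_TCP, IP4(198, 51, 100, i), TARGET, 40000 + i, 80, 0, 1 };
    }
    for (unsigned i = 1; i <= 40; i++)
        out[n++] = (struct rec){ PROTO_TCP, IP4(203, 0, 113, i), TARGET, 1024 + i, 80, 1, 0 };
    out[n++] = (struct rec){ PROTO_TCP, IP4(192, 0, 2, 9), IP4(192, 0, 2, 50), 51000, 27665, 1, 0 };
    out[n++] = (struct rec){ PROTO_UDP, IP4(192, 0, 2, 50), IP4(192, 0, 2, 77), 27444, 27444, 0, 0 };
    return n;
}

int demo_control_hits(void) {
    struct rec s[SAMPLE_MAX];
    size_t n = build_sample(s);
    return count_control_channel(s, n);
}

int demo_half_open(unsigned dst) {
    struct rec s[SAMPLE_MAX];
    size_t n = build_sample(s);
    return half_open_count(s, n, dst);
}

int demo_syn_flood(int threshold) {
    struct rec s[SAMPLE_MAX];
    size_t n = build_sample(s);
    return syn_flood_suspected(s, n, TARGET, threshold);
}

int main(void) {
    printf("control-channel packets: %d\n", demo_control_hits());
    printf("half-open toward target: %d\n", demo_half_open(TARGET));
    printf("SYN flood suspected (threshold 20): %d\n", demo_syn_flood(20));
    return 0;
}
```

The port match is the cheap signature and is only as good as the tool's defaults; the half-open count is the behavioural check that still works when the control ports change, so a monitor should run both and tune the threshold to the normal handshake rate of the protected server.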
Scanning
What's scanning? The dawn of attacking: scanning the services and security holes of the target only, but not real attacking
Scanning types
Local scanning: COPS, TIGER
Remote scanning: SATAN (Security Administrator's Tool for Analyzing Networks), SAINT (Security Administrator's Integrated Network Tool), Fluxay
Examples of attackingp g
Security Hole Attack Type
sendmail Failure to Handle DoSExceptional Conditions
Wu-ftpd 2.6 Buffer overflow Remote exploit
Group Apache 1 3 12
Design error Remote and local exploits1.3.12 exploits
Piranha with Redhat 6.2
Configuration error Remote exploit
Linux “man” Malicious
Access validation error Local exploit
Chapter 7: Network Security Modern Computer Networks 101
Protection
- Prevent (Encryption, Authentication): refer to 7.2.1 and 7.2.2
- Access control (firewall): refer to 7.3
- Detection (monitoring, scanning)
- Audit (auditing)
Detection
- Detection types:
  - Monitoring
    - Network-based monitor: detection of DoS attacks
    - Host-based monitor
    - Tools: Tripwire, http://www.tripwiresecurity.com; RealSecure, http://www.iss.net
  - Scanning
    - Scanning for known patterns
    - Prevent virus and backdoor programs
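The network-based monitor above is the natural counter to the master/agent UDP flood described on the DDoS slides. The following added example (not code from the slides or from any of the tools named on them) keys on both signals that distinguish a distributed flood: the packet rate towards one target per time window and the number of distinct sources those packets come from. The flow records, addresses and thresholds are constructed for the example.

```python
"""Network-based monitor that flags a distributed UDP flood.

Added example: per-target packet counts per time window, combined with the
number of distinct sources, over constructed flow records.
"""
from collections import defaultdict


def build_sample_flows():
    """Constructed flow records: (timestamp_s, proto, src_ip, dst_ip, dst_port)."""
    flows = []
    # Benign traffic: two clients each send five DNS queries to the resolver.
    for i in range(5):
        flows.append((100.0 + i * 0.2, "UDP", "10.0.0.11", "10.0.0.53", 53))
        flows.append((100.1 + i * 0.2, "UDP", "10.0.0.12", "10.0.0.53", 53))
    # One TCP connection to the victim; a UDP flood detector ignores it.
    flows.append((100.3, "TCP", "10.0.0.11", "10.0.0.5", 80))
    # Flood: 40 agents (192.0.2.1 .. 192.0.2.40) each send five UDP packets
    # to the victim's echo port inside the same one-second window.
    for agent in range(40):
        for k in range(5):
            ts = 100.0 + (agent * 5 + k) / 200.0
            flows.append((ts, "UDP", f"192.0.2.{agent + 1}", "10.0.0.5", 7))
    return flows


def detect_udp_floods(flows, window_s=1.0, pkt_threshold=100, min_sources=10):
    """Return {target_ip: (window_start_s, packets, distinct_sources)}.

    A target is reported when, in some window, it receives at least
    pkt_threshold UDP packets from at least min_sources distinct sources.
    If several windows qualify, the busiest one is reported.
    """
    # target -> window index -> list of source addresses seen in that window
    per_target = defaultdict(lambda: defaultdict(list))
    for ts, proto, src, dst, _dport in flows:
        if proto != "UDP":
            continue
        per_target[dst][int(ts // window_s)].append(src)

    alerts = {}
    for dst, windows in per_target.items():
        for idx, sources in windows.items():
            n_pkts, n_srcs = len(sources), len(set(sources))
            if n_pkts < pkt_threshold or n_srcs < min_sources:
                continue
            if dst not in alerts or n_pkts > alerts[dst][1]:
                alerts[dst] = (idx * window_s, n_pkts, n_srcs)
    return alerts


if __name__ == "__main__":
    for target, (start, pkts, srcs) in detect_udp_floods(build_sample_flows()).items():
        print(f"UDP flood on {target}: {pkts} packets from {srcs} sources "
              f"in the window starting at t={start:.0f}s")
```

The `min_sources` threshold is what separates the distributed case from a single noisy host; setting it to 1 turns the function into a plain per-target rate monitor, which is how the benign resolver traffic in the sample can be made to trip it.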
Audit
- Recording system login and security related events
  - Prevent intrusion
  - Trace intrusion
- Audit record operations: analyzing, maintenance, backup
- Tools:
  - Stalker, http://www.haystack.com
  - IDES/NIDES, http://www.sri.com
  - Unix's syslog
  - Watchdog, http://www.infstream.com
  - /var/adm/sulog file
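The last item, /var/adm/sulog, is a good illustration of what "analyzing" an audit record means in practice. The following added example (not from the slides) parses a constructed sulog in the traditional one-line-per-attempt layout `SU MM/DD hh:mm [+|-] tty from-to`, where `+` marks a successful su(1) and `-` a failed one; that layout is assumed here, and the sample lines and thresholds are constructed.

```python
"""Audit-record analysis over a constructed /var/adm/sulog.

Added example: parse su(1) attempts and report accounts with repeated
failed switches to root, the kind of event the audit slide says should
be recorded and traced.
"""
import re
from collections import Counter

# Assumed record layout: "SU MM/DD hh:mm [+|-] tty from-to"
SULOG_LINE = re.compile(
    r"^SU\s+(?P<date>\d\d/\d\d)\s+(?P<time>\d\d:\d\d)\s+(?P<flag>[+-])"
    r"\s+(?P<tty>\S+)\s+(?P<src>[^-\s]+)-(?P<dst>\S+)$"
)

# Constructed sample log, including one malformed line that must be skipped.
SAMPLE_SULOG = """\
SU 03/14 08:02 + pts/1 alice-root
SU 03/14 22:15 - pts/3 bob-root
SU 03/14 22:16 - pts/3 bob-root
SU 03/14 22:16 - pts/3 bob-root
SU 03/14 22:17 - pts/3 bob-root
SU 03/15 09:30 + console root-postgres
this line is not a sulog record
"""


def parse_sulog(text):
    """Return one dict per well-formed record; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = SULOG_LINE.match(line.rstrip())
        if not m:
            continue
        rec = m.groupdict()
        rec["success"] = rec.pop("flag") == "+"
        records.append(rec)
    return records


def failed_root_attempts(records, threshold=3):
    """Users with at least `threshold` failed su attempts to root."""
    failures = Counter(
        r["src"] for r in records if not r["success"] and r["dst"] == "root"
    )
    return {user: n for user, n in failures.items() if n >= threshold}


def successful_root_switches(records):
    """(src user, tty, date, time) for every successful switch to root."""
    return [
        (r["src"], r["tty"], r["date"], r["time"])
        for r in records if r["success"] and r["dst"] == "root"
    ]


if __name__ == "__main__":
    recs = parse_sulog(SAMPLE_SULOG)
    print("repeated failed su to root:", failed_root_attempts(recs))
    print("successful su to root:", successful_root_switches(recs))
```

Both reports are the two halves of the slide's "prevent intrusion / trace intrusion": the failure count is the early warning, and the success list is the trail to follow once an account is suspected.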
Open Source Implementation - Snort
- Three modes:
  - Sniffer: read and decode network packets
  - Packet logger: log packets to disk
  - Intrusion detection system: analyze traffic based on pre-defined rules; perform actions based upon what it sees
Snort Commands
- Command line: snort -[options] <filters>
- Sniffer: ./snort -v
  Run snort and show IP and TCP/UDP/ICMP headers
- Packet logger: ./snort -dev -l ./log
  Collect packets and place them in the log directory
- Intrusion detection system: ./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
Snort Rules
- A powerful description language
- Snort takes action based upon the rule type
- A rule is divided into two sections:
  - Rule header: action, protocol, source and destination IP address, port information
  - Rule option: alert message; which part of the packet should be inspected
Writing Snort Rules
- Rule header: alert tcp any any -> 192.168.1.0/24 111
  - action (alert), protocol (tcp), source address and port number (any any), destination address and port number (192.168.1.0/24 111)
- Rule option: (content:"|00 01 86 a5|"; msg:"mounted access";)
  - inspected part (content), alert message (msg)
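To make the header/option split concrete, here is an added example (not Snort's own code) that parses the rule from the slide into its header fields and options and evaluates constructed packets against it. It handles only the syntax the slide uses plus CIDR or negated addresses and port ranges; the packets, addresses and the RPC-style payloads are constructed for the example.

```python
"""Minimal matcher for the Snort rule shown on the slide (added example)."""
import ipaddress
import re

MOUNTD_RULE = (
    'alert tcp any any -> 192.168.1.0/24 111 '
    '(content:"|00 01 86 a5|"; msg:"mounted access";)'
)

# header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$",
    re.S,
)


def decode_content(value):
    """Snort content string -> bytes: text outside |...| is literal,
    text inside |...| is space-separated hex, as in "|00 01 86 a5|"."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(text):
    """Return (header dict, options dict) for one rule line."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a rule: {text!r}")
    header = {k: v for k, v in m.groupdict().items() if k != "options"}
    header["proto"] = header["proto"].lower()
    options = {}
    for raw in m.group("options").split(";"):
        if not raw.strip():
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        options[key] = decode_content(value) if key == "content" else value
    return header, options


def match_addr(spec, ip):
    """'any', a CIDR block or single address, optionally negated with '!'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def match_port(spec, port):
    """'any', a single port, or a range 'lo:hi' with either end open."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def rule_matches(rule, pkt):
    header, options = rule
    if header["proto"] != pkt["proto"]:
        return False

    def ends(a_ip, a_port, b_ip, b_port):
        return (match_addr(header["src"], a_ip) and match_port(header["sport"], a_port)
                and match_addr(header["dst"], b_ip) and match_port(header["dport"], b_port))

    ok = ends(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if header["direction"] == "<>":  # bidirectional rule: try the reverse as well
        ok = ok or ends(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not ok:
        return False
    content = options.get("content")
    return content is None or content in pkt["payload"]


def evaluate(rules, pkt):
    """(action, msg) for every rule that fires on the packet."""
    return [(h["action"], o.get("msg", "")) for h, o in rules if rule_matches((h, o), pkt)]


# Constructed packets: a portmapper call carrying the mountd program number
# 100005 (0x000186a5) into the protected net, the same call to a host outside
# it, and a call for a different program number.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "203.0.113.9", "sport": 40123, "dst": "192.168.1.10",
     "dport": 111, "payload": b"\x80\x00\x00\x28" + b"\x00\x01\x86\xa5" + b"\x00" * 8},
    {"proto": "tcp", "src": "203.0.113.9", "sport": 40124, "dst": "10.0.0.3",
     "dport": 111, "payload": b"\x80\x00\x00\x28" + b"\x00\x01\x86\xa5"},
    {"proto": "tcp", "src": "203.0.113.9", "sport": 40125, "dst": "192.168.1.10",
     "dport": 111, "payload": b"\x80\x00\x00\x28" + b"\x00\x01\x86\xa3"},
]

if __name__ == "__main__":
    rule = parse_rule(MOUNTD_RULE)
    for pkt in SAMPLE_PACKETS:
        print(pkt["dst"], pkt["payload"][4:8].hex(), "->", evaluate([rule], pkt))
```

Only the first packet fires the rule: the second fails the destination check in the header, the third passes the header but fails the `content` option, which is exactly the two-stage header-then-options evaluation the slide describes.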
Open Source Implementation - Snort (cont.)
Program flow (figure, two slides):
1. Parse the command line
2. Initialize program variables
3. Initialize the specified interface
4. If no config data is specified, set the log directory
5. If there are no rules and neither sniffing nor logging was requested, exit
6. Open the interface for reading packets
7. Set the packet processor
8. If using the rule system, initialize all plugin modules
9. Set safe UID and GID
10. Set the default alert function
11. Specify the command-line alert function
12. Assign each interface a thread
Attack vs. Protection
Protection mechanisms (columns): Encryption, Authentication, Access control, Audit, Monitor, Scan
Attacks (rows) and the protections that apply to each, in the order the slide lists them:
- Password crack: prevent; Monitoring prevent
- Security holes: prevent, Decrease, Record, Detect
- Scanning: Prevent, Record, Detect
- Malicious code: Record, Detect, Detect
- DoS: Decrease, Record, Detect
- Social engineering: (no entry)
Pitfalls and misleading
- Private key vs. public key
- Why does RSA work?
- Security of DES and Triple DES
- SSL vs. SET
- High-level firewall vs. low-level firewall
Further readings
[1] Dorothy E. Denning, Peter J. Denning, "Internet Besieged", Addison Wesley, Oct 1997
[2] SecurityFocus, "SecurityFocus.com", http://www.securityfocus.com
[3] Cryptographic Algorithms, "DES", http://www.ssh.fi/tech/crypto/algorithms.html#DES
[4] Cryptographic Algorithms, "IDEA", http://www.ssh.fi/tech/crypto/algorithms.html#IDEA
[5] Cryptographic Algorithms, "RSA", http://www.ssh.fi/tech/crypto/algorithms.html#RSA
[6] Cryptographic Algorithms, "Diffie-Hellman", http://www.ssh.fi/tech/crypto/algorithms.html#Diffie-Hellman
[7] MIT distribution site for PGP, "Welcome to the MIT Distribution Center for PGP (Pretty Good Privacy)", http://web.mit.edu/network/pgp.html
[8] The Secure Shell Community Site, "The Secure Shell Community Site", http://www.ssh.org
[9] R. Rivest, "The MD5 Message-Digest Algorithm", Apr 1992, http://sunsite.auc.dk/RFC/rfc/rfc1321.html
[10] S. Kent and R. Atkinson, "Security Architecture for the Internet Protocol", IETF RFC 2401, November 1998
[11] B. Gleeson, A. Lin, J. Heinanen, G. Armitage and A. Malis, "A Framework for IP Based Virtual Private Networks", IETF RFC 2764, February 2000
[12] M. Curtin and M. J. Ranum, "Internet Firewalls: Frequently Asked Questions", http://www.interhack.net/pubs/fwfaq/
Exercises
- What's the primary encryption function of each iteration of the DES system?
- Figure out the breaking time for key sizes of 32, 56, 128, and 168 bits, if a single decryption takes 1 us and 10^-6 us, respectively.
- In a public key system using RSA with public key e=5, n=35, Trudy intercepts the ciphertext C=10. What's the plaintext M?
- The encryption scheme used for UNIX passwords is one way; it is not possible to reverse it. Therefore, would it be accurate to say that this is, in fact, a hash code rather than an encryption of the password?
- What are the requirements of a digital signature?
- What's the difference between network and application layer firewalls?
- What are the differences between virtual leased line, virtual private routed network, virtual private dial network, and virtual private LAN segment?
- How to achieve authentication and privacy simultaneously by using authentication header and encapsulation security payload in IPSec?
- What's the procedure of a DDoS attack?
- What's the attack procedure of the "Nimda" virus in October 2001?