IC3 - Network Security
description
Transcript of IC3 - Network Security
1
IC3 - Network Security
M.Sc. in Information Security
Royal Holloway, University of London
2
IC3 - Network Security
Lecture 2, Part 1
Network Components and Protocols
3
CINS/F1-01
Objectives of Lecture
• Understand the different components that are likely to be found in a network.
• Study the major network protocols (focussing on TCP/IP networks).
• Develop an awareness of the inherent security risks of using these components and protocols.
• Study a few ‘classic’ attacks on networks: ARP spoofing,TCP Denial of Service, network sniffing.
4
Contents
In this lecture, we take a layer-by-layer look at the most important network components and protocols, and associated security issues:
2.1 Network Cabling and Hubs (Layer 1)
2.2 Switches and ARP (Layer 2)
2.3 Routers and IP (Layer 3)
2.4 TCP and ICMP (Layer 4)
2.5 Network sniffers (multiple layers)
5
2.1 Network Cabling and Hubs
• TCP/IP Layer 1 (physical) devices.
• Cabling connects other components together.
• Hubs provide a point where data on one cable can be transferred to another cable.
• We study their basic operation and associated security issues.
6
Network Cabling
• Different Cabling Types:– Thick Ethernet – 10BASE-5– Thin Ethernet – 10BASE-2– Shielded & Unshielded Twisted Pair (STP, UTP) –
10BASE-T (Cat 3) 100BASE-T (Cat 5)
7
1 Physical
2 DataLink
3 Network
4 Transport
5 Session
6 Presentation
7 Application
Cabling in OSI Protocol Stack
Cabling
8
Cabling Security Issues
• Physical Environment– Trunking– Network Closets– Risers
• Physical Environment - Issues– Single or multi-occupancy– Access Control to floor building– Network passes through public areas– Network infrastructure easily accessible – Network infrastructure shares facilities– Electromagnetic environment
9
Thin Ethernet
• Short overall cable runs.
• Vulnerability: information broadcast to all devices.– Threat: Information Leakage, Illegitimate Use.
• Vulnerability: One cable fault disables network.– Threat: Denial of Service.
• Easy to install & attach additional devices.– Threat: Illegitimate Use.
• Rarely seen now.
Thin Ethernet
10
UTP and Hub
• Cable between hub and device is single entity.
• Only connectors are at the cable ends.
• Additional devices can only be added at the hub.
• Disconnection/cable break rarely affects other devices.
• Easy to install.
hub
10/100BASE-T
UTP
11
Other Layer 1 options
• Fibre Optic– Cable between hub and device is a single entity,– Tapping or altering the cable is difficult,– Installation is more difficult,– Much higher speeds – Gigabit Ethernet.
• Wireless LAN– Popular where building restrictions apply,– Several disadvantages:
• Radio signals are subject to interference, interception, and alteration.
• Difficult to restrict to building perimeter.
– Security must be built in from initial network design.– IEEE 802.11b.– Discussed further in Lecture 8.
12
Hubs
• Data is broadcast to everyone on the hub– Vulnerability: information broadcast to all devices.
• Threat: Information Leakage, Illegitimate Use.
– Vulnerability: Anyone can plug into hub.• Threat: Illegitimate Use.
• OSI Layer 1.
• Intelligent Hubs:– Signal regeneration,– Traffic monitoring,– Can be configured remotely.
13
1 Physical
2 DataLink
3 Network
4 Transport
5 Session
6 Presentation
7 Application
Hubs in OSI Protocol Stack
Cabling, Hubs
14
2.2 Switches and Layer 2 Issues
• More on Ethernet and IP addressing.
• Switch operation.
• Security issues for layer 2/switches - ARP spoofing and MAC flooding.
• Safeguards.
15
Ethernet Addressing
• Address of Network Interface Card.
• Unique 48 bit value.– first 24 bits indicate vendor.
• For example, 00:E0:81:10:19:FC.– 00:E0:81 indicates Tyan Corporation.– 10:19:FC indicates 1,055,228th NIC.
• Media Access Control (MAC) address.
16
IP Addressing
• IP address is 32 bits long – hence 4 billion ‘raw’ addresses available.
• Usually expressed as 4 decimal numbers separated by dots:– 0.0.0.0 to 255.255.255.255– Typical IP address: 134.219.200.162.
• Many large ranges already assigned:– 13.x.x.x Xerox, 18.x.x.x MIT, 54.x.x.x Merck.– Shortage of IP addresses solved using private IP
addresses and subnetting/supernetting.
• More on addressing later.
17
IP Address to Ethernet Address
• Address Resolution Protocol (ARP):– Layer 3 protocol,– Maps IP address to MAC address.
• ARP Query– Who has 192.168.0.40? Tell 192.168.0.20.
• ARP Reply– 192.168.0.40 is at 00:0e:81:10:19:FC.
• ARP caches for speed:– Records previous ARP replies,– Entries are aged and eventually discarded.
18
ARP Query & ARP Reply
Web BrowserIP 192.168.0.20
MAC 00:0e:81:10:17:D1
Web ServerIP 192.168.0.40
MAC 00:0e:81:10:19:FC
(1) ARP QueryWho has
192.168.0.40?
(1) ARP QueryWho has
192.168.0.40?
(2) ARP Reply192.168.0.40 is at 00:0e:81:10:19:FC
(2) ARP Reply192.168.0.40 is at 00:0e:81:10:19:FC
hub
10/100BASE-T
19
Switches
• Switches only send data to the intended receiver (an improvement on hubs).
• Builds an index of which device has which MAC address.
switch
10/100BASE-T
00:0e:81:10:19:FC
MAC address
2 00:0e:81:32:96:af
Device
1
3 00:0e:81:31:2f:d7
4 00:0e:81:97:03:05
8 00:0e:81:10:17:d1
20
Switch Operation
• When a frame arrives at switch:– Switch looks up destination MAC address in index.– Sends the frame to the device in the index that owns
that MAC address.
• Switches are often intelligent:– Traffic monitoring, remotely configurable.
• Switches operate at Layer 2.
21
1 Physical
2 DataLink
3 Network
4 Transport
5 Session
6 Presentation
7 Application
Switches in OSI Protocol Stack
Cabling,Hubs
Switches
22
ARP Vulnerability
• ARP spoofing:– Masquerade threat realised by issuing
gratuitous ARPs.– ARP replies have no proof of origin, so a
malicious device can claim any MAC address.
– Enables all fundamental threats!
23
Before ARP spoofing
IP 192.168.0.20MAC 00:0e:81:10:17:d1
IP 192.168.0.40MAC 00:0e:81:10:19:FC
AttackerIP 192.168.0.1
MAC 00:1f:42:12:04:72
switch
MAC addressIP address
00:0e:81:10:19:FC192.168.0.40
192.168.0.1 00:1f:42:12:04:72
MAC addressIP address
00:0e:81:10:17:d1192.168.0.20
192.168.0.1 00:1f:42:12:04:72
24
After ARP spoofing
IP 192.168.0.20MAC 00:0e:81:10:17:d1
IP 192.168.0.40MAC 00:0e:81:10:19:FC
AttackerIP 192.168.0.1
MAC 00:1f:42:12:04:72
switch
MAC addressIP address
192.168.0.40
192.168.0.1 00:1f:42:12:04:72
MAC addressIP address
192.168.0.20
192.168.0.1 00:1f:42:12:04:72
(2) Gratuitious ARP192.168.0.20 is at00:1f:42:12:04:72
(2) Gratuitious ARP192.168.0.20 is at00:1f:42:12:04:72
(1) Gratuitious ARP192.168.0.40 is at00:1f:42:12:04:72
(1) Gratuitious ARP192.168.0.40 is at00:1f:42:12:04:72
00:1f:42:12:04:72
00:1f:42:12:04:72
25
Effect of ARP spoofing
IP 192.168.0.20MAC 00:0e:81:10:17:d1
IP 192.168.0.40MAC 00:0e:81:10:19:FC
AttackerIP 192.168.0.1
MAC 00:1f:42:12:04:72
switch
MAC addressIP address
192.168.0.40
192.168.0.1 00:1f:42:12:04:72
MAC addressIP address
192.168.0.20
192.168.0.1 00:1f:42:12:04:72
IP datagramDest: 192.168.0.40
MAC: 00:1f:42:12:04:72
IP datagramDest: 192.168.0.40
MAC: 00:1f:42:12:04:72
00:1f:42:12:04:72
00:1f:42:12:04:72
MAC addressIP address
Attacker’s relay index
00:0e:81:10:19:FC192.168.0.40
192.168.0.20 00:0e:81:10:17:d1
26
Effect of ARP spoofing
• Attacker keeps a relay index: a table containing the true association between MAC addresses and IP addresses.
• But the two devices at 192.168.0.20 and 192.18.0.40 update their ARP caches with false information.
• All traffic for 192.168.0.20 and 192.168.0.40 gets sent to attacker by layer 2 protocol (Ethernet).
• Attacker can re-route this traffic to the correct devices using his relay index and layer 2 protocol.
• So these devices (and the switch) are oblivious to the attack.
27
Switch Vulnerability
• MAC Flooding– Malicious device connected to switch.– Sends multiple gratuitous ARPs.– Each ARP claims a different MAC address.– When index fills, some switches revert to hub behaviour: all
data broadcast.
switch
00:0e:81:10:19:FC
MAC address
4 00:0e:81:32:96:af
Device
1
4 00:0e:81:32:96:b1
… …
4 00:0e:81:32:97:a4
1
2
4
9999
4
4 00:0e:81:32:96:b03 4
28
Safeguards
• Physically secure the switch.– Prevents threat of illegitimate use.
• Switches should failsafe when flooded.– New threat: Denial of Service.
• Arpwatch: monitors MAC to IP address mappings.
• Switch port locking of MAC addresses:– Prevents ARP spoofing,– But reduces flexibility (adding new host requires
reconfiguration of switch).
29
2.3 Routers and Layer 3 Issues
• Routers support indirect delivery of IP datagrams.
• Employing routing tables.– Information about possible destinations and how
to reach them.
• Three possible actions for a datagram:– Sent directly to destination host.– Sent to next router on way to known destination.– Sent to default router.
• Routers operate at Layer 3.
30
Routers in OSI Protocol Stack
1 Physical
2 DataLink
3 Network
4 Transport
5 Session
6 Presentation
7 Application
Cabling,Hubs
Switches
Routers
31
More on IP Addressing
• IP addresses logically split into two parts.
• First part identifies network.
• Second part identifies host on that network.
• Example: the IP address 192.168.0.20:– 192.168.0.x identifies network.– y.y.y.20 identifies host on network.– We have a network with up to 256 (in fact 254) hosts (.0
and .255 are reserved).– The network mask 255.255.255.0 identifies the size of the
network and the addresses of all hosts that are locally reachable.
– This mask can be fetched from network’s default router using ICMP Address Mask Request message.
32
InternetInternetRouters
switch
Router
switch
Router
192.168.1.10192.168.1.11192.168.0.40 62.49.147.170
62.49.147.169IP address 192.168.0.20
Network mask 255.255.255.0Default router 192.168.0.254
192.168.0.254 192.168.1.254
33
InternetInternetRouters
switch
Router
switch
Router
192.168.1.10
192.168.1.11192.168.0.40192.168.0.254
62.49.147.170
62.49.147.169
IP datagramDest: 192.168.0.40
IP datagramDest: 192.168.0.40
IP address 192.168.0.20
Network mask 255.255.255.0Default router 192.168.0.254
192.168.1.254
34
InternetInternetRouters
switch
Router
switch
Router
192.168.1.10
192.168.1.11192.168.0.40192.168.0.254
62.49.147.170
62.49.147.169
IP datagramDest: 192.168.1.11
IP datagramDest: 192.168.1.11
IP address 192.168.0.20
Network mask 255.255.255.0Default router 192.168.0.254
192.168.1.254
35
InternetInternetRouters
switch
Router
switch
Router
192.168.1.10
192.168.1.11192.168.0.40192.168.0.254
62.49.147.170
62.49.147.169
IP datagramDest: 134.219.200.69
IP datagramDest: 134.219.200.69
IP address 192.168.0.20
Network mask 255.255.255.0Default router 192.168.0.254
192.168.1.254
36
Protocol Layering and Routing (TCP/IP)
Application Layer
Transport Layer
Internet Layer
Network Interface
Physical Network
Application Layer
Transport Layer
Internet Layer
Network Interface
HTTP Message
TCP Packet
EthernetFrame
EthernetFrame
IP Datagram IP Datagram
Internet Layer
Network Interface
Physical Network
Host BHost A
Router
37
Private Addressing
• Set of addresses have been reserved for use on private networks (IETF RFC 1918):– 10.0.0.0 to 10.255.255.255 (1 network, 224 hosts),– 172.16.0.0 to 172.31.255.255 (16 networks, 216 hosts each),– 192.168.0.0 to 192.168.255.255 (256 networks, 28 hosts
each).
• Packets with src/dest addresses in these ranges will never be routed outside private network.– Helps to solve problem of shortage of IP addresses.– Security?
• Previous example: router has external IP address 62.49.147.170 and two internal addresses: 192.168.0.254 and 192.168.1.254: – It acts as default router for two small private networks.
38
Some Layer 3 Security Issues – 1
• IP spoofing: IP addresses are not authenticated, so dangerous to base security on raw IP addresses alone.– An attacker can place any IP address in the source
address of an IP datagram.– An attacker can replay IP datagrams.– Masquerade and integrity violation threats.
• Users have few guarantees about route taken by their data.– Information leakage threat.
39
Some Layer 3 Security Issues – 2
• Security of routing updates.– Attacker may be able to corrupt routing tables on
routers by sending false updates.– Denial of Service threat.
• What security is applied to protect remote administration of routers? – Attacker may be able to reconfigure or take control
of remote router and change its behaviour.– Eg advertise attractive routes to other routers and so
bring interesting traffic its way.
40
2.4 TCP, ICMP and Layer 4 issues
• Each TCP connection begins with three packets:– A SYN packet from sender to receiver.
• “Can we talk?”
– An SYN/ACK packet from receiver to sender.• “Fine – ready to start?”
– An ACK packet from sender to receiver.• “OK, start”
• The packet type is indicated by a flag in the packet header.
41
TCP Handshaking
TCP PacketSYN flag
TCP PacketSYN flag
IP datagramSrc: 192.168.0.20
Dest: 192.168.0.40
IP datagramSrc: 192.168.0.20
Dest: 192.168.0.40
TCP PacketSYN & ACK flag
TCP PacketSYN & ACK flag
IP datagramSrc: 192.168.0.40
Dest: 192.168.0.20
IP datagramSrc: 192.168.0.40
Dest: 192.168.0.20
TCP PacketACK flag
TCP PacketACK flag
IP datagramSrc: 192.168.0.20
Dest: 192.168.0.40
IP datagramSrc: 192.168.0.20
Dest: 192.168.0.40
192.168.0.20 192.168.0.40
“Can we talk?”
“Fine, ready to start?”
“OK, start”
42
Tracking TCP handshakes
• The destination host has to track which machines it has sent a “SYN+ACK” to
• Keeps a list of TCP SYN packets that have had a SYN+ACK returned.
• When ACK is received, packet removed from list as connection is open.
43
TCP Denial Of Service
• What if the sender doesn’t answer with an ACK?– A SYN packet from sender to receiver.
• “Can we talk?”
– An SYN/ACK packet from receiver to sender.• “Fine – ready to start?”
– ………………..nothing…………..……
• If the sender sends 100 SYN packets per second– Eventually receiver runs out of memory to track
the SYN+ACK replies.– SYN flooding.
44
TCP Denial Of Service + IP Spoofing
• A host can place any IP address in the source address of an IP datagram.
• Disadvantage: Any reply packet will return to the wrong place.
• Advantage (to an attacker): No-one knows who sent the packet.
• If the attacker sends 100 SYN packets per second with spoofed source addresses….
45
TCP Denial of Service
TCP PacketSYN flag
TCP PacketSYN flag
IP datagramSrc: 62.49.10.1
Dest: 192.168.0.40
IP datagramSrc: 62.49.10.1
Dest: 192.168.0.40
TCP PacketSYN & ACK flag
TCP PacketSYN & ACK flag
IP datagramSrc: 192.168.0.40Dest: 62.49.10.1
IP datagramSrc: 192.168.0.40Dest: 62.49.10.1
192.168.0.20192.168.0.40
“Can we talk?”
“Fine, ready to sta
rt?”
TCP PacketSYN flag
TCP PacketSYN flag
IP datagramSrc: 62.49.10.1
Dest: 192.168.0.40
IP datagramSrc: 62.49.10.1
Dest: 192.168.0.40
TCP PacketSYN flag
TCP PacketSYN flag
IP datagramSrc: 62.49.10.1
Dest: 192.168.0.40
IP datagramSrc: 62.49.10.1
Dest: 192.168.0.40
TCP PacketSYN flag
TCP PacketSYN flag
IP datagramSrc: 62.49.10.1
Dest: 192.168.0.40
IP datagramSrc: 62.49.10.1
Dest: 192.168.0.40
TCP PacketSYN & ACK flag
TCP PacketSYN & ACK flag
IP datagramSrc: 192.168.0.40Dest: 62.49.10.1
IP datagramSrc: 192.168.0.40Dest: 62.49.10.1
TCP PacketSYN & ACK flag
TCP PacketSYN & ACK flag
IP datagramSrc: 192.168.0.40Dest: 62.49.10.1
IP datagramSrc: 192.168.0.40Dest: 62.49.10.1
TCP PacketSYN & ACK flag
TCP PacketSYN & ACK flag
IP datagramSrc: 192.168.0.40Dest: 62.49.10.1
IP datagramSrc: 192.168.0.40Dest: 62.49.10.1
… the destination host will soon be unable to accept new connections from legitimate senders.
46
TCP/IP Ports
• Many processes on a single machine may be waiting for network traffic.
• When a packet arrives, how does the transport layer know which process it is for?
• The port allows the transport layer to deliver the packet to the application layer.
• TCP packets have source and destination ports.– Source port is used by receiver as destination of
replies.
47
Port Assignments
• Well known ports from 0 to 1023– http=port 80– smtp=port 25– syslog=port 514– telnet=23– ssh=22– ftp=21 + more…
• Registered ports from 1024 to 49151
• Dynamic or private ports from 49152 to 65535
48
Port Multiplexing
putty
Transport Layer
Internet Layer
Network Layer
Physical Network
telnet
Transport Layer
Internet Layer
Network Layer
Message
Packet
Datagram
Frame
Host A Host B
ienet
scape apache
Port 80Port 23Port 2077
Port 2076 Port 2078
49
Ports in Action
switch
HTTP messageGET index.html
www.localserver.org
HTTP messageGET index.html
www.localserver.org
TCP PacketSrc Port: 2076Dest Port: 80
TCP PacketSrc Port: 2076Dest Port: 80
IP datagramSrc: 192.168.0.20
Dest: 192.168.0.40
IP datagramSrc: 192.168.0.20
Dest: 192.168.0.40
HTTP messageContents of index.html
HTTP messageContents of index.html
TCP PacketSrc Port: 80
Dest Port: 2076
TCP PacketSrc Port: 80
Dest Port: 2076
IP datagramSrc: 192.168.0.40
Dest: 192.168.0.20
IP datagramSrc: 192.168.0.40
Dest: 192.168.0.20
192.168.0.20 192.168.0.40
TELNET messageTELNET message
TCP PacketSrc Port: 2077Dest Port: 23
TCP PacketSrc Port: 2077Dest Port: 23
IP datagramSrc: 192.168.0.20
Dest: 192.168.0.40
IP datagramSrc: 192.168.0.20
Dest: 192.168.0.40
TELNET messageTELNET message
TCP PacketSrc Port: 23
Dest Port: 2077
TCP PacketSrc Port: 23
Dest Port: 2077
IP datagramSrc: 192.168.0.40
Dest: 192.168.0.20
IP datagramSrc: 192.168.0.40
Dest: 192.168.0.20
50
Broadcast Addressing
• Broadcast IP addresses: – Any packet with destination IP address ending .255
in a network with network mask 255.255.255.0 gets sent to all hosts on that network.
– Similarly for other sizes of networks.– A handy feature for network management, fault
diagnosis and some applications. – Security?
51
ICMP
• ICMP = Internet Control Message Protocol.
• Layer 4 protocol (like TCP) carried over IP, mandatory part of IP implementations.
• Carries IP error and control messages.
• ICMP Echo Request: test route to a particular host.
• Live host should reply with ICMP Echo Reply packet.
192.168.0.40192.168.0.20
ICMP PacketEcho
ICMP PacketEcho
IP datagramSrc: 192.168.0.20
Dest: 192.168.0.40
IP datagramSrc: 192.168.0.20
Dest: 192.168.0.40
ICMP PacketEcho Reply
ICMP PacketEcho Reply
IP datagramSrc: 192.168.0.40
Dest: 192.168.0.20
IP datagramSrc: 192.168.0.40
Dest: 192.168.0.20
52
ICMP ‘SMURF’ Denial of Service
192.168.0.20
ICMP PacketEcho Request
ICMP PacketEcho Request
IP datagramSrc: 192.168.1.30
Dest: 192.168.0.255
IP datagramSrc: 192.168.1.30
Dest: 192.168.0.255
ICMP PacketEcho Reply
ICMP PacketEcho Reply
IP datagramSrc: 192.168.0.1
Dest: 192.168.1.30
IP datagramSrc: 192.168.0.1
Dest: 192.168.1.30
Attacker
Victim
192.168.1.30
.
.
.
192.168.0.1
192.168.0.254
192.168.0.3
192.168.0.2
ICMP PacketEcho Reply
ICMP PacketEcho Reply
IP datagramSrc: 192.168.0.2
Dest: 192.168.1.30
IP datagramSrc: 192.168.0.2
Dest: 192.168.1.30
ICMP PacketEcho Reply
ICMP PacketEcho Reply
IP datagramSrc: 192.168.0.3
Dest: 192.168.1.30
IP datagramSrc: 192.168.0.3
Dest: 192.168.1.30
ICMP PacketEcho Reply
ICMP PacketEcho Reply
IP datagramSrc: 192.168.0.254Dest: 192.168.1.30
IP datagramSrc: 192.168.0.254Dest: 192.168.1.30
53
Safeguards
• TCP Denial of Service is hard to defend against.
• Even more virulent: Distributed Denial of Service (DDoS).– attacker launches from many hosts simultaneously.
• Aggressively age incomplete TCP connections?
• Use firewall/IDS to detect attack in progress.
• Use relationship with IP service provider to investigate and shut down DoS traffic.
• SMURF: drop most external ICMP traffic at boundary firewall.– There are other good reasons to do this: ICMP can be used as
tool by hacker to investigate your network…
54
2.5 Network Sniffers
• Network Interface Cards (NICs) normally operate in non-promiscuous mode.– Only listen for frames with their MAC address.
• A sniffer changes a NIC into promiscuous mode.– Reads frames regardless of MAC address.
• Many different sniffers:– tcpdump– ethereal– Snort
55
Ethereal
56
Sniffing Legitimately
• Do they have legitimate uses?– Yes … when used in an authorised and controlled
manner.– Network analyzers or protocol analyzers.– With complex networks, they are used for fault
investigation and performance measurement.– Useful when understanding how a COTS product
uses the network.
57
Detecting Sniffers
• Very difficult, but sometimes possible.– Tough to check remotely whether a device is
sniffing. Approaches include:• Sending large volumes of data, then sending ICMP ping
requests.• Sending data to unused IP addresses and watching for
DNS requests for those IP addresses.• Exploiting operating system quirks.
– AntiSniff, Security Software Technologies.
58
Sniffer Safeguards
• Preventing attacks or limiting their effects.– Basically a matter of network and system design
security.– Examples of safeguards are:
• Use of non-promiscuous interfaces.• Encryption of network traffic.• One-time passwords e.g. SecurID, skey.• Lock MAC addresses to switch ports – not effective.
59
IC3 - Network Security
Lecture 2, Part 2
Network Types
60
CINS/F1-01
Objectives of Lecture
• Examine the major different types of networks, in increasing order of size and complexity: LANs, MANs, WANs, Internet.
• Understand additional security threats for each network type.
• Look at some possible safeguards for each network type.
61
Contents
2.6 LANs
2.7 Networks at the building level
2.8 MANs
2.9 WANs
2.10 The Internet
62
2.6 Local Area Networks
• Local Area Networks (LANs) used within limited areas (e.g. buildings/campuses) as opposed to WANs (Wide Area Networks).
• Workgroup LAN: ‘An identifiable grouping of computer and networking resources which may be treated as a single entity.’
• The basic building block of larger networks.– Large networks typically consist of interconnected
workgroup LANs.
• Security of workgroup LAN an essential component of the overall network security in an organisation.
63
IEEE 802
• The IEEE 802 standards have come to dominate LANs. They specify protocols for use at layers 1 and 2.
• ISO/IEC 8802-n = IEEE 802.n
• IEEE 802.2 = Layer 2 (most of).
• IEEE 802.3, 802.4 and 802.5 are three options for Layer 1 (and a bit of Layer 2).
• IEEE 802.3 = Ethernet.
64
LAN Threats
• We have already seen several threats pertinent to LANs in Lecture 2.1:– Deficiencies of Thin Ethernet and Hubs: broadcast
data.– Layer 1 threats: who has access to cabling,
broadcast wireless signals?– Layer 2 threats: ARP spoofing, MAC flooding of
switches.– Layer 3: IP spoofing.– Layer 4 threats: TCP flooding, ICMP SMURF.– Who can insert a sniffing device? Are hubs/switches
in locked cabinets?
65
2.7 Networks at the building level
• New threats to:– Backbone which connects multiple workgroup LANs,– Interconnections between the LAN and the
backbone,– Control of information flow within a larger network,– Network Management itself.
66
Backbone
HumanResources
Finance
Sales
Development
Backbone: typically routed via risers or under floors.
67
Network Backbone Threats – 1
Overview of threats:
• Backbone carries all inter-LAN traffic.
• Confidentiality:– All data could be eavesdropped.
• Integrity:– Any errors could affect all the network traffic.
• Availability:– Loss of backbone means that workgroups would be
unable to communicate with each other.
68
Network Backbone Threats – 2
• Overview of Threats– Point of interconnection between workgroup and
backbone is a sensitive area– From security viewpoint it:
• Provides a point of access to the backbone• Provides a point of access to all the data associated with a
workgroup• Damage at this point could affect both the workgroup and
the backbone
69
LAN Safeguards – 1
• Partitioning– With a building network there will be different types
of information being processed.– Some types of data will require extra protection, e.g.
• Finance• Personnel / Human Resources• Internal Audit• Divisional heads
– Two situations where extra controls are needed• Physically separated group or team• Widely distributed group of staff
70
LAN Safeguards – 2
• Partitioning– Network configured so
that:• Group workstations
cabled to their own switch.
• Switches programmed to restrict data flow onto the backbone.
– Add a Firewall• Control all traffic to and
from hosts behind firewall.
Firewall
Switch
Switch
71
LAN Safeguards 3 – VLANs
• VLAN is a virtual LAN.
• Switch is configured to divide up devices into VLANs.
• Device on one VLAN can’t send to deviceson another VLAN – security through partitioning.
switch
72
VLANs & Routers
• How to get from one VLAN to another?– Connect them with a router.– Router can exercise control over data flow.– Only one switch needed, in place of two.
switch
router
73
Secure?
D
CLayer 3…
192.168.0.2
Network 192.168.0.0
Network 192.168.1.0
192.168.1.1
192.168.1.2
A
192.168.0.1
B
…two perfectly separated LANs
74
Secure?
switch
DC
Layer 2…
• At Layer 3, the switch is ‘invisible’.• At Layer 2, the switch becomes ‘visible’; the two LANs are actually physically connected.• Lesson: Important to examine network from layer 2 perspective as well as layer 3 when assessing security.
AB
75
LAN Safeguards – 4
• Extra controls– If workgroup users are not located in a single area,
different measures must be adopted.– In most cases, addressing is used to control traffic
flow but does not prevent traffic being read in transit.– Higher level of security can be provided by
encryption, but:• Does encryption mechanism understand the network
protocol?• What is the performance impact of encryption?• How are encryption keys generated, distributed, and
stored?• Will a workstation on the encrypted workgroup be able to
communicate with an unencrypted server?
76
2.8 MANs
• Metropolitan Area Network.
• New Environment– A network which encompasses several closely
located buildings (sometimes also called a campus network).
• Such expanded network environments bring additional security concerns:– Network exposed to outside world,– Problems of scale.
77
MAN example
Building A
Building B
Building C
78
MAN Threats
• Exposure to outside world:– Network has left the security of the building.– Small scale may rule out encryption.– New risks must be assessed:
• Private campus or network crossing public areas?• Links to business partners? What are there security
policies? Who are their staff?• Dial-up access for remote users?
– Investigate constraints on solution:• e.g. buried or elevated links.
– May need non-physical links:• e.g. laser, infra-red, microwave, wireless.
79
MAN Threats
• Problem of scale– Information flow must be controlled, and faulty
network components (in one building) must not affect other buildings, so:
• Filters / bridges / firewalls will be needed
– Network Information Centre (NIC) is required.– Specialised network management tools become
essential (manual approach no longer feasible).• Possibility for greater integration – cable management
systems, device location maps, server disk space monitoring, printer status,…
– Normally a second level backbone is used.
80
2.9 WANs
• Wide Area Network– National or international network.
81
WAN Threats
• Threats become more significant:– Sensitive data (including passwords) much more
widely transmitted.– Greater organisational distances.– Control may be more distributed.– Outsourcing of network infrastructure to 3rd parties,
sharing of infrastructure with other customers.– More staff, hence greater chance of insider attacks.– More changes, hence greater risk of change
management errors.– Greater demand for external connections increases
threat of unauthorised access by outsiders.
82
WAN Partitioning – 1
• Partitioning of networks using physical separation:– Provides good separation (!) and conceptually simple– Legacy approach - in the days when adequate logical
separation was not possible, still done in very secure networks– Sharing data is difficult and uncontrolled– Costly and inflexible
SecureNetwork
OpenNetwork
SensitiveApplications
OtherApplications
Classified,Operational,Alarms, . . .
83
WAN Partitioning – 2
• Partitioning of networks using logical separation:– Closed User Groups:
• Multiple virtual networks on one physical one,• Based on network addresses,• Managed by the Network Management Centre.
– Permanent Virtual Circuits (PVCs).– VLANs.– Protocol separation (IP,SNA, IPX).– Data confidentiality through encryption.
84
Encryption in WANs
• Encryption options and issues:– Choice of physical media– (Data) Link-level security (layer 2) – End-to-end security
• Can be provided at layers 3, 4: IPSec, SSL – Covered in more detail in Lectures 5 and 6.
• Or at layer 7 (application): SSH, secure e-mail – SSH covered in Lecture 6, secure e-mail in Lecture 9.
85
Choice of Media for WANs
• Impact of different media on confidentiality:– Fibre:
• Minimal external radiation,• Special equipment required for tapping (special-purpose
US Navy submarine!),• Normally a tap causes disruption of service.
– Satellite, radio or microwave:• Extensive external radiation,• Special (but easily available) equipment needed for
tapping,• Tapping does not disrupt services,• Carrier MIGHT provide some encryption.
86
Link Encryption
• Link encryption:– Offers data confidentiality for individual links,– Protocol independent (operates at layer 1/2),– Throughput is not normally an issue,– Moderate cost (£700-£1000 per unit).
• But link encryption for larger networks:– Is expensive,– Is a management burden,
– Does not scale well to large distributed networks,– Data may not be protected at intermediate sites, in
switches, etc.
87
Conditions of Connection (COC)
• Imposed on users of networks by service suppliers; counterpart to Service Level Agreement (SLA).
• A powerful tool for network services department when they do not have direct authority.
• Details users’ responsibilities:• Responsible for security of their end systems• Comply with COC’s standards• Control access to end-systems and equipment• Protect user-ids, passwords etc.• Become security aware• Support tests, investigations etc.
88
2.10 The Internet
• Internet evolved out of a US Government funded network (ARPANET).
• Essentially a large collection of internetworked networks.
• Developed in parallel with OSI so some conflict between standards.
• Has its own protocols at layers 3 and 4: TCP (layer 4) and IP (layer 3).
• Has pushed OSI out (de facto beats de jure).• Now 5 million+ web sites, 200 million+ users.• IETF: Internet Engineering Task Force
89
The Internet
• Internet presence and connection a prerequisite for most corporations.
• Web browsing, email, file sharing and transfer, e-commerce, b2b commerce, e-government….
• Increasingly used for business critical applications.
• Possible to replace expensive WAN link with Internet virtual private network (VPN) link.
• Threats become critical– Route taken by sensitive data not guaranteed– Availability not guaranteed
• Denial of service attacks are real risk
– Any Internet host can probe any other host – Plenty of malicious content (viruses, trojans, pornography)
90
Some Internet Safeguards
• Firewalls to filter IP traffic, Intrusion Detection Systems to detect penetrations.
• De-Militarized Zones to isolate Internet-facing machines from internal networks.
• Content filters to filter email & web traffic content.
• VPNs to protect critical data routed over public Internet.
• Non-technical safeguards: policy, conditions of use for employees, sanctions.
91
IC3 - Network Security
Lecture 2, Part 3
Network Management Security
92
CINS/F1-01
Objectives of Lecture
• Understand the need for security of network management.
• Introduce the basic operation of the Simple Network Management Protocol (SNMP).
• Evaluate the security of the different versions of SNMP.
93
Contents
2.11 Network Management
2.12 SNMP overview
2.13 SNMP security
94
2.11 Network Management
• Management of complex networks is a difficult task.
• Without network management, faults will:– Disrupt network operation,– Require substantial effort to identify,– Require a long time to repair.
• Network Management facilities combined with intelligent devices allow:– Faults to be handled / identified locally,– Alert messages to be raised and gathered centrally,– Appropriate actions to be taken.
95
Network Management Tools
• Specialised tools are available (including HP OpenView, IBM Netview, Cabletron Spectrum, Sun NetManager).
• Common characteristics:– Graphical interfaces,– Collection of network alert messages,– Ability to ‘drill down’ to examine the network and
traffic on it.
Network Management Protocols
• Network management protocols enable on-line management of computers & networks.
• They support:– configuration management,– accounting,– event logging,– help with problem diagnosis.
• They are application layer protocols used for communications by network management systems.
Management Security
• But network management itself needs to be secured!
• Two aspects to network management security (as defined in ISO 7498-2):– management of security:
• support provided by network management protocols for provision of security services.
– security of management:• means for protecting network management
communications.
2.12 SNMP Overview
• The Simple Network Management Protocol (SNMP) is part of the Internet network management system.– Version 1 (1990/91) is specified in RFCs 1155-1157,
and 1212/1213.– Version 2 (1993), with some security features, is
specified in RFCs 1441-1448.– Version 3 (1999), with more complete security
features in RFCs 2570-2576
• All RFCs available at www.ietf.org.
99
SNMP V1 Architecture
UDP
Physical Network
Manager
IP
SNMP
Network
Central MIB
UDP
Agent
IP
SNMP
Network
Agent MIB
Architectural Model
• Model based on – a network management station (a host system
running SNMP, with management s/ware) – many network elements (hosts, routers, gateways,
servers).
• Management agent at a network device implements SNMP– provides access to the Management Information
Base (MIB).
101
SNMP Management
Management Station
NetworkElements
102
Connectionless Protocol
• Because V1 uses UDP, SNMP is a connectionless protocol – No guarantee that the management traffic is
received at the other entity – Advantages :
• reduced overhead • protocol simplicity
– Drawbacks : • connection-oriented operations must be built into upper-
layer applications, if reliability and accountability are needed
• V2 & V3 can use TCP.
103
SNMP Operations
• SNMP provides three simple operations : – GET : Enables the management station to retrieve
object values from a managed station;– SET : Enables the management station to set object
values in a managed station;– TRAP : Enables a managed station to notify the
management station of significant events.
• SNMP allows multiple accesses with a single operation.
104
SNMP Protocol Data Units
• Get Request : Used to obtain object values from an agent.
• Get-Next Request : Similar to the Get Request, except it permits the retrieving of the next object instance (in lexicographical order) in the MIB tree.
• Set Request : Used to change object values at an agent.
• Response : Responds to the Get Request, Get-Next Request and Set Request PDUs.
• Trap : Enables an agent to report an event to the management station (no response from the manager entity).
105
SNMP Port Numbers
• The UDP port numbers used for SNMP are : 161 (Requests) and 162 (Traps).
• Manager behaviour : – listens for agent traps on local port 162;– sends requests to port 161 of remote agent.
• Agent behaviour : – listens for manager requests on local port 161; – sends traps to port 162 of remote manager.
106
SNMP Messages
SNMP messageGET-REQUEST
SNMP messageGET-REQUEST
UDP datagramSrc Port: 3042Dest Port: 161
UDP datagramSrc Port: 3042Dest Port: 161
IP datagramSrc: 192.168.0.20
Dest: 192.168.0.254
IP datagramSrc: 192.168.0.20
Dest: 192.168.0.254
192.168.0.20192.168.0.254
192.168.1.254
192.168.2.254
192.168.254.254
SNMP messageGET-REQUEST reply
SNMP messageGET-REQUEST reply
UDP datagramSrc Port: 161
Dest Port: 3042
UDP datagramSrc Port: 161
Dest Port: 3042
IP datagramSrc: 192.168.0.254Dest: 192.168.0.20
IP datagramSrc: 192.168.0.254Dest: 192.168.0.20
107
SNMP Message Format
• All SNMPv1 PDUs are built in the same way :
• Community:– Local concept, defined at each device.– SNMP community = set of SNMP managers allowed
access to a particular device.– Each community is defined using a unique (within
the device) name, the community name.
• Each manager must specify a community in all get and set operations.
Version Community SNMP PDU
108
Trap Examples
• Cisco router traps– authentication
• device is the addressee of an SNMP protocol message that is not properly authenticated. (SNMPv1 - incorrect community string)
– linkup• device recognizes that one of the communication links
represented in the agent's configuration has come up.
– linkdown• device recognizes a failure in one of the communication links
represented in the agent's configuration.
– coldstart• device is reinitializing itself so that the configuration may be
altered.
– warmstart• device is reinitializing itself, but the configuration will not be
altered.
109
2.13 SNMP Security
• SNMPv1 provides only trivial security mechanisms, based on: – Authentication Mechanism – Access mode Mechanism
110
Authentication Mechanism
• Authentication Service: assure the destination that the SNMP message comes from the source from which it claims to be.
• Based on community name, included in every SNMP message from a management station to a device.
• This name functions as a password : the message is assumed to be authentic if the sender knows the password.
• No encryption of the community name.
111
SNMPv1 Key Vulnerability
• If an attacker can view the community string– They can masquerade as a member of the
community by including the community string in SNMP messages.
– The attacker may be able to manage any agent that shares that community string.
112
Access Mode Mechanism
• Based on community profiles.
• A community profile consists of the combination of : – a defined subset of MIB objects (MIB view),– an access mode for those objects (READ-ONLY or
READ-WRITE).
• A community profile is associated to each community defined by an agent.
Security Threats
• Two primary threats:– data modification - to an SNMP message,– masquerade - impersonator might send false SNMP
messages.
• Two secondary threats:– message stream modification - reordering, replay
and/or delay of SNMP messages,– eavesdropping - on SNMP messages.
Security Services
• Later versions of SNMP have identified security services required to meet threats:– data origin authentication,– data integrity,– message sequence integrity,– data confidentiality,– message timeliness & limited replay protection.
115
SNMPv3 User-Based Security Model
• A User, identified by UserName holds:– Secret keys– Other security information such as cryptographic
algorithms to be used.
• SNMPv3 entities are identified by snmpEngineID.– Each managed device or management station has
an snmpEngineID
116
Authoritative SNMP Entities
• Whenever a message is sent, one entity is authoritative.– For get or set, receiver is authoritative.– For trap, response or report, sender is authoritative.
• Authoritative entity has:– Localised keys– Timeliness indicators
117
Timeliness Indicators
• Prevent replay of messages.
• Each authoritative entity maintains a clock.
• A non-authoritative entity has to retrieve the time from the authoritative entity, confirm the received value, then maintain a synchronised clock.
• Messages can arrive within 150 seconds of their generated time.
118
Keys
• Keys generated from user password.
• User provides password to all entities.
• Each entity generates a key from the password and generates two further keys using the entity’s snmpEngineID.– One for data integrity/authentication– One for confidentiality
119
Data Integrity and Authenticity
• Generate a MAC (cryptographic “fingerprint”) of any message to be protected.
• Use HMAC algorithm with keys derived from localized user key K1.
• Send the “fingerprint” with the message.
• Recipient with same key can check fingerprint and be assured of integrity and authenticity of SNMP message.
120
Data Confidentiality
• DES in Cipher Block Chaining mode.
• Second localised key.
• Has to be used together with Data Integrity and Authenticity.
Management of SNMP security
• Following data needs to be managed:– secret (authentication and privacy) keys,– clock synchronisation (for replay detection),– SNMP party information.
• SNMP can be used to provide key management and clock synchronisation.
• After manually setting up some SNMP parties, rest can be managed using SNMP.