Lec21 22
Transcript of Lec21 22
Security - Systems Design Considerations

Layer 2 Design
L2 control protocols - 802.1q, STP and ARP
802.1q
  for Ethernet switches to exchange VLAN information
  Primary issues: VLAN hopping
Spanning Tree Protocol
  for L2 loop avoidance
  Primary issues: no authentication on bridge PDUs
  Attacks: cause link failure; pretend to be root of the tree
  Defense: control participation in STP (switch level)

Layer 2 Design
ARP
  for IP to MAC mapping
  Primary issues: gratuitous ARP (gARP) messages used for high availability
  Defense: VLANs, static ARP entries
DHCP
  for IP allocation
  Issues: MAC spoofing, rogue DHCP server
  Defense: allow/deny specific ports to respond to DHCP requests
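The two defenses listed for ARP and DHCP above can be expressed as a small switch-side monitor. The following is an added example, not code from the lecture: it keeps a table of static and learned IP-to-MAC bindings and flags ARP replies (gratuitous or not) that contradict it, and it flags DHCP server replies arriving on any port other than the configured trusted uplink. The frame records, port names and MAC/IP values are constructed for the demonstration.

```python
"""Added example (not from the slides): Layer 2 monitor for ARP binding
conflicts and rogue DHCP servers. Frame fields and sample traffic are
constructed for this demonstration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Frame:
    port: str            # switch port the frame arrived on (constructed label)
    src_mac: str
    kind: str            # "arp_reply" or "dhcp_offer"
    ip: str = ""         # ARP only: sender protocol address being announced
    gratuitous: bool = False


@dataclass
class L2Monitor:
    static_arp: Dict[str, str]       # IP -> MAC entries configured by the admin
    trusted_dhcp_ports: Set[str]     # only these ports may answer DHCP requests
    learned: Dict[str, str] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def inspect(self, f: Frame) -> Optional[str]:
        if f.kind == "arp_reply":
            return self._check_arp(f)
        if f.kind == "dhcp_offer":
            return self._check_dhcp(f)
        return None

    def _check_arp(self, f: Frame) -> Optional[str]:
        # A static entry always wins: any reply that contradicts it is an alert.
        expected = self.static_arp.get(f.ip)
        if expected is not None and expected != f.src_mac:
            return self._alert(f"ARP conflict with static entry: {f.ip} claimed by "
                               f"{f.src_mac}, configured {expected} (port {f.port})")
        # Otherwise learn the first binding and alert when it changes.
        seen = self.learned.get(f.ip)
        if seen is None:
            self.learned[f.ip] = f.src_mac
            return None
        if seen != f.src_mac:
            tag = "gratuitous " if f.gratuitous else ""
            return self._alert(f"{tag}ARP changed binding: {f.ip} {seen} -> "
                               f"{f.src_mac} (port {f.port})")
        return None

    def _check_dhcp(self, f: Frame) -> Optional[str]:
        if f.port not in self.trusted_dhcp_ports:
            return self._alert(f"rogue DHCP server: offer from {f.src_mac} "
                               f"on untrusted port {f.port}")
        return None

    def _alert(self, msg: str) -> str:
        self.alerts.append(msg)
        return msg


# Constructed sample traffic: two normal ARP replies, two gratuitous replies
# from a third host claiming both addresses, one legitimate DHCP offer on the
# trusted uplink and one offer from an access port.
SAMPLE = [
    Frame("Gi0/1", "aa:aa:aa:00:00:01", "arp_reply", ip="10.0.0.1"),
    Frame("Gi0/2", "bb:bb:bb:00:00:02", "arp_reply", ip="10.0.0.2"),
    Frame("Gi0/7", "cc:cc:cc:00:00:99", "arp_reply", ip="10.0.0.1", gratuitous=True),
    Frame("Gi0/7", "cc:cc:cc:00:00:99", "arp_reply", ip="10.0.0.2", gratuitous=True),
    Frame("Gi0/24", "dd:dd:dd:00:00:05", "dhcp_offer"),
    Frame("Gi0/7", "cc:cc:cc:00:00:99", "dhcp_offer"),
]


def run_monitor(frames=SAMPLE) -> List[str]:
    """Feed frames through the monitor and return the alerts it raised."""
    mon = L2Monitor(static_arp={"10.0.0.1": "aa:aa:aa:00:00:01"},
                    trusted_dhcp_ports={"Gi0/24"})
    for f in frames:
        mon.inspect(f)
    return mon.alerts


if __name__ == "__main__":
    for a in run_monitor():
        print(a)
```

Running it yields three alerts: the static-entry conflict for 10.0.0.1, the changed (learned) binding for 10.0.0.2, and the DHCP offer from the access port. The static entry catches the spoof even before any binding has been learned, which is the advantage the slides attribute to static ARP entries.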
Layer 2 Design
Wireless Networks - Medium Access
  Boundary is diffused (not hard)
  Intruders do not have to intercept wires - all messages are broadcast (in a shared medium)
  Unauthenticated access modes may cause problems
  Contention resolution - fairness issues
  Easy to limit / eliminate availability
IP Addressing Design
Subnetting
  Administrative / physical separation
  Primary issues: access control
  Defense: VLANs, Layer 3 ACLs (Access Control Lists)
Ingress / Egress Filtering
  Private address traffic is not seen outside
  Incoming traffic only from the outside world (packets arriving from outside must not carry inside addresses)
  Filter at the edge or close to the edge - not necessarily only at the firewall
NAT
  Private addresses translated to public addresses
  Incoming traffic - reverse translation
  static, 1-1, many-1
  Avoid relying on NAT (many-1) for security
ICMP Design Issues
ping messages
  essential for administration - turning them off is not a solution except in specific cases
Primary issue - echo request/reply messages carry a variable-length data field
  ping-of-death attacks, DoS attacks, buffer overflows
  covert channels (with software on the host)
Solutions: "Explicitly permit - implicitly deny"
  Permit ICMP echo request/reply messages with the networks that need them and for required users
  Deny all other echo messages
ICMP - Design Issues
Other required ICMP messages
  (some types of) Destination Unreachable messages
  TTL 0 (Time Exceeded) messages, needed by traceroute
ICMP filtering
  ACLs for permitting the specific messages seen above and for denying all others
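The ingress/egress filtering rules and the "explicitly permit - implicitly deny" ICMP policy from the slides above can be written as one edge ACL evaluator. The following is an added example, not code from the lecture: it denies inbound packets that claim an internal or private source, denies outbound packets whose source is not ours, and for ICMP permits only echo requests from a named network, echo replies, Destination Unreachable code 4 (fragmentation needed, the case path MTU discovery depends on) and Time Exceeded, denying everything else. The prefixes, the permitted ping source and the sample packets are constructed.

```python
"""Added example (not from the slides): explicit-permit / implicit-deny edge
ACL covering ingress/egress address filtering and ICMP type filtering. All
prefixes and sample packets are constructed for this demonstration."""
import ipaddress
from typing import Optional, Tuple

INTERNAL = [ipaddress.ip_network("203.0.113.0/24")]           # constructed: our public prefix
PRIVATE = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # RFC 1918 space
PING_PERMITTED_FROM = [ipaddress.ip_network("198.51.100.0/24")]  # constructed: network allowed to ping us

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11
FRAG_NEEDED = 4   # Destination Unreachable code that path MTU discovery relies on


def _in(addr, nets) -> bool:
    return any(addr in n for n in nets)


def evaluate(direction: str, src: str, dst: str, proto: str,
             icmp_type: Optional[int] = None,
             icmp_code: Optional[int] = None) -> Tuple[str, str]:
    """Return ("permit" | "deny", reason). direction is "in" (from the
    Internet toward us) or "out" (from our hosts toward the Internet)."""
    s = ipaddress.ip_address(src)
    # Ingress filtering: nothing from outside may claim an inside or private source.
    if direction == "in" and (_in(s, INTERNAL) or _in(s, PRIVATE)):
        return "deny", "ingress: spoofed internal/private source"
    # Egress filtering: only our own addresses leave; private addresses never escape.
    if direction == "out" and not _in(s, INTERNAL):
        return "deny", "egress: source address is not ours"
    if proto != "icmp":
        return "permit", "non-ICMP: left to the other rules"
    # ICMP: permit exactly what is needed, deny everything else.
    if icmp_type == ICMP_ECHO_REQUEST:
        if direction == "out":
            return "permit", "echo request from our administrators"
        if _in(s, PING_PERMITTED_FROM):
            return "permit", "echo request from permitted network"
        return "deny", "echo request from non-permitted network"
    if icmp_type == ICMP_ECHO_REPLY:
        return "permit", "echo reply"
    if icmp_type == ICMP_DEST_UNREACH and icmp_code == FRAG_NEEDED:
        return "permit", "destination unreachable / fragmentation needed (PMTUD)"
    if icmp_type == ICMP_TIME_EXCEEDED:
        return "permit", "time exceeded (traceroute)"
    return "deny", f"ICMP type {icmp_type} code {icmp_code}: implicitly denied"


if __name__ == "__main__":
    # Constructed sample packets: (direction, src, dst, proto, icmp_type, icmp_code)
    samples = [
        ("in", "10.1.2.3", "203.0.113.5", "tcp", None, None),
        ("out", "192.168.1.9", "192.0.2.1", "udp", None, None),
        ("in", "198.51.100.7", "203.0.113.5", "icmp", 8, 0),
        ("in", "192.0.2.9", "203.0.113.5", "icmp", 8, 0),
        ("in", "192.0.2.9", "203.0.113.5", "icmp", 3, 4),
        ("in", "192.0.2.9", "203.0.113.5", "icmp", 3, 1),
        ("in", "192.0.2.9", "203.0.113.5", "icmp", 11, 0),
        ("in", "192.0.2.9", "203.0.113.5", "icmp", 5, 0),
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(*pkt))
```

Note that the policy is stateless: echo replies are permitted inbound without checking that a request went out first, which is the trade-off the slides accept for ACLs. Narrowing Destination Unreachable to code 4 alone is one concrete reading of "some types of"; a site that depends on other codes adds them explicitly rather than opening the whole type.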
Routing - Issues
Possible attacks:
  Traffic redirection
  Traffic sent to a black hole
  Router DoS (Denial of Service) - attack on availability
  Routing protocol DoS
  Unauthorized router prefix origination
Routing - Issues
Attack methods and possible solutions:
  Configuration modification of routers
    Secure routers - device hardening
  Rogue router introduction
    Add message authentication to the routing protocol
    Use ACLs to block routing protocol message types from unwanted networks
  Spoofing / modifying of routing messages
    Message authentication; TCP sequence numbers help
  Sending malformed or excess packets
    DoS mitigation for excess packets; no easy solution for malformed packets
Router - Device Hardening
Disable unneeded services
  No DNS lookup for the router
  No echo or finger services
  No bootp service (if not needed)
  No source routing and no directed broadcast
  No ICMP redirects
Password encryption
Authentication
  Use hashed passwords
  Use secure protocols (e.g. SSH) for line access
  Set up usernames and access controls
Routing Protocol - Message Authentication
  Passwords with routing update messages
  MD5 digest authentication with secret keying
Protocol specific:
  Avoid RIP v1 - has no authentication mechanism
  OSPF (widely used for interior gateways) - supports keyed MD5
  BGP (widely used for cross-domain routing) - supports keyed MD5 through a TCP option
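The keyed-MD5 scheme the slides attribute to OSPF and BGP computes a digest over the routing update plus a shared secret and sends the digest with the update, so a neighbour without the secret can neither forge nor modify updates. The following is an added example, not code from the lecture and not the OSPF or BGP wire format: it signs a routing update with MD5(message || secret) and a sequence number, and the receiver rejects modified updates and replays. The key, key id, message framing and sample prefixes are constructed. (Keyed MD5 is what the slides describe; a design done today would use an HMAC over a modern hash, and the same structure applies.)

```python
"""Added example (not from the slides): keyed-MD5 authentication of routing
updates with a sequence number against replay. Framing, key and prefixes
are constructed for this demonstration; this is not the OSPF/BGP format."""
import hashlib
import hmac
import json
from typing import Dict, Tuple, Union

DIGEST_LEN = 16
KEYS: Dict[int, bytes] = {1: b"constructed-shared-secret"}  # key id -> secret (constructed)


def sign_update(update: dict, seq: int, key_id: int = 1) -> bytes:
    """Serialize the update with its sequence number and append MD5(body || key)."""
    body = json.dumps({"seq": seq, "key_id": key_id, "update": update},
                      sort_keys=True).encode()
    digest = hashlib.md5(body + KEYS[key_id]).digest()   # keyed MD5 as the slides describe
    return body + digest


class Receiver:
    """A router that accepts updates only with a valid digest and a fresh sequence number."""

    def __init__(self) -> None:
        self.last_seq: Dict[str, int] = {}   # per neighbour: highest accepted sequence

    def verify(self, neighbour: str, msg: bytes) -> Tuple[bool, Union[str, dict]]:
        body, digest = msg[:-DIGEST_LEN], msg[-DIGEST_LEN:]
        hdr = json.loads(body)
        key = KEYS.get(hdr.get("key_id"))
        if key is None:
            return False, "unknown key id"
        expected = hashlib.md5(body + key).digest()
        if not hmac.compare_digest(expected, digest):    # constant-time comparison
            return False, "bad digest: update forged or modified"
        if hdr["seq"] <= self.last_seq.get(neighbour, -1):
            return False, "replayed or stale sequence number"
        self.last_seq[neighbour] = hdr["seq"]
        return True, hdr["update"]


def tamper(msg: bytes, new_prefix: str) -> bytes:
    """Modify the prefix in transit while keeping the original digest (attacker has no key)."""
    body, digest = msg[:-DIGEST_LEN], msg[-DIGEST_LEN:]
    hdr = json.loads(body)
    hdr["update"]["prefix"] = new_prefix
    return json.dumps(hdr, sort_keys=True).encode() + digest


def demo() -> Dict[str, bool]:
    rtr = Receiver()
    # Constructed update: neighbour R2 advertises a prefix with a metric.
    msg = sign_update({"prefix": "10.20.0.0/16", "metric": 10}, seq=7)
    valid, _ = rtr.verify("R2", msg)
    modified, _ = rtr.verify("R2", tamper(msg, "0.0.0.0/0"))   # prefix rewritten in transit
    replayed, _ = rtr.verify("R2", msg)                          # same message delivered again
    return {"valid": valid, "modified": modified, "replayed": replayed}


if __name__ == "__main__":
    print(demo())
```

The tampered update fails because the digest no longer matches the body, and the replayed update fails on the sequence check even though its digest is correct. RIP v1, which the slides say to avoid, offers neither check: any host on the segment can inject an update.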
Routing - Issues
Asymmetric Routing and State-Aware Security
  Asymmetric traffic - different paths for request and return; per-packet routing
  Can happen at switches, over the Internet or at the ISP
  Causes problems for state-aware security devices and mechanisms - firewalls, IDS etc.
Routing - Issues
Asymmetric Routing - Solutions
  Use symmetric routing
    hard to do and impractical
  Load balance per flow (rather than per packet)
    cannot avoid request-return asymmetry
  Manipulate flows using NAT or routing
  Use state-sharing security devices - e.g. exchange information between firewalls
    significant traffic overhead
  Use stateless security features - e.g. ACLs
    works only for easy situations - simple traffic categorizations
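The failure mode above, and two of the listed remedies, can be shown with two stateful firewalls on different paths. The following is an added example, not code from the lecture: the request leaves through FW-A, the reply returns through FW-B, and FW-B drops it because it never saw the flow; sharing state between the two firewalls fixes that, and a stateless ACL also lets the reply through but, as the slides warn, cannot tell a reply from an unsolicited packet. Firewall names, addresses and ports are constructed.

```python
"""Added example (not from the slides): asymmetric routing seen by stateful
firewalls, with state sharing and a stateless ACL as alternatives. Names,
addresses and ports are constructed for this demonstration."""
from typing import List, Set, Tuple

# A packet is (direction, src, sport, dst, dport, flags); direction is "out" or "in".
Packet = Tuple[str, str, int, str, int, Set[str]]


class StatefulFirewall:
    def __init__(self, name: str) -> None:
        self.name = name
        self.table: Set[Tuple[str, int, str, int]] = set()   # flows seen leaving
        self.peers: List["StatefulFirewall"] = []

    def share_with(self, other: "StatefulFirewall") -> None:
        self.peers.append(other)

    def process(self, pkt: Packet) -> str:
        direction, src, sport, dst, dport, _flags = pkt
        if direction == "out":
            key = (src, sport, dst, dport)
            self.table.add(key)
            for p in self.peers:          # state sharing: tell the other firewall too
                p.table.add(key)
            return "permit"
        # Inbound: permitted only as the return half of a flow we have seen.
        key = (dst, dport, src, sport)
        return "permit" if key in self.table else "deny"


def stateless_acl(pkt: Packet) -> str:
    """Stateless rule: allow inbound TCP from port 443 when ACK is set (an 'established' style ACL)."""
    direction, _src, sport, _dst, _dport, flags = pkt
    if direction == "out":
        return "permit"
    return "permit" if "ACK" in flags and sport == 443 else "deny"


REQUEST: Packet = ("out", "10.0.0.5", 40001, "192.0.2.10", 443, {"SYN"})
REPLY: Packet = ("in", "192.0.2.10", 443, "10.0.0.5", 40001, {"SYN", "ACK"})
UNSOLICITED: Packet = ("in", "192.0.2.99", 443, "10.0.0.5", 5555, {"SYN", "ACK"})


def simulate_asymmetric(share_state: bool) -> str:
    """Request leaves via FW-A, reply returns via FW-B; return FW-B's verdict on the reply."""
    fw_a, fw_b = StatefulFirewall("FW-A"), StatefulFirewall("FW-B")
    if share_state:
        fw_a.share_with(fw_b)
        fw_b.share_with(fw_a)
    fw_a.process(REQUEST)
    return fw_b.process(REPLY)


if __name__ == "__main__":
    print("stateful, no sharing:", simulate_asymmetric(False))
    print("stateful, sharing:   ", simulate_asymmetric(True))
    print("stateless ACL, reply:", stateless_acl(REPLY))
    print("stateless ACL, unsolicited:", stateless_acl(UNSOLICITED))
```

The stateless ACL handles this simple case but also permits the unsolicited SYN-ACK, which is the "easy situations only" limitation; the state-sharing version is correct for every flow at the cost of one synchronization message per new flow, the traffic overhead the slides mention.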
Transport Protocol - Design Issues
Denial of Service attacks
  easy to launch and cannot be completely stopped
  network flooding (consumes bandwidth) vs. transport flooding (consumes host resources)
Network Flooding
  Detection: through network intrusion detection, routers and firewalls (i.e. their log data)
  Stopping: often only through the service provider; stops good as well as bad traffic
Transport Protocol - Design Issues
Stopping Network Flooding
  Basic ACL: drop all traffic destined for an IP address; configure this throughout the ISP's network
  Black Hole Filtering: propagate static routes to divert traffic to a black hole. Faster than the basic ACL approach; much less CPU impact
  Sinkhole Routing: traffic diverted to a specific location so that it can be studied
Transport Protocol - Design Issues
Trace Back (DoS)
  Manual ACL trace back: create an ACL with broad permits that are made more specific as more information about the attack is gained
  Backscatter trace back: combine black hole and sinkhole routing
    black hole routing results in ICMP unreachable messages sent back toward the (spoofed) source addresses
    use a chunk of unallocated IP addresses, routed internally within the ISP, to forward those messages to a sinkhole
    the sinkhole then shows which edge router the attack traffic is entering through
  Tracebacks are useless if the attacker is spoofing a legitimately allocated address
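The backscatter trace back described above can be simulated end to end. The following is an added example, not code from the lecture: three edge routers all hold a black-hole route for the victim and emit an ICMP unreachable toward each dropped packet's source; sources that fall in the ISP's unallocated block are routed to a sinkhole, which counts backscatter per originating router. With randomly spoofed sources the router carrying the attack stands out; with a single legitimately allocated spoofed address nothing reaches the sinkhole, which is the limitation the slides note. The router names, victim address, "unallocated" block and traffic mix are constructed.

```python
"""Added example (not from the slides): backscatter trace back via black hole
plus sinkhole routing. Router names, addresses, the unallocated block and the
traffic are constructed for this demonstration."""
import ipaddress
import random
from collections import Counter
from typing import Dict, Optional, Tuple

VICTIM = "203.0.113.10"                              # constructed victim address
UNALLOCATED = ipaddress.ip_network("240.0.0.0/4")    # constructed: block routed to the sinkhole


class Sinkhole:
    """Receives whatever is addressed into the unallocated block and tallies ICMP senders."""

    def __init__(self) -> None:
        self.backscatter: Counter = Counter()

    def deliver_if_unallocated(self, router: str, to: str) -> None:
        if ipaddress.ip_address(to) in UNALLOCATED:
            self.backscatter[router] += 1     # ICMP unreachable whose source is this edge router

    def trace(self) -> Optional[str]:
        """Edge router that produced the most backscatter, or None if nothing arrived."""
        return self.backscatter.most_common(1)[0][0] if self.backscatter else None


class EdgeRouter:
    def __init__(self, name: str, sinkhole: Sinkhole) -> None:
        self.name, self.sinkhole = name, sinkhole

    def forward(self, src: str, dst: str) -> str:
        if dst == VICTIM:
            # Black-hole route: drop and send ICMP destination unreachable back to src.
            self.sinkhole.deliver_if_unallocated(router=self.name, to=src)
            return "dropped"
        return "forwarded"


def simulate_backscatter(entry_router: str = "R2", spoof: str = "random",
                         n: int = 2000, seed: int = 7) -> Tuple[Optional[str], Dict[str, int]]:
    rng = random.Random(seed)
    sink = Sinkhole()
    routers = {name: EdgeRouter(name, sink) for name in ("R1", "R2", "R3")}
    # Constructed background: legitimate clients reach the victim through every router
    # and are also black-holed, but their backscatter goes to real addresses, not the sinkhole.
    for r in routers.values():
        for i in range(50):
            r.forward(src=f"198.51.100.{i}", dst=VICTIM)
    for _ in range(n):
        if spoof == "random":
            src = str(ipaddress.ip_address(rng.getrandbits(32)))   # random spoofed source
        else:
            src = "198.51.100.200"                                 # one legitimately allocated address
        routers[entry_router].forward(src, VICTIM)
    return sink.trace(), dict(sink.backscatter)


if __name__ == "__main__":
    print("random spoofing:", simulate_backscatter())
    print("fixed allocated source:", simulate_backscatter(spoof="fixed"))
```

Only the router named by the attack's entry point appears in the sinkhole's tally, and only because a share of the random source addresses happens to fall in the unallocated block.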
Transport Protocol - Design Issues
DoS Mitigation
  QoS techniques
    limit traffic by type (e.g. UDP 10 Mbps, ICMP 200 Kbps); use a token system to police traffic against the limit
  Application-specific filtering
    (e.g. in e-commerce scenarios UDP traffic is needed)
  Use a distributed design
    content delivery networks
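The "token system" for per-type traffic limits is a token bucket per traffic class. The following is an added example, not code from the lecture: it polices UDP at 10 Mbps and ICMP at 200 Kbps (the figures from the slide) with integer arithmetic, then runs a constructed second of traffic in which an ICMP flood is cut down to its budget while normal UDP passes untouched. The burst sizes and the packet mix are constructed.

```python
"""Added example (not from the slides): token-bucket policing of traffic by
type. Rates are the slide's figures; burst sizes and the traffic sample are
constructed for this demonstration."""
from typing import Dict, List, Tuple


class TokenBucket:
    """Integer token bucket: tokens are bits, time is in milliseconds."""

    def __init__(self, rate_bps: int, burst_bits: int) -> None:
        self.rate = rate_bps
        self.capacity = burst_bits
        self.tokens = burst_bits
        self.last_ms = 0

    def allow(self, now_ms: int, bits: int) -> bool:
        # Refill for the elapsed time, capped at the burst size.
        self.tokens = min(self.capacity, self.tokens + (now_ms - self.last_ms) * self.rate // 1000)
        self.last_ms = now_ms
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False


# Per-type limits: (rate in bits/s, burst in bits). Rates from the slide; bursts constructed.
LIMITS: Dict[str, Tuple[int, int]] = {
    "udp": (10_000_000, 100_000),
    "icmp": (200_000, 8_000),
}

# A packet is (time_ms, proto, length_bytes).
Packet = Tuple[int, str, int]


def police(packets: List[Packet]) -> Dict[str, Dict[str, int]]:
    """Run packets (sorted by time) through the per-type buckets; return pass/drop counts."""
    buckets = {proto: TokenBucket(*lim) for proto, lim in LIMITS.items()}
    stats = {proto: {"pass": 0, "drop": 0} for proto in LIMITS}
    stats["other"] = {"pass": 0, "drop": 0}
    for t_ms, proto, nbytes in sorted(packets):
        bucket = buckets.get(proto)
        if bucket is None:            # types without a limit are left to other controls
            stats["other"]["pass"] += 1
            continue
        verdict = "pass" if bucket.allow(t_ms, nbytes * 8) else "drop"
        stats[proto][verdict] += 1
    return stats


def sample_traffic() -> List[Packet]:
    """Constructed one-second mix: 5 Mbps of normal UDP, an 8 Mbps ICMP echo flood, some TCP."""
    udp = [(t, "udp", 1250) for t in range(0, 1000, 2)]     # 500 pkts x 10,000 bits = 5 Mbps
    icmp = [(t, "icmp", 1000) for t in range(0, 1000)]       # 1000 pkts x 8,000 bits = 8 Mbps
    tcp = [(t, "tcp", 1500) for t in range(0, 1000, 100)]
    return udp + icmp + tcp


if __name__ == "__main__":
    print(police(sample_traffic()))
```

With an 8,000-bit burst and 200 Kbps refill, the ICMP bucket admits one 1,000-byte packet every 40 ms, so 25 of the 1,000 flood packets pass in the simulated second; the UDP bucket refills faster than the 5 Mbps stream drains it, so every UDP packet passes. A practitioner sizes the burst to the legitimate traffic's natural burstiness, since too small a burst drops good packets long before the average rate is reached.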
Transport Protocol - Design Issues
(back to) Denial of Service attacks
  easy to launch and cannot be completely stopped
  network flooding (consumes bandwidth) vs. transport flooding (consumes host resources)
Transport Flooding
  TCP SYN flooding - send a SYN packet (the first step of the 3-way handshake) but never respond to the server's SYN-ACK
  TCP is connection oriented: half-open connections are kept for a time, so the connection queue overflows
Transport Protocol - Design Issues
SYN cookies
  host-specific method of mitigating SYN flooding attacks
  avoid storing SYN state in the queue; use a challenge-response model for the handshake (the server's initial sequence number encodes the challenge)
TCP intercept
  network-level protection against SYN floods
  intercept connection requests at an intermediate node which transparently forwards TCP packets to the server; SYN packets are acknowledged as soon as possible; if the client does not respond, use a backoff protocol (e.g. PIX firewalls)
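The SYN cookie mechanism above can be shown against a conventional backlog to make the difference concrete. The following is an added example, not code from the lecture and not any operating system's implementation: the server encodes a counter, an MSS index and a keyed 24-bit hash of the connection 4-tuple into the 32-bit initial sequence number of its SYN-ACK, stores nothing, and on the final ACK recomputes the cookie to decide whether the handshake is genuine. For contrast, a backlog-based server fills up under a flood of SYNs and refuses a legitimate client. The secret, MSS table, counter window and addresses are constructed.

```python
"""Added example (not from the slides): SYN cookies versus a conventional
SYN backlog. Secret, MSS table, counter window and addresses are constructed
for this demonstration; the bit layout is illustrative, not any OS's."""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

SECRET = b"constructed-server-secret"          # constructed per-server secret
MSS_TABLE = [536, 1220, 1440, 1460]            # constructed: MSS values encodable in 3 bits
COUNTER_WINDOW = 4                             # how many past counter values are still accepted


def _hash24(src: str, sport: int, dst: str, dport: int, counter: int) -> int:
    """Keyed 24-bit hash of the 4-tuple and counter (HMAC-SHA256 truncated)."""
    data = f"{src}:{sport}>{dst}:{dport}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, data, hashlib.sha256).digest()[:3], "big")


def make_cookie(src: str, sport: int, dst: str, dport: int, mss: int, counter: int) -> int:
    """Layout: 5 bits counter | 3 bits MSS index | 24 bits hash = 32-bit ISN."""
    idx = max(i for i, m in enumerate(MSS_TABLE) if m <= mss)   # largest table MSS the client accepts
    return ((counter & 0x1F) << 27) | (idx << 24) | _hash24(src, sport, dst, dport, counter)


def check_cookie(cookie: int, src: str, sport: int, dst: str, dport: int,
                 now_counter: int) -> Optional[int]:
    """Return the encoded MSS if the cookie is valid for this 4-tuple and recent, else None."""
    ctr_bits, idx, h = (cookie >> 27) & 0x1F, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    for age in range(COUNTER_WINDOW):
        c = now_counter - age
        if c < 0:
            break
        if (c & 0x1F) == ctr_bits and _hash24(src, sport, dst, dport, c) == h:
            return MSS_TABLE[idx] if idx < len(MSS_TABLE) else None
    return None


class SynCookieServer:
    def __init__(self, ip: str = "203.0.113.5", port: int = 443) -> None:
        self.ip, self.port, self.counter = ip, port, 0
        self.established: List[Tuple[str, int, int]] = []

    def tick(self) -> None:
        self.counter += 1                       # advanced periodically, e.g. once a minute

    def on_syn(self, src: str, sport: int, mss: int) -> Dict[str, int]:
        # Nothing is stored for the half-open connection: the ISN itself is the challenge.
        return {"seq": make_cookie(src, sport, self.ip, self.port, mss, self.counter)}

    def on_ack(self, src: str, sport: int, ack: int) -> bool:
        mss = check_cookie((ack - 1) & 0xFFFFFFFF, src, sport, self.ip, self.port, self.counter)
        if mss is None:
            return False
        self.established.append((src, sport, mss))
        return True


class BacklogServer:
    """Conventional server for contrast: every SYN occupies a backlog slot until its ACK arrives."""

    def __init__(self, backlog: int = 256) -> None:
        self.backlog, self.half_open = backlog, {}

    def on_syn(self, src: str, sport: int) -> Optional[Dict[str, str]]:
        if len(self.half_open) >= self.backlog:
            return None                         # queue overflow: the SYN is dropped
        self.half_open[(src, sport)] = True
        return {"flags": "SYN-ACK"}


def demo() -> Dict[str, object]:
    srv = SynCookieServer()
    synack = srv.on_syn("198.51.100.7", 50000, mss=1460)
    legit = srv.on_ack("198.51.100.7", 50000, synack["seq"] + 1)    # genuine client completes
    forged = srv.on_ack("198.51.100.7", 50001, 0x12345678)           # guessed ACK number
    for i in range(10000):                                           # flood costs no server state
        srv.on_syn(f"192.0.2.{i % 250}", 1024 + i, 1460)
    old = srv.on_syn("198.51.100.8", 50002, mss=1220)
    for _ in range(COUNTER_WINDOW):
        srv.tick()
    stale = srv.on_ack("198.51.100.8", 50002, old["seq"] + 1)        # answered too late
    naive = BacklogServer()
    for i in range(10000):
        naive.on_syn(f"192.0.2.{i % 250}", 1024 + i)
    refused = naive.on_syn("198.51.100.7", 50000) is None            # legitimate SYN dropped
    return {"legit": legit, "forged": forged, "stale": stale,
            "mss": srv.established[0][2], "naive_refused": refused}


if __name__ == "__main__":
    print(demo())
```

The cookie server accepts the genuine handshake and recovers the client's MSS from the three bits it had room for, rejects a guessed ACK, and rejects a cookie older than the counter window; the backlog server, after the same flood, has no room for the legitimate SYN. The price of statelessness is that TCP options other than the encoded MSS are lost for cookie-validated connections, which is why SYN cookies are normally switched on only once the backlog is under pressure.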