Lec21 22

Security - Systems Design Considerations

Transcript of Lec21 22

Page 1: Lec21 22

Security - Systems Design Considerations

Page 2: Lec21 22

Layer 2 Design

L2 Control protocols - 802.1Q, STP and ARP

802.1Q

for Ethernet switches to exchange VLAN info

Primary Issues: VLAN hopping

Spanning Tree Protocol

for L2 loop avoidance

Primary Issues: No authentication on bridge PDUs

Attacks: Cause link failure; pretend to be root of tree.

Defense: Control participation in STP (switch level)

Page 3: Lec21 22

Layer 2 Design

ARP

for IP -> MAC mapping

Primary Issues: gratuitous ARP (gARP) messages used for high availability

Defense: VLANs, static ARP entries

DHCP

for IP allocation

Issues: MAC spoofing, rogue DHCP server

Defense: allow/deny specific switch ports to respond to DHCP requests

Page 4: Lec21 22

Layer 2 Design

Wireless Networks – Medium Access

Boundary is diffuse (not hard)

Intruders do not have to intercept wires – all messages are broadcast (in a shared medium)

Unauthenticated access modes may cause problems

Contention resolution – Fairness issues

Easy to limit / eliminate availability

Page 5: Lec21 22

IP Addressing Design

Subnetting

Administrative / Physical separation

Primary Issues: Access Control

Defense: VLANs, Layer 3 ACLs (Access Control Lists)

Page 6: Lec21 22

Ingress / Egress Filtering

Private (internal) address traffic is not seen outside.

Incoming traffic should carry only outside-world source addresses.

Filtering at the edge or close to the edge - not necessarily only at the firewall.

Page 7: Lec21 22

NAT

Private addresses translated to public addresses

Incoming traffic - reverse translation

Modes: static, 1-1, many-1

Avoid relying on NAT (many-1) as a security mechanism

Page 8: Lec21 22

ICMP Design Issues

ping messages

essential for administration - turning ICMP off is not a solution except in specific cases.

Primary issue - Echo request/reply messages - variable length data field

ping-of-death attacks, DoS attacks, buffer overflows

covert channels (w/ software on host)

Solutions: “Explicitly permit - implicitly deny”

Permit ICMP echo request/reply messages only with networks where they are necessary and for required users

Deny all other echo messages

Page 9: Lec21 22

ICMP - Design Issues

Other required ICMP messages

(some types of) Destination Unreachable messages

Time Exceeded (TTL expired) messages needed by traceroute

ICMP filtering

ACLs for permitting specific messages (seen above) and for denying all others
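Putting the ingress/egress anti-spoofing rules (Page 6) and the "explicitly permit - implicitly deny" ICMP policy (Pages 8 and 9) together as one stateless edge ACL, as an added Python example that is not from the lecture; the address blocks, the permitted ping peers and the choice of "required" unreachable codes (port unreachable, fragmentation needed) are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan for this example (not from the lecture)
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
OUR_PUBLIC = ipaddress.ip_network("203.0.113.0/24")       # our assigned public block
PING_PEERS = [ipaddress.ip_network("198.51.100.0/24")]   # "networks of necessity" for echo

# ICMP types (IANA). Which unreachable codes count as "required" is an assumed policy choice.
ECHO_REPLY, UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
UNREACHABLE_CODES_ALLOWED = {3, 4}  # port unreachable (UDP traceroute), fragmentation needed (PMTUD)

@dataclass
class Packet:
    direction: str        # "in" = arriving from the outside world, "out" = leaving our network
    src: str
    dst: str
    proto: str            # "icmp", "tcp" or "udp"
    icmp_type: int = -1
    icmp_code: int = 0

def in_any(addr, nets):
    return any(addr in n for n in nets)

def edge_filter(pkt):
    """Stateless edge ACL: anti-spoofing first, then explicit ICMP permits, then implicit deny."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.direction == "in":
        # Ingress: traffic from outside must not claim an internal address or one of ours
        if in_any(src, INTERNAL) or src in OUR_PUBLIC:
            return "deny", "ingress: spoofed internal source"
    elif src not in OUR_PUBLIC:
        # Egress: only our own public addresses may leave; private addresses are not seen outside
        return "deny", "egress: private/unknown source"
    if pkt.proto != "icmp":
        return "permit", "non-ICMP: left to other ACLs"
    # ICMP: explicitly permit, implicitly deny
    if pkt.icmp_type in (ECHO_REQUEST, ECHO_REPLY):
        peer = src if pkt.direction == "in" else ipaddress.ip_address(pkt.dst)
        if in_any(peer, PING_PEERS):
            return "permit", "echo with a permitted network"
        return "deny", "echo with a non-permitted network"
    if pkt.icmp_type == UNREACHABLE and pkt.icmp_code in UNREACHABLE_CODES_ALLOWED:
        return "permit", "required destination unreachable"
    if pkt.icmp_type == TIME_EXCEEDED:
        return "permit", "time exceeded (needed by traceroute)"
    return "deny", "implicit deny"
```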

Page 10: Lec21 22

Routing - Issues

Possible attacks:

Traffic Redirection

Traffic sent to a black-hole

Router DoS (Denial of Service) - Attack on Availability

Routing protocol DoS

Unauthorized router prefix origination

Page 11: Lec21 22

Routing - Issues

Attack methods & possible solutions:

Configuration modification of routers

Secure routers - Device Hardening

Rogue Router Introduction

Add message authentication to routing protocol

Use ACLs to block routing protocol message types from unwanted networks

Spoofing / modification of routing messages

Message authentication; TCP sequence numbers help (for TCP-based protocols);

Sending malformed or excess packets

DoS mitigation for excess packets; no easy solution for malformed packets

Page 12: Lec21 22

Router - Device Hardening

Disable Unneeded Services

no DNS lookups by the router

no echo or finger services

no bootp service (if not needed)

no source routing and directed broadcast

no ICMP redirects

Password Encryption

Authentication

Use hashed passwords

Use secure protocols (e.g. SSH) for line access

Set up usernames and access controls

Page 13: Lec21 22

Routing Protocol - Message Authentication

Passwords with routing update messages

MD5 digest authentication with secret keying

Protocol Specific:

Avoid RIP v1 - it has no authentication mechanism

OSPF (widely used for interior gateways) - supports keyed MD5

BGP (widely used for inter-domain routing) - supports keyed MD5 through a TCP option
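Keyed MD5 authentication of a routing update with a cryptographic sequence number, as an added Python example that is not lecture material; the frame layout is a simplification of OSPFv2's scheme (key id, sequence number, payload, 16-byte digest), and the key and update payload are constructed.

```python
import hashlib
import hmac
import struct

def keyed_md5(message: bytes, key: bytes) -> bytes:
    # Keyed MD5 in the style of OSPFv2 cryptographic authentication: digest over message || key.
    # MD5 is legacy; HMAC-SHA (RFC 5709 for OSPFv2) is the modern replacement in the same slot.
    return hashlib.md5(message + key).digest()

def sign_update(payload: bytes, seq: int, key_id: int, key: bytes) -> bytes:
    # Key id and cryptographic sequence number are covered by the digest, so the update can
    # neither be altered nor replayed under a stale sequence number without detection.
    header = struct.pack("!BI", key_id, seq)
    return header + payload + keyed_md5(header + payload, key)

class Verifier:
    """Receiving router: knows the shared keys and the last accepted sequence number per neighbour."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_seq = {}

    def verify(self, neighbour: str, frame: bytes):
        if len(frame) < 5 + 16:
            return False, "truncated"
        header, payload, digest = frame[:5], frame[5:-16], frame[-16:]
        key_id, seq = struct.unpack("!BI", header)
        key = self.keys.get(key_id)
        if key is None:
            return False, "unknown key id"
        if not hmac.compare_digest(keyed_md5(header + payload, key), digest):
            return False, "bad digest"        # modified, spoofed, or signed with the wrong key
        if seq <= self.last_seq.get(neighbour, -1):
            return False, "replayed"          # sequence number must strictly increase
        self.last_seq[neighbour] = seq
        return True, payload

KEYS = {1: b"constructed-shared-secret"}     # constructed key, not real router data

def demo():
    v = Verifier(KEYS)
    good = sign_update(b"prefix 10.1.0.0/16 metric 20", seq=100, key_id=1, key=KEYS[1])
    results = [v.verify("r2", good)[0]]                                   # accepted
    results.append(v.verify("r2", good)[0])                                # replay: rejected
    tampered = good[:5] + b"prefix 10.1.0.0/16 metric 99" + good[-16:]    # same length, new metric
    results.append(v.verify("r2", tampered)[0])                            # modified: rejected
    results.append(v.verify("r2", sign_update(b"x", 101, 1, b"wrong-key"))[0])  # wrong key
    return results   # [True, False, False, False]
```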

Page 14: Lec21 22

Routing - Issues

Asymmetric Routing & State-Aware Security

Asymmetric traffic - different paths for request and return; per-packet routing

Can happen at switches, over the Internet or at ISP.

Causes problems for state-aware security devices and mechanisms - Firewalls, IDS etc.

Page 15: Lec21 22

Routing - Issues

Asymmetric Routing - Solutions

Use Symmetric Routing

hard to do and impractical

Load balance per flow (rather than per packet)

cannot avoid request-return asymmetry.

Manipulate flows using NAT or routing

Use state-sharing security devices - e.g. exchange state information between firewalls

significant traffic overhead

Use stateless security features - e.g. ACLs

works only for easy situations - simple traffic categorizations

Page 16: Lec21 22

Transport Protocol - Design Issues

Denial Of Service attacks

easy to launch and cannot be completely stopped.

network flooding (consume bw) vs. transport flooding (consume host resources)

Network Flooding

Detection: through Network Intrusion Detection, routers and firewalls (i.e. their log data)

Stopping: often only through the service provider; stops good as well as bad traffic

Page 17: Lec21 22

Transport Protocol - Design Issues

Stopping Network Flooding

Basic ACL: drop all traffic destined for an IP address; configure this throughout the ISP’s network.

Black Hole Filtering: Propagate static routes to divert traffic to a black hole. Faster than basic ACL approach; much less CPU impact.

Sinkhole Routing: Traffic diverted to a specific location so that it can be studied.

Page 18: Lec21 22

Transport Protocol - Design Issues

Trace Back (DoS)

Manual ACL trace back: create an ACL with broad permits that are made more specific as more information about the attack is gained.

Backscatter trace back:

combine black hole and sinkhole routing

black hole routing results in ICMP unreachable messages sent back toward the (spoofed) source addresses

use a chunk of unallocated IP addresses for internal routing within the ISP to forward those messages to a sinkhole.

Tracebacks are useless if the attacker is spoofing a legitimately allocated address.

Page 19: Lec21 22

Transport Protocol - Design Issues

DoS Mitigation

QoS techniques -

limit traffic by type (UDP 10 Mbps, ICMP 200 Kbps etc.); use a token (bucket) system to limit traffic;

application specific filtering

(e.g. in ecommerce scenarios UDP traffic is needed)

use a distributed design

content delivery networks
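The per-type token bucket limiter behind "limit traffic by type", as an added Python example that is not from the lecture; the rates follow the slide (UDP 10 Mbps, ICMP 200 Kbps), while the burst sizes and the sample flood are constructed.

```python
class TokenBucket:
    """Token bucket policer: tokens are bytes, refilled at the configured rate up to a burst size."""

    def __init__(self, rate_bps: float, burst_bytes: int):
        self.rate = rate_bps / 8.0          # bytes per second
        self.capacity = burst_bytes
        self.tokens = float(burst_bytes)    # bucket starts full
        self.last = 0.0

    def allow(self, now: float, size: int) -> bool:
        # Refill for the time elapsed since the last packet, capped at the burst size
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False                        # out of profile: drop (or mark / re-queue)

# Per-type limits from the slide (UDP 10 Mbps, ICMP 200 Kbps); burst sizes are assumed values
LIMITS = {"udp": (10_000_000, 125_000), "icmp": (200_000, 5_000)}

class Policer:
    def __init__(self, limits):
        self.buckets = {proto: TokenBucket(rate, burst) for proto, (rate, burst) in limits.items()}
        self.dropped = {proto: 0 for proto in limits}

    def police(self, now: float, proto: str, size: int) -> bool:
        bucket = self.buckets.get(proto)
        if bucket is None:
            return True                     # types without a limit (e.g. TCP) pass this stage
        ok = bucket.allow(now, size)
        if not ok:
            self.dropped[proto] += 1
        return ok

def run(policer: Policer, packets):
    """packets: sequence of (time_s, proto, size_bytes) in arrival order. Returns (forwarded, dropped)."""
    forwarded = 0
    for t, proto, size in packets:
        if policer.police(t, proto, size):
            forwarded += 1
    return forwarded, sum(policer.dropped.values())

def demo():
    # Constructed ICMP flood: 40 x 1000-byte packets at once, then 5 more one second later
    flood = [(0.0, "icmp", 1000)] * 40 + [(1.0, "icmp", 1000)] * 5
    return run(Policer(LIMITS), flood)     # (10, 35): 5 pass from the burst, 5 after a refill
```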

Page 20: Lec21 22

Transport Protocol - Design Issues

(back to) Denial Of Service attacks

easy to launch and cannot be completely stopped.

network flooding (consume bw) vs. transport flooding (consume host resources)

Transport Flooding

TCP SYN flooding - send SYN packets (the first step of the 3-way handshake) but never respond to the server's SYN-ACK; TCP is connection oriented: half-open connections are kept for a time; connection queues overflow;

Page 21: Lec21 22

Transport Protocol - Design Issues

SYN cookies

host-specific method of mitigating SYN flooding attacks;

avoid storing state for SYN packets in the queue; use a challenge-response model for the handshake (the server's initial sequence number serves as the challenge).

TCP intercept

network-level protection for SYN floods

intercept connection requests at an intermediate node which transparently forwards TCP packets to the server; SYN packets are acknowledged as soon as possible; if the client does not respond, use a backoff protocol (e.g. PIX firewalls)
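The SYN cookie scheme from the slide above in simplified form, as an added Python example rather than lecture code; the secret, the MSS table and the 64-second tick are constructed choices. The server keeps no per-SYN state: the initial sequence number is recomputed from the connection 4-tuple when the client's ACK arrives.

```python
import hashlib
import hmac
import ipaddress
import struct

SERVER_SECRET = b"constructed-secret"   # constructed; a real host uses a random, rotated secret
MSS_TABLE = [536, 1300, 1440, 1460]     # MSS values the 2-bit field can encode (assumed table)
TICK_SECONDS = 64                       # counter granularity; the previous tick's cookies stay valid

def _mac(saddr: str, sport: int, daddr: str, dport: int, count: int) -> int:
    msg = struct.pack("!4sH4sHI", ipaddress.ip_address(saddr).packed, sport,
                      ipaddress.ip_address(daddr).packed, dport, count)
    return int.from_bytes(hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:4], "big")

def make_syn_cookie(saddr, sport, daddr, dport, client_mss: int, now: float) -> int:
    """Server ISN for the SYN-ACK. Nothing is queued: 3 bits of counter, 2 bits of MSS index,
    27 bits of keyed hash over the connection 4-tuple and the counter."""
    count = int(now // TICK_SECONDS)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return ((count & 7) << 29) | (mss_idx << 27) | (_mac(saddr, sport, daddr, dport, count) & 0x07FFFFFF)

def check_syn_cookie(saddr, sport, daddr, dport, ack: int, now: float):
    """On the client's final ACK the ISN we sent is ack-1. Recompute the hash for the current and
    previous tick; return the negotiated MSS on a match, else None (an ACK with no valid SYN)."""
    isn = (ack - 1) & 0xFFFFFFFF
    cur = int(now // TICK_SECONDS)
    for count in (cur, cur - 1):
        if (count & 7) != (isn >> 29):
            continue
        if (_mac(saddr, sport, daddr, dport, count) & 0x07FFFFFF) == (isn & 0x07FFFFFF):
            return MSS_TABLE[(isn >> 27) & 3]
    return None

def demo():
    # Constructed handshake: client 198.51.100.7:40000 -> server 203.0.113.5:443, MSS 1460
    t0 = 1_700_000_000.0
    isn = make_syn_cookie("198.51.100.7", 40000, "203.0.113.5", 443, 1460, t0)
    genuine = check_syn_cookie("198.51.100.7", 40000, "203.0.113.5", 443, isn + 1, t0 + 10)
    forged = check_syn_cookie("198.51.100.7", 40000, "203.0.113.5", 443, isn + 7, t0 + 10)
    stale = check_syn_cookie("198.51.100.7", 40000, "203.0.113.5", 443, isn + 1, t0 + 3 * TICK_SECONDS)
    return genuine, forged, stale   # (1460, None, None)
```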