Internet & Web Security
I VPR Institute for Visualization and Perception Research © Copyright 1998 Haim Levkowitz

Overview
• Encryption and authentication ...
• Communication and data-sharing applications ...
• Web security and firewalls ...

Encryption and authentication ...
• Foundations of Internet security
• Data confidentiality and integrity
• Authentication
• Example systems

Communication and data-sharing applications ...
• Mail and news
• Virtual terminal services
• File sharing
• Example systems

Web security and firewalls ...
• WWW security
• Network security issues
• SATAN
• Useful tools

Foundations of Internet security ...
• Internet security ...
• Layered protocol models ...
• Security and Layered Internet Protocols ...

Internet security ...
• Authentication ...
• Access control ...
• Integrity ...
• Confidentiality ...

Authentication ...
• Something you are (SYA)
• Something you know (SYK)
• Something you have (SYH)

Access control ...
• Who gets access to what
• Authentication, rights, privileges

Integrity ...
• Current vs. original (pure) condition of data

Confidentiality ...
• E-mail "like postcards"
• FTP, WWW

Layered protocol models ...
• Protocol message contents ...
  • Identities
    • Sender, receiver
  • Message length
  • Message data
• Layered protocols ...
• Protocol enveloping ...
• OSI reference model ...
• Internet TCP/IP model ...
• Protocol enveloping in TCP/IP ...

Layered protocols ...
• N layers
[Figure: Computer 1 and Computer 2, each drawn as a stack Layer N, Layer N – 1, ..., Layer 1]

Protocol enveloping ...
[Figure: Computer 1 and Computer 2, each drawn as a stack Layer N, Layer N – 1, ..., Layer 1]

OSI reference model ...
• Open Systems Interconnection abstract model
• Does not define: PL bindings, OS bindings, API issues, UI issues
• Defines: 7 protocol layers ...

Defines: 7 protocol layers ...
• Physical ...
• Data link ...
• Network ...
• Transport ...
• Session ...
• Presentation ...
• Application ...
[Figure: layer stack Application, Presentation, Session, Transport, Network, Data Link, Physical, with side labels "Application-related services" and "Network-related services"]

Physical ...
• Network transmission medium
  • E.g., coaxial, twisted-pair, fiber-optic
• Raw bit-stream service
  • Responsible only for writing / reading bits to / from physical medium

Data link ...
• Group bits into frames
• Goal: reliable delivery mechanism
• Error detection
  • Noise, interference
  • Collisions
• Flow control
  • Avoid unnecessary frame loss
  • Saturated buffers

Network ...
• Extend data link layer
  • From local to neighboring / distant networks
• E.g., Ethernet, Token Ring
  • Incompatible physical and link layers
  • ==> Internetworks (networks of networks)
• Topology: routers
• Two network layer services ...

Two network layer services ...
• connection-oriented (CO)
  • "reliable" / "virtual-circuit"
  • well-ordered data stream
  • guarantees against loss, misordering, duplication
• connectionless (CL)
  • "unreliable" / "datagram"
  • no guarantees

Transport ...
• higher-level tasks (not end-to-end delivery)
• multiplexing
• OSI: 5 incompatible transport protocols
  • CL, w/ CL network
  • CL, w/ CO network
  • CO, w/ CO network
  • CO, w/ CL network
• highest network-aware layer

Session ...
• how data is exchanged in a dialog
  • two-way simultaneous (full-duplex)
  • two-way alternate (half-duplex)
  • one-way (simplex)
• checkpointing
  • synch points in data stream
  • resume aborted transfer at last encountered synch point

Presentation ...
• hide differences in data representation
  • e.g., ASCII vs. EBCDIC
• generic representation w/ ISO ASN.1 spec ...

generic representation w/ ISO ASN.1 spec ...
• ASN.1 (Abstract Syntax Notation One)
• Boolean
• Integer (arb. length)
• Real (arb. length & prec.)
• Enumerated (days of week, months of year, etc.)
• Bit string (arb. length)
• Octet (byte) string (arb. length)
• Null (any undef'd value)

Application ...
• service consumer
• via APIs

Internet TCP/IP model ...
• 5 layers
  • physical, data link, network, transport, application
• session, presentation
  • by application, w/ assistance of API
• Network layer: IP ...
• Transport layer: TCP & UDP ...
• Application layer ...

Network layer: IP ...
• move data between endpoints
• if not on same host ==> routing
• IP protocol
• IP datagram (packet)

Transport layer: TCP & UDP ...
• Transmission Control Protocol (TCP)
  • connection-oriented
• User Datagram Protocol (UDP)
  • connectionless

Application layer ...
• FTP
• SMTP: Simple Mail Transfer Protocol
• NNTP: Network News
• HTTP

Protocol enveloping in TCP/IP ...
• Application data --> TCP segment --> IP datagram --> Ethernet frame
[Figure: TCP/IP protocol suite drawn as a stack: Application (FTP, SMTP, HTTP, ...), Transport (TCP, UDP), Network (IP, ICMP), Data Link (Ethernet, Token Ring, FDDI), Physical]

Security and Layered Internet Protocols ...
• Physical and link layer ...
• Security at the IP layer ...
• TCP/UDP layer ...
• Application layer ...

Physical and link layer ...
• physical transmission medium
• access control
• confidentiality

Security at the IP layer ...
• network snooping (sniffing) ...
• Message replay ...
• Message alteration ...
• Message delay and denial ...
• Authentication issues ...
• Unauthorized access ...
• Routing attacks ...

network snooping (sniffing) ...
• abuse of tools for debugging / network problems ...
• network interface into promiscuous mode ...
• solution: encrypt

abuse of tools for debugging / network problems ...
• e.g., Network General's Expert Sniffer
• etherfind (SunOS)
• tcpdump (free on Internet)
• Sniffer FAQ
  • comp.security, news.answers
  • ftp://ftp.iss.net/pub/faq/sniff
  • http://www.iss.net/iss/sniff.html

network interface into promiscuous mode ...
• report all packets to sniffer
  • display / record
  • analyze
• super user on unix / VMS
• remote also possible

Message replay ...
• snoop & record conversation between systems A & B
• play back messages from A to B
  • replay, as if A
• e.g., restore earlier password file (and account)

Message alteration ...
• modify contents
• modify checksums to cover alterations
• solution: encrypt for data integrity

Message delay and denial ...
• delay: datagrams held indefinitely
  • unauthorized control of router
  • authenticate to prevent
• denial: datagrams discarded before delivery
  • overwhelm router / other comm. end system
  • datagram overflow ==> lost

Authentication issues ...
• address masquerading ...
• address spoofing ...

Address masquerading ...
• configure network interface w/ other system's IP address
• NFS: access solely based on IP address
• one system down, another can masquerade

Address spoofing ...
• aka TCP sequence number attack
• exploits weakness of TCP
• net effect at IP layer
• How ...
• Defense ...

How ...
• Legitimate 3-way handshake A <--> B ...
• C impersonates A ...

Legitimate 3-way handshake A <--> B ...
• A --> B: SYN + ISN(A) (initial sequence number)
• A <-- B: SYN + ISN(B) + ACK(ISN(A))
• A --> B: ACK(ISN(B))
• A <--> B: application data

C impersonates A ...
• C --> B: counterfeit IP datagram SYN + ISN(C)
• A <-- B: SYN + ISN(B) + ACK(ISN(C))
  • A down; doesn't know
• C --> B: ACK(ISN(B))
  • C predicts ISN(B)
  • TCP ISN generator: 32-bit clock (w/ time)
• C --> B: rsh command

Defense ...
[Figure: screening router between the external network and the Internal network 117.25.xxx.yyy; packet S: 108.3.54.9 D: 117.25.9.1 accepted; packet S: 117.25.16.41 D: 117.25.2.7 arriving from outside blocked]
• 1. no address-based authentication
• 2. screening router
  • filter packets based on configurable rules
  • inbound attacks from outside
  • outbound attacks from inside

Unauthorized access ...
• Packet filtering
• Screening router
• Firewall
[Figure: layer stack Application, Transport (TCP, UDP), Network (IP), Data Link, Physical]

Routing attacks ...
• normally: dynamic routing
• instead: source routing (legit for tests)
  • use to bypass filter
  • or, pass through attacking location
    • alteration, delay, denial
• ICMP (Internet Control Message Protocol) redirects

TCP/UDP layer ...
• Some of the same problems as at the IP layer
• No guarantee of confidentiality
• packet filtering
• hijacking
  • modify controls through "hijacked" privileges
  • e.g., steal telnet session

Application layer ...
• Application gateways ...
• APIs ...

Application gateways ...
• firewalls at app layer
• mail (SMTP) gateway ...
• proxy ...
• server filter ...

mail (SMTP) gateway ...
• change headers of outgoing messages to hide internal topology
  • e.g., [email protected] --> [email protected]
• deliver inbound messages correctly

proxy ...
• w/ firewall
• both server (to inside client) and client (to outside server)
• block inside from direct connection to outside
• single outbound access point ==> sophisticated logging & access control

server filter ...
• host sw
• filter access to own servers
• mini firewall: guard passage into local host

APIs ...
• portability
• transparency
• modularity
• compatibility
• supportability
• longevity

Encryption and authentication ...
• Foundations of Internet security ...
• Data confidentiality and integrity ...
• Authentication
• Example systems

Data confidentiality and integrity ...
• Encryption, decryption, digital signatures ...
• Simple cryptosystem ...
• Key cryptosystems ...
• One-way hash functions
• Encryption and decryption algorithms ...

Encryption, decryption, digital signatures ...
• Encryption
  • Plaintext --> ciphertext
• Decryption
  • Plaintext <-- ciphertext
• Digital signature
  • authentication

Simple cryptosystem ...
  ABCDEFGHIJKLMNOPQRSTUVWXYZ
  DEFGHIJKLMNOPQRSTUVWXYZABC
• Caesar Cipher
  • Simple substitution cipher
• ROT-13
  • shift by half the alphabet ==> applying it twice ==> plaintext

Key cryptosystems ...
• keys and keyspace ...
• secret-key and public-key ...
• key management ...
• strength of key systems ...

keys and keyspace ...
• ROT: key is N
• Brute force: 25 values of N
• IDEA in PGP: 2^128 numeric keys
• 1 billion keys / sec ==> >10,781,000,000,000,000,000,000 years

secret-key and public-key ...

key management ...
• secret
  • agree on same / have diff
• public
  • really belong to alleged owner?
  • centralized trust
    • CAs: certification authorities
  • decentralized trust
    • trusted entity signs public key of unknown

strength of key systems ...
• key secrecy
• no back door (trap door)
• resistance to attack
  • brute force
  • analytical ...

Analytical ...
• cryptanalysts' attacks
  • ciphertext-only
  • known-plaintext
  • chosen-plaintext
  • adaptive-chosen-plaintext
  • chosen-ciphertext

Encryption and decryption algorithms ...
• DES
• IDEA
• RC2 and RC4
• Diffie-Hellman
• RSA
• Skipjack and Clipper

US cryptographic export restrictions
• 56-bit key max

Authentication ...
• Authentication techniques
• User-to-host authentication ...
• Host-to-host authentication ...
• User-to-user authentication

User-to-host authentication ...
• static passwords in cleartext
• static passwords with one-way hash
• One-time passwords
• Trusted third parties

Host-to-host authentication ...
• No authentication
• Disclosing passwords
• Digital signature and encryption

Example systems ...

Overview
• Encryption and authentication ...
• Communication and data-sharing applications ...
• Web security and firewalls ...
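The "Simple cryptosystem" and "keys and keyspace" slides, worked through in code. This is an added example, not code from the original slides: a ROT-N implementation, the 25-key exhaustive search, a known-plaintext key recovery (the attack class named on the "Analytical" slide), and the time to exhaust a 128-bit and a 56-bit keyspace at 1 billion keys per second; the 365-day year and the sample strings are this example's assumptions.

```python
"""ROT-N (Caesar) cipher and keyspace arithmetic.

Added example, not code from the original slides.  The 365-day year used
for the brute-force estimate and the sample text are assumptions.
"""
import string

ALPHABET = string.ascii_uppercase  # top row of the Simple cryptosystem slide


def rot(text: str, n: int) -> str:
    """Shift every letter n places (mod 26); non-letters pass through unchanged."""
    n %= 26
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ALPHABET if ch.isupper() else string.ascii_lowercase
            out.append(base[(base.index(ch) + n) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_encrypt(plaintext: str) -> str:
    """Caesar cipher: key N = 3, i.e. the DEFG... row under ABCD... on the slide."""
    return rot(plaintext, 3)


def caesar_decrypt(ciphertext: str) -> str:
    return rot(ciphertext, -3)


def rot13(text: str) -> str:
    """Half-alphabet shift: 13 + 13 = 26, so applying it twice returns the plaintext."""
    return rot(text, 13)


def brute_force(ciphertext: str) -> dict:
    """Exhaust the whole keyspace: 25 usable values of N (N = 0 is the identity)."""
    return {n: rot(ciphertext, -n) for n in range(1, 26)}


def recover_key(plaintext: str, ciphertext: str) -> int:
    """Known-plaintext attack: a single matching letter pair fixes N outright."""
    for p, c in zip(plaintext, ciphertext):
        if p.isascii() and p.isalpha():
            return (ALPHABET.index(c.upper()) - ALPHABET.index(p.upper())) % 26
    raise ValueError("plaintext contains no letters")


def brute_force_years(key_bits: int, keys_per_second: float = 1e9) -> float:
    """Years needed to try every key of a key_bits-bit cipher at the given rate."""
    seconds_per_year = 365 * 24 * 60 * 60  # assumption: 365-day year
    return 2 ** key_bits / keys_per_second / seconds_per_year


if __name__ == "__main__":
    c = caesar_encrypt("HELLO WORLD")
    print(c, "->", caesar_decrypt(c))
    print(rot13("Hello, World!"), "->", rot13(rot13("Hello, World!")))
    print("candidate plaintexts from exhaustive search:", len(brute_force(c)))
    print("N recovered from one known word:", recover_key("HELLO", c))
    print(f"128-bit key at 1e9 keys/s: {brute_force_years(128):.3e} years")
    print(f"56-bit key at 1e9 keys/s:  {brute_force_years(56):.2f} years")
```

The 128-bit figure lands on the order of 10^22 years, matching the slide; the same arithmetic shows why the 56-bit export ceiling on the later slide is exhaustible in a few years at that rate.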
Communication and data-sharing applications ...
• Mail and news ...
• Virtual terminal services ...
• File sharing ...
• Example systems ...

Mail and news ...
• Core application protocols ...
• sendmail ...
• Privacy Enhanced Mail (PEM) ...
• RIPEM ...
• Pretty Good Privacy (PGP) ...
• Anonymous remailers
• MIME

Core application protocols ...
• SMTP
• POP3
• IMAP4
• NNTP

sendmail ...
• DEBUG mode
• .forward files
• aliases database
• CERT advisories

Privacy Enhanced Mail (PEM) ...
• PEM message types
• Digital signatures
• Encryption
• Certificates and key management

RIPEM ...
• Generating a key pair
• Encrypting a message
• Decrypting a message
• Signing a cleartext message
• Verifying a signature

Pretty Good Privacy (PGP) ...

Virtual terminal services ...
• Virtual terminal operation
• Secure terminals
• Telnet
• BSD trusted host mechanism
• Server filters
• logdaemon

File sharing ...
• Trivial FTP (TFTP)
• FTP
• NFS

Example systems ...
• X Windows

Overview
• Encryption and authentication ...
• Communication and data-sharing applications ...
• Web security and firewalls ...

Web security and firewalls ...
• WWW security ...
• Network security issues ...
• SATAN
• Useful tools

WWW security ...
• Web model
• Browsers and servers
• NCSA httpd ...
• New directions in Web security ...

NCSA httpd ...
• Building the server
• Server configuration files
• Basic authentication
• Managing access control files
• httpd log files
• CGI programming
• CERT advisories

New directions in Web security ...
• Digest authentication
• S-HTTP
• SSL

Network security issues ...
• IP security option (IPSO)
• swIPe
• IPv4 and IPv6 security protocols
• SNMPv1 and SNMPv2
• Firewalls: Filters and Gateways

SATAN

Useful tools
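The screening router from the "Defense" slide and the packet-filtering bullets of "Unauthorized access" and "Firewalls: Filters and Gateways", worked as code. This is an added example, not code from the original slides: a first-match packet filter with the two anti-spoofing rules the slide figure shows (an inbound packet claiming an Internal 117.25.xxx.yyy source is blocked, an outbound packet with a non-internal source is blocked) and a default deny, run over constructed sample traffic that uses the figure's addresses; the rule list, the mail-gateway rule (TCP port 25 to 117.25.9.1), and the Packet fields are this example's assumptions.

```python
"""Screening-router packet filter with the Defense slide's anti-spoofing rules.

Added example, not code from the original slides.  The internal prefix
117.25.0.0/16 and the first two sample packets come from the slide figure;
the rule list, the mail-gateway rule and the Packet fields are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("117.25.0.0/16")  # "Internal 117.25.xxx.yyy"
MAIL_GATEWAY = ip_address("117.25.9.1")     # assumed SMTP gateway host


@dataclass(frozen=True)
class Packet:
    direction: str  # "inbound": arrived on the external interface; "outbound": leaving
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


def spoofed_inbound(p: Packet) -> bool:
    """Outside packet claiming an Internal source: no address-based trust."""
    return p.direction == "inbound" and ip_address(p.src) in INTERNAL_NET


def spoofed_outbound(p: Packet) -> bool:
    """Inside packet whose source is not an Internal address (attack from inside)."""
    return p.direction == "outbound" and ip_address(p.src) not in INTERNAL_NET


def inbound_mail(p: Packet) -> bool:
    return (p.direction == "inbound" and p.proto == "tcp"
            and p.dport == 25 and ip_address(p.dst) == MAIL_GATEWAY)


# Configurable rules, evaluated in order; the first match decides, otherwise "blocked".
RULES = (
    ("block inbound packet with internal source (spoof from outside)", spoofed_inbound, "blocked"),
    ("block outbound packet with non-internal source (spoof from inside)", spoofed_outbound, "blocked"),
    ("accept inbound SMTP to the mail gateway", inbound_mail, "accepted"),
    ("accept outbound traffic from inside", lambda p: p.direction == "outbound", "accepted"),
)


def filter_packet(p: Packet) -> tuple:
    """Return (verdict, rule name) for one packet."""
    for name, matches, verdict in RULES:
        if matches(p):
            return verdict, name
    return "blocked", "default deny"


# Constructed sample traffic; the first two packets are the ones drawn on the slide.
SAMPLE_PACKETS = (
    Packet("inbound", "108.3.54.9", "117.25.9.1", "tcp", 25),    # slide: accepted
    Packet("inbound", "117.25.16.41", "117.25.2.7", "tcp", 25),  # slide: blocked
    Packet("outbound", "117.25.2.7", "108.3.54.9", "tcp", 80),
    Packet("outbound", "10.0.0.5", "108.3.54.9", "tcp", 80),
    Packet("inbound", "108.3.54.9", "117.25.9.1", "tcp", 23),
)


def run_filter(packets=SAMPLE_PACKETS) -> list:
    """Apply the rules to every packet and return the verdicts in order."""
    return [filter_packet(p)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, why = filter_packet(p)
        print(f"{p.direction:8} {p.src:>13} -> {p.dst:<13} {p.proto}/{p.dport:<3} {verdict:8} ({why})")
```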