CSCE 522 Network Security
CSCE 522 - Farkas


  • Reading: Pfleeger and Pfleeger, Chapter 6

  • Overview of TCP/IP Layers

  • Internet Challenge

    Interconnected networks differ (protocols, interfaces, services, etc.)
    Solutions:
      Reengineer and develop one global packet-switching network standard: not economically feasible
      Have every host implement the protocols of every network it wants to communicate with: too complex, very high engineering cost
      Add an extra layer: the internetworking layer
        Hosts: one higher-level protocol
        Connecting networks use the same protocol
        Interface between the new protocol and each network

  • Layering

    Organize a network system into logically distinct entities
    The service provided by one entity is based only on the service provided by the lower-level entity

  • TCP/IP Protocol Stack

    Application Layer
    Transport Layer
    Internetwork Layer
    Network Access Layer

    Each layer interacts with the neighboring layers above and below
    Each layer can be defined independently
    The complexity of the networking is hidden from the application

  • Layering

    Advantages:
      Modularity: protocols are easier to manage and maintain
      Abstract functionality: lower layers can be changed without affecting the upper layers
      Reuse: upper layers can reuse the functionality provided by lower layers
    Disadvantages:
      Information hiding: inefficient implementations

  • ISO OSI Reference Model

    ISO: International Standard Organization
    OSI: Open System Interconnection
    Goal: a general open standard, allowing vendors to enter the market using their own implementations and protocols

  • OSI vs. TCP/IP

    OSI: conceptually defines service, interface, protocol
    Internet: provides a successful implementation

    Figure: the seven OSI layers (Application, Presentation, Session, Transport, Network, Data link, Physical) alongside the four TCP/IP layers with examples: Application (Telnet, FTP, DNS), Transport (TCP, UDP), Internet (IP), Network Access (LAN, packet radio)

  • Network Access Layer

    Responsible for packet transmission on the physical media
    Transmission between two devices that are physically connected
    The goal of the physical layer is to move information across one hop
    For example: Ethernet, token ring, Asynchronous Transfer Mode (ATM)

  • Network Layer

    Provides connectionless and unreliable service
    Routing (routers): determine the path a packet has to traverse to reach its destination
    Defines the addressing mechanism
      Identifies each destination unambiguously
      Hosts should conform to the addressing mechanism

  • IP Addresses (Network layer)

    IP provides a logical address space and a corresponding addressing scheme
    An IP address is a globally unique or private number associated with a host network interface
    Every system that will send packets directly out across the Internet must have a unique IP address
    IP addresses are based on where the hosts are connected
    IP addresses are controlled by a single organization: address ranges are assigned
    They are running out of space!

  • Routing Protocols

    Enable routing decisions to be made
    Manage and periodically update the routing tables stored at each router
    Router: which way to send the packet
    Protocol types:
      Reachability
      Distance vector

  • The Domain Name System

    Each system connected to the Internet also has one or more logical addresses
    Unlike IP addresses, domain addresses carry no routing information: they are organized based on administrative units
    There are no limitations on the mapping from domain addresses to IP addresses

  • Domain Name Resolution

    Domain name resolution: looking up a logical name and finding a physical IP address
    There is a hierarchy of domain name servers
    Each client system uses one domain name server, which in turn queries up and down the hierarchy to find the address
    If your server does not know the address, it goes up the hierarchy, possibly to the top, and works its way back down

  • Transport Layer

    Provides services to the application layer
    Services:
      Connection-oriented or connectionless transport
      Reliable or unreliable transport
      Security: new compared to the other two services; may provide authenticity, confidentiality, integrity
    The application has to choose the services it requires from the transport layer
    Limitations on combinations, e.g., connectionless and reliable transport is invalid

  • Application Layer

    Provides services for an application to send and receive data over the network, e.g., telnet (port 23), mail (port 25), finger (port 79)
    Interface to the transport layer:
      Operating system dependent
      Socket interface most popular

  • Communication Between Layers

    Figure: Host A, two routers, and Host B. The hosts run all four layers (Application, Transport, Network, Data Link); the routers run only the Network and Data Link layers. Application data becomes the transport payload, the transport segment becomes the network payload, and the network packet becomes the data link payload.
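The encapsulation shown in the slide's figure, as an added example that is not from the slides: toy fixed-size headers (constructed for this example, not the real TCP/IP formats) are prepended one per layer at Host A, the two routers touch only the link and network headers, and Host B peels the headers off again. All addresses are constructed sample values.

```python
import socket
import struct

# Toy header layouts for this example (constructed; not the real TCP/IP formats).
TRANSPORT_HDR = struct.Struct("!HH")    # source port, destination port
NETWORK_HDR = struct.Struct("!4s4sB")   # source IP, destination IP, TTL
LINK_HDR = struct.Struct("!6s6s")       # source MAC, next-hop MAC

def host_send(data, sport, dport, src_ip, dst_ip, src_mac, next_hop_mac, ttl=64):
    """Host A: each layer prepends its own header and treats whatever it
    received from the layer above as an opaque payload."""
    segment = TRANSPORT_HDR.pack(sport, dport) + data                    # transport payload = data
    packet = NETWORK_HDR.pack(socket.inet_aton(src_ip),
                              socket.inet_aton(dst_ip), ttl) + segment   # network payload = segment
    return LINK_HDR.pack(src_mac, next_hop_mac) + packet                 # link payload = packet

def router_forward(frame, router_mac, next_hop_mac):
    """A router runs only the data link and network layers: strip the incoming
    frame header, decrement the TTL, re-frame for the next hop. The transport
    segment and the application data are never inspected."""
    packet = frame[LINK_HDR.size:]
    src_ip, dst_ip, ttl = NETWORK_HDR.unpack_from(packet)
    if ttl <= 1:
        return None                                   # TTL expired: drop the packet
    packet = NETWORK_HDR.pack(src_ip, dst_ip, ttl - 1) + packet[NETWORK_HDR.size:]
    return LINK_HDR.pack(router_mac, next_hop_mac) + packet

def host_receive(frame):
    """Host B: peel one header per layer, handing the payload upward."""
    packet = frame[LINK_HDR.size:]
    src_ip, dst_ip, ttl = NETWORK_HDR.unpack_from(packet)
    segment = packet[NETWORK_HDR.size:]
    sport, dport = TRANSPORT_HDR.unpack_from(segment)
    return {"src_ip": socket.inet_ntoa(src_ip), "dst_ip": socket.inet_ntoa(dst_ip),
            "ttl": ttl, "sport": sport, "dport": dport,
            "data": segment[TRANSPORT_HDR.size:]}

def run_path(data=b"GET / HTTP/1.0\r\n\r\n"):
    """Host A -> router 1 -> router 2 -> Host B, as in the figure.
    MAC and IP addresses are constructed sample values."""
    mac_a, mac_r1, mac_r2, mac_b = (bytes([0x02, 0, 0, 0, 0, i]) for i in (1, 2, 3, 4))
    frame = host_send(data, 40000, 80, "10.0.0.1", "10.0.2.9", mac_a, mac_r1)
    frame = router_forward(frame, mac_r1, mac_r2)     # first hop
    frame = router_forward(frame, mac_r2, mac_b)      # second hop
    return host_receive(frame)                        # TTL arrives as 62

if __name__ == "__main__":
    print(run_path())
```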

  • Network Threats

  • Network Threats

    1. Reconnaissance
      Port scan: which ports and services are running, which OS is installed, applications and their versions
      Social engineering: can obtain sensitive information, up to login credentials
      Intelligence: open source vs. espionage; bulletin boards, chats, documentation, etc.

  • Threats in Transit

    Passive attacks: wiretap, traffic monitoring, packet sniffer, etc.
    Protocol flaws: RFC number used to report new vulnerabilities
    Impersonation: nonexistent authentication, guessing authentication information, well-known authentication
    Eavesdropping and wiretapping
    Spoofing and masquerading
    Session hijacking, man-in-the-middle

  • Message Confidentiality Threats

    Misdelivery: target not available, promiscuous mode
    Exposure
    Eavesdropping
    Traffic analysis

  • Message Integrity Threats

    Falsification of messages
    Noise
    Malformed packets
    Protocol failures

  • Denial of Service Threats

    Transmission failure: multiple reasons, intentional or accidental
    Connection flooding: the attacker sends as much data as the victim can handle, preventing others from access; e.g., ping of death, smurf, SYN flooding, etc.
    Traffic redirection: routers forward packets to the wrong address; corrupted router, incorrect DNS entry, etc.

  • How to address these threats?

  • Security -- At What Level?

    Secure traffic at various levels in the network
    Where to implement security? Depends on the security requirements of the application and the user
    Basic services that need to be implemented:
      Key management
      Confidentiality
      Nonrepudiation
      Integrity/authentication
      Authorization
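A worked illustration, added here and not taken from the slides, of why the service above is listed as "Integrity/authentication" rather than integrity alone: it applies the threats from the Message Integrity Threats slide (noise, falsification, malformed packets) to an unkeyed CRC and to a keyed HMAC. The CRC catches accidental damage only; the HMAC also rejects a substituted message because the tag cannot be recomputed without the shared key. The message and key are constructed sample values.

```python
import hashlib
import hmac
import zlib

KEY = b"constructed-shared-secret"   # sample key; real deployments get it from key management

def protect_crc(payload):
    """Unkeyed integrity check: append a CRC32 (detects accidental damage only)."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")

def verify_crc(msg):
    """Return the payload if the CRC matches, else None."""
    payload, tag = msg[:-4], msg[-4:]
    return payload if len(msg) >= 4 and zlib.crc32(payload).to_bytes(4, "big") == tag else None

def protect_mac(payload, key=KEY):
    """Keyed integrity plus origin authentication: append HMAC-SHA256."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def verify_mac(msg, key=KEY):
    """Return the payload if the tag verifies under the shared key, else None."""
    if len(msg) < 32:
        return None
    payload, tag = msg[:-32], msg[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None

def add_noise(msg, bit=13):
    """Transmission noise: flip one bit of the message in transit."""
    b = bytearray(msg)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)

def scenarios():
    """Apply the slide's integrity threats to both checks; each entry is True
    when the receiver rejected the damaged message."""
    original = b"TRANSFER 100 TO ACCT 4711"     # constructed sample message
    forged = b"TRANSFER 900 TO ACCT 6660"
    r = {}
    r["crc_detects_noise"] = verify_crc(add_noise(protect_crc(original))) is None
    r["mac_detects_noise"] = verify_mac(add_noise(protect_mac(original))) is None
    # Falsification: a substituted payload. An unkeyed check is simply recomputed
    # by whoever rewrote the message, so the forgery is accepted ...
    r["crc_detects_falsification"] = verify_crc(protect_crc(forged)) is None
    # ... but without the key the old tag is all that can be attached.
    r["mac_detects_falsification"] = verify_mac(forged + protect_mac(original)[-32:]) is None
    # Malformed packet: message truncated in transit.
    r["mac_detects_truncation"] = verify_mac(protect_mac(original)[:-10]) is None
    return r
```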

  • Network Access Layer (Data Link) Security

    Dedicated link between hosts/routers; hardware devices for encryption
    Advantages:
      Speed
    Disadvantages:
      Not scalable
      Works well only on dedicated links
      Two hardware devices need to be physically connected

  • Internetwork Layer Security

    IP Security (IPSec)
    Advantages:
      Overhead involved with key negotiation decreases

  • Transport Layer Security

    Advantages:
      Does not require enhancement to each application
    Disadvantages:
      Difficult to obtain user context
      Implemented on an end system (Transport Layer Security)
      Protocol specific: implemented for each protocol
      Must maintain context for a connection

  • Application Layer Security

    Advantages:
      Executing in the context of the user --> easy access to the user's credentials
      Complete access to data --> easier to ensure nonrepudiation
      Application can be extended to provide security (does not depend on the operating system)
      Application understands the data --> fine-tune security
    Disadvantages:
      Implemented in end hosts
      Security mechanisms have to be implemented for each application --> expensive; greater probability of making mistakes

  • Application Example

    E-mail client using PGP
    Extended capabilities:
      Ability to look up the public keys of the users
      Ability to provide security services such as encryption/decryption, nonrepudiation, and authentication for e-mail messages