Spring 2009. CS 155. Network Security Protocols and Defensive Mechanisms . John Mitchell. Plan for today. Network protocol security IPSEC BGP instability and S-BGP DNS rebinding and DNSSEC Wireless security – 802.11i/WPA2 Standard network perimeter defenses Firewall - PowerPoint PPT Presentation
Games and the Impossibility of Realizable Ideal
Functionality
Network Security Protocols and Defensive Mechanisms John
MitchellCS 155Spring 2009#Plan for todayNetwork protocol
securityIPSECBGP instability and S-BGPDNS rebinding and
DNSSECWireless security 802.11i/WPA2Standard network perimeter
defensesFirewallPacket filter (stateless, stateful), Application
layer proxiesTraffic shapingIntrusion detectionAnomaly and misuse
detection
#Dans lecture last ThursdayBasic network protocolsIP, TCP, UDP,
BGP, DNSProblems with themTCP/IPNo SRC authentication: cant tell
where packet fromPacket sniffingConnection spoofing, sequence
numbersBGP: advertise bad routes or close good onesDNS: cache
poisoning, rebinding (out of time; cover today)
#IPSECSecurity extensions for IPv4 and IPv6IP Authentication
Header (AH)Authentication and integrity of payload and headerIP
Encapsulating Security Protocol (ESP)Confidentiality of payloadESP
with optional ICV (integrity check value)Confidentiality,
authentication and integrity of payload#Recall packet formats and
layersApplicationTransport (TCP, UDP)Network (IP)Link
LayerApplication message - dataTCPdataTCPdataTCPdataTCP
HeaderdataTCPIPIP HeaderdataTCPIPETHETFLink (Ethernet) HeaderLink
(Ethernet) Trailersegment packetframemessage#IPSec Transport Mode:
IPSEC instead of IP header
http://www.tcpipguide.com/free/t_IPSecModesTransportandTunnel.htm#IPSEC
Tunnel Mode
#
IPSec Tunnel Mode: IPSEC header + IP header #VPNThree different
modes of use: Remote access client connections LAN-to-LAN
internetworking Controlled access within an intranetSeveral
different protocolsPPTP Point-to-point tunneling protocolL2TP
Layer-2 tunneling protocol IPsec (Layer-3: network layer)
Data layer#BGP exampleTransit: 2 provides transit for 7Algorithm
seems to work OK in practiceBGP is does not respond well to
frequent node outages34657182772 72 72 73 2 76 2 72 6 52 6 52 6 53
2 6 57 2 6 56 555Figure: D. Wetherall#BGP Security IssuesBGP is the
basis for all inter-ISP routingBenign configuration errors affect
about 1% of all routing table entries at any timeThe current system
is highly vulnerable to human errors, and a wide range of malicious
attackslinksroutersmanagement stationsMD5 MAC is rarely used,
perhaps due to lack of automated key management, and it addresses
only one class of attacksSlide: Steve Kent#S-BGP Design
OverviewIPsec: secure point-to-point router communicationPublic Key
Infrastructure: authorization framework for all S-BGP
entitiesAttestations: digitally-signed authorizations Address:
authorization to advertise specified address blocksRoute:
Validation of UPDATEs based on a new path attribute, using PKI
certificates and attestationsRepositories for distribution of
certificates, CRLs, and address attestationsTools for ISPs to
manage address attestations, process certificates & CRLs,
etc.Slide: Steve Kent#Address AttestationIndicates that the final
AS listed in the UPDATE is authorized by the owner of those address
blocks to advertise the address blocks in the UPDATEIncludes
identification of:owners certificate AS to be advertising the
address blocksaddress blocksexpiration dateDigitally signed by
owner of the address blocks, traceable up to the IANA via
certificate chainUsed to protect BGP from erroneous UPDATEs
(authenticated but misbehaving or misconfigured BGP speakers)#Route
AttestationIndicates that the speaker or its AS authorizes the
listeners AS to use the route in the UPDATEIncludes identification
of: ASs or BGP speakers certificate issued by owner of the AS the
address blocks and the list of ASes in the UPDATEthe
neighborexpiration dateDigitally signed by owner of the AS (or BGP
speaker) distributing the UPDATE, traceable to the IANA ...Used to
protect BGP from erroneous UPDATEs (authenticated but misbehaving
or misconfigured BGP speakers)#Validating a RouteTo validate a
route from ASn, ASn+1 needs:address attestation from each
organization owning an address block(s) in the NLRIaddress
allocation certificate from each organization owning address blocks
in the NLRIroute attestation from every AS along the path (AS1 to
ASn), where the route attestation for ASk specifies the NLRI and
the path up to that point (AS1 through ASk+1)certificate for each
AS or router along path (AS1 to ASn) to check signatures on the
route attestationsand, of course, all the relevant CRLs must have
been checkedSlide: Kent et al.#Recall: DNS LookupQuery:
"www.example.com A?"
Local recursive resolver caches these for TTL specified by
RR
ReplyResource Records in Reply3578"com. NS
a.gtld.net""a.gtld.net A 192.5.6.30""example.com. NS
a.iana.net""a.iana.net A 192.0.34.43" "www.example.com A 1.2.3.4"
"www.example.com A 1.2.3.4"#16DNS is InsecurePackets over UDP, <
512 bytes16-bit TXID, UDP Src port only securityResolver accepts
packet if above matchPacket from whom? Was it manipulated?
Cache poisoningAttacker forges record at resolverForged record
cached, attacks future lookupsKaminsky (BH USA08)Attacks
delegations with birthday problem#17The Domain Name System (DNS)
security extensions provide origin authentication and integrity
assurance services for DNS data, including mechanisms for
authenticated denial of existence of DNS data.
-RFC 4033
DNSSEC Goal#18DNSSECBasically no change to packet formatObject
security of DNS data, not channel securityNew Resource Records
(RRs)RRSIG : signature of RR by private zone keyDNSKEY : public
zone keyDS : crypto digest of child zone keyNSEC / NSEC3
:authenticated denial of existenceLookup referral chain
(unsigned)Origin attestation chain (PKI) (signed) Start at
pre-configured trust anchorsDS/DNSKEY of zone (should include
root)DS DNSKEY DS forms a link #19Dan: How to distribute trust
anchor?Query: "www.example.com A?"
3578Reply"com. NS a.gtld.net""a.gtld.net A
192.5.6.30""example.com. NS a.iana.net""a.iana.net A
192.0.34.43""www.example.com A 1.2.3.4""www.example.com A
1.2.3.4"RRs in DNS ReplyAdded by DNSSEC"com. DS""RRSIG(DS) by
.""com. DNSKEY""RRSIG(DNSKEY) by com.""example.com. DS""RRSIG(DS)
by com.""example.com DNSKEY""RRSIG(DNSKEY) by
example.com.""RRSIG(A) by example.com."Last Hop?DNSSEC
Lookup#20Dan: Time constantsAuthenticated Denial-of-ExistenceMost
DNS lookups result in denial-of-existence Understood mandate of
offline-techniqueNSEC (Next SECure)Lists all extant RRs associated
with an owner namePoints to next owner name with extant RREasy zone
enumerationNSEC3Hashes owner namesPublic salt to prevent
pre-computed dictionariesNSEC3 chain in hashed orderOpt-out bit for
TLDs to support incremental adoptionFor TLD type zones to support
incremental adoption Non-DNSSEC children not in NSEC3 chain#21DNS
Rebinding AttackRead permitted: its the same origin
Firewallwww.evil.comweb serverns.evil.comDNS
server171.64.7.115www.evil.com?corporateweb server171.64.7.115 TTL
= 0
192.168.0.100192.168.0.100[DWF96, R01]DNSSEC cannot stop this
attack#DNS Rebinding DefensesBrowser mitigation: DNS PinningRefuse
to switch to a new IPInteracts poorly with proxies, VPN, dynamic
DNS, Not consistently implemented in any browserServer-side
defensesCheck Host header for unrecognized domainsAuthenticate
users with something other than IPFirewall defensesExternal names
cant resolve to internal addressesProtects browsers inside the
organization#Mobile IPv6 Architecture
IPv6Mobile Node (MN)Corresponding Node (CN)Home Agent (HA)Direct
connection via binding updateAuthentication is a requirementEarly
proposals weak#
Authentica-tion Server (RADIUS)No KeyAuthenticator
UnAuth/UnAssoc802.1X BlockedNo KeySupplicantUnAuth/UnAssoc802.1X
BlockedNo KeySupplicantAuth/Assoc802.1X BlockedNo KeyAuthenticator
Auth/Assoc802.1X BlockedNo KeyAuthentica-tion Server (RADIUS)No
Key802.11 AssociationEAP/802.1X/RADIUS
AuthenticationSupplicantAuth/Assoc802.1X BlockedMSKAuthenticator
Auth/Assoc802.1X BlockedNo KeyAuthentica-tion Server (RADIUS)MSKMSK
SupplicantAuth/Assoc802.1X BlockedPMKAuthenticator Auth/Assoc802.1X
BlockedPMKAuthentica-tion Server (RADIUS)No Key4-Way
HandshakeSupplicantAuth/Assoc802.1X UnBlockedPTK/GTKAuthenticator
Auth/Assoc802.1X UnBlockedPTK/GTKAuthentica-tion Server (RADIUS)No
KeyGroup Key HandshakeSupplicantAuth/Assoc802.1X UnBlockedNew
GTKAuthenticator Auth/Assoc802.1X UnBlockedNew GTKAuthentica-tion
Server (RADIUS)No Key802.11i ProtocolData
CommunicationSupplicantAuth/Assoc802.1X
UnBlockedPTK/GTKAuthenticator Auth/Assoc802.1X
UnBlockedPTK/GTKAuthentica-tion Server (RADIUS)No Key#25RSNA
involves three entities: the Supplicant, the Authenticator, and the
Authentication Server. In an general infrastructure network, the
supplicant is implemented in the mobile devices like a PDA, a
cellphone or a laptop; the authenticator is implemented in the
Access Point; the authentication server could be implemented either
in the Access Point with the authenticator, or separately in a
backend server, like a RADIUS server. When it is implemented in a
separate server, the links between the authenticator and the
authentication server are assumed to be physically secure.In order
to adopt 802.1X authentication in wireless networks, we consider
the association between the supplicant and the authenticator as a
logical 802.1X port. At the beginning, the supplicant and the
authenticator are unauthenticated and unassociated, 802.1X ports
are blocked, and there are no shared secrets between them. In the
first stage, the supplicant and the authenticator set up an 802.11
association. After this stage, the supplicant and the authenticator
go to the authenticated and associated state. Here authenticated
only means that 802.11 open system authentication is successful,
this is not considered to be a real authentication. Now there is a
radio connection between the supplicant and the authenticator, but
they cannot transmit data packets to each other because the logical
802.1X port is still blocked, only protocol packets are accepted.In
the second stage, the authenticator will act as a relay, the
supplicant and the authentication server run some mutual
authentication protocol and generate some common secret, called MSK
(Master Session Key). Then the server moves the MSK to the
authenticator, and the supplicant and authenticator will derive the
same PMK (Pair-wise Master Key) from the MSK locally. Here move
means the server will delete the key itself after sending to the
authenticator, because the server is assumed not to disclose and
possess the key afterwards. This stage could be absent when a
Pre-Shared Key or a cached PMK is used.In the third stage, the
authenticator initialize a 4-way handshake to confirm the PMK
existence and derive a fresh PTK for the following data sessions.
Upon this point, the 802.1X ports are unblocked to accept data
packets.As the fourth stage, the supplicant and the authenticator
might also perform a group key handshake to distribute a GTK in
case of multicast applications, however, this is not necessary
since the GTK (Group Transient Key) could also be transmitted in
the 4-way handshake.With the shared PTK and GTK, the supplicant and
authenticator could derive the encryption key and MAC key, thus
perform secure data communications.We will focus on the 4-way
handshake because it is an essential part in all operation
modes.AnnouncementsHomework 2 will be out by ThursDue one week from
Thursday#Perimeter and Internal DefensesCommonly deployed
defensesPerimeter defenses Firewall, IDSProtect local area network
and hostsKeep external threats from internal networkInternal
defenses Virus scanningProtect hosts from threats that get through
the perimeter defensesExtend the perimeter VPNRest of this
lecture#Basic Firewall ConceptSeparate local area net from
internet
RouterFirewall All packets between LAN and internet routed
through firewallLocal networkInternet#Packet FilteringUses
transport-layer information onlyIP Source Address, Destination
AddressProtocol (TCP, UDP, ICMP, etc)TCP or UDP source &
destination portsTCP Flags (SYN, ACK, FIN, RST, PSH, etc)ICMP
message typeExamplesDNS uses port 53Block incoming port 53 packets
except known trusted serversIssuesStateful filteringEncapsulation:
address translation, other complications
Fragmentation#Source/Destination Address Forgery
#More about networking: port numberingTCP connection Server port
uses number less than 1024 Client port uses number between 1024 and
16383Permanent assignmentPorts 1024 must be available for client to
make connectionLimitation for stateless packet filteringIf client
wants port 2048, firewall must allow incoming trafficBetter:
stateful filtering knows outgoing requestsOnly allow incoming
traffic on high port to a machine that has initiated an outgoing
request on low port #Filtering Example: Inbound SMTP
Can block external request to internal server based on port
number#Filtering Example: Outbound SMTP
Known low port out, arbitrary high port inIf firewall blocks
incoming port 1357 traffic then connection fails#Stateful or
Dynamic Packet Filtering
#TelnetPORT 1234ACKTelnet Client
Telnet Server231234 Client opens channel to server; tells server
its port number. The ACK bit is not set while establishing the
connection but will be set on the remaining packets Server
acknowledges Stateful filtering can use this pattern to identify
legitimate sessions#35PORT 5151OKDATA CHANNELTCP ACKFTP Client
FTP Server20Data21Command51505151 Client opens command channel
to server; tells server second port number Server acknowledges
Server opens data channel to clients second port Client
acknowledgesFTP#36From Zwicky, Building Internet Firewalls, second
edition page 456Normal IP Fragmentation
Flags and offset inside IP header indicate packet
fragmentationComplication for firewalls#Abnormal Fragmentation
Low offset allows second packet to overwrite TCP header at
receiving host#Packet Fragmentation AttackFirewall configurationTCP
port 23 is blocked but SMTP port 25 is allowedFirst packet
Fragmentation Offset = 0. DF bit = 0 : "May Fragment" MF bit = 1 :
"More Fragments" Destination Port = 25. TCP port 25 is allowed, so
firewall allows packetSecond packetFragmentation Offset = 1: second
packet overwrites all but first 8 bits of the first packetDF bit =
0 : "May Fragment" MF bit = 0 : "Last Fragment." Destination Port =
23. Normally be blocked, but sneaks by! What happensFirewall
ignores second packet TCP header because it is fragment of firstAt
host, packet reassembled and received at port 23#Proxying
FirewallApplication-level proxiesTailored to http, ftp, smtp,
etc.Some protocols easier to proxy than othersPolicy embedded in
proxy programsProxies filter incoming, outgoing packetsReconstruct
application-layer messagesCan filter specific application-layer
commands, etc.Example: only allow specific ftp commandsOther
examples: ?Several network locations see next slides
Beyond packet filtering#Firewall with application proxiesDaemon
spawns proxy when communication detected Network ConnectionTelnet
daemonSMTP daemonFTP daemonTelnet proxyFTP proxySMTP proxy#Screened
Host Architecture
#Screened Subnet Using Two Routers
#Dual Homed Host Architecture
#Application-level proxiesEnforce policy for specific
protocolsE.g., Virus scanning for SMTPNeed to understand MIME,
encoding, Zip archives Flexible approach, but may introduce network
delaysBatch protocols are natural to proxySMTP (E-Mail) NNTP (Net
news)DNS (Domain Name System) NTP (Network Time ProtocolMust
protect host running protocol stackDisable all non-required
services; keep it simpleInstall/modify services you wantRun
security audit to establish baselineBe prepared for the system to
be compromised#References
Elizabeth D. ZwickySimon CooperD. Brent Chapman
William R CheswickSteven M BellovinAviel D Rubin#Traffic
ShapingTraditional firewallAllow traffic or notTraffic shapingLimit
certain kinds of trafficCan differentiate by host addr, protocol,
etcMulti-Protocol Label Switching (MPLS) Label traffic flows at the
edge of the network and let core routers identify the required
class of service #Stanford computer use
#PacketShaper ControlsA partition:Creates a virtual pipe within
a link for each traffic classProvides a min, max bandwidthEnables
efficient bandwidth use
Rate shaped P2P capped at 300kbps Rate shaped HTTP/SSL to give
better performance
#PacketShaper report: HTTP
Outside Web Server Normalized Network Response TimesNo
ShapingShapingNo ShapingShapingInside Web Server Normalized Network
Response Times#Host and network intrusion detectionIntrusion
preventionNetwork firewallRestrict flow of packetsSystem
securityFind buffer overflow vulnerabilities and remove
them!Intrusion detectionDiscover system modifications TripwireLook
for attack in progressNetwork traffic patternsSystem calls, other
system events#TripwireOutline of standard attackGain user access to
systemGain root accessReplace system binaries to set up backdoorUse
backdoor for future activitiesTripwire detection point: system
binariesCompute hash of key system binariesCompare current hash to
hash stored earlierReport problem if hash is differentStore
reference hash codes on read-only medium
#Is Tripwire too late?Typical attack on serverGain accessInstall
backdoorThis can be in memory, not on disk!!Use itTripwireIs a good
ideaWont catch attacks that dont change system filesDetects a
compromise that has happened
Remember: Defense in depth#Detect modified binary in memory?Can
use system-call monitoring techniquesFor example [Wagner, Dean IEEE
S&P 01]Build automaton of expected system callsCan be done
automatically from source codeMonitor system calls from each
programCatch violation
Results so far: lots better than not using source code!
#Example code and
automatonEntry(f)Entry(g)Exit(f)Exit(g)open()close()exit()getuid()geteuid()f(int
x) { x ? getuid() : geteuid(); x++}g() { fd = open("foo",
O_RDONLY); f(0); close(fd); f(1); exit(0);}If code behavior is
inconsistent with automaton, something is wrong#General intrusion
detectionMany intrusion detection systemsClose to 100 systems with
current web pagesNetwork-based, host-based, or combinationTwo basic
modelsMisuse detection model Maintain data on known attacksLook for
activity with corresponding signatures Anomaly detection model Try
to figure out what is normalReport anomalous behaviorFundamental
problem: too many false alarms
http://www.snort.org/#Anomaly DetectionBasic ideaMonitor network
traffic, system callsCompute statistical propertiesReport errors if
statistics outside established rangeExample IDES (Denning, SRI)For
each user, store daily count of certain activitiesE.g., Fraction of
hours spent reading emailMaintain list of counts for several
daysReport anomaly if count is outside weighted norm
Big problem: most unpredictable user is the most
important#Anomaly sys call sequencesBuild traces during normal run
of programExample program behavior (sys calls)open read write open
mmap write fchmod closeSample traces stored in file (4-call
sequences)open read write openread write open mmapwrite open mmap
writeopen mmap write fchmodmmap write fchmod closeReport anomaly if
following sequence observedopen read read open mmap write fchmod
close
Compute # of mismatches to get mismatch rate[Hofmeyr, Somayaji,
Forrest]#Difficulties in intrusion detectionLack of training
dataLots of normal network, system call dataLittle data containing
realistic attacks, anomaliesData driftStatistical methods detect
changes in behaviorAttacker can attack gradually and
incrementallyMain characteristics not well understoodBy many
measures, attack may be within bounds of normal range of
activitiesFalse identifications are very costlySys Admin spend many
hours examining evidence#SummaryNetwork protocol securityIPSECBGP
instability and S-BGPDNSSEC, DNS rebindingWireless security
802.11i/WPA2Standard network perimeter defensesFirewallPacket
filter (stateless, stateful), Application layer proxiesTraffic
shapingIntrusion detectionAnomaly and misuse detection #
