Transcript
Page 1: CSCE 522 - Farkas1 CSCE 522 Network Security. Reading Pfleeger and Pfleeger: Chapter 6 CSCE 522 - Farkas2

CSCE 522 - Farkas 1

CSCE 522 Network Security

Page 2

Reading

Pfleeger and Pfleeger: Chapter 6


Page 3

Overview of TCP/IP Layers


Page 4

Internet Challenge

Interconnected networks differ (protocols, interfaces, services, etc.). Solutions:

1. Reengineer and develop one global packet switching network standard: not economically feasible

2. Have every host implement the protocols of every network it wants to communicate with: too complex, very high engineering cost

3. Add an extra layer, the internetworking layer: hosts implement one higher-level protocol, all connecting networks use that same protocol, and an interface maps the new protocol onto each underlying network

Page 5


Layering

Organize a network system into logically distinct entities: the service provided by one entity is based only on the service provided by the entity at the level below

Page 6


TCP/IP Protocol Stack

Application Layer

Transport Layer

Internetwork Layer

Network Access Layer

• Each layer interacts with the neighboring layers above and below
• Each layer can be defined independently
• The complexity of the networking is hidden from the application

Page 7


Layering

Advantages
– Modularity: protocols are easier to manage and maintain
– Abstract functionality: lower layers can be changed without affecting the upper layers
– Reuse: upper layers can reuse the functionality provided by lower layers

Disadvantages
– Information hiding: a layer cannot see how the layers below it work, which can lead to inefficient implementations

Page 8


ISO OSI Reference Model

ISO: International Organization for Standardization
OSI: Open Systems Interconnection
Goal: a general open standard
– allow vendors to enter the market with their own implementations and protocols

Page 9


OSI vs. TCP/IP

OSI: conceptually defines service, interface, protocol
Internet: provides a successful implementation

OSI layer                            TCP/IP layer     Example protocols
Application, Presentation, Session   Application      Telnet, FTP, DNS
Transport                            Transport        TCP, UDP
Network                              Internet         IP
Data link, Physical                  Network Access   LAN, packet radio

Page 10


Network Access Layer

Responsible for packet transmission on the physical media

Transmission between two devices that are physically connected

The goal of the physical layer is to move information across one “hop”

For example: Ethernet, token ring, Asynchronous Transfer Mode (ATM)

Page 11


Network Layer

Provides connectionless and unreliable service
Routing (routers): determine the path a packet has to traverse to reach its destination
Defines the addressing mechanism
– Identify each destination unambiguously
– Hosts must conform to the addressing mechanism

Page 12


IP Addresses – Network layer

IP provides a logical address space and a corresponding addressing scheme
An IP address is a globally unique or private number associated with a host network interface
Every system that sends packets directly across the Internet must have a unique IP address
IP addresses are based on where the hosts are connected
IP addresses are allocated centrally (IANA delegates address ranges to the regional registries, which assign them onward)
They are running out of space: the IPv4 address pool has been exhausted

Page 13


Routing Protocols

• Enable routing decisions to be made
• Manage and periodically update the routing tables stored at each router
• Router: decides "which way" to send the packet
• Protocol types:
  • Reachability
  • Distance vector
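Added example, not from the slides or the textbook: the two routing decisions above in Python. A router answers "which way" with a longest-prefix match over its forwarding table, and a distance-vector protocol (Bellman-Ford) builds those tables from the cost vectors neighbors advertise. The forwarding table, the four-router topology and the link costs are constructed samples; the `lies` parameter is an assumption of this example, added to show how a corrupted router that advertises a false low cost draws traffic to itself (the "traffic redirection" threat discussed later in these slides).

```python
"""Routing decisions, added example (not from the slides). Forwarding table,
topology and costs are constructed samples."""
import ipaddress

# Constructed forwarding table: (destination prefix, next hop). The 0.0.0.0/0
# entry is the default route, used only when nothing more specific matches.
FORWARDING_TABLE = [
    ("10.0.0.0/8", "core-1"),
    ("10.1.0.0/16", "core-2"),
    ("10.1.2.0/24", "eth0"),
    ("192.168.5.0/24", "eth1"),
    ("0.0.0.0/0", "isp-uplink"),
]


def next_hop(table, destination):
    """'Which way': longest-prefix match over the forwarding table."""
    addr = ipaddress.ip_address(destination)
    best_net, best_hop = None, None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def advertised_vector(tables, node, lies):
    """The (destination -> cost) vector a router sends to its neighbours.
    `lies` models a corrupted router advertising false costs (an assumption
    of this example, used to show traffic redirection)."""
    vector = {dest: cost for dest, (cost, _) in tables[node].items()}
    if lies and node in lies:
        vector.update(lies[node])
    return vector


def distance_vector(links, lies=None, max_rounds=64):
    """Distance-vector routing (Bellman-Ford). links: {router: {neighbour: cost}}.
    Returns {router: {destination: (cost, next_hop)}}. Rounds are synchronous,
    a simplification of the periodic updates real protocols exchange."""
    tables = {n: {n: (0, n)} for n in links}
    for n, neighbours in links.items():
        for m, cost in neighbours.items():
            tables[n][m] = (cost, m)
    for _ in range(max_rounds):
        changed = False
        for n, neighbours in links.items():
            for m, link_cost in neighbours.items():
                for dest, dcost in advertised_vector(tables, m, lies).items():
                    candidate = link_cost + dcost
                    if dest not in tables[n] or candidate < tables[n][dest][0]:
                        tables[n][dest] = (candidate, m)
                        changed = True
        if not changed:
            break
    return tables


# Constructed topology: A reaches D cheaply through B, expensively through C.
LINKS = {
    "A": {"B": 1, "C": 1},
    "B": {"A": 1, "D": 1},
    "C": {"A": 1, "D": 5},
    "D": {"B": 1, "C": 5},
}


def route_a_to_d(lies=None):
    """A's entry for D: (cost, next hop)."""
    return distance_vector(LINKS, lies)["A"]["D"]


if __name__ == "__main__":
    for dst in ("10.1.2.3", "10.1.9.9", "10.200.0.1", "8.8.8.8"):
        print(dst, "->", next_hop(FORWARDING_TABLE, dst))
    print("honest routers:", route_a_to_d())
    print("C lies about its cost to D:", route_a_to_d(lies={"C": {"D": 0}}))
```

With honest routers A forwards to D via B at cost 2; once C advertises a cost of 0 to D, A prefers C at cost 1 and every packet for D now passes through the lying router. Nothing in the basic distance-vector exchange lets A check the claim, which is why routing updates need authentication.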

Page 14


The Domain Name System

Each system connected to the Internet also has one or more logical names (domain names).

Unlike IP addresses, domain names carry no routing information; they are organized by administrative units.

There are no limitations on the mapping from domain names to IP addresses: one name may map to several addresses, and one address may serve several names.

Page 15


Domain Name Resolution

Domain Name Resolution: looking up a logical name and finding the corresponding IP address

There is a hierarchy of domain name servers. Each client system uses one domain name server, which in turn queries up and down the hierarchy to find the address.

If your server does not know the address, it goes up the hierarchy, possibly to the top (the root servers), and works its way back down through the referrals it receives.
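Added example, not from the slides or the textbook: the walk up and down the hierarchy simulated in Python over constructed zone data. A resolver answers from its cache when it can; otherwise it starts at the root, and each server either answers or refers it to the server for the most specific zone it knows. The server labels `root`, `tld-server` and `auth-server` are invented, the `.test` top-level domain and the 192.0.2.0/24 and 203.0.113.0/24 addresses are reserved for documentation, and the in-memory dictionaries stand in for the UDP queries a real resolver would send.

```python
"""Iterative name resolution through the server hierarchy, added example (not
from the slides). Servers and zone data are constructed."""

# Each server holds either answers ("A" records) or referrals ("NS": which
# server is authoritative for a sub-zone). Names are fully qualified.
SERVERS = {
    "root": {"NS": {"test.": "tld-server"}},
    "tld-server": {"NS": {"example.test.": "auth-server"}},
    "auth-server": {"A": {"www.example.test.": "192.0.2.10",
                          "mail.example.test.": "192.0.2.25"}},
}


def in_zone(name, zone):
    """True if `name` lies inside `zone` (both fully qualified)."""
    return name == zone or name.endswith("." + zone)


def resolve(name, servers=SERVERS, cache=None, max_hops=8):
    """Resolve `name` the way a recursive resolver does: answer from the cache
    if possible, otherwise start at the root and follow referrals downward.
    Returns (ip, list of servers asked)."""
    name = name if name.endswith(".") else name + "."
    if cache is not None and name in cache:
        return cache[name], ["cache"]
    server, asked = "root", []
    for _ in range(max_hops):
        asked.append(server)
        zone = servers[server]
        if name in zone.get("A", {}):
            ip = zone["A"][name]
            if cache is not None:
                cache[name] = ip          # remembered for later queries
            return ip, asked
        # Referral: the most specific zone this server can delegate.
        referrals = [z for z in zone.get("NS", {}) if in_zone(name, z)]
        if not referrals:
            raise LookupError("NXDOMAIN: %s (asked %s)" % (name, asked))
        server = zone["NS"][max(referrals, key=len)]
    raise LookupError("referral loop resolving %s" % name)


if __name__ == "__main__":
    cache = {}
    print(resolve("www.example.test", cache=cache))   # root -> tld -> authoritative
    print(resolve("www.example.test", cache=cache))   # served from the cache
```

The cache is where the "incorrect DNS entry" mentioned later under denial of service does its damage: once a wrong answer is stored, every later query for that name is answered from the cache without the hierarchy being consulted at all.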

Page 16


Transport Layer

Provides services to the application layer. Services:
– Connection-oriented or connectionless transport
– Reliable or unreliable transport
– Security: new compared to the other two services. May provide: authenticity, confidentiality, integrity

The application has to choose the services it requires from the transport layer.
Not every combination is available, e.g., connectionless and reliable transport is not offered.

Page 17


Application Layer

Provides services for an application to send and receive data over the network, e.g., telnet (port 23), mail (port 25), finger (port 79)

Interface to the transport layer
– Operating system dependent
– Socket interface: the most popular

Page 18


Communication Between Layers

[Figure: Host A and Host B each have Application, Transport, Network and Data Link layers; the two Routers between them have only Network and Data Link layers. Going down the stack at Host A, Application Data becomes the Transport payload, the transport segment becomes the Network payload, and the network packet becomes the Data Link payload. Each router strips the Data Link frame, uses the Network layer header to forward the packet, and re-frames it for the next link; the transport and application headers are opened only at Host B.]
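Added example, not from the slides or the textbook: the encapsulation in the figure carried out in Python. Host A wraps application data in a TCP header and then in an IPv4 header; Host B strips them again, checking the IPv4 header checksum (what every router on the path does) and the TCP checksum, which is computed over an IP pseudo-header so that a segment cannot be silently rebound to different addresses. Addresses, ports, sequence numbers and the payload are constructed sample values; the Data Link framing is left out.

```python
"""Encapsulation and decapsulation of application data through the TCP and IP
layers. Added example; addresses, ports and payload are constructed samples."""
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, complemented.
    Over a header that carries a valid checksum the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def pseudo_header(src_ip: str, dst_ip: str, tcp_length: int) -> bytes:
    """IPv4 pseudo-header covered by the TCP checksum (RFC 793): it binds the
    segment to the addresses in the IP header below it."""
    return ip_to_bytes(src_ip) + ip_to_bytes(dst_ip) + struct.pack("!BBH", 0, 6, tcp_length)


def build_tcp_segment(src_ip, dst_ip, src_port, dst_port, payload, seq=1, ack=0, flags=0x18):
    """Transport layer: 20-byte TCP header (no options) + application data.
    flags=0x18 is PSH|ACK, a data-carrying segment on an open connection."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, 5 << 4, flags, 65535, 0, 0)
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, len(header) + len(payload)) + header + payload)
    header = header[:16] + struct.pack("!H", csum) + header[18:]
    return header + payload


def build_ipv4_packet(src_ip, dst_ip, transport, proto=6, ttl=64, ident=0x1234):
    """Network layer: 20-byte IPv4 header (DF set, no options) around the segment."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), ident, 0x4000,
                         ttl, proto, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    csum = internet_checksum(header)
    header = header[:10] + struct.pack("!H", csum) + header[12:]
    return header + transport


def parse_ipv4_packet(packet: bytes) -> dict:
    """Strip the IPv4 header (what each router does), verifying its checksum."""
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (fields[0] & 0x0F) * 4
    if internet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": bytes_to_ip(fields[8]), "dst": bytes_to_ip(fields[9]), "ttl": fields[5],
            "proto": fields[6], "payload": packet[ihl:fields[2]]}


def parse_tcp_segment(src_ip: str, dst_ip: str, segment: bytes) -> dict:
    """Strip the TCP header (done only at the end host), verifying its checksum."""
    if internet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) != 0:
        raise ValueError("bad TCP checksum")
    sport, dport, seq, ack, offset, flags, _, _, _ = struct.unpack("!HHIIBBHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "payload": segment[(offset >> 4) * 4:]}


def round_trip(app_data: bytes = b"GET / HTTP/1.0\r\n\r\n") -> dict:
    """Host A wraps the data layer by layer; Host B unwraps it. Returns what B sees."""
    src, dst = "192.0.2.10", "198.51.100.20"      # constructed documentation addresses
    segment = build_tcp_segment(src, dst, 40000, 80, app_data)
    packet = build_ipv4_packet(src, dst, segment)
    ip = parse_ipv4_packet(packet)
    tcp = parse_tcp_segment(ip["src"], ip["dst"], ip["payload"])
    return {"packet_len": len(packet), "src": ip["src"], "dst": ip["dst"],
            "dport": tcp["dport"], "data": tcp["payload"]}


if __name__ == "__main__":
    print(round_trip())
```

The checksums guard only against accidental corruption: flipping one bit of the TTL makes `parse_ipv4_packet` reject the packet, but an attacker who rewrites any field simply recomputes the checksum, which is why none of these headers provide integrity against an active attacker.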

Page 19

Network Threats


Page 20

Network Threats 1.

Reconnaissance
– Port scan: which ports and services are running, which OS is installed, which applications and versions
– Social engineering: can yield sensitive information, up to login credentials
– Intelligence: open source vs. espionage
– Bulletin boards, chats, documentation, etc.


Page 21

Threats in Transit

Passive attacks: wiretap, traffic monitoring, packet sniffer, etc.

Protocol flaws: Internet protocols are published openly (each accepted protocol is known by its RFC number), so a flaw in a protocol's design is visible to everyone and affects every conforming implementation

Impersonation
– Nonexistent authentication, guessing authentication information, well-known authentication
– Eavesdropping and wiretapping
– Spoofing and masquerading
– Session hijacking, man-in-the-middle


Page 22

Message Confidentiality Threats

Misdelivery
– Destination not available, or a host in promiscuous mode receives traffic addressed to others

Exposure
– Eavesdropping
– Traffic analysis


Page 23

Message Integrity Threats

Falsification of messages
Noise
Malformed packets
Protocol failures
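Added example, not from the slides or the textbook: why the first two threats need different defenses. A keyless checksum such as CRC-32 (used here through Python's `zlib`) detects noise, but an attacker who falsifies a message also recomputes the checksum, so the receiver sees a valid one. A message authentication code keyed with a secret the attacker does not hold (HMAC-SHA256 from the standard library) detects both. The shared key and the payment message are constructed samples, and the key is assumed to have been agreed out of band.

```python
"""Checksum versus keyed MAC against noise and against falsification.
Added example; key and messages are constructed samples."""
import hashlib
import hmac
import zlib

SHARED_KEY = b"constructed-demo-key-do-not-reuse"   # assumption: agreed out of band


def crc_protect(msg: bytes) -> tuple:
    """Integrity check as the network layers provide it: a keyless checksum."""
    return msg, zlib.crc32(msg)


def crc_verify(msg: bytes, tag: int) -> bool:
    return zlib.crc32(msg) == tag


def mac_protect(key: bytes, msg: bytes) -> tuple:
    """Integrity check as a security service: HMAC-SHA256 under a shared key."""
    return msg, hmac.new(key, msg, hashlib.sha256).digest()


def mac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking the position of a mismatch through timing
    return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), tag)


def noise(msg: bytes, bit: int = 3) -> bytes:
    """Accidental corruption: one bit of the first byte flipped in transit."""
    return bytes([msg[0] ^ (1 << bit)]) + msg[1:]


def falsify(msg: bytes, old: bytes, new: bytes) -> bytes:
    """Deliberate modification by someone on the path."""
    return msg.replace(old, new)


def attacker_rewrites_crc(msg: bytes, tag: int) -> tuple:
    """An active attacker edits the message and fixes the checksum to match."""
    forged = falsify(msg, b"100.00", b"999.00")
    return forged, zlib.crc32(forged)


def attacker_rewrites_mac(msg: bytes, tag: bytes) -> tuple:
    """Without the key the attacker cannot produce a valid tag; the best he
    can do is forward the old one (or guess)."""
    forged = falsify(msg, b"100.00", b"999.00")
    return forged, tag


def scenario() -> dict:
    """Run both protections against both threats; True means 'detected'."""
    original = b"PAY ALICE 100.00"
    results = {}
    m, t = crc_protect(original)
    results["crc_detects_noise"] = not crc_verify(noise(m), t)
    results["crc_detects_falsification"] = not crc_verify(*attacker_rewrites_crc(m, t))
    m, t = mac_protect(SHARED_KEY, original)
    results["mac_detects_noise"] = not mac_verify(SHARED_KEY, noise(m), t)
    results["mac_detects_falsification"] = not mac_verify(SHARED_KEY, *attacker_rewrites_mac(m, t))
    return results


if __name__ == "__main__":
    print(scenario())
```

The one case that comes back False is the checksum against falsification; the forged payment carries a perfectly valid CRC. The MAC still does not protect against replay of an unmodified message, which needs a sequence number or nonce under the MAC as well.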


Page 24

Denial of Service Threats

Transmission failure
– Multiple reasons, intentional or accidental

Connection flooding: the attacker sends as much traffic as the victim can handle, preventing others from getting access
– E.g., ping of death, smurf, SYN flooding, etc.

Traffic redirection: routers forward packets to the wrong address
– Corrupted router, incorrect DNS entry, etc.
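Added example, not from the slides or the textbook: the three flooding attacks named above recognized in packet records, written as the detection logic an intrusion detection sensor would run. SYN flooding shows up as many half-open connections from one source (SYN seen, handshake never completed); the ping of death shows up as IP fragments whose offset plus length exceed the 65535-byte maximum datagram; smurf shows up as ICMP echo requests sent to a directed broadcast address with the victim's address as the (spoofed) source. The record format, the helper constructors and the sample traffic are constructed for this example, using documentation address ranges.

```python
"""Detecting SYN flood, ping of death and smurf in packet records.
Added example; record format and sample traffic are constructed."""
from collections import defaultdict


def tcp(src, sport, dst, dport, flags):
    """Constructed record of one TCP packet; flags is a string such as 'S' or 'A'."""
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


def icmp_fragment(src, dst, ip_id, frag_offset, length):
    """Constructed record of one IP fragment of an ICMP datagram (offset and length in bytes)."""
    return {"proto": "icmp", "src": src, "dst": dst, "ip_id": ip_id,
            "frag_offset": frag_offset, "len": length}


def syn_flood_sources(records, threshold=20):
    """SYN flooding leaves half-open connections: a SYN whose handshake is
    never completed by an ACK on the same (src, sport, dst, dport)."""
    pending = set()
    for r in records:
        if r["proto"] != "tcp":
            continue
        key = (r["src"], r["sport"], r["dst"], r["dport"])
        if r["flags"] == "S":
            pending.add(key)
        elif "A" in r["flags"]:
            pending.discard(key)
    half_open = defaultdict(int)
    for src, _, _, _ in pending:
        half_open[src] += 1
    return {src: n for src, n in half_open.items() if n >= threshold}


def oversized_datagrams(records, max_len=65535):
    """Ping of death: fragments whose offset + length exceed the maximum IP
    datagram size and overflow a naive reassembly buffer."""
    end = defaultdict(int)
    for r in records:
        if r["proto"] == "icmp" and "frag_offset" in r:
            key = (r["src"], r["dst"], r["ip_id"])
            end[key] = max(end[key], r["frag_offset"] + r["len"])
    return sorted(key for key, e in end.items() if e > max_len)


def broadcast_echo_requests(records, broadcast_addrs):
    """Smurf: echo requests (ICMP type 8) to a directed broadcast address; the
    spoofed source is the victim that receives every reply."""
    return [(r["src"], r["dst"]) for r in records
            if r["proto"] == "icmp" and r.get("type") == 8 and r["dst"] in broadcast_addrs]


def sample_records():
    """Constructed traffic: one honest client, one SYN flooder, one ping of
    death, one smurf trigger. 192.0.2.10 is the victim."""
    recs = [tcp("198.51.100.4", 40000, "192.0.2.10", 80, "S"),
            tcp("198.51.100.4", 40000, "192.0.2.10", 80, "A")]
    recs += [tcp("203.0.113.7", port, "192.0.2.10", 80, "S") for port in range(50000, 50030)]
    recs += [icmp_fragment("203.0.113.7", "192.0.2.10", 99, 0, 1480),
             icmp_fragment("203.0.113.7", "192.0.2.10", 99, 65528, 40)]
    recs.append({"proto": "icmp", "type": 8, "src": "192.0.2.10", "dst": "198.51.100.255"})
    return recs


if __name__ == "__main__":
    recs = sample_records()
    print("SYN flood sources:", syn_flood_sources(recs))
    print("oversized datagrams:", oversized_datagrams(recs))
    print("smurf triggers:", broadcast_echo_requests(recs, {"198.51.100.255"}))
```

The half-open count needs a time window in practice (slow clients also leave SYNs pending for a while), and the threshold is a tuning choice; a flooder that spoofs a different source address per SYN defeats the per-source count and has to be caught by the total backlog instead.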


Page 25

How to address these threats?


Page 26


Security -- At What Level?

Traffic can be secured at various levels of the network stack. Where to implement security depends on the security requirements of the application and the user.

Basic services that need to be implemented:
– Key management
– Confidentiality
– Nonrepudiation
– Integrity/authentication
– Authorization

Page 27


Network Access Layer (Data Link) Security

Link encryption: hardware encryption devices on a dedicated link between two hosts or routers

Advantages:
– Speed

Disadvantages:
– Not scalable
– Works well only on dedicated links
– The two hardware devices need to be physically connected

Page 28


Internetwork Layer Security

IP Security (IPsec)

Advantages:
– The overhead of key negotiation decreases, because multiple protocols can share the same key management infrastructure
– Ability to build VPNs and intranets
– Provides per-flow or per-connection security

Disadvantages:
– Difficult to provide fine-grained (per-user) security, e.g., nonrepudiation, user-based security

Page 29


Transport Layer Security

Advantages:
– Does not require enhancement to each application

Disadvantages:
– Difficult to obtain user context
– Implemented on an end system (e.g., Transport Layer Security, TLS)
– Protocol specific: implemented for each transport protocol
– Must maintain context for a connection

Page 30


Application Layer Security

Advantages:
– Executes in the context of the user --> easy access to the user's credentials
– Complete access to the data --> easier to ensure nonrepudiation
– The application can be extended to provide security (does not depend on the operating system)
– The application understands its data --> security can be fine-tuned

Disadvantages:
– Implemented in end hosts
– Security mechanisms have to be implemented for each application --> expensive, and a greater probability of making mistakes

Page 31


Application Example

E-mail client using PGP. Extended capabilities:
– Ability to look up the public keys of users
– Ability to provide security services such as encryption/decryption, nonrepudiation, and authentication for e-mail messages

