Network Security #5 IMS584 (네트워크보안)

Fall, 2011 Prof. Huy Kang Kim Agenda

• English Summary for students • I. Designing Firewalls: A Survey • II. Virtual

I. Designing Firewalls: A Survey

Introduction • Demilitarized Zone • Packet Filters Versus Application-Level Gateways • Stateful Firewalls • Additional Services • Limitations of Firewalls

FIREWALL CLASSIFICATION • Personal • Distributed Firewall • Layer 2 Firewall • Appliance Firewall

FIREWALL DEPLOYMENT: MANAGEMENT • Location • Virtual Private Networks • Damage Mitigation Techniques Introduction

• Firewall – a collection of components interposed between two networks that filter traffic between them according to some security policy – Comprising two packet filtering routers – Must be strategically placed so that all traffic between the internal network and the outside world passes through it Introduction

• DMZ (Demilitarized zone) – Acting as a buffer between the internal (trusted) and external (untrusted) networks – Goals • Protecting hosts on the internal (inside) network from attacks from the outside • Allowing machines located in the DMZ to be accessed from the outside and thus be able to provide services to the outside world or serve as stepping stones linking hosts from the internal network to the hosts in the outside world • Enforcing an organization wide security policy – Positioning of the hosts in the DMZ also makes them more vulnerable • Configured with special attention to their security Introduction

• Packet Filters Versus Application-Level Gateways – Packet-level filtering • Rather coarse as it is positioned at the network and transport layers and hence has little or no information about what is happening at the application level – Application-level gateway • Located in the DMZ and processing traffic for specific applications • Handling specific knowledge of the application or user authentication required by higher level policies. • E-mail gateway Introduction

• Stateful Firewalls – Firewall could not know whether the (secondary) connection request (ex, FTP) was issued by an existing connection or it was created independently – Employing state machines to maintain state associated with established protocol connections • Decisions are made on the basis of the information in the packet plus the state of the connection maintained by the firewall Introduction

• Firewalls’ Additional Services – Network Address Translation (NAT) • NAT task is natural to be assigned to Firewalls – Split-Horizon DNS • Maintaining two DNS such as internal DNS and the server in the DMZ – Mitigating Host Fingerprinting • Packet filtering firewalls include “scrub” function -> Allowing applications and hosts on the internal network some protection against hand-crafted packets designed to trigger vulnerabilities • A key part of the obfuscation process is protection against time- dependent probes Introduction

• Firewalls’ Additional Services – Intrusion Detection Systems •Placed within the DMZ and may be traffic monitors or booby- trapped hosts •Traffic monitors –Tapping into all traffic that crosses the DMZ and attempt to identify patterns that may indicate an attack •Booby-trapped systems (honeypots) –Configured to look like potential targets for attack •Output from the IDS is used as a signal to trigger attack containment and mitigation actions Introduction

• Limitations of (Traditional) firewalls – Firewalls need to be customized to the needs of their environment – Firewalls tend to become congestion points due to the increasing line speeds and the more computationally intensive protocols – Firewalls increases the management problem such as performance, fault tolerance, and other reasons – Traditional firewalls can do very little, if anything, against a disgruntled employee – Firewalls are generally not intended to guard against misbehavior by insiders, there is a tension between internal needs for more connectivity and the difficulty of satisfying needs with a centralized firewall

Introduction

• Limitations of (Traditional) firewalls –End-to-end encryption can also be a threat to firewalls –There are protocols that firewalls find relatively difficult to handle because they involve multiple, seemingly independent packet flows, for example, FTP –There is an increasing need for finer grained (and even application-specific) access control which standard firewalls cannot readily accommodate without greatly increasing their complexity and processing requirements –Firewalls are still useful is that they provide an obvious, mostly hassle-free, mechanism for enforcing network security policy

Firewall Classification

• There exist a number of other firewalls that are customized for particular applications or environments • Personal Firewall – Software that runs on your workstation and acts as a packet filtering firewall – Installing kernel-level software that monitors and intercepts network- related calls. In this way the firewall can determine which process is sending the packets –Advantage •It can associate rules with programs –Weakness •It runs under a general-purpose operating system and must coexist with services that run with elevated privileges (sometimes without the user even being aware of it). If a privileged process is compromised, then the firewall can be confused or even subverted •Assuming that network-aware processes can be infected, the intruder will have all the privileges of the infected process, which may be more than adequate to carry out its mission Firewall Classification

• Distributed Firewall –Proposed for addressing conventional firewalls’ shortcomings such as relying on topology restrictions and controlled network entry points and be unable to filter traffic it does not see –Security policy is defined centrally but enforced at each individual network endpoint –Necessary three components •A language for expressing policies and resolving requests •A mechanism for safely distributing security policies •A mechanism that applies the security policy to incoming packets or connections

• Disadvantage of Both the Distributed and the Personal Firewalls –Any breach of security by one of the other applications (e.g., a virus infection) may interfere with the operation of the firewall

Firewall Classification

• Layer 2 Firewall –Traditional Firewall •Operating at the internetwork (IP) layer -> Designed to operate at the same layer as the machine that they replaced (the routers) –Like to position our firewall as a “bump in the wire”, so that it is transparent to the rest of the network elements. –The transparency of the layer 2 firewall to the IP hosts allows the insertion of a firewall without disrupting the operation of the network –Allowing easy deployment (essentially on demand) in order to provide increased security to a specific segment of the internal network, to troubleshoot a problem, or to mitigate an ongoing attack Firewall Classification

• Layer 2 Firewall

(a) Network without internal firewall requires a single IP address space

(b) Adding a firewall as a requires the network address space to be split in two

(c) Adding a bridging firewall can be done without any modifications to the network or hosts Firewall Classification

• Using Layer 2 Firewall to Prevent ARP Spoofing Attacks –ARP spoofing attacks •Involved in a (hostile) host (H) that issues fake gratuitous ARP packets providing its MAC address for the address of a host (R) that is to be spoofed -> If the recipient (S) of the gratuitous ARP packet has the IP address in its cache, it will replace the corresponding MAC address with the new (spoofed) MAC address, then the victim host will now send all packets destined for R to H because its ARP cache has been contaminated –Allow ARP packets through while verifying that the information within them is consistent with previous traffic and flag cases where MAC-to-IP address mappings change

Firewall Classification

• Appliance Firewall –A dedicated hardware device external to the host that we want to protect –Acting as a traditional firewall, but it only protects a single host –Must implement the site security policy, there is a need for distributing this policy to all appliance firewalls in the network in a secure manner •The appliance firewalls download security policy updates at regular intervals •The user of the protected host initiates a policy update –Particularly effective in helping mobile users secure their laptops •The appliance firewall may be used as a (VPN) gateway to allow the mobile user access to the home network

Firewall Deployment: Management

• Location –Considerable care must be taken in determining placement of firewall assets –Perimeter Firewalls •Where one firewall sees all traffic to and from that organization’s network and enforces its security policy •For manageability and traffic aggregation –The reasons of Usage of Perimeter Firewalls •For redundancy (fail-over) reasons, a small pool of firewalls share the burden of managing one network uplink •The cluster approach also serves to mitigate the performance impact of firewalls by load balancing traffic across its members •Typical organizations have multiple connections to the public network () nowadays, often for fail-over reasons

Firewall Deployment: Management

Organization A has two geographically (and topologically) distinct branch network, each with its own uplink to the Internet. Organization A’s main branch also has a secondary uplink and uses clusters of firewalls for redundancy and performance reasons. Organization B has only one network attachment and uses a single firewall Firewall Deployment: Management

• Location –Modern organizations further augment their perimeter firewalls with auxiliary, internal firewalls that protect specific networks and resources •This partitioning of the internal network is often done across departmental boundaries and mirrors the “need-to-know” approach to security •Internal Firewalls are also used to define the boundaries of so-called Extranets –Difference between Perimeter and Internal Firewalls •Perimeter firewalls are faster and more expensive, since they need to handle significantly more traffic •Intrusion prevention functionality is more often used by internal firewalls Firewall Deployment: Management

• Virtual Private Networks (VPNs) –VPN implementations must include a packet filtering firewall to determine which packets will get sent through the VPN –In order to prevent spoofing or injection attacks, the VPN firewall must also examine the incoming packets •Three possible responses to packets –They should be sent via the VPN. –They should be sent outside the VPN –They should not be sent at all –VPN connections from the outside are not fully trusted and external users are forced to use DMZ-style networks that provide limited services Firewall Deployment: Management

• Damage Mitigation Techniques –Firewalls act primarily as damage prevention mechanisms •Primary role is to keep unauthorized entities outside the protected network by enforcing the organization’s security policy –Often, the policy or the mechanisms that enforce it prove to be incapable of warding off an attack -> administrators are expected to manually intervene, often alerted by an IDS that detects a specific attack or a general anomaly –Modern firewalls increasingly employ automated countermeasures •Intrusion prevention •Intrusion quarantining Firewall Deployment: Management

• Damage Mitigation Techniques – Intrusion Prevention Systems • Can also allow for somewhat more permissive treatment of outside or unknown users by allowing them to interact with protected systems in limited ways; if an attack (or suspicious behavior) is detected, these privileges can be automatically revoked • Most IDSs also exhibit an unacceptable number of false negatives, that is, they misidentify attacks as legitimate behavior (and do not raise an alert) -> IPSs are often used to detect misbehaving of legitimate users, with outsiders being governed solely by access control rules

Firewall Deployment: Management

• Damage Mitigation Techniques – Host-Subnet Quarantining • With the drastic increase of network worm and virus -> Organizations have turned to firewalls as a means of containing such attacks • Updating the perimeter firewall’s policy to contain newly discovered attacks • Internal firewalls are increasingly used to quarantine subnets or specific hosts that exhibit suspicious behavior by taking advantage of some of the observable characteristics of fast-spreading worms • Internal firewalls, often deployed at the LAN level, can block off hosts that appear to have been infected Firewall Deployment: Management

• Damage Mitigation Techniques – Host-Subnet Quarantining • In the more advanced quarantining approaches, the infected host is placed in a virtual LAN (VLAN) that allows it to access a Web server containing the latest software patches for several operating systems -> The user can then install these patches and restart the system without the worm or danger of being reinfected • Proactive way – When a new node appears on the network, the firewall scans it for known vulnerabilities using the same techniques (and often the same software) that attackers use to identify vulnerable hosts. If the firewall determines that the host is running software that is known to be vulnerable and has not been patched, the host is placed in the same VLAN and the user directed to a Web page with instructions on how to update the system Virtual Private Networks

Introduction•

VPN OVERVIEW

VPN BENEFITS

VPN TERMINOLOGY

VPN TAXONOMY •Security Requirements •Tunneling Protocols

IPSEC • Authentication Header • Encapsulating Security Payload • Example Usage of AH and ESP • Internet Key Exchange Introduction

• VPNs – An effective and popular means for providing secure communications between geographically distributed network entities – Providing a mechanism by which two networks can communicate with each other over a public infrastructure, such as the Internet, by tunneling the data in a way that emulates a logical point-to-point connection – Providing secure connectivity between a corporate network and remote users, branch offices, or business partners. In addition to cost-effective security – Offering other significant advantages such as scalability, flexibility, ease of management, and ubiquitous coverage Introduction

• IPSec (Internet Protocol Security) – A framework of open standards proposed by the Internet Engineering Task Force (IETF)

– As the best security solution for VPNs because it provides end- to-end, per-packet and/or per-session security and efficient key exchange and incorporates a variety of standard encryption and authentication algorithms VPN Overview

• VPN Definition –As a network that provides a secure link between two private networks • The network is virtual because data are tunneled through a public network, such as the Internet emulating a logical point-to-point connection • Network is private because the tunnel provides data confidentiality, integrity, authentication, and access control • Simple Concept –The payload is encapsulated with a new header by the tunnel endpoint when it enters the tunnel and deencapsulated when it leaves the tunnel –By the addition of the new header, the payload can be encrypted and authenticated –The tunnel endpoints provide access control –VPN tunnels can be established on different intermediary networks and protocols VPN Overview

(a)VPN tunnel between two private networks

(b) how a VPN tunnel enables security VPN Benefits

• Cost Savings –With a VPN, long-distance leased lines can be replaced by a short dedicated connection to the nearest point of presence (POP) of the Internet service provider (ISP) • Scalability –Can easily extend the geographic reach of the company’s networks since new connections can be added easily • Flexibility –Since tunnel users are not boxed into using too little or too much bandwidth –New value-added services can be deployed easily with VPNs

VPN Terminology

• VPN Client – A device that initiates a VPN tunnel with a VPN server • VPN Server – A device that accepts a VPN tunnel request from a VPN client • VPN Tunnel – A secure logical connection between two private networks across a public network • Tunnel Endpoints – The two devices that are at the start and culminating points of a VPN tunnel VPN Terminology

– A network protocol that enables setting up of a VPN tunnel and typically provides secure communication • P (Provider) Network and C (Customer) Network – The provider backbone network, typically a public infrastructure network like the Internet – A C network is one that is owned and managed by a customer - a private network • P Devices and C Devices – The core devices that switch and forward packets in the P network – Similarly, the C devices are core devices in the C network VPN Terminology

• PE (Provider Edge) Devices and CE (Customer Edge) Devices – PE devices are P devices at the edge of the P network that connect to devices in the C network – Similarly, the CE devices are at the edge of the C network • VPN Concentrator – A device (typically) at the server side to which multiple VPN tunnels are terminated

VPN Taxonomy VPN Taxonomy

• Security Requirements – Confidentiality with encryption engines – Integrity with one-way hash function – Authentication with digital signature – Certification with digital signature – Access Control with firewalls or other filtering mechanisms – Key Management

VPN Taxonomy

• Tunneling Protocols –PPTP (Point-to-Point Tunneling Protocol) • Documented in the IETF request for RFC 2637 • A layer 2 tunneling protocol that provides authenticated and encrypted access from desktops to remote-access servers • Using PPP (Point-to-Point Protocol) data link connections and comes in two operational modes – The ISP’s access server intercepts the remote user’s PPP connection and builds a tunnel to the corporate network – The VPN tunnel can be constructed all the way from the remote user to the corporate network • Relying on the encryption and authentication mechanisms – DES, 3-DES for encryption – PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol) for authentication

VPN Taxonomy

• Tunneling Protocols from Cisco –L2F (Layer 2 Forwarding) •Using PPP for encryption and authentication but extends authentication to support TACACS+ (Terminal Access Controller Access Control System) and RADIUS (Remote Authentication Dial-in User Service) authentication by using EAP (Extensible Authentication Protocol) •Supporting two levels of authentication –One from the remote user to the ISP POP –The other from the ISP POP to the corporate gateway •Multiple VPN tunnels can be established using L2F. While PPTP supports only IP, L2F can run on top of other layer 2 protocols such as ATM and frame relay

VPN Taxonomy

• L2TP (Layer 2 Tunneling Protocol) –In order to remove the noninteroperability limitation of L2F, it was combined with PPTP to produce the IETF and industry standard L2TP • IPSec (IP Security) –A set of open standards for a layer 3 tunneling protocol for VPNs –Incorporating per-packet, end-to-end, and segment-by-segment protection and accommodates a wide variety of strong cryptographic algorithms for confidentiality, integrity, and authentication and an effective key management procedure –While PPTP, L2F, and L2TP are mainly applicable to user–site VPNs, IPSec can be targeted for both site–site and user–site VPNs

VPN Taxonomy

• SSL/TLS (Secure Sockets Layer/Transport Layer Security) –SSL is an application layer tunneling protocol that is supported by most Web browsers to secure HyperText Transfer Protocol (HTTP) documents –SSL/TLS provides server authentication by digital certificates and an optional server–client subauthentication –Encryption is by DES, 3DES, RC2 (Rivest Cipher 2), or RC4 (Rivest Cipher 4), and keyed hash MD-5 (Message Digest 5) and SHA-1 (secure hash algorithm) ensure message integrity –RFC 2246 documents the TLS protocol

VPN Taxonomy

• Summary of VPN Tunneling Protocols IPSec

• IPSec –A network layer tunneling protocol for IP proposed by IETF as a set of open standards –Providing per-packet, per-session, end-to-end, and segment-by-segment protection –Ensuring multilevel protection by combining a number of standard cryptographic measures •Private key encryption with DES, 3DES, CAST 128, RC5, or IDEA •Authentication with HMAC-MD5 or HMAC-SHA •Diffie–Hellman exchanges to generate secret keys at the tunnel endpoints •Protection of Diffie–Hellman exchanges by public key encryption •Validation of public keys by digital certificates

IPSec

• IPSec –Consisting of three main components •Authentication header AH •Encapsulating security payload ESP •Internet key exchange IKE

• IPSec Authentication Header –Containing a hashed message digest for the contents of the packet and thus ensuring integrity and authentication of the packet –Containing a sequence number for prevention of replay attacks and a security parameters index (SPI)

IPSec

• IPSec Authentication Header –No encryption is provided with AH –Transport mode –Tunnel mode •A new IP header is added in front of AH

AH Format AH Transport and Tunnel Modes IPSec

• Encapsulating Security Payload –Using ESP ensures data confidentiality by encryption in addition to integrity and authentication –ESP contains a header chunk with the SPI and other parameters and a trailer chunk with the authentication data –The packet portion between the ESP header and trailer gets encrypted

ESP Format IPSec

• Example Usage of AH and ESP –IPSec allows bundling of AH and ESP together in one VPN tunnel •This flexibility allows the VPN tunnel to be tailored according to the security requirements IPSec

• Example Usage of AH and ESP

IPSec

• Internet Key Exchange – The two peers setting up the IPSec VPN tunnel first set up a SA • SA defines followings – Encryption algorithm and its key, – Authentication algorithm and its key – AH and ESP modes, key life times – Lifetime of the SA itself IPSec

• Internet Key Exchange – IKE Process for generating the secret key for data transfer • Phase 1 – Proposals for SA are sent and negotiated – A Diffie–Hellman exchange is done to generate a master key – Encrypted with the master key, digital signatures and certificates are exchanged to authenticate the peers • Phase 2 – A second Diffie–Hellman exchange is done to generate a private data exchange key. This Diffie–Hellman exchange is protected by the master key – The private data exchange key is used to transfer data (for ESP modes) • Private keys can be refreshed every few minutes using encrypted Diffie–Hellman exchanges Current Research on VPNs

• Configurable and Programmable VPNs • Resource management in VPNs and cost optimization • Wireless VPNs • Design of management architectures, security policies, and policy distribution architectures