Networking and network security
5/20/20

Reasons To Know Networking In Regard to Computer Security
■ To understand the flow of information on the Internet
■ To understand the levels of activity in network traffic flow
■ To understand the basis for vulnerabilities
■ To understand the basis for security tools and how they work

Base Principle – Packet Switching
■ Messages broken up into packets
■ Packets are sent onto network, routed to destination, reassembled
■ Advantages (compared to circuit switching; e.g. traditional phones)
■ Better sharing of bandwidth
■ Greater overall efficiency
■ Allows more users, no greater delay

Protocol Layering
■ Protocol: a convention for communication between two agents (aka handshaking)
■ Motivation: Separation of functionality
■ Layers take care of particular task re: information
■ Offer services to next layer in protocol stack
■ Advantage: modularity
■ Disadvantages: possible overlap, redundancy of functionality

Protocol Data Units
■ Layer sends message by building a protocol data unit (PDU)
■ Take data from layer N, add additional information to meet needs of layer N-1
■ PDU handed to next lower layer
■ Lower layer now has responsibility for message

Internet Protocol Stack
■ Seven layers in Open Systems Interconnection (OSI) model
■ 7) Application
■ 6) Presentation
■ 5) Session
■ 4) Transport
■ 3) Network
■ 2) Data Link
■ 1) Physical

General Layer Functions
■ Segmentation / Reassembly
■ Breaking large message into standard size chunks
■ Error Control
■ How to detect or correct errors
■ Flow Control
■ Avoid overwhelming slower systems
■ Multiplexing
■ Sharing of lower-level connections
■ Connection setup
■ How to establish a virtual communication path

Application Layer (7)
■ Function: High-Level Application Systems and End-User Processes
■ Implemented in: Software
■ PDU: Message
■ Examples
■ sftp, http, smtp, ssh, …

Presentation Layer (6)
■ Function: Provides independence from differences in data representation by formatting and encrypting data
■ Implemented in software
■ Examples: ASCII encoding, NFS, FTP file path/name translation

Session Layer (5)
■ Function: Establishes, manages and terminates connections between applications
■ Implemented in software
■ Examples: SSL, DNS, RPC

Transport Layer (4)
■ Function/Service: Transport message from one system to another system
■ Implemented in: Software
■ PDU: Segment
■ Two methods
■ TCP (connection-oriented protocol)
■ UDP (connectionless protocol)

TCP
■ TCP=Transmission Control Protocol
■ Connection-Oriented Service
■ Guaranteed Delivery of Message
■ Flow Control
■ Breaks message into shorter segments
■ Advantage: More Control
■ Examples
■ http, sftp, smtp, ssh

UDP
■ UDP = User Datagram Protocol
■ Connection-less Service
■ No Guaranteed Delivery of Message
■ No Flow Control / Handshaking
■ No Overhead For Connection
■ Continuous Data Stream
■ Advantage: Faster
■ Disadvantage: Possible loss of information
■ Examples
■ Video, Voice (e.g. phone)

Network Layer (3)
■ Function/Service: Routing segments from host to host, through intermediate systems
■ Network Layer receives segment and destination address from Transport Layer
■ Implemented in: Hardware & Software
■ PDU: Datagram
■ Two major parts
■ IP Protocol: structure of datagram, how end systems (and routers) act on this information
■ Routing protocols: for transfer from source host to destination host
■ Examples: IP, IPX

Data Link Layer (2)
■ Function/Service: Move a datagram from one node to the next in the route
■ Implemented in: Hardware
■ PDU: Frame
■ Examples:
■ Ethernet, Token Ring, FDDI, Gigabit Ethernet

Physical Layer (1)
■ Function/Service: Moving physical bits from one network node to an adjacent node
■ Implemented in: Hardware
■ PDU: Bits
■ Examples:
■ Optical fiber, Twisted pair wire, Coaxial cable
■ Voltage levels, signaling

What implements each layer?
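The PDU chain from the layer walkthrough above (message, segment, datagram, frame) is easiest to see by building the headers on the way down and peeling them off again on the way up. The following is an added example written for this page, not code from the lecture: its header layouts (SEG_HDR, DGRAM_HDR, FRAME_HDR), the protocol id TOY_TRANSPORT and the ethertype TOY_ETHERTYPE are constructed simplifications rather than the real TCP, IP or Ethernet formats, and a CRC32 trailer stands in for link-layer error control. The sample addresses and the flip_bit helper are likewise constructed.

```python
import struct
import zlib
import ipaddress

# Constructed, simplified header layouts for illustration only; they are not the
# real TCP/IP/Ethernet formats, just the "add what layer N-1 needs" idea.
SEG_HDR = struct.Struct("!HHH")      # src port, dst port, message length
DGRAM_HDR = struct.Struct("!4s4sB")  # src IPv4, dst IPv4, upper-protocol id
FRAME_HDR = struct.Struct("!6s6sH")  # src MAC, dst MAC, ethertype
TOY_TRANSPORT = 0x11                 # hypothetical protocol id for our segment
TOY_ETHERTYPE = 0x0800               # hypothetical ethertype for our datagram


def build_segment(message: bytes, src_port: int, dst_port: int) -> bytes:
    """Layer 4 PDU: prepend a transport header to the application message."""
    return SEG_HDR.pack(src_port, dst_port, len(message)) + message


def build_datagram(segment: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Layer 3 PDU: prepend the addressing routers act on; the segment is opaque payload."""
    src = ipaddress.IPv4Address(src_ip).packed
    dst = ipaddress.IPv4Address(dst_ip).packed
    return DGRAM_HDR.pack(src, dst, TOY_TRANSPORT) + segment


def build_frame(datagram: bytes, src_mac: bytes, dst_mac: bytes) -> bytes:
    """Layer 2 PDU: link addressing in front, CRC32 trailer behind for error detection."""
    body = FRAME_HDR.pack(src_mac, dst_mac, TOY_ETHERTYPE) + datagram
    return body + struct.pack("!I", zlib.crc32(body))


def encapsulate(message, src_port, dst_port, src_ip, dst_ip, src_mac, dst_mac) -> bytes:
    """Walk the stack downward: message -> segment -> datagram -> frame."""
    segment = build_segment(message, src_port, dst_port)
    datagram = build_datagram(segment, src_ip, dst_ip)
    return build_frame(datagram, src_mac, dst_mac)


def decapsulate(frame: bytes) -> dict:
    """Walk the stack upward, validating each layer's header before handing the payload up."""
    if len(frame) < FRAME_HDR.size + DGRAM_HDR.size + SEG_HDR.size + 4:
        raise ValueError("frame too short")
    body, trailer = frame[:-4], frame[-4:]
    if zlib.crc32(body) != struct.unpack("!I", trailer)[0]:
        raise ValueError("CRC mismatch: frame corrupted on the link")
    src_mac, dst_mac, etype = FRAME_HDR.unpack_from(body)
    if etype != TOY_ETHERTYPE:
        raise ValueError("unknown ethertype %#06x" % etype)
    datagram = body[FRAME_HDR.size:]
    src_ip, dst_ip, proto = DGRAM_HDR.unpack_from(datagram)
    if proto != TOY_TRANSPORT:
        raise ValueError("unknown upper-layer protocol %d" % proto)
    segment = datagram[DGRAM_HDR.size:]
    src_port, dst_port, length = SEG_HDR.unpack_from(segment)
    message = segment[SEG_HDR.size:]
    if len(message) != length:
        raise ValueError("segment length field does not match payload")
    return {
        "src_mac": src_mac, "dst_mac": dst_mac,
        "src_ip": str(ipaddress.IPv4Address(src_ip)),
        "dst_ip": str(ipaddress.IPv4Address(dst_ip)),
        "src_port": src_port, "dst_port": dst_port, "message": message,
    }


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate a single-bit transmission error on the link."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed sample: an HTTP request line from 192.168.1.10 to 203.0.113.5
    frame = encapsulate(b"GET / HTTP/1.0", 40000, 80, "192.168.1.10", "203.0.113.5",
                        b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02")
    print(len(frame), "bytes on the wire")
    print(decapsulate(frame))
    try:
        decapsulate(flip_bit(frame, 100))
    except ValueError as err:
        print("error control caught:", err)
```

Each layer only reads its own header and treats everything after it as payload, which is the modularity the layering slides describe; the CRC check at the bottom is the error-control function listed under General Layer Functions.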
■ End Systems / Hosts: Implements all layers
■ Routers/Switches: Layers 1-3 and possibly IP protocol
■ Bridges: Implements layer 1-2
■ Hubs: Implements layer 1 (essentially repeaters)
■ Firewalls
■ Packet filtering (operate at layer 3)
■ Application gateways (operate at layer 7)

Internet Addressing
■ 32-bit address that uniquely identifies an Internet host
■ Displayed as www.xxx.yyy.zzz (dotted decimal)
■ Split into two parts: network and host
■ Certain network segments reserved
■ Can be used for isolated private networks
■ 10.0.0.0 – 10.255.255.255;
■ 172.16.0.0 – 172.31.255.255;
■ 192.168.0.0 – 192.168.255.255

NAT
[Figure: internal network – boundary router – Internet. Internally use 10/16, 172.0/12, 192.168/16; externally use port numbers to distinguish hosts]
■ Assume traffic is TCP or UDP
■ Replace external port number with index into table identifying internal host and port
■ Deal with other protocols on a case-by-case basis

Ports
■ Certain system processes must respond to a particular application protocol (e.g. sftp, smtp)
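The NAT scheme above (private address inside, public address plus a port-table index outside) as an added example, not code from the lecture. BoundaryNAT, its external port range 20000–29999, the public address 198.51.100.1 and the sample packets are constructed for the illustration; the private ranges are the three listed in the addressing slide, written in CIDR form.

```python
import ipaddress

# The reserved private ranges from the addressing slide, in CIDR form.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls in one of the reserved private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


class BoundaryNAT:
    """Port-based NAT on the boundary router (constructed illustration).

    Outbound packets have their private source rewritten to the router's public
    address plus an external port; that external port is the index into a table
    remembering which internal host and port the flow belongs to.
    """

    def __init__(self, public_ip: str, first_port: int = 20000, last_port: int = 29999):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.table = {}      # (proto, external port) -> (internal ip, internal port)
        self.reverse = {}    # (proto, internal ip, internal port) -> external port

    def outbound(self, pkt: dict) -> dict:
        """Packet from the internal network heading out to the Internet."""
        if pkt["proto"] not in ("tcp", "udp"):
            # The slide's caveat: anything but TCP/UDP needs case-by-case handling.
            raise NotImplementedError(f"no NAT rule for {pkt['proto']}")
        if not is_private(pkt["src"]):
            raise ValueError("outbound packet must come from a private address")
        key = (pkt["proto"], pkt["src"], pkt["sport"])
        ext_port = self.reverse.get(key)
        if ext_port is None:
            if self.next_port > self.last_port:
                raise RuntimeError("NAT port pool exhausted")
            ext_port = self.next_port
            self.next_port += 1
            self.table[(pkt["proto"], ext_port)] = (pkt["src"], pkt["sport"])
            self.reverse[key] = ext_port
        return {**pkt, "src": self.public_ip, "sport": ext_port}

    def inbound(self, pkt: dict):
        """Reply arriving from the Internet: rewritten packet, or None if nobody asked for it."""
        if pkt["proto"] not in ("tcp", "udp") or pkt["dst"] != self.public_ip:
            return None
        entry = self.table.get((pkt["proto"], pkt["dport"]))
        if entry is None:
            return None          # unsolicited: no internal host maps to this port
        internal_ip, internal_port = entry
        return {**pkt, "dst": internal_ip, "dport": internal_port}


if __name__ == "__main__":
    nat = BoundaryNAT("198.51.100.1")
    out = nat.outbound({"proto": "tcp", "src": "192.168.1.10", "sport": 40000,
                        "dst": "203.0.113.5", "dport": 80})
    print("outbound rewritten to", out["src"], out["sport"])
    back = nat.inbound({"proto": "tcp", "src": "203.0.113.5", "sport": 80,
                        "dst": "198.51.100.1", "dport": out["sport"]})
    print("reply delivered to", back["dst"], back["dport"])
```

Two internal hosts can use the same source port because the external port, not the internal one, is what the table is keyed on; an inbound packet whose destination port has no table entry is simply dropped, which is why NAT incidentally blocks unsolicited inbound connections.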
■ Port is the “address” for application communication on system
■ E.g. Port 80 for http
■ E.g. Port 25 for smtp
■ E.g. Port 1521 for Oracle connections
■ Port List: http://www.iana.org/assignments/port-numbers

Socket
■ Interface between the application layer and the transport layer
■ Acts as an API between application and network
■ Programmer only controls application side, plus a few transport level details
■ Transport protocol (TCP or UDP)
■ A few transport parameters (e.g. maximum buffer size)

Additional Information
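The Socket section above, and the TCP versus UDP contrast before it, can be exercised directly with Python's socket module over the loopback interface. This is an added example, not code from the lecture; the one-shot echo server, the function names and the messages are constructed, and the SO_RCVBUF call is the "maximum buffer size" knob the slide mentions (the kernel may round or double the value it reports back).

```python
import socket
import threading


def _tcp_echo_once(listener: socket.socket) -> None:
    """Server side of the TCP demo: accept one connection and echo what arrives."""
    conn, _peer = listener.accept()
    with conn:
        data = conn.recv(4096)
        conn.sendall(data)


def tcp_roundtrip(message: bytes) -> bytes:
    """Connection-oriented: SOCK_STREAM; connect() performs the TCP handshake."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))            # port 0: the OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=_tcp_echo_once, args=(listener,))
    server.start()
    with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
        client.sendall(message)                # delivery and ordering handled by TCP
        reply = client.recv(4096)
    server.join(timeout=5)
    listener.close()
    return reply


def udp_roundtrip(message: bytes) -> bytes:
    """Connectionless: SOCK_DGRAM; sendto() needs no prior handshake at all."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    server.settimeout(5)                       # without a timeout a lost datagram blocks forever
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(5)
    try:
        client.sendto(message, server.getsockname())
        data, peer = server.recvfrom(4096)     # a datagram arrives whole, or not at all
        server.sendto(data.upper(), peer)
        reply, _ = client.recvfrom(4096)
    finally:
        client.close()
        server.close()
    return reply


def transport_parameters() -> dict:
    """The few transport-level knobs the socket API exposes, e.g. receive buffer size."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        before = s.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 65536)
        after = s.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF)
    finally:
        s.close()
    return {"protocol": "tcp", "rcvbuf_before": before, "rcvbuf_after": after}


if __name__ == "__main__":
    print(tcp_roundtrip(b"hello over tcp"))
    print(udp_roundtrip(b"hello over udp"))
    print(transport_parameters())
```

Everything the program chooses is on the application side of the API: stream or datagram, addresses, buffer size. Segmentation, retransmission and the handshake happen inside the transport layer and never appear in the code, which is exactly the division of responsibility the slide describes.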
■ Internet Engineering Task Force (IETF)
■ http://www.ietf.org
■ Primary documents: RFCs
■ IP: RFC 791
■ TCP: RFC 793
■ UDP: RFC 768
■ Internet Addressing: RFC 900
■ OSI Model and Information Security
■ http://www.giac.org/practical/GSEC/Damon_Reed_GSEC.pdf

Firewalls References
• Stallings, Chapter 9
• Cheswick, et al. “Firewalls and Internet Security, 2nd ed.” Addison-Wesley, 2003.
24 Firewalls
• On the day that you take up your command, block the frontier passes, destroy the official tallies, and stop the passage of all emissaries. - Sun Tzu, The Art of War
25 What is a Firewall?
• System or group of systems that enforces an access control policy between two or more networks
• In principle the firewall is a pair of mechanisms:
– one which exists to block traffic
– one which exists to permit traffic
26 What is a Firewall?
• A choke point of control and monitoring
• Interconnects networks with differing trust levels
• Imposes restrictions on network services – only authorized traffic is allowed
• Auditing and controlling access – can implement alarms for abnormal behavior
• Is itself immune to penetration (well, in theory)
• Provides perimeter defense
27 Firewall cartoon
28 Firewall characteristics
• Four techniques used to control access to a network:
– Service control: determines the types of services allowed
• the firewall may filter traffic on the basis of IP address, TCP port number
• may provide proxy services
• may be the mail or web server
– Direction control
• inbound or outbound controls
29 Firewall techniques
– User control • controls access to a service according to the user who is asking for it
– Behavior control • controls how the services are used • for example, may filter spam • limit access to part of the information on a web server
30 Firewall Limitations
• Cannot protect from attacks that bypass the firewall – e.g. sneaker net, utility modems, trusted organizations, trusted services (e.g. SSL/SSH)
• Cannot protect against internal threats – e.g. disgruntled employee, idiots inside organization
• Cannot protect against transfer of all virus infected programs or files – because of the huge range of OS & file types
31 Bottom line
• For a firewall to be effective, it must be part of a consistent overall organizational security architecture
• Firewall policies must be realistic and reflect the level of security in the entire network
32 Types of firewalls
• Network layer
– make decisions based on source or destination addresses or port numbers (look at IP addresses in the Network layer)
– a router is a type of network layer firewall
– the earliest of these types of firewalls did packet filtering based on either the source or destination (or both) addresses in individual packets. (we call these circuit-layer firewalls now)
33 Types of firewalls
• Application layer
– Generally these are hosts running proxy servers which permit no traffic directly between networks and which perform elaborate logging and auditing of traffic passing through them
– Can also be used as NATs
• Circuit-level gateways
– Work at the TCP level (transport layer)
34 Network Layer Firewall using Packet Filters
• Uses the simplest of components
• Foundation of any firewall system
• Examine each IP packet (no context) and permit or deny according to rules
• Hence restrict access to services (ports)
• Possible default policies
– that which is not expressly permitted is prohibited
– that which is not expressly prohibited is permitted
35 Network Layer Firewall using Packet Filters
• Deny/Allow can be based on characteristics of the packet
– source address
– destination address
– port number
• there are a lot of “well known” port numbers
• see http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
36 Attacks on Packet Filters
• IP address spoofing – Fake source address to be trusted – Response: add filters on router to block
• Source routing attacks – Attacker sets a route other than default – Response: block source routed packets
• Tiny fragment attacks – Split header info over several tiny packets – Response: either discard or reassemble before check
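A stateless packet filter with a configurable default policy (the two "Network Layer Firewall using Packet Filters" slides), combined with the three responses listed under "Attacks on Packet Filters": block packets with an internal source address arriving from outside, block source-routed packets, and discard first fragments too small to carry the transport header. This is an added example, not code from the lecture or from any firewall product; Packet, Rule, PacketFilter, INTERNAL_NET, MIN_FIRST_FRAGMENT, INBOUND_RULES and the sample packets are constructed for the illustration.

```python
from dataclasses import dataclass, field
import ipaddress

INTERNAL_NET = ipaddress.ip_network("192.168.0.0/16")  # constructed: the protected network
MIN_FIRST_FRAGMENT = 8  # assumption: bytes a first fragment must carry so the ports are checkable


@dataclass
class Packet:
    iface: str                   # "ext": arrived from the Internet, "int": from inside
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: int = 0
    source_routed: bool = False  # IP source-route option present
    frag_offset: int = 0         # 0 = first (or only) fragment
    payload_len: int = 64


@dataclass
class Rule:
    action: str                                # "permit" or "deny"
    match: dict = field(default_factory=dict)  # Packet field name -> required value

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, name) == value for name, value in self.match.items())


class PacketFilter:
    """Stateless filter: each packet is judged on its own fields, the first matching
    rule wins, and the default policy decides anything no rule mentions."""

    def __init__(self, rules, default_action: str = "deny"):
        self.rules = list(rules)
        self.default_action = default_action

    def hardening_checks(self, pkt: Packet):
        """The three responses from the 'Attacks on Packet Filters' slide, run before the rules."""
        if pkt.iface == "ext" and ipaddress.ip_address(pkt.src) in INTERNAL_NET:
            return "deny: internal source address arriving from outside (spoofing)"
        if pkt.source_routed:
            return "deny: source-routed packet"
        if pkt.frag_offset == 0 and pkt.payload_len < MIN_FIRST_FRAGMENT:
            return "deny: first fragment too small to carry the transport header"
        return None

    def decide(self, pkt: Packet) -> str:
        verdict = self.hardening_checks(pkt)
        if verdict is not None:
            return verdict
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default_action


# Constructed rule set: from outside, only web and mail are reachable.
INBOUND_RULES = [
    Rule("permit", {"iface": "ext", "proto": "tcp", "dport": 80}),
    Rule("permit", {"iface": "ext", "proto": "tcp", "dport": 25}),
]


if __name__ == "__main__":
    samples = {
        "web": Packet("ext", "203.0.113.5", "192.168.1.10", "tcp", dport=80),
        "telnet": Packet("ext", "203.0.113.5", "192.168.1.10", "tcp", dport=23),
        "spoofed": Packet("ext", "192.168.1.50", "192.168.1.10", "tcp", dport=80),
        "source-routed": Packet("ext", "203.0.113.5", "192.168.1.10", "tcp", dport=80, source_routed=True),
        "tiny fragment": Packet("ext", "203.0.113.5", "192.168.1.10", "tcp", dport=80, payload_len=4),
    }
    for policy in ("deny", "permit"):
        fw = PacketFilter(INBOUND_RULES, default_action=policy)
        for name, pkt in samples.items():
            print(f"default {policy:6} | {name:14} -> {fw.decide(pkt)}")
```

Running both default policies against the same rule list shows why "not expressly permitted is prohibited" is the safer choice: under default-permit the unlisted telnet port sails through. The hardening checks sit in front of the rule list so that a permissive rule can never be reached by a packet that lies about where it came from or hides its header across fragments.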
37 Firewalls - Application Level Gateway/Proxy
• Works at the application layer of the OSI stack
• Uses an application-specific gateway / proxy
• Has full access to the protocol
– user requests service from proxy
– proxy validates request as legal
– then acts on the request and returns the result to the user
• Asks the question: should this process accept this connection?
38 Firewalls - Application Level Gateway/Proxy
• Need separate proxies for each service
• Some services naturally support proxying
• Others are more problematic
• Custom services generally not supported
39 Firewalls – Stateful Packet Filters
• Also called circuit layer filters
• Work at the Transport Layer (TCP)
• Examine each IP packet in context
– keeps track of client-server sessions
– checks that each packet validly belongs to one
• Better able to detect bogus packets out of context
• But is susceptible to distributed denial of service attacks
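Session tracking as described on the stateful packet filter slide, as an added example (not lecture code): outbound SYNs from inside create table entries, an inbound packet is permitted only when it matches a tracked session in the expected state, and a fixed max_sessions models the finite state table that a flood of connection attempts can fill. StatefulFilter, Flow, TcpPacket and the sample addresses are constructed; the idle timeouts a real tracker needs for stale half-open entries are deliberately left out to keep the logic visible.

```python
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    SYN_SENT = "syn_sent"        # internal client sent SYN, waiting for SYN-ACK
    ESTABLISHED = "established"


@dataclass(frozen=True)
class Flow:
    """Client-side view of a session: (client addr, client port, server addr, server port)."""
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class TcpPacket:
    direction: str   # "out": sent by the internal client; "in": arriving from the Internet
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


class StatefulFilter:
    """Tracks sessions opened from inside; inbound packets must belong to one.
    max_sessions models the finite state table that an attempt flood can exhaust."""

    def __init__(self, max_sessions: int = 1000):
        self.sessions = {}          # Flow -> State
        self.max_sessions = max_sessions

    def decide(self, p: TcpPacket) -> str:
        if p.direction == "out":
            return self._outbound(p, Flow(p.src, p.sport, p.dst, p.dport))
        # Inbound packets are keyed by the reversed 4-tuple, i.e. the client's view.
        return self._inbound(p, Flow(p.dst, p.dport, p.src, p.sport))

    def _outbound(self, p: TcpPacket, flow: Flow) -> str:
        if p.syn and not p.ack:                       # new session attempt
            if flow in self.sessions:
                return "permit"                       # retransmitted SYN
            if len(self.sessions) >= self.max_sessions:
                return "deny: state table full"
            self.sessions[flow] = State.SYN_SENT
            return "permit"
        if flow not in self.sessions:
            return "deny: outbound packet belongs to no session"
        if p.rst or p.fin:
            # Simplification: tear down on the first FIN/RST; real trackers follow the close handshake.
            del self.sessions[flow]
        return "permit"

    def _inbound(self, p: TcpPacket, client_flow: Flow) -> str:
        state = self.sessions.get(client_flow)
        if state is None:
            return "deny: no matching session (out of context)"
        if state is State.SYN_SENT:
            if p.syn and p.ack:
                self.sessions[client_flow] = State.ESTABLISHED
                return "permit"
            return "deny: expected SYN-ACK for half-open session"
        if p.rst:
            del self.sessions[client_flow]
        return "permit"


if __name__ == "__main__":
    fw = StatefulFilter(max_sessions=2)
    print(fw.decide(TcpPacket("out", "192.168.1.10", 40000, "203.0.113.5", 80, syn=True)))
    print(fw.decide(TcpPacket("in", "203.0.113.5", 80, "192.168.1.10", 40000, syn=True, ack=True)))
    print(fw.decide(TcpPacket("in", "203.0.113.5", 80, "192.168.1.10", 40001, ack=True)))
```

The ACK-only packet to port 40001 is the case the slide calls a bogus packet out of context: a stateless filter with an "ACK flag set means established" rule would let it through, while the session table rejects it because no client ever opened that connection. The tiny max_sessions makes the slide's last point visible too: once the table is full, legitimate new sessions are refused, which is the resource a flood targets.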
40 Firewalls - Circuit Level Gateway
• Creates two TCP connections and ferries traffic between them
• Imposes security by limiting which such connections are allowed
• Once created, usually relays traffic without examining contents
• Typically used when one trusts internal users by allowing general outbound connections
• SOCKS commonly used for this
– most Internet client software understands the SOCKS protocol and can be configured to use SOCKS relay hosts
41 SOCKS?
• SOCKS is short for SOCKetS
• SOCKS is an Internet protocol that allows client-server applications to transparently use the services of a network firewall.
• Clients behind a firewall, needing to access exterior servers, may connect to a SOCKS proxy server instead.
42 Sockets...
• Such a proxy server controls the eligibility of the client to access the external server and passes the request on to the server.
• SOCKS can also be used in the opposite way, allowing the clients outside the firewall ("exterior clients") to connect to servers inside the firewall (internal servers).
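The SOCKS exchange from the circuit-level gateway and SOCKS slides, with both the client's and the proxy's messages, as an added example (not lecture code). The message layouts follow SOCKS version 5 as specified in RFC 1928 (version byte and method negotiation, then a VER/CMD/RSV/ATYP/DST.ADDR/DST.PORT request and a reply of the same shape); SocksGateway, its port-based eligibility policy, the zeroed bind address in server_reply and the sample destinations are constructed for the illustration, and no real connection is opened.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
METHOD_NO_AUTH, METHOD_NONE_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCESS, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07


# ---- client side (software configured to use the SOCKS relay host) ---------
def client_greeting() -> bytes:
    """VER, NMETHODS, METHODS: this client offers only 'no authentication'."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def client_connect_request(host: str, port: int) -> bytes:
    """VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT for a CONNECT to host:port."""
    try:
        ip = ipaddress.ip_address(host)
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    except ValueError:                        # not an IP literal: send the domain name
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


# ---- proxy side (the circuit-level gateway) --------------------------------
def server_choose_method(greeting: bytes) -> bytes:
    """Answer the greeting with VER, METHOD (0xFF = no acceptable method, client must close)."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    chosen = METHOD_NO_AUTH if METHOD_NO_AUTH in greeting[2:] else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def parse_connect_request(req: bytes):
    """Return (cmd, host, port); the length is checked against the address type before parsing."""
    if len(req) < 4 or req[0] != SOCKS_VERSION or req[2] != 0x00:
        raise ValueError("malformed request header")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        end = 8
    elif atyp == ATYP_IPV6:
        end = 20
    elif atyp == ATYP_DOMAIN:
        if len(req) < 5:
            raise ValueError("missing domain length")
        end = 5 + req[4]
    else:
        raise ValueError("unknown address type")
    if len(req) != end + 2:
        raise ValueError("request length does not match address type")
    if atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(req[4:8]))
    elif atyp == ATYP_IPV6:
        host = str(ipaddress.IPv6Address(req[4:20]))
    else:
        host = req[5:end].decode("idna")
    return cmd, host, struct.unpack("!H", req[end:end + 2])[0]


def server_reply(rep: int) -> bytes:
    """VER, REP, RSV, ATYP, BND.ADDR, BND.PORT; bind address zeroed here (constructed choice)."""
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + bytes(4) + bytes(2)


class SocksGateway:
    """Decides eligibility: which destination ports clients may be relayed to."""

    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)

    def handle_request(self, req: bytes) -> bytes:
        cmd, host, port = parse_connect_request(req)
        if cmd != CMD_CONNECT:
            return server_reply(REP_CMD_UNSUPPORTED)
        if port not in self.allowed_ports:
            return server_reply(REP_NOT_ALLOWED)
        # A real gateway would now open the second TCP connection to host:port and
        # relay bytes between the two sockets without inspecting them.
        return server_reply(REP_SUCCESS)


if __name__ == "__main__":
    gw = SocksGateway(allowed_ports={80, 443})
    print(server_choose_method(client_greeting()).hex())
    for host, port in (("203.0.113.5", 443), ("example.com", 23)):
        print(host, port, "->", gw.handle_request(client_connect_request(host, port)).hex())
```

The eligibility decision is the whole of the gateway's security: it is made once, on the CONNECT request, and after a success reply the relay carries application bytes in both directions without looking at them, which is what the circuit-level gateway slide means by relaying traffic without examining contents.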