Networking and network security

5/20/20

Reasons To Know Networking In Regard to Computer Security

■ To understand the flow of information on the

■ To understand the levels of activity in network traffic flow

■ To understand the basis for vulnerabilities

■ To understand the basis for security tools and how they work

Base Principle –

■ Messages broken up into packets

■ Packets are sent onto network, routed to destination, reassembled

■ Advantages (compared to circuit switching; e.g. traditional phones)

■ Better sharing of bandwidth

■ Greater overall efficiency

■ Allows more users; delay is statistical (it grows with load) rather than fixed

Protocol Layering

■ Protocol: a convention for communication between two agents (a handshake is one part of a protocol)

■ Motivation: Separation of functionality

■ Layers take care of particular task re: information

■ Offer services to the next layer up

■ Advantage: modularity

■ Disadvantages: possible overlap, redundancy of functionality

Protocol Data Units

■ A layer sends a message by building a Protocol Data Unit (PDU)

■ Layer N takes the data handed down from layer N+1 and adds its own header (and sometimes a trailer), producing the layer-N PDU

■ PDU handed to next lower layer

■ Lower layer now has responsibility for message

Stack

■ Seven layers in the Open Systems Interconnection (OSI) model

■ 7) Application

■ 6) Presentation

■ 5) Session

■ 4) Transport

■ 3) Network

■ 2) Data Link

■ 1) Physical

General Layer Functions

■ Segmentation / Reassembly

■ Breaking large message into standard size chunks

■ Error Control

■ How to detect or correct errors

■ Flow Control

■ Avoid overwhelming slower systems

■ Multiplexing

■ Sharing of lower-level connections

■ Connection setup

■ How to establish a virtual communication path

Application Layer (7)

■ Function: High-Level Application Systems and End-User Processes

■ Implemented in: Software

■ PDU: Message

■ Examples

■ sftp, http, smtp, ssh, …

Presentation Layer (6)

■ Function: Provides independence from differences in data representation by formatting and encrypting data

■ Implemented in software

■ Examples: ASCII encoding, NFS (via XDR), FTP file path/name translation

Session Layer (5)

■ Function: Establishes, manages and terminates connections between applications

■ Implemented in software

■ Examples: SSL, DNS, RPC (loose mappings; the TCP/IP suite has no distinct session layer)

Transport Layer (4)

■ Function/Service: Transport message from one system to another system

■ Implemented in: Software

■ PDU: Segment

■ Two methods

■ TCP (connection-oriented protocol)

■ UDP (connectionless protocol)

TCP

■ TCP=Transmission Control Protocol

■ Connection-Oriented Service

■ Reliable, in-order delivery (lost segments are retransmitted; the sender is told if delivery fails)

■ Flow Control

■ Breaks message into shorter segments

■ Advantage: More Control

■ Examples

■ http, sftp, smtp, ssh

UDP

■ UDP = User Datagram Protocol

■ Connection-less Service

■ No Guaranteed Delivery of Message

■ No Flow Control / Handshaking

■ No Overhead For Connection

■ Independent datagrams, no stream abstraction (well suited to continuous media)

■ Advantage: Faster

■ Disadvantage: Possible loss of information

■ Examples

■ Video, Voice (e.g. phone), DNS queries

Network Layer (3)

■ Function/Service: Move segments from host to host, through intermediate systems

■ Network Layer receives segment and destination address from Transport Layer

■ Implemented in: Hardware & Software

■ PDU: Datagram

■ Two major parts

■ IP Protocol: structure of datagram, how end systems (and routers) act on this information

■ Routing protocols: compute the paths along which datagrams are forwarded from source host to destination host

■ Examples: IP, IPX

Data Link Layer (2)

■ Function/Service: Move a datagram from one node to the next along the route, over a single link

■ Implemented in: Hardware

■ PDU: Frame

■ Examples: Token Ring, FDDI, Gigabit Ethernet

Physical Layer (1)

■ Function/Service: Transmitting raw bits from one network node to an adjacent node

■ Implemented in: Hardware

■ PDU: Bits

■ Examples:

■ Optical fiber, Twisted pair wire, Coaxial cable

■ Voltage levels, signaling

What implements each layer?

■ End Systems / Hosts: Implements all layers

■ Routers: layers 1-3 (IP forwarding); Switches: layers 1-2 (layer-3 switches also route)

■ Bridges: Implement layers 1-2

■ Hubs: Implement layer 1 (essentially repeaters: every frame reaches every port, so any attached host can sniff all traffic)

■ Firewalls

■ Packet filtering (operates at layers 3-4: IP addresses and TCP/UDP ports)

■ Application gateways (operate at layer 7)

Internet Addressing

■ IPv4 address: 32 bits that uniquely identify an Internet host

■ Displayed in dotted-decimal form, www.xxx.yyy.zzz

■ Split into two parts: network and host

■ Certain network segments reserved

■ Can be used for isolated private networks

■ 10.0.0.0 – 10.255.255.255;

■ 172.16.0.0 – 172.31.255.255;

■ 192.168.0.0 – 192.168.255.255

NAT

[Figure: the NAT device sits on the boundary between the internal network and the Internet. Internally use the private ranges 10/8, 172.16/12 and 192.168/16; externally use port numbers to distinguish internal hosts.]

■ Assume traffic is TCP or UDP

■ Replace the internal source address and port with the NAT's external address and a port number that indexes a table entry identifying the internal host and port; reverse the mapping on replies

■ Deal with other protocols (e.g. ICMP, or protocols such as FTP that embed addresses in their payload) on a case-by-case basis
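The port-based NAT described above, as an added worked example (this is not code from the original slides). One public address is shared; the external port number is the index into the translation table. All addresses, ports and traffic are constructed for the example (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges). The inbound lookup deliberately includes the remote endpoint, so only the host that a flow was opened to can use the mapping:

```python
"""NAT with port translation (PAT), as sketched on the slides above.

Added illustration, not from the original slides.  All addresses, ports and
traffic here are constructed for the example (203.0.113.0/24 and
198.51.100.0/24 are documentation ranges).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# the three RFC 1918 ranges listed on the slide
PRIVATE_NETS = [ip_network("10.0.0.0/8"),
                ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]


def is_private(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp": the slide's simplifying assumption
    src: str
    sport: int
    dst: str
    dport: int


class PortNAT:
    """One public address; the external port number is the index into the table."""

    def __init__(self, public_ip: str, first_port: int = 40000, last_port: int = 40009):
        self.public_ip = public_ip
        self.free_ports = list(range(first_port, last_port + 1))
        # outbound key: full internal 5-tuple -> external port
        self.out_map: dict = {}
        # inbound key: (proto, ext_port, remote_ip, remote_port) -> (int_ip, int_port)
        # Keying on the remote endpoint too means only the peer we talked to can
        # use the mapping; keying on ext_port alone would let any outside host in.
        self.in_map: dict = {}

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto not in ("tcp", "udp"):
            raise ValueError("non-TCP/UDP traffic needs protocol-specific handling")
        if not is_private(pkt.src):
            raise ValueError("only RFC 1918 sources are translated here")
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        ext_port = self.out_map.get(key)
        if ext_port is None:
            if not self.free_ports:
                raise RuntimeError("translation table full")
            ext_port = self.free_ports.pop(0)
            self.out_map[key] = ext_port
            self.in_map[(pkt.proto, ext_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, ext_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse translation for a reply; None means no entry, so the packet is dropped."""
        if pkt.dst != self.public_ip:
            return None
        entry = self.in_map.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None
        int_ip, int_port = entry
        return Packet(pkt.proto, pkt.src, pkt.sport, int_ip, int_port)


def demo() -> dict:
    nat = PortNAT("203.0.113.7")
    a = nat.outbound(Packet("tcp", "192.168.1.20", 51000, "198.51.100.80", 80))
    # a second host using the same source port inside gets a distinct port outside
    b = nat.outbound(Packet("tcp", "192.168.1.21", 51000, "198.51.100.80", 80))
    reply_a = nat.inbound(Packet("tcp", "198.51.100.80", 80, a.src, a.sport))
    # unsolicited packet to a mapped port from a host we never talked to: dropped
    stray = nat.inbound(Packet("tcp", "198.51.100.99", 4444, "203.0.113.7", a.sport))
    return {"a": a, "b": b, "reply_a": reply_a, "stray": stray}
```

Note that the table is finite: a host that opens many short flows (or an attacker who can make it do so) exhausts the port pool, which is why real NATs age entries out and cap per-host allocations.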

Ports

■ A system process listens for a particular application protocol (e.g. sftp, smtp) and must respond to it

■ Port is the “address” for application communication on system

■ E.g. Port 80 for http

■ E.g. Port 25 for smtp

■ E.g. Port 1521 for Oracle connections

■ Port List: http://www.iana.org/assignments/port-numbers

Socket

■ Interface between the application layer and the transport layer

■ Acts as an API between application and network

■ Programmer only controls application side, plus a few transport level details

■ Transport protocol (TCP or UDP)

■ A few transport parameters (e.g. maximum buffer size)
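A worked example of the socket API described above, added here and not part of the original slides: the application chooses the transport (TCP or UDP) and a receive-buffer size, and everything below that is the stack's business. Both exchanges run over the loopback interface on an ephemeral port the OS assigns; the payloads are constructed.

```python
"""The socket as the application/transport boundary: the application picks TCP or
UDP and a few transport knobs (here the receive buffer), nothing below that.

Added example, not from the original slides.  Both exchanges run over loopback on
an ephemeral port the OS assigns; the payloads are constructed.
"""
import socket
import threading


def recv_exactly(sock: socket.socket, n: int) -> bytes:
    """TCP is a byte stream: one send may arrive as several recv() results."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(min(4096, n - len(buf)))
        if not chunk:
            break
        buf += chunk
    return buf


def tcp_echo_roundtrip(payload: bytes, rcvbuf: int = 65536) -> bytes:
    """Connection-oriented: listen/accept, three-way handshake, then a stream."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)   # SOCK_STREAM = TCP
    srv.settimeout(5)
    srv.bind(("127.0.0.1", 0))                                # port 0: OS chooses
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _peer = srv.accept()     # peer address was confirmed by the handshake
        with conn:
            conn.sendall(recv_exactly(conn, len(payload)))

    t = threading.Thread(target=serve)
    t.start()
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, rcvbuf)  # one of the few transport knobs
    cli.settimeout(5)
    cli.connect(("127.0.0.1", port))
    cli.sendall(payload)
    echoed = recv_exactly(cli, len(payload))
    cli.close()
    t.join()
    srv.close()
    return echoed


def udp_roundtrip(payload: bytes):
    """Connectionless: no handshake, one datagram in, one datagram out.  The peer
    address recvfrom() reports is whatever the IP header said; nothing has verified
    it, which is why UDP services are the usual target of spoofed floods."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)     # SOCK_DGRAM = UDP
    srv.settimeout(5)
    srv.bind(("127.0.0.1", 0))
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(5)
    cli.sendto(payload, srv.getsockname())                     # no connect() needed
    data, peer = srv.recvfrom(65535)
    srv.sendto(data, peer)
    echoed, _ = cli.recvfrom(65535)
    srv.close()
    cli.close()
    return echoed, peer[0]
```

The two functions expose the security-relevant difference between the transports at the API level: the TCP server only ever sees a peer that completed the handshake, while the UDP server answers whatever address is in the datagram it received.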

Additional Information

■ Internet Engineering Task Force (IETF)

■ http://www.ietf.org

■ Primary documents: RFCs

■ IP: RFC 791

■ TCP: RFC 793

■ UDP: RFC 768

■ Internet Addressing: RFC 900

■ OSI Model and Information Security

■ http://www.giac.org/practical/GSEC/Damon_Reed_GSEC.pdf

Firewalls

References

• Stallings, Chapter 9

• Cheswick et al., “Firewalls and Internet Security, 2nd ed.” Addison-Wesley, 2003.

Firewalls

• On the day that you take up your command, block the frontier passes, destroy the official tallies, and stop the passage of all emissaries. - Sun Tzu, The Art of War

What is a Firewall?

• System or group of systems that enforces an access control policy between two or more networks

• In principle the firewall is a pair of mechanisms:

– one which exists to block traffic

– one which exists to permit traffic

What is a Firewall? (continued)

• A choke point of control and monitoring

• Interconnects networks with differing trust levels

• Imposes restrictions on network services – only authorized traffic is allowed

• Auditing and controlling access – can implement alarms for abnormal behavior

• Is itself immune to penetration (well, in theory)

• Provides perimeter defense


Firewall characteristics

• Four techniques used to control access to a network:

– Service control: determines the types of services allowed
  • the firewall may filter traffic on the basis of IP address or TCP port number
  • may provide proxy services
  • may itself be the mail or web server

– Direction control: inbound or outbound controls

– User control: controls access to a service according to the user who is asking for it

– Behavior control: controls how the services are used
  • for example, may filter spam
  • limit access to part of the information on a web server

Firewall Limitations

• Cannot protect from attacks that bypass the firewall
– e.g. sneaker net, utility modems, trusted organizations, encrypted or tunneled services the firewall cannot inspect (e.g. SSL/SSH)

• Cannot protect against internal threats
– e.g. disgruntled employees, careless users inside the organization

• Cannot protect against transfer of all virus-infected programs or files
– because of the huge range of OS and file types

Bottom line

• For a firewall to be effective, it must be part of a consistent overall organizational security architecture

• Firewall policies must be realistic and reflect the level of security in the entire network

Types of firewalls

• Network layer

– make decisions based on source or destination addresses or port numbers (look at IP addresses in the Network layer)

– a router with access control lists acts as a network layer firewall

– the earliest of these firewalls did packet filtering based on the source or destination (or both) addresses in individual packets, with no memory of earlier packets (stateless packet filters)

Types of firewalls (continued)

• Application layer
– Generally these are hosts running proxy servers which permit no traffic directly between networks and which perform elaborate logging and auditing of traffic passing through them
– Can also be used as NATs

• Circuit-level gateways
– Work at the TCP level (transport layer)

Network Layer Firewall using Packet Filters

• Uses the simplest of components

• Foundation of any firewall system

• Examine each IP packet (no context) and permit or deny according to rules

• Hence restrict access to services (ports)

• Possible default policies
– that which is not expressly permitted is prohibited (default deny)
– that which is not expressly prohibited is permitted (default allow)

Network Layer Firewall using Packet Filters (continued)

• Deny/Allow can be based on characteristics of the packet
– source address
– destination address
– port number

• there are a lot of “well known” port numbers
– see http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
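A stateless packet filter of the kind described on the two slides above, as an added worked example (not code from the original slides): rules are tried in order, the first match wins, and the default policy catches everything else. The addresses, the rule set, and the "iface" field (which interface a packet arrived on) are constructed; 192.168.10.0/24 plays the internal network. The first rule is the ingress anti-spoofing check a practitioner would add, and the demo shows why its position in the list matters.

```python
"""Stateless packet filter: rules in order, first match wins, the default policy
catches the rest.  Added example, not from the original slides.  The addresses,
the rule set and the "iface" field (the interface a packet arrived on) are
constructed; 192.168.10.0/24 plays the internal network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str          # "ext" = arrived from the Internet, "int" = from inside
    proto: str          # "tcp", "udp", "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    iface: Optional[str] = None     # None matches anything
    proto: Optional[str] = None
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


def decide(rules: List[Rule], p: Packet, default: str) -> Tuple[str, str]:
    """Judge one packet on its own fields alone; no memory of earlier packets."""
    for r in rules:
        if r.matches(p):
            return r.action, r.comment
    return default, "default policy"


INTERNAL = "192.168.10.0/24"

RULES = [
    # ingress anti-spoofing first: our own addresses never arrive from outside
    Rule("deny", iface="ext", src=INTERNAL, comment="spoofed internal source"),
    Rule("permit", iface="ext", proto="tcp", dst="192.168.10.25/32", dport=25,
         comment="SMTP to the mail host"),
    Rule("permit", iface="ext", proto="tcp", dst="192.168.10.80/32", dport=80,
         comment="HTTP to the web host"),
    Rule("permit", iface="int", src=INTERNAL, comment="anything outbound from inside"),
]


def demo() -> dict:
    web = Packet("ext", "tcp", "198.51.100.5", "192.168.10.80", 40000, 80)
    spoof = Packet("ext", "tcp", "192.168.10.7", "192.168.10.80", 40000, 80)
    telnet = Packet("ext", "tcp", "198.51.100.5", "192.168.10.80", 40001, 23)
    misordered = RULES[1:] + RULES[:1]        # anti-spoof rule moved to the end
    return {
        "web": decide(RULES, web, "deny")[0],
        "spoof": decide(RULES, spoof, "deny")[0],
        "spoof_misordered": decide(misordered, spoof, "deny")[0],   # the HTTP permit fires first
        "telnet_default_deny": decide(RULES, telnet, "deny")[0],
        "telnet_default_permit": decide(RULES, telnet, "permit")[0],
    }
```

The telnet case shows the two default policies side by side: under default deny the unlisted service is blocked, under default allow it is reachable even though nobody meant to expose it. The misordered case shows that a permit placed before the anti-spoofing deny lets a packet with a forged internal source through.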

Attacks on Packet Filters

• IP address spoofing
– Fake source address to be trusted
– Response: add filters on router to block

• Source routing attacks
– Attacker sets a route other than default
– Response: block source routed packets

• Tiny fragment attacks
– Split header info over several tiny packets
– Response: either discard or reassemble before check
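The source-routing and tiny-fragment responses above, implemented against raw IPv4 headers, as an added example (not code from the original slides). It decodes the header and option list, rejects packets carrying a loose or strict source route option, and applies the fragment rules from RFC 1858 ("Security Considerations for IP Fragment Filtering"): a TCP first fragment must carry enough of the transport header for the filter to inspect, and a TCP fragment at offset 1 (the one that could overwrite the flags of an otherwise clean first fragment) is dropped outright. The 20-byte minimum is this example's conservative choice (the full fixed TCP header); the packets are constructed byte strings using documentation addresses.

```python
"""Checks a packet filter needs against source-routing and tiny-fragment tricks.

Added example, not from the original slides; the packets below are constructed
byte strings.  TCP_MIN_FIRST = 20 (the full fixed TCP header) is this example's
conservative choice of how much transport header a first fragment must carry.
"""
import struct

IPOPT_EOL, IPOPT_NOP = 0x00, 0x01
IPOPT_LSRR, IPOPT_SSRR = 0x83, 0x89      # loose / strict source route option types
PROTO_TCP, PROTO_UDP = 6, 17
TCP_MIN_FIRST = 20


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed header plus options; raise on anything malformed (the filter drops it)."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_fo,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IHL")
    return {
        "proto": proto,
        "more_fragments": bool(flags_fo & 0x2000),
        "frag_offset": flags_fo & 0x1FFF,            # in units of 8 bytes
        "options": pkt[20:ihl],
        "payload": pkt[ihl:total_len] if total_len <= len(pkt) else pkt[ihl:],
    }


def option_problem(options: bytes):
    """Walk the (type, length) option list; return a reason to drop, or None."""
    i = 0
    while i < len(options):
        t = options[i]
        if t == IPOPT_EOL:
            return None
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            return "malformed option list"
        if t in (IPOPT_LSRR, IPOPT_SSRR):
            return "source-routed"
        i += options[i + 1]
    return None


def filter_verdict(pkt: bytes) -> str:
    try:
        h = parse_ipv4(pkt)
    except ValueError as e:
        return f"drop: {e}"
    reason = option_problem(h["options"])
    if reason:
        return f"drop: {reason}"
    if h["proto"] == PROTO_TCP:
        # first fragment (or unfragmented packet) too short to hold the TCP header
        if h["frag_offset"] == 0 and len(h["payload"]) < TCP_MIN_FIRST:
            return "drop: first fragment too short for TCP header"
        # RFC 1858: a TCP fragment at offset 1 can only exist to overwrite header fields
        if h["frag_offset"] == 1:
            return "drop: TCP fragment at offset 1"
    return "pass"


def build_ipv4(proto: int, payload: bytes, options: bytes = b"",
               more_frags: bool = False, frag_offset: int = 0) -> bytes:
    """Constructed test packets: 198.51.100.5 -> 192.168.10.80 (documentation / private ranges)."""
    while len(options) % 4:
        options += bytes([IPOPT_EOL])
    ihl = 5 + len(options) // 4
    flags_fo = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0x1234,
                      flags_fo, 64, proto, 0, bytes([198, 51, 100, 5]), bytes([192, 168, 10, 80]))
    return hdr + options + payload


SAMPLES = {
    "normal": build_ipv4(PROTO_TCP, bytes(20)),
    # LSRR option: type 0x83, length 7, pointer 4, one hop address 10.0.0.1
    "lsrr": build_ipv4(PROTO_TCP, bytes(20), options=bytes([IPOPT_LSRR, 7, 4, 10, 0, 0, 1])),
    "tiny_first": build_ipv4(PROTO_TCP, bytes(4), more_frags=True),          # only the ports fit
    "offset_one": build_ipv4(PROTO_TCP, bytes(8), frag_offset=1),            # would land on seq/ack/flags
    "udp_frag": build_ipv4(PROTO_UDP, bytes(8), frag_offset=2),              # ordinary later fragment
}
```

Real filters additionally reassemble, or at least track, fragments so that a later fragment cannot slip past a decision made on the first one; the rules above are the cheap stateless subset that RFC 1858 argues every filter should apply.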

Firewalls - Application Level Gateway/Proxy

• Works at the application layer of the OSI stack

• Uses an application-specific gateway / proxy

• Has full access to the protocol
– user requests service from proxy
– proxy validates request as legal
– then actions the request and returns the result to the user

• Asks the question: should this process accept this connection?

Firewalls - Application Level Gateway/Proxy (continued)

• Need a separate proxy for each service

• Some services naturally support proxying

• Others are more problematic

• Custom services generally not supported

Firewalls – Stateful Packet Filters

• Also called circuit layer filters

• Work at the Transport Layer (TCP)

• Examine each IP packet in context
– keep track of client-server sessions
– check that each packet validly belongs to one

• Better able to detect bogus packets out of context

• But is susceptible to distributed denial of service attacks (the state table is finite and can be exhausted by floods of bogus connection attempts)
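An added worked example of the stateful filter described above, placed next to the stateless rule it improves on (this is not code from the original slides). The stateless "established" approximation permits any inbound TCP segment with ACK set; the connection tracker permits inbound segments only when they match a session an internal host opened, and it exposes the state-table limit that a flood attacks. Addresses, ports and the "iface" field (which side of the firewall a segment arrived on) are constructed.

```python
"""Stateful packet filter (connection tracking) next to the stateless rule it replaces.

Added example, not from the original slides.  Addresses, ports and the "iface"
field (which side of the firewall a segment arrived on) are constructed.
"""
from collections import OrderedDict
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits


@dataclass(frozen=True)
class Segment:
    iface: str     # "int" = from the protected network, "ext" = from the Internet
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def stateless_established_rule(s: Segment) -> str:
    """The classic stateless approximation: inbound TCP with ACK set is 'a reply'.
    It has no memory, so a bare ACK probe from anywhere is waved through."""
    if s.iface == "ext":
        return "permit" if s.flags & ACK else "drop"
    return "permit"


class StatefulFilter:
    """Internal hosts may open connections outward; external segments are admitted
    only if they belong to a session the filter has already seen.  The table is
    bounded, which is exactly the resource a flood of bogus SYNs tries to exhaust."""

    def __init__(self, max_sessions: int = 1000):
        self.max_sessions = max_sessions
        # key: (internal ip, internal port, external ip, external port) -> state
        self.sessions = OrderedDict()

    def process(self, s: Segment) -> str:
        if s.iface == "int":
            key = (s.src, s.sport, s.dst, s.dport)
            state = self.sessions.get(key)
            if state is None:
                if s.flags & SYN and not s.flags & ACK:        # new outbound connection
                    if len(self.sessions) >= self.max_sessions:
                        return "drop: state table full"
                    self.sessions[key] = "SYN_SENT"
                    return "permit"
                return "drop: no session"                     # e.g. a stray data segment
            if s.flags & RST:
                del self.sessions[key]         # teardown; FIN handling and idle timeouts omitted
            return "permit"
        # external side: look the session up with the tuple reversed
        key = (s.dst, s.dport, s.src, s.sport)
        state = self.sessions.get(key)
        if state is None:
            return "drop: no session"
        if state == "SYN_SENT":
            if s.flags & SYN and s.flags & ACK:
                self.sessions[key] = "ESTABLISHED"
                return "permit"
            if s.flags & RST:                                  # remote refused the connection
                del self.sessions[key]
                return "permit"
            return "drop: unexpected flags during handshake"
        if s.flags & RST:
            del self.sessions[key]
        return "permit"


def demo() -> dict:
    fw = StatefulFilter(max_sessions=2)
    out_syn = Segment("int", "192.168.10.5", 50000, "198.51.100.80", 80, SYN)
    in_synack = Segment("ext", "198.51.100.80", 80, "192.168.10.5", 50000, SYN | ACK)
    # ACK-scan style probe: right internal port, but no session with this remote host
    probe = Segment("ext", "198.51.100.99", 4444, "192.168.10.5", 50000, ACK)
    result = {
        "syn": fw.process(out_syn),
        "synack": fw.process(in_synack),
        "probe_stateful": fw.process(probe),
        "probe_stateless": stateless_established_rule(probe),
    }
    fw.process(Segment("int", "192.168.10.6", 50001, "198.51.100.80", 80, SYN))
    result["third"] = fw.process(Segment("int", "192.168.10.7", 50002, "198.51.100.80", 80, SYN))
    return result
```

The probe shows the difference in one line: the stateless rule says "permit", the tracker says "drop: no session". The third SYN shows the cost: with the table full, a legitimate new connection is refused, which is what a SYN flood against a stateful device aims for and why production trackers use aggressive timeouts for half-open entries.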

Firewalls - Circuit Level Gateway

• Creates two TCP connections and ferries traffic between them

• Imposes security by limiting which such connections are allowed

• Once created, usually relays traffic without examining contents

• Typically used when one trusts internal users, by allowing general outbound connections

• SOCKS commonly used for this
– most Internet client software understands the SOCKS protocol and can be configured to use SOCKS relay hosts

SOCKS?

• SOCKS is short for SOCKetS

• SOCKS is an Internet protocol that allows client-server applications to transparently use the services of a network firewall.

• Clients behind a firewall, needing to access exterior servers, may connect to a SOCKS proxy server instead.

SOCKS (continued)

• Such a proxy server controls the eligibility of the client to access the external server and passes the request on to the server.

• SOCKS can also be used in the opposite way, allowing the clients outside the firewall ("exterior clients") to connect to servers inside the firewall (internal servers).
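The SOCKS5 (RFC 1928) exchange between a client and a circuit-level gateway, as an added worked example covering the circuit-level gateway and SOCKS slides above (this is not code from the original slides). Both sides' messages are encoded and decoded, and the gateway's single policy decision, whether to allow the requested connection, is the only point at which it applies security before it starts relaying bytes blindly. The port allow-list, the gateway's bound address 203.0.113.7:40000 and the destinations are constructed.

```python
"""SOCKS5 (RFC 1928) circuit-level gateway exchange: both sides' messages, plus the
one place the gateway applies policy before it starts relaying blindly.

Added example, not from the original slides.  The port allow-list, the gateway's
bound address 203.0.113.7:40000 and the destinations are constructed.
"""
import struct
from ipaddress import ip_address

VER = 0x05
METHOD_NOAUTH, METHOD_NONE_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED, REP_GENERAL_FAILURE, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x01, 0x02, 0x07

ALLOWED_PORTS = {80, 443}   # gateway policy, "which such connections are allowed" (constructed)


def client_greeting(methods=(METHOD_NOAUTH,)) -> bytes:
    """Client -> gateway: VER, NMETHODS, METHODS."""
    return bytes([VER, len(methods), *methods])


def server_select_method(greeting: bytes, offered=(METHOD_NOAUTH,)) -> bytes:
    """Gateway -> client: VER, METHOD (0xFF = nothing acceptable, client must close)."""
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    for m in greeting[2:]:
        if m in offered:
            return bytes([VER, m])
    return bytes([VER, METHOD_NONE_ACCEPTABLE])


def connect_request(host: str, port: int) -> bytes:
    """Client -> gateway: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT."""
    try:
        addr = ip_address(host)
        atyp, raw = (ATYP_IPV4 if addr.version == 4 else ATYP_IPV6), addr.packed
    except ValueError:                       # not an IP literal: send it as a domain name
        name = host.encode("idna")
        atyp, raw = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00, atyp]) + raw + struct.pack("!H", port)


def parse_request(req: bytes):
    """Gateway side: decode a request strictly; anything odd is rejected."""
    if len(req) < 5 or req[0] != VER or req[2] != 0x00:
        raise ValueError("malformed request")
    cmd, atyp, body = req[1], req[3], req[4:]
    if atyp == ATYP_IPV4:
        n, host = 4, str(ip_address(body[:4]))
    elif atyp == ATYP_IPV6:
        n, host = 16, str(ip_address(body[:16]))
    elif atyp == ATYP_DOMAIN:
        n = 1 + body[0]
        host = body[1:n].decode("idna")
    else:
        raise ValueError("unknown address type")
    if len(body) != n + 2:
        raise ValueError("length mismatch")
    return cmd, host, struct.unpack("!H", body[n:n + 2])[0]


def reply(rep: int, bnd_host: str = "0.0.0.0", bnd_port: int = 0) -> bytes:
    """Gateway -> client: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT."""
    return bytes([VER, rep, 0x00, ATYP_IPV4]) + ip_address(bnd_host).packed + struct.pack("!H", bnd_port)


def gateway_decide(req: bytes) -> bytes:
    """Policy check: after a success reply the gateway only ferries bytes, so this is it."""
    try:
        cmd, host, port = parse_request(req)
    except ValueError:
        return reply(REP_GENERAL_FAILURE)
    if cmd != CMD_CONNECT:
        return reply(REP_CMD_UNSUPPORTED)
    if port not in ALLOWED_PORTS:
        return reply(REP_NOT_ALLOWED)
    return reply(REP_SUCCEEDED, "203.0.113.7", 40000)   # the gateway's own outbound socket


def exchange(host: str, port: int) -> dict:
    """The whole handshake, message by message, for one CONNECT attempt."""
    greeting = client_greeting()
    selected = server_select_method(greeting)
    request = connect_request(host, port)
    rep = gateway_decide(request)
    return {"greeting": greeting, "select": selected, "request": request,
            "reply": rep, "allowed": rep[1] == REP_SUCCEEDED}
```

The example negotiates the "no authentication" method, so the gateway has no idea who is asking; a gateway that wants the user control described earlier in these slides would offer username/password authentication (RFC 1929) instead and key its policy on the authenticated user as well as the destination.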
