
Networking and network security 5/20/20

Reasons To Know Networking In Regard to Computer Security
■ To understand the flow of information on the Internet
■ To understand the levels of activity in network traffic flow
■ To understand the basis for vulnerabilities
■ To understand the basis for security tools and how they work

Base Principle – Packet Switching
■ Messages broken up into packets
■ Packets are sent onto network, routed to destination, reassembled
■ Advantages (compared to circuit switching; e.g. traditional phones)
  ■ Better sharing of bandwidth
  ■ Greater overall efficiency
  ■ Allows more users, no greater delay

Protocol Layering
■ Protocol: a convention for communication between two agents (aka handshaking)
■ Motivation: Separation of functionality
  ■ Layers take care of particular task re: information
  ■ Offer services to next layer in protocol stack
■ Advantage: modularity
■ Disadvantages: possible overlap, redundancy of functionality

Protocol Data Units
■ Layer sends message by building a protocol data unit (PDU)
■ Take data from layer N, add additional information to meet needs of layer N-1
■ PDU handed to next lower layer
■ Lower layer now has responsibility for message

Internet Protocol Stack
■ Seven layers in Open Systems Interconnect (OSI) model
  ■ 7) Application
  ■ 6) Presentation
  ■ 5) Session
  ■ 4) Transport
  ■ 3) Network
  ■ 2) Data Link
  ■ 1) Physical

General Layer Functions
■ Segmentation / Reassembly
  ■ Breaking large message into standard size chunks
■ Error Control
  ■ How to detect or correct errors
■ Flow Control
  ■ Avoid overwhelming slower systems
■ Multiplexing
  ■ Sharing of lower-level connections
■ Connection setup
  ■ How to establish a virtual communication path

Application Layer (7)
■ Function: High-Level Application Systems and End-User Processes
■ Implemented in: Software
■ PDU: Message
■ Examples
  ■ sftp, http, smtp, ssh, …

Presentation Layer (6)
■ Function: Provides independence from differences in data representation by formatting and encrypting data
■ Implemented in: Software
■ Examples: ASCII encoding, NFS, FTP file path/name translation

Session Layer (5)
■ Function: Establishes, manages and terminates connections between applications
■ Implemented in: Software
■ Examples: SSL, DNS, RPC

Transport Layer (4)
■ Function/Service: Transport message from one system to another system
■ Implemented in: Software
■ PDU: Segment
■ Two methods
  ■ TCP (connection-oriented protocol)
  ■ UDP (connectionless protocol)

TCP
■ TCP = Transmission Control Protocol
■ Connection-Oriented Service
■ Guaranteed Delivery of Message
■ Flow Control
■ Breaks message into shorter segments
■ Advantage: More Control
■ Examples
  ■ http, sftp, smtp, ssh

UDP
■ UDP = User Datagram Protocol
■ Connection-less Service
■ No Guaranteed Delivery of Message
■ No Flow Control / Handshaking
■ No Overhead For Connection
■ Continuous Data Stream
■ Advantage: Faster
■ Disadvantage: Possible loss of information
■ Examples
  ■ Video, Voice (e.g. phone)

Network Layer (3)
■ Function/Service: Routing segments from host to host, through intermediate systems
  ■ Network Layer receives segment and destination address from Transport Layer
■ Implemented in: Hardware & Software
■ PDU: Datagram
■ Two major parts
  ■ IP Protocol: structure of datagram, how end systems (and routers) act on this information
  ■ Routing protocols: for transfer from source host to destination host
■ Examples: IP, IPX

Data Link Layer (2)
■ Function/Service: Move a datagram from one node to the next in the route
■ Implemented in: Hardware
■ PDU: Frame
■ Examples:
  ■ Ethernet, Token Ring, FDDI, Gigabit Ethernet

Physical Layer (1)
■ Function/Service: Routing physical bits from one network node to adjacent node
■ Implemented in: Hardware
■ PDU: Bits
■ Examples:
  ■ Optical fiber, Twisted pair wire, Coaxial cable
  ■ Voltage levels, signaling

What implements each layer?
■ End Systems / Hosts: Implements all layers
■ Routers/Switches: Layers 1-3 and possibly IP protocol
■ Bridges: Implements layers 1-2
■ Hubs: Implements layer 1 (essentially repeaters)
■ Firewalls
  ■ Packet filtering (operate at layer 3)
  ■ Application gateways (operate at layer 7)

Internet Addressing
■ 32 bits that uniquely identify an internet host
■ Displayed www.xxx.yyy.zzz
■ Split into two parts: network and host
■ Certain network segments reserved
  ■ Can be used for isolated private networks
  ■ 10.0.0.0 – 10.255.255.255
  ■ 172.16.0.0 – 172.31.255.255
  ■ 192.168.0.0 – 192.168.255.255

NAT
[Figure: internal network – boundary router – Internet. Internally use 10/16, 172.0/12, 192.168/16; externally use port numbers to distinguish hosts]
■ Assume traffic is TCP or UDP
■ Replace external port number with index into table identifying internal host and port
■ Deal with other protocols on case-by-case basis

Ports
■ Certain system process must respond to a particular application protocol (e.g. sftp, smtp)
■ Port is the “address” for application communication on a system
  ■ E.g. Port 80 for http
  ■ E.g. Port 25 for smtp
  ■ E.g. Port 1521 for Oracle connections
■ Port List: http://www.iana.org/assignments/port-numbers

Socket
■ Interface between the application layer and the transport layer
■ Acts as an API between application and network
■ Programmer only controls application side, plus a few transport level details
  ■ Transport protocol (TCP or UDP)
  ■ A few transport parameters (e.g. maximum buffer size)

Additional Information
■ Internet Engineering Task Force (IETF)
  ■ http://www.ietf.org
■ Primary documents: RFCs
  ■ IP: RFC 791
  ■ TCP: RFC 793
  ■ UDP: RFC 768
  ■ Internet Addressing: RFC 900
■ OSI Model and Information Security
  ■ http://www.giac.org/practical/GSEC/Damon_Reed_GSEC.pdf

Firewalls

References
• Stallings, Chapter 9
• Cheswick et al., “Firewalls and Internet Security, 2nd ed.” Addison-Wesley, 2003.
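The NAT and Internet Addressing slides above describe a boundary router that keeps a table indexed by external port number and rewrites TCP/UDP traffic against it. The following Python model is an added example, not code from the slides; the public address 203.0.113.5, the starting port 40000 and the private-range check are assumptions.

```python
import ipaddress

# Private ranges from the Internet Addressing slide (RFC 1918); usable behind NAT
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr: str) -> bool:
    """True if addr lies in one of the reserved private network segments."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

class BoundaryNat:
    """NAT on the boundary router: one public address, external port = table index."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip          # assumed public address of the router
        self.next_port = first_port         # next free external port (table index)
        self.by_ext = {}   # (proto, external port) -> (internal host, internal port)
        self.by_int = {}   # (proto, internal host, internal port) -> external port

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an internal host's packet; returns the 5-tuple as seen on the Internet."""
        if proto not in ("tcp", "udp"):
            raise ValueError("only TCP/UDP are assumed; others are handled case by case")
        if not is_private(src_ip):
            raise ValueError("outbound source is not an internal private address")
        key = (proto, src_ip, src_port)
        ext_port = self.by_int.get(key)
        if ext_port is None:            # first packet of this flow: allocate an index
            ext_port = self.next_port
            self.next_port += 1
            self.by_int[key] = ext_port
            self.by_ext[(proto, ext_port)] = (src_ip, src_port)
        return (proto, self.public_ip, ext_port, dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Reverse the rewrite; None means no table entry, so the packet is dropped."""
        if dst_ip != self.public_ip:
            return None
        entry = self.by_ext.get((proto, dst_port))
        if entry is None:
            return None                 # unsolicited inbound traffic has no mapping
        host, port = entry
        return (proto, src_ip, src_port, host, port)
```

Two internal hosts using the same local port get distinct external ports, and an inbound packet to an unallocated port is dropped, which is the side-effect filtering a NAT provides.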
Firewalls
• On the day that you take up your command, block the frontier passes, destroy the official tallies, and stop the passage of all emissaries. - Sun Tzu, The Art of War

What is a Firewall?
• System or group of systems that enforces an access control policy between two or more networks
• In principle the firewall is a pair of mechanisms:
  – one which exists to block traffic
  – one which exists to permit traffic

What is a Firewall?
• A choke point of control and monitoring
• Interconnects networks with differing trust levels
• Imposes restrictions on network services
  – only authorized traffic is allowed
• Auditing and controlling access
  – can implement alarms for abnormal behavior
• Is itself immune to penetration (well, in theory)
• Provides perimeter defense

Firewall cartoon (figure)

Firewall characteristics
• Four techniques used to control access to a network:
  – Service control - determines the types of services allowed
    • the firewall may filter traffic on the basis of IP address, TCP port number
    • may provide proxy services
    • may be the mail or web server
  – Direction control
    • inbound or outbound controls

Firewall techniques
  – User control
    • controls access to a service according to the user who is asking for it
  – Behavior control
    • controls how the services are used
    • for example, may filter spam
    • limit access to part of the information on a web server

Firewall Limitations
• Cannot protect from attacks that bypass the firewall
  – e.g. sneaker net, utility modems, trusted organizations, trusted services (e.g. SSL/SSH)
• Cannot protect against internal threats
  – e.g. disgruntled employee, idiots inside organization
• Cannot protect against transfer of all virus infected programs or files
  – because of the huge range of OS & file types

Bottom line
• For a firewall to be effective, it must be part of a consistent overall organizational security architecture
• Firewall policies must be realistic and reflect the level of security in the entire network

Types of firewalls
• Network layer
  – make decisions based on source or destination addresses or port numbers (look at IP addresses in the Network layer)
  – a router is a type of network layer firewall
  – the earliest of these types of firewalls did packet filtering based on either the source or destination (or both) addresses in individual packets (we call these circuit-layer firewalls now)

Types of firewalls
• Application layer
  – Generally these are hosts running proxy servers which permit no traffic directly between networks and which perform elaborate logging and auditing of traffic passing through them
  – Can also be used as NATs
• Circuit-level gateways
  – Work at the TCP level (transport layer)

Network Layer Firewall using Packet Filters
• Uses the simplest of components
• Foundation of any firewall system
• Examine each IP packet (no context) and permit or deny according to rules
• Hence restrict access to services (ports)
• Possible default policies
  – that not expressly permitted is prohibited
  – that not expressly prohibited is permitted

Network Layer Firewall using Packet Filters
• Deny/Allow can be based on characteristics of the packet
  – source address
  – destination address
  – port number
    • there are a lot of “well known” port numbers
    • see http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Attacks on Packet Filters
• IP address spoofing
  – Fake source address to be trusted
  – Response: add filters on router to block
• Source routing attacks
  – Attacker sets a route other than default
  – Response: block source routed packets
• Tiny fragment attacks
  – Split header info over several tiny packets
  – Response: either discard or reassemble before check

Firewalls - Application Level Gateway/Proxy
• Works at the application layer of the OSI stack
• Use an application specific gateway
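The packet-filter slides above (rules on source address, destination address and port; a default policy; and the three responses on the Attacks on Packet Filters slide) are modelled in the following Python example. It is added here and is not code from the slides; the internal network 192.168.0.0/16, the interface names and the minimum transport-header sizes are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed: the network behind the filter, and the transport-header bytes a first
# fragment must carry for the port fields to be checkable at all.
INTERNAL = ipaddress.ip_network("192.168.0.0/16")
MIN_HDR = {"tcp": 20, "udp": 8}

@dataclass
class Packet:
    iface: str            # "ext" (arrived from the Internet) or "int" (from inside)
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    frag_offset: int = 0  # >0 means a non-initial IP fragment: no transport header
    hdr_bytes: int = 20   # transport-header bytes present in this fragment
    source_routed: bool = False

@dataclass
class Rule:
    action: str           # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: int = 0        # 0 = any port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (0, p.dport))

def filter_packet(p: Packet, rules: list, default: str = "deny") -> str:
    """Stateless filter: per-packet sanity checks, then first matching rule, then default."""
    # IP address spoofing: an internal source address arriving on the external interface
    if p.iface == "ext" and ipaddress.ip_address(p.src) in INTERNAL:
        return "deny (spoofed source)"
    # Source routing: the sender tried to dictate the route; block such packets
    if p.source_routed:
        return "deny (source routed)"
    # Tiny fragments: the "discard" response; drop anything whose ports cannot be checked
    if p.frag_offset > 0 or p.hdr_bytes < MIN_HDR.get(p.proto, 20):
        return "deny (tiny fragment)"
    for r in rules:
        if r.matches(p):
            return r.action
    return default        # "deny" = that not expressly permitted is prohibited
```

Passing default="permit" gives the weaker "not expressly prohibited is permitted" policy from the slide, which lets the unmatched port 22 packet in the test through.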