Chapters 9 and 8 SambaSMB, Network Security - PowerPoint PPT Presentation

About This Presentation
Title:

Chapters 9 and 8 SambaSMB, Network Security

Description:

A 'Workgroup' is a set of NBT nodes on an IP subnet that shares the same Workgroup name. ... A Domain Master Browser enables browsing across subnets ... – PowerPoint PPT presentation

Number of Views:40
Avg rating:3.0/5.0
Slides: 21
Provided by: profri
Category:

less

Transcript and Presenter's Notes

Title: Chapters 9 and 8 SambaSMB, Network Security


1
Chapters 9 and 8Samba/SMB, Network Security
  • Professor Rick Han
  • University of Colorado at Boulder
  • rhan_at_cs.colorado.edu

2
Announcements
  • HW 5 a possibility
  • Programming Assignment 3 due May 2
  • Lecture slides from last week online after class
  • In Chapter 8, read all sections.
  • Next, Samba/SMB, Network Security

3
Recap of Previous Lecture
  • An example caching policy for an HTTP proxy
  • Conditional GET with If-Modified-Since header
  • Proxy returns page from its cache only if that
    page is not expired and its Last-Modified is more
    recent than If-Modified-Since date
  • Otherwise, proxy forwards conditional GET to
    server, who either replies with
  • New page, or
  • Status 340 Not Modified
  • Network Address Translation (NAT)
  • Outbound Substitute NATs IP address and TCP
    port for the packets source IP and source TCP
    port
  • Inbound Substitute NATs IP addr and TCP port
    for packets dest IP and dest TCP port

4
Recap of Previous Lecture (2)
  • NAT
  • Static NATs map an inbound packets dest IP and
    dest TCP port to a internal hosts fixed IP addr
    and TCP port
  • Enables a Web server behind a NAT to serve Web
    pages to external hosts
  • Adds security risk
  • Dynamic NATs provide a firewall masquerading
    capability
  • In absence of fixed mappings, external hosts
    cant make an inbound connection to any internal
    host
  • Internal hosts can still make outbound TCP
    connections

5
Samba/SMB
  • Server Message Block (SMB) Protocol
  • File sharing protocol that ships with Microsoft
    OSs
  • Basis for Network Neighborhood
  • Application-layer protocol over TCP/UDP/IP
  • Open-source SAMBA Server suite enables other OSs
    such as Linux to speak SMB
  • Enables an MS client to access files on a UNIX
    server very useful!

6
Samba/SMB (2)
  • For historical reasons, SMB first ran across the
    NETBIOS API, which then ran across various
    network protocols, e.g. TCP/UDP, IPX, SNA,
    DECnet, etc.
  • SMB packets can be framed in NETBIOS packets
    which are encapsulated by TCP/UDP
  • NETBIOS over TCP/UDP is called NBT

SMB
NETBIOS
TCP/UDP, IPX, SNA or
7
Samba/SMB (3)
  • Newer version of SMB Windows 2000 now runs SMB
    natively on top of TCP/UDP
  • no NETBIOS framing
  • renamed to Common Internet FileSystem (CIFS)
  • CIFS actually refers to entire suite of
    protocols file/printer-sharing, service
    announcement, naming, authentication,
    authorization
  • Supports older version of SMB too, to maintain
    compatibility

SMB (Windows 2000)
TCP/UDP
8
Samba/SMB (4)
  • NBT creates an abstraction a virtual LAN, even
    if actual nodes are distributed over wide area
  • NBT provides 3 services over a virtual LAN
  • Naming Service
  • Datagram Distribution Service
  • Session Service
  • NBT Naming Service
  • Broadcast wheres anchor? Here I am
  • Point-to-point required to bridge subnets,
    because broadcasts are typically confined to a
    subnet
  • A NETBIOS Name Server (NBNS) provides name-to-IP
    mappings for a NETBIOS virtual LAN
  • Also called WINS in MS terminology

9
Samba/SMB (5)
  • NBT Naming Service (cont.)
  • Runs on UDP port 137 NETBIOS naming queries are
    encapsulated in UDP then IP
  • NBT Datagram Service
  • Runs over UDP port 138
  • Point-to-point and multicast are straightforward
    within a LAN
  • Multicast across IP subnets requires a bridging
    agent a NETBIOS Datagram Distribution Server
    (NBDD)
  • Multicast datagrams are sent to NBDD, which gets
    list of hosts in multicast group from NBNS, then
    sends point-to-point to each host
  • WINS messed up its implementation of NBDD (as of
    May 2001) some group members wont receive
    multicast

10
Samba/SMB (6)
  • NBT Session Service
  • Runs over TCP port 139
  • Implements file sharing
  • Simple sequence of events
  • Source X gives NETBIOS name of destination Y to
    NBT Name Service and gets back IP address of Y
  • Source X establishes a TCP connection with Y
  • Source X sends a NETBIOS SESSION SERVICE REQUEST
    to Y. Y accepts request.
  • X and Y exchange files via SMB.
  • SMB packets consist of 0xFF then the letters
    SMB followed by a command and data
  • Commands are patterned after DOS I/O commands,
    and include OPEN, CLOSE, DELETE, etc.

11
Samba/SMB (7)
  • SMB
  • Several dialects of SMB, so there is always a
    negotiation phase to make sure SMB client speaks
    the same dialect as SMB server
  • Network Neighborhood is supported by a Browsing
    Service
  • Browsing is organized in terms of IP subnets and
    Workgroups.
  • A "Workgroup" is a set of NBT nodes on an IP
    subnet that shares the same Workgroup name.
  • On each subnet, the Workgroup members hold an
    "election," which involves sending group
    datagrams via the NBT Datagram Service.
  • A Domain Master Browser enables browsing across
    subnets

12
Samba/SMB (8)
  • CIFS
  • Removes NETBIOS/NBT
  • Also, replaces NETBIOS services with
    standard-based services
  • Example NBNS is replaced with Dynamic DNS
  • SAMBA
  • Racing to stay compatible with latest MS twist on
    CIFS, e.g. Windows 2000
  • See www.samba.org for more info

13
Network Security
  • Classic properties of secure systems
  • Confidentiality
  • Encrypt message so only sender and receiver can
    understand it.
  • Authentication
  • Both sender and receiver need to verify the
    identity of the other party in a communication
    are you really who you claim to be?
  • Authorization
  • Does a party with a verified identity have
    permission to access (r/w/x/) information? Gets
    into access control policies.

14
Network Security (2)
  • Classic properties of secure systems (cont.)
  • Integrity
  • During a communication, can both sender and
    receiver detect whether a message has been
    altered?
  • Non-Repudiation
  • Originator of a communication cant deny later
    that the communication never took place
  • Availability
  • Guaranteeing access to legitimate users.
    Prevention of Denial-of-Service (DOS) attacks.

15
Cryptography
plaintext
ciphertext
plaintext
  • Encryption algorithm also called a cipher
  • Cryptography has evolved so that modern
    encryption and decryption use secret keys
  • Only have to protect the keys! gt Key
    distribution problem
  • Cryptographic algorithms can be openly published

plaintext
ciphertext
plaintext
Key KA
Key KB
16
Cryptography (2)
  • Cryptography throughout history
  • Julius Caesar cipher replaced each character by
    a character cyclically shifted to the left.
    Weakness?
  • Easy to attack by looking at frequency of
    characters
  • Mary Queen of Scots put to death for treason
    after Queen Elizabeths Is spymaster cracked her
    encryption code
  • WWII Allies break German Enigma code and
    Japanese naval code
  • Enigma code machine (right)

17
Cryptography (3)
  • Cryptanalysis Type of attacks
  • Brute force try every key
  • Ciphertext-only attack
  • Attacker knows ciphertext of several messages
    encrypted with same key (but doesnt know
    plaintext).
  • Possible to recover plaintext (also possible to
    deduce key) by looking at frequency of ciphertext
    letters
  • Known-plaintext attack
  • Attackers observes pairs of plaintext/ciphertext
    encrypted with same key.
  • Possible to deduce key and/or devise algorithm to
    decrypt ciphertext.

18
Cryptography (4)
  • Cryptanalysis Type of attacks
  • Chosen-plaintext attack
  • Attacker can choose the plaintext and look at the
    paired ciphertext.
  • Attacker has more control than known-plaintext
    attack and may be able to gain more info about
    key
  • Adaptive Chosen-Plaintext attack
  • Attacker chooses a series of plaintexts, basing
    the next plaintext on the result of previous
    encryption
  • Differential cryptanalysis very powerful
    attacking tool
  • But DES is resistant to it
  • Cryptanalysis attacks often exploit the
    redundancy of natural language
  • Lossless compression before encryption removes
    redundancy

19
Cryptography (5)
  • Symmetric or Secret-Key Cryptography
  • Both sender and receiver keys are the same KAKB
  • Data Encryption Standard (DES)
  • Encodes plaintext in 64-bit chunks using a 64-bit
    key (56 bits 8 bits parity)
  • Uses permutation or transposition of characters
  • abcd ? dbac
  • Was cracked in 1997
  • Triple-DES put the output of DES back as input
    into DES again, loop again

20
Cryptography (6)
  • Public-Key Cryptography
  • Host who wants data sent to it advertises a
    public encryption key Kpublic
  • Decryption algorithm has the property that only a
    private key Kprivate can decrypt the ciphertext
  • Based on the difficulty of factoring the product
    of two prime s
  • Even though attacker knows the public key Kpublic
    and the encryption algorithm, the attacker still
    does not know the private key Kprivate
  • Example RSA encryption algorithm
Write a Comment
User Comments (0)
About PowerShow.com