CSCE 715: Network Systems Security

About This Presentation

Title:

Description:

Number of Views:42

Avg rating:3.0/5.0

Slides: 22

Provided by: huan75

Category:

more less

Transcript and Presenter's Notes

Title: CSCE 715: Network Systems Security

1
CSCE 715Network Systems Security

2
Network Security Designs

After discussion of cryptographic tools, we turn
to look at various network security designs at
different layers in protocol stack
Link layer secure address resolution
Network layer IPsec, hop integrity
Transport layer SSL/TLS
Application layer Kerberos, X.509 certificate,
firewall design

3
Ethernet

Most widely used LAN technology
Low cost and high flexibility
Versions of different speed 10Mbps, 100Mbps,
Gigabit
Use globally unique media access control (MAC)
address (hardware address) for every interface
card

4
Use of Hardware Address

5
Address Resolution Protocol

Protocol maps each IP address to corresponding
hardware address in subnetwork
For computer i to get hardware address of
computer j, i broadcasts a rqst message with IP
address of j to the subnetwork

rqst(ipa.j)
i
default router
Internet
switch
r
j
6
Address Resolution

If j sees a rqst message from i with its IP
address, j sends a rply message with its IP
address and hardware address to i

rply(ipa.j,hda.j)
i
default router
Internet
switch
r
j
7
Functions of ARP

8
ARP Spoofing Attack

To stop traffic from i to j, an adversary sends
to i a spoofed rply message with IP address of j
and a non-existent hardware address

i
default router
Internet
switch
r
j
A
rply(ipa.j,hda.x)
9
Another ARP Spoofing Attack

To stop traffic from i to default router r, an
adversary sends to i a spoofed rply message with
IP address of r and its own hardware address

i
default router
Internet
switch
r
j
A
rply(ipa.r,hda.A)
10
Countering ARP Spoofing Attacks

Proposed solutions include ARPWATCH and static
ARP caches
ARPWATCH monitors transmission of rqst and rply
messages over Ethernet and check them against a
database of (IP addr, hardware addr) pairings
Static ARP cache stores permanent (IP addr,
hardware addr) pairings of trusted hosts to avoid
sending rqst and rply messages over Ethernet

11
Insufficiencies of Proposed Solutions

ARPWATCH does not support dynamic assignment of
IP addresses
Static ARP caches does not support dynamic
assignment of IP addresses and detection of
destination failures

12
Need for Secure Address Resolution

When a computer receives a message m, it needs to
determine whether m was indeed sent by claimed
source, or was inserted, modified, or replayed by
an adversary
Use secure address resolution protocol between
each computer and a secure server

13
Architecture of Secure Address Resolution
Protocol
14
Adversary

Adversary can perform three types of actions to
disrupt communication between server s and any
computer hi on the Ethernet
Message loss
Message modification
Message replay

15
Secure Address Resolution Protocol

16
Invite-Accept Protocol

Periodically, server s sends out an invt message
to every computer on Ethernet
Every up computer is required to send back an
acpt message including its IP address and
hardware address
s updates its address database according to
received acpt messages

17
Invite-Accept Protocol

18
Request-Reply Protocol

When a computer needs to resolve a destinations
hardware address, it sends a rqst message to
server s
If destinations hardware address is still valid,
s sends back a rply message with address
information
If destinations hardware address is not valid
anymore, s sends back a rply message with no
address information

19
Request-Reply Protocol