Bishop: Chapter 26 Network Security

1
Bishop Chapter 26Network Security

• Based on notes by
• Prashanth Reddy Pasham

2
Outline

• Introduction
• Policy Development
• Network Organization
• Firewalls
• DMZ
• Availability and Network Flooding

3
Introduction

• How to develop a network infrastructure from
  security requirements?
• Know security requirements
• it leads to the development of security policy.
• which in turn suggests the form of the network
• security goals ? policy
• network policy ? functionalities
• distribution of functionalities to various parts
  of the network ? network diagram
• Functionality of each part ? host configuration

4
Introduction

• Goals of Dribs Security policy
• Data related to company plans is to be kept
  secret
• available only to those who need to know
• Customer data should be available only to those
  who fill the order
• Releasing sensitive data requires the consent of
  the companys officials and lawyers.
• Our goal is to design a network infrastructure
  that will meet these requirements

5
Policy Development

• Policies
• Must provide public access to some information
• Limit access to other information even within the
  company.
• Drib requires a policy that minimizes the threat
  or data being leaked to unauthorized entities.
• Unauthorized?

6
Policy Development

• Drib has three internal organizations
• Customer Service Group(CSG)
• Deals with customers
• Maintains all customer data
• Serves as interface between the other groups and
  clients of the drib
• Development Group(DG)
• Develops, modifies, maintains products
• Rely on CSG for the description of customer
  complaints, suggestions, ideas.
• No direct talk with customers
• Corporate group(CG)
• Handles Drib's debentures, lawsuits, patents and
  other corporate level work.
• Policy describes the way information is to flow
  among these groups

7
Policy Development

• Data Classes
• Public Data(PD)
• Available to anyone
• Includes product specifications, price
  information and marketing literature.
• Development data for existing products(DDEP)
• Available only internally
• Company lawyers, officers and developers
• Development data for future products(DDFP)
• Available only to developers
• may change, as may various aspects of
  development.
• Corporate data(CoD)
• Information about corporate functions
• Customer data(CuD)
• Credit card information

8
Policy Development

• User Classes
• Outsiders
• Developers
• Corporation executives
• Employees
• See table on page 776 for user rights
• Availability global, 24/7
• Consistency check
• Does the policy described above meets the goals
  of the Drib?

9
Network Organization
Demilitarized Zone (DMZ)
Inner Firewall

Mail Server
DNS Server(DMZ)
Intranet
Web Server
Corporate data subnet
Customer data subnet
Log Server
Outer Firewall
Internal DNS Server(internal)
Mail server
Internet
Development subnet
10
Network Organization

• Network Regions
• Internet
• Internal Network( Intranet)
• DMZ
• Network Boundaries
• Firewall
• Filtering firewall Based on packet headers
• ex preventing BackOrifice
• Proxy
• Proxy firewall Gives external view that hides
  intranet
• ex mail proxy

11
Analysis of Network Infrastructure

• Conceal the addresses of the internal network
• Internal addresses can be real
• Fake addresses 10.b.c.d, 172.16-31.c.d,
  192.168.c.d
• Network Address Translation Protocol maps
  internal to assigned address
• Mail Server
• Hide internal addresses
• Map incoming mail to real server
• Additional incoming/outgoing checks

12
Firewalls Configuration

• Outer Firewall
• What traffic allowed
• External source IP restrictions
• What type of traffic Ports (e.g., SMTP, HTTP)
• Proxy between DMZ servers and internet
• Internal Firewall
• Traffic restrictions Ports, From/to IP
• Proxy between intranet and outside

13
In the DMZ

• DMZ Mail Server
• performs address and content checking on all
  electronic mail messages
• When it receives a letter from the Internet, it
  performs the following Steps
• reassembles the message into a set of headers, a
  letter, and any attachments
• scans the letter and attachments for any computer
  virus or malicious logic.
• Restore the attachments to transmit
• Rescan it for any violation of SMTP specification
• Scans the recipient address lines.
• Addresses that directed the mail to the drib are
  rewritten to direct the mail to the internal mail
  server

14
In the DMZ

• DMZ Mail Server
• When it receives a outgoing letter from the
  internal mail server
• Steps 1 and 2 are the same
• In step 3 the mail proxy scans the header lines.
• All lines that mention internal hosts are
  rewritten to identify the host as drib.org, the
  name of the outside firewall.

15
In the DMZ

• DMZ WWW Server
• Identifies itself as www.drib.org and uses IP
  address of the outside firewall
• DMZ DNS Server
• It contain entries for
• DMZ mail, Web and log hosts
• Internal trusted administrative host
• Outer firewall
• Inner firewall
• DMZ Log Server

16
Availability and Network Flooding

• Flooding
• Overwhelm TCP stack on target machine
• Prevents legitimate connections
• Limit availability by
• Overwhelming service
• Examples
• SYN flood
• Overwhelms TCP stack

17
SYN flood

• A form of DOS attack
• The attacker initiates large number of TCP SYN
  packets and refuses to execute the 3rd part of
  the TCP three-way handshake for those packets
• If the packets come from multiple sources (the
  attacking machines) but have the same destination
  (the victim machine) ? DDOS

18
Syn Flood

• A the initiator B the destination
• TCP connection multi-step
• A SYN to initiate
• B SYNACK to respond
• C ACK gets agreement
• Sequence numbers then incremented for future
  messages
• Ensures message order
• Retransmit if lost
• Verifies party really initiated connection

19
Syn Flood

• Implementation A, the attacker B the victim
• B
• Receives SYN
• Allocate connection
• Acknowledge
• Wait for response
• See the problem?
• What if no response
• And many SYNs
• All space for connections allocated
• None left for legitimate ones

Time?
20
Solution Ideas

• Limit connections from one source?
• But source is in packet, can be faked
• Ignore connections from illegitimate sources
• If you know who is legitimate
• Can figure it quickly
• And the attacker doesnt know this
• Drop oldest connection attempts

21
Two Approaches to Counter SYN Flood

• Using intermediate hosts to eliminate SYN flood
• Relying on TCP state and memory allocations

22
A. Intermediate Hosts

• Basic idea
• Using routers to divert or eliminate illegitimate
  traffic
• Resources on the target are not consumed by the
  attacks.

23
A. Intermediate Hosts

• Approaches
• Only legitimate handshakes can reach the
  firewall.
• e.g., Cisco routers TCP intercept mode
• Network traffic monitor/tracker
• e.g., Synkill Schuba, etc. 1997

24
A. Intermediate Hosts

• TCP intercept
• Router establishes connection to client
• When connected establish with server
• If the client never sends the ACK (before timing
  out), then the initial SYN packet is part of an
  attack handshake.
• The target never sees the illegitimate SYN
  packets.
• The router uses short time-outs to protect itself.

25
A. Intermediate Hosts

• Synkill
• An active monitor that analyzes packets being
  sent to some set of systems (potential victim
  targets)
• Monitor machine as firewall
• Classification of IP addresses into classes
• Good addresses history of successful
  connections
• Bad addresses previous timeout attempt
• New addresses
• Block and terminate attempts from bad addresses
• Dynamically managed classes
• Question How if a good IP turns bad ?

26
B. TCP State and Memory Allocations

• Problem Server maintaining state
• Runs out of space
• Solutions
• Dont maintain state on server let the client
  track the state. ? the SYN cookie approach
• The adaptive time-out approach

27
B. TCP State and Memory Allocations

• The SYN cookie approach
• The server does not maintain state of connections
• Q How does the server know the sequence numbers?
• Ans The state is encoded in the initial sequence
  number of the ACK the server retrieves this info
  from the clients ACK packet.

28
B. TCP State and Memory Allocations

• The SYN cookie approach
• The SYN cookie is encoded in the SYN response
• h(source,destination,random)sequencetime
• See p.795 for the formula.
• Client increments this and ACKs
• Server subtracts h(), time to get sequence
• Knows if this is in valid range

29
B. TCP State and Memory Allocations

• The adaptive time-out approach
• Assumption There is a fixed amount of space for
  the state of pending connections
• Varies the times before the time-outs, depending
  on the amount of space available for new pending
  connections
• As the amount of available space decreases, so
  does the amount of time before the system begins
  to time out connections.

30
Summary

• A brief overview
• Many issues and techniques in Network Security
• One or more new courses are needed!