Network Security Review and Beyond Network Security

1
Network Security Review and Beyond Network
Security
2
From a Computer to Internet

• Building a network of global scale
• Start from a collection of computers
• Direct link network ? internetwork
• Transport layer
• connectionless v.s. connection-oriented
• Network protocol stack

Application
Application
TCP/UDP
TCP/UDP
IP
IP
IP
IP
Link
Link
Link
Link
Internet
3
From a Computer to Internet

• Security issues
• Single computer
• Networking environment
• Secure communication in a public environment
• Computer system security with remote access

Application
Application
TCP/UDP
TCP/UDP
IP
IP
IP
IP
Link
Link
Link
Link
Internet
4
Security Goals

• Goals
• Confidentiality
• Data and traffic
• Integrity
• Data integrity (Data authentication )
• Origin Integrity (Source Authentication)
• Peer authentication and data origin
  authentication
• Non-repudiation
• Source and Destination
• Availability

• Mechanisms
• Authentication
• Access control
• Encryption
• Data integrity protection Digital Signature
• Traffic control
• Routing, padding

Application
Application
TCP/UDP
TCP/UDP
IP
IP
IP
IP
Link
Link
Link
Link
Internet
5
Security Mechanisms

• Security issues
• Single computer
• Networking environment
• Secure communication in a public environment
• Computer system security with remote access

• This course -- Network Security
• Cryptographic Approach
• Encryption
• Data integrity protection Digital Signature
• Authentication
• Network Approach
• Traffic control
• System Approach
• Intrusion detection systems
• Firewall
• System Security
• Authentication
• Access Control (Authorization)
• Multi-level Security
• Program Security

• Mechanisms
• Authentication
• Access control
• Encryption
• Data integrity protection Digital Signature
• Traffic control
• Routing, padding
• Methodology
• Examine all possible vulnerabilities of the
  system
• Consider available countermeasures.

6
Integrity Data integrity source authentication
Confidentiality
Non-repudiation
DSS
SHA
CBC
HMAC
Modes of operation (block ? stream)
MAC
Hash function
Asymmetric key algorithm key exchange, e.g.,
Diffie-Hellman
Asymmetric key algorithm -- digital signature
e.g., DSA
Symmetric encryption algorithm Block
cipher e.g., DES, 3DES, AES
Asymmetric encryption algorithm Block
cipher e.g., RSA, ECC
Symmetric encryption algorithm -- Stream
cipher e.g., RC4
Key establishment
7
From Principle to Practice

• Application/Transport layer based solutions
• Secure network-based applications
• Web SSL, transportation layer solution
• Email PGP, application layer solution
• Secure network support for application
• IPsec
• Internet Security
• BGP security
• Wireless Security
• IEEE 802.11 security

IPSec
8
GPG
Put things together
9
SSL (I)

• Services
• Confidentiality symmetric encryption
• Message Integrity MAC

Application data
fragment
compress
fragment
MAC

• Content type
• Version
• Compressed length

Encrypted
Encrypted
SSL record header
10
SSL (II)
Certificate, RBob
I want to talk to you, RAlice
Alice
Bob
Certificate, RBob
E(KUbob,S)
E(KUbob,S)
Secure communication via keys derived from K
Secure communication via keys derived from K
11
IPSec

• Transport mode
• Encrypts the payload data from upper-layer
  protocol
• IP header in clear text
• Tunnel-mode
• Encrypts the entire IP packets including the IP
  header
• Adding a new IP header

Encrypted
IP header
Encrypted data payload
IPSec header
12
BGP

• Overview
• AS Internet routers are grouped into management
  domains called Autonomous Systems (AS).
• BGP Routing information between AS is exchanged
  via BGP UPDATE messages.
• Threat
• BGP does not have any security protection over
  routing information, for example
• Routing information source authentication
• UPDATE message integrity protection
• If malicious attacker injects or modifies routing
  information (UPDATE messages), BPG routing will
  be interrupted and packets will get dropped.

13
S-BGP

• Three security mechanisms are employed
• Public Key Infrastructure (PKI) is used to
  support the authentication of AS's identity, and
  BGP router's identity.
• BGP transitive path attribute is employed to
  carry digital signatures covering the routing
  information in a BGP UPDATE message.
• IPsec is used to provide data and partial
  sequence integrity, and to enable BGP routers to
  authenticate each other for exchanges of BGP
  control traffic.
• Further reading
• Stephen Kent, Charles Lynn, and Karen Seo, Secure
  Border Gateway Protocol (Secure-BGP), IEEE
  Journal on Selected Areas in Communications Vol.
  18, No. 4, April 2000, pp. 582-592
• Stephen Kent, Charles Lynn, J. Mikkelson, and
  Karen Seo, Secure Border Gateway Protocol (S-BGP)
  -- Real World Performance and Deployment Issues,
  in ISOC Symposium on Network and Distributed
  System Security, 2000.

14
Security in Wireless LAN

• WEP (Wireless Equivalent Privacy)
• a link-level security mechanism defined in IEEE
  802.11
• Stream cipher RC4 used in a nonstandard way
• A base key is concatenated with a 24-bit
  per-packet nonce, and is used as a per-packet RC4
  key.
• CRC checksum is used for integrity protection
• Fluher, Mantin, and Shamir Attack
• An eavesdropping can deduce the base RC4 key
  based on several millions encrypted packets whose
  first byte of plaintext is known.
• Stubblefield, Ioannidis, and Rubin demonstrated
  its feasibility
• Problems with WEP A summary
• 24-bit IVs are too short to provide
  confidentiality
• CRC checksum is insecure, and can not protect
  packet integrity
• The way that IV is combined with the key is
  subject to cryptanalysis. Passive eavesdroppers
  can learn the key after observing a few million
  encrypted packets
• Lack of source and destination address
  authentication

15
Improved 802.11i Architecture
Stage 1 Network and security capability
discovery
802.1X failure
Stage 2 802.1X authentication and key
establishment (mutual authentication,
establish shared secret, ciphersuite)
Association failure
Stage 3 Secure association
(management frames protected)
Four-way handshake timeout
Stage 4 Four-way handshake (master
key confirmation, session key derivation,
group key distribution)
Group key handshake timeout
Stage 5 Group key handshake
Invalid MIC or other security failures
Stage 6 Secure data communications
Security Analysis and Improvements for IEEE
802.11i, He and Mitchell, NDSS05
16
Web Security

• Authentication of Web Service
• Cookies
• Scripts
• Java Scripts
• XSS
• SQL injection
• Active X

17
Worm DoS

• Availability Issues

• Probes of Slammer worm from Dshield data set
• Initially matched random scanning worm
• Soon slowed down due to bw saturation and
  network failures

Probe rate of Code red worm (a typical
random-scanning worm)
18
Firewall IDS

• Deployment

HTTP
Internet
SMTP
FTP
TELNET
Packet filter
Application gateway