Transcript Document
Network Security Review and Beyond Network Security
Yuan Xue, Fall 2009
@Yuan Xue ([email protected])

Slide: From a Computer to Internet
- Building a network of global scale
  - Start from a collection of computers
  - Direct link network -> internetwork
- Transport layer: connectionless v.s. connection-oriented
- Network protocol stack (figure: two end hosts with Application / TCP/UDP / IP / Link; routers in the Internet with IP / Link only)

Slide: From a Computer to Internet - Security issues
- Single computer
- Networking environment
  - Secure communication in a public environment
  - Computer system security with remote access
(figure: same protocol stack, Application / TCP/UDP / IP / Link across the Internet)

Slide: Security Goals
Goals:
- Confidentiality: data and traffic
- Integrity: data integrity (data authentication); origin integrity (source authentication)
- Non-repudiation
- Availability
Mechanisms:
- Authentication: peer authentication and data origin authentication
- Access control
- Encryption
- Data integrity protection & digital signature
- Traffic control: routing, padding (source and destination)
(figure: protocol stack, Application / TCP/UDP / IP / Link)

Slide: Security Mechanisms
Security issues:
- Single computer
- Networking environment
  - Secure communication in a public environment
  - Computer system security with remote access
This course -- Network Security:
- Cryptographic approach: encryption; data integrity protection & digital signature; authentication
- Network approach: traffic control
- System approach: intrusion detection systems; firewall
System security: authentication; access control (authorization); multi-level security; program security

Slide: Mechanisms
- Authentication
- Access control
- Encryption
- Data integrity protection & digital signature
- Traffic control: routing, padding
Methodology:
- Examine all possible vulnerabilities of the system
- Consider available countermeasures

Slide: Cryptography Review
Goals: integrity = data integrity + source authentication; confidentiality; non-repudiation
- Symmetric encryption algorithm - stream cipher, e.g., RC4
- Symmetric encryption algorithm - block cipher, e.g., DES, 3DES, AES
- Modes of operation (block -> stream), e.g., CBC
- Asymmetric encryption algorithm - block cipher, e.g., RSA, ECC
- Hash function, e.g., SHA
- MAC, e.g., HMAC
- Asymmetric key algorithm - key exchange, e.g., Diffie-Hellman
- Asymmetric key algorithm - digital signature, e.g., DSA (DSS)
- Key establishment

Slide: From Principle to Practice
- Application/transport layer based solutions: secure network-based applications
  - Web - SSL, transport layer solution
  - Email - PGP, application layer solution
- Secure network + support for application
  - Internet security - IPsec (network layer)
  - BGP security
  - Wireless security - IEEE 802.11 security (link layer): WEP, WPA, IEEE 802.11i
(figure: Application - PGP; Transport - SSL; Network - IPSec; Link - WEP, WPA, IEEE 802.11i)

Slide: Review (protocol stack figure with labels)
- Application: User ID / Email / Key ID, PGP payload; FTP, HTTP, SMTP, HTTPS; SSL (SSL_CTX, SSL, SSL_SESSION), SSL hdr + payload
- Transport: TCP hdr, ports, stream, congestion window (CW), multiplex/demultiplex; UDP
- Network: IP, IPSec, SADB, IP address, routing table, forwarding table, forward, fragment/reassemble; packet layout IP | IPSec | TCP | SSL | payload (transport mode)
- Link: MAC, frame; WPA/WPA2 with 802.11

Slide: Comparison - PGP vs. SSL vs. IPSec
- Layer: PGP - application layer; SSL - transport layer (above TCP); IPSec - network layer (above IP)
- Timing: PGP - offline; SSL - online/real-time; IPSec - online/real-time
- Connection: PGP - connectionless (a single data message; data order n/a; replay attack handled by timestamp); SSL - connection-oriented (a data stream; data order via TCP; defense against replay attack); IPSec - connectionless (defense against replay attack)
- Protected data: PGP - application payload only; SSL - application payload only; IPSec - transport mode protects TCP hdr + application payload, tunnel mode protects IP hdr + TCP hdr + payload
- Authentication entity: PGP - user (Key ID); SSL - SSL session (certificate); IPSec - security association
- Protected unit: PGP - entire data message; SSL - SSL connection / TCP / port

Slide: Improved 802.11i Architecture
- Stage 1: Network and security capability discovery
- Stage 2: 802.1X authentication and key establishment (mutual authentication, establish shared secret, ciphersuite)
- Stage 3: Secure association (management frames protected)
- Stage 4: Four-way handshake (master key confirmation, session key derivation, group key distribution)
- Stage 5: Group key handshake
- Stage 6: Secure data communications
Failure transitions shown in the figure: 802.1X failure; association failure; four-way handshake timeout; group key handshake timeout; invalid MIC or other security failures
Source: Security Analysis and Improvements for IEEE 802.11i, He and Mitchell, NDSS 05

Slide: Web Authentication In A Picture
- Web browser: client-side script; user + password in HTML form
- Web server: server-side script; password file; database
- HTTP authentication
- SSL authentication via X.509 certificate (certificates on client and server)
- Stack: HTTPS = HTTP over SSL over TCP

Slide: Web Application Attacks
- XSS - Cross-site scripting
  - Problem stems from echoing untrusted input
  - Difficult to prevent; requires care, testing, tools, ...
- XSRF - Cross-site request forgery
  - Forged request leveraging an ongoing session
  - Can be prevented (if XSS problems are fixed)
- SQL Injection
  - Bad input checking allows a malicious SQL query
  - Known defenses address the problem effectively
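The three web application attacks on the slide each have a well-known defense. The following Python example, added here and not part of the lecture slides, puts the vulnerable form of two of them beside the hardened form and shows the standard XSRF defense: SQL built by string concatenation versus a parameterized query, an echoed input rendered raw versus HTML-escaped, and a per-session token compared in constant time. The in-memory sqlite3 table, the user names and the plaintext passwords are constructed toy data for the demonstration (a real system stores password hashes).

```python
import html
import secrets
import sqlite3


def make_db():
    """Constructed toy user table; plaintext passwords only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "pw-alice"), ("bob", "pw-bob")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """SQL injection: untrusted input is spliced into the query text, so quote
    characters in the input change the query's structure ('bad input checking')."""
    query = (
        "SELECT name FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, name, password):
    """Known defense: placeholders keep the input as data; the SQL text is fixed."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


def render_greeting_vulnerable(user_input):
    """XSS: untrusted input is echoed into HTML unchanged."""
    return "<p>Hello, " + user_input + "</p>"


def render_greeting_escaped(user_input):
    """Defense: output encoding turns markup characters into entities."""
    return "<p>Hello, " + html.escape(user_input, quote=True) + "</p>"


def issue_csrf_token(session):
    """XSRF defense: a secret token tied to the session that a forged
    cross-site request cannot supply; 'session' is a dict standing in for
    server-side session storage (assumption of this example)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf_token(session, submitted):
    """Accept a state-changing request only if the submitted token matches the
    session's token; constant-time comparison avoids leaking partial matches."""
    expected = session.get("csrf_token")
    if expected is None or submitted is None:
        return False
    return secrets.compare_digest(expected, submitted)


if __name__ == "__main__":
    db = make_db()
    tainted = "x' OR 'a'='a"  # constructed input containing a quote character
    print("vulnerable:    ", login_vulnerable(db, tainted, tainted))      # every user
    print("parameterized: ", login_parameterized(db, tainted, tainted))  # no user
    print(render_greeting_vulnerable("<script>x</script>"))
    print(render_greeting_escaped("<script>x</script>"))
    sess = {}
    tok = issue_csrf_token(sess)
    print("token ok:", verify_csrf_token(sess, tok), "forged:", verify_csrf_token(sess, "forged"))
```

The point the slide makes is visible in the first two functions: with the same input, the concatenated query returns every row because the quote character rewrote the WHERE clause, while the parameterized query returns nothing because the input was only ever compared as a value. Escaping on output is what stops the echoed input from becoming markup, and the token check is meaningful only when XSS is fixed, since script running in the page could otherwise read the token, which is why the slide ties XSRF prevention to fixing XSS first.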