CS 5950/6030 Network Security Class 24 (W, 10/26/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing. Third Edition by Pfleeger and Pfleeger. Using some slides courtesy of: Prof. Aaron Striegel — at U. of Notre Dame Prof. Barbara Endicott-Popovsky and Prof. Deborah Frincke — at U. Washington Prof. Jussipekka Leiwo — at Vrije Universiteit (Free U.), Amsterdam, The Netherlands Slides not created by the above authors are © by Leszek T. Lilien, 2005 Requests to use original slides for non-profit purposes will be gladly granted

Dec 21, 2015

Page 1: CS 5950/6030 Network Security Class 24 (W, 10/26/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.

CS 5950/6030 Network Security
Class 24 (W, 10/26/05)

Leszek Lilien
Department of Computer Science
Western Michigan University

Based on Security in Computing. Third Edition by Pfleeger and Pfleeger.
Using some slides courtesy of:
Prof. Aaron Striegel — at U. of Notre Dame
Prof. Barbara Endicott-Popovsky and Prof. Deborah Frincke — at U. Washington
Prof. Jussipekka Leiwo — at Vrije Universiteit (Free U.), Amsterdam, The Netherlands

Slides not created by the above authors are © by Leszek T. Lilien, 2005
Requests to use original slides for non-profit purposes will be gladly granted upon a written request.

Page 2

4. Protection in General-Purpose OSs ...
   4.5. User Authentication ...
SKIPPING FOR NOW:
5. Designing Trusted OSs
6. Database Security
7. Security in Networks
   7.1. Network Concepts
      Class 23:
      a) Introduction
      b) The network
      c) Media
      d) Protocols — PART 1

Page 3

To help you with your network security projects, we’re skipping for now two chapters:
5. Designing Trusted OSs
6. Database Security
We’ll cover these chapters later.

Page 4

7. Security in Networks
Network attacks are critical problems due to:
- Widespread use of networks
- Fast changes in network technology
We’ll discuss security issues in network design / development / usage

Outline
7.1. Network Concepts
7.2. Threats in Networks
7.3. Network Security Controls
7.4. Tools
   7.4.1. Firewalls
   7.4.2. Intrusion Detection Systems
   7.4.3. Secure E-Mail
7.5. Conclusions

Page 5

7.1. Network Concepts
Outline
a) Introduction
b) The network
c) Media
d) Protocols
e) Types of networks
f) Topologies
g) Distributed systems
h) APIs
i) Advantages of computing networks

Page 6

Media (3)
5) Infrared
- Line-of-sight transmission
- Convenient for portable devices
- Typically used in protected space (an office)
6) Satellite
a. Geosynchronous orbit (incl. geostationary orbit over the equator)
   - Speeding satellite seems to be fixed over a point on earth
   - 22,240 miles (35,786 km) orbit, period: 1 day
   - For some communication apps, satellites are an alternative to intercontinental cables on the ocean bottom
   - Good for TV
   - Bad for telephones – Delay: earth-satellite-earth
b. Low earth orbit (LEO)
   - Seen from earth as moving satellites
   - ~95 miles (150 km) above the earth, period: 90 minutes
   - Cover ~660 miles (1000 km) radius
   - For full coverage require a satellite constellation
   - E.g., Iridium has 66 satellites

Page 7

d. Protocols (1)
- Media independence – we don’t care what media are used for communications
- Protocols provide an abstract view of communications
   - View in terms of users and data
   - The ‘how’ details are hidden
- Protocol stack – layered protocol architecture
   - Each higher layer uses the abstract view (what) provided by the lower layer (which hides the ‘how’ details)
   - Each lower layer encapsulates the higher layer (in an ‘envelope’ consisting of header and/or trailer)
- Two popular protocol stacks:
   1) Open Systems Interconnection (OSI)
   2) Transmission Control Protocol / Internet Protocol (TCP/IP)

Page 8

Protocols (2)

1) ISO OSI Reference Model (ISO = Int’l Standards Organization)

OSI Layer   Name           Activity
7           Application    User-level messages
6           Presentation   Standardized data appearance, blocking, text compression
5           Session        Sessions/logical connections among parts of an app; msg sequencing, recovery
4           Transport      Flow control, end-to-end error detection & correction, priority service
3           Network        Routing, msg → same-sized packets
2           Data Link      Reliable data delivery over physical medium; transmission error recovery, packets → same-sized frames
1           Physical       Actual communication across physical medium; transmits bits

Page 9

Protocols (7)

OSI is a conceptual model — not an actual implementation
- Shows all activities required for communication
- Would be too slow and inefficient with 7 layers
An example implementation: TCP/IP

Page 10

End of Class 23

Page 11

4. Protection in General-Purpose OSs ...
   4.5. User Authentication ...
SKIPPING FOR NOW:
5. Designing Trusted OSs
6. Database Security
7. Security in Networks
   7.1. Network Concepts
      Class 23:
      a) Introduction
      b) The network
      c) Media
      d) Protocols — PART 1
      Class 24:
      d) Protocols — PART 2
      e) Types of networks
      f) Topologies
      g) Distributed systems
      h) APIs
      i) Advantages of computing networks

Page 12

Protocols (8)

2) Transmission Control Protocol/Internet Protocol (TCP/IP)
- Invented for what eventually became the Internet
- Defined in terms of protocols, not layers, but can be represented in terms of four layers:
   - Application layer
   - Host-to-host (e2e = end-to-end) transport layer
   - Internet layer
   - Physical layer
- Actually not TCP/IP but: TCP/IP/UDP (user datagram protocol)

Page 13

Protocols (9)

TCP/IP vs. OSI

OSI Layer   Name                 Activity
7           Application          User-level data
6           Presentation         Standardized data appearance
5           Session              Logical connection among parts
4           Transport            Flow control
3           Internet (Network)   Routing
2           Data Link            Reliable data delivery
1           Physical             Actual communication across physical medium

[cf. B. Endicott-Popovsky and D. Frincke]

Page 14

Protocols (10)

TCP/IP

Layer         Action                                   Responsibilities
Application   Prepare messages from user interaction   User interaction, addressing
Transport     Convert messages to packets              Sequencing of packets, reliability (integrity), error correction
Internet      Convert packets to datagrams             Flow control, routing
Physical      Transmit datagrams as individual bits    Actual data communication

Page 15

Protocols (11)

TCP packet includes:
- Sequence nr, Acknowledgement nr (connecting packets of a session)
- Flags
- Source port nr
- Destination port nr
Port – nr of a channel for communication for a particular (type of) application running on a computer
Examples of port-application pairs:
- 23 – Telnet (remote terminal connection)
- 25 – SMTP (e-mail)
- 80 – HTTP (web pages)
- 161 – SNMP (network mngmt)
App has a waiting process monitoring its port
When the port receives data, the app performs a service on it

Page 16

Protocols (12)

UDP – user datagram protocol (connectionless)
- Faster and smaller than TCP
- No error checking/correction
- 8 bytes of control info (vs. 24 bytes for TCP)
- Uses IP => actually UDP/IP
Applications use application-level protocols, which in turn use TCP/IP or UDP/IP
- Apps do not use TCP/IP or UDP/IP directly
- Examples – cf. Table 7-3, p. 379 (shows 4 protocol layers)
Examples of app protocols using TCP/IP: SMTP (e-mail) / HTTP (web pages) / FTP (file transfer) / Telnet (remote terminal connection)
Examples of app protocols using UDP/IP: SNMP (network mngmt) / Syslog (entering log records) / Time (synchronizing network device time)
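The layered encapsulation of Page 7 and the TCP/UDP control fields of Pages 15 and 16, as an added Python example (not code from the lecture or from the Pfleeger text): it builds two constructed packets, then strips the IP envelope and the transport envelope off again, checking every length field against the bytes actually present before trusting it, and maps the destination port to the waiting application from the slide's port table. Field layouts follow the standard IPv4, TCP and UDP wire formats (a minimal 20-byte TCP header with no options, an 8-byte UDP header); the addresses, ports and payloads are made-up sample values.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Port numbers named on the slide, mapped to the application listening on them.
WELL_KNOWN_PORTS = {23: "Telnet", 25: "SMTP", 80: "HTTP", 161: "SNMP"}
PROTO_TCP, PROTO_UDP = 6, 17                                  # IPv4 protocol-field values
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # flag bits 0..5

@dataclass
class Segment:
    """Transport-layer envelope: control fields plus the application data it carries."""
    proto: str
    src_port: int
    dst_port: int
    seq: Optional[int]        # TCP only
    ack: Optional[int]        # TCP only
    flags: List[str]          # TCP only; empty for UDP
    header_len: int
    payload: bytes

@dataclass
class Datagram:
    """Internet-layer envelope wrapped around a Segment."""
    src_ip: str
    dst_ip: str
    ttl: int
    segment: Segment

def ipv4_to_str(raw: bytes) -> str:
    """32 bits = four 8-bit groups, written in decimal as g1.g2.g3.g4."""
    return ".".join(str(b) for b in raw)

def str_to_ipv4(addr: str) -> bytes:
    groups = [int(g) for g in addr.split(".")]
    if len(groups) != 4 or any(not 0 <= g <= 255 for g in groups):
        raise ValueError(f"{addr!r} is not a dotted-decimal IPv4 address")
    return bytes(groups)

def parse_tcp(data: bytes) -> Segment:
    """Strip a TCP header: ports, sequence and acknowledgement numbers, flags."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_flags = struct.unpack("!HHIIH", data[:14])
    header_len = (off_flags >> 12) * 4                        # data offset in 32-bit words
    if header_len < 20 or header_len > len(data):
        raise ValueError("TCP data offset inconsistent with segment length")
    bits = off_flags & 0x3F
    flags = [name for i, name in enumerate(TCP_FLAG_NAMES) if bits & (1 << i)]
    return Segment("TCP", src, dst, seq, ack, flags, header_len, data[header_len:])

def parse_udp(data: bytes) -> Segment:
    """Strip the 8-byte UDP header: ports, length, checksum; no sequence numbers to check."""
    if len(data) < 8:
        raise ValueError("truncated UDP header")
    src, dst, length, _checksum = struct.unpack("!HHHH", data[:8])
    if length < 8 or length > len(data):
        raise ValueError("UDP length field inconsistent with datagram length")
    return Segment("UDP", src, dst, None, None, [], 8, data[8:length])

def parse_ipv4(packet: bytes) -> Datagram:
    """Strip the IPv4 header, then hand the inner bytes to the transport it names."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", packet[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("IPv4 length fields inconsistent with packet size")
    inner = packet[ihl:total_len]                             # the encapsulated segment
    if proto == PROTO_TCP:
        segment = parse_tcp(inner)
    elif proto == PROTO_UDP:
        segment = parse_udp(inner)
    else:
        raise ValueError(f"unsupported transport protocol {proto}")
    return Datagram(ipv4_to_str(packet[12:16]), ipv4_to_str(packet[16:20]), ttl, segment)

def service_for(segment: Segment) -> str:
    """Which waiting application the destination port selects (slide's port table)."""
    return WELL_KNOWN_PORTS.get(segment.dst_port, "unknown")

# --- Constructed sample packets: built here, not captured from any network -------------
def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left 0 because we only parse, never send."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         str_to_ipv4(src), str_to_ipv4(dst))
    return header + payload

def build_tcp(src_port: int, dst_port: int, seq: int, ack: int, flags: List[str], payload: bytes) -> bytes:
    bits = sum(1 << TCP_FLAG_NAMES.index(f) for f in flags)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, (5 << 12) | bits, 65535, 0, 0) + payload

def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload

SAMPLE_TCP_SYN = build_ipv4("10.0.0.5", "141.218.143.10", PROTO_TCP, build_tcp(40001, 80, 1000, 0, ["SYN"], b""))
SAMPLE_UDP = build_ipv4("10.0.0.5", "10.0.0.1", PROTO_UDP, build_udp(50000, 161, b"\x30\x00"))

if __name__ == "__main__":
    for pkt in (SAMPLE_TCP_SYN, SAMPLE_UDP):
        d = parse_ipv4(pkt)
        print(d.src_ip, "->", d.dst_ip, d.segment.proto, d.segment.dst_port, service_for(d.segment), d.segment.flags)
```

The point to notice is the order of the checks: each layer validates its own length field against what the layer below actually delivered before slicing, so a datagram whose IP total length or UDP length claims more bytes than arrived is rejected rather than read past the end. That is the practical consequence of "each lower layer encapsulates the higher layer": the inner parser can only trust what the outer one verified.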

Page 17

Protocols (13)

Network addressing scheme
- Address – unique identifier for a single point in the network
- WAN addressing must be more standardized than LAN addressing
- LAN addressing:
   - Each node has a unique address, e.g. = address of its NIC (network interface card)
   - Network admin may choose arbitrary addresses
- WAN addressing:
   - Most common: Internet addr. scheme – IP addresses
      - 32 bits: four 8-bit groups
      - In decimal: g1.g2.g3.g4 where gi ∈ [0, 255]
      - E.g.: 141.218.143.10
   - User-friendly representation
      - E.g.: cs.wmich.edu (for 141.218.143.10)

Page 18

Protocols (14)

Parsing IP addresses
- From right to left
- Rightmost part, known as top-level domain
   - E.g., .com, .edu, .net, .org, .gov
   - E.g., .us, .in, .pl
- Top-level domain controlled by Internet Registrars
   - IRs also control 2nd-level domains (e.g., wmich in wmich.edu)
   - IRs maintain tables of 2nd-level domains within "their" top-level domains
Finding a service on the Internet – e.g., cs.wmich.edu
- Host looking for a service queries one of the tables at IRs for wmich.edu
- Host finds numerical IP address for wmich.edu
- Using this IP address, host queries wmich.edu to get from its table the numerical address for cs.wmich.edu
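The right-to-left lookup of Pages 17 and 18, as an added Python example that is not from the lecture or the textbook: a toy resolver walks constructed zone tables (the root table of top-level domains, the registrar's table for .edu, and wmich.edu's own host table) from the top-level domain down to cs.wmich.edu, and validates every address it accepts against the g1.g2.g3.g4 rule with gi in [0, 255] before passing it on. The zone contents and server addresses are invented for the example; only 141.218.143.10 and the names cs.wmich.edu / wmich.edu come from the slides.

```python
from typing import Dict, List, Tuple

# Constructed zone tables (toy data, not real registrar or DNS records).  Each zone
# maps one child label to either a referral ("ns": address of the server holding the
# child zone's table) or a final host address ("host").  The root zone is keyed "".
ZONES: Dict[str, Dict[str, Tuple[str, str]]] = {
    "":          {"edu": ("ns", "192.0.2.1"), "com": ("ns", "192.0.2.2")},     # top-level domains
    "edu":       {"wmich": ("ns", "192.0.2.10")},                              # registrar table for .edu
    "wmich.edu": {"cs": ("host", "141.218.143.10"), "www": ("host", "141.218.1.1")},
}

def parse_dotted_decimal(addr: str) -> int:
    """Accept g1.g2.g3.g4 with each gi in [0, 255]; return the 32-bit value."""
    groups = addr.split(".")
    if len(groups) != 4:
        raise ValueError(f"{addr!r}: expected four 8-bit groups")
    value = 0
    for g in groups:
        if not g.isdigit() or not 0 <= int(g) <= 255:
            raise ValueError(f"{addr!r}: group {g!r} is not in [0, 255]")
        value = (value << 8) | int(g)
    return value

def resolve(name: str) -> Tuple[str, List[str]]:
    """Walk the name right to left: TLD table, then 2nd-level table, then the host table.

    Returns the numerical address and the trail of table lookups that produced it.
    """
    labels = name.strip(".").split(".")
    zone, trail = "", []
    for i in range(len(labels) - 1, -1, -1):        # rightmost label first
        label = labels[i]
        table = ZONES.get(zone)
        if table is None or label not in table:
            raise LookupError(f"no entry for {label!r} in zone {zone or '(root)'!r}")
        kind, addr = table[label]
        parse_dotted_decimal(addr)                  # reject malformed addresses before trusting them
        child = label if not zone else f"{label}.{zone}"
        trail.append(f"{zone or '(root)'} table: {child} -> {addr} ({kind})")
        if kind == "host":
            if i != 0:
                raise LookupError(f"{child} is a host, but {name} has more labels to its left")
            return addr, trail
        zone = child                                # next query goes to the child zone's table

    raise LookupError(f"{name} names a zone, not a host")

if __name__ == "__main__":
    address, steps = resolve("cs.wmich.edu")
    print("\n".join(steps))
    print("cs.wmich.edu =", address, "=", hex(parse_dotted_decimal(address)))
```

Walking from the right is what makes the delegation chain meaningful: the root table says who is authoritative for edu, the edu table says who is authoritative for wmich, and only wmich.edu's own table may answer for cs. A resolver that accepted an answer for cs.wmich.edu from any table other than the one it was referred to would be trusting a claim nobody in the chain vouched for.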

Page 19

Protocols (15)

Dissemination of routing information
- Each host knows all other hosts directly connected to it
   - Directly connected => distance = 1 hop
- Each host passes information about its directly connected hosts to all its neighbors
- Example – Fig. 7-2, p. 366
   - System 1 (S1) informs S2 that S1 is 1 hop away from Clients A, B, and C
   - S2 notifies S3 that S2 is 2 hops away from A, B, C
   - S3 notifies S2 that S3 is 1 hop away from D, E and S4
   - S2 notifies S1 that S2 is 2 hops away from D, E and S4
   - Etc., etc.
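The hop-count exchange of Page 19, as an added simulation in Python (not from the lecture or the textbook) of the topology the slide describes for Fig. 7-2: A, B, C attached to S1, the chain S1-S2-S3, and D, E, S4 attached to S3. Each host starts knowing only its direct neighbours at 1 hop and in every round hands its whole table to them; the run shows how many rounds pass before S1 learns that D, E and S4 are 3 hops away, and prints announcements in the slide's own wording. The link list is my reading of the slide's text, not the figure itself.

```python
from typing import Dict, List, Set, Tuple

# Constructed link list, taken from the slide's description of Fig. 7-2 (not the figure):
# clients A, B, C attach to S1; S1-S2-S3 form a chain; D, E and S4 attach to S3.
LINKS: List[Tuple[str, str]] = [
    ("A", "S1"), ("B", "S1"), ("C", "S1"),
    ("S1", "S2"), ("S2", "S3"),
    ("S3", "D"), ("S3", "E"), ("S3", "S4"),
]

Table = Dict[str, int]   # destination -> hop count, as one host currently believes it

def neighbours(links: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    nbrs: Dict[str, Set[str]] = {}
    for a, b in links:
        nbrs.setdefault(a, set()).add(b)
        nbrs.setdefault(b, set()).add(a)
    return nbrs

def advertisement(table: Table, speaker: str) -> List[str]:
    """What `speaker` tells a neighbour, in the slide's wording."""
    return [f"{speaker} is {hops} hop{'' if hops == 1 else 's'} away from {dest}"
            for dest, hops in sorted(table.items()) if dest != speaker]

def disseminate(links: List[Tuple[str, str]]) -> Tuple[Dict[str, Table], int]:
    """Run synchronous rounds until no table changes; return the tables and the round count."""
    nbrs = neighbours(links)
    # Initially each host knows itself (0 hops) and its directly connected hosts (1 hop).
    tables: Dict[str, Table] = {h: {h: 0, **{n: 1 for n in nbrs[h]}} for h in nbrs}
    rounds = 0
    while True:
        updated = {h: dict(t) for h, t in tables.items()}
        for h in nbrs:
            for n in nbrs[h]:                          # every neighbour hands h its whole table ...
                for dest, hops in tables[n].items():
                    if hops + 1 < updated[h].get(dest, float("inf")):
                        updated[h][dest] = hops + 1    # ... and h keeps the shortest claim it hears
        if updated == tables:
            return tables, rounds
        tables, rounds = updated, rounds + 1

if __name__ == "__main__":
    final, rounds = disseminate(LINKS)
    print(f"converged after {rounds} rounds of exchange")
    for line in advertisement(final["S2"], "S2"):
        print(line)
```

Two things the run makes concrete. Convergence takes one round per extra hop of distance, so the farthest pairs (A to D, four hops) are the last to be learned. And every entry beyond 1 hop exists only because a neighbour claimed it: nothing in the exchange verifies a claim, so each host's table is only as trustworthy as every host that fed it, which is the property the later network-security chapters build on.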

Page 20

e. Types of networks
LANs
- Small – < 100 users / within 3 km
- Locally controlled – by a single organization
- Physically protected – no public access to its nodes
- Limited scope – supports a single group, dept, project, etc.
WANs
- Single control of the whole network
- Covers wide area – even the whole globe
- Physically exposed – use public communication media
Internetworks (Internets)
- Internetwork = network of networks
- A.k.a. internet (lower case "i")
- Most popular, largest internet: the Internet (upper case "I"!)
- Internet Society controls (loosely) the Internet – basic rules
- Internet is: federation / enormous / heterogeneous / exposed

Page 21

f. Topologies
Topology can affect security
Topologies:
- Common bus – Fig. 7-11a
   - Convenient for LAN
   - All msgs accessible to every node
- Star / Hub – Fig. 7-11b
   - Central "traffic controller" (TC) node
      - TC can easily monitor all traffic
      - TC can defeat covert channels
   - Msg read only by TC and destination
   - Unique path between any 2 nodes
- Ring – Fig. 7-11c
   - All msgs accessible to many nodes
      - All between source S and destination D on one of the 2 paths between S and D
   - No central control
   - Natural fault tolerance – 2 paths between any S-D pair

Page 22

g. Distributed systems
Distributed system = system in which computation is spread across ≥ 2 computers
- Uses multiple, independent, physically separated computers
- Computers connected directly / via network
Types of DS include:
- Client-server systems
   - Clients request services from servers
- Peer-to-peer systems
   - Collection of equals – each is a client and a server
Note:
- Servers usually protect themselves fr. hostile clients
- Clients should also protect themselves – fr. rogue servers

Page 23

h. APIs
API (Application Programming Interface) = definition of interfaces to modules / systems
- Facilitate component reuse
- Facilitate using remote services
GSSAPI (Generic Security Services API) = template for many kinds of security services that a routine could provide
- Template independent of mechanisms, implementation, etc.
- Callers need credentials to use GSSAPI routines
CAPI (Cryptographic API) = Microsoft API for cryptographic services
- Independent of implementation, etc.

Page 24

i. Advantages of computing networks

Network advantages include:
- Resource sharing
   - For efficient use of common resources
   - Affordability of devices that individual users could not afford
- Workload distribution
   - Can shift workload to less occupied machines
- Increased reliability
   - "Natural" fault tolerance due to redundancy of most network resources
- Easy expandability
   - Can add nodes easily

Page 25

End of Class 23