EE579T / CS525T Network Security

1: Course Overview and Computer Security Review

Prof. Richard A. Stanley

WPI, Spring 2005. © 2000-2005, Richard A. Stanley

Page 2

Overview of Tonight’s Class

• Administration

• Is network security a problem, or just an interesting topic?

• What is different between computer security and network security?

• Review of computer security

Page 3

Administration

Page 4

Organizational Details

• Prof. Stanley contact information
– Office: A-K 316
– Hours: Mon/Tue 5:00-6:00 PM and by appointment
– Phone: (508) 276-1060 / (508) 831-5352
– Email: [email protected]

Page 5

Administrivia

• Class will normally meet 6:00 - 8:50 PM every Tuesday here. Please be on time.

• Break from approx. 7:15 to 7:30 PM

• If class is cancelled for bad weather, you should receive notice. Double-check with ECE Dept. (5231) or with me if in doubt.

• It may be necessary to cancel a class during the term. If so, you will be notified.

Page 6

Course Text

• Network Security Essentials, 2nd Edition William Stallings, Prentice Hall, 1999 ISBN 0-13-016093-8

• Additional material will be in the form of handouts and pointers to research materials

Page 7

Course Web Page

• http://www.ece.wpi.edu/courses/ee579t/

• Slides will be posted to the page before class, barring any unfortunate problems

Page 8

Grading

• Mid-term exam (20%)

• Homework (10%)

• Class participation (10%)

• Final exam (30%)

• Course project (30%)

Page 9

Course Projects Overview

• Teams of 2-4 individuals, ~4 preferred

• Identify, through research, a meaningful network security problem (reported on as a historical event or one you can hypothesize)

• Analyze the problem
– Why did it occur?
– How could you have prevented or mitigated it?

• Prepare report and present to the class

Page 10

Policies - 1

• STUDENT CONDUCT: Students are required to adhere to the Student Conduct Policy.

• There is a difference between working in teams and submitting the same work. If work is a team product, it must be clearly labeled as such. Plagiarism will not be tolerated.

• “Incomplete” grades will not be given unless there is a true emergency, and only by prearrangement

Page 11

Policies - 2

• Homework is due at the class following the one in which it is assigned. It will be accepted up to the second class after that in which it is assigned, but not after that, except in truly emergency situations. By definition, emergencies do not occur regularly.

Page 12

Getting to Know You

• Your interests and expertise in this area

• My interest and experience in this area

• What you would like from the course

Page 13

Is Network Security Really an Important Problem?

Page 14

Network Security: What’s the Big Deal?

• Not a new problem

• Not just a creation of the press

• Not just for rocket scientists

• As professionals, failure to understand and implement appropriate security can come back to haunt you in terms of liability and reputation

Page 15

Points to Ponder

• 80% of businesses surveyed reported insider attacks against their networks in 2003

• Reported financial losses totaled $201.8M -- this represents only the 251 companies willing to share this information! Decrease from 2002.

• Theft of proprietary information and denial of service attacks top the list of losses

• Majority of attacks now from outside, but disgruntled employees blamed for 77%.

Source: "Issues and Trends: 2003 CSI/FBI Computer Crime and Security Survey"

Page 16

What’s the Problem?

• Financial liability
– Due diligence
– Simple negligence
– Gross negligence

• Goodwill

• One bad press release cancels 1000 attaboys

This is a “you bet your business” issue

Page 17

Computer Security versus Network Security

Page 18

Computer security involves preventing, detecting, and responding to unauthorized actions on a computer system.

Network security means the same thing for a group of networked computers.

To understand network security, you must first understand computer security. There is no “easy” way around this.

Page 19

One View

(Figure: Computer Security, Network Security, WWW Security)

Page 20

Why Networks Matter

• If computers cannot be secured individually, the network cannot be secure

• Networking makes the most individually secure computer on the network only as secure as the least individually secure computer on the network.

• Networking offers new vulnerabilities

• Speed of mischief increases exponentially

Page 21

And Most Especially...

• Mobile code is a basic staple of the internet, and other networks as well
– This is a wholly new paradigm

• Users are not usually aware of mobile code

• Novelty and convenience trump security every time
– Consider the dancing pigs

Page 22

Analogy

• One can easily define the security perimeter of a single computer. You can probably even literally “put your arms around it.”

• One cannot easily define the perimeter of a group of networked computers, except under a set of trivial conditions that are meaningless in practice.

• So, where to put the security? And HOW to make it happen?

Page 23

Role of Technology

• Technology is a useful tool, not a panacea.

• A clear policy, evenly enforced, is the most critical element of success.

• Don’t ignore the fundamentals.
– Caterpillar’s entire network was compromised by not revoking a former employee’s password.

• Perfection does not exist in the real world

Page 24

Why Isn’t This Topic More Theoretical?

In theory, there is no difference between theory and practice. In practice, there is. -- Yogi Berra

Page 25

Remember the Security Theorem

• Proving a computer to be secure required:
– Knowledge of the security of each state transition
– An exhaustive catalog of all possible states
– Knowledge of the initial conditions

• Now, how do we apply this approach to a network with changing topology?

Page 26

Why Is A Proof Elusive?

• A secure network must be secure under all conditions of operation

• This demands proof that there is no condition under which it could operate that is insecure, i.e. the negative proposition.

• However, formal logic teaches us it is impossible to prove a negative

• Q.E.D.

Page 27

Networks

• A network is an interconnected group of communicating devices.

• Two primary network types
– Circuit-switched (connection oriented)
– Packet-switched (connectionless)

• Span
– WAN, MAN, LAN
– So what?

Page 28

Data Networks

• Almost exclusively packet switched
– Higher efficiency than circuit-switched
– Computationally intensive to provide
– Packet loss rate is often very high
  • Largely due to collisions rather than circuit faults
– Require extensive protocols to operate
  • X.25
  • IP

Page 29

Network Topology

• The topology of a network is a view of its interconnections, as they would be seen by an observer looking down from great height

• Topology is important because it has implications for security

• Three major topologies:
– star
– buss
– ring

Page 30

Star Topology

(Figure) The orange lines depict one star -- this slide actually shows a star-star architecture.

Page 31

Buss Topology

(Figure: buss) In a buss topology, all signals pass by all terminals

Page 32

Ring Topology

A ring is simply a buss with the ends connected to one another.

Page 33

How To Get There?

• Every destination on the network must have an address, just as every postal destination must have an address
– Addresses must be unique
– Network must know how to recognize address
– Various addressing schema, e.g.
  • Ethernet
  • IP

Page 34

Two Network Technologies

• Token ring
– Users remain silent until they receive token
– Pioneered by IBM, not widely used

• Ethernet
– Carrier-sense, multiple access/collision detect
– Binary exponential backoff on collision sense
– This is a radio network! Another vulnerability
– Most widely used architecture today, largely because it is less expensive than token ring

Page 35

Other Network Technologies

• Fiber-Distributed Data Interconnect (FDDI)
– Self-healing, 100 Mbps dual ring

• Frame relay
– Packet data service, built on X.25

• Synchronous Optical Network (SONET)

• Asynchronous Transfer Mode (ATM)
– Can operate at gigabit speeds
– 53 byte packets; 5 of the bytes are overhead

These are of interest in networking, but not security per se; they will not be discussed further in this course

Page 36

Topology Misconceptions

• The physical interconnection of network elements does not necessarily reflect the logical network topology
– Ethernet is logically a buss architecture
– Ethernet, connected using hubs, uses a physical star interconnection
– Ethernet, connected using coaxial cable, uses a physical buss interconnection

Page 37

Some Network Security Issues

• Users not necessarily registered at the node they are accessing
– How to authenticate users?
– What is basis for access control decisions?

• Some options:
– User ID
– User address
– Service being invoked
– Cryptographic-based solutions

Page 38

Ethernet Misconceptions

• IEEE 802.3 = Ethernet
– Nope! Pure Ethernet is 802.2

• All Ethernets are created equal
– Vendor implementation issues

• The faster the network speed, the faster I can work
– Signaling speed ≠ data throughput

• Ethernet maps to the internet

Page 39

CSMA/CD Throughput

(Figure: throughput plotted against number of users, with the signaling speed as the reference line; the achieved throughput reaches only ~40% of it)

Page 40

Ethernet Addresses

• 48 bits long

• Address space managed by the IEEE

• Usually fixed in hardware at time of manufacture, but increasingly in EEPROM

• Hardware must recognize at least its own physical address and the network multicast address, and possibly alternate addresses

Page 41

Ethernet Frame

NOTE: The proper term in this context for groups of 8 bits is an octet, not a byte.

Page 42

Network Size

• Networks cannot grow to be arbitrarily large
– Address space
– Physical interconnection limitations
– Increasing collisions as users increase
– Protocol/OS/machine incompatibilities

• So, how to extend the ability to interconnect an arbitrarily large number of computers?

Page 43

The ARPANET

• Father of the Internet; first elements in 1969

• Began as an attempt to conduct and share research to ensure continuity of communications after nuclear war, so
– Connectionless
– Assured delivery
– Self-reconfiguring (sort of)

• Demonstrated feasibility of internetworking disparate computer networks and machines

Page 44

Internetworking

• Internetworking is the interconnection of networks

• The Internet is an internetwork; not all internetworks are the Internet

• Very few modern networks exist in isolation; most are internetworked

• This has important security and legal implications

Page 45

Internetworking Concepts

• Networks are interconnected by routers or gateways
– More about this later in the course

• Routers route a packet using the destination network address, not the destination host address
– Analogous to the world postal system and how letters are routed

Page 46

Internetwork Architecture

(Figure: Net 1 -- R -- Net 2, two networks joined by a router R)

Page 47

Extended Internetworking

(Figure: Net 1 -- R -- Net 2, with a second router R joining Net 3)

Clearly, this can be extended ad infinitum, to form very large internetworks.

Page 48

Some Terms

• TCP = transmission control protocol

• IP = internet protocol

• These protocols have become widely used outside the formally-defined Internet

• They have some serious flaws, but they work
– They were not planned to have/need security

Page 49

IP Addressing

Page 50

Class Discrimination

• Address space is 32 bits long (IPv4)
– Therefore, at most 2^32 possible addresses (or 4,294,967,296 in decimal notation)

• Easy to extract netid from address

• There is not a one-to-one correspondence between IP addresses and physical devices
– Consider the router

• Address with hostid = 0 refers to network

Page 51

IP Addressing Weaknesses

• If a host moves to another network, its IP address must change

• If a network grows beyond its class size (B or C), it must get a new address of the next larger size

• Because routing is by IP address, the path taken by packets to a multiple-addressed host depends on the address used

Page 52

IP Address Presentation

• Usually done in dotted decimal, e.g., 10000000 00001010 00000010 00011110 is usually written as 128.10.2.30

• What class of network address is this?

• As you see, each notation has its uses

Page 53

Consider This Address

• 256.75.301.116

• What type of network is represented by this address?

• Why?

Page 54

Address Limits

Class   Lowest Address   Highest Address
A       0.1.0.0          126.0.0.0
B       128.0.0.0        191.255.0.0
C       192.0.1.0        223.255.255.0
D       224.0.0.0        239.255.255.255
E       240.0.0.0        247.255.255.255

Page 55

Special Purpose Addresses

• 0.0.0.0 -- addresses current host

• 255.255.255.255 -- addresses hosts on current network

• Host bits zero -- identifies a network

• Host bits one -- addresses hosts on addressed network

• Network bits zero -- addresses specific host on current network

Page 56

Reserved Addresses

• First quad = 127 is used for loopback
– Traffic doesn’t leave the computer
– Routed to the IP input queue
– Usually see 127.0.0.1

• Unregistered addresses
– Class A 10.0.0.0 thru 10.255.255.255
– Class B 172.16.0.0 thru 172.31.255.255
– Class C 192.168.0.0 thru 192.168.255.255
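As an added example (not part of the course slides), the following Python module applies the classful rules from pages 50 through 56 in code: it parses dotted-decimal text and rejects the malformed address from page 53, reads the class from the leading bits, splits netid from hostid, and recognises the special-purpose and unregistered (RFC 1918) addresses. The sample addresses in the `__main__` block are constructed.

```python
"""Classful IPv4 address helpers (added example, not from the course slides)."""
from typing import Dict, Optional, Tuple

NET_BITS = {"A": 8, "B": 16, "C": 24}   # netid width per class; D/E have no host part

# RFC 1918 "unregistered" blocks as listed on slide 56, as (first, last)
PRIVATE_RANGES = [
    ("10.0.0.0", "10.255.255.255"),
    ("172.16.0.0", "172.31.255.255"),
    ("192.168.0.0", "192.168.255.255"),
]


def parse_ipv4(text: str) -> int:
    """Dotted decimal -> 32-bit int. Exactly four decimal octets in 0..255,
    so 256.75.301.116 (slide 53) is rejected instead of silently wrapping."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError("expected 4 octets, got %d: %r" % (len(parts), text))
    value = 0
    for part in parts:
        if not part.isdigit():
            raise ValueError("non-numeric octet %r in %r" % (part, text))
        octet = int(part)
        if octet > 255:
            raise ValueError("octet %d out of range 0..255 in %r" % (octet, text))
        value = (value << 8) | octet
    return value


def to_dotted(addr: int) -> str:
    return ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))


def to_binary(addr: int) -> str:
    """Octet-grouped binary, the notation used on slide 52."""
    return " ".join("{:08b}".format((addr >> s) & 0xFF) for s in (24, 16, 8, 0))


def address_class(addr: int) -> str:
    """Class follows from the leading bits: 0 -> A, 10 -> B, 110 -> C, 1110 -> D, 1111 -> E."""
    top = addr >> 28
    if top & 0b1000 == 0:
        return "A"
    if top & 0b1100 == 0b1000:
        return "B"
    if top & 0b1110 == 0b1100:
        return "C"
    return "D" if top == 0b1110 else "E"


def split_netid_hostid(addr: int) -> Tuple[int, int]:
    """(netid, hostid) for a class A/B/C address; D/E have no such split."""
    cls = address_class(addr)
    if cls not in NET_BITS:
        raise ValueError("class %s address has no netid/hostid split" % cls)
    host_bits = 32 - NET_BITS[cls]
    return addr >> host_bits, addr & ((1 << host_bits) - 1)


def describe_special(addr: int) -> Optional[str]:
    """Name the special-purpose forms from slides 55 and 56, else None."""
    if addr == 0:
        return "current host"
    if addr == 0xFFFFFFFF:
        return "limited broadcast: all hosts on current network"
    if addr >> 24 == 127:
        return "loopback: traffic never leaves the computer"
    if address_class(addr) not in NET_BITS:
        return None
    netid, hostid = split_netid_hostid(addr)
    host_bits = 32 - NET_BITS[address_class(addr)]
    if hostid == 0:
        return "network address (host bits zero)"
    if hostid == (1 << host_bits) - 1:
        return "directed broadcast: all hosts on addressed network (host bits one)"
    if netid == 0:
        return "specific host on current network (network bits zero)"
    return None


def is_unregistered(addr: int) -> bool:
    """True if addr falls in one of the private (unregistered) blocks."""
    return any(parse_ipv4(lo) <= addr <= parse_ipv4(hi) for lo, hi in PRIVATE_RANGES)


def classify(text: str) -> Dict[str, object]:
    """One-stop summary; raises ValueError for syntactically invalid text."""
    addr = parse_ipv4(text)
    info = {"dotted": to_dotted(addr), "binary": to_binary(addr),
            "class": address_class(addr), "special": describe_special(addr),
            "unregistered": is_unregistered(addr)}
    if info["class"] in NET_BITS:
        info["netid"], info["hostid"] = split_netid_hostid(addr)
    return info


if __name__ == "__main__":
    # constructed sample addresses, including the two from slides 52 and 53
    for sample in ("128.10.2.30", "10.0.0.1", "192.168.1.255", "127.0.0.1",
                   "224.0.0.1", "256.75.301.116"):
        try:
            print(sample, classify(sample))
        except ValueError as err:
            print(sample, "invalid:", err)
```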

Page 57

The Future of IP

• IPv4 has shortcomings that are becoming important for modern networking

• The IETF’s solution is a new version of IP, Version 6, written as IPv6
– Increased address space (128 vs. 32 bits)
– Support for network autoconfiguration
– Better support for routing
– Better security support

Page 58

IPv6 Issues

• It is not backwards compatible with IPv4
– Given the change in address space alone, how could it be?
– Requires a translator to go from v4 to v6 and vice versa

• Huge investment in installed IPv4 militates against rapid changeover
– But the Defense Department is going there now

• Network address translation (NAT) helps reduce need for new address space

• Some services, like IPSec, now available for IPv4

• Bottom line: changeover not likely to be quick

Page 59

Ports and Sockets

• Ports are associated with services, e.g.,
– Port 53 is usually the domain name service (DNS)
– Port 80 is usually the hypertext transfer protocol service

• A socket is the combination of an IP address and a port, e.g. 192.168.2.45:80

• Sockets enable multiple simultaneous services to run on a single address

Page 60

Address Registration

• Internet Corporation for Assigned Names and Numbers (ICANN) handles:
– IP address space allocation
– protocol parameter assignment
– domain name system management
– root server system management functions

• Only essential to register addresses that appear on the global network, but registration is preferred

Page 61

Routing

Page 62

Protocols

• A protocol is simply an agreed-upon exchange of information required to perform a given task
– IP is a protocol
– So is TCP

• Networks utilize protocols to accomplish all the important tasks they perform

• Layered protocols are common

Page 63

ISO Protocol Model

Page 64

Protocol Layering

• Refers to a protocol running on top of another protocol

• Layered protocols are designed so that layer n at the destination receives exactly the same object sent by layer n at the source

Page 65

TCP/IP Layering Model

Layer               Object exchanged at that layer
Application         Application-specific messages/streams
Transport           TCP Packets
Internet            IP Datagrams
Network Interface   Ethernet/Token Ring
Hardware

Page 66

Some Common Protocols

• ARP maps IP addresses to physical addresses

• RARP determines IP address at startup

• IP provides for assured connectionless datagram delivery

• ICMP handles error and control messages

• UDP defines user datagrams (no assurance of delivery)

• IKE handles crypto key management functions

• TCP provides reliable stream transport

Page 67

How Protocol Layering Works
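The layering figure itself did not survive extraction, so here is an added Python example (not course code) that walks a message down the model of pages 64 through 66 and back up: an application message is wrapped in a simplified TCP-like segment, an IPv4-like datagram with a real RFC 791 header checksum, and an Ethernet-like frame with 48-bit addresses and a CRC-32 frame check sequence; the receiver checks each header, accepts only frames for its own or the broadcast address (page 40), and hands up exactly the object its peer layer sent. The header layouts are deliberately minimal, and the hosts, addresses and message in `round_trip()` are constructed.

```python
"""Toy encapsulation through the TCP/IP layering model (added example, not course code).

Each layer wraps the object handed down by the layer above; at the destination each
layer checks its own header and hands up exactly the object its peer sent."""
import struct
import zlib
from typing import Dict, Optional, Tuple

ETHERTYPE_IP = 0x0800
PROTO_TCP = 6
BROADCAST_MAC = b"\xff" * 6
IP_FMT = "!BBHHHBBH4s4s"   # minimal 20-octet IPv4 header


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum (one's-complement sum of 16-bit words, complemented).
    Over a header whose checksum field is already filled in, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


# Transport layer: simplified TCP-like segment header (ports + sequence number).
def tcp_encapsulate(src_port: int, dst_port: int, seq: int, data: bytes) -> bytes:
    return struct.pack("!HHI", src_port, dst_port, seq) + data


def tcp_decapsulate(segment: bytes) -> Tuple[int, int, int, bytes]:
    src_port, dst_port, seq = struct.unpack("!HHI", segment[:8])
    return src_port, dst_port, seq, segment[8:]


# Internet layer: IPv4-like datagram carrying addresses, protocol number and checksum.
def ip_encapsulate(src: bytes, dst: bytes, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    hdr = struct.pack(IP_FMT, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]   # fill checksum field
    return hdr + payload


def ip_decapsulate(datagram: bytes) -> Tuple[bytes, bytes, int, bytes]:
    hdr = datagram[:20]
    if ip_checksum(hdr) != 0:
        raise ValueError("IP header checksum mismatch")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IP_FMT, hdr)
    if ver_ihl != 0x45:
        raise ValueError("not a minimal IPv4 header")
    return src, dst, proto, datagram[20:total_len]


# Network interface layer: Ethernet-like frame with 48-bit addresses and a CRC-32 FCS.
def eth_encapsulate(src_mac: bytes, dst_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    body = dst_mac + src_mac + struct.pack("!H", ethertype) + payload
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)


def eth_decapsulate(frame: bytes, my_mac: bytes) -> Optional[Tuple[bytes, int, bytes]]:
    body, (fcs,) = frame[:-4], struct.unpack("!I", frame[-4:])
    if zlib.crc32(body) & 0xFFFFFFFF != fcs:
        raise ValueError("FCS mismatch: frame damaged in transit")
    dst_mac, src_mac = body[:6], body[6:12]
    if dst_mac not in (my_mac, BROADCAST_MAC):   # slide 40: own address or broadcast only
        return None                               # not addressed to us; drop silently
    (ethertype,) = struct.unpack("!H", body[12:14])
    return src_mac, ethertype, body[14:]


def send(message: bytes, src_ip: bytes, dst_ip: bytes, src_mac: bytes, dst_mac: bytes,
         src_port: int = 40000, dst_port: int = 80, seq: int = 1) -> bytes:
    """Application message -> TCP segment -> IP datagram -> Ethernet frame."""
    segment = tcp_encapsulate(src_port, dst_port, seq, message)
    datagram = ip_encapsulate(src_ip, dst_ip, PROTO_TCP, segment)
    return eth_encapsulate(src_mac, dst_mac, ETHERTYPE_IP, datagram)


def receive(frame: bytes, my_mac: bytes) -> Optional[Dict[str, object]]:
    """Peel the layers off in reverse order; returns what each layer handed up."""
    link = eth_decapsulate(frame, my_mac)
    if link is None:
        return None
    _src_mac, ethertype, datagram = link
    if ethertype != ETHERTYPE_IP:
        raise ValueError("unsupported ethertype 0x%04x" % ethertype)
    src_ip, dst_ip, proto, segment = ip_decapsulate(datagram)
    if proto != PROTO_TCP:
        raise ValueError("unsupported IP protocol %d" % proto)
    src_port, dst_port, seq, data = tcp_decapsulate(segment)
    return {"datagram": datagram, "segment": segment, "data": data, "src_ip": src_ip,
            "dst_ip": dst_ip, "src_port": src_port, "dst_port": dst_port, "seq": seq}


def round_trip(message: bytes = b"GET / HTTP/1.0\r\n\r\n") -> Tuple[bytes, Dict[str, object]]:
    """Constructed sample: host A sends to the socket 192.168.2.45:80 from slide 59."""
    a_ip, b_ip = bytes([192, 168, 2, 10]), bytes([192, 168, 2, 45])
    a_mac, b_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    frame = send(message, a_ip, b_ip, a_mac, b_mac)
    return frame, receive(frame, b_mac)
```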

Page 68

Protocol Layering & Internet

Page 69

Important Boundaries

Page 70

TCP

• Assumes little about underlying network

• Reliable delivery characteristics:
– Stream orientation
– Virtual circuit connection
– Buffered transfer
– Unstructured stream
– Full duplex connection

Page 71

Positive Acknowledgement

WPI EE579T/1 #72

Positive Acknowledgement With Lost Packet

WPI EE579T/1 #73

Sliding Window

WPI EE579T/1 #74

Positive ACK With Sliding Window

WPI EE579T/1 #75

TCP

• A communications protocol, NOT a piece of software

• Provides

– Data format

– Data acknowledgement for reliable transfer

– How to distinguish multiple destinations

– How to set up and break down a session

• Very complex

WPI EE579T/1 #76

Conceptual TCP Layering

WPI EE579T/1 #77

Internet Round Trip Delays

This data is old, but still meaningful if you ignore the absolute values of the delays.

WPI EE579T/1 #78

Delays

• Cannot be avoided or predicted (except statistically)

– Packet delivery times will vary

– Many packets will simply be lost

• So, as a network designer...

– How long do you wait to assume nondelivery?

– How do you slide the window?

– How do you back off on collision detect?

– How do you respond to congestion?

– …etc.
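The first design question, how long to wait before assuming nondelivery, is answered in TCP statistically: the retransmission timer is driven by a smoothed round-trip time and its variance, backed off exponentially after each timeout. The following is an added example implementing the RFC 6298 estimator (it is not code from the slides); the RTT samples are constructed values in seconds.

```python
# Added example (not from the slides): TCP's statistical answer to "how long do you
# wait to assume nondelivery?", the RFC 6298 retransmission timer. The RTT samples
# fed to it below are constructed values, in seconds.

class RtoEstimator:
    """Smoothed RTT / RTT variance estimator with exponential backoff (RFC 6298)."""

    ALPHA = 1 / 8   # weight of a new sample in the smoothed RTT
    BETA = 1 / 4    # weight of a new sample in the RTT variance
    K = 4           # safety margin, in units of RTT variance

    def __init__(self, min_rto=1.0, granularity=0.0):
        self.srtt = None          # smoothed round-trip time
        self.rttvar = None        # smoothed RTT deviation
        self.min_rto = min_rto    # RFC 6298 recommends rounding RTO up to 1 s
        self.g = granularity      # clock granularity of the timer
        self.rto = 1.0            # initial RTO before any sample exists

    def sample(self, r):
        """Feed one RTT measurement and return the new RTO.
        Karn's algorithm: never call this with an RTT measured on a
        retransmitted segment, since it is ambiguous which copy was acked.
        """
        if self.srtt is None:                    # first measurement
            self.srtt = r
            self.rttvar = r / 2
        else:
            self.rttvar = (1 - self.BETA) * self.rttvar + self.BETA * abs(self.srtt - r)
            self.srtt = (1 - self.ALPHA) * self.srtt + self.ALPHA * r
        self.rto = max(self.min_rto, self.srtt + max(self.g, self.K * self.rttvar))
        return self.rto

    def backoff(self):
        """Called when the timer fires: double the wait before retransmitting again."""
        self.rto *= 2
        return self.rto


def rto_trace(rtt_samples, min_rto=0.0):
    """Return the RTO after each sample; min_rto=0 exposes the raw estimate."""
    est = RtoEstimator(min_rto=min_rto)
    return [est.sample(r) for r in rtt_samples]


if __name__ == "__main__":
    # Constructed trace: a stable 100 ms path that suddenly jitters to 300 ms.
    print(rto_trace([0.1, 0.1, 0.1, 0.3, 0.3]))
```

A timer set too short produces spurious retransmissions on a merely slow path; one set too long stalls the stream after a loss, which is why the variance term and the 1 s floor are both part of the standard.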

WPI EE579T/1 #79

Establishing a TCP Session

WPI EE579T/1 #80

Ending a TCP Session

This implies that a TCP session could be left “half open.” That is true.

WPI EE579T/1 #81

TCP State Machine
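The handshake on the "Establishing a TCP Session" slide, the orderly close, and the "half open" session the previous slide mentions are all paths through one transition table. This is an added example of the RFC 793 state machine (not code from the slides); the event names are chosen here, and the labels a connection tracker would assign show that the slide's "half open" session (one side's FIN sent and acknowledged, the peer never closing) is the FIN_WAIT_2 / CLOSE_WAIT pair, which RFC 793 calls half-closed.

```python
# Added example (not from the slides): the RFC 793 connection state table behind the
# "Establishing", "Ending" and "TCP State Machine" slides. Event names are my own.
TRANSITIONS = {
    ("CLOSED", "passive_open"): "LISTEN",
    ("CLOSED", "active_open"): "SYN_SENT",       # send SYN
    ("LISTEN", "rcv_syn"): "SYN_RCVD",           # send SYN+ACK
    ("SYN_SENT", "rcv_syn_ack"): "ESTABLISHED",  # send ACK: handshake complete
    ("SYN_RCVD", "rcv_ack"): "ESTABLISHED",
    ("SYN_RCVD", "rcv_rst"): "LISTEN",           # peer aborted the handshake
    ("ESTABLISHED", "close"): "FIN_WAIT_1",      # send FIN
    ("ESTABLISHED", "rcv_fin"): "CLOSE_WAIT",    # send ACK, our side stays open
    ("FIN_WAIT_1", "rcv_ack"): "FIN_WAIT_2",
    ("FIN_WAIT_1", "rcv_fin"): "CLOSING",        # simultaneous close
    ("FIN_WAIT_1", "rcv_fin_ack"): "TIME_WAIT",
    ("FIN_WAIT_2", "rcv_fin"): "TIME_WAIT",      # send ACK
    ("CLOSE_WAIT", "close"): "LAST_ACK",         # send FIN
    ("CLOSING", "rcv_ack"): "TIME_WAIT",
    ("LAST_ACK", "rcv_ack"): "CLOSED",
    ("TIME_WAIT", "timeout"): "CLOSED",          # after 2 * MSL
}
HALF_OPEN = {"SYN_SENT", "SYN_RCVD"}        # handshake begun, never completed
HALF_CLOSED = {"FIN_WAIT_2", "CLOSE_WAIT"}  # one side finished, the other has not
SIMPLE = {"CLOSED": "closed", "LISTEN": "listening", "ESTABLISHED": "open"}

def step(state, event):
    """Apply one event; an event RFC 793 does not allow in this state is an error."""
    if (state, event) not in TRANSITIONS:
        raise ValueError(f"no transition from {state} on {event}")
    return TRANSITIONS[(state, event)]

def run(state, events):
    for event in events:
        state = step(state, event)
    return state

def classify(state):
    """Label a tracked connection the way a firewall or IDS would report it."""
    if state in HALF_OPEN:
        return "half-open"
    if state in HALF_CLOSED:
        return "half-closed"
    return SIMPLE.get(state, "closing")

def one_sided_close():
    """The slide's 'half open' session: we close, the peer acks but never closes."""
    ours = run("ESTABLISHED", ["close", "rcv_ack"])  # our FIN sent and acknowledged
    peer = run("ESTABLISHED", ["rcv_fin"])           # peer may keep sending to us
    return ours, peer
```

Nothing in the table moves FIN_WAIT_2 or CLOSE_WAIT forward without an action by the peer, so a tracker that wants such sessions to end eventually must add its own idle timeout, just as it must for SYN_RCVD entries whose final ACK never arrives.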

WPI EE579T/1 #82

Other Network Protocols

• NetBIOS

• NetBEUI

• IPX

• X.25

• ATM

• Message: TCP/IP is not the only show in town BUT...it is the most popular show in town

WPI EE579T/1 #83

Network Facts

• Most computers today are connected to a network (consider the Internet), at least for part of the time they are in operation

• Most local networks are internetworked

• How to provide authenticity, integrity, confidentiality, availability?

• Cryptography can help provide all the security services except availability

WPI EE579T/1 #84

Summary

• Networks and internetworking have become ubiquitous

• Networking allows interconnection of computers without much concern for the local OS or machine architecture

• Networking raises many serious security issues, which must be solved for networks to be useful in modern business settings

• The pace of network security problem development far exceeds the pace of their solution

WPI EE579T/1 #85

Assignment for Next Class

• Read Stallings on authentication and PGP

• Review your prior class notes on cryptography

– We will not study cryptography in this course; you are assumed to have a working knowledge of it, both symmetric and asymmetric

– Pay attention to refreshing your memory on digital signatures and certificates

WPI EE579T/1 #86

Homework - 1

1. What is the single greatest advantage of having the IP checksum cover only the datagram header and not the data? What is the disadvantage?

2. Exactly how many class A, B, and C networks can exist? How many hosts can a network in each class have?

WPI EE579T/1 #87

Homework - 2

3. How many IP addresses would be needed to assign a unique network number to every home (not person) in the U.S.A.? Is the address space sufficient? If not, what can be done within the existing IPv4 standard?

4. What is the chief difference between the IP addressing scheme and the North American Numbering Plan used for telephone numbers?

WPI EE579T/1 #88

Homework - 3

5. Complete routing tables for all routers shown on slide 61.

6. Can you think of any security issues, hardware or software, that arise from what you have studied so far?