1. Bishop: Chapter 26 Network Security
- Based on notes by Prashanth Reddy Pasham
2. Outline
- Availability and Network Flooding
3. Introduction
- How to develop a network infrastructure from security requirements?
- Know the security requirements
- These lead to the development of a security policy
- The policy in turn suggests the form of the network
- Network policy -> functionalities
- Distribution of functionalities to various parts of the network -> network diagram
- Functionality of each part -> host configuration
4. Introduction
- Goals of the Drib's security policy
- Data related to company plans is to be kept secret
- Available only to those who need to know
- Customer data should be available only to those who fill the order
- Releasing sensitive data requires the consent of the company's officials and lawyers
- Our goal is to design a network infrastructure that will meet these requirements
5. Policy Development
- Must provide public access to some information
- Limit access to other information, even within the company
- The Drib requires a policy that minimizes the threat of data being leaked to unauthorized entities
6. Policy Development
- The Drib has three internal organizations
- Customer Service Group (CSG)
- Maintains all customer data
- Serves as the interface between the other groups and the clients of the Drib
- Develops, modifies, and maintains products
- Relies on the CSG for descriptions of customer complaints, suggestions, and ideas
- No direct contact with customers
- Handles the Drib's debentures, lawsuits, patents, and other corporate-level work
- The policy describes the way information is to flow among these groups
7. Policy Development
- Includes product specifications, price information, and marketing literature
- Development data for existing products (DDEP)
- Available only internally
- Company lawyers, officers, and developers
- Development data for future products (DDFP)
- Available only to developers
- May change, as may various aspects of development
- Information about corporate functions
8. Policy Development
- See the table on page 776 for user rights
- Availability: global, 24/7
- Does the policy described above meet the goals of the Drib?
9. Network Organization
- Network diagram (figure): Internet; Outer Firewall; Demilitarized Zone (DMZ) with Mail Server, Web Server, DNS Server (DMZ), and Log Server; Inner Firewall; Intranet with Mail Server (internal), DNS Server (internal), Corporate data subnet, Customer data subnet, and Development subnet
10. Network Organization
- Internal Network (Intranet)
- Filtering firewall: based on packet headers
- e.g., preventing BackOrifice
- Proxy firewall: gives an external view that hides the intranet
11. Analysis of Network Infrastructure
- Conceal the addresses of the internal network
- Internal addresses can be real
- Private ("fake") addresses: 10.b.c.d, 172.[16-31].c.d, 192.168.c.d
- Network Address Translation (NAT) maps internal addresses to the assigned address
- Map incoming mail to the real server
- Additional incoming/outgoing checks
12. Firewalls: Configuration
- External source: IP restrictions
- What type of traffic: ports (e.g., SMTP, HTTP)
- Proxy between DMZ servers and the Internet
- Traffic restrictions: ports, from/to IP
- Proxy between intranet and outside
13. In the DMZ
- The DMZ mail proxy performs address and content checking on all electronic mail messages
- When it receives a letter from the Internet, it performs the following steps
- Reassembles the message into a set of headers, a letter, and any attachments
- Scans the letter and attachments for any computer virus or malicious logic
- Restores the attachments for transmission
- Rescans it for any violation of the SMTP specification
- Scans the recipient address lines
- Addresses that directed the mail to the Drib are rewritten to direct the mail to the internal mail server
14. In the DMZ
- When the mail proxy receives an outgoing letter from the internal mail server:
- Steps 1 and 2 are the same
- In step 3 the mail proxy scans the header lines
- All lines that mention internal hosts are rewritten to identify the host as drib.org, the name of the outside firewall
15. In the DMZ
- The DMZ Web server identifies itself as www.drib.org and uses the IP address of the outside firewall
- DMZ mail, Web, and log hosts
- Internal trusted administrative host
16. Availability and Network Flooding
- Overwhelm the TCP stack on the target machine
- Prevents legitimate connections
17. SYN Flood
- The attacker initiates a large number of TCP SYN packets and refuses to complete the third part of the TCP three-way handshake for those packets
- If the packets come from multiple sources (the attacking machines) but have the same destination (the victim machine), this is a DDoS
18. SYN Flood
- A: the initiator; B: the destination
- A TCP connection is set up in multiple steps
- Sequence numbers are then incremented for future messages
- Verifies that the party really initiated the connection
19. SYN Flood
- Implementation: A, the attacker; B, the victim
- All space for connections is allocated
- None is left for legitimate ones
20. Solution Ideas
- Limit connections from one source?
- But the source address is in the packet and can be faked
- Ignore connections from illegitimate sources
- If you know who is legitimate
- And the attacker doesn't know this
- Drop the oldest connection attempts
21. Two Approaches to Counter SYN Flood
- Using intermediate hosts to eliminate SYN flood
- Relying on TCP state and memory allocations
22. A. Intermediate Hosts
- Using routers to divert or eliminate illegitimate traffic
- Resources on the target are not consumed by the attacks
23. A. Intermediate Hosts
- Only legitimate handshakes can reach the firewall
- e.g., Cisco routers' TCP intercept mode
- Network traffic monitor/tracker
- e.g., Synkill [Schuba et al., 1997]
24. A. Intermediate Hosts
- The router establishes the connection to the client
- When connected, it establishes the connection with the server
- If the client never sends the ACK (before timing out), then the initial SYN packet is part of an attack handshake
- The target never sees the illegitimate SYN packets
- The router uses short time-outs to protect itself
25. A. Intermediate Hosts
- An active monitor that analyzes packets being sent to some set of systems (potential victim targets)
- Monitor machine as firewall
- Classification of IP addresses into classes
- Good addresses: history of successful connections
- Bad addresses: previous timed-out attempt
- Block and terminate attempts from bad addresses
- Dynamically managed classes
- Question: What if a "good" IP turns "bad"?
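The address classification of slide 25, written out as an added example (it is not Bishop's or Synkill's code): an active monitor that tracks half-open handshakes, moves sources to the good class on a completed handshake and to the bad class on a timeout, and blocks further SYNs from bad sources. Moving a previously good source to bad when one of its later handshakes times out is this example's answer to the slide's question; the class name, `SYN_TIMEOUT` and the addresses are assumptions.

```python
# Added example: Synkill-style source classification (not the original tool's code).
from dataclasses import dataclass, field

SYN_TIMEOUT = 3.0  # seconds before a half-open handshake counts as timed out (assumption)

@dataclass
class SynMonitor:
    good: set = field(default_factory=set)       # sources with a completed handshake
    bad: set = field(default_factory=set)        # sources whose SYN timed out
    pending: dict = field(default_factory=dict)  # (src, dst, sport, dport) -> SYN time

    def on_syn(self, conn, now):
        """Decide what to do with a SYN; conn[0] is the source IP."""
        if conn[0] in self.bad:
            # block the SYN and tear the attempt down with an RST toward the victim
            return "block+reset"
        self.pending[conn] = now
        return "pass"

    def on_ack(self, conn):
        """Third handshake packet arrived: the source is classified good."""
        if self.pending.pop(conn, None) is None:
            return "ignore"                      # no matching half-open connection
        self.good.add(conn[0])
        self.bad.discard(conn[0])
        return "good"

    def sweep(self, now):
        """Expire half-open handshakes; their sources become bad, even if
        they were good before (a 'good' IP turning 'bad')."""
        turned_bad = []
        for conn, t0 in list(self.pending.items()):
            if now - t0 > SYN_TIMEOUT:
                del self.pending[conn]
                self.good.discard(conn[0])
                self.bad.add(conn[0])
                turned_bad.append(conn[0])
        return turned_bad

def demo():
    m = SynMonitor()
    legit = ("192.0.2.10", "203.0.113.5", 40000, 80)    # constructed addresses
    flood = ("198.51.100.7", "203.0.113.5", 40001, 80)
    m.on_syn(legit, 0.0); m.on_ack(legit)              # completes its handshake
    m.on_syn(flood, 0.0)                               # never sends the ACK
    m.sweep(5.0)                                       # flood source becomes bad
    return m.on_syn(flood, 6.0), "192.0.2.10" in m.good, "198.51.100.7" in m.bad
```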
26. B. TCP State and Memory Allocations
- Problem: the server maintains state
- Don't maintain state on the server; let the client track the state: the SYN cookie approach
- The adaptive time-out approach
27. B. TCP State and Memory Allocations
- The server does not maintain the state of connections
- Q: How does the server know the sequence numbers?
- A: The state is encoded in the server's initial sequence number (sent in the SYN/ACK); the server retrieves this information from the client's ACK packet
28. B. TCP State and Memory Allocations
- The SYN cookie is encoded in the SYN response
- h(source, destination, random) + sequence + time
- See p. 795 for the formula
- The client increments this and ACKs
- The server subtracts h() and time to get the sequence number
- Knows if this is in the valid range
29. B. TCP State and Memory Allocations
- The adaptive time-out approach
- Assumption: there is a fixed amount of space for the state of pending connections
- Varies the time before the time-outs, depending on the amount of space available for new pending connections
- As the amount of available space decreases, so does the amount of time before the system begins to time out connections
30. Summary
- Many issues and techniques in network security
- One or more new courses are needed!