THE NETWORK PROTOCOL STACK REVISITED Network Security Spyridon Dosis
Page 1: The Network Protocol Stack Revisited

THE NETWORK PROTOCOL STACK REVISITED
Network Security

Spyridon Dosis

Page 2: The Network Protocol Stack Revisited

RECAP

Ethernet
TCP/IP
Message Confidentiality
  Symmetric
  Asymmetric
Message Integrity
Digital Certificates – PKI
User/Host Authentication
  Kerberos
  SSL

Page 3: The Network Protocol Stack Revisited

NETWORK SECURITY ⊃ CRYPTOGRAPHY

Protocol Attacks
Device Implementation Attacks
Access Control
Network Security Monitoring

Placement of security services
  At Higher Layers
    Application-oriented protection
    Granular security services
  At Lower Layers
    Transparent to users and applications
    Interoperability / Automation

Page 4: The Network Protocol Stack Revisited

L2 SECURITY

Problem : MAC Spoofing / CAM Flooding

Port Security
  Dynamically or statically learn MAC – switch port mappings
    switchport port-security mac-address 685D.4356.C61A
  Maximum number of MACs per port
  Protect / Restrict / Shutdown
  Port Security Aging
  Sticky Ports
Port Unicast/Multicast Blocking

Page 5: The Network Protocol Stack Revisited

L2 SECURITY

Problem : Large Broadcast Domains / Network Isolation

Virtual LANs (VLANs)
  Logical grouping of ports regardless of physical location
  Static/Dynamic VLAN (VMPS)
  VLAN Trunking/Tagging
    802.1q/ISL protocols
VLAN Hopping
  Switch Spoofing (DTP)
  Double Tagging
  Explicit Configuration

Images taken from B.Hartpence – Packet Guide to Switching and Routing

Page 6: The Network Protocol Stack Revisited

L2 SECURITY

Problem : ARP Spoofing

Static IP-MAC Mappings
ArpWatch
ARP ACLs
Dynamic ARP Inspection
  DHCP snooping
  Rate limiting incoming ARP packets
  Trusted and untrusted ports
  Dropping and logging

Page 7: The Network Protocol Stack Revisited

L2 SECURITY

Port-based Network Access Control IEEE 802.1X
  802.1X Port Access Entity
  (Un-)Authorized Port State
  EAP -> RADIUS
RADIUS is a UDP-based network protocol providing AAA
  RADIUS clients can be VPN servers, 802.1X switches, Network Access Servers etc.
  Support for authentication schemes such as CHAP and EAP, and integration with AD, Kerberos, RDBMS
  Attribute-Value pairs (VSAs also)

Images taken from http://en.wikipedia.org/wiki/IEEE_802.1X
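
The attribute-value pair layout the slide refers to, as an added example that is not part of the slides: a parser and builder for RADIUS attributes, including the Vendor-Specific (type 26) container, together with the Message-Authenticator check (HMAC-MD5 keyed with the shared secret, RFC 2869) that lets a RADIUS client or server reject forged or tampered packets. The packet, the shared secret and the vendor attribute are constructed sample data; the vendor id 9 is used only as an illustrative enterprise number.

```python
# Added example: RADIUS attribute parsing/building and Message-Authenticator
# verification. Sample packet, secret and vendor attribute are constructed.
import hmac
import struct
from typing import Dict, List, Tuple, Union

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port",
              26: "Vendor-Specific", 79: "EAP-Message", 80: "Message-Authenticator"}
HEADER_LEN = 20  # code(1) identifier(1) length(2) authenticator(16)


def build_attr(attr_type: int, value: bytes) -> bytes:
    """Type, Length (covers type+length+value, one byte), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(buf: bytes, base: int = 0) -> List[Tuple[int, bytes, int]]:
    """Return (type, raw value, absolute offset of the attribute) triples."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        t, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError(f"bad length {length} for attribute {t}")
        out.append((t, buf[i + 2:i + length], base + i))
        i += length
    return out


def parse_vsa(value: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Vendor-Specific: 4-byte Vendor-Id, then vendor-type/vendor-length/value."""
    if len(value) < 4:
        raise ValueError("VSA shorter than Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    return vendor_id, [(t, v) for t, v, _ in parse_attrs(value[4:])]


def parse_packet(pkt: bytes) -> Dict[str, Union[str, int, bytes, list]]:
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    # The length field is attacker-controlled: never trust it beyond the buffer.
    if length < HEADER_LEN or length > len(pkt):
        raise ValueError("length field inconsistent with packet")
    attrs = []
    for t, v, _ in parse_attrs(pkt[HEADER_LEN:length], HEADER_LEN):
        name = ATTR_NAMES.get(t, f"Attr-{t}")
        attrs.append((name, parse_vsa(v) if t == 26 else v))
    return {"code": CODES.get(code, code), "id": ident,
            "authenticator": pkt[4:HEADER_LEN], "attrs": attrs}


def build_packet(code: int, ident: int, authenticator: bytes,
                 attrs: List[Tuple[int, bytes]], secret: bytes) -> bytes:
    """Append a Message-Authenticator: HMAC-MD5 over the packet with its value zeroed."""
    body = b"".join(build_attr(t, v) for t, v in attrs) + build_attr(80, bytes(16))
    pkt = struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body
    mac = hmac.new(secret, pkt, "md5").digest()
    return pkt[:-16] + mac


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    length = struct.unpack("!H", pkt[2:4])[0]
    for t, v, off in parse_attrs(pkt[HEADER_LEN:length], HEADER_LEN):
        if t == 80 and len(v) == 16:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:length]
            expected = hmac.new(secret, zeroed, "md5").digest()
            return hmac.compare_digest(expected, v)
    return False  # a missing Message-Authenticator is treated as a failure


# Constructed sample Access-Request with a vendor attribute (illustrative vendor id 9).
SECRET = b"constructed-shared-secret"
SAMPLE = build_packet(1, 7, bytes(range(16)), [
    (1, b"alice"),
    (4, bytes([192, 0, 2, 1])),
    (5, struct.pack("!I", 7)),
    (26, struct.pack("!I", 9) + build_attr(1, b"shell:priv-lvl=15")),
], SECRET)

if __name__ == "__main__":
    print(parse_packet(SAMPLE))
    print(verify_message_authenticator(SAMPLE, SECRET))
```

The length checks in `parse_attrs` and `parse_packet` are where real RADIUS parsers have historically gone wrong; the Message-Authenticator check is what ties the attribute list to the shared secret, which the packet's own Request Authenticator does not do for an Access-Request.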

Page 8: The Network Protocol Stack Revisited

L3 SECURITY

Problem : IP Spoofing
  IP Spoofing is not used to hide your IP
  IP Spoofing is “mostly” a “blind” attack
  MitM attacks
  DoS attacks
  Email Spam
  IP address authentication (rlogin, rsh etc.)
  Source routing
RFC 2827 – Defeating DoS Attacks which employ IP Source Address Spoofing (Egress Filtering)
Blackhole Filtering
Network Scanning with Decoys
DHCP Snooping
TCP has an implicit defense mechanism

Page 9: The Network Protocol Stack Revisited

L3 SECURITY

Problem : Predictable IP ID value
  The IP header contains a “fragment identification” number, used to reassemble the fragments of a packet.
  Many OSes increment it sequentially
  The difference in IP ID between two probes reveals the number of packets sent in between
Idlescan
Traffic Analysis
OS Detection
Peer-specific IP IDs
Zero IP ID when DF

Images taken from http://en.wikipedia.org/wiki/Idle_scan

Page 10: The Network Protocol Stack Revisited

L3 SECURITY

Problem : IP Fragmentation Handling
  Fragment Reassembly Timeout
  Overlapping Fragments (Duplicate Fragments)
  Overlapping Fragments (Malformed offsets)
    Teardrop Attack

Image taken from http://jdecool.free.fr/modules.php?name=News&file=read_article&sid=34&mode=thread&order=0&thold=0
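
The three handling rules on this slide, as an added example (not code from the slides): a defensive IPv4 fragment reassembler that expires incomplete datagrams after a reassembly timeout, refuses overlapping fragments (a duplicate fragment is the fully overlapping case), and refuses malformed offsets that would push the datagram past 65535 bytes, the teardrop-style case, logging each drop. The timeout value, the fragments and the timestamps are constructed assumptions.

```python
# Added example: a fragment reassembler that rejects overlaps, malformed offsets
# and stale buffers instead of trying to repair them. All inputs are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_DATAGRAM = 65535
REASSEMBLY_TIMEOUT = 30.0   # seconds; assumed value, tune per platform


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP Identification shared by all fragments of one datagram
    offset: int     # fragment offset in bytes (header value * 8)
    more: bool      # MF flag: another fragment follows
    payload: bytes


@dataclass
class _Pending:
    first_seen: float
    pieces: List[Tuple[int, bytes]] = field(default_factory=list)
    total_len: Optional[int] = None   # known once the fragment with MF=0 arrives


class Reassembler:
    def __init__(self) -> None:
        self.pending: Dict[int, _Pending] = {}
        self.log: List[str] = []

    def _drop(self, ident: int, reason: str) -> None:
        self.pending.pop(ident, None)
        self.log.append(f"id={ident} dropped: {reason}")
        return None

    def add(self, frag: Fragment, now: float) -> Optional[bytes]:
        """Feed one fragment; return the reassembled payload when complete, else None."""
        buf = self.pending.setdefault(frag.ident, _Pending(first_seen=now))
        if now - buf.first_seen > REASSEMBLY_TIMEOUT:
            return self._drop(frag.ident, "reassembly timeout")
        end = frag.offset + len(frag.payload)
        if frag.offset % 8 or end > MAX_DATAGRAM:
            return self._drop(frag.ident, f"malformed offset {frag.offset} (end {end})")
        if buf.total_len is not None and end > buf.total_len:
            return self._drop(frag.ident, "fragment beyond final length")
        if not frag.more and buf.total_len is not None and end != buf.total_len:
            return self._drop(frag.ident, "conflicting final fragment")
        for off, data in buf.pieces:
            if frag.offset < off + len(data) and off < end:   # any byte in common
                return self._drop(frag.ident, f"overlap at offset {frag.offset}")
        buf.pieces.append((frag.offset, frag.payload))
        if not frag.more:
            buf.total_len = end
        # No overlaps are stored, so equal coverage means no gaps remain.
        if buf.total_len is not None and sum(len(d) for _, d in buf.pieces) == buf.total_len:
            datagram = b"".join(d for _, d in sorted(buf.pieces))
            del self.pending[frag.ident]
            return datagram
        return None


if __name__ == "__main__":
    r = Reassembler()
    r.add(Fragment(1, 0, True, b"A" * 16), 0.0)
    print(r.add(Fragment(1, 16, False, b"B" * 8), 0.1))   # complete datagram
    r.add(Fragment(2, 0, True, b"A" * 16), 0.0)
    r.add(Fragment(2, 8, False, b"B" * 16), 0.1)           # overlap, dropped
    print(r.log)
```

Refusing overlaps outright is the conservative choice for an inspection device: the end host's reassembly policy (first or last fragment wins) varies by OS, and that ambiguity is exactly what overlapping-fragment evasion exploits.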

Page 11: The Network Protocol Stack Revisited

L3 SECURITY

Problem : IP TTL Handling
  Knowledge of the topology (“traceroute”)
  Snort’s min_ttl configuration option

Image taken from http://jdecool.free.fr/modules.php?name=News&file=read_article&sid=34&mode=thread&order=0&thold=0

Page 12: The Network Protocol Stack Revisited

L3 SECURITY

Problem : ICMP Protocol Misuse
  ICMP Sweep
  ICMP Tunneling
    Loki
  OS Fingerprinting
  ICMP Redirect Attacks
  Ping of Death
  Ping Flood
  Smurf Attack
  ICMP Nuke Attack

Page 13: The Network Protocol Stack Revisited

L3 SECURITY

Problem : Traffic Flow Control
Standard Access Control Lists
  Filtering based on source IP address
Extended Access Control Lists
  Filtering based on source and destination IP addresses, port numbers, upper-layer protocols
Implied deny for traffic not explicitly permitted
Time-based Access Control Lists
Reflexive Access Control Lists
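
The ACL behaviour on this slide and the RFC 2827 egress filtering from the IP spoofing slide, as one added example (not code from the slides): a small Cisco-style ACL evaluator in which a standard ACL matches on source address only, an extended ACL also matches destination, protocol and port, entries are tried in order with first match winning, and a packet matching no entry hits the implied deny. The prefixes and packets are constructed from documentation ranges.

```python
# Added example: standard vs extended ACL evaluation with first-match semantics
# and the implied deny. Addresses below are constructed (RFC 5737 / RFC 1918).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip", "tcp", "udp", "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    src: str                     # CIDR or "any"
    dst: str = "any"             # CIDR or "any"; ignored by a standard ACL
    proto: str = "ip"            # "ip" matches every protocol
    dport: Optional[int] = None  # None matches any port


def _in_prefix(addr: str, prefix: str) -> bool:
    return prefix == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def _matches(e: Entry, p: Packet, extended: bool) -> bool:
    if not _in_prefix(p.src, e.src):
        return False
    if not extended:
        return True              # standard ACL: source address only
    return (_in_prefix(p.dst, e.dst)
            and (e.proto == "ip" or e.proto == p.proto)
            and (e.dport is None or e.dport == p.dport))


class ACL:
    def __init__(self, entries: List[Entry], extended: bool):
        self.entries, self.extended = entries, extended

    def evaluate(self, p: Packet) -> str:
        """First matching entry wins; a packet matching no entry hits the implied deny."""
        for e in self.entries:
            if _matches(e, p, self.extended):
                return e.action
        return "deny"


# RFC 2827 egress filter as a standard ACL applied outbound on the border router:
# only packets sourced from the site's own allocated prefix may leave.
EGRESS_2827 = ACL([Entry("permit", "203.0.113.0/24")], extended=False)

# Extended ACL applied inbound: an RFC 1918 source at the border is spoofed and
# denied first; web traffic to the DMZ host is permitted; everything else,
# including SSH to that host, falls through to the implied deny.
INBOUND = ACL([
    Entry("deny", "10.0.0.0/8"),
    Entry("permit", "any", "203.0.113.10/32", "tcp", 80),
    Entry("permit", "any", "203.0.113.10/32", "tcp", 443),
], extended=True)


def check_egress(src: str) -> str:
    return EGRESS_2827.evaluate(Packet(src, "198.51.100.1"))


def check_inbound(src: str, dst: str, proto: str, dport: Optional[int]) -> str:
    return INBOUND.evaluate(Packet(src, dst, proto, dport))


if __name__ == "__main__":
    print(check_egress("203.0.113.7"), check_egress("192.0.2.9"))
    print(check_inbound("198.51.100.5", "203.0.113.10", "tcp", 443))
    print(check_inbound("198.51.100.5", "203.0.113.10", "tcp", 22))
```

Entry order matters: had the private-source deny been placed after the web permits, a spoofed 10.0.0.0/8 packet to port 80 would have been permitted by the earlier match.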

Page 14: The Network Protocol Stack Revisited

L3 SECURITY

Problem : IP Address Conservation, Private Networks

Private IP Address Spaces (e.g. 192.168.0.0/16)

Network Address Translation
  translates the private addresses in the internal network into legal addresses forwarded to other networks
  Static / Dynamic NAT
  1:1, n:1, n:m (PAT)

Image taken from http://www.blindhog.net/cisco-how-to-configure-nat-overload-pat/

Page 15: The Network Protocol Stack Revisited

L3 SECURITY

PAT

Image taken from http://technet.microsoft.com/en-us/library/cc756722(v=ws.10).aspx

Page 16: The Network Protocol Stack Revisited

L3 SECURITY

NAT Port Forwarding / Mapping
  Packets received at a specific port on the external link of the NAT gateway are forwarded to a particular port of a specific machine on the internal network

Image taken from http://www.simongoodier.com/home/smtp/smtp-firewall-ports-and-nat/
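
The translation behaviours of the last three slides (1:1 static NAT, n:1 PAT, and a port-forwarding entry), as an added example that is not code from the slides: a minimal translation table in which outbound flows receive a fresh public port, and inbound packets are accepted only when they match an existing translation, a static 1:1 mapping or a configured port mapping, which is why unsolicited inbound traffic is dropped at the gateway. All addresses are constructed documentation ranges.

```python
# Added example: PAT (n:1 overload) with a static 1:1 mapping and a port
# forward. Addresses are constructed (RFC 5737 public, RFC 1918 private).
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int]   # (ip, port)


class NatGateway:
    def __init__(self, public_ip: str, static: Optional[Dict[str, str]] = None,
                 first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.static_out: Dict[str, str] = dict(static or {})   # private ip -> dedicated public ip
        self.static_in = {pub: priv for priv, pub in self.static_out.items()}
        self.out: Dict[Flow, int] = {}      # (private ip, port) -> public port
        self.back: Dict[int, Flow] = {}     # public port -> (private ip, port)
        self.forwards: Dict[int, Flow] = {} # public port -> internal (ip, port)

    def add_forward(self, public_port: int, internal: Flow) -> None:
        """Port forwarding: inbound on public_port is always sent to `internal`."""
        self.forwards[public_port] = internal

    def translate_outbound(self, src: Flow) -> Flow:
        """Rewrite the source of an outgoing packet; creates a PAT entry on first use."""
        ip, port = src
        if ip in self.static_out:            # 1:1 static NAT keeps the port
            return (self.static_out[ip], port)
        if src not in self.out:
            while self.next_port in self.back or self.next_port in self.forwards:
                self.next_port += 1
            self.out[src] = self.next_port
            self.back[self.next_port] = src
            self.next_port += 1
        return (self.public_ip, self.out[src])

    def translate_inbound(self, dst: Flow) -> Optional[Flow]:
        """Rewrite the destination of an incoming packet; None means drop (unsolicited)."""
        ip, port = dst
        if ip in self.static_in:
            return (self.static_in[ip], port)
        if ip != self.public_ip:
            return None
        if port in self.forwards:
            return self.forwards[port]
        return self.back.get(port)


if __name__ == "__main__":
    gw = NatGateway("198.51.100.1", static={"192.168.1.50": "198.51.100.2"})
    gw.add_forward(25, ("192.168.1.10", 25))
    print(gw.translate_outbound(("192.168.1.20", 51000)))   # ('198.51.100.1', 40000)
    print(gw.translate_inbound(("198.51.100.1", 25)))       # ('192.168.1.10', 25)
    print(gw.translate_inbound(("198.51.100.1", 9999)))     # None: dropped
```

A real gateway also ages entries out and tracks TCP state; the table above is enough to see why PAT hides internal hosts from unsolicited connections while a port forward deliberately re-exposes one port of one host.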

Page 17: The Network Protocol Stack Revisited

L4 SECURITY

Problem : TCP Handshake Misuse
  SYN Flood
  SYN Scan
  Other variations
    Connect Scan
    FIN Scan
    XMAS Scan
    ACK Scan
    Window
    Maimon

Page 18: The Network Protocol Stack Revisited

L4 SECURITY

Problem : TCP Session Hijacking
  Sequence Number Prediction
  Initial Sequence Number Prediction
  TCP Reset
  Randomness of ISNs
  ISN rate of change

Image taken from http://www.techrust.info/2012/01/simple-tcp-spoofing-attack.html
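
The predictability problems of the IP ID slide and of this ISN slide, as one added example (not code from the slides): an audit helper for your own hosts that, given the values a host placed in the field across consecutive probes, classifies the generator from the deltas, computes how many packets an idle host sent between two probes (the leak Idlescan relies on, and the reason a sequential generator is worth fixing), and estimates an ISN clock's rate of change. The sample values are constructed; the step threshold is an assumption.

```python
# Added example: delta analysis of IP ID (16-bit) and TCP ISN (32-bit)
# samples captured from a host. Sample values are constructed.
from typing import List, Sequence


def deltas(values: Sequence[int], bits: int) -> List[int]:
    """Forward differences modulo the field width (16 for IP ID, 32 for ISN)."""
    mod = 1 << bits
    return [(b - a) % mod for a, b in zip(values, values[1:])]


def classify(values: Sequence[int], bits: int, max_step: int = 16) -> str:
    """'zero' / 'sequential' / 'random-looking', judged from consecutive deltas."""
    if len(values) < 3:
        raise ValueError("need at least three samples")
    if all(v == 0 for v in values):
        return "zero"            # e.g. IP ID left at 0 when DF is set
    d = deltas(values, bits)
    if all(0 < x <= max_step for x in d):
        return "sequential"      # small positive steps: one global counter
    return "random-looking"


def packets_between(id_before: int, id_after: int, bits: int = 16) -> int:
    """For a sequential generator: packets the host sent between two probes.
    The reply to the second probe itself accounts for one increment."""
    return (id_after - id_before) % (1 << bits) - 1


def isn_rate(isns: Sequence[int], times: Sequence[float]) -> float:
    """Mean ISN increase per second, 32-bit wrap handled: the 'rate of change'."""
    d = deltas(isns, 32)
    dt = [t2 - t1 for t1, t2 in zip(times, times[1:])]
    return sum(d) / sum(dt)


def audit(ip_ids: Sequence[int], isns: Sequence[int], times: Sequence[float]) -> dict:
    """Summarise one host's behaviour for both fields."""
    return {
        "ip_id": classify(ip_ids, 16),
        "isn": classify(isns, 32),
        "isn_rate_per_s": isn_rate(isns, times),
    }


if __name__ == "__main__":
    print(audit([1000, 1001, 1002, 1003], [0, 250000, 500000, 750000], [0, 1, 2, 3]))
    print(packets_between(1000, 1005))   # 4
```

A host whose IP ID reads "sequential" here is usable as an Idlescan zombie and leaks its traffic volume to anyone who can reach it; an ISN clock with a fixed, low rate is what makes the initial sequence number guessable for the hijacking cases above.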

Page 19: The Network Protocol Stack Revisited

L7 SECURITY

Problem : DHCP Protocol Misuse
  DHCP Starvation Attack
    Port Security
  DHCP Rogue Server
    Untrusted Switch Ports
  Client Hardware Address (CHADDR)
  DHCP Snooping
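
The defences of the ARP spoofing slide and of this DHCP slide modelled together, as an added example that is not code from the slides: DHCP snooping accepts server messages (OFFER/ACK) only on trusted ports, caps the number of client hardware addresses (CHADDR) an untrusted port may introduce so that a starvation attempt stalls, and records IP-MAC-port bindings from ACKs; Dynamic ARP Inspection then validates ARP on untrusted ports against those bindings, rate-limits ARP per port, and drops and logs the rest. Port names, MAC addresses, IP addresses and the traffic are constructed.

```python
# Added example: DHCP snooping binding table plus Dynamic ARP Inspection on a
# model switch. Ports, addresses and messages are constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Dhcp:
    port: str
    msg: str          # DISCOVER, REQUEST, OFFER, ACK
    chaddr: str       # client hardware address carried in the DHCP payload
    yiaddr: str = ""  # address assigned (server messages only)


@dataclass(frozen=True)
class Arp:
    port: str
    sender_mac: str
    sender_ip: str
    ts: float


class Switch:
    SERVER_MSGS = {"OFFER", "ACK"}

    def __init__(self, trusted: Set[str], max_chaddr_per_port: int = 3,
                 arp_per_second: int = 15):
        self.trusted = trusted
        self.max_chaddr = max_chaddr_per_port
        self.arp_limit = arp_per_second
        self.bindings: Dict[str, Tuple[str, str]] = {}        # ip -> (mac, port)
        self.pending: Dict[str, str] = {}                     # chaddr -> client port
        self.chaddrs: Dict[str, Set[str]] = defaultdict(set)  # port -> CHADDRs seen
        self.arp_times: Dict[str, List[float]] = defaultdict(list)
        self.log: List[str] = []

    def _deny(self, why: str) -> bool:
        self.log.append(why)
        return False

    def dhcp(self, p: Dhcp) -> bool:
        """DHCP snooping: True if the message is forwarded, False if dropped."""
        if p.msg in self.SERVER_MSGS:
            if p.port not in self.trusted:
                return self._deny(f"rogue DHCP {p.msg} on untrusted {p.port}")
            if p.msg == "ACK" and p.chaddr in self.pending:
                self.bindings[p.yiaddr] = (p.chaddr, self.pending.pop(p.chaddr))
            return True
        if p.port not in self.trusted:
            seen = self.chaddrs[p.port]
            if p.chaddr not in seen and len(seen) >= self.max_chaddr:
                return self._deny(f"starvation: CHADDR cap reached on {p.port}")
            seen.add(p.chaddr)
        self.pending[p.chaddr] = p.port
        return True

    def arp(self, a: Arp) -> bool:
        """Dynamic ARP Inspection: rate limit, then check the binding table."""
        if a.port in self.trusted:
            return True
        recent = [t for t in self.arp_times[a.port] if a.ts - t < 1.0] + [a.ts]
        self.arp_times[a.port] = recent
        if len(recent) > self.arp_limit:
            return self._deny(f"ARP rate limit exceeded on {a.port}")
        if self.bindings.get(a.sender_ip) != (a.sender_mac, a.port):
            return self._deny(f"ARP spoof: {a.sender_ip} claimed by {a.sender_mac} on {a.port}")
        return True


if __name__ == "__main__":
    sw = Switch(trusted={"Gi0/1"})
    sw.dhcp(Dhcp("Gi0/2", "DISCOVER", "aa:aa:aa:aa:aa:01"))
    sw.dhcp(Dhcp("Gi0/3", "OFFER", "aa:aa:aa:aa:aa:01", "10.0.0.50"))   # rogue, dropped
    sw.dhcp(Dhcp("Gi0/1", "ACK", "aa:aa:aa:aa:aa:01", "10.0.0.50"))
    sw.arp(Arp("Gi0/3", "bb:bb:bb:bb:bb:02", "10.0.0.50", 1.0))         # spoof, dropped
    print(sw.bindings, sw.log)
```

Because the binding table is built from DHCP ACKs rather than from what hosts claim in ARP, an untrusted port can only ever answer ARP for the address the DHCP server actually gave it; the CHADDR cap is what port security alone misses when a starvation tool keeps the Ethernet source MAC constant and only varies the CHADDR inside the DHCP payload.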

Page 20: The Network Protocol Stack Revisited

DNS PROTOCOL

Distributed
Hierarchical
TLDs – ccTLDs
Recursive Queries
Iterative Queries
Record Types
  A, NS, CNAME, SRV, MX …
Question ID
Bailiwick Checking

Image taken from http://davidwills.net/cmit265/tcpip.html

Page 21: The Network Protocol Stack Revisited

L7 SECURITY

Problem : DNS Protocol Misuse
  DNS Blocking (DNS-based Blackhole List / Wikipedia against PIPA)
  DNS Spoofing / DNS Pharming
  DNS ID Hacking
    Random Guessing
    Sequential values
  DNS Kaminsky Cache Poisoning
    Spoof NS entry of target domain to attacker’s IP
    Query : www.example.com (Attacker)
    Answer :
      example.com. 86400 IN NS www.example.com.
      www.example.com. 604800 IN A 10.10.10.20
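
The resolver-side checks behind "Question ID" and "Bailiwick Checking" on the DNS slide, applied to the ID hacking and Kaminsky cases above, as an added example that is not code from the slides. A response is accepted only if its question ID and question section match the outstanding query, and records are cached only when they lie inside the bailiwick of the zone the queried server is authoritative for. The forged answer from the slide is reproduced as constructed data; note that it is in-bailiwick for example.com, so the bailiwick check alone would accept it, and what defeats it is an unguessable question ID (plus source-port randomization, which this model does not cover).

```python
# Added example: question-ID, question-section and bailiwick validation of a
# DNS response. Records and IDs are constructed; FORGED reproduces the slide.
import secrets
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    data: str
    ttl: int


@dataclass
class Message:
    txid: int
    qname: str
    records: List[RR] = field(default_factory=list)   # answer + authority + additional


def new_txid() -> int:
    """Random 16-bit question ID; sequential IDs are what 'DNS ID hacking' guesses."""
    return secrets.randbelow(1 << 16)


def in_bailiwick(name: str, zone: str) -> bool:
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def validate(query: Message, resp: Message, server_zone: str) -> Tuple[bool, List[RR], List[str]]:
    """Return (accepted, records safe to cache, notes). server_zone is the zone
    the server we sent the query to is authoritative for."""
    if resp.txid != query.txid:
        return False, [], ["question ID mismatch: response discarded"]
    if resp.qname.lower().rstrip(".") != query.qname.lower().rstrip("."):
        return False, [], ["question section mismatch: response discarded"]
    kept, notes = [], []
    for rr in resp.records:
        if in_bailiwick(rr.name, server_zone):
            kept.append(rr)
        else:
            notes.append(f"out-of-bailiwick {rr.rtype} for {rr.name} ignored")
    return True, kept, notes


# The forged answer shown on the slide, as constructed data.
FORGED = [RR("example.com.", "NS", "www.example.com.", 86400),
          RR("www.example.com.", "A", "10.10.10.20", 604800)]

if __name__ == "__main__":
    q = Message(new_txid(), "www.example.com")
    # A forger who guesses the ID wrong is discarded outright.
    print(validate(q, Message((q.txid + 1) & 0xFFFF, q.qname, FORGED), "example.com"))
    # The same records with the right ID pass the bailiwick check: only the
    # ID (and source port) entropy protects the cache in the Kaminsky case.
    print(validate(q, Message(q.txid, q.qname, FORGED), "example.com"))
```

With a 16-bit random ID a forger has one chance in 65536 per spoofed packet; with the sequential IDs the slide lists under "DNS ID Hacking" the check degenerates to a single guess, which is why resolvers added source-port randomization on top.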

Page 22: The Network Protocol Stack Revisited

L7 SECURITY

DNS Amplification Attack

Image taken from http://securitytnt.com/dns-amplification-attack/

Page 23: The Network Protocol Stack Revisited

L7 SECURITY

Problem : Exploiting the DNS TTL value
  Fast Flux Networks
  Round-robin IP addresses + Short TTL values + Proxy redirection = Hard to detect

Image taken from http://www.honeynet.org/papers/ff/
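
A detector for the fast-flux pattern this slide describes, as an added example that is not code from the slides. Repeated lookups of one name are summarised by the number of distinct addresses, the number of distinct /16 networks they fall in (used here as a rough stand-in for ASN diversity, an assumption), the smallest TTL seen and how often the answer set changed; a name is flagged only when TTLs are short and the addresses keep changing across unrelated networks, which separates it from an ordinary CDN that also uses short TTLs. Thresholds are assumptions and the observations are constructed, using 10.0.0.0/8 as placeholder address space.

```python
# Added example: fast-flux scoring over repeated A-record lookups.
# Lookups, addresses and thresholds are constructed assumptions.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Lookup:
    ts: float                 # when the query was made
    ttl: int                  # TTL of the A records returned
    addrs: Tuple[str, ...]    # A records returned (the round-robin set)


def summarize(lookups: List[Lookup]) -> Dict[str, float]:
    addrs = {a for lk in lookups for a in lk.addrs}
    nets = {str(ipaddress.ip_network(f"{a}/16", strict=False)) for a in addrs}
    changes = sum(1 for a, b in zip(lookups, lookups[1:]) if set(a.addrs) != set(b.addrs))
    return {"unique_addrs": len(addrs), "unique_nets": len(nets),
            "min_ttl": min(lk.ttl for lk in lookups),
            "answer_changes": changes, "lookups": len(lookups)}


def is_fast_flux(lookups: List[Lookup], max_ttl: int = 300,
                 min_addrs: int = 10, min_nets: int = 5) -> bool:
    """Short TTL alone is not enough: require address churn across many networks."""
    s = summarize(lookups)
    return (s["min_ttl"] <= max_ttl and s["unique_addrs"] >= min_addrs
            and s["unique_nets"] >= min_nets and s["answer_changes"] >= 1)


# Constructed observations: a fluxing name rotates five addresses from five
# different /16s on every lookup; a static name and a CDN-like name do not.
FLUX = [Lookup(t * 60.0, 180, tuple(f"10.{t * 5 + i}.{i}.{t + 1}" for i in range(5)))
        for t in range(3)]
STABLE = [Lookup(t * 60.0, 86400, ("10.20.30.40",)) for t in range(3)]
CDN_LIKE = [Lookup(0.0, 60, ("10.50.0.1", "10.50.0.2")),
            Lookup(60.0, 60, ("10.50.0.3", "10.50.0.4")),
            Lookup(120.0, 60, ("10.50.0.1", "10.50.0.4"))]

if __name__ == "__main__":
    for name, obs in (("flux", FLUX), ("stable", STABLE), ("cdn", CDN_LIKE)):
        print(name, summarize(obs), is_fast_flux(obs))
```

In production the /16 heuristic should be replaced by a real ASN lookup, and the observation window should span hours rather than minutes, since the slide's point is that the low TTL forces resolvers to keep re-asking and the answers drift over time.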

Page 24: The Network Protocol Stack Revisited

L7 SECURITY

Problem : Secure Email Communication
  SMTP / POP / IMAP
    No inherent support for confidentiality / integrity / authentication / non-repudiation
  First proposal – Privacy Enhanced Mail (PEM)
    MIC-CLEAR
    MIC-ONLY
    ENCRYPTED
    Assumed a single root PKI that never really happened.

Page 25: The Network Protocol Stack Revisited

L7 SECURITY

S/MIME (Secure Multipurpose Internet Mail Extensions)
  Uses the Cryptographic Message Syntax (similar to PKCS#7)
  Combines MIME support for non-text (e.g. binary) data and multi-part e-mails with encrypted/signed message formatting
  Separate keys for encryption and signing (key escrow and non-repudiation)
  S/MIME and web-mail clients

Page 26: The Network Protocol Stack Revisited

L7 SECURITY

PGP – Pretty Good Privacy
  OpenPGP (RFC 4880)
  GnuPG (and various graphical clients or plugins)
  Web of Trust
    Key trust levels
      Complete
      Marginal
      Untrusted
    Trust signatures

Image taken from http://support.gpgtools.org
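
The web-of-trust validity computation behind the trust levels on this slide, as an added example that is not code from the slides. It follows the shape of GnuPG's classic trust model with what I assume to be its default parameters: a key becomes valid when it carries a certification from one fully trusted valid key or from three marginally trusted valid keys, and certification chains are walked no deeper than five steps. The keys, owner-trust assignments and signatures are a constructed example.

```python
# Added example: key validity from owner trust and certifications, in the
# style of GnuPG's classic trust model (parameters assumed). Data is constructed.
from typing import Dict, List, Tuple

COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_CERT_DEPTH = 1, 3, 5


def compute_validity(own_key: str, owner_trust: Dict[str, str],
                     signatures: List[Tuple[str, str]]) -> Dict[str, int]:
    """Return {valid key: certification depth}. own_key is ultimately trusted.
    owner_trust maps key -> 'complete' | 'marginal' | 'untrusted';
    signatures are (signer, signed_key) certifications."""
    valid = {own_key: 0}
    changed = True
    while changed:                       # iterate to a fixpoint; validity only grows
        changed = False
        for key in {signed for _, signed in signatures}:
            if key in valid:
                continue
            complete, marginal, depths = 0, 0, []
            for signer, signed in signatures:
                # Only valid keys within the depth limit may certify.
                if signed != key or signer not in valid or valid[signer] + 1 > MAX_CERT_DEPTH:
                    continue
                trust = "complete" if signer == own_key else owner_trust.get(signer, "untrusted")
                if trust == "complete":
                    complete += 1
                elif trust == "marginal":
                    marginal += 1
                else:
                    continue                # untrusted: the signature carries no weight
                depths.append(valid[signer] + 1)
            if complete >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid[key] = min(depths)
                changed = True
    return valid


# Constructed keyring: alice is the user's own key.
OWNER_TRUST = {"bob": "complete", "carol": "marginal", "dave": "marginal",
               "erin": "marginal", "mallory": "untrusted"}
SIGNATURES = [
    ("alice", "bob"), ("alice", "carol"), ("alice", "dave"), ("alice", "erin"),
    ("alice", "mallory"),
    ("bob", "frank"),                                        # one complete signer
    ("carol", "grace"), ("dave", "grace"), ("erin", "grace"),  # three marginal signers
    ("carol", "heidi"), ("dave", "heidi"),                   # only two marginal signers
    ("mallory", "ivan"),                                     # untrusted signer
]

if __name__ == "__main__":
    print(compute_validity("alice", OWNER_TRUST, SIGNATURES))
```

Two things the output makes visible: a key can be valid (mallory's, because alice signed it) while its owner's certifications count for nothing, which is exactly the distinction between validity and owner trust; and heidi's key stays invalid with two marginal signatures, so "marginal" really does mean that several independent introducers are needed.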

Page 27: The Network Protocol Stack Revisited

L7 SECURITY

STARTTLS
  Extension to plain-text protocols
  Support for IMAP / POP3 / SMTP / XMPP / LDAP / NNTP
FTPS
  Explicit – Implicit Mode
SSH – Secure Shell
  Public-Key Cryptography
  More secure option than telnet, rlogin, rsh
  SFTP / SCP

Page 28: The Network Protocol Stack Revisited

PROTOCOL TUNNELING

A delivery protocol encapsulates a payload protocol that operates at the same or higher layer.

Can be used to bypass network traffic access lists, authentication mechanisms, sniffing

Page 29: The Network Protocol Stack Revisited

PROTOCOL TUNNELING - SSH

Encrypted tunnel between two hosts
HTTP/SMTP/FTP etc. over SSH
Local Port Forwarding
  ssh [email protected] -L 25000:www.google.com:80
  http://localhost:25000

Page 30: The Network Protocol Stack Revisited

PROTOCOL TUNNELING - SSH

Remote Port Forwarding
  ssh [email protected] -R 10000:192.168.1.10:25
Dynamic Port Forwarding
  Send data to one or multiple destination servers via the SSH server
  SSH server acts as a SOCKS proxy server
  ssh -D 10000 [email protected]
  In the case of HTTP use, DNS requests are still submitted in the clear. Solution: forward DNS requests to the SSH server as well.

Page 31: The Network Protocol Stack Revisited

PROTOCOL TUNNELING – HTTP(S)

Network security policies commonly permit outgoing TCP 80 (HTTP) and 443 (HTTPS)

HTTP proxies (Squid) may use ACLs disallowing specific sites

Public HTTP Proxy (Apache mod_proxy)

Page 32: The Network Protocol Stack Revisited

PROTOCOL TUNNELING – HTTP(S)

An example of HTTP tunneling

Page 33: The Network Protocol Stack Revisited

PROTOCOL TUNNELING – DNS

Captive Portals
  A transparent proxy forces an HTTP client to authenticate first (payment, acceptable use policy)
  The DNS server must, though, be accessible by unauthenticated users and may allow unrestricted DNS resolution
  DNS tunnel server acting as authoritative for a sub-domain

Page 34: The Network Protocol Stack Revisited

PROTOCOL TUNNELING - DNS

Query similar to zi05aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ.home.inbroker.ax.lt

Page 35: The Network Protocol Stack Revisited

BOTNETS

A large set of compromised systems controlled by a bot-master

System compromise via malware distribution channels

Part of large-scale DDoS attacks or spam distribution

Command and control architectures
  IRC-based
  HTTP(S)-based
  P2P-based

Page 36: The Network Protocol Stack Revisited

HONEYPOTS

A computing resource whose purpose is to be probed, attacked, or accessed in any possible unauthorized manner.

Attack monitoring and analysis purposes
Server-side and client-side honeypots
High-interaction and low-interaction honeypots
Physical and virtual honeypots
Web application / SSH / VoIP / USB / Bluetooth / generic honeypots

Page 37: The Network Protocol Stack Revisited

Q&A