程序代写代做代考 database FTP ER algorithm dns 8-1

8-1

Network Security

All material copyright 1996-2012
J.F Kurose and K.W. Ross, All Rights Reserved

George Parisis
School of Engineering and Informatics

University of Sussex

8-2 Network Security

Network Security

v  What is network security?
v  Principles of cryptography
v  Message integrity, authentication
v  Securing e-mail
v  Securing TCP connections: SSL
v  Network layer security: IPsec
v  Operational security: firewalls and IDS

8-3 Network Security

What is network-layer confidentiality ?

between two network entities:
v  sending entity encrypts datagram payload,

payload could be:
§  TCP or UDP segment, ICMP message, OSPF

message ….
v  all data sent from one entity to other would be

hidden:
§  web pages, e-mail, P2P file transfers, TCP SYN

packets …
v  “blanket coverage”

8-4 Network Security

Virtual Private Networks (VPNs)

motivation:
v institutions often want private networks for
security.

§  costly: separate routers, links, DNS infrastructure.
v VPN: institution’s inter-office traffic is sent over
public Internet instead

§  encrypted before entering public Internet
§  logically separate from other traffic

8-5 Network Security

IP
header

IPsec
header

Secure payload

IP

he
ad

er

IP
se

c
he

ad
er

S

ec
ur

e
pa

yl
oa

d

headquarters
branch office

salesperson
in hotel

laptop
w/ IPsec

router w/
IPv4 and IPsec

router w/
IPv4 and IPsec

public
Internet

Virtual Private Networks (VPNs)

8-6 Network Security

Two IPsec protocols

v  Authentication Header (AH) protocol
§  provides source authentication & data integrity but

not confidentiality
v  Encapsulation Security Protocol (ESP)

§  provides source authentication, data integrity, and
confidentiality

§  more widely used than AH

8-7 Network Security

IPsec – tunneling mode

v  edge routers IPsec-
aware

IPsec IPsec
IPsec IPsec

v  hosts IPsec-aware

8-8 Network Security

Security associations (SAs)

v  before sending data, “security association
(SA)” established from sending to receiving
entity
§  SAs are simplex: for only one direction

v  sending, receiving entitles maintain state
information about SA
§  recall: TCP endpoints also maintain state info
§  IP is connectionless; IPsec is connection-oriented!

8-9 Network Security

Example SA from R1 to R2

R1 stores for SA:
v  32-bit SA identifier: Security Parameter Index (SPI)
v  origin SA interface (200.168.1.100)
v  destination SA interface (193.68.2.23)
v  type of encryption used (e.g., 3DES)
v  encryption key
v  type of integrity check used (e.g., HMAC with MD5)
v  authentication key

193.68.2.23 200.168.1.100

172.16.1/24
172.16.2/24

security association

Internet headquarters
branch office

R1
R2

8-10 Network Security

Security Association Database (SAD)

v  endpoint holds SA state in security association
database (SAD), where it can locate them during
processing.

v  when sending IPsec datagram, R1 accesses SAD to
determine how to process datagram.

v  when IPsec datagram arrives to R2, R2 examines
SPI in IPsec datagram, indexes SAD with SPI, and
processes datagram accordingly.

8-11 Network Security

IPsec datagram
focus for now on tunnel mode with ESP

new IP
header

ESP
hdr

original
IP hdr

Original IP
datagram payload

ESP
trl

ESP
auth

encrypted

“enchilada” authenticated

padding
pad

length
next

header SPI
Seq

#

8-12 Network Security

What happens?

new IP
header

ESP
hdr

original
IP hdr

Original IP
datagram payload

ESP
trl

ESP
auth

encrypted

“enchilada” authenticated

padding
pad

length
next

header SPI
Seq

#

193.68.2.23 200.168.1.100

172.16.1/24
172.16.2/24

security association

Internet headquarters
branch office

R1
R2

8-13 Network Security

R1: convert original datagram to IPsec datagram

v  appends to back of original datagram (which includes
original header fields!) an “ESP trailer” field.

v  encrypts result using algorithm & key specified by SA.
v  appends to front of this encrypted quantity the “ESP

header, creating “enchilada”.
v  creates authentication MAC over the whole enchilada,

using algorithm and key specified in SA;
v  appends MAC to back of enchilada, forming payload;
v  creates brand new IP header, with all the classic IPv4

header fields, which it appends before payload.

8-14 Network Security

Inside the enchilada:

v  ESP trailer: Padding for block ciphers
v  ESP header:

§  SPI, so receiving entity knows what to do
§  Sequence number, to thwart replay attacks

v  MAC in ESP auth field is created with shared secret
key

new IP
header

ESP
hdr

original
IP hdr

Original IP
datagram payload

ESP
trl

ESP
auth

encrypted

“enchilada” authenticated

padding
pad

length
next

header SPI
Seq

#

8-15 Network Security

IPsec sequence numbers

v  for new SA, sender initializes seq. # to 0
v  each time datagram is sent on SA:

§  sender increments seq # counter
§  places value in seq # field

v  goal:
§  prevent attacker from sniffing and replaying a packet
§  receipt of duplicate, authenticated IP packets may disrupt service

v  method:
§  destination checks for duplicates
§  doesn’t keep track of all received packets; instead uses a window

8-16 Network Security

Network Security

v  What is network security?
v  Principles of cryptography
v  Message integrity, authentication
v  Securing e-mail
v  Securing TCP connections: SSL
v  Network layer security: IPsec
v  Operational security: firewalls and IDS

8-17 Network Security

Firewalls

isolates organization’s internal net from larger Internet,
allowing some packets to pass, blocking others

firewall

administered
network

public
Internet

firewall
trusted “good guys” untrusted “bad guys”

8-18 Network Security

Firewalls: why
prevent denial of service attacks:

v SYN flooding: attacker establishes many bogus TCP
connections, no resources left for “real” connections

prevent illegal modification/access of internal data
v e.g., attacker replaces CIA’s homepage with

something else
allow only authorized access to inside network

v  set of authenticated users/hosts

three types of firewalls:
v stateless packet filters
v stateful packet filters
v application gateways

8-19

Network Security

Stateless packet filtering

v  internal network connected to Internet via router
firewall

v  router filters packet-by-packet, decision to forward/
drop packet based on:
§  source IP address, destination IP address
§  TCP/UDP source and destination port numbers
§  ICMP message type
§  TCP SYN and ACK bits

Should arriving
packet be allowed in?
Departing packet let

out?

8-20 Network Security

Policy Firewall Setting
No outside Web access. Drop all outgoing packets to any IP

address, port 80
No incoming TCP connections,
except those for institution’s
public Web server only.

Drop all incoming TCP SYN packets
to any IP except 130.207.244.203,
port 80

Prevent Web-radios from eating
up the available bandwidth.

Drop all incoming UDP packets –
except DNS and router broadcasts.

Prevent your network from being
used for a smurf DoS attack.

Drop all ICMP packets going to a
“broadcast” address (e.g.
130.207.255.255).

Prevent your network from being
tracerouted

Drop all outgoing ICMP TTL expired
traffic

Stateless packet filtering: examples

8-21 Network Security

action
source

address
dest

address
protocol

source
port

dest
port

flag
bit

allow 222.22/16
outside of
222.22/16

TCP > 1023 80
any

allow

outside of
222.22/16

222.22/16

TCP 80 > 1023 ACK

allow 222.22/16
outside of
222.22/16

UDP > 1023 53 —

allow

outside of
222.22/16

222.22/16

UDP 53 > 1023 —-

deny all all all all all all

Access Control Lists
v ACL: table of rules, applied top to bottom to

incoming packets: (action, condition) pairs

8-22 Network Security

Stateful packet filtering
v  stateless packet filter:

§  admits packets that “make no sense,” e.g., dest port = 80,
ACK bit set, even though no TCP connection established:

action
source

address
dest

address
protocol

source
port

dest
port

flag
bit

allow

outside of
222.22/16

222.22/16

TCP 80 > 1023 ACK

v  stateful packet filter: track status of every TCP connection
§  track connection setup (SYN), teardown (FIN): determine

whether incoming, outgoing packets “makes sense”
§  timeout inactive connections at firewall: no longer admit

packets

8-23 Network Security

Application gateways

v  filters packets on
application data as well as
on IP/TCP/UDP fields.

v  example: allow select
internal users to telnet
outside.

host-to-gateway
telnet session

gateway-to-remote
host telnet session

application
gateway

router and filter

1. require all telnet users to telnet through gateway.
2. for authorized users, gateway sets up telnet

connection to dest host. Gateway relays data
between 2 connections

3. router filter blocks all telnet connections not
originating from gateway.

8-24 Network Security

Application gateways
v  filter packets on

application data as well
as on IP/TCP/UDP
fields.

v  example: allow select
internal users to telnet
outside

1. require all telnet users to telnet through gateway.
2. for authorized users, gateway sets up telnet

connection to dest host. Gateway relays data
between 2 connections

3. router filter blocks all telnet connections not
originating from gateway.

application
gateway

host-to-gateway
telnet session

router and filter

gateway-to-remote
host telnet session

8-25 Network Security

Limitations of firewalls, gateways

v  IP spoofing: router can’t
know if data “really”
comes from claimed
source

v  if multiple apps need
special treatment, each
has own gateway

v  client software must know
how to contact gateway.
§  e.g., must set IP

address of proxy in
Web browser

v  filters often use all or
nothing policy for UDP

v  tradeoff: degree of
communication with
outside world, level of
security

v  many highly protected
sites still suffer from
attacks

8-26 Network Security

Intrusion detection systems
v  packet filtering:

§  operates on TCP/IP headers only
§  no correlation check among sessions

v  IDS: intrusion detection system
§  deep packet inspection: look at packet contents

(e.g., check character strings in packet against
database of known virus, attack strings)

§  examine correlation among multiple packets
•  port scanning
•  network mapping
•  DoS attack

8-27 Network Security

Web
server FTP

server

DNS
server

Internet

demilitarized
zone

firewall

IDS
sensors

Intrusion detection systems
v  multiple IDSs: different types of checking at

different locations

internal
network

8-28 Network Security

Network Security

v  What is network security?
v  Principles of cryptography
v  Message integrity, authentication
v  Securing e-mail
v  Securing TCP connections: SSL
v  Network layer security: IPsec
v  Operational security: firewalls and IDS

8-29 Network Security

Network Security (summary)
basic techniques……

§  cryptography (symmetric and public)
§  message integrity
§  end-point authentication

…. used in many different security scenarios
§  secure email
§  secure transport (SSL)
§  IP sec

operational security: firewalls and IDS