8-1
Network Security
All material copyright 1996-2012
J.F Kurose and K.W. Ross, All Rights Reserved
George Parisis
School of Engineering and Informatics
University of Sussex
8-2 Network Security
Network Security
v What is network security?
v Principles of cryptography
v Message integrity, authentication
v Securing e-mail
v Securing TCP connections: SSL
v Network layer security: IPsec
v Operational security: firewalls and IDS
8-3 Network Security
What is network-layer confidentiality ?
between two network entities:
v sending entity encrypts datagram payload,
payload could be:
§ TCP or UDP segment, ICMP message, OSPF
message ….
v all data sent from one entity to other would be
hidden:
§ web pages, e-mail, P2P file transfers, TCP SYN
packets …
v “blanket coverage”
8-4 Network Security
Virtual Private Networks (VPNs)
motivation:
v institutions often want private networks for
security.
§ costly: separate routers, links, DNS infrastructure.
v VPN: institution’s inter-office traffic is sent over
public Internet instead
§ encrypted before entering public Internet
§ logically separate from other traffic
8-5 Network Security
IP
header
IPsec
header
Secure payload
IP
he
ad
er
IP
se
c
he
ad
er
S
ec
ur
e
pa
yl
oa
d
headquarters
branch office
salesperson
in hotel
laptop
w/ IPsec
router w/
IPv4 and IPsec
router w/
IPv4 and IPsec
public
Internet
Virtual Private Networks (VPNs)
8-6 Network Security
Two IPsec protocols
v Authentication Header (AH) protocol
§ provides source authentication & data integrity but
not confidentiality
v Encapsulation Security Protocol (ESP)
§ provides source authentication, data integrity, and
confidentiality
§ more widely used than AH
8-7 Network Security
IPsec – tunneling mode
v edge routers IPsec-
aware
IPsec IPsec
IPsec IPsec
v hosts IPsec-aware
8-8 Network Security
Security associations (SAs)
v before sending data, “security association
(SA)” established from sending to receiving
entity
§ SAs are simplex: for only one direction
v sending, receiving entitles maintain state
information about SA
§ recall: TCP endpoints also maintain state info
§ IP is connectionless; IPsec is connection-oriented!
8-9 Network Security
Example SA from R1 to R2
R1 stores for SA:
v 32-bit SA identifier: Security Parameter Index (SPI)
v origin SA interface (200.168.1.100)
v destination SA interface (193.68.2.23)
v type of encryption used (e.g., 3DES)
v encryption key
v type of integrity check used (e.g., HMAC with MD5)
v authentication key
193.68.2.23 200.168.1.100
172.16.1/24
172.16.2/24
security association
Internet headquarters
branch office
R1
R2
8-10 Network Security
Security Association Database (SAD)
v endpoint holds SA state in security association
database (SAD), where it can locate them during
processing.
v when sending IPsec datagram, R1 accesses SAD to
determine how to process datagram.
v when IPsec datagram arrives to R2, R2 examines
SPI in IPsec datagram, indexes SAD with SPI, and
processes datagram accordingly.
8-11 Network Security
IPsec datagram
focus for now on tunnel mode with ESP
new IP
header
ESP
hdr
original
IP hdr
Original IP
datagram payload
ESP
trl
ESP
auth
encrypted
“enchilada” authenticated
padding
pad
length
next
header SPI
Seq
#
8-12 Network Security
What happens?
new IP
header
ESP
hdr
original
IP hdr
Original IP
datagram payload
ESP
trl
ESP
auth
encrypted
“enchilada” authenticated
padding
pad
length
next
header SPI
Seq
#
193.68.2.23 200.168.1.100
172.16.1/24
172.16.2/24
security association
Internet headquarters
branch office
R1
R2
8-13 Network Security
R1: convert original datagram to IPsec datagram
v appends to back of original datagram (which includes
original header fields!) an “ESP trailer” field.
v encrypts result using algorithm & key specified by SA.
v appends to front of this encrypted quantity the “ESP
header, creating “enchilada”.
v creates authentication MAC over the whole enchilada,
using algorithm and key specified in SA;
v appends MAC to back of enchilada, forming payload;
v creates brand new IP header, with all the classic IPv4
header fields, which it appends before payload.
8-14 Network Security
Inside the enchilada:
v ESP trailer: Padding for block ciphers
v ESP header:
§ SPI, so receiving entity knows what to do
§ Sequence number, to thwart replay attacks
v MAC in ESP auth field is created with shared secret
key
new IP
header
ESP
hdr
original
IP hdr
Original IP
datagram payload
ESP
trl
ESP
auth
encrypted
“enchilada” authenticated
padding
pad
length
next
header SPI
Seq
#
8-15 Network Security
IPsec sequence numbers
v for new SA, sender initializes seq. # to 0
v each time datagram is sent on SA:
§ sender increments seq # counter
§ places value in seq # field
v goal:
§ prevent attacker from sniffing and replaying a packet
§ receipt of duplicate, authenticated IP packets may disrupt service
v method:
§ destination checks for duplicates
§ doesn’t keep track of all received packets; instead uses a window
8-16 Network Security
Network Security
v What is network security?
v Principles of cryptography
v Message integrity, authentication
v Securing e-mail
v Securing TCP connections: SSL
v Network layer security: IPsec
v Operational security: firewalls and IDS
8-17 Network Security
Firewalls
isolates organization’s internal net from larger Internet,
allowing some packets to pass, blocking others
firewall
administered
network
public
Internet
firewall
trusted “good guys” untrusted “bad guys”
8-18 Network Security
Firewalls: why
prevent denial of service attacks:
v SYN flooding: attacker establishes many bogus TCP
connections, no resources left for “real” connections
prevent illegal modification/access of internal data
v e.g., attacker replaces CIA’s homepage with
something else
allow only authorized access to inside network
v set of authenticated users/hosts
three types of firewalls:
v stateless packet filters
v stateful packet filters
v application gateways
8-19
Network Security
Stateless packet filtering
v internal network connected to Internet via router
firewall
v router filters packet-by-packet, decision to forward/
drop packet based on:
§ source IP address, destination IP address
§ TCP/UDP source and destination port numbers
§ ICMP message type
§ TCP SYN and ACK bits
Should arriving
packet be allowed in?
Departing packet let
out?
8-20 Network Security
Policy Firewall Setting
No outside Web access. Drop all outgoing packets to any IP
address, port 80
No incoming TCP connections,
except those for institution’s
public Web server only.
Drop all incoming TCP SYN packets
to any IP except 130.207.244.203,
port 80
Prevent Web-radios from eating
up the available bandwidth.
Drop all incoming UDP packets –
except DNS and router broadcasts.
Prevent your network from being
used for a smurf DoS attack.
Drop all ICMP packets going to a
“broadcast” address (e.g.
130.207.255.255).
Prevent your network from being
tracerouted
Drop all outgoing ICMP TTL expired
traffic
Stateless packet filtering: examples
8-21 Network Security
action
source
address
dest
address
protocol
source
port
dest
port
flag
bit
allow 222.22/16
outside of
222.22/16
TCP > 1023 80
any
allow
outside of
222.22/16
222.22/16
TCP 80 > 1023 ACK
allow 222.22/16
outside of
222.22/16
UDP > 1023 53 —
allow
outside of
222.22/16
222.22/16
UDP 53 > 1023 —-
deny all all all all all all
Access Control Lists
v ACL: table of rules, applied top to bottom to
incoming packets: (action, condition) pairs
8-22 Network Security
Stateful packet filtering
v stateless packet filter:
§ admits packets that “make no sense,” e.g., dest port = 80,
ACK bit set, even though no TCP connection established:
action
source
address
dest
address
protocol
source
port
dest
port
flag
bit
allow
outside of
222.22/16
222.22/16
TCP 80 > 1023 ACK
v stateful packet filter: track status of every TCP connection
§ track connection setup (SYN), teardown (FIN): determine
whether incoming, outgoing packets “makes sense”
§ timeout inactive connections at firewall: no longer admit
packets
8-23 Network Security
Application gateways
v filters packets on
application data as well as
on IP/TCP/UDP fields.
v example: allow select
internal users to telnet
outside.
host-to-gateway
telnet session
gateway-to-remote
host telnet session
application
gateway
router and filter
1. require all telnet users to telnet through gateway.
2. for authorized users, gateway sets up telnet
connection to dest host. Gateway relays data
between 2 connections
3. router filter blocks all telnet connections not
originating from gateway.
8-24 Network Security
Application gateways
v filter packets on
application data as well
as on IP/TCP/UDP
fields.
v example: allow select
internal users to telnet
outside
1. require all telnet users to telnet through gateway.
2. for authorized users, gateway sets up telnet
connection to dest host. Gateway relays data
between 2 connections
3. router filter blocks all telnet connections not
originating from gateway.
application
gateway
host-to-gateway
telnet session
router and filter
gateway-to-remote
host telnet session
8-25 Network Security
Limitations of firewalls, gateways
v IP spoofing: router can’t
know if data “really”
comes from claimed
source
v if multiple apps need
special treatment, each
has own gateway
v client software must know
how to contact gateway.
§ e.g., must set IP
address of proxy in
Web browser
v filters often use all or
nothing policy for UDP
v tradeoff: degree of
communication with
outside world, level of
security
v many highly protected
sites still suffer from
attacks
8-26 Network Security
Intrusion detection systems
v packet filtering:
§ operates on TCP/IP headers only
§ no correlation check among sessions
v IDS: intrusion detection system
§ deep packet inspection: look at packet contents
(e.g., check character strings in packet against
database of known virus, attack strings)
§ examine correlation among multiple packets
• port scanning
• network mapping
• DoS attack
8-27 Network Security
Web
server FTP
server
DNS
server
Internet
demilitarized
zone
firewall
IDS
sensors
Intrusion detection systems
v multiple IDSs: different types of checking at
different locations
internal
network
8-28 Network Security
Network Security
v What is network security?
v Principles of cryptography
v Message integrity, authentication
v Securing e-mail
v Securing TCP connections: SSL
v Network layer security: IPsec
v Operational security: firewalls and IDS
8-29 Network Security
Network Security (summary)
basic techniques……
§ cryptography (symmetric and public)
§ message integrity
§ end-point authentication
…. used in many different security scenarios
§ secure email
§ secure transport (SSL)
§ IP sec
operational security: firewalls and IDS