Network Security

aurorabelly, Networking and Communications

21 Nov 2013 (3 years and 6 months ago)


Network Security

Presenter : Youngdoo Kang

14d

Regional Training Course on Information Security for Nuclear Organizations Managers

15-18 December 2008

This session covers:

- Introduction of Network Security Objectives
- Layered Models and Network Attacks
- Tools and Techniques for Network Security
- Considerations

Unfortunately, we have just 20’

It’s for Nuclear Organizations Managers

Intro - Network Security Objectives

Network (networks)
- Nodes & links (WAN, LAN, MAN… “clouds”)
- Convenient venue for attack

A “cornerstone” for Information & Computer Security
- As a channel for attacks
- As a target for attackers
- As a defense against attacks

Intro - Network Security Objectives

Access Control
- Network = #1 entry point of IT systems… so a good point to enforce access control!

Confidentiality
- The data has to be delivered only to the right recipient, protected from eavesdropping

Integrity
- Protect against unauthorized modifications on the wire

Availability
- A key business requirement, a prime and easy target

Layered Models and Network Attacks

Two commonly used models
- The OSI Reference Model
  - OSI = Open System Interconnect
  - 7 layers
  - International standard ISO/IEC 7498-1, conceptual
- The TCP/IP model
  - 4 layers
  - “Real world” model

Choice: OSI model as a reference
- Anyway, they can match
- Concepts/technologies can encompass several layers


Layered Models and Network Attacks

[Figure: OSI Reference Model beside the TCP/IP Model and protocols]
- OSI Reference Model: 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical
- TCP/IP Model: Application, Transport, Internetwork, Network Access
- Protocols shown: MAC, LLC, ARP, IP, ICMP, UDP, TCP, HTTP, FTP, SNMP, SMTP, DHCP, Telnet

Layered Models and Network Attacks

Simply, general network architecture

[Figure: System A and System B, each with 7 layers (Application, Presentation, Session, Transport, Network, Data Link, Physical), send and receive packets over a Communication Medium (physical communication). Other labels: Layer 1, Layer 2, Layer (i), Layer N (upper layer); L1 Header, L2 Header, L3 Header, Tail.]

Layered Models and Network Attacks

Each layer has vulnerabilities:
- Layer 1
  - Wiretapping: interrupt directly the physical cable
- Layer 2
  - Eavesdropping: share the media (e.g., CSMA) and every node can receive data
- Layer 3
  - Spoofing: ack, nak
- Layer 4
  - SYN Flood attack: overflow
- . . .

Layered Models and Network Attacks

Layer 3: Network

Main roles and functions
- Data transfer across networks
- Routing between segments
- Forwarding, Addressing
- Congestion control
- Packet sequencing

Main examples
- Internet Protocol (IP), IP Sec
- Routing protocols (RIP, OSPF, BGP…)
- ICMP (Internet Control Management Protocol)
  - ping etc.

Layered Models and Network Attacks

SYN Flood attack (layer 4)
- Half-open connections!
- Resource exhaustion

Some DoS on the stack implementation
- Land attack: set source IP@ = destination IP@
- Teardrop attack: contradictory length, fragmentation
- Smurf attack: targeted a “ping” avalanche
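The half-open connection tracking behind SYN flood detection, together with the Land signature (source address equal to destination address), as an added example that is not part of the original slides. The packet tuples, addresses, threshold and timeout are constructed for illustration.

```python
from collections import Counter

# Constructed sample traffic (documentation address ranges), client-to-server
# direction only: (time_s, src_ip, src_port, dst_ip, dst_port, tcp_flags)
SERVER = "192.0.2.10"
PACKETS = [
    (0.0, "198.51.100.7", 40000, SERVER, 80, "S"),  # normal client: SYN ...
    (0.1, "198.51.100.7", 40000, SERVER, 80, "A"),  # ... then ACK completes it
    (1.0, SERVER, 80, SERVER, 80, "S"),             # Land: source == destination
]
# Sources that send a SYN and never answer the server's SYN-ACK
PACKETS += [(2.0 + i * 0.01, f"203.0.113.{i}", 1024 + i, SERVER, 80, "S")
            for i in range(1, 9)]


def analyze(packets, max_half_open=5, timeout_s=30.0):
    """Return alerts as (time_s, kind, target) tuples.

    max_half_open and timeout_s are illustrative values, not from the slides.
    """
    half_open = {}                 # flow 4-tuple -> time its SYN was seen
    alerts, flagged = [], set()
    for ts, src, sport, dst, dport, flags in packets:
        if src == dst:             # Land attack signature
            alerts.append((ts, "LAND", dst))
            continue
        flow = (src, sport, dst, dport)
        if flags == "S":
            half_open[flow] = ts           # handshake started, not finished
        elif flags in ("A", "R"):
            half_open.pop(flow, None)      # completed or reset: slot is freed
        # Forget entries the server itself would have timed out by now
        half_open = {f: t for f, t in half_open.items() if ts - t <= timeout_s}
        # Count pending handshakes per listening (address, port)
        pending = Counter((f[2], f[3]) for f in half_open)
        for target, count in pending.items():
            if count > max_half_open and target not in flagged:
                flagged.add(target)
                alerts.append((ts, "SYN_FLOOD", target))
    return alerts


if __name__ == "__main__":
    for alert in analyze(PACKETS):
        print(alert)
```
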

Layered Models and Network Attacks

Wiretapping (from layer 1)
- Interrupt directly the physical wire, and then listen…

Eavesdropping (layer 2)
- Ethernet shares the LAN media
- Everyone receives Ethernet frames
- Only the recipient considers it
- Promiscuous mode: listen to everything

Generic Plant Network Architecture

Tools and Techniques for Network Security

- Firewall
- IDS / IPS
- Graded approach / zone model
- Segmentation
- One-way communication

Firewall

Basic Definition
- In building construction, keep a fire from spreading from one part of the building to another
- In network security, a component (or a set) that restricts access between two networks

Functions
- Gatekeeper, controlling traffic that crosses inbound and outbound
- Separation between (less) un-trusted networks (e.g. Internet) and (more) trusted networks

[Figure: Un-trusted Network | let pass or block? | Trusted and protected Internal Network]

IDS and IPS

Intrusion Detection System vs Prevention Systems
- IDS is “passive”, installed on a derivation (tap)
- IPS is “active”, installed on the wire

Network IDS/IPS and Host IDS/IPS
- On the hosts or servers / On the network (with sensors)

Approaches
- Signature based vs Anomaly based
- Hybrid
- Remember the FAR/FRR for biometrics?

Software, dedicated appliance or add-ons


Zone Model of Protection

- A possible practical implementation of the graded approach is to categorize computer systems into logical zones, where graded protective principles are applied for each zone.
- The assignment of computer systems to different levels and zones should be based on their relevance to safety and security. Nonetheless, the risk assessment process should be allowed to feed back into and influence the graded approach.

Zone Levels

Example: NPP Zones

Zone 1 - Protection and limitation systems
  This zone comprises all computers which belong to safety relevant digital and software based I&C systems. These systems acquire and calculate process data and output control commands to the plant process.

Zone 2 - Process-control and Process-computing systems (operational and technical support systems)
  This zone comprises all computers which belong to digital electro-technical and digital I&C systems. Unlike systems of zone 1, these computers are not relevant to safety or do not work with any direct control to the plant process.

Zone 3 - Administrative computer systems
  This zone comprises all computers and IT systems that are used for administrative purposes.

Zone 4 - External systems
  This zone comprises all computers and IT systems that are assigned to external applications.

One-way Communication

- No handshaking / No acknowledgement
- Non reliable communications

[Figure: Highest Security Zone and Lower Security Zone joined by a one-way link using a specific protocol; labels: Application server, File deposit server, FTP Server (two)]

Remote Access

- A major concern
- Famous example of Davis-Besse NPP (2003)
- More and more requested by users…
- …and by third parties!
- Sometimes, no choice
- A clear policy is needed
- Integrated in the graded approach / zone model

Remote Access Policy

Indications from the IAEA draft guide
- Level 1: “don’t even think about it”
- Level 2 & 3: “only if absolutely necessary”
  R.A:
  o may be allowed on a case-by-case access
  o for a defined working period
  o must be protected with strong measures, and
  o respect a defined security policy (contractual)
- Level 4: “Go for it, but pay attention”
  o allowed for authorized users provided that appropriate controls are in place


Consideration on Wireless

- Wireless is attractive to get rid of this… [image]
- To avoid costs of new wires in existing buildings
- General trend in I.T. but also for industrial environments (ref. EPRI, WINA, ISA…)

Wireless Technologies

From ISA100 ORNL presentation (Wayne W. Manges, Apr 2007)

Wireless security

- Channel Security
  - Confidentiality & Integrity: ~ OK (e.g. 802.11i)
    o Use the latest technologies (forget WEP)
  - Availability: still a problem…
- Big issues
  o Denial of Service
  o Easy access to the media
- Still some unresolved security problems…
- EMI/RFI issue…

Defensive model with defense in depth to SCADA - INL

[Figure labels: IDS, Zone, Firewall, DMZ, Network segmentation, . . .]

Network Architecture examples 2/2

From ISA-d99.00.01 Draft

Questions?

Supplement

Layered Models and Network Attacks

Layer 7: Application

Main role and functions
- Portal to network based services for applications

Main examples
- HTTP, FTP, Telnet, SMTP…

Crafted malicious codes
- Worms, spywares,…
- Cf. Don’s presentation

Direct connections to applications
- This is what network is about
- Unprotected / No Access Control

Buffer overflows, exploited remotely
- Malicious inputs, stack overflow, underrun…

Layered Models and Network Attacks

Layer 6: Presentation

Main role and functions
- Handles encoding, encryption, etc...
- Protocol Conversion, Data Translation, Encryption, ...

Main examples
- Formats: ASCII, EBCDIC, GIF, JPEG, ZIP…
- In fact, encryption and compression often done elsewhere

Some phishing attacks are based on encoding

Layered Models and Network Attacks

Layer 5: Session

Main role and functions
- Creates, maintains and stops logical persistent connections between hosts
- Synchronization: keeps track of long messages
- Duplex / half-duplex / simplex

Main examples
- NFS, SQL, RPC, (SSL/TLS)

SSL / TLS session hijacking

Layered Models and Network Attacks

Layer 4: Transport

Main role and functions
- Ensures End-to-end connection
- Manage upper layers data flows
- Manipulate “Packets”

Main examples
- TCP (Transmission Control Protocol)
  - connection oriented, reliable
- UDP (User Datagram Protocol)
  - connectionless

Layered Models and Network Attacks

Layer 2: Data Link

Main roles and functions
- Machine to Machine data transfer, on the same segment
- Frame creation and sequence
- Error detection and correction

Main examples
- Ethernet, ISDN, ATM, but also protocols like ARP, L2TP… Wireless (WiFi)

Layered Models and Network Attacks

Layer 1: Physical

Main roles and functions
- Specifies the physical signals
  o E.g. Voltage Levels, bits per sec.
- Network interfaces and cabling

Main examples
- RS232, Ethernet/100bT, Coax
- USB, Firewire (encompass several layers)