Microsoft PowerPoint Presentation: 17_1_Security

Uploaded by blueberrystore, 9 Dec 2013 (category: Security)

1 | 57

Communication systems
17th lecture (last)

Chair of Communication Systems
Department of Applied Sciences
University of Freiburg
2006

Communication systems: administrational stuff

- Last lecture for this semester
- Friday is the written exam, starting at 11am sharp, Room 03-026 in this building (attic, end of stairs)
- We gave some hints in the last practical course on Tuesday
- Please bring a fountain/ballpoint pen with you (seats, tables, writing paper are provided by us)
- Grades in oral or written exams will be sent to the examinations office (and will be available there at the beginning of the winter term)
- If you need a special printed paper: please tell us/send an email so we can prepare it; it will be available at the secretaries of the computing department

Communication systems: administrational stuff

- Seminar next semester
- The professorship will hold a block seminar on "Security, trust and law in the Internet" next winter in cooperation with MPICC (dept. of Prof. Sieber)
- Unfortunately the faculty was not able to hold the central information block on available seminars soon enough
- We expect written seminar papers by the end of October; the three seminar dates are on Friday/Saturday at the end of November / beginning of December
- The seminar can be taken for the field of specialization #6
- Topics like SPAM, cracking, phishing, etc. will be covered
- The seminar is in German only!
- More information on the several topics can be found on the homepage

Freiburg Embedded Systems Talks: Academia meets Industry

Speakers (excerpt):
- Prof. Dr.-Ing. Dr. h.c. Rolf Isermann
- Prof. Dr. Leonhard Michael Reindl
- Prof. Dr. Wilhelm Schäfer
- Prof. Dr.-Ing. Peter Woias
- Prof. Dr. Hans-Joachim Wunderlich

Topics:
- Software engineering
- Reconfigurability / fault tolerance
- Wireless / low power
- Sensor networks

Talks: 16-18 October 2006
Workshops: 19-20 October 2006
Celebration with live music: 16 October 2006, from 18:00
Venue: Faculty 11, Building 101
Further information: http://festami.informatik.uni-freiburg.de
Participation is free for students and staff!
Communication systems: last lecture (SIP and H.323)

- We talked on and demonstrated (in the practical course) SIP (Session Initiation Protocol) and H.323 (both might be part of the written exam questions)
- Telephony over IP networks
- Only session setup; compression and packet transport are left to other services like RTP and RTCP
  - the latter define container and control protocols for multimedia data streams
- H.323: standard developed by telcos (ITU)
- SIP: Internet standard (IETF), thus the two differ definitely in their designs

Communication systems: this lecture, security in computer networks

- We leave the area of telephony and talk of a completely different field again
- The topic of this lecture will NOT be asked in exam questions :-)
- After some overview on the several network layers:
  - IP v4 and v6 on the third OSI layer (network)
  - TCP, UDP on the fourth OSI layer (transport)
  - and several protocols for the underlying first and second layer (physical and data link layer)
- "security" is a very broad topic, not only connected to networks but to many other aspects of computers

Communication systems: this lecture, security in computer networks

- This lecture: a short introduction into the problems of open networks, types and points of possible attacks
  - more than an introduction is not possible; whole lectures may be held on that topic
- Security measures do not focus on a single network layer
- Different measures try to solve different problems that might occur
- There is no single measure which will solve all security issues at once
- New types of attacks and new types of countermeasures will keep evolving

Communication systems: network insecurity

- simple packet snapshot (practical course)

Communication systems: network insecurity

- IP packets are easily readable (if provided with the proper tools)
- e.g. Ethereal (today: Wireshark) provides the user/network administrator with a graphical user interface for interpreting packets
  - can grab all packets visible to a machine (promiscuous mode in LANs like Ethernet)
  - can sort out TCP streams (check which packets are part of a certain communication)
  - can interpret most protocol packets
- You should be familiar with this tool (and others like tcpdump) from the several practical courses

Communication systems: network insecurity

- Why are packets so easily readable?
  - all communication has to follow standards, otherwise no communication would be possible (think of people talking in different languages with each other)
  - even non-open protocols, like certain implementations of Windows network services, are interpretable: the Samba service was developed through trial-and-error and reverse engineering
  - thus: no security by obscurity!!
- In the beginning of "The Internet":
  - very few participants in networks
  - very few computers connected to each other
  - very few people with deep understanding of networking
  - not many network analysis tools available (for free)

Communication systems: network insecurity

- restricted computing power of connected machines: protocols should be very simple and should not impose high loads on the machine
- encryption technologies were not common knowledge / were restricted for export ("strategic technology")
- and: the simplicity of the TCP/IP protocol suite helped the rapid growth of the Internet and fast adoption by the different operating systems
- by now: the Internet is one of the base technologies for information exchange and communication
- a wide range of businesses directly depend on this network (online shops, auctions, b2b, games, advertisements, porn sites, ... :-))

Communication systems: network insecurity

- inner and inter-firm communication moves from the classic communication media telephone and fax over to mail and similar technologies
  - sending and reception of a wide range of digital objects
  - e.g. with the "Melissa" virus you could observe employees entering their offices at eight and leaving them at half past nine (no mail and online communication was available on most MS-operated networks)
- production and development heavily depend on networks
  - most information between firms is directly interchanged between databases over the net
- in the future: move of telecommunications into IP networks to avoid duplicated infrastructure and cut communication costs

Communication systems: network insecurity

- networks can be attacked on all layers
- layer 1 and 2
  - e.g. ARP spoofing in broadcast networks for a man-in-the-middle attack, redirection of default gateway traffic over the attacker's host (fifth lecture)
  - "dialer" programs: redirection of Internet traffic over costly dial-in lines (the attack is of course induced via web applications, trojan horses, ...)
- layer 3
  - IP spoofing: forging of IP addresses for good or malicious reasons (explained later as motivation for IPsec)
  - attacking routing protocols, e.g. RIP (II), for redirecting traffic in LANs

Communication systems: network insecurity

- networks can be attacked on all layers
- layer 1 and 2
  - rather simple within WLANs (unguided media with no distinct boundaries):
    - flooding the channel with corrupt packets or simply noise (microwave oven): the frequency band is rendered unusable
    - breaking the weak WEP algorithm
  - e.g. ARP spoofing in broadcast networks for a man-in-the-middle attack, redirection of default gateway traffic over the attacker's host (earlier lecture)
  - "dialer" programs: redirection of Internet traffic over costly dial-in lines (the attack is often initiated via web applications, trojan horses, ...)

Communication systems: network insecurity

- layer 4
  - very simple to send unsolicited UDP packets: connectionless service (thus easy to spoof protocols like SNMP, DHCP, DNS, ...)
  - take over open TCP connections: hijack an open telnet, mail, http session to use an authenticated session to a remote host
  - TCP SYN attacks (open as many TCP connections as possible from different hosts and leave them half-open without further communication; a type of distributed denial of service, DDoS)
  - dynamic routing protocols (some, like OSPF, run directly on IP in place of TCP or UDP) have their weaknesses too ...

Communication systems: network insecurity

- application layers (layer 5-7)
  - SPAM: attack on productivity in every organization/network; overload mail boxes to stop reception of further email
  - redirection of users/traffic through modification of DNS replies, DNS caches
  - crack passwords to gain access to accounts, databases ...
  - by now: so called "bot-nets": groups of computers compromised by some worm or system/service weakness, waiting for special incoming packets for distributed denial of service (DDoS) attacks, SPAM relaying, file exchange, ...

Communication systems: network security measures

- different security measures for different network layers and protocols
- application layers: e.g. PGP for mail (end-to-end mail encryption)
  - advantages:
    - PGP/GnuPG available for many OS / mail clients
    - independent of admin permissions of the underlying OS
    - the key ring can be put on a USB stick (or similar) and deployed on more than one machine
  - disadvantages:
    - available for mail / file encryption only
    - mail headers (and all protocols below) stay visible to everyone along the route; only the message body is protected end-to-end

Communication systems: network security measures

- Transport layer: an extension to service protocols, put between TCP and the higher level protocol
  - Secure Socket Layer (SSL: initially developed by Netscape to secure HTTP connections, to allow secure applications as a prerequisite for online shopping, home banking, ...)
  - Transport Layer Security (TLS): the modern, standardized successor of SSL (TLS 1.0 is essentially SSL 3.1)

Communication systems: network security measures

- by now implemented for a wide range of TCP applications
  - Web: http -> https, port 443
  - Mailboxes: imap4 -> imaps, port 993
  - Hierarchical database: ldap -> ldaps, port 636
- OpenSSL: open source implementation of the SSL/TLS library
- SSL requires certificate authorities (CA) to really know who the communication partner is
  - hierarchical structures of trust are rather costly
  - information on the CA (its root certificate) has to be put into the application, e.g. the web browser
  - a rather strong requirement in the rather "unregulated" Internet

Communication systems: network security measures

- Advantages of SSL/TLS:
  - library functions which can be applied relatively easily to every TCP application
  - freely available for all common OS
  - relatively widespread through use with HTTP communication
  - relatively mature (some security flaws were detected and fixed)
  - for non-SSL-enabled / rather old applications or protocols, secure tunnels via SSH (secure shell) can be established
  - some certificate authorities are available

Communication systems: network security measures

- Disadvantages of SSL/TLS:
  - not available for applications using UDP (or more difficult to apply), and no SSH tunnels are possible for UDP either
  - incompatibilities with/of older versions of SSL
  - CAs are rather expensive and not really compatible with each other
    - e.g. the University of Freiburg uses some CA but would have to pay extra money to enable every virtual web / mail host to use an authorized certificate (e.g. examine the certificate of the mail server ...)
  - every CA has to be known to the web browsers and protocols using SSL

Communication systems: network security measures

- By now many universities and scientific organizations use the services of the DFN CA
  - this CA is available free of charge to the members of that network
  - the root certificate is integrated into the popular open source browsers (of course not into IE: M$ will most probably charge for that :-))
- There is a more "general" solution to link encryption and authentication than SSL/TLS

Communication systems: network security measures

- Network layer: the IPsec protocol
  - mostly in parallel to the SSL development the need for secured IP connections was stated
  - the IETF created a working group which should backport the IPv6 security features to IPv4 networks
  - many participants in that working group
  - long processes
  - many incompatibilities between different vendors

Communication systems: network security measures

- Data link layer: PPTP or L2TP
  - PPTP (Point-to-Point Tunneling Protocol) is a Microsoft development for security enhancements to PPP
  - PPP allows transporting more than one network layer protocol (e.g. IPX) beside IP
  - PPTP was cracked some years ago; some security issues are not solved ...
  - PPTP is available for other operating systems too
  - L2TP (Layer 2 Tunneling Protocol) is prepared for adding security features too, but some issues are not solved
- For layer 2 tunneling: OpenVPN (open source project, available for OS with a tun/tap network device)

Communication systems: network security measures

- OpenVPN uses the SSL library (OpenSSL) to encrypt traffic; it can be used for securing layer 2 and IP connections
- Uses UDP packets for easy crossing of masquerading routers
- Can use TCP connections, and connections over HTTP proxies too
- Disadvantages: only point-to-point connections by now
  - need to set up several connection endpoints on a server with the older 1.x versions
  - multipoint connections to the same server port are available with the 2.0 version
- Not an officially standardized protocol, but in broad use in many setups

Communication systems: network security measures, summary

Communication systems: network insecurity

- address spoofing
  - talked on ARP and ARP spoofing earlier in this lecture / practical course
  - without authentication it is impossible to say which communication partner generated a certain packet
  - the same problem exists on higher layers too
  - the same problems with WEP (lecture on Wireless LAN), layer 2 security measures ...
  - IP spoofing is the creation of IP packets using some other IP address as source

Communication systems: IP insecurity

- IP spoofing
  - IP source and destination addresses can be modified easily (you only have to recompute the header checksum afterwards)
  - e.g. useful for IP masquerading (hide whole networks behind a masquerading router; a common technique for home LANs)
  - tools to do so: iptables (Linux firewall package; example given in one of the practical courses), WinPcap, sendpacket, raw sockets, ...
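The rewrite-and-recompute step above, as an added Python example that is not part of the lecture material: it builds a minimal IPv4 header with the standard library, swaps in a forged source address and recomputes the RFC 791 checksum so every router accepts the packet. The keyed check at the end is a constructed stand-in for a real authentication header (it is not the IPsec AH format) and is there to make the security point: a checksum protects against line noise, not against an attacker, because anyone can recompute it; only a holder of the shared key can recompute a MAC. The addresses and the key are made up and nothing is put on the wire.

```python
"""Forging the source address of an IPv4 header and fixing the checksum."""
import hashlib
import hmac
import socket
import struct

def ipv4_checksum(data: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src, dst, proto=17, payload_len=0, ttl=64, ident=0x1234):
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def header_checksum_ok(hdr: bytes) -> bool:
    """The check a router performs: the sum over the whole header verifies to 0."""
    return ipv4_checksum(hdr) == 0

def source_address(hdr: bytes) -> str:
    return socket.inet_ntoa(hdr[12:16])

def spoof_source(hdr: bytes, new_src: str) -> bytes:
    """What an attacker (or a masquerading router) does: overwrite the
    source field, zero the checksum field and recompute it."""
    patched = hdr[:10] + b"\x00\x00" + hdr[12:]
    patched = patched[:12] + socket.inet_aton(new_src) + patched[16:]
    return patched[:10] + struct.pack("!H", ipv4_checksum(patched)) + patched[12:]

# Keyed integrity check over the fields that do not change in transit
# (TTL and checksum are zeroed, the way an authentication header treats
# mutable fields). Illustrates the principle only; not the real IPsec AH.
def _immutable_part(hdr: bytes) -> bytes:
    return hdr[:8] + b"\x00" + hdr[9:10] + b"\x00\x00" + hdr[12:]

def sign_header(hdr: bytes, key: bytes) -> bytes:
    return hmac.new(key, _immutable_part(hdr), hashlib.sha256).digest()

def verify_header(hdr: bytes, key: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign_header(hdr, key), tag)

def demo():
    key = b"shared-secret-between-endpoints"            # constructed key
    original = build_ipv4_header("10.0.0.5", "192.0.2.10", payload_len=8)
    tag = sign_header(original, key)
    spoofed = spoof_source(original, "10.0.0.1")        # claim to be the gateway
    return {
        "original_src": source_address(original),
        "spoofed_src": source_address(spoofed),
        "router_accepts_original": header_checksum_ok(original),
        "router_accepts_spoofed": header_checksum_ok(spoofed),
        "mac_accepts_original": verify_header(original, key, tag),
        "mac_accepts_spoofed": verify_header(spoofed, key, tag),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both the original and the spoofed header pass the router's checksum test; only the keyed check tells them apart. A header whose source was patched without recomputing the checksum is what a router would actually discard, which is the only reason the recompute step is needed at all.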

Communication systems: IP insecurity

- IP spoofing
  - forging the source IP address causes responses to be misdirected, meaning that no normal (bidirectional) network connection can be created
  - originates in the packet switched nature of IP networks
    - IP routing is done on a hop by hop basis
    - the delivery route is determined by the routers that participate in the delivery process
    - routers use the "destination IP" address in order to forward packets through the Internet, but "ignore" the source address field
    - point of attack for IP spoofing
  - or asymmetric routing: a packet is sent out on one interface and the reply received over another

Communication systems: IP insecurity

- IP address spoofing in special scenarios
  - prerequisite for some types of SAT connections (incoming via satellite, outgoing via modem / ISDN)
    - the user makes a request using the return channel
    - the ISP receives the data from the Internet and sends it out through the satellite
    - the user receives the data through the satellite receiver (card)

Communication systems: IPsec

- IP v4 insecurity
  - IP v4 does not implement any security (easy IP spoofing, easy rewriting of packets, no encryption)
  - as we will see, firewalls do not secure outgoing or inbound traffic but shield the internal LAN
  - for secure communication over an insecure network (insecure not because of lost packets or connections, but because of special agencies listening on routers and wires) encryption will be needed
  - if hosts in a secured internetwork should interoperate as easily as in the classical Internet, a standard for secure communication is needed

Communication systems: IPsec

- IP v4 insecurity
  - IP and transport headers must be easily readable for routers and network engines
  - but the packet payload is easily readable too, if the proper tools for analysis are applied (i.e. Ethereal)
  - example of an HTTP POST packet (login to a well-known free mail provider: ID and password can be identified without problem)
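What Ethereal does on slide 10 (grouping packets into TCP streams and following one) and what this slide shows (reading the login out of a plain-text HTTP POST), as one added Python example that is not part of the lecture material. It parses Ethernet, IPv4 and TCP headers with the standard library only, groups frames by their connection 4-tuple, reassembles one direction in sequence order while discarding a retransmission, and pulls the form fields out of the POST. The frames, hosts (10.0.0.5 and 192.0.2.10), the login form and the host name mail.example are all constructed here; nothing stands between a passive observer and this payload because neither IP nor TCP encrypts anything.

```python
"""Following a TCP stream from raw frames and reading a plain-text login."""
import socket
import struct
from collections import defaultdict
from urllib.parse import parse_qs

ETH_P_IP = 0x0800

def parse_frame(frame: bytes):
    """Return (src, dst, sport, dport, seq, flags, payload) for an
    Ethernet/IPv4/TCP frame, or None for anything else."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                                   # protocol 6 = TCP
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return src, dst, sport, dport, seq, off_flags & 0x01FF, tcp[data_off:]

def group_streams(frames):
    """Group packets by connection; the key is direction independent so
    both halves of a conversation land in the same stream."""
    streams = defaultdict(list)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, seq, flags, payload = parsed
        key = tuple(sorted([(src, sport), (dst, dport)]))
        streams[key].append((src, sport, seq, payload))
    return streams

def follow_stream(packets, from_ip):
    """Reassemble one direction's payload in sequence-number order,
    ignoring retransmissions (same sequence number seen again)."""
    seen = {}
    for src, _sport, seq, payload in packets:
        if src == from_ip and payload and seq not in seen:
            seen[seq] = payload
    return b"".join(seen[s] for s in sorted(seen))

def extract_post_credentials(stream: bytes):
    """Form fields of a plain HTTP POST; None if the stream is not a POST."""
    head, _, body = stream.partition(b"\r\n\r\n")
    if not head.startswith(b"POST "):
        return None
    return {k: v[0] for k, v in parse_qs(body.decode("ascii", "replace")).items()}

# ---- constructed sample traffic (IP checksum left at 0; parse_frame does not verify it)
def make_frame(src, dst, sport, dport, seq, flags, payload=b""):
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)
    return eth + ip + tcp

CLIENT, SERVER = "10.0.0.5", "192.0.2.10"
SYN, ACK, PSH = 0x02, 0x10, 0x08
REQUEST = (b"POST /login HTTP/1.1\r\nHost: mail.example\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
           b"user=alice&pass=hunter2")
SAMPLE_FRAMES = [
    make_frame(CLIENT, SERVER, 40001, 80, 1000, SYN),
    make_frame(SERVER, CLIENT, 80, 40001, 7000, SYN | ACK),
    make_frame(CLIENT, SERVER, 40001, 80, 1001, PSH | ACK, REQUEST[:60]),
    make_frame(CLIENT, SERVER, 40001, 80, 1001, PSH | ACK, REQUEST[:60]),   # retransmission
    make_frame(CLIENT, SERVER, 40001, 53, 5000, SYN),                       # unrelated connection
    make_frame(CLIENT, SERVER, 40001, 80, 1061, PSH | ACK, REQUEST[60:]),
    make_frame(SERVER, CLIENT, 80, 40001, 7001, PSH | ACK, b"HTTP/1.1 302 Found\r\n\r\n"),
]

def sniff_credentials(frames=SAMPLE_FRAMES):
    streams = group_streams(frames)
    key = tuple(sorted([(CLIENT, 40001), (SERVER, 80)]))
    return extract_post_credentials(follow_stream(streams[key], CLIENT))

if __name__ == "__main__":
    print(len(group_streams(SAMPLE_FRAMES)), "TCP streams")
    print(sniff_credentials())
```

The request is deliberately split over two segments with a duplicate in between, which is the normal shape of captured traffic; the credentials only become readable after reassembly, which is exactly the step a sniffer automates for you.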

Communication systems: IPsec overview

- IP level security -> IPsec
- IPsec is Internet Protocol SECurity
- IPsec sits at the network layer, directly behind the IP header: no alteration to IP itself was needed, the protocol field of the IP header simply points to an additional security header (AH, protocol 51, or ESP, protocol 50), which in turn carries the transport protocol
- It uses strong cryptography to provide both authentication and encryption services
  - authentication ensures that packets are from the right sender and have not been altered in transit
  - encryption prevents unauthorized reading of packet contents
- Topic covered in other lectures: Telematics/Internet-Working

Communication systems: IPsec, VPNs

- IPsec allows multiple access, e.g. for teleworkers to the company LAN
- Without VPN: a costly separate infrastructure would be needed, often inflexible
- Construction of a VPN
  - connection of all participating parties to the Internet
  - the VPN client asks for a secure connection from the server
  - authentication via username/password, shared secret, key cards ...
  - after validation a tunnel is set up with special IP routes

Communication systems: IPsec, VPN problems

- Problems with VPN gateways
  - gateway machines are reachable over the public Internet: they can be attacked for break-in, denial of service
  - security can be increased through a combination of authentication methods
- Security at the tunnel end point
  - split tunnel: an unencrypted interface to the Internet is needed (transport medium for the encrypted traffic); the user machine is not secured against attacks from the Internet
  - "hardened tunnel": no connection/routing to the local LAN is allowed, the user end point machine obtains a private IP from the internal network

Communication systems: network security, other directions to look

- By now we discussed encryption and authentication measures put into different protocol layers to improve security
- We ensure this way that nobody can read/alter the packets of a communication during transit
- We do not secure a machine that way: vulnerability to attacks, DoS have to be abated some other way
- Completely different path of thought: not protecting one's own traffic from sniffing ... but allowing or blocking traffic at gateway, router, end system ...
- Traffic / packet filtering on different levels is another concept to increase security
  - parts of it will be discussed in the next part of the lecture ...

Communication systems: network security, "the magic device": firewall

- Take a completely new track now ...
- Firewalls are traffic / packet filters that operate on different layers of our OSI protocol stack
- Try for a definition: "A firewall is a network security device designed to restrict access to resources (information or services) according to a security policy"
- An important remark is to be made here:
  - firewalls are not a "magic solution" to network security problems, nor are they a complete solution for remote attacks or unauthorized access to data!!
  - firewalls can be circumvented in several ways and may increase the complexity of the network and this way decrease the level of security!

Communication systems: network security, firewalls

- A firewall is often a network security device, but can be (or simply is) implemented directly in the end systems
- It serves to connect two parts of a network and control the traffic (data) which is allowed to flow between them
- Often installed between an entire organization's network and the Internet
- A firewall is always the single path of communication between protected and unprotected networks
  - of course there are special cases of multiple firewalls, redundant connections, fault-tolerant failover etc.
- A firewall can only filter traffic which passes through it
  - if traffic can get to a network by other means, the firewall cannot block it

Communication systems: network security, firewalls

- Types of firewalling concepts:
  - (MAC / Ethernet frame filter)
  - packet filter
  - circuit-level proxy
  - stateful packet filter
  - application-level proxy
- Filtering on the data link layer
  - Ethernet frames contain source and destination addresses: MAC
  - allow only frames to be delivered from known sources, block frames with unknown MACs

Communication systems: network security, firewalls

- Filtering on the network layer
  - source & destination IP addresses
  - both are numerical: it is not easy for a firewall to deal with machine or domain names, e.g. www.hotmail.com
  - request: client = source, server = destination
  - response: server = source, client = destination

Communication systems: network security, firewalls

- Filtering on the transport level
  - this is where we deal with (mostly) TCP and UDP port numbers, e.g.:

    Port    Service  Purpose                                Transport
    25      SMTP     sending email                          TCP
    110     POP3     collecting email                       TCP
    143     IMAP     collecting email                       TCP
    389     LDAP     directory service                      TCP
    636     LDAPS    TLS secured directory service          TCP
    80      HTTP     web pages                              TCP
    443     HTTPS    secure web pages                       TCP
    53      DNS      name lookups                           UDP (TCP for large replies and zone transfers)
    67, 68  DHCP     dynamic end system IP configuration    UDP (67 server, 68 client)

Communication systems: network security, firewalls

- Most firewalls and their administrators assume that the port number defines the service: not necessarily
  - who could stop me from sending or receiving mail over the HTTP port?
  - who could stop users from tunneling all their IP traffic over an open port? (AOL left UDP 53 completely open for DNS traffic some years ago :-))
- Here we get a major problem: if users are blocked from using a service and try to avoid the blocking firewall, they might find a way through
  - the admin still thinks all is fine with the network, but the situation might be even worse than without a firewall at all ...
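The "port does not define the service" point above, turned into a check a practitioner would actually run; this is an added Python example, not part of the lecture. It looks at the first bytes of each flow and reports what the protocol really is, so mail smuggled over the HTTP port or an SSH tunnel parked on 443 stands out against the port-based expectation. The flows are constructed samples and the signature list (HTTP, SMTP, SSH, TLS, DNS over TCP) is deliberately small; a real deployment extends it and pairs it with the packet filter rather than replacing it.

```python
"""Protocol identification from payload bytes, compared with the port's promise."""
import re
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")
PORT_SERVICE = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 110: "pop3", 143: "imap", 443: "tls"}

def classify_payload(data: bytes) -> str:
    """Best-effort protocol guess from the first bytes of a TCP stream."""
    if not data:
        return "empty"
    # TLS record: type 0x16 (handshake), major version 3, then a ClientHello (0x01)
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    if data.startswith(b"SSH-"):
        return "ssh"
    if data.startswith(HTTP_METHODS) or data.startswith(b"HTTP/1."):
        return "http"
    if re.match(rb"(?i)^(EHLO|HELO|MAIL FROM:|220 )", data):
        return "smtp"
    # DNS over TCP: 2-byte length prefix, then a 12-byte header with QDCOUNT == 1
    if len(data) >= 14 and struct.unpack("!H", data[:2])[0] == len(data) - 2:
        if struct.unpack("!H", data[6:8])[0] == 1:
            return "dns"
    return "unknown"

def check_flow(port: int, data: bytes) -> dict:
    """Compare what the destination port promises with what the bytes say."""
    expected = PORT_SERVICE.get(port, "unknown")
    observed = classify_payload(data)
    return {"port": port, "expected": expected, "observed": observed,
            "mismatch": observed not in ("empty", expected)}

# Constructed sample flows: (destination port, first bytes the client sent)
SAMPLE_FLOWS = [
    (80, b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    (80, b"EHLO relay.example\r\n"),                              # mail over the HTTP port
    (443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),       # start of a TLS ClientHello
    (443, b"SSH-2.0-OpenSSH_8.9\r\n"),                            # SSH tunnel on the HTTPS port
    (53, struct.pack("!H", 17)                                    # DNS query for the root, over TCP
         + b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
         + b"\x00\x00\x01\x00\x01"),
    (25, b"220 mail.example ESMTP\r\n"),
]

def flagged_flows(flows=SAMPLE_FLOWS):
    """The flows whose payload does not match the service the port implies."""
    results = [check_flow(port, data) for port, data in flows]
    return [r for r in results if r["mismatch"]]

if __name__ == "__main__":
    for r in flagged_flows():
        print(f"port {r['port']}: expected {r['expected']}, saw {r['observed']}")
```

The heuristics only inspect the opening bytes, so an encrypted tunnel whose first record looks like a genuine TLS ClientHello is classified as TLS and passes; that is the same limitation the slides mention for the application-level proxy, and the reason port and payload checks are complementary rather than either one being sufficient.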

Communication systems: network security, firewalls

- Layer 7: application
  - this is where we find all the 'interesting' stuff ...
  - web requests, images, executable files, viruses, email addresses, email contents, usernames, passwords

Communication systems: network security, firewalls

- Packet filter
  - a special router that has the ability to throw packets away independently of network congestion
  - examines the TCP/IP headers of every packet going through the firewall, in either direction
  - choice of whether to allow or block a packet based on:
    - (MAC source & destination)
    - IP source & destination addresses (layer 3)
    - TCP / UDP source & destination ports (layer 4)
- Stateful filter
  - same as a packet filter, except initial packets in one direction are remembered, and replies are automatically allowed
  - simpler rules than a simple port based packet filter

Communication systems: network security, firewalls

- Packet filters use rules that specify which packets are allowed through the firewall, and which are dropped
  - rules must allow for packets in both directions
  - rules may specify source / destination IP addresses, and source / destination TCP / UDP port numbers
  - certain (common) protocols are very difficult to support securely (e.g. FTP, IRC, SIP, ...)
  - low level of security
- Stateful packet filter
  - a packet filter which understands requests and replies (e.g. for TCP: SYN, SYN-ACK, ACK)

Communication systems: network security, firewalls

- Stateful packet filter
  - rules need only specify packets in one direction (from client to server, the direction of the first packet in a connection)
  - replies and further packets in the communication are automatically processed
  - supports a wider range of protocols than a simple packet filter (e.g. FTP, IRC, H.323)
  - medium-high level of security
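The difference the last three slides describe between a plain packet filter and a stateful one, as an added Python example that is not from the lecture. Two tiny filters run over the same constructed packet list. The stateless one matches header fields only, so the administrator has to write an inbound rule for the replies ("anything from source port 80 with ACK set"), and that rule also admits an attacker's forged packets that merely look like replies. The stateful one remembers the outbound SYN in a connection table, admits only packets belonging to a tracked connection and forgets the entry on the client's FIN (a real implementation keeps closing states and timeouts; that is left out). The addresses, ports and rules are made up.

```python
"""Stateless packet filter vs. stateful packet filter over the same traffic."""
from dataclasses import dataclass

SYN, ACK, FIN = 0x02, 0x10, 0x01
INSIDE_NET = "10.0.0."          # constructed: the protected LAN

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

def is_outbound(p: Packet) -> bool:
    return p.src.startswith(INSIDE_NET) and not p.dst.startswith(INSIDE_NET)

# ---- stateless filter: rules are needed in both directions --------------
STATELESS_RULES = [
    # (outbound?, dport or None, sport or None, required flags, verdict)
    (True,  80,   None, 0,   "allow"),   # clients may reach web servers
    (False, None, 80,   ACK, "allow"),   # ...so replies from port 80 must be let back in
]

def stateless_filter(p: Packet) -> str:
    for outbound, dport, sport, need, verdict in STATELESS_RULES:
        if outbound != is_outbound(p):
            continue
        if dport is not None and p.dport != dport:
            continue
        if sport is not None and p.sport != sport:
            continue
        if (p.flags & need) != need:
            continue
        return verdict
    return "drop"                        # default deny

# ---- stateful filter: one outbound rule plus a connection table ---------
class StatefulFilter:
    def __init__(self, allowed_outbound_ports=(80,)):
        self.allowed = set(allowed_outbound_ports)
        self.table = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def verdict(self, p: Packet) -> str:
        if is_outbound(p):
            key = (p.src, p.sport, p.dst, p.dport)
            if key in self.table:
                if p.flags & FIN:        # simplification: drop state on first FIN
                    self.table.discard(key)
                return "allow"
            if (p.flags & SYN) and not (p.flags & ACK) and p.dport in self.allowed:
                self.table.add(key)      # new connection, remember it
                return "allow"
            return "drop"
        key = (p.dst, p.dport, p.src, p.sport)   # inbound: swap roles to find the entry
        return "allow" if key in self.table else "drop"

def run(filter_fn, packets):
    return [filter_fn(p) for p in packets]

# Constructed traffic: a legitimate web fetch interleaved with an attacker's
# forged "reply-looking" packets and an unsolicited inbound SYN.
TRAFFIC = [
    Packet("10.0.0.5", 40001, "192.0.2.10", 80, SYN),          # client SYN
    Packet("192.0.2.10", 80, "10.0.0.5", 40001, SYN | ACK),    # server SYN-ACK
    Packet("10.0.0.5", 40001, "192.0.2.10", 80, ACK),          # handshake complete
    Packet("198.51.100.7", 80, "10.0.0.5", 40001, ACK),        # forged: sport 80, ACK set
    Packet("198.51.100.7", 80, "10.0.0.9", 3389, ACK),         # forged, aimed at an inside service
    Packet("198.51.100.7", 5555, "10.0.0.9", 3389, SYN),       # unsolicited inbound SYN
    Packet("10.0.0.5", 40001, "192.0.2.10", 80, FIN | ACK),    # client closes
    Packet("192.0.2.10", 80, "10.0.0.5", 40001, ACK),          # late packet after close
]

def compare():
    """Verdicts of both filters over TRAFFIC, in order."""
    return run(stateless_filter, TRAFFIC), run(StatefulFilter().verdict, TRAFFIC)

if __name__ == "__main__":
    for p, a, b in zip(TRAFFIC, *compare()):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  stateless={a:<5} stateful={b}")
```

The two forged packets and the late ACK are exactly the cases where the stateless rule set fails: it cannot express "only if we asked for it", so it has to let every ACK from port 80 in. The stateful filter's single outbound rule is both shorter and stricter, which is the "simpler rules, higher security" claim of the slides in concrete form.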

Communication systems: network security, firewalls

- Layer-7 proxy server: application level proxy
  - client and server in one box, for every supported application protocol: SMTP, POP3, HTTP, SSH, FTP, NNTP, Q3A, ...
  - packets are received and processed by the server part, new packets are generated by the client part
  - prevents the need for a direct network connection of clients: no client packet is directly routed into the Internet, no packet from the Internet is directly handed to the client
  - special proxy protocol supported by many applications which offers authentication: SOCKS5

Communication systems: network security, firewalls

- Complete server & client implementation in one box for every protocol which can be expected through it
  - the client connects to the firewall
  - the firewall validates the request
  - the firewall connects to the server
  - the response comes back through the firewall and is also processed through client/server
- Large amount of processing per connection
- High level of security
- And: a lot of funny stuff can be tried with filtering (SPAM, ads, porn sites, ...)

Communication systems: network security, firewall taxonomy

- Packet filters, circuit-level proxies and stateful packet filters are like telephone call-barring by number
  - block or allow mobile calls
  - block or allow international calls
  - block or allow 0190/0900 (premium rate) calls
  - from different internal extensions
- An application level proxy is like telephone call monitoring by listening to the conversations
  - conversations may still be encoded, or in a foreign language!!

Communication systems: network security, "personal" firewalls

- Applications which run on Windows machines
  - the commonest home PCs, often insecure, increasingly connected using ADSL etc.
- Packet filter (sometimes stateful)
  - learn which applications are permitted to make what type of outbound connections
  - block inbound access except replies
- But nobody knows exactly
  - how personal firewalls are bound to the Windows network stack
  - how firewalls could be disabled by malicious applications

Communication systems: firewalls, conclusion

- Firewalls control network traffic to and from the protected network
  - can allow / block access to services (both internal and external)
  - can enforce authentication before allowing access to services
  - can monitor traffic in/out of the network
- Firewalls typically defend a protected network against an attacker who tries to access vulnerable services which should not be available from outside the network

Communication systems: firewalls, conclusion

- Firewalls are also used to restrict internal access to external services, for many different reasons:
  - security (don't want people downloading and installing unknown applications)
  - productivity (don't want people wasting time on non-work-related websites etc.)
  - cost (many Internet connections, e.g. dial-up, are charged by data transferred; ensure this is all necessary)
- But firewalls can mislead into total control and monitoring, or distract admins from more important security issues ...

Communication systems: conclusion of the lecture

- Gave a broad overview on network related issues with focus on IP and digital telephony networks
- Defined a model for network protocol layering
  - talked on the network layer: IP v4 / v6, routing on this layer
  - DNS as a helper application for the convenience of Internet users
  - physical and data link layer: several lower layer protocols and techniques for transportation of bitstreams, encoding digital data into analog signals

Communication systems: conclusion of the lecture

- OSI layers and examples

Communication systems: conclusion of the lecture

- Many topics were not covered or only briefly
- Range of lectures which focus on
  - network security
  - network programming
  - dynamic networks and routing protocols
  - network applications
  - ...
- Courses of the professorship next semester
  - interdisciplinary seminar as introduced at the beginning of the lecture ...
  - special practical course on the open source PBX Asterisk (SIP, mobile telephony, ...) at Summercampus2006: 16th-19th of August

Communication systems: end for today and this semester!!

- Thanks to our hiwis (student assistants)
  - Rui Zhou
  - Ahmad Abdul Majeed and Christoph Hanke
  - helping in the preparation of practical courses
  - discussing and defining exercises
  - correcting exercises
  - preparing services and tools
  - ...
- Have nice summer holidays!!
- See you tomorrow :-))