Network Security - Aecessary Job Description

Transcription

1 Network Protection: Macro Scale Question: you re a network/systems admin for a large campus (like UTSC, or IBM Markham) with thousands of networked devices connected to the Internet how do you ensure all these devices are secure against attackers? require all user systems to be administered by IITS or equiv require all user systems to turn off risky services require all user systems to undergo pen-testing by IITS/equiv Other than sheer number of user-systems, diversity is also a problem OS s, versions of OS s, installed software/versions, different hardware configs, probably can t even enumerate this let alone secure it! Attack surface is too large to effectively protect 10 Network Attacks CSCD27 Computer and Network Security 43 Network Protection: Firewalls Approach: focus on the point at which all these usersystems converge your link to the Internet A firewallis a network device/router that can be flexibly configured to open/close network access to hosts (network devices) and/or ports on those hosts going in and/or out of an organization s network Firewall enforces an access-control policy: what IP addresses can exchange packets with other IP addresses, and what services can be accessed (TCP/UDP port # s) inbound packets from the Internet trying to get into local network, outbound going the other way For the most part, we trust the outbound but not the inbound 10 Network Attacks CSCD27 Computer and Network Security 44 CSCD27F Computer and Network Security 1

2 Firewalls firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others administered internal network trusted good guys firewall public Internet untrusted bad guys 10 Network Attacks CSCD27 Computer and Network Security 45 Firewalls: Why? mitigate denial of service attacks: SYN flooding, SMURF attack reduce attacker ability to perform network reconnaissance: port scanning, network mapping mitigate unauthorized access/tampering of internal network data: network-attached databases/storage (NAS), Web sites allow only authorized access to internal network set of authenticated users/hosts three types of firewalls: stateless packet filters stateful packet filters application gateways (not covered here) 10 Network Attacks CSCD27 Computer and Network Security 46 CSCD27F Computer and Network Security 2

3 Network Protection: Firewalls Simple access-control policy: allow inside hosts to connect to any outside host/service outside hosts subject to restrictions: o allowed to connect to internal hosts/services intended to be externally visible, e.g. server, Web server o blocked from connecting to all other internal hosts/services How to handle cases not explicitly mentioned in the policy? Default to allow start by allowing packets to pass, and only turn off when problems arise hmm Default to deny start by blocking packets, and only allow them to pass when users complain ahh, now that s more like it! Gets noticed more quickly by people you know errors less painful than default allow 10 Network Attacks CSCD27 Computer and Network Security 48 Stateless packet filtering Should arriving packet be allowed in? Departing packet let out? internal network connected to Internet viarouter firewall routerfilters packet-by-packet, decision to forward/drop packet based on: source IP address, destination IP address TCP/UDP source and destination port numbers ICMP message type TCP SYN and ACK bits 10 Network Attacks CSCD27 Computer and Network Security 49 CSCD27F Computer and Network Security 3

4 Stateless packet filtering: example example 1: block incoming and outgoing datagrams with either: IP protocol field = 17 (UDP) or with TCP source or destport = 23 (telnet) result: all incoming, outgoing UDP flows and telnet connections are blocked example 2: block inbound TCP segments with ACK=0. result: prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside. 10 Network Attacks CSCD27 Computer and Network Security 50 Stateless packet filtering: more examples Policy No outside Web access No incoming TCP connections, except those connecting to the UTSC public Web server Prevent Web-radios from consuming available bandwidth Prevent your network from being used for a smurf DoS attack Prevent your network from being tracerouted Firewall Setting Drop all outgoing packets to any IP address, port 80 (http) or 443 (https) Drop all incoming TCP SYN packets to any IP except , port 80 or port 443 Drop all incoming UDP packets - except DNS and router broadcasts Drop all ICMP packets going to a broadcast address (e.g ) Drop all outgoing ICMP TTL expired packets 10 Network Attacks CSCD27 Computer and Network Security 51 CSCD27F Computer and Network Security 4

5 Access Control Lists (ACLs) ACL:table of rules, applied top to bottomto incoming packets: (action: condition) pairs action source address allow allow allow allow dest address protocol source port dest port TCP > flag bit any TCP 80 > 1023 ACK UDP > UDP 53 > deny all all all all all all 10 Network Attacks CSCD27 Computer and Network Security 52 Stateful packet filtering stateless packet filter: blunt instrument admits packets that make no sense, e.g., srcport = 80, ACK bit set, even though no TCP connection established: action source address dest address protocol source port dest port flag bit allow TCP 80 > 1023 ACK stateful packet filter: track status of every TCP connection track connection setup (SYN), teardown (FIN): determine whether incoming, outgoing packets makes sense timeout inactive connections at firewall 10 Network Attacks CSCD27 Computer and Network Security 53 CSCD27F Computer and Network Security 5

6 Stateful packet filtering ACL augmented to indicate need to check connection state table before admitting packet action source address dest address proto source port dest port flag bit check conxion allow TCP > any allow TCP 80 > 1023 ACK Y allow UDP > allow UDP 53 > Y deny all all all all all all 10 Network Attacks CSCD27 Computer and Network Security 54 Intrusion Detection Systems (IDS) packet filtering: operates on TCP/IP headers only no correlation check among sessions IDS: intrusion detection system deep packet inspection:look at packet contents (e.g., check character strings in packet against database of known virus, attack strings) examine correlation among multiple packets o port scanning o network mapping o DoS attack 10 Network Attacks CSCD27 Computer and Network Security 59 CSCD27F Computer and Network Security 6

7 Intrusion Detection Systems multiple IDS s: different types of checking at different locations in network firewall internal network Internet IDS sensors Web DNS server FTP server server demilitarized zone 10 Network Attacks CSCD27 Computer and Network Security 60 Virtual Private Networks: VPNs How do you provide secure remote access to local network services protected by a firewall? Firewall rules block connections from outside to those services, but employees may need access to restricted resources while travelling, e.g. financial/sales DBs A Virtual Private Network creates a tunnelthrough the Internet to an internal VPN server VPN client/user is assigned an IP on the local network, and so has same access rights as anyone else on local net Provides authentication, confidentiality, integrity, like SSL e.g. OpenVPN, available for most platforms Also protects against MITM attacks such as ISP injection 10 Network Attacks CSCD27 Computer and Network Security 61 CSCD27F Computer and Network Security 7

8 Domain Name System (DNS) DNS maps symbolic names to numeric IP addresses What s the IP address for k.root-server.net Client (local) DNS Server.ca cctld server.google.ca DNS server 10 Network Attacks CSCD27 Computer and Network Security 62 DNS Root Name Servers root name servers for top-level domains Authoritative name servers for subdomains Local name resolvers contact authoritative servers when they do not know IP address for a name e NASA Mt View, CA f Internet Software C. Palo Alto, CA (and 36 other locations) b USC-ISI Marina del Rey, CA l ICANN Los Angeles, CA a Verisign, Dulles, VA c Cogent, Herndon, VA (also LA) d U Maryland College Park, MD g US DoD Vienna, VA h ARL Aberdeen, MD j Verisign, ( 21 locations) k RIPE London (also 16 other locations) i Autonomica, Stockholm (plus 28 other locations) m WIDE Tokyo (also Seoul, Paris, SF) DoS attack on root DNS servers, consequence? 10 Network Attacks CSCD27 Computer and Network Security 63 CSCD27F Computer and Network Security 8

9 DNS Caching DNS responses are cached important optimization for repeated translations (very common). How does this speed lookups? other queries may reuse parts of lookup o e.g. NS records for domains (e.g. utsc.utoronto.ca) DNS negative queries also cached don t have to repeat past mistakes o e.g. misspellings s.a. goggle.com Cached data periodically times out. Why? lifetime (TTL) of data controlled by owner of data. What s the motive for TTL? TTL transmitted with every DNS record 10 Network Attacks CSCD27 Computer and Network Security 64 DNS Vulnerabilities Users/hosts trust the host-address mapping provided by DNS: Used as basis for many security policies, e.g. browser same-origin policy Obvious problems Interception of requests or compromise of DNS servers can result in incorrect or malicious responses o e.g.: hijack BGP route to spoof DNS Solution authenticated requests/responses o provided by DNS-SEC but DNS-SEC deployment is spotty 10 Network Attacks CSCD27 Computer and Network Security 65 CSCD27F Computer and Network Security 9

10 DNS Authentication Response accepted if TXID is the same Can remain in cache for long time (TTL) Request contains random 16-bit TXID What s the IP address for k.root-server.net Client (local) DNS Server.ca cctld server.google.ca DNS server 10 Network Attacks CSCD27 Computer and Network Security 66 DNS cache poisoning Victim machine visits attacker s Web site (e.g. blog or spamlinked), downloads some JavaScript user browser Query: a.bank.com local DNS resolver a.bank.com TXID=x 1 IPaddr ns.bank.com Attacker wins if j: x 1 = y j and attacker response arrives first 256 responses: Random TXID y 1, y 2, NS bank.com=ns.bank.com A ns.bank.com=attackerip Response cached and attacker owns bank.com for TTL!! attacker 10 Network Attacks CSCD27 Computer and Network Security 67 CSCD27F Computer and Network Security 10

11 If at first you don t succeed Victim machine visits attacker s web site, downloads JavaScript user browser Query: b.bank.com local DNS resolver b.bank.com TXID=x 2 IPaddr ns.bank.com 256 responses: Random TXID y 1, y 2, NS bank.com=ns.bank.com A ns.bank.com=attackerip attacker wins if j: x 2 = y j success after 256 tries attacker 10 Network Attacks CSCD27 Computer and Network Security 68 Solving DNS Spoofing Problem Long TTL for legitimate responses Does this really solve the problem? Randomize port in addition to TXID 32-bits of randomness, increases effort of birthdaycollision attack from 2^8 to 2^16 to guess TXID DNS-SEC Cryptographic authentication of host-address mappings 10 Network Attacks CSCD27 Computer and Network Security 69 CSCD27F Computer and Network Security 11

12 DNS Spoofing Defense: DNS-SEC Authentication, integrity of DNS requests/responses PK-DNSSEC (public key) DNS server signs its data (can be done in advance) How do other servers learn the public key? SK-DNSSEC (symmetric key) Encryption and MAC: E k (m, MAC(m)) Each message contains a nonce to avoid replay Each DNS node shares a symmetric key with its parent Zone root server has a public key (hybrid approach) 10 Network Attacks CSCD27 Computer and Network Security 70 DNS Rebinding Attack Consider a Web server intranet.utoronto.ca Private IP: , inaccessible outside utoronto.ca network Hosts security-sensitive PHP applications and data Attacker at blackhat.com gets utoronto.ca user to browse Places JavaScript on that accesses sensitive application on intranet.utoronto.ca Attack fails because JavaScript is restricted by the sameorigin policy (more when we cover Web security) but wait, attacker controls blackhat.com DNS 10 Network Attacks CSCD27 Computer and Network Security 71 CSCD27F Computer and Network Security 12

13 DNS Rebinding Attack <script src=" ">malware</script> <iframe src=" "> DNS-SEC cannot stop this attack ns.blackhat.com TTL = 0 DNS server Intranet Web server Firewall web server iframe read permitted: considered same origin 10 Network Attacks CSCD27 Computer and Network Security 72 Mobile Phone Security The GSM mobile phone system is vulnerable to IMSI catchers due to its authentication design (phones authenticate to towers but not vice versa) The above image shows IMSI catchers detected in the Washington DC central city Fake cell towers have been detected across the US and EU, and in China signal hijacking is reported to be at epidemic levels (more than 13 million fake connections/day in 2014) A US company sells versions of IMSI catchers that can be worn as body gear, or installed in drones 10 Network Attacks CSCD27 Computer and Network Security 73 CSCD27F Computer and Network Security 13

14 Mobile Phone Security Rayzonesells gear/apps to track users in real-time worldwide, and to perform IMSI catching on selected targets IMSI targets can have their phone id info captured, security downgraded, communication jammed, and batteries drained Both GSM and 3G AKA protocols lack forward-secrecy protection, and require the key for only the tower side of a connection 10 Network Attacks CSCD27 Computer and Network Security 74 CSCD27F Computer and Network Security 14