Introduction to Computer Security

Transcription

1 Introduction to Computer Security Network Security Pavel Laskov Wilhelm Schickard Institute for Computer Science

2 Circuit switching vs. packet switching

3 OSI and TCP/IP layered models

4 TCP/IP encapsulation

5 TCP connection synchronization Initial handshake Termination Host Host Host Host Send SYN seq=x Send FIN seq=x Receive SYN Receive FIN Send SYN seq=y, CK x+1 Send CK x+1 Receive SYN + CK Receive CK Send CK y+1 Send FIN seq=y, CK x+1. data transmission Receive CK Receive FIN + CK Send CK y+1 Receive CK

6 What can go wrong: TCP session hijacking C() Seq: x PSH/CK: y (60) Seq: y PSH/CK: x+60 (20) Seq: x+60 PSH/CK: y+20 (30) Seq: y+20 PSH/CK: x+90 (20) Seq: x+90 PSH/CK: y+40 (30) Seq: y+40 PSH/CK: x+120 (20)

7 Example: SYN flood Normal TCP handshake SYN flood

8 Placement of security instruments Network layer Transport layer pplication layer

9 IP layer security: IPsec Objectives: secure connectivity of branch offices secure remote access dvantages: bypass resistence transparency to end users and applications Disadvantages: infrastructure support needed performance degradation

10 IPsec application example User system with IPSec IP IPSec Header Header Secure IP Payload Public (Internet) or Private Network Networking device with IPSec IP Header IPSec Header Secure IP Payload IP IPSec Header Header Secure IP Payload Networking device with IPSec IP Header IP Payload IP Header IP Payload Figure 6.1 n IP Security Scenario

11 IPsec services and protocols Services / Protocols H ESP ESP + auth. ccess control Connectionless integrity Data origin authentication Replay protection Confidentiality Traffic flow confidentiality

12 Transport mode Protection of packet payload Used for end-to-end communication Small performance overhead Tunnel mode Protection of entire packet (payload and headers) Communication between gateways Invisible to intermediate routers Considerable performance overhead IPsec modes

13 (a) efore pplying H orig IP IPv4 TCP Data authenticated except for mutable fields H service IPv6 orig IP extension orig IP headers IPv4 (if present) H TCP Data IPv6 Transport mode orig IP (a) efore pplying H authenticated except for mutable fields authenticated except for mutable fields hop-by-hop, dest, routing, fragment H dest TCP Data orig IP IPv4 H TCP Data (b) Transport Mode IPv6 Tunnel mode orig IP authenticated except for mutable fields authenticated except for mutable fields in the new IP header hop-by-hop, dest, routing, fragment H dest TCP Data New IP orig IP IPv4 H TCP Data (b) Transport Mode IPv6 new IP ext headers authenticated except for mutable fields in new IP header and its extension headers authenticated except for mutable orig IP fields extin the new IP header H headers TCP Data New IP orig IP IPv4 H TCP Data

14 IPv4 orig IP ESP TCP authenticated encrypted Data ESP ESP service trlr auth IPv6 Transport mode orig IP hop-by-hop, dest, routing, fragment ESP authenticated encrypted authenticated dest TCP encrypted Data ESP ESP trlr auth IPv4 orig IP ESP (a) TCP Transport Mode Data ESP ESP trlr auth IPv6 Tunnel mode orig IP authenticated authenticated encrypted encrypted hop-by-hop, dest, ESP dest TCP Data routing, New fragment IP ESP orig IP IPv4 TCP Data (a) Transport Mode ESP ESP ESP trlr auth ESP trlr auth authenticated encrypted new IP ext ESP authenticated orig IP ext ESP ESP

15 Transport layer security: SSL/TLS Objectives: secure information transmission in Internet applications mutual authentication in Internet applications dvantages: secure end-to-end communication over TCP (not limited to HTTP) Disadvantages: PKI support needed potential use of weak cryptographic algorithms (e.g. RC4)

16 SSL architecture SSL connection corresponds to TCP connections. SSL sessions represent an association between a cliend and a server. Sessions define parameters that can be share between connections.

17 SSL Record Protocol Carries out information transfer Provides confidentiality and message integrity services.

18 SSL handshake protocol Client Server Random number Crypto info Random number Crypto info Server certificate Request client auth. Extract server public key Client certificate Hash over prev. messages Extract client public key Random pre-master secret Calculate master secret Calculate master secret Switch to master secret End handshake Switch to master secret End handshake

19 pplication layer security: SSH pplications secure remote login secure services (e.g. FTP, copy) over an insecure network secure port forwarding dvantages various authentication methods a neat way to circumvent firewalls Disadvantages point-to-point only some security vulnerabilities

20 SSH architecture

21 SSH functionality Remote Login Username / password Public key Remote command execution Remote copying (rcp) Secure ftp service (sftp) Remote synchronization (rsync) Port forwarding and tunneling Secure file system mounting (sshfs)

22 SSH port forwarding Syntax: Local forwarding: ssh -L 1521:localhost:23 Remote forwarding: ssh -R 1521:localhost:23

23 SSH port forwarding: examples IMP requiests for an intermal IMP server: ssh -L 8143:exchange.first.fraunhofer.de:993 Sending mail over an internal server: ssh -L 8025:smtpserv.uni-tuebingen.de:25 rowsing with an external IP address: ssh -L 8081:proxy0.first.fraunhofer.de:3128 -L 8080:proxy0.first.fraunhofer.de:3128

24 Summary Network security technologies can be deployed at all layers of network protocols. IP layer security provides a transparent security service; needs, however, infrastructure support. Trasport layer security provides a reliable end-to-end security services. pplication layer security mechanisms can be tailored to specific application needs.