IEEE Press 445 Hoes Lane Piscataway, NJ IEEE Press Editorial Board Mohamed E. El-Hawary, Editor in Chief

Transcription

1 Network Security

2 IEEE Press 445 Hoes Lane Piscataway, NJ IEEE Press Editorial Board Mohamed E. El-Hawary, Editor in Chief R. Abari T. G. Croda R. J. Herrick S. Basu S. Farshchi M. S. Newman A. Chatterjee S. V. Kartalopoulos N. Schulz T. Chen B. M. Hammerli Kenneth Moore, Director of IEEE Book and Information Services (BIS) Steve Welch, Acquisitions Editor Jeanne Audino, Project Editor Technical Reviewers Stuart Jacobs, Verizon Lakshmi Raman, CableLabs Broadband Access Department

3 Network Security Current Status and Future Directions Edited by Christos Douligeris Dimitrios N. Serpanos Wiley-Interscience A John Wiley & Sons, Inc., Publication

4 Copyright 2007 by the Institute of Electrical and Electronics Engineers, Inc. All rights reserved. Published by John Wiley & Sons, Inc., Published simultaneously in Canada. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) , fax (978) , or on the web at Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) , fax (201) , or online at Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) , outside the United States at (317) or fax (317) Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at Wiley Bicentennial Logo: Richard J. Pacifico. Library of Congress Cataloging-in-Publication Data is available. ISBN Printed in the United States of America

5 To Vicky, Pennie, Kostis, Mariada, and our parents Christos Douligeris To Georgia, Loukia, and my parents Dimitrios N. Serpanos

6 Contents Preface Contributors xiii xv 1. Computer Network Security: Basic Background and Current Issues 1 Panayiotis Kotzanikolaou and Christos Douligeris 1.1 Some Terminology on Network Security ISO/OSI Reference Model for Networks Network Security Attacks Mechanisms and Controls for Network Security: Book Overview and Structure 10 References 11 Part One Internet Security 2. Secure Routing 15 Ioannis Avramopoulos, Hisashi Kobayashi, Arvind Krishnamurthy, and Randy Wang 2.1 Introduction Networking Technologies Attacks in Networks State of the Art Conclusion and Research Issues 28 References Designing Firewalls: A Survey 33 Angelos D. Keromytis and Vassilis Prevelakis 3.1 Introduction Firewall Classification Firewall Deployment: Management Conclusions 48 References Security in Virtual Private Networks 51 Srinivas Sampalli 4.1 Introduction VPN Overview VPN Benefits VPN Terminology VPN Taxonomy IPSec Current Research on VPNs Conclusions 61 References IP Security (IPSec) 65 Anirban Chakrabarti and Manimaran Govindarasu 5.1 Introduction IPSec Architecture and Components Benefits and Applications of IPSec Conclusions 81 References IDS for Networks 83 John C. McEachen and John M. Zachary 6.1 Introduction Background Modern NIDSs Research and Trends Conclusions 95 References Intrusion Detection Versus Intrusion Protection 99 Luis Sousa Cardoso 7.1 Introduction Detection Versus Prevention 102 vii

7 viii Contents 7.3 Intrusion Prevention Systems: The Next Step in Evolution of IDS Architecture Matters IPS Deployment IPS Advantages IPS Requirements: What to Look For Conclusions 114 References Denial-of-Service Attacks 117 Aikaterini Mitrokotsa and Christos Douligeris 8.1 Introduction DoS Attacks DDoS Attacks DDoS Defense Mechanisms Conclusions 131 References Secure Architectures with Active Networks 135 Srinivas Sampalli, Yaser Haggag, and Christian Labonte 9.1 Introduction Active Networks SAVE Test bed Adaptive VPN Architecture with Active Networks (SAM) Architecture Conclusions 149 References 150 Part Two Secure Services 10. Security in E-Services and Applications 157 Manish Mehta, Sachin Singh, and Yugyung Lee 10.1 Introduction What Is an E-Service? Security Requirements for E- Services and Applications Security for Future E- Services 175 References Security in Web Services 179 Christos Douligeris and George P. Ninios 11.1 Introduction Web Services Technologies and Standards Web Services Security Standard Conclusions 203 References Secure Multicasting 205 Constantinos Boukouvalas and Anthony G. Petropoulos 12.1 Introduction IP Multicast Application Security Requirements Multicast Security Issues Data Authentication Source Authentication Schemes Group Key Management Group Management and Secure Multicast Routing Secure IP Multicast Architectures Secure IP Multicast Standardization Efforts Conclusions 226 References Voice Over IP Security 229 Son Vuong and Kapil Kumar Singh 13.1 Introduction Security Issues in VoIP Vulnerability Testing Intrusion Detection Systems Conclusions 243 References 245

8 Contents ix 14. Grid Security 247 Kyriakos Stefanidis, Artemios G. Voyiatzis, and Dimitrios N. Serpanos 14.1 Introduction Security Challenges for Grids Grid Security Infrastructure Grid Computing Environments Grid Network Security Conclusions and Future Directions 254 References Mobile Agent Security 257 Panayiotis Kotzanikolaou, Christos Douligeris, Rosa Mavropodi, and Vassilios Chrissikopoulos 15.1 Introduction Taxonomy of Solutions Security Mechanisms for Mobile Agent Systems 264 References 268 Part Three Mobile and Security 16. Mobile Terminal Security 275 Olivier Benoit, Nora Dabbous, Laurent Gauteron, Pierre Girard, Helena Handschuh, David Naccache, Stéphane Socié, and Claire Whelan 16.1 Introduction WLAN and WPAN Security GSM and 3GPP Security Mobile Platform Layer Security Hardware Attacks on Mobile Equipment Conclusion 294 References IEEE Security 297 Daniel L. Lough, David J. Robinson, and Ian G. Schneller 17.1 Introduction Introduction to IEEE Wired Equivalent Privacy Additional IEEE Security Techniques Wireless Intrusion Detection Systems Practical IEEE Security Measures Conclusions 311 References Bluetooth Security 313 Christian Gehrmann 18.1 Introduction Bluetooth Wireless Technology Security Architecture Security Weaknesses and Countermeasures Bluetooth Security: What Comes Next? 327 References Mobile Telecom Networks 331 Christos Xenakis and Lazaros Merakos 19.1 Introduction Architectures Network Security Architectures Research Issues Conclusions 352 References Security in Mobile Ad Hoc Networks 355 Mike Burmester, Panayiotis Kotznanikolaou, and Christos Douligeris 20.1 Introduction Routing Protocols Security Vulnerabilities 360

9 x Contents 20.4 Preventing Attacks in MANETs Trust in MANETs Establishing Secure Routes in a MANET Cryptographic Tools for MANETs 370 References Wireless Sensor Networks 375 Artemios G. Voyiatzis and Dimitrios N. Serpanos 21.1 Introduction Sensor Devices Sensor Network Security Future Directions Conclusions 388 References Trust 391 Lidong Chen 22.1 Introduction What Is a trust Model? How Trust Models Work? Where Trust Can Go Wrong? Why Is It Difficult to Define Trust? Which Lessons Have We Learned? 402 References 403 Part Four Trust, Anonymity, and Privacy 23. PKI Systems 409 Nikos Komninos 23.1 Introduction Origins of Cryptography Overview of PKI Systems Components of PKI Systems Procedures of PKI Systems Current and Future Aspects of PKI Systems Conclusions 416 References Privacy in Electronic Communications 419 Alf Zugenmaier and Joris Claessens 24.1 Introduction Protection from Third Party: Confidentiality Protection from Communication Partner Invasions of Electronic Private Sphere Balancing Privacy with Other Needs Structure of Privacy Conclusion and Future Trends 437 References Securing Digital Content 441 Magda M. Mourad and Ahmed N. Tantawy 25.1 Introduction Securing Digital Content: Need and Challenges Content Protection Techniques Illustrative Application: E- Publishing of E-Learning Content Concluding Remarks 456 References 456 Appendix A. Cryptography Primer: Introduction to Cryptographic Principles and Algorithms 459 Panayiotis Kotzanikolaou and Christos Douligeris A.1 Introduction 459 A.2 Cryptographic Primitives 461 A.3 Symmetric-Key Cryptography 463

10 Contents xi A.4 Asymmetric-Key Cryptography 468 A.5 Key Management 476 A.6. Conclusions and Other Fields of Cryptography 478 References 479 Appendix B. Network Security: Overview of Current Legal and Policy Issues 481 Andreas Mitrakas B.1 Introduction 481 B.2 Network Security as a Legal Requirement 482 B.3 Network Security Policy Overview 484 B.4 Legal Aspects of Network Security 487 B.5 Self-Regulatory Security Frameworks 502 B.6 Conclusions 505 References 505 Appendix C. Standards in Network Security 507 Despina Polemi and Panagiotis Sklavos C.1 Introduction 507 C.2 Virtual Private Networks: Internet Protocol Security (IPSec) 507 C.3 Multicast Security (MSEC) 512 C.4 Transport Layer Security (TLS) 513 C.5 Routing Security 514 C.6 ATM Networks Security 514 C.7 Third-Generation (3G) Mobile Networks 516 C.8 Wireless LAN (802.11) Security 522 C.9 Security 523 C.10 Public-Key Infrastructure (X.509) 526 Index 531 About the Editors and Authors 563

11 Preface Network security is a critical parameter in the increasingly connected (networked) world. Advances in communication systems and protocols, wired and wireless, achieving high speeds, high availability and low cost have enabled the development of high bandwidth backbones and have delivered high throughput to end users of private and public networks. Homes today are able to send and receive high bandwidth, real-time data, enabling high quality communication and a wide range of services. The progress in development, deployment and management of large, reliable networks has resulted not only in the evolution of new services, but to an infrastructure that leads to the provision of a wide range of consumer services that are significantly more cost-effective than traditional ones. It is no surprise that the evolution of all these networks, and especially the Internet a public network is changing the economy worldwide. The continuous deployment of network services over this wide range of public and private networks has led to transactions and services that include personal, and sometimes quite sensitive, data. One only needs to consider simple, everyday services from pay-perview and cable telephony to bill payments by phone, credit card charging and Internet banking. Such services require significant effort not only to protect the sensitive data involved in the transactions and services, but to ensure integrity and availability of network services as well. A typical approach to provide these services and increase security and dependability has been to deploy services over private networks, which are easier to protect than public ones. However, the advent of the Internet has changed electronic business models, providing high flexibility, ease of use, and enabling service deployment with substantially lower cost. Thus, the role of network security is significantly more important in emerging network environments, where even private networks connect to the Internet, in order to exploit its multiple advantages. As the view of traditional distributed systems has changed to a network-centric view in all types of application networks financial, citizen support, military, etc. and as the requirement for employing heterogeneous networks and systems becomes increasingly important, the complexity of these systems has led to significant security flaws and problems. The traditional approach to network service development, using several layers and protocols, together with the lack of systematic methods to design and implement secure end systems leads to vulnerabilities and difficulties in implementing and managing security. Attackers continuously find vulnerabilities at various levels, from the network itself to operating systems, and exploit them to crack systems and services. The result of these phenomena is a significant effort by the research community to address the design and implementation of secure computing systems and networks in order to enable the deployment of secure services. Due to the conventional approaches for service development over such complex, and most often heterogeneous networks and systems, the efforts of the networking community have been several and at various fronts. Thus, currently, there exist several approaches to provide security at various levels and degrees: secure protocols, secure protocol mechanisms, secure services (e.g., phone), firewalls, intrusion detection systems (IDS), etc. xiii

12 xiv Preface This book considers and addresses several aspects of network security, in an effort to provide a publication that summarizes the main current status and the promising and interesting future directions and challenges. The presented approaches are state-of-the-art, described by leaders in the field. They include trends at several fronts, from Internet protocols to firewalls and from mobile systems to IDS systems. The chapters of the book are divided into four main sections which consider the main research challenges of today and the important approaches providing promising results for the future: (a) Internet security, (b) secure services, (c) security in mobile systems and (d) trust, anonymity and privacy. In each part several chapters address the main research results and trends. Importantly, we have included 3 appendices of critical background knowledge for the reader who is new to this important research area; the appendices cover (a) a primer in cryptography, (b) legal aspects and (c) standards in network security. Considering the debate about the increasing importance of security in everyday life and the catastrophic results its illegal and unethical use may bring, we believe that the appendices provide a good basis for readers who are interested in the role, restrictions, and limitations of network security in the emerging globally networked world. In our effort to put this book together, we had the support of several authors, who have written the chapters, providing knowledge and insight through their efforts. The 25 chapters constitute a significant effort on their behalf and we thank them for their efforts. The results of these efforts are a collection of high-quality chapters, which enable the reader to understand the main problems, results, and trends in most aspects of modern network security. Also, we thank the reviewers of the book, who have provided insightful comments and helped improve the presentation and the quality of the book. Finally, we thank IEEE for its support to this effort and its high-quality work in the production of the final result. As the overall effort has taken longer than expected, we also appreciate the patience of the authors until the production of the final book. We certainly hope that the publication will prove to be a useful tool to all readers interested in network security. Patras, Greece March 2007 Christos Douligeris Dimitrios N. Serpanos

13 Contributors Ioannis Avramopoulos Princeton University, Princeton, New Jersey Olivier Benoit Security Labs, Gemalto, La Ciotat, France Constantinos Boukouvalas Research and Development, OTE SA, Athens, Greece Mike Burmester Florida State University, Tallahassee, Florida Luis Sousa Cardoso Portugal Telecom, Lisboa, Portugal Anirban Chakrabarti Department of Electrical and Computer Iowa State University, Ames, Iowa Lidong Chen Computer Security Division, National Institute of Standards and Technology (NIST), Gaithersburg, Maryland Vassilios Chrissikopoulos Department of Archiving and Library Studies, Ionian University, Corfu, Greece Joris Claessens European Microsoft Innovation Center, Aachen, Germany Nora Dabbous Ingenico, Paris, France Christos Douligeris Department of Informatics, University of Piraeus, Laurent Gauteron Security Labs, Gemalto, La Ciotat, France Christian Gehrmann Ericsson Mobile Platforms AB, Lund, Sweden Pierre Girard Security Labs, Gemalto, La Ciotat, France Manimaran Govindarasu Department of Electrical and Computer Iowa State University, Ames, Iowa Yaser Haggag Dalhousie University, Halifax, Canada Helena Handschuh Spansion, Levallois-Perret, France xv

14 xvi Contributors Angelos D. Keromytis Columbia University, New York, New York Hisashi Kobayashi Department of Electrical School of Engineering and Applied Science, Princeton University, Princeton, New Jersey Nikos Komninos Athens Information Technology, Peania, Attiki, Greece Panayiotis Kotzanikolaou Department of Informatics, University of Piraeus, Arvind Krishnamurthy Department of Computer Science and University of Washington, Seattle, Washington Christian Labonte Dalhousie University, Halifax, Canada Yugyung Lee School of Computing University of Missouri Kansas City, Kansas City, Missouri Daniel L. Lough Global Security Consultants, Warrenton, Virginia Rosa Mavropodi Department of Informatics, University of Piraeus, John C. McEachen Department of Electrical and Computer Naval Postgraduate School, Monterey, California Manish Mehta School of Computing University of Missouri Kansas City, Kansas City, Missouri Lazaros Merakos Department of Informatics and Telecommunications, University of Athens, Athens, Greece Andreas Mitrakas European Network and Information Security Agency (ENISA), Heraklion, Greece Aikaterini Mitrokotsa Department of Informatics, University of Piraeus, Magda M. Mourad IBM Thomas J. Watson Research Center, Yorktown Heights, New York David Naccache Université Paris II, Panthéon-Assas, Paris, France George P. Ninios Department of Informatics, University of Piraeus, Anthony G. Petropoulos Department of Informatics, University of Piraeus, Despina Polemi Department of Informatics, University of Piraeus,

15 Contributors xvii Vassilis Prevelakis Drexel University, Philadelphia, Pennsylvania David J. Robinson Global Security Consultants, Odenton, Maryland Snirivas Sampalli Dalhousie University, Halifax, Canada Ian G. Schneller Global Security Consultants, Odenton, Maryland Dimitrios N. Serpanos Department of Electrical and Computer University of Patras, Patras, Greece Kapil Kumar Singh University of British Columbia, Vancouver, Canada Sachin Singh Heartlab, Westerly, Rhode Island Panagiotis Sklavos Technical Department, Expertnet SA, Chalandri, Greece Stéphane Socié Security Labs, Gemalto, La Ciotat, France Ahmed N. Tantawy IBM Thomas J. Watson Research Center, Yorktown Heights, New York Artemios G. Voyiatzis Department of Electrical and Computer University of Patras, Patras, Greece Son Vuong University of British Columbia, Vancouver, Canada Randy Wang Microsoft Research, Bangalore, India Claire Whelan School of Computing, Dublin City University, Dublin, Ireland Christos Xenakis Department of Informatics and Telecommunications, University of Athens, Athens, Greece John M. Zachary Department of Electrical and Computer Naval Postgraduate School, Monterey, California Alf Zugenmaier DoCoMo Euro-Labs, Munich, Germany Kyriakos Stefanidis Department of Electrical and Computer University of Patras, Patras, Greece