Enhancing Network Security Education with Research and Development Content

Transcription

1 Enhancing Network Security Education with Research and Development Content Mostafa Bassiouni Department of Elec. Eng. & Computer Science University of Central Florida Orlando, Florida USA Ratan Guha Department of Elec. Eng. & Computer Science University of Central Florida Orlando, Florida USA ABSTRACT Network Security (CNT 4403) is an undergraduate course offered for the IT and Computer Science majors at the University of Central Florida. In the recent offering of this course, we enhanced its teaching by adding research-oriented content. In this paper, we discuss our enhancement effort and give two examples. Through our research and graduate teaching, we identified important security aspects of the anycast technology that are overlooked by traditional textbooks on network security. We added content on anycast to give the undergraduate students better experience with emerging security applications. Similarly, we added content on the experimental Robust ECN protocol to give students exposure to new trends in combating malicious user behavior. Categories and Subject Descriptors K3.2 [Computers and Education]: Computer and Information Science Education, C.2.0 [Computer-Communication Networks]: General-Security and protection; C.2.2 [Computer- Communication Networks]: Network Protocols. General Terms Security, Experimentation. Keywords Computer Science Curriculum, Network Security, Research and Development. 1. INTRODUCTION In this paper, we describe our experience with teaching an undergraduate course on Networking Security and its enhancement by adding research-oriented content. The Networking Course is one of four security related courses offered to Computer Science and Information Technology undergraduate students. The other three courses are Security in Computing, Cryptography, and Secure Operating Systems. The four courses are carefully put together to advance the undergraduate student quickly from novice to subject matter expert in the field of information security. An NSF-supported project to enhance the four courses using a modular approach is underway. The goal of the NSF-funded project is to contribute positively to the development of a security-proficient workforce and help meet the increasing demand by the federal government, industry and academia for security administrators, counter-hacking professionals, and security researchers. The organization of the paper is as follows. In Section 2, we briefly describe the modular curricular approach, which is used for developing both undergraduate courses as well as faculty enhancement workshops. An outline of the Networking Security course is given in Section 3. In Section 4, we describe the enhancement that added material on the emerging anycast technology and its impact on security. The second enhancement that added material on the experimental Robust Explicit Congestion Notification protocol is presented in Section 5. The outcome and classroom experience are discussed in Section 6. The paper is concluded in Section THE MODULAR CURRICULAR APPROACH Our rationale for developing the curriculum modules is that the delivery system of technical materials should depend on the type and the background of the targeted audience. Since we are creating delivery systems for different groups, our approach is to gather technical information in a modularized fashion. Specifically, we developed several modules consisting of different technical materials relevant to computer and network security. The modules are then synthesized suitably to develop four courses in the area of information security and protection. These courses are: Security in Computing (CIS 3360), Cryptography and Information Security (CIS 3362), Secure Operating Systems and Administration (CIS 4361), and Network Security and Privacy (CNT 4403). Figure 1 shows the high level architecture of the modular approach. In this paper, we focus on the Network Security and Privacy course (CNT 4403) which we have taught once every year. We discuss our approach for enhancing the educational experience of students in this course by adding research and development content. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. SIGITE 11, October 20 22, 2011, West Point, New York, USA. Copyright 2011 ACM /11/10...$10.00.

2 Curricular Modules Figure 1. Synthesis of courses from the curricular modules 3. THE NETWORK SECURITY COURSE In most IT programs, students take a variety of networking and security courses [7]. Network Security and Privacy (CNT 4403) is an undergraduate course offered in the Spring Semester by the Computer Science Division of our department. It attracts Information Technology and Computer Science majors, normally in the senior year. The course contents are assembled from the curricular modules on Cryptography, Computer Networks, and Security protocols. Two textbooks [3] and [6] are used in this course. Topics covered in this course include: Message Integrity and Authentication Digital Signature Entity Authentication Key Management Transport Layer Security Network Layer Security Security Application Layer Security Intrusion Detection and Firewalls Wireless LAN Security The course covers the details of major network-related security protocols including: SSL, TLS, IPSec, PGP, S/MIME, HTTPS, SSH, and i. In the most recent offering of this course, we enhanced the teaching of some of these protocols by adding research-oriented and current development contents. In this paper, we give two examples of the enhancement contents, namely, Anycast and Robust ECN (Explicit Congestion Notification). Anycast is used to enhance the teaching of standard security protocols, especially the IP Security (IPSec) protocol. We typically teach the design and implementation of Native and Proxy Anycast in an advanced graduate networking course using research articles such as [2]. Through our involvement in research and graduate teaching, we identified important security aspects of the anycast technology that are overlooked by traditional textbooks on network security. We introduced anycast in the undergraduate network security course to give students better experience about emerging applications of traditional security protocols such as IPSec. Similarly, we added teaching the experimental Robust ECN protocol to give the undergraduate students exposure to new trends in combating the malicious behavior of some TCP receivers. We discuss anycast in Section 4 and Robust ECN in Section ANYCAST SECURITY ISSUES Anycast is an important emerging technology whereby multiple distinct machines are allowed to have the same IP address. We first compare anycast to unicast, multicast and broadcast. In unicast, there is a one-to-one association between a network address and a network endpoint: each destination address uniquely identifies a single receiver endpoint. In broadcast and multicast, there is a one-to-many association between network addresses and network endpoints: each destination address identifies a set of receiver endpoints, to which all information is replicated. In anycast, there is also a one-tomany association between network addresses and network endpoints, but only one of the receiver endpoints is chosen at any given time to receive information from any given sender. Anycast is therefore designated as a one-to-any association between network addresses and network endpoints.

3 Anycast is usually implemented by using the BGP (Border Gateway Protocol) routing protocol to simultaneously announce the same destination IP address range from many different places on the Internet [1]. This causes packets addressed to destination addresses in this range to be routed to the "nearest" point on the network announcing the given destination IP address. Hijacker An important application of IP anycast is the Domain Name System (DNS) [4]. Some of the thirteen Internet root name servers are currently implemented as multiple hosts using anycast addressing. The A, C, F, I, J, K, L and M servers exist in multiple locations on different continents, using anycast address announcements to provide a decentralized service. Anycast has accelerated the deployment of physical root servers outside the United States. For example, the F-Root Name Server has an IP address Currently, the number of F-Root servers is 46 and increasing. All F-Root servers have the same IP address and receive DNS requests based on anycast. Anycast has allowed a single root name server to be implemented as a cluster of machines placed in different cities and countries. This has made denial of service (DoS) attacks on the root name servers more difficult and less harmful. We provide students with information on important historical attacks such as the 2002 DoS attack described below. On October 21, 2002, the Internet Domain Name System's root name servers sustained a denial of service attack. A coordinated DDoS (distributed denial of service) attack was launched and lasted more than one hour. All thirteen DNS root name servers were targeted simultaneously. This attack was unusual in that it was synchronized to take place against all thirteen root name servers simultaneously. Attack volume was approximately 50 to 100 Mbits/sec per root name server, yielding a total attack volume of approximately 900 Mbits/sec. The typical source for DDoS attacks is a large number of "drones", each sending only a small amount of traffic, using randomized source addresses. The impact of the attack was very noticeable and some root name servers were unreachable from many parts of the global Internet. Many valid queries were unable to reach some root name servers due to attack-related congestion effects, and thus went unanswered. 4.1 BGP Man-In-The-Middle (MITM) Attack Since anycast is implemented through BGP update messages, we expose the students to the basic idea of BGP Man-In-The-Middle (MITM) Attack. A BGP Update message from a BGP router announces a new route or withdraws a previously announced route. The BGP update process has the following vulnerability: all of Internet routing is based on trust; BGP routers can announce any IP address space they want and there is no mechanism in place to handle a node that goes rogue, basically there is no Internet police! The BGP MITM Attack Scenario is illustrated in Figure 2. An attacker (compromised BGP router) announces a currently used IP space that belongs to a legitimate entity (victim) located somewhere else on the Internet. This basically creates another anycast address for the legitimate entity. Legitimate traffic gets diverted to the hijacker and the victim can be effectively taken off the Internet. Victim Figure 2. BGP man-in-the-middle attack We provided students with information about two historical examples of BGP MITM Attack. Example 1: The YouTube address /22 used in February 2008 was hijacked by a badly configured announcement of the address /24 from a BGP router in Asia. In BGP, the most specific route to an IP address wins (the mask /24 is longer and more specific than /22). YouTube was globally unreachable for two hours. Example 2: In April 1997, a misconfigured router flooded Internet with incorrect advertisements announcing AS7007 as origin of best route to essentially the entire Internet. AS7007 became a major traffic sink and disrupted reachability to many networks for hours causing an Internet-wide blackout. 4.2 The Role of IPSec Protocol In order to minimize the risk of BGP man-in-the-middle attack, secure file transfer methods and strong authentication should be used for all BGP transfers. Running BGP over IPSec would protect it against MITM attacks. IPSec enables BGP peers to verify or detect BGP message integrity Peer entity authentication Replayed BGP messages

4 node deployed with the same address of the victim node DDOS ATTACK Victim Server node deployed with the same address of the victim node Figure 3. Mitigating denial of service (DoS) attack using anycast 4.3 DoS attack mitigation using anycast Anycast distribution of a service provides the opportunity for traffic to be handled closer to its source. Deploying anycast services on the Internet can be used to prevent or mitigate Denialof-Service (DoS) attacks. Figure 3 shows this approach for a Distributed DoS Attack. Multiple anycast sink nodes are deployed to collect the attack traffic generated from different attack sources. 5. ROBUST ECN Robust Explicit Congestion Notification, or Robust ECN, is an Experimental Protocol for the Internet community. Robust ECN is defined in Request for Comments 3540 [5]. Robust ECN is an optional addition to the Explicit Congestion Notification (ECN) protocol defined in RFC The Robust ECN protocol catches a misbehaving receiver with a high probability, and never implicates an innocent receiver. It is cheap in both per-packet overhead and processing requirements; it uses one single bit in the TCP FLAGS field. Robust ECN protects against attacks that sabotage the main congestion control mechanism of the Internet, namely, the TCP congestion control mechanism. Two forms of this type of attack are A TCP accelerator sends optimistic TCP acknowledgements to "fast start" the TCP session to a preset bandwidth quickly and maintain this bandwidth for the entire lifetime of the TCP session. A malicious TCP receiver conceals packet losses from the TCP sender. This causes the sender to transmit at high bandwidth for the entire lifetime of the TCP session. The TCP accelerator sends optimistic TCP acknowledgements, in which TCP segments are acknowledged before they have been received. Figure 4 shows the growth of the congestion transmission widow for an honest receiver and Figure 5 shows the comparable growth for a dishonest TCP accelerator.

5 Honest Receiver Figure 4. TCP slow start phase for honest receiver TCP Accelerator Figure 5. TCP slow start phase for dishonest accelerator

6 When Robust ECN is used, packet drops (losses) cannot be concealed from the sender. Packet drops could potentially be concealed by a faulty TCP implementation or a malicious receiver who wants to force the sender to operate at the maximum sending rate as shown in Figure 6. This could be an individual malicious user or a part of a wider congestion control attack. Packet Losses are concealed appreciated that this course covered relevant IT information and linked together many technologies covered in other courses. The students liked that the course went into the specifics of how various algorithms worked and presented topics by explaining it in a context of emerging research. 7. CONCLUSIONS In this paper, we discussed our enhancement effort to improve the teaching of an undergraduate course on Network Security. Through our research and graduate teaching, we identified important security aspects of the anycast technology that are overlooked by traditional textbooks on network security. We added content on anycast to give the undergraduate students better experience with emerging security applications. Similarly, we added content on the experimental Robust ECN protocol to give students exposure to new trends in combating malicious user behavior. The added materials were well received by the students. 7. ACKNOWLEDGMENTS This work has been partially supported by NSF Grant No Malicious Receiver Figure 6. Bandwidth abuse by malicious receiver 6. OUTCOME AND CLASSROOM EXPERIENCE The new materials on Anycast technology and Robust ECN have been well received by the students. The formal online evaluation conducted by the university during the last two weeks of classes for CNT 4403 showed good student reviews. The added materials are attributed to an observed improvement in the rating of certain categories compared to the evaluation of the same course in the previous year (Spring 2010). For example in the category of Learning materials, 53% of the students gave Excellent rating and 46% gave Very Good rating. In the category of Instructor interest in student learning, 75% of the students gave Excellent rating and 12.5% gave Very Good rating. In the category of Stimulation of interest in the course, 46% of the students gave Excellent rating and 46% gave Very Good rating. In the category of Facilitation of learning, 53% of the students gave Excellent rating and 40% gave Very Good rating. Written comments 8. REFERENCES [1] Abley, J. and Lindqvist, K Operation of Anycast Services. IETF Request for Comments: 4786 (December 2006). [2] Ballani, H. and Francis, P Towards a Global IP Anycast Service. Proceedings of the ACM SIGCOMM Conference (Philadelphia, PA, August 2005). [3] Forouzan, B Cryptography and Network Security, 1 st Edition, McGraw Hill (2008). [4] Hardie, T Distributing Authoritative Name Servers via Shared Unicast Addresses. IETF Request for Comments: 3258 (April 2002). [5] Spring, N., Wetherall, D. and Ely, D Robust Explicit Congestion Notification (ECN) Signaling with Nonces. IETF Request for Comments: 3540 (June 2003). [6] Stallings, W Cryptography and Network Security: Principles and Practice, 5 th Edition, Pearson-Prentice Hall (2011). [7] Stockman, M. and and Nyland, J A Teaching Pedagogy for Networking/System Administration Courses; Freshman through Senior Years. Proceedings of the 11th ACM SIGITE Conference on Information Technology Education (Midland, MI, October 2010), pp