Network Security Current Status and Future Directions
Network Security: Current Status and Future Directions. Edited by Christos Douligeris and Dimitrios N. Serpanos. Wiley-Interscience, A John Wiley & Sons, Inc., Publication
IEEE Press, 445 Hoes Lane, Piscataway, NJ

IEEE Press Editorial Board
Mohamed E. El-Hawary, Editor in Chief
R. Abari, T. G. Croda, R. J. Herrick, S. Basu, S. Farshchi, M. S. Newman, A. Chatterjee, S. V. Kartalopoulos, N. Schulz, T. Chen, B. M. Hammerli

Kenneth Moore, Director of IEEE Book and Information Services (BIS)
Steve Welch, Acquisitions Editor
Jeanne Audino, Project Editor

Technical Reviewers
Stuart Jacobs, Verizon
Lakshmi Raman, CableLabs Broadband Access Department
Copyright 2007 by the Institute of Electrical and Electronics Engineers, Inc. All rights reserved.

Published by John Wiley & Sons, Inc. Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) , fax (978) , or on the web at Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) , fax (201) , or online at

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) , outside the United States at (317) or fax (317)

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at

Wiley Bicentennial Logo: Richard J. Pacifico.

Library of Congress Cataloging-in-Publication Data is available.

ISBN

Printed in the United States of America
To Vicky, Pennie, Kostis, Mariada, and our parents. Christos Douligeris
To Georgia, Loukia, and my parents. Dimitrios N. Serpanos
Contents

Preface, xiii
Contributors, xv

1. Computer Network Security: Basic Background and Current Issues (page 1). Panayiotis Kotzanikolaou and Christos Douligeris. Sections: 1.1 Some Terminology on Network Security; ISO/OSI Reference Model for Networks; Network Security Attacks; Mechanisms and Controls for Network Security: Book Overview and Structure (10); References (11)

Part One: Internet Security

2. Secure Routing (page 15). Ioannis Avramopoulos, Hisashi Kobayashi, Arvind Krishnamurthy, and Randy Wang. Sections: 2.1 Introduction; Networking Technologies; Attacks in Networks; State of the Art; Conclusion and Research Issues (28); References
3. Designing Firewalls: A Survey (page 33). Angelos D. Keromytis and Vassilis Prevelakis. Sections: 3.1 Introduction; Firewall Classification; Firewall Deployment: Management; Conclusions (48); References
4. Security in Virtual Private Networks (page 51). Srinivas Sampalli. Sections: 4.1 Introduction; VPN Overview; VPN Benefits; VPN Terminology; VPN Taxonomy; IPSec; Current Research on VPNs; Conclusions (61); References
5. IP Security (IPSec) (page 65). Anirban Chakrabarti and Manimaran Govindarasu. Sections: 5.1 Introduction; IPSec Architecture and Components; Benefits and Applications of IPSec; Conclusions (81); References
6. IDS for Networks (page 83). John C. McEachen and John M. Zachary. Sections: 6.1 Introduction; Background; Modern NIDSs; Research and Trends; Conclusions (95); References
7. Intrusion Detection Versus Intrusion Protection (page 99). Luis Sousa Cardoso. Sections: 7.1 Introduction; Detection Versus Prevention (102); 7.3 Intrusion Prevention Systems: The Next Step in Evolution of IDS; Architecture Matters; IPS Deployment; IPS Advantages; IPS Requirements: What to Look For; Conclusions (114); References
8. Denial-of-Service Attacks (page 117). Aikaterini Mitrokotsa and Christos Douligeris. Sections: 8.1 Introduction; DoS Attacks; DDoS Attacks; DDoS Defense Mechanisms; Conclusions (131); References
9. Secure Architectures with Active Networks (page 135). Srinivas Sampalli, Yaser Haggag, and Christian Labonte. Sections: 9.1 Introduction; Active Networks; SAVE Test bed; Adaptive VPN Architecture with Active Networks (SAM) Architecture; Conclusions (149); References (150)

Part Two: Secure Services

10. Security in E-Services and Applications (page 157). Manish Mehta, Sachin Singh, and Yugyung Lee. Sections: 10.1 Introduction; What Is an E-Service?; Security Requirements for E-Services and Applications; Security for Future E-Services (175); References
11. Security in Web Services (page 179). Christos Douligeris and George P. Ninios. Sections: 11.1 Introduction; Web Services Technologies and Standards; Web Services Security Standard; Conclusions (203); References
12. Secure Multicasting (page 205). Constantinos Boukouvalas and Anthony G. Petropoulos. Sections: 12.1 Introduction; IP Multicast; Application Security Requirements; Multicast Security Issues; Data Authentication; Source Authentication Schemes; Group Key Management; Group Management and Secure Multicast Routing; Secure IP Multicast Architectures; Secure IP Multicast Standardization Efforts; Conclusions (226); References
13. Voice Over IP Security (page 229). Son Vuong and Kapil Kumar Singh. Sections: 13.1 Introduction; Security Issues in VoIP; Vulnerability Testing; Intrusion Detection Systems; Conclusions (243); References (245)
14. Grid Security (page 247). Kyriakos Stefanidis, Artemios G. Voyiatzis, and Dimitrios N. Serpanos. Sections: 14.1 Introduction; Security Challenges for Grids; Grid Security Infrastructure; Grid Computing Environments; Grid Network Security; Conclusions and Future Directions (254); References
15. Mobile Agent Security (page 257). Panayiotis Kotzanikolaou, Christos Douligeris, Rosa Mavropodi, and Vassilios Chrissikopoulos. Sections: 15.1 Introduction; Taxonomy of Solutions; Security Mechanisms for Mobile Agent Systems (264); References (268)

Part Three: Mobile and Security

16. Mobile Terminal Security (page 275). Olivier Benoit, Nora Dabbous, Laurent Gauteron, Pierre Girard, Helena Handschuh, David Naccache, Stéphane Socié, and Claire Whelan. Sections: 16.1 Introduction; WLAN and WPAN Security; GSM and 3GPP Security; Mobile Platform Layer Security; Hardware Attacks on Mobile Equipment; Conclusion (294); References
17. IEEE Security (page 297). Daniel L. Lough, David J. Robinson, and Ian G. Schneller. Sections: 17.1 Introduction; Introduction to IEEE; Wired Equivalent Privacy; Additional IEEE Security Techniques; Wireless Intrusion Detection Systems; Practical IEEE Security Measures; Conclusions (311); References
18. Bluetooth Security (page 313). Christian Gehrmann. Sections: 18.1 Introduction; Bluetooth Wireless Technology; Security Architecture; Security Weaknesses and Countermeasures; Bluetooth Security: What Comes Next? (327); References
19. Mobile Telecom Networks (page 331). Christos Xenakis and Lazaros Merakos. Sections: 19.1 Introduction; Architectures; Network Security Architectures; Research Issues; Conclusions (352); References
20. Security in Mobile Ad Hoc Networks (page 355). Mike Burmester, Panayiotis Kotzanikolaou, and Christos Douligeris. Sections: 20.1 Introduction; Routing Protocols; Security Vulnerabilities (360); 20.4 Preventing Attacks in MANETs; Trust in MANETs; Establishing Secure Routes in a MANET; Cryptographic Tools for MANETs (370); References
21. Wireless Sensor Networks (page 375). Artemios G. Voyiatzis and Dimitrios N. Serpanos. Sections: 21.1 Introduction; Sensor Devices; Sensor Network Security; Future Directions; Conclusions (388); References
22. Trust (page 391). Lidong Chen. Sections: 22.1 Introduction; What Is a Trust Model?; How Trust Models Work?; Where Trust Can Go Wrong?; Why Is It Difficult to Define Trust?; Which Lessons Have We Learned? (402); References (403)

Part Four: Trust, Anonymity, and Privacy

23. PKI Systems (page 409). Nikos Komninos. Sections: 23.1 Introduction; Origins of Cryptography; Overview of PKI Systems; Components of PKI Systems; Procedures of PKI Systems; Current and Future Aspects of PKI Systems; Conclusions (416); References
24. Privacy in Electronic Communications (page 419). Alf Zugenmaier and Joris Claessens. Sections: 24.1 Introduction; Protection from Third Party: Confidentiality; Protection from Communication Partner; Invasions of Electronic Private Sphere; Balancing Privacy with Other Needs; Structure of Privacy; Conclusion and Future Trends (437); References
25. Securing Digital Content (page 441). Magda M. Mourad and Ahmed N. Tantawy. Sections: 25.1 Introduction; Securing Digital Content: Need and Challenges; Content Protection Techniques; Illustrative Application: E-Publishing of E-Learning Content; Concluding Remarks (456); References (456)

Appendix A. Cryptography Primer: Introduction to Cryptographic Principles and Algorithms (page 459). Panayiotis Kotzanikolaou and Christos Douligeris. A.1 Introduction (459); A.2 Cryptographic Primitives (461); A.3 Symmetric-Key Cryptography (463); A.4 Asymmetric-Key Cryptography (468); A.5 Key Management (476); A.6 Conclusions and Other Fields of Cryptography (478); References (479)
Appendix B. Network Security: Overview of Current Legal and Policy Issues (page 481). Andreas Mitrakas. B.1 Introduction (481); B.2 Network Security as a Legal Requirement (482); B.3 Network Security Policy Overview (484); B.4 Legal Aspects of Network Security (487); B.5 Self-Regulatory Security Frameworks (502); B.6 Conclusions (505); References (505)
Appendix C. Standards in Network Security (page 507). Despina Polemi and Panagiotis Sklavos. C.1 Introduction (507); C.2 Virtual Private Networks: Internet Protocol Security (IPSec) (507); C.3 Multicast Security (MSEC) (512); C.4 Transport Layer Security (TLS) (513); C.5 Routing Security (514); C.6 ATM Networks Security (514); C.7 Third-Generation (3G) Mobile Networks (516); C.8 Wireless LAN (802.11) Security (522); C.9 Security (523); C.10 Public-Key Infrastructure (X.509) (526)

Index (531)
About the Editors and Authors (563)
Preface

Network security is a critical parameter in the increasingly connected (networked) world. Advances in communication systems and protocols, wired and wireless, achieving high speeds, high availability and low cost have enabled the development of high-bandwidth backbones and have delivered high throughput to end users of private and public networks. Homes today are able to send and receive high-bandwidth, real-time data, enabling high-quality communication and a wide range of services. The progress in the development, deployment and management of large, reliable networks has resulted not only in the evolution of new services, but also in an infrastructure that leads to the provision of a wide range of consumer services that are significantly more cost-effective than traditional ones. It is no surprise that the evolution of all these networks, and especially the Internet, a public network, is changing the economy worldwide.

The continuous deployment of network services over this wide range of public and private networks has led to transactions and services that include personal, and sometimes quite sensitive, data. One only needs to consider simple, everyday services from pay-per-view and cable telephony to bill payments by phone, credit card charging and Internet banking. Such services require significant effort not only to protect the sensitive data involved in the transactions and services, but to ensure the integrity and availability of network services as well. A typical approach to provide these services and increase security and dependability has been to deploy services over private networks, which are easier to protect than public ones. However, the advent of the Internet has changed electronic business models, providing high flexibility, ease of use, and enabling service deployment at substantially lower cost. Thus, the role of network security is significantly more important in emerging network environments, where even private networks connect to the Internet in order to exploit its multiple advantages.

As the view of traditional distributed systems has changed to a network-centric view in all types of application networks (financial, citizen support, military, etc.) and as the requirement for employing heterogeneous networks and systems becomes increasingly important, the complexity of these systems has led to significant security flaws and problems. The traditional approach to network service development, using several layers and protocols, together with the lack of systematic methods to design and implement secure end systems, leads to vulnerabilities and difficulties in implementing and managing security. Attackers continuously find vulnerabilities at various levels, from the network itself to operating systems, and exploit them to crack systems and services. The result of these phenomena is a significant effort by the research community to address the design and implementation of secure computing systems and networks in order to enable the deployment of secure services. Due to the conventional approaches for service development over such complex, and most often heterogeneous, networks and systems, the efforts of the networking community have been several and on various fronts. Thus, currently, there exist several approaches to provide security at various levels and degrees: secure protocols, secure protocol mechanisms, secure services (e.g., phone), firewalls, intrusion detection systems (IDS), etc.

This book considers and addresses several aspects of network security, in an effort to provide a publication that summarizes the main current status and the promising and interesting future directions and challenges. The presented approaches are state-of-the-art, described by leaders in the field. They include trends on several fronts, from Internet protocols to firewalls and from mobile systems to IDS systems. The chapters of the book are divided into four main sections which consider the main research challenges of today and the important approaches providing promising results for the future: (a) Internet security, (b) secure services, (c) security in mobile systems and (d) trust, anonymity and privacy. In each part several chapters address the main research results and trends. Importantly, we have included 3 appendices of critical background knowledge for the reader who is new to this important research area; the appendices cover (a) a primer in cryptography, (b) legal aspects and (c) standards in network security. Considering the debate about the increasing importance of security in everyday life and the catastrophic results its illegal and unethical use may bring, we believe that the appendices provide a good basis for readers who are interested in the role, restrictions, and limitations of network security in the emerging globally networked world.

In our effort to put this book together, we had the support of several authors, who have written the chapters, providing knowledge and insight through their efforts. The 25 chapters constitute a significant effort on their behalf and we thank them for their efforts. The results of these efforts are a collection of high-quality chapters, which enable the reader to understand the main problems, results, and trends in most aspects of modern network security. Also, we thank the reviewers of the book, who have provided insightful comments and helped improve the presentation and the quality of the book. Finally, we thank IEEE for its support of this effort and its high-quality work in the production of the final result. As the overall effort has taken longer than expected, we also appreciate the patience of the authors until the production of the final book. We certainly hope that the publication will prove to be a useful tool to all readers interested in network security.

Piraeus, Greece; Patras, Greece. March 2007
Christos Douligeris, Dimitrios N. Serpanos
Contributors

Ioannis Avramopoulos, Department of Computer Science, Princeton University, Princeton, New Jersey
Olivier Benoit, Security Labs, Gemalto, La Ciotat, France
Constantinos Boukouvalas, Research and Development, OTE SA, Athens, Greece
Mike Burmester, Department of Computer Science, Florida State University, Tallahassee, Florida
Luis Sousa Cardoso, Portugal Telecom, Lisboa, Portugal
Anirban Chakrabarti, Department of Electrical and Computer Engineering, Iowa State University, Ames, Iowa
Lidong Chen, Computer Security Division, National Institute of Standards and Technology (NIST), Gaithersburg, Maryland
Vassilios Chrissikopoulos, Department of Archiving and Library Studies, Ionian University, Corfu, Greece
Joris Claessens, European Microsoft Innovation Center, Aachen, Germany
Nora Dabbous, Ingenico, Paris, France
Christos Douligeris, Department of Informatics, University of Piraeus, Piraeus, Greece
Laurent Gauteron, Security Labs, Gemalto, La Ciotat, France
Christian Gehrmann, Ericsson Mobile Platforms AB, Lund, Sweden
Pierre Girard, Security Labs, Gemalto, La Ciotat, France
Manimaran Govindarasu, Department of Electrical and Computer Engineering, Iowa State University, Ames, Iowa
Yaser Haggag, Department of Computer Science, Dalhousie University, Halifax, Canada
Helena Handschuh, Spansion, Levallois-Perret, France
Angelos D. Keromytis, Department of Computer Science, Columbia University, New York, New York
Hisashi Kobayashi, Department of Electrical Engineering, School of Engineering and Applied Science, Princeton University, Princeton, New Jersey
Nikos Komninos, Athens Information Technology, Peania, Attiki, Greece
Panayiotis Kotzanikolaou, Department of Informatics, University of Piraeus, Piraeus, Greece
Arvind Krishnamurthy, Department of Computer Science and Engineering, University of Washington, Seattle, Washington
Christian Labonte, Department of Computer Science, Dalhousie University, Halifax, Canada
Yugyung Lee, School of Computing Engineering, University of Missouri Kansas City, Kansas City, Missouri
Daniel L. Lough, Global Security Consultants, Warrenton, Virginia
Rosa Mavropodi, Department of Informatics, University of Piraeus, Piraeus, Greece
John C. McEachen, Department of Electrical and Computer Engineering, Naval Postgraduate School, Monterey, California
Manish Mehta, School of Computing Engineering, University of Missouri Kansas City, Kansas City, Missouri
Lazaros Merakos, Department of Informatics and Telecommunications, University of Athens, Athens, Greece
Andreas Mitrakas, European Network and Information Security Agency (ENISA), Heraklion, Greece
Aikaterini Mitrokotsa, Department of Informatics, University of Piraeus, Piraeus, Greece
Magda M. Mourad, IBM Thomas J. Watson Research Center, Yorktown Heights, New York
David Naccache, Université Paris II, Panthéon-Assas, Paris, France
George P. Ninios, Department of Informatics, University of Piraeus, Piraeus, Greece
Anthony G. Petropoulos, Department of Informatics, University of Piraeus, Piraeus, Greece
Despina Polemi, Department of Informatics, University of Piraeus, Piraeus, Greece
Vassilis Prevelakis, Department of Computer Science, Drexel University, Philadelphia, Pennsylvania
David J. Robinson, Global Security Consultants, Odenton, Maryland
Srinivas Sampalli, Department of Computer Science, Dalhousie University, Halifax, Canada
Ian G. Schneller, Global Security Consultants, Odenton, Maryland
Dimitrios N. Serpanos, Department of Electrical and Computer Engineering, University of Patras, Patras, Greece
Kapil Kumar Singh, Department of Computer Science, University of British Columbia, Vancouver, Canada
Sachin Singh, Heartlab, Westerly, Rhode Island
Panagiotis Sklavos, Technical Department, Expertnet SA, Chalandri, Greece
Stéphane Socié, Security Labs, Gemalto, La Ciotat, France
Ahmed N. Tantawy, IBM Thomas J. Watson Research Center, Yorktown Heights, New York
Artemios G. Voyiatzis, Department of Electrical and Computer Engineering, University of Patras, Patras, Greece
Son Vuong, Department of Computer Science, University of British Columbia, Vancouver, Canada
Randy Wang, Microsoft Research, Bangalore, India
Claire Whelan, School of Computing, Dublin City University, Dublin, Ireland
Christos Xenakis, Department of Informatics and Telecommunications, University of Athens, Athens, Greece
John M. Zachary, Department of Electrical and Computer Engineering, Naval Postgraduate School, Monterey, California
Alf Zugenmaier, DoCoMo Euro-Labs, Munich, Germany
Kyriakos Stefanidis, Department of Electrical and Computer Engineering, University of Patras, Patras, Greece
Chapter 1
Computer Network Security: Basic Background and Current Issues
Panayiotis Kotzanikolaou and Christos Douligeris

1.1 SOME TERMINOLOGY ON NETWORK SECURITY

The purpose of this chapter is to introduce some basic network security terms and lead the reader through the rest of the book. It provides a baseline level of knowledge in the areas of information technology (IT) security and network security for those readers who are unfamiliar with these concepts. It also provides a set of common terms and definitions which will help those readers who already have some basic knowledge in network security to have a common understanding of the chapters that follow. However, advanced readers with a good background in networking and IT security may skip this chapter and proceed to the more specific areas covered in this book.

A broad definition of network security can be constructed by defining its two components, security and networks. Security may be given a wide variety of definitions. According to the Oxford Dictionary, security is the freedom from danger or anxiety. Security can also be defined as follows:

- A situation with no risk, with no sense of threat
- The prevention of risk or threat
- The assurance of a sense of confidence and certainty

In traditional information theory [1], security is described through the accomplishment of some basic security properties, namely confidentiality, integrity, and availability of information. Confidentiality is the property of protecting the content of information from all users other than those intended by the legal owner of the information. The nonintended users are generally called unauthorized users. Other terms such as privacy have been used almost synonymously with confidentiality. However, the term privacy represents a human attribute with no quantifiable definition. Integrity is the property of protecting information from alteration by unauthorized users. Availability is the property of protecting information from nonauthorized temporary or permanent withholding of information. Other basic security properties are authentication and nonrepudiation. Authentication is divided into peer-entity authentication and data origin authentication. Peer-entity authentication is the property of ensuring the identity of an entity (also called subject), which may be a human, a machine, or another asset such as a software program. Data origin authentication is the property of ensuring the source of the information. Finally, nonrepudiation is the property of ensuring that principals that have committed to an action cannot deny that commitment at a later time. Detailed treatment of security properties can be found in several security standards, such as the ISO/IEC (International Organization for Standardization/International Engineering Consortium) [2] and the ITU-T (International Telecommunication Union) X.800 security recommendation [3].

In a practical approach, IT security involves the protection of information assets [4]. In traditional IT risk analysis terminology, an asset is an object or resource which is worthy enough to be protected. Assets may be physical (e.g., computers, network infrastructure elements, buildings hosting equipment), data (e.g., electronic files, databases), or software (e.g., application software, configuration files). The protection of assets can be achieved through several security mechanisms, that is, mechanisms aimed at the prevention, detection, or recovery of assets from security threats and vulnerabilities. A security threat is any event that may harm an asset. When a security threat is realized, an IT system or network is under a security attack. The attacker or threat agent is any subject or entity that causes the attack. The impact of the threat measures the magnitude of the loss that would be caused to the asset or asset owner if the threat were realized against it. A security vulnerability is any characteristic in a system which makes an asset more vulnerable to threats. The combination of threats, vulnerabilities, and assets provides a quantified and/or qualified measure of the likelihood of threats being realized against assets as well as the impact caused by the realization of a threat. This measure is known as the security risk. Thus, the security mechanisms provide capabilities that reduce the security risk of a system. Note that system and network security do not rely solely on technical security mechanisms. In almost every information system and network, procedural and organizational measures are generally required in addition to technical mechanisms in order to accomplish the desired security goals.

A computer network, or simply a network, is a collection of connected computers. Two or more computer systems are considered connected if they can send and receive data from each other through a shared-access medium. The communicating entities in a computer network are generally known as principals, subjects, or entities. These principals can be further divided into users, hosts, and processes:

- A user is a human entity responsible for its actions in a computer network.
- A host is an addressable entity within a computer network. Each host has a unique address within a network.
- A process is an instance of an executable program. It is used in a client-server model in order to distinguish between the client and the server processes: a client process is a process that makes requests of a network service; a server process is a process that provides a network service, for example, a daemon process running continuously in the background on behalf of a service.

A network is considered a wired or fixed network if the access medium is some kind of physical cable connection between the computers, such as a copper cable or a fiber-optic cable. On the other hand, a network is considered a wireless network if the access medium relies on some kind of signaling through the air, such as radio frequency (RF) communication. A network can also be divided according to its geographical coverage. Depending on its size, a network can be a personal area network (PAN), a local area network (LAN), a metropolitan area network (MAN), or a wide area network (WAN).
Regardless of the access medium and the coverage of a network, network security can be considered through the achievement of two security goals, computer system security and communication security:

- The goal of computer system security is to protect information assets against unauthorized or malicious use as well as to protect the information stored in computer systems from unauthorized disclosure, modification, or destruction.
- The goal of communication security is to protect information during its transmission through a communication medium from unauthorized disclosure, modification, or destruction.

1.2 ISO/OSI REFERENCE MODEL FOR NETWORKS

In order to have a deep understanding of the way that networking is performed, network reference models have been developed that group similar functions into abstractions known as layers. Each layer's functions can communicate with the same layer's functions on another network host. On the same host, the functions of a particular layer have interfaces to communicate with the layers below and above it. This abstraction simplifies and properly defines the necessary actions for networking.

The ISO Open Systems Interconnection (OSI) reference model [5] defines seven network layers as well as their interfaces. Each layer depends on the services provided by its immediate lower layer, all the way down to the physical network interface card and the wiring. Then, it provides its services to its immediate upper layer, all the way up to the running application. It needs to be noted that not all protocol stacks include all seven layers. The most popular protocol suite, Transmission Control Protocol/Internet Protocol (TCP/IP), has five layers. There are no presentation and no session layers; the functions of these layers are incorporated in the layers above and below.

The seven layers of the OSI reference model are briefly described below, from the highest to the lowest one:

- Layer 7: Application Layer. This layer deals with the communication issues of an application. It identifies and establishes the availability of the communicating principals and is also responsible for interfacing with the user. Examples of application layer protocols include the Session Initiation Protocol (SIP), the HyperText Transfer Protocol (HTTP), the File Transfer Protocol (FTP), the Simple Mail Transfer Protocol (SMTP), and Telnet, to name just a few.
- Layer 6: Presentation Layer. This layer is responsible for presenting the data to the upper application layer. Essentially, it translates the data and performs tasks like data compression and decompression and data encryption and decryption. Some of the well-known standards and protocols of this layer include ASCII, ZIP, JPEG, TIFF, RTP, and the MIDI format.
- Layer 5: Session Layer. This layer is responsible for initiating the contact between two computers and setting up the communication lines. It formats the data for transfer and maintains the end-to-end connection. Two examples of session layer protocols are the remote procedure call (RPC) and the secure sockets layer (SSL) protocols.
- Layer 4: Transport Layer. This layer defines how to address the physical locations of the network, establish connections between hosts, and handle network messaging. It also maintains the end-to-end integrity of the session and provides mechanisms to support session establishment for the upper layers. TCP and the User Datagram Protocol (UDP) are the most widely known protocols of this layer, with the Stream Control Transmission Protocol (SCTP) gaining in usage.
- Layer 3: Network Layer. This layer is responsible for routing and relaying the data between the network hosts. Its primary function is to send fragments of data called packets from a source to a destination host. It also includes the management of error detection, message routing, and traffic control. IP belongs to this layer.
- Layer 2: Data Link Layer. This layer defines the conditions that must be followed by a host in order to access the network. It establishes the link between the hosts over a physical channel. It ensures message delivery to the proper device and translates the transmitted bits for the lowest physical layer. Ethernet and Token Ring are typical examples of protocols that operate at this layer.
- Layer 1: Physical Layer. This layer defines the physical connection between a host and a network. It mainly converts the bits into physical signaling suitable for transmission, such as voltages or light pulses. The device drivers that handle the communications hardware (network cards, wireless cards, etc.) operate at this layer.

The X.200 [6] recommendation of the ITU-T is aligned with the ISO/IEC standard.

Security in ISO/OSI Reference Model

According to the ISO/IEC [5] standard, each protocol layer is composed of three functional planes: users (also called bearers), signaling and control, and management. In order to secure network communications, the security objectives should be accomplished in each appropriate protocol layer and in each suitable functional plane.
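The layering described above is easiest to see by walking a single frame down the stack, peeling one header per layer. The following parser is an added example and is not code from the book or its authors; it decapsulates a constructed Ethernet II / IPv4 / TCP frame (Layers 2, 3 and 4 of the list above). Every byte of the sample frame, and all MAC addresses, IP addresses and ports in it, are constructed for this illustration; the checksum fields are zeroed and deliberately not validated. The length checks show where a security-relevant parser has to distrust the lengths a lower layer hands it.

```python
import struct

# Constructed sample frame (not captured from a real network):
# 14-byte Ethernet II header, 20-byte IPv4 header, 20-byte TCP header, no payload.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455"      # destination MAC (constructed)
    "66778899aabb"      # source MAC (constructed)
    "0800"              # EtherType 0x0800: IPv4
    "4500002800010000"  # IPv4: version 4, IHL 5, TOS 0, total length 40, id 1, no frag
    "4006"              # TTL 64, protocol 6 (TCP)
    "0000"              # header checksum (zeroed, not validated here)
    "c0a80001"          # source IP 192.168.0.1 (constructed)
    "c0a80002"          # destination IP 192.168.0.2 (constructed)
    "c3500050"          # TCP: source port 50000, destination port 80
    "00000001"          # sequence number 1
    "00000000"          # acknowledgement number 0
    "5002"              # data offset 5 (20 bytes), flags SYN
    "ffff"              # window
    "0000"              # checksum (zeroed)
    "0000"              # urgent pointer
)


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ipv4(b):
    return ".".join(str(x) for x in b)


def parse_ethernet(frame):
    """Layer 2: Ethernet II header. Returns (header fields, layer-3 payload)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": _mac(dst), "src": _mac(src), "ethertype": ethertype}, frame[14:]


def parse_ipv4(data):
    """Layer 3: IPv4 header. Honours IHL (options) and the total-length field,
    refusing lengths that point outside the bytes actually received."""
    if len(data) < 20:
        raise ValueError("packet too short for an IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or total_len > len(data):
        raise ValueError("inconsistent IPv4 length fields")
    hdr = {"src": _ipv4(src), "dst": _ipv4(dst), "ttl": ttl, "protocol": proto}
    return hdr, data[ihl:total_len]


def parse_tcp(segment):
    """Layer 4: TCP header. Returns (header fields, application-layer payload)."""
    if len(segment) < 20:
        raise ValueError("segment too short for a TCP header")
    (sport, dport, seq, ack, off_flags,
     window, _csum, _urg) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad TCP data offset")
    flags = off_flags & 0x01FF
    hdr = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
           "syn": bool(flags & 0x02), "ack_flag": bool(flags & 0x10), "window": window}
    return hdr, segment[data_offset:]


def decapsulate(frame):
    """Walk a frame from Layer 2 upward; each layer consumes its own header and
    hands the remainder to the layer above. Returns a dict keyed by layer name."""
    layers = {}
    eth, payload = parse_ethernet(frame)
    layers["ethernet"] = eth
    if eth["ethertype"] != 0x0800:          # only IPv4 is handled in this example
        layers["payload"] = payload
        return layers
    ip, payload = parse_ipv4(payload)
    layers["ipv4"] = ip
    if ip["protocol"] != 6:                 # only TCP is handled in this example
        layers["payload"] = payload
        return layers
    tcp, payload = parse_tcp(payload)
    layers["tcp"] = tcp
    layers["payload"] = payload
    return layers


if __name__ == "__main__":
    for name, fields in decapsulate(SAMPLE_FRAME).items():
        print(name, fields)
```

Each parser returns the bytes left over for the next layer rather than indexing into the whole frame, which is exactly the "services to the immediate upper layer" relationship of the model; a truncated or mis-lengthed frame stops at the layer that notices it instead of being read past its end.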
The ISO/IEC 7498-2 standard [2] and the ITU-T X.800 Security Architecture for Open Systems Interconnection recommendation [3] extend the ISO/OSI reference model (also described in the ITU-T recommendation X.200) to cover security aspects that are general architectural elements of communications protocols. The X.800 recommendation provides a general description of the security services and related mechanisms that may be provided by the reference model, and defines the positions within the reference model where these services and mechanisms may be provided. Based on [2, 3], the security objectives are accomplished through security policies and security services. A security policy is the set of criteria that define the provision of security services; a security service is a service provided by a layer of communicating open systems in order to ensure adequate security of the systems or of the data transfers. Security services are implemented by security mechanisms, that is, by the technical means that enforce and implement a security service.

Security Services and Security Mechanisms

As described in [2, 3], the basic security services in OSI communications include the following:
1. Authentication. This service may be used to prove that the claimed identity of a communicating principal is valid (peer entity authentication) or that the claimed source of a data unit is valid (data origin authentication).

2. Access Control. This service can be used to protect the information assets and resources available via OSI from unauthorized access. It may be applied to various types of access, such as read, write, or execute, or combinations of these. Access to resources may be controlled through various types of access policies, such as rule-based or identity-based security policies. Access control services depend on the authentication services, since granting access rights to a principal requires prior authentication of the principal requesting a particular access.

3. Data Confidentiality. This service protects data from disclosure to unauthorized principals. According to the X.800 recommendation, its variants are connection confidentiality (protecting all user data carried on a connection), connectionless confidentiality (protecting all user data in a single connectionless service data unit), selective field confidentiality (protecting selected fields of the user data), and traffic flow confidentiality (protecting the information that could be derived from observation of traffic flows).

4. Data Integrity. This service ensures that the data are not altered by unauthorized principals during transmission. It may take several forms. Connection integrity with recovery detects modification, insertion, deletion, and replay of data within an entire connection and attempts to recover from them. Connection integrity without recovery detects the same events but does not attempt recovery. Selective field connection integrity provides integrity for selected data fields within a connection.
Connectionless versions of the above services also exist for connectionless data units.

5. Nonrepudiation. This service ensures that a principal cannot deny the transmission or the receipt of a message. It may take one or both of two forms. With nonrepudiation with proof of origin, the recipient of data is provided with proof of the origin of the data, so that the sender cannot later deny having sent the particular data. With nonrepudiation with proof of delivery, the sender of data is provided with proof of delivery, so that the receiver cannot later deny having received the particular data.

Table 1.1 shows the relationship between security services and layers, as described in [3]. It should be noted that in the application layer (layer 7) the application process itself may provide security services.

Table 1.1 Relationship of Security Services and Layers

Service                                     Layer:  1  2  3  4  5  6  7
Peer entity authentication                          -  -  X  X  -  -  X
Data origin authentication                          -  -  X  X  -  -  X
Access control service                              -  -  X  X  -  -  X
Connection confidentiality                          X  X  X  X  -  X  X
Connectionless confidentiality                      -  X  X  X  -  X  X
Selective field confidentiality                     -  -  -  -  -  X  X
Traffic flow confidentiality                        X  -  X  -  -  -  X
Connection integrity with recovery                  -  -  -  X  -  -  X
Connection integrity without recovery               -  -  X  X  -  -  X
Selective field connection integrity                -  -  -  -  -  -  X
Connectionless integrity                            -  -  X  X  -  -  X
Selective field connectionless integrity            -  -  -  -  -  -  X
Nonrepudiation of origin                            -  -  -  -  -  -  X
Nonrepudiation of delivery                          -  -  -  -  -  -  X

The implementation of the security services is provided through security mechanisms. These can be divided into several categories:

1. Encipherment Mechanisms. These mechanisms provide data confidentiality services by transforming the data into forms not readable by unauthorized principals. The encipherment mechanisms can also complement a number of other security mechanisms. Encipherment algorithms are generally divided into symmetric (or secret key) algorithms, where the same secret key is used for both encipherment and decipherment, and asymmetric (or public key) algorithms, where two mathematically related keys are used, the public key for encipherment and the private, or secret, key for decipherment. Knowledge of the public key does not reveal the secret key. Issues related to the management of the keys arise in both symmetric and asymmetric encipherment mechanisms. Examples of symmetric encipherment algorithms are AES, Twofish, and RC5, whereas examples of asymmetric encipherment algorithms are RSA and ElGamal. These are described in more detail in Appendix A. Network security protocols such as SSL/Transport Layer Security (TLS) and IP Security (IPSec), discussed in Chapter 5, as well as security mechanisms such as virtual private networks (VPNs), discussed in Chapter 4, also use encipherment mechanisms to protect the confidentiality of the communication.

2. Digital Signatures. Digital signatures are the electronic equivalent of handwritten signatures for electronic data. Such mechanisms are constructed by properly applying asymmetric encipherment. In the X.800 description, applying the private-key transformation to a data unit (in practice, to a cryptographic hash of it) is the signing procedure; the result is the digital signature of that data unit, which only the holder of the private key can produce. Applying the corresponding public-key transformation to the signature and comparing the result with the (hashed) data unit is the verification procedure, which anyone holding the public key can perform. Digital signatures can be used to provide peer entity authentication, data origin authentication, data integrity, and nonrepudiation services. RSA, ElGamal, and DSA are examples of signature algorithms (see Appendix A for more details).

3. Access Control Mechanisms. The access control mechanisms are used to provide access control services.
These mechanisms may use the authenticated identity of an entity or other information related to the entity (e.g., membership, permissions, or capabilities of the entity) in order to determine and enforce the access rights of the entity. They may also report unauthorized access attempts as part of a security audit trail. Examples of access control mechanisms are firewalls (see Chapter 3) and operating system user access privileges.

4. Data Integrity Mechanisms. These mechanisms provide data integrity services by appending to the data some kind of cryptographic check value (a keyed checksum) from which alteration of the data can be detected. Data integrity may involve a single data unit or field, or a stream of data units or fields; in general, provision of the second without the first is not practical. The message authentication codes (MACs) and the digital signatures described in Appendix A can be used as data integrity mechanisms.
5. Authentication Exchange Mechanisms. These mechanisms provide authentication services by verifying the claimed identity of a principal. Examples include passwords, cryptographic challenge-response techniques, and biometrics; the cryptographic techniques may in turn rely on trust infrastructures such as a public key infrastructure (PKI). Trust and PKI are analyzed in Chapters 22 and 23, respectively.

6. Traffic-Padding Mechanisms. These mechanisms provide protection against traffic analysis by inserting padding or dummy traffic into the exchanged communication; several network protocols and security mechanisms include such padding. Padding is effective only if it is protected by a confidentiality service, so that an observer cannot distinguish it from real data.

7. Routing Control Mechanisms. These mechanisms allow the selection of a specific route for the communicated data, either dynamically or statically through prearranged routes. Moreover, by applying security policies, data carrying certain security labels may be routed only through certain subnetworks, relays, or links. Attackers and malicious programs frequently exploit security vulnerabilities of routing protocols in order to launch network attacks. Routing security is discussed extensively in Chapter 2, and Chapter 20 discusses secure routing for wireless ad hoc networks.

8. Notarization Mechanisms. Finally, notarization mechanisms assure the integrity, the origin or destination, and the time of sending or delivery of transmitted data. Such assurance may be part of the networking protocols in use and/or be provided by a trusted third party (a notary) that the communicating entities trust and that can thereby vouch for the consistency of the communication and support nonrepudiation. A notarization mechanism may be supported by other mechanisms such as digital signatures, encipherment, or integrity mechanisms.

Table 1.2 describes the relationship between security services and security mechanisms.
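The encipherment, digital signature, and data integrity mechanisms above (items 1, 2, and 4) can be exercised side by side in a short program. The following is an added example written for this edition, not code from the chapter or from X.800: it generates a toy RSA key pair in place (160-bit primes, far too small for real use, and a bare hash-then-exponentiate construction instead of a padding scheme such as RSASSA-PSS) to implement the signing and verification transformations described under item 2, and uses HMAC-SHA256 as a message authentication code. The message, the shared key, and the random seed are constructed sample values.

```python
"""Added example: a toy RSA signature beside an HMAC, showing which of the
X.800 services (integrity, origin authentication, nonrepudiation) each gives."""
import hashlib
import hmac
import random

# Deterministic toy randomness so the example is reproducible; a real key
# generator must draw from a cryptographically secure source (secrets, os.urandom).
_rng = random.Random(2007)


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a witness of compositeness was found
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if _is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits: int = 160):
    """Return ((e, n), (d, n)): public and private key of a toy RSA pair.

    Two 160-bit primes give a modulus above 2**318, so a 256-bit SHA-256
    digest is always a valid message representative smaller than n."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    d = pow(e, -1, phi)  # private exponent (modular inverse, Python 3.8+)
    return (e, p * q), (d, p * q)


def _digest_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def rsa_sign(private_key, message: bytes) -> int:
    """Signing: apply the private-key transformation to the hashed data unit."""
    d, n = private_key
    return pow(_digest_int(message), d, n)


def rsa_verify(public_key, message: bytes, signature: int) -> bool:
    """Verification: apply the public-key transformation and compare digests."""
    e, n = public_key
    return pow(signature, e, n) == _digest_int(message)


def mac_tag(shared_key: bytes, message: bytes) -> bytes:
    """Data integrity mechanism: a keyed check value (HMAC-SHA256)."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def mac_verify(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(shared_key, message), tag)


def demo() -> dict:
    """Exercise both mechanisms on a constructed data unit and a tampered copy."""
    message = b"transfer 100 to account 42"  # constructed sample data unit
    tampered = b"transfer 900 to account 42"
    public_key, private_key = rsa_keygen()
    signature = rsa_sign(private_key, message)
    shared_key = b"constructed-shared-secret"  # known to sender AND receiver
    tag = mac_tag(shared_key, message)
    return {
        "signature_verifies": rsa_verify(public_key, message, signature),
        "signature_detects_tampering": not rsa_verify(public_key, tampered, signature),
        "mac_verifies": mac_verify(shared_key, message, tag),
        "mac_detects_tampering": not mac_verify(shared_key, tampered, tag),
    }


if __name__ == "__main__":
    print(demo())
```

Both mechanisms detect the altered data unit, so both provide data integrity and data origin authentication between the two parties. Only the signature supports nonrepudiation of origin: the receiver of a MAC holds the same key as the sender and could have produced the tag itself, which is why Table 1.2 lists digital signatures, not encipherment or authentication exchange, against the nonrepudiation services.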
In Table 1.2, a mechanism indicated as appropriate for a given service may provide it either on its own or in combination with other mechanisms. More details can be found in [3]. Other recommendations extend the security architecture of X.800 with a lower layer [7] and an upper layer [8] security model. Moreover, the X.810 to X.816 recommendations [9-15] define the security frameworks for open systems: an overview and frameworks for authentication, access control, nonrepudiation, confidentiality, integrity, and security audit and alarms. ISO/IEC publishes the corresponding security frameworks as the ISO/IEC 10181 series [16-22], as well as the Generic Upper Layers Security standard ISO/IEC 11586 [23, 24].

1.3 NETWORK SECURITY ATTACKS

It is obvious from the description above that security threats and attacks may involve any layer, from the physical to the application. A successful attack at one layer may also render useless the security measures taken at the other layers. Some basic network security attacks are described below:

Eavesdropping Attacks. These attacks consist of the unauthorized interception of network communication and the disclosure of the exchanged information. They can be performed at several different layers, for example, at the network layer by sniffing the exchanged packets, or at the physical layer by physically wiretapping the access medium (cabling or the wireless medium).
Table 1.2 Relationship Between Security Services and Mechanisms

Mechanism columns: (1) Encipherment, (2) Digital signature, (3) Access control, (4) Data integrity, (5) Authentication exchange, (6) Traffic padding, (7) Routing control, (8) Notarization

Service                                     (1) (2) (3) (4) (5) (6) (7) (8)
Peer entity authentication                   X   X   -   -   X   -   -   -
Data origin authentication                   X   X   -   -   -   -   -   -
Access control service                       -   -   X   -   -   -   -   -
Connection confidentiality                   X   -   -   -   -   -   X   -
Connectionless confidentiality               X   -   -   -   -   -   X   -
Selective field confidentiality              X   -   -   -   -   -   -   -
Traffic flow confidentiality                 X   -   -   -   -   X   X   -
Connection integrity with recovery           X   -   -   X   -   -   -   -
Connection integrity without recovery        X   -   -   X   -   -   -   -
Selective field connection integrity         X   -   -   X   -   -   -   -
Connectionless integrity                     X   X   -   X   -   -   -   -
Selective field connectionless integrity     X   X   -   X   -   -   -   -
Nonrepudiation of origin                     -   X   -   X   -   -   -   X
Nonrepudiation of delivery                   -   X   -   X   -   -   -   X
Logon Abuse Attacks. A successful logon abuse attack bypasses the authentication and access control mechanisms and allows a user to obtain access with more privileges than authorized.

Spoofing Attacks. Spoofing is the act of a subject asserting an identity that the subject has no right to use. A simple instance of this type of attack is IP spoofing, through which a system is convinced that it is communicating with a known principal and thus grants access to the attacker. The attacker sends a packet whose IP source address, in the network layer header, is set to that of a known trusted host. A target host that bases its access decision on the source address alone may accept the forged packet as valid.

Intrusion Attacks. These attacks focus on unauthorized users gaining access to a system through the network. Such an attack targets specific vulnerabilities in assets. For example, a typical Web server intrusion attack is a buffer overflow attack, which occurs when a Web service receives more data than it has been programmed to handle and thus reacts in unexpected and unpredicted ways, possibly executing code supplied by the attacker.

Hijacking Attacks. These attacks are attempts to gain unauthorized access to a system by taking over a legitimate entity's existing connection. For example, at the session layer, if a user leaves a session open, it can be subject to session hijacking by an attacker. An example at the transport layer is the TCP sequence number attack: the attacker exploits a session established between the target host and a legitimate host by predicting the sequence number selected by the target host, and injects segments that the target accepts as coming from the legitimate host.

Denial-of-Service (DoS) Attacks. These attacks attempt to exhaust network or server resources in order to render them useless for legitimate hosts and users.
A more advanced type is the distributed denial-of-service (DDoS) attack, where the attacker uses resources from many distributed hosts against a target. Some well-known DoS attacks are as follows:

SYN Attack. In a SYN attack (SYN flood), the attacker exploits the limited capacity of a server to hold unfinished connection requests. The attacker floods the server with TCP connection requests (SYN segments), usually with spoofed source addresses, and never completes the three-way handshake. Each request occupies a slot in the server's queue of half-open connections until it times out; once the queue is full, new connection requests from legitimate clients are dropped, and on some implementations the resulting memory exhaustion can bring the system down. Defenses include shorter timeouts, larger queues, and stateless techniques such as SYN cookies.

Ping of Death. This is an early DoS attack in which an attacker sends a fragmented ICMP echo (ping) request whose reassembled size exceeds 65,535 bytes, the maximum size of an IP packet, causing systems with flawed reassembly code to crash or restart. Such attacks are not effective today, since most operating systems have implemented measures against them.

Application-Level Attacks. These attacks are concerned with the exploitation of weaknesses in the application layer and in most cases amount to intrusion attacks, for example, exploiting security weaknesses in the Web server, in the specific technology used in the website, or in faulty validation of input on the server side. Examples of these attacks include malicious software attacks (viruses, Trojans, etc.), Web server attacks, remote command execution, Structured Query Language (SQL) injection, and cross-site scripting (XSS).
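The SYN attack above is easiest to understand by watching a server's half-open connection queue fill up. The following simulation is an added example, not code from the chapter: a toy listener either keeps state for each half-open connection (the classic backlog) or uses SYN cookies, in which the server encodes a time-slot counter and a keyed hash of the client's address and port in its initial sequence number and allocates no state until the final ACK proves that the client actually received the SYN-ACK. The attack traffic, the addresses, the backlog size, the timeouts, and the cookie layout are all constructed for illustration and do not follow any particular operating system's implementation.

```python
"""Added example: SYN flood against a stateful backlog versus SYN cookies."""
import hashlib
import hmac

COOKIE_SLOT_SECONDS = 60  # a cookie stays valid for the current and previous slot
_COUNTER_BITS = 5         # top 5 bits of the 32-bit ISN carry the slot counter
_HASH_MASK = (1 << (32 - _COUNTER_BITS)) - 1


class Listener:
    """A listening TCP socket reduced to its connection-establishment state."""

    def __init__(self, backlog, syn_timeout, syn_cookies=False, secret=b"constructed-secret"):
        self.backlog = backlog            # max half-open connections kept in state
        self.syn_timeout = syn_timeout    # seconds before a half-open entry is dropped
        self.syn_cookies = syn_cookies
        self.secret = secret
        self.half_open = {}               # (client_ip, client_port) -> (isn, expiry)
        self.established = set()
        self.half_open_peak = 0
        self._next_isn = 1000

    def _cookie(self, client, slot):
        """ISN = slot counter (5 bits) || HMAC(secret, client, slot) (27 bits)."""
        data = f"{client[0]}:{client[1]}:{slot}".encode()
        digest = hmac.new(self.secret, data, hashlib.sha256).digest()
        h = int.from_bytes(digest[:4], "big") & _HASH_MASK
        return ((slot % (1 << _COUNTER_BITS)) << (32 - _COUNTER_BITS)) | h

    def _expire(self, now):
        for client, (_, expiry) in list(self.half_open.items()):
            if expiry <= now:
                del self.half_open[client]

    def on_syn(self, now, client):
        """Handle a SYN; return the ISN sent in the SYN-ACK, or None if dropped."""
        self._expire(now)
        if self.syn_cookies:
            # Stateless: nothing is allocated, the ISN itself encodes the state.
            return self._cookie(client, int(now) // COOKIE_SLOT_SECONDS)
        if len(self.half_open) >= self.backlog:
            return None                   # queue full: the SYN is silently dropped
        isn = self._next_isn
        self._next_isn += 1
        self.half_open[client] = (isn, now + self.syn_timeout)
        self.half_open_peak = max(self.half_open_peak, len(self.half_open))
        return isn

    def on_ack(self, now, client, ack):
        """Handle the handshake's final ACK; return True if the connection is established."""
        self._expire(now)
        expected_isn = ack - 1
        if self.syn_cookies:
            slot = int(now) // COOKIE_SLOT_SECONDS
            ok = expected_isn in (self._cookie(client, slot), self._cookie(client, slot - 1))
        else:
            entry = self.half_open.pop(client, None)
            ok = entry is not None and entry[0] == expected_isn
        if ok:
            self.established.add(client)
        return ok


def simulate(syn_cookies, flood_size=500, backlog=128, syn_timeout=30.0):
    """Flood the listener with spoofed SYNs, then attempt a legitimate handshake."""
    srv = Listener(backlog, syn_timeout, syn_cookies)
    # Constructed attack traffic: spoofed, unreachable sources that never ACK.
    for i in range(flood_size):
        srv.on_syn(0.0, (f"198.51.100.{i % 250}", 40000 + i))
    legit = ("203.0.113.7", 51234)        # constructed legitimate client

    def handshake(t):
        isn = srv.on_syn(t, legit)
        return isn is not None and srv.on_ack(t + 0.1, legit, isn + 1)

    during = handshake(1.0)
    after = handshake(syn_timeout + 1.0)  # the flood's entries have timed out by now
    return {"legit_during_flood": during, "legit_after_timeout": after,
            "half_open_peak": srv.half_open_peak}


if __name__ == "__main__":
    print("backlog only:", simulate(syn_cookies=False))
    print("SYN cookies :", simulate(syn_cookies=True))
```

With the stateful backlog, the 500 spoofed requests fill all 128 slots and the legitimate client is refused until the entries time out; with SYN cookies the server holds no state, the flood costs it nothing but CPU, and the legitimate client connects immediately. A forged ACK that does not carry a valid cookie is rejected, which is what makes the stateless variant safe.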
1.4 MECHANISMS AND CONTROLS FOR NETWORK SECURITY: BOOK OVERVIEW AND STRUCTURE

Several security mechanisms and controls have been developed to provide security services in various network layers for both wired and wireless networks and for various network protocols. Many of these mechanisms and controls are described in the following chapters of this book. Here we refer to some well-known mechanisms in order to familiarize the inexperienced reader with basic security mechanisms. The remainder of the book is organized in four topical parts of network security. Part I (Chapters 2-9) discusses current security issues on today's Internet. At the core of network security is the protection of message routing and relaying. Several mechanisms and controls that deal with secure routing are discussed in Chapter 2. Firewalls are the basic mechanism for access control in networks; they are discussed in Chapter 3. The protection of message confidentiality and integrity in remote communications may rely on security mechanisms that protect the communication as if it took place in a closed network. These mechanisms are known as VPNs and are discussed in Chapter 4. Chapter 5 continues the study of IP security mechanisms, such as the IPSec and the SSL/TLS protocols. Since the prevention of network attacks is not always successful, several tools have been developed in order to detect possible intrusion attacks. Intrusion detection systems (IDSs) for networks are explained in detail in Chapter 6. Chapter 7 continues on the same subject by analyzing intrusion prevention systems, which also take preventive measures in the presence of an attack; this chapter compares intrusion detection and intrusion prevention. One of the most important categories of attacks against network availability, which cannot always be dealt with using the mechanisms described in the previous chapters, is DoS attacks. These are discussed in Chapter 8.
Finally, security in active networks is discussed in Chapter 9. Secure networks rely heavily on secure network services, which is the topic of Part II (Chapters 10-15). Security in e-services and applications is discussed in Chapter 10, where application layer vulnerabilities are analyzed along with existing security mechanisms. Protection of network communications in the application layer may involve higher level security mechanisms; Chapter 11 describes specific mechanisms of this layer, in particular Web services security mechanisms. Security in specific network services such as IP multicast and Voice over IP is analyzed in Chapters 12 and 13, respectively. Furthermore, Chapter 14 discusses the vulnerabilities and the security measures for grids. Finally, Chapter 15 discusses security issues of mobile code used in networking, such as mobile agent security mechanisms; mobile code is also used in another class of special-purpose networks, namely intelligent networks. Wireless networks, in general, have special security needs that are not always covered by the traditional network security mechanisms, for several reasons, such as the difference in the access medium and the efficiency requirements. Part III (Chapters 16-21) is concerned with security in wireless networks. Chapter 16 discusses the issues of mobile terminal security for several wireless communication protocols. A very popular wireless communications standard is IEEE 802.11, whose security is discussed in Chapter 17. Chapter 18 refers to the security issues of another popular wireless protocol, Bluetooth. Chapter 19 analyzes mobile telecom network security, with emphasis on the efficiency impact of security measures in these networks.
Another case of wireless networks is the class of wireless ad hoc networks, where the network services are provided through cooperation of the network nodes rather than by a static network infrastructure. These networks have special security considerations caused by node mobility. The particular security problems as well as the possible solutions for these networks are presented in Chapter 20, which discusses security in mobile ad hoc networks. Finally, Chapter 21 discusses security in wireless sensor networks, namely wireless ad hoc networks consisting of sensor nodes with very limited capabilities. Security services cannot be established in any system if one cannot depend on peer relations such as trust and anonymity. Trust, anonymity, and privacy issues are the topic of Part IV. The problem of trust in networking is discussed in Chapter 22. Trusted parties can be the basis of various security services that need key distribution and validation, key establishment, or signature services. A well-known trust infrastructure service is PKI, which is described in Chapter 23, along with its applications in network security. Chapter 24 discusses the technical, ethical, and social nature of network security, mainly privacy in electronic communications. Finally, Chapter 25 is concerned with securing digital content, a very sensitive issue in networking due to the open nature and the vast deployment of the Internet. The book also contains three appendices, each of which provides introductory knowledge on specific issues related to network security. Most of the security mechanisms employed in network security described in the chapters implement cryptographic algorithms and protocols for tasks such as encryption, decryption, key exchange, digital signatures, and authentication codes. Appendix A provides a brief introduction to the basic definitions of cryptography as well as a description of widely used cryptographic algorithms and protocols.
Appendix B is concerned with the legal issues of network security. As explained earlier, network security cannot depend only on technical measures. The validity of digital signatures and copyright issues are some of the legal issues analyzed in Appendix B. Finally, Appendix C lists many security standards that have been published by well-respected standardization bodies. It is generally accepted that IT innovations cannot be widely implemented and adopted unless established standards allow different implementations to interoperate.

REFERENCES

1. A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography, CRC Press, Boca Raton, FL, 1996.
2. International Organization for Standardization (ISO), Information Processing Systems, Open Systems Interconnection, Basic Reference Model, Part 2: Security Architecture, ISO/IEC 7498-2, ISO, Geneva, 1989.
3. International Telecommunication Union (ITU), Security Architecture for Open Systems Interconnection for CCITT Applications, Recommendation ITU-T X.800, ITU, Geneva, 1991.
4. T. R. Peltier, Information Security Risk Analysis, Auerbach Publications, New York, 2001.
5. International Organization for Standardization (ISO), Information Processing Systems, Open Systems Interconnection, Part 1: Basic Reference Model, ISO/IEC 7498-1, ISO, Geneva, 1984 (revised 1994).
6. International Telecommunication Union (ITU), Information Technology, Open Systems Interconnection, Basic Reference Model: The Basic Model, Recommendation ITU-T X.200, ITU, Geneva, 1994.
7. International Telecommunication Union (ITU), Information Technology, Open Systems Interconnection, Lower Layers Security Model, Recommendation ITU-T X.802, ITU, Geneva.
8. International Telecommunication Union (ITU), Information Technology, Open Systems Interconnection, Upper Layers Security Model, Recommendation ITU-T X.803, ITU, Geneva.
9. International Telecommunication Union (ITU), Information Technology, Open Systems Interconnection, Security Frameworks for Open Systems: Overview, Recommendation ITU-T X.810, ITU, Geneva.
10. International Telecommunication Union (ITU), Information Technology, Open Systems Interconnection, Security Frameworks for Open Systems: Authentication Framework, Recommendation ITU-T X.811, ITU, Geneva.
11. International Telecommunication Union (ITU), Information Technology, Open Systems Interconnection, Security Frameworks for Open Systems: Access Control Framework, Recommendation ITU-T X.812, ITU, Geneva.
12. International Telecommunication Union (ITU), Information Technology, Open Systems Interconnection, Security Frameworks for Open Systems: Non-Repudiation Framework, Recommendation ITU-T X.813, ITU, Geneva.
13. International Telecommunication Union (ITU), Information Technology, Open Systems Interconnection, Security Frameworks for Open Systems: Confidentiality Framework, Recommendation ITU-T X.814, ITU, Geneva.
14. International Telecommunication Union (ITU), Information Technology, Open Systems Interconnection, Security Frameworks for Open Systems: Integrity Framework, Recommendation ITU-T X.815, ITU, Geneva.
15. International Telecommunication Union (ITU), Information Technology, Open Systems Interconnection, Security Frameworks for Open Systems: Security Audit and Alarms Framework, Recommendation ITU-T X.816, ITU, Geneva.
16. International Organization for Standardization (ISO), Information Technology, Open Systems Interconnection, Security Frameworks for Open Systems, Part 1: Overview, ISO/IEC 10181-1, ISO, Geneva.
17. International Organization for Standardization (ISO), Information Technology, Open Systems Interconnection, Security Frameworks for Open Systems, Part 2: Authentication Framework, ISO/IEC 10181-2, ISO, Geneva.
18. International Organization for Standardization (ISO), Information Technology, Open Systems Interconnection, Security Frameworks for Open Systems, Part 3: Access Control Framework, ISO/IEC 10181-3, ISO, Geneva.
19. International Organization for Standardization (ISO), Information Technology, Open Systems Interconnection, Security Frameworks for Open Systems, Part 4: Non-Repudiation Framework, ISO/IEC 10181-4, ISO, Geneva.
20. International Organization for Standardization (ISO), Information Technology, Open Systems Interconnection, Security Frameworks for Open Systems, Part 5: Confidentiality Framework, ISO/IEC 10181-5, ISO, Geneva.
21. International Organization for Standardization (ISO), Information Technology, Open Systems Interconnection, Security Frameworks for Open Systems, Part 6: Integrity Framework, ISO/IEC 10181-6, ISO, Geneva.
22. International Organization for Standardization (ISO), Information Technology, Open Systems Interconnection, Security Frameworks for Open Systems, Part 7: Security Audit and Alarms Framework, ISO/IEC 10181-7, ISO, Geneva.
23. International Organization for Standardization (ISO), Information Technology, Open Systems Interconnection, Generic Upper Layers Security: Overview, Models and Notation, ISO/IEC 11586-1, ISO, Geneva.
24. International Organization for Standardization (ISO), Information Technology, Open Systems Interconnection, Generic Upper Layers Security: Security Exchange Service Element (SESE) Service Definition, ISO/IEC 11586-2, ISO, Geneva, 1996.
Part One
Internet Security

The Internet is characterized by the substantial advantage of increased connectivity, which has resulted in a growing number of services. However, this advantage is exploited by malicious intruders in order to carry out various attacks against the integrity of the Internet's infrastructure and the privacy of its users. A broad range of solutions have been proposed in order to ensure data confidentiality, integrity, source authenticity, nonrepudiation, and availability for data communication between users over the Internet. In this part, many aspects of network security, including possible threats and proactive as well as reactive ways to combat them, are described. More specifically, in this part we focus on secure routing, firewalls, virtual private networks (VPNs), Internet Protocol (IP) level security, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), denial-of-service (DoS) attacks, and security issues concerning active networks. Secure routing, the delivery of packets from a source to a destination, represents the most important function that supports networks. Network technologies that can be used to achieve secure routing as well as possible threats that focus on disrupting the packet delivery service are described. Moreover, possible countermeasures against these threats and the protection mechanisms of the various network technologies are described in order to demonstrate the common ground between them. A firewall is a collection of components that can be used to enforce an organization-wide policy on all network traffic entering or leaving the organization's network. In this part the concept of the network firewall is discussed, together with its redundancy and performance issues and its internal (partitioning), distributed, personal, and layer 2 forms. In addition, VPN technology, which represents an effective means of providing secure communication between geographically distributed network entities, is discussed.
More specifically, in this part a comprehensive overview of VPNs, including their operation, taxonomy, and configuration, is presented, as well as a discussion of security mechanisms in VPNs and current research issues concerning VPNs. Network Security: Current Status and Future Directions, Edited by C. Douligeris and D. N. Serpanos. Copyright 2007 the Institute of Electrical and Electronics Engineers, Inc.
IPSec (IP Security) constitutes a security solution that can be widely deployed over the Internet because of its ability to provide data confidentiality, integrity, and source authentication for IP traffic. A detailed description of IPSec, which guarantees privacy and integrity of IP data packets irrespective of the security features at the application and socket layers, is presented. Furthermore, IDSs as a second layer of defense are presented thoroughly. The focus is on network-based intrusion detection systems (NIDSs) as compared to host-based IDSs. A definition of NIDSs as well as some historical background on NIDSs is provided, followed by a discussion of trends in NIDSs and current research issues in NIDSs. An IPS is a convergence of a firewall and an IDS. A thorough description of IPSs and a comparison of IDSs versus IPSs are presented. One of the most challenging threats to availability is the DoS attack. Denial-of-service attacks constitute one of the major threats and are among the hardest security problems in today's Internet. The main aim of a DoS attack is the disruption of services by attempting to limit access to a machine or service. The problem of DoS attacks is investigated, and the motivation of attackers and the problems of defense are presented. Moreover, the problem of distributed DoS (DDoS) attacks is introduced, and the basic characteristics of well-known DDoS tools, the various types of DDoS attacks, and the various types of DDoS defense mechanisms are presented. Active networks are a new networking technology which adds programming capability to network nodes and to datagrams traveling in the network. This leads to the creation of a dynamic adaptive network that is able to offer advantages such as dynamic creation and execution of network services and distributed processing and management. Active networks are used in order to design two secure architectures.
The first is an adaptive VPN framework that can offer flexible, portable services and customizable VPN mechanisms to provide on-demand secure tunnels in a dynamic environment. The second architecture deploys secure multicasting on a VPN through the use of active networks. The main security issues, both in real-world environments and in research settings, are discussed in this part of the book. Chapter 2 looks at the main issues regarding the secure routing of information on today's Internet. Chapter 3 surveys techniques for designing firewalls efficiently and effectively and the main issues that arise in their deployment. The security benefits of VPNs are analyzed in Chapter 4. Chapter 5 presents in detail the IPsec protocol for enhancing security in an IP environment. Chapters 6 and 7 analyze techniques to detect attacks and protect networks from them, including the DoS and DDoS attacks discussed in Chapter 8. A testbed that can provide a reference framework to validate the previous techniques is given in Chapter 9.
Chapter 2
Secure Routing
Ioannis Avramopoulos, Hisashi Kobayashi, Arvind Krishnamurthy, and Randy Wang

2.1 INTRODUCTION

Multihop communication networks form the basis of technologies that support the operation of critical functions, and the trend is toward further adoption of networking in such technologies. Therefore, the impact that an adversary may have by successfully attacking networks can be severe. Among the functions that support networks, routing, that is, the delivery of packets from a source to a destination through intermediate hops (routers and links), is perhaps the single most important one. In this chapter, we are interested in attacks against the routing function that have two major characteristics: Their purpose is to prevent the availability of the packet delivery service. They are mounted from routers that are initially assumed to be trusted. Note that adversaries may have other goals when attacking the routing infrastructure; for example, they may want to attract traffic in order to eavesdrop on the data [1]. These attacks are not within the scope of this chapter. Furthermore, note that damage to the infrastructure can be inflicted from compromised hosts in the infamous denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks, discussed in Chapter 8. We will not focus on such attacks, but we will comment on their possible impact on the problem under consideration. Survivability has been a major objective in the design of packet-switched networks since their inception. However, the first networks were designed under a different threat model, that of fail-stop (i.e., fail and stop working) failures, which may be the outcome of the physical destruction of routers and links. Most of the routing research has focused on that threat model. In this chapter, we consider an adversary that has compromised a subset of the routers and links in the network and has thus gained the advantage of mounting attacks as an insider.
Work on the latter threat model started recently. We will first give a brief introduction to networking technologies, followed by a description of attacks that the adversary may mount with the goal of disrupting the packet delivery service. We will subsequently describe possible countermeasures against these attacks. We will cover protection mechanisms of different networking technologies so as Network Security: Current Status and Future Directions, Edited by C. Douligeris and D. N. Serpanos Copyright 2007 the Institute of Electrical and Electronics Engineers, Inc. 15
36 16 Chapter 2 Secure Routing to demonstrate common grounds between the protection mechanisms and dispositions. We note that secure routing research on different networking technologies has already crosspollinated. We will end with a conclusion and directions for future research. 2.2 NETWORKING TECHNOLOGIES Networks of today have evolved in diverse forms and can be broadly classified as fixedinfrastructure, overlay, and wireless ad hoc. We will give an overview of each such type of network. For background reading on networking and network protocols the interested reader may consult [2] or other textbooks on networking. References for an in-depth coverage of the specific technologies are given in the corresponding sections Fixed-Infrastructure Networks Fixed-infrastructure networks are comprised of routers and wired (such as point-to-point and Ethernet) or wireless (such as satellite) links. The fixed-infrastructure network of interest in this chapter is the Internet, and descriptions of its organizational structure as well as of the routing protocols that support its structure follow next. Note first that the routing process roughly consists of two steps: topology or route discovery (in which the paths that packets are going to be forwarded are discovered) and data packet forwarding. Topology and route discovery protocols are referred to as routing protocols. Data packet forwarding can be either hop-by-hop routing, in which packet forwarding decisions are made independently by the intermediate routers, or source routing, in which the source specifies the sequence of routers that the packet should traverse. The Internet is divided into autonomous systems (ASs) (also referred to as domains ) that are networks under a single administrative authority. 
Routing within an AS is regulated by an intradomain routing protocol, such as OSPF (Open Shortest Path First) [3] or RIP (Routing Information Protocol) [4], and routing across ASs is regulated by an interdomain routing protocol such as BGP (Border Gateway Protocol) [5]. OSPF is a link state protocol, RIP is a distance vector protocol, and BGP is a path vector protocol. Brief descriptions of these protocols follow next; detailed descriptions can be found in, for example, [6-8]. In link state routing, routers discover their neighbors (other routers that are one hop away) by periodically sending beacons (or HELLO packets). Neighbor discovery is followed by the broadcast, by a flooding algorithm, of link state advertisement packets that announce the discovered neighbor associations to the network. Flooding is a broadcast process according to which the source transmits the corresponding packet to all neighbors, which repeat the same. Duplicates are suppressed by a sequence number that is carried in the packet and that is temporarily stored after its reception. Using the received link state advertisements, routers build the topology of the network, which is converted into a routing table after a shortest path computation. In distance vector routing, routers maintain a vector of distances to the other routers or destinations of the network as well as the corresponding next hop. The distance vectors are transmitted to neighbors. On receipt of the distance vector of a neighbor, a comparison with the stored vector follows, and for those destinations for which the corresponding neighbor is at a shorter distance than the current next hop, the distance vector is updated. Distance vector protocols are susceptible to routing loops, and several algorithms have been proposed to address this issue. One of these algorithms is path vector routing.
In path vector routing, routers maintain a vector of paths to the destinations of the network. This vector is updated similarly to distance vector protocols; the difference is that the whole path rather than the distance is advertised and propagated. Loop detection is, therefore, straightforward. For scalability reasons, each path in BGP consists of a sequence of autonomous systems rather than a sequence of routers.

2.2.2 Overlay Networks

In its pursuit of scalability, BGP compresses the routing information by suppressing redundancies (e.g., it combines, or aggregates, routes before advertising them further). However, redundancies are particularly helpful in recovery from failures. Overlay networks that consist of application layer routers attached to the infrastructure have been proposed to discover redundancies and expose them to the applications, mainly for recovery purposes. The RON (resilient overlay networks) architecture [9] has been particularly influential in the field. Architectures and protocols for overlay networks are investigated in the PlanetLab Consortium.

2.2.3 Wireless Ad Hoc Networks

If a fixed infrastructure is difficult, expensive, time consuming, or impossible to deploy, wireless ad hoc networks may be a preferable choice. In ad hoc networking, peer devices (possibly mobile) with wireless communication capabilities act as routers so that distant destinations are reachable without the need for an infrastructure. All such devices participate in a routing protocol. Routing protocols for mobile ad hoc networks can be classified as reactive, proactive, and hybrid. A corresponding standardization process is ongoing at the MANET Working Group of the IETF. In reactive routing protocols, such as DSR (dynamic source routing) [10] and AODV (ad hoc on-demand distance vector routing) [11], routes are discovered on demand. In DSR, when the source (or origin) has a packet to send, it floods the network with multiple copies of a route request packet. As each copy propagates, the sequence of visited routers is recorded in the packet. On receipt of the route request, the destination reverses the recorded route and source routes a route reply to the origin. Subsequently, data packets are source routed to the destination. In AODV, visited routers are not recorded in the route request. Instead, a reverse path to the source is built during the broadcast of the route request by storing the upstream router from which the route request arrived. Similarly, when the route reply is unicast from the destination to the source, the forward path is built. Proactive routing protocols, such as OLSR (optimized link state routing) [12], TBRPF (topology dissemination based on reverse path forwarding) [13], and DSDV (destination sequenced distance vector) [14], continuously maintain routes to all destinations irrespective of the traffic pattern. OLSR and TBRPF are link state routing protocols that reduce communication overhead using techniques which decrease the size of link state advertisements and the number of transmissions in the flooding process. DSDV is a distance vector protocol that prevents the formation of routing loops using sequence numbers. ZRP (Zone Routing Protocol) [15] divides the network into zones that communicate with each other using a reactive protocol and internally using a proactive protocol.
2.3 ATTACKS IN NETWORKS

In this section we describe attacks that an adversary may mount from routers and links that it has compromised in the routing infrastructure. There are attacks that pertain to individual networking technologies and attacks that are technology independent. Attacks may be targeted at topology discovery or data packet forwarding (or both). The list of attacks that we describe is by no means exhaustive. In general, attacks also depend on the routing system and its protocols. Even if the routing system is secured, attacks on the secured system remain possible (although they may not have as adverse an impact as they would on an unsecured system).

2.3.1 Adversarial Models

In the literature, several models have appeared regarding the capabilities of the adversary. One powerful routing attack is possible with an adversary that does not control any legitimate routers in the network, and this model has been assumed in some works. In other works, the adversary is assumed to control a single router, or several adversaries are assumed to control one router each without coordinating their actions. In yet other works, multiple adversaries are present, each controlling multiple routers without any coordination between them, and, finally, a single adversary is assumed to be present that controls (and coordinates) all malicious routers. The model of a single malicious router or multiple uncoordinated malicious routers is an important special case with applications in the context of selfishness in ad hoc networks as well as other applications. The model of multiple adversaries controlling multiple routers has been proposed in the context of peer-to-peer networks that consist of a very large number of routers. The last model, that of a single adversary, is the strongest one for a given set of faulty routers and links and has been addressed in the literature. Other restrictions on the capabilities of the adversary have also appeared. For example, some works have assumed the existence of intrusion detection systems or security modules running on the compromised routers that are not themselves compromised.

2.3.2 Data Packet Forwarding

Adversarial routers may appear in forwarding paths obtained in the route discovery step by nonfaulty routers but subsequently drop the packets that are forwarded along those paths without giving any indication that they are doing so. For example, if the network employs link layer hop-by-hop acknowledgments, a malicious router that performs this attack would return the acknowledgment without forwarding the corresponding packet. Should the network employ end-to-end acknowledgments, if a malicious router performed this attack, the source would be uncertain of the individual router (or link) in the path to which the failure should be attributed. Even if the network employs probing troubleshooting mechanisms, malicious routers can behave well toward the probes and yet misbehave against data packets. Similarly, adversarial routers may modify packets or insert packets with a counterfeited source address (commonly referred to as spoofing) so as to force the corresponding destination to accept forged data. End-to-end cryptographic protection can prevent this. Still, the source would be uncertain of the location of the modification of the data, and the destination would be uncertain of the true source of the spoofed packet (information that would be useful for imposing a penalty). Adversarial routers can also forge destination acknowledgments (or even hop-by-hop ones) in order to deceive the source into believing that the destination accepted the data. Packet replay is an attack according to which malicious routers store packets and reinsert them in the network so as to force the corresponding destinations to accept untimely data and, possibly, to confuse new with old data. Replayed packets may also introduce an increased load at intermediate routers that will not be able to distinguish the old from the new packets so as to discard the former. Delaying packets is yet another attack, with the impact of degrading the performance of the network in a way that is hard to identify (e.g., malicious routers can feign congestion). Reordering of packets by the adversary can also have major performance impacts. The effects of packet reordering in a nonmalicious environment have been studied, for example, in [16, 17]. Adversarial routers may also overwhelm the network with spurious packets so as to force nonfaulty routers to drop legitimate traffic. Even if the network is capable of providing quality of service (QoS) (by weighted fair queuing [18], generalized processor sharing [19, 20], or other techniques), malicious routers can employ impersonation in order to cause the QoS mechanism to fail. Similarly, adversarial routers may overwhelm links with spurious traffic so as to disable their correct operation. For example, in an ad hoc network, an adversarial router may be able to prevent all communication at routers that are within its range of interference. In an overlay network, adversarial routers can disable links by performing DoS at the intermediate underlying routers of which the corresponding (overlay) links are composed. Fixed-infrastructure networks that consist of point-to-point links are more resilient to attacks at the link level (assuming that physical access to the wire is harder). Finally, adversarial routers may selectively attack certain sources (or destinations) without attempting to block all transfers (which could potentially trigger a more vigorous countermeasure against the adversary).

2.3.3 Topology/Route Discovery

Topology or route discovery attacks can be targeted at the mechanism that propagates topological information or even at the neighbor discovery protocol. Malicious routers can try to prevent any correct topological information about the network from reaching the source, so that the destination appears unreachable to the source even if a nonfaulty path exists between the endpoints. For example, in DSR and AODV, adversarial routers can modify the destination address field of the route request packet so that the intended destination does not reply (the legitimate route request may be dropped by the flooding mechanism, which suppresses duplicates using the sequence number of the request). In OSPF, adversarial routers can modify a link state advertisement so that a victim router appears in a crafted position in the network. In another example, adversarial routers can impersonate another router so that the discovered route is incorrect. Similar attacks are possible in BGP; a malicious or subverted AS can, for example, modify path vectors before announcing them further. In another attack, malicious routers can deceive nonfaulty routers into believing in the existence of fictitious links (or AS peering relationships). The following three combinations regarding the faultiness of the endpoints of a coerced fictitious link are possible:

1. Faulty and faulty
2. Faulty and nonfaulty
3. Nonfaulty and nonfaulty

The first possibility is very hard to prevent in the absence of prior knowledge about connectivity. Regarding the second possibility, we can (safely) assume that any malicious router can impersonate any other malicious router (even in the presence of strong cryptographic mechanisms), and, thus, if a single malicious router is a neighbor of a nonfaulty router, then the nonfaulty router can be deceived into believing that all malicious routers are its neighbors. Similarly, in the absence of knowledge of the identities of the routers that can participate in the network, malicious routers can create fictitious routers in order to increase the number of fictitious links. The third possibility can be achieved by manipulating neighbor discovery with so-called dumb relays [21], which relay HELLO packets between two endpoints without modifying them, or with the creation of wormholes [22]. In wormhole attacks, two malicious nodes positioned at distant locations in an ad hoc network use a low-latency out-of-band communication link to tunnel packets between those distant locations so as to create an adversarially controlled link that may attract a large volume of traffic. The consequence of the successful formation of a wormhole is a severe downgrade of the packet delivery ratio of the network. Wormhole attacks are a major threat as they can be mounted by adversaries that do not possess legitimate routers (an adversary that controls two distantly located routers that are authenticated in the network can mount an attack with the same impact by advertising a fictitious link between those routers). Fictitious routers and links severely degrade the effectiveness of recovery procedures at the source.
Note, however, that for some fixed-infrastructure networks the topological map may be available to network management.

2.4 STATE OF THE ART

In this section, we describe mechanisms and protocols that mitigate or eliminate possible impacts of the aforementioned attacks. Topology discovery protection and data packet forwarding protection are treated in separate sections but not independently. In fact, a routing system that employs protections at both steps of the routing process will be more likely to survive coordinated attacks than a system that protects only one of the steps.

2.4.1 Role of Cryptography

Cryptography has an essential role in the protection of routing. The reason is that it is the primary tool that can thwart impersonation and forging. By impersonating other routers and by forging messages, malicious routers can force destinations to accept false data, partition the network, and deceive sources into believing that their data are flowing properly to the destinations. The cryptographic tools that have been commonly used for the protection of routing are digital signatures, message authentication codes (MACs), encryption, one-way hash functions, and hash chains. We will briefly explain their functionality. For background reading on cryptographic techniques and security protocols the reader may consult [23, 24]. For additional background reading on security techniques the reader may consult [25, 26] and Chapter 23 and Appendix A of this book. A digital signature of a message is the output of an operation on the message performed with a key known only to the party that is performing the operation (the signer), also known as the private key. A digital signature can prove to any party (verifier) that holds the corresponding public key that the origin of the message is indeed the signer and also that the original message has not been modified (integrity). A digital signature thus has the capability to authenticate a message to multiple recipients (broadcast authentication). The most commonly used digital signature algorithm is RSA [27]. A certification authority with a well-known public key normally issues (and revokes) certificates for the public keys of the signers (public key infrastructure). Digital signatures have the disadvantage that they are computationally expensive. A message authentication code (MAC) is the output of a more efficient operation that provides, however, limited capability as compared to digital signatures. A MAC computation receives as input a message and a secret key known by two parties only. The output of this operation can prove the origin and integrity of the message to a recipient that knows the secret key. The most commonly used MAC algorithm is hashed MAC (HMAC) [28]. An encryption operation replaces one message (the plaintext) with another message (a ciphertext). It ensures that knowledge of the ciphertext cannot reveal the plaintext unless the corresponding secret key is known. In public key encryption the plaintext is encrypted with the public key of the recipient and can only be decrypted with the corresponding private key, whereas in symmetric key encryption the plaintext is encrypted with the secret key that is shared between the two parties. A commonly used encryption algorithm is the Advanced Encryption Standard (AES) [29]. A one-way hash function receives as input a message and produces a hash or image of the message with the following property: Given the image and the hash function, it is computationally infeasible to find any message that hashes to the image. One-way hash functions have important applications in hash chains. A hash chain is precomputed by choosing a random element and repeatedly applying a one-way hash function to it. If the last element of the hash chain is securely announced (by means, e.g., of a digital signature), then the source of the hash chain can authenticate itself by releasing hash elements in reverse order (as compared to the order of their computation). The authenticity of these elements can be verified by recipients by hashing them and comparing the result to previously released authentic hash elements. Hash chains were first proposed in [30]. TESLA [31] is an efficient broadcast authentication protocol that relies on a hash chain, MACs computed using the elements of the hash chain as keys, and clock synchronization. In TESLA, a hash chain is precomputed at the source, and its last element is securely announced, by means of a digital signature, to the intended recipients. Data packets that are subsequently broadcast carry a MAC that is computed with a key that is not yet disclosed. Recipients store these data packets until disclosure of the corresponding key. When the key is disclosed, its authenticity is first verified using previously released keys, followed by a verification of the MAC. Clock synchronization, in combination with the announcement of a time schedule for the disclosure of keys, protects recipients from deeming authentic packets whose corresponding keys have already been disclosed and could, thus, have been forged by the adversary. TESLA certificates are investigated in [32].
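The TESLA mechanism just described, as an added worked example in Python; it is not code from the chapter or from the TESLA authors. The interval length, the disclosure delay of two intervals, the clock skew bound and the two hash-derived functions are assumptions chosen for illustration, and the chain anchor is handed to the receiver directly, standing in for the signed announcement the text describes. The trace at the end exercises the three outcomes a receiver must distinguish: a packet whose key is later disclosed and whose MAC verifies, a packet whose MAC fails once the key arrives, and a packet that is rejected on arrival because its key may already be public.

```python
"""TESLA broadcast authentication: MAC now, disclose the key later.

Added example; not code from the chapter or from the TESLA authors.
Assumptions (hypothetical): time is split into intervals of INTERVAL s, the
key of interval i is disclosed DELAY intervals later, clocks are synchronized
to within MAX_SKEW s, and the chain anchor K_0 reaches receivers over an
authentic channel (the chapter mentions a digital signature for this step).
"""
import hashlib
import hmac
import os

INTERVAL = 1.0
DELAY = 2
MAX_SKEW = 0.1


def f(key: bytes) -> bytes:
    """One-way function for the key chain: K_{i-1} = f(K_i)."""
    return hashlib.sha256(b"chain|" + key).digest()


def mac_key(key: bytes) -> bytes:
    """Second one-way function deriving the per-interval MAC key."""
    return hashlib.sha256(b"mac|" + key).digest()


def compute_mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(mac_key(key), msg, hashlib.sha256).digest()


class Sender:
    def __init__(self, n_intervals: int):
        chain = [os.urandom(32)]              # K_n, chosen at random
        for _ in range(n_intervals):
            chain.append(f(chain[-1]))        # K_{i-1} = f(K_i)
        self.keys = chain[::-1]               # keys[i] == K_i; keys[0] is the anchor
        self.anchor = self.keys[0]

    def send(self, msg: bytes, now: float) -> dict:
        i = int(now // INTERVAL)
        assert i >= 1, "interval 0 is never used: its key is the public anchor"
        pkt = {"i": i, "msg": msg, "mac": compute_mac(self.keys[i], msg)}
        if i - DELAY >= 1:                    # disclose the key of interval i - DELAY
            pkt["disclosed"] = (i - DELAY, self.keys[i - DELAY])
        return pkt


class Receiver:
    def __init__(self, anchor: bytes):
        self.known = {0: anchor}              # verified keys by interval
        self.latest = 0
        self.pending = []                     # packets waiting for their key
        self.accepted, self.rejected = [], []

    def receive(self, pkt: dict, now: float) -> None:
        # Safety condition: reject if the sender might already have disclosed
        # K_i, because then anyone could have computed the MAC.
        latest_possible = int((now + MAX_SKEW) // INTERVAL)
        if pkt["i"] <= self.latest or latest_possible >= pkt["i"] + DELAY:
            self.rejected.append(pkt["msg"])
            return
        self.pending.append(pkt)
        if "disclosed" in pkt:
            self._learn_key(*pkt["disclosed"])
        self._verify_pending()

    def _learn_key(self, j: int, key: bytes) -> None:
        if j <= self.latest:
            return
        x = key
        for _ in range(j - self.latest):     # hash back to the last verified key
            x = f(x)
        if x != self.known[self.latest]:
            return                            # forged disclosure, ignore it
        x = key
        for k in range(j, self.latest, -1):  # record K_j ... K_{latest+1}
            self.known[k] = x
            x = f(x)
        self.latest = j

    def _verify_pending(self) -> None:
        still_pending = []
        for pkt in self.pending:
            key = self.known.get(pkt["i"])
            if key is None:
                still_pending.append(pkt)
            elif hmac.compare_digest(compute_mac(key, pkt["msg"]), pkt["mac"]):
                self.accepted.append(pkt["msg"])
            else:
                self.rejected.append(pkt["msg"])
        self.pending = still_pending


def run_demo():
    """Constructed trace: seven authentic packets, one forged MAC, and one
    forgery that arrives after its key may have become public."""
    s = Sender(n_intervals=12)
    r = Receiver(s.anchor)
    bogus = b"\x00" * 32
    for i in range(1, 8):
        if i == 6:   # K_4 may already be public at t=6.1: rejected on time alone
            r.receive({"i": 4, "msg": b"forged-late", "mac": bogus}, now=6.1)
        r.receive(s.send(b"lsa-%d" % i, now=i * INTERVAL + 0.2), now=i * INTERVAL + 0.25)
        if i == 5:   # arrives in time, so it is buffered, then fails the MAC check
            r.receive({"i": 5, "msg": b"forged-mac", "mac": bogus}, now=5.3)
    return r.accepted, r.rejected, [p["msg"] for p in r.pending]
```

Running `run_demo()` accepts the packets of intervals 1 to 5 (their keys are disclosed in intervals 3 to 7), leaves the packets of intervals 6 and 7 pending, and rejects both forgeries. Note that the time check uses the receiver's clock plus the skew bound, so a receiver whose clock lags the sender by more than MAX_SKEW would be fooled; that is why the text insists on clock synchronization.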
2.4.2 Secure Topology/Route Discovery

The objective of topology discovery is to provide paths along which data packets can be successfully forwarded. Malicious routers can attack topology discovery so as to prevent the discovery of any paths by nonfaulty routers, coerce nonfaulty routers into discovering forged paths that do not correspond to the physical topology, or coerce nonfaulty routers into discovering only paths that contain malicious routers. Several countermeasures have been proposed to mitigate the impact of these attacks on the topology discovery protocols. These countermeasures are the topic of this section.

Secure Flooding

Flooding is a routing mechanism used in most routing protocols; OSPF, DSR, and AODV are such examples. The protection of flooding was addressed in one of the first works on secure routing [21]. In Perlman's proposal [21], packets that are propagated by the flooding mechanism carry a digital signature computed by their source router. The digital signature authenticates the source of the packet and prevents modification of its content. The verification of the origin of the packet also ensures that network resources that have been preallocated for the corresponding source are indeed allocated to the packet. Perlman observed that malicious routers can prevent delivery of packets by overwhelming the network with spurious packets that will prevent the use of network resources by legitimate packets. She therefore proposed that each source should a priori reserve one buffer (see footnote 1) at every other router in the network, in order to prevent buffer overflow, in combination with round-robin packet scheduling so that each source receives a fair portion of the bandwidth. According to her scheme, replay attacks, whereby malicious routers store packets and reinsert them in the network at a later time so as to consume the resources of new packets, can be thwarted by monotonically increasing sequence numbers.
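The duplicate-suppression attack on route requests from Section 2.3.3, and the per-packet signature that Perlman's scheme applies to flooded packets, as an added worked example; it is not code from the chapter or from [21]. The four-router topology, the unit link delay, the rushing behaviour of the malicious router M, and the toy RSA key pair with fixed small primes are all assumptions. The toy RSA only stands in for a real signature so that M cannot re-sign a modified packet; it offers no actual security.

```python
"""Flooding with sequence-number duplicate suppression, the route request
rewriting attack against it, and Perlman-style per-packet signatures.

Added example; not code from the chapter or from any cited protocol.
Assumptions (all hypothetical): a four-router topology S-A-D / S-M-D with
unit link delay, one malicious router M that rewrites the destination field
and forwards with no delay, and a toy RSA signature with fixed small primes
that stands in for the source's digital signature (insecure, for
illustration only).
"""
import hashlib
import heapq

# --- toy signature scheme (insecure, illustration only) -----------------
P, Q = 2**61 - 1, 2**31 - 1             # two Mersenne primes
N = P * Q
E = 65537
D_EXP = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held by source S only


def _digest(fields) -> int:
    return int.from_bytes(hashlib.sha256(repr(fields).encode()).digest(), "big") % N


def sign(fields) -> int:
    return pow(_digest(fields), D_EXP, N)


def verify(fields, sig) -> bool:
    return sig is not None and pow(sig, E, N) == _digest(fields)


# --- network model ------------------------------------------------------
TOPOLOGY = {"S": ["A", "M"], "A": ["S", "D"], "M": ["S", "D"], "D": ["A", "M"]}
LINK_DELAY = 1.0


def flood(topology, source, dest, seq, authenticated, malicious=("M",)):
    """Flood a route request from source; return (destination_reached, log).

    Every router caches the (source, seq) pairs it has already handled and
    drops later copies, as the flooding in OSPF, DSR and AODV does.
    """
    fields = ("RREQ", source, dest, seq)
    sig = sign(fields) if authenticated else None
    seen = {node: set() for node in topology}
    # event: (time, tiebreak, node, fields, sig, previous hop)
    events = [(0.0, 0, source, fields, sig, None)]
    tiebreak = 1
    log, reached = [], False
    while events:
        t, _, node, fields, sig, prev = heapq.heappop(events)
        kind, src, dst, s = fields
        if authenticated and not verify(fields, sig):
            log.append((t, node, f"dropped copy from {prev}: signature check failed"))
            continue
        if (src, s) in seen[node]:
            log.append((t, node, f"duplicate from {prev} suppressed"))
            continue
        seen[node].add((src, s))
        if node == dst:
            reached = True
            log.append((t, node, "destination reached, route reply sent"))
            continue
        if node in malicious:
            fields = (kind, src, "X", s)    # rewrite destination, keep source and seq
            delay = 0.0                      # rush the forged copy ahead of the real one
            log.append((t, node, "rewrote destination to X and rushed the copy"))
        else:
            delay = LINK_DELAY
        for nb in topology[node]:
            if nb != prev:
                heapq.heappush(events, (t + delay, tiebreak, nb, fields, sig, node))
                tiebreak += 1
    return reached, log


if __name__ == "__main__":
    for auth in (False, True):
        reached, log = flood(TOPOLOGY, "S", "D", seq=1, authenticated=auth)
        print(f"authenticated={auth}: destination reached = {reached}")
        for entry in log:
            print("  t=%.1f %s: %s" % entry)
```

Without authentication, D receives M's rewritten copy first, caches (S, 1), and then suppresses the genuine request that arrives via A, so no route reply is ever sent. With the signature checked at every router, the rewritten copy fails verification before it can poison the duplicate cache, and the genuine copy reaches D. The monotone sequence number in the same cache is also what defeats M replaying a stored request later.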
A secure flooding protocol based on the TESLA broadcast authentication protocol, rather than digital signatures, was more recently proposed in [33].

Footnote 1: The reservation of one buffer is sufficient if flooding is used in the context of a link state routing protocol for the dissemination of link state advertisements (LSAs), as Perlman suggested, but other protocols may require more than one reserved buffer.

Secure Routing Protocols for Fixed-Infrastructure Networks

Link state routing was one of the first routing protocols deployed in the early stages of the Internet and is still widely used in intradomain routing. It is also one of the first protocols to be secured; Perlman's thesis [21] had an emphasis on protective measures for link state routing, and the aforementioned secure flooding protocol was developed in this context. The protection of the OSPF (link state routing) protocol using digital signatures is the topic of [34, 35]. Techniques for reducing the overhead of digital signatures in a secured link state routing protocol using hash chains are proposed in [36]. The protection of distance vector routing protocols is addressed in [37]. In unprotected distance vector protocols, distance vectors are built upon reception of distance vector updates from neighboring routers; if the distance of a neighbor to a destination is less than the known distance, then the forwarding table is pointed to that neighbor for packets heading to the corresponding destination. A malicious router can, therefore, announce small distances to remote destinations and attract the corresponding traffic. Smith et al. [37] correct this by adding predecessor information to the updates, thus permitting routers to verify complete paths by starting from the destination and following its predecessors. Routing updates are authenticated with digital signatures. The protection of distance vector routing (in fixed-infrastructure or wireless ad hoc networks), as well as of path vector routing, is addressed in [38]. There, Hu et al. present additional protective measures for their earlier work [39], which proposes the SEAD (secure efficient ad hoc distance vector routing) protocol, based on the DSDV protocol. SEAD uses efficient hash chains in a way that prevents adversarial routers from arbitrarily claiming short distances to remote destinations, but it does not prevent a number of attacks, such as the relay of distance vector updates without increasing the distance field or the insertion of spurious updates with the purpose of forcing nonfaulty routers to do excessive hash computations in order to discard such updates. Hu et al. introduce new techniques to address these attacks, such as tree-authenticated one-way chains (which prevent the first type of attack), skiplists, and MW chains (which prevent the second type of attack). For example, tree-authenticated one-way chains incorporate node identifiers in hash elements so as to prevent one router from advertising the distance of another router that is closer to the destination. Border Gateway Protocol (BGP) is the interdomain routing protocol of the Internet that unifies networks of different scales, geographic locations, and administrative authorities. This role makes the protection of BGP imperative but also challenging because of the Internet's scale. The S-BGP (Secure BGP) protocol is proposed in [40] to address many of BGP's vulnerabilities. It makes extensive use of digital signatures and introduces the concepts of address and route attestations.
Attestations are tickets that the attester grants to autonomous systems and that permit them to advertise a route to the attester. Attestations prevent subverted networks from arbitrarily claiming direct connectivity to address ranges of their choice and also ensure path integrity. Validation of attestations requires knowledge of the corresponding certificates; thus, S-BGP assumes the existence of a public key infrastructure to issue and revoke certificates at the scale of the Internet, a requirement that has impeded its widespread deployment. The IRV (Internet routing validation) protocol is proposed in [41] for the protection of BGP against accidental failures and attacks. IRV takes a different approach from S-BGP; instead of securing the BGP protocol itself, Goodell et al. [41] propose IRV as a separate protocol that acts as a companion to BGP. The idea behind IRV is that recipients of route announcements securely communicate with the ASs that appear in the announcements in order to verify their validity. The authentication mechanism for performing the validations is not specified, but several options, such as digital signatures or MACs, are considered. Listen and Whisper are proposed in [42] for BGP protection. They combine cryptographic techniques (that do not rely on a public key infrastructure) incorporated in the BGP protocol (Whisper) with data packet flow monitors that verify whether the routes obtained by Whisper are operational (Listen). Listen and Whisper introduce the interesting concept of detection and containment of faulty ASs using primarily the routing protocol. Such detection and containment is more accurate under the threat model of noncolluding adversaries. Subramanian et al. [42] propose countermeasures against colluding adversaries that require, however, changes to the providers' policies. The reader interested in BGP vulnerabilities and countermeasures may also consult the works in [43, 44] and [38] (which protects BGP updates using MACs) and the more recent work in [45].
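The hash-chain authentication of distances used by SEAD, described earlier in this subsection, as an added worked example; it is not code from the chapter or from the SEAD authors. The chain layout, the bound on the metric, the number of sequence numbers the chain covers, and the router's acceptance rule are assumptions for illustration, and the chain anchor is assumed to reach routers authentically. The demonstration also shows the same-metric relay that the text notes SEAD alone does not prevent, and the replay of a stale sequence number that the sequence-number ordering does reject.

```python
"""Hash-chain-authenticated distance vector updates in the style of SEAD.

Added example; not code from the chapter or from the SEAD authors.
Assumptions (hypothetical): network diameter below MAX_METRIC, a chain that
covers N_SEQ sequence numbers, and an anchor (the last chain element) that
every router has obtained authentically (e.g., signed or preconfigured).
"""
import hashlib
import os
from collections import namedtuple

MAX_METRIC = 8                    # metrics 0 .. MAX_METRIC-1 can be expressed
N_SEQ = 4                         # sequence numbers the chain can support
CHAIN_LEN = MAX_METRIC * N_SEQ

Update = namedtuple("Update", "dst seq metric auth")


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def chain_index(seq: int, metric: int) -> int:
    """Element used for (seq, metric).  A newer seq or a smaller metric lies
    farther from the anchor, so it cannot be derived from what a router has."""
    return CHAIN_LEN - (seq + 1) * MAX_METRIC + metric


class Destination:
    def __init__(self, name: str):
        self.name = name
        self.chain = [os.urandom(32)]              # h_0 stays secret
        for _ in range(CHAIN_LEN):
            self.chain.append(H(self.chain[-1]))   # h_i = H(h_{i-1})
        self.anchor = self.chain[CHAIN_LEN]        # h_N, published authentically
        self.seq = -1

    def advertise(self) -> Update:
        """Originate a fresh sequence number at metric 0."""
        self.seq += 1
        assert self.seq < N_SEQ, "chain exhausted; a new chain would be needed"
        return Update(self.name, self.seq, 0, self.chain[chain_index(self.seq, 0)])


def verify(anchor: bytes, upd: Update) -> bool:
    """Hash the authenticator forward to the anchor; the number of steps is
    fixed by the claimed (seq, metric), so a wrong claim cannot verify."""
    if not (0 <= upd.metric < MAX_METRIC) or not (0 <= upd.seq < N_SEQ):
        return False
    x = upd.auth
    for _ in range(CHAIN_LEN - chain_index(upd.seq, upd.metric)):
        x = H(x)
    return x == anchor


def forward(upd: Update) -> Update:
    """An honest router re-advertises with metric + 1; the next element is one
    more hash, so increasing the distance needs no secret."""
    return Update(upd.dst, upd.seq, upd.metric + 1, H(upd.auth))


class Router:
    def __init__(self, anchors):
        self.anchors = anchors        # dst -> anchor
        self.table = {}               # dst -> (Update, next hop)

    def process(self, upd: Update, from_hop: str) -> str:
        if not verify(self.anchors[upd.dst], upd):
            return "rejected: bad authenticator"
        cur = self.table.get(upd.dst)
        if cur is not None:
            if upd.seq < cur[0].seq:
                return "ignored: stale sequence number"
            if upd.seq == cur[0].seq and upd.metric >= cur[0].metric:
                return "ignored: not a better route"
        self.table[upd.dst] = (upd, from_hop)
        return "accepted"


def run_demo():
    """Constructed scenario: destination D, two honest hops, an attacker M."""
    d = Destination("D")
    r = Router({"D": d.anchor})
    u2 = forward(forward(d.advertise()))                 # seq 0 at metric 2
    out = [r.process(u2, "R2")]
    # M received u2 and tries to look closer to D than it is.
    out.append(r.process(u2._replace(metric=1), "M"))        # would need a preimage
    out.append(r.process(u2._replace(seq=1, metric=0), "M")) # would need a future element
    # Relaying u2 unchanged still verifies: the same-metric relay SEAD does not stop.
    out.append("same-metric relay verifies: %s" % verify(d.anchor, u2))
    u_new = forward(forward(forward(d.advertise())))     # genuine seq 1 at metric 3
    out.append(r.process(u_new, "R3"))
    out.append(r.process(u2, "M"))                       # replay of the seq 0 update
    return out
```

A router accepts an update only if the authenticator hashes to the anchor in exactly the number of steps its claimed sequence number and metric dictate; shortening the metric or jumping to a newer sequence number would require inverting the hash. Once a genuine newer sequence number has been installed, the old update is ignored as stale even though it still verifies.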
44 24 Chapter 2 Secure Routing Secure Routing Protocols for Wireless Ad Hoc Networks The SRP (secure routing protocol) is proposed in [46] for the protection of routing protocols that employ source routing, such as DSR or, possibly, ZRP, primarily against noncolluding adversaries. SRP protects the discovery of routes without requiring intermediate routers to perform any cryptographic computations; the source and destination only need to share a secret key for the authentication of route requests and replies using MACs. The protection that SRP provides is mainly derived from the aforementioned minimal cryptographic protection and the observation that many attacks can be prevented by relying on the topological properties of the network. Ariadne is proposed in [47] for routing protection based on the DSR protocol. Ariadne may be used with several authentication mechanisms such as digital signatures, MACs computed with pairwise secret keys, or TESLA. The latter option is described in [47]. Each route request is authenticated using elements of a hash chain that serve the purpose of preventing adversarial routers from overwhelming the network with spurious route requests that would consume network resources. The integrity of the discovered paths is protected with a combination of TESLA authenticators (MACs) that are appended by intermediate routers and a hashing technique. The protection of the AODV protocol is addressed in [48]. Sanzgiri et al. [48] propose the ARAN (authenticated routing for ad hoc networks) protocol that relies on digitalsignature-based authentication of route requests and route replies as well as route errors (which are messages generated by intermediate routers of a path to report a broken link to their upstream). 
Route requests are digitally signed by the source and as they propagate toward the destination they are digitally signed hop by hop by intermediate routers (i.e., a digital signature by an intermediate router of a route request has a span of one hop) in order to prevent an adversarial router from inserting in the route a router of its choice by, for example, impersonating it. Protections against wormhole attacks (which were outlined in Section 2.3.3) can be found in [22, 49, 50]. In [22] the proposed defense mechanism is packet leashes that restrict the maximum transmission range of a packet with a combination of an authentication mechanism, such as TESLA, and either timestamps and tight clock synchronization or location information. In [49], the proposed defense mechanism is based on authentication using MACs, computed with pairwise secret keys, and directional antennas. In [50], the rushing attack is presented, according to which adversarial routers quickly forward route discovery packets so that they will have a higher chance of appearing in the discovered paths. The proposed protection is based on enforcing router diversity in the route discovery process. In this context a wormhole prevention mechanism is presented based on roundtrip-time measurements. This mechanism is used in [33] in order to prevent packet forgeries. Recently, we discovered that a similar mechanism was proposed in [51] in the context of verifying location claims. The reader that is further interested in secure routing protocols for wireless ad hoc networks may consult [52, 53] and also [54], which proposes a framework for adapting the security capabilities of the routing protocol based on the capabilities of the adversary that are estimated with an intrusion detection system Secure Data Packet Forwarding Without a secured protocol that discovers routes in a network, it is unlikely that the network will survive a coordinated attack. However, even if route discovery is secured,
the adversary may still have the capability to, in part, prevent discovery of nonfaulty routes, contaminate discovered routes with nonexistent links, position its routers in discovered routes with the purpose of attracting data traffic in order to block it, or significantly delay packets with the purpose of subjecting the network to a severe performance degradation that is more difficult to detect and avoid. It is then the responsibility of the data packet forwarding mechanism to overcome these attacks.

Any data packet forwarding protection mechanism must (at least) be evaluated with respect to the following two parameters. The first is the additional overhead that it incurs when the network operates with protection without being attacked, as compared to a data packet forwarding mechanism that does not offer any protection. This is the cost induced by the fear of an attack and can be significant. The second is the recovery capability of the protection mechanism when the network is under attack, that is, how fast communication is reestablished after it has been disrupted by the adversary. Ideally, the data packet forwarding protection mechanism should have Byzantine robustness [21]; that is, it should be able to recover, in a nonexcessive amount of time, from a disruption in the communication as long as at least one nonfaulty path exists between the source and the destination. Note that the aforementioned parameters can be conflicting; that is, a protection mechanism with low overhead may take a large amount of time to recover and vice versa. Also note that the protection mechanism can be adaptive based on, for example, an estimate of the threat that the adversary poses, so that under a low threat a less expensive mechanism may be adopted whereas under a high threat a costlier but faster recovery procedure is put in action. This latter possibility is largely unexplored in the literature.
A first step toward achieving the objective of bypassing malicious routers is to identify the locations of packet delivery failures. An ideal detection procedure would pinpoint culpable routers and communication links; however, using currently known techniques, this is not possible in the presence of malicious routers. We are going to describe detection procedures that identify the locations of packet delivery failures at various granularities.

Multipath Routing

A first approach to protecting data packet forwarding is to exploit possible redundancy in the discovered routes and forward packets over multiple paths. Perlman [21] proposed two packet forwarding mechanisms for recovery from routing attacks using multipath routing and disjoint paths. The less computationally intensive of these mechanisms relies on a route establishment phase that is protected with digital signatures, which is followed by a forwarding phase that only requires end-to-end cryptographic protection of data packets. We note here that Perlman also proposed in [21] an approach to fault diagnosis that can be seen as a precursor to the Byzantine detection protocols that are described in the next section.

Another approach to data packet forwarding protection by multipath routing is the secure message transmission (SMT) protocol of [55, 56]. The authentication mechanism of SMT is a single message authentication code per packet, computed with the secret key that is shared between the source and the destination. Thus, SMT is highly efficient. SMT does not prevent the adversary from successfully attacking the intermediate nodes of a path. However, SMT dynamically adapts to network conditions: it monitors the delivery ratios of the simultaneously used paths and directs the traffic to the paths that are the most successful. It, therefore, significantly increases the resources that must be available to the adversary to successfully attack all paths by DoS and impersonation attacks. Performance
measurements in [55, 56] show that SMT provides significant protection against capable adversaries. Multipath protection is appealing because of its small cryptographic overhead. However, an adversary that is able to insert a large number of fictitious links in the topological views can severely affect its recovery capability.

Byzantine Detection

A resilient forwarding faults detector was proposed in [57] to detect Byzantine failures at link-level granularity using a combination of acknowledgments (ACKs), timeouts, disconnection notifications, and cryptographic techniques (that were not specified by the authors). We will refer to protocols that are based on this detection paradigm as Byzantine detection protocols. Herzberg and Kutten [57] used an abstract model to define a class of detectors and explored trade-offs between fault detection time and communication overhead; they showed that these parameters can be adjusted using the timeout values and ACKs from intermediate routers.

In the Byzantine detection protocol of [58], a probe list is associated with each message that is cryptographically protected with a combination of MACs and encryption. The probe list of a given path is the subset of routers in the path that participate in Byzantine detection. Every node in the list is required to send an ACK to the source. Each ACK is protected with a MAC that is computed using the secret key that the source and the probe share and, thus, its authenticity can only be verified at the source. Upon reception of the acknowledgments, the source can determine whether the packet reached the destination and, in the event that the packet was dropped, the source can also determine the location of the failure at the granularity of a link (by observing the point of disruption of the ACK list).
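As an added worked example (not the code of [58]), the following Python simulation shows how a source localizes a forwarding failure from a probe list: each probe nests the ACK material it received from downstream under a MAC keyed with the secret it shares with the source, the source peels the layers in path order, and the point at which peeling stops blames a single link. It also shows why the nesting matters (a router that forwards data but strips the downstream ACKs gets its own downstream link blamed) and how refining the probe list by bisection localizes the failure with a logarithmic number of single-probe attempts. The path, the keys and the behaviors of the misbehaving routers are constructed; a timeout is abstracted as an empty ACK.

```python
"""Added example (not code from [58]): Byzantine detection with a probe list and
nested, MAC-protected ACKs, plus probe-list refinement by bisection.
Path, keys and the behaviors of the misbehaving routers are constructed."""
import hashlib
import hmac

TAG_LEN = 32  # SHA-256 HMAC output length


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def wrap_ack(key: bytes, node: str, downstream: bytes) -> bytes:
    """A probe nests the ACK material it received from downstream under its own MAC,
    so an upstream router cannot strip it without invalidating this layer."""
    body = node.encode() + b"|" + downstream
    return mac(key, body) + body


def deliver(nodes, probes, keys, faulty=None, ack_stripper=None) -> bytes:
    """Simulate one packet over nodes[0] (source) .. nodes[-1] (destination).
    'faulty' silently drops the packet and sends no ACK; 'ack_stripper' forwards
    data but discards the ACK material coming from downstream. A missing ACK
    (timeout) is abstracted as empty bytes. Returns the ACK blob reaching the source."""
    reached = []
    for node in nodes[1:]:
        if node == faulty:
            break
        reached.append(node)
    blob = b""
    for node in reversed(reached):          # ACKs are assembled from the far end back
        if node == ack_stripper:
            blob = b""
        if node in probes:
            blob = wrap_ack(keys[node], node, blob)
    return blob


def unwrap_acks(blob: bytes, probes, keys) -> list:
    """The source peels the layers in path order and stops at the first missing or
    invalid one; only the source holds the keys, so only it can interpret the ACKs."""
    verified = []
    for node in probes:
        if len(blob) < TAG_LEN:
            break
        tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
        marker = node.encode() + b"|"
        if not body.startswith(marker) or not hmac.compare_digest(tag, mac(keys[node], body)):
            break
        verified.append(node)
        blob = body[len(marker):]
    return verified


def blamed_link(nodes, probes, verified):
    """The failure lies between the last verified probe (or the source) and the next
    probe; None when every probe acknowledged."""
    if len(verified) == len(probes):
        return None
    last_good = verified[-1] if verified else nodes[0]
    return (last_good, probes[len(verified)])


def localize_by_bisection(nodes, keys, faulty=None):
    """Refine a single-probe list round by round: after an end-to-end failure the
    number of attempts is logarithmic in the path length. Returns (link, attempts)."""
    lo, hi = 0, len(nodes) - 1
    attempts = 1
    if unwrap_acks(deliver(nodes, [nodes[hi]], keys, faulty), [nodes[hi]], keys):
        return None, attempts               # destination acknowledged: no failure
    while hi - lo > 1:
        mid = (lo + hi) // 2
        attempts += 1
        if unwrap_acks(deliver(nodes, [nodes[mid]], keys, faulty), [nodes[mid]], keys):
            lo = mid                        # probe at mid reached: failure is downstream
        else:
            hi = mid
    return (nodes[lo], nodes[hi]), attempts


# Constructed path S -> r1 -> ... -> r6 -> D and per-node keys shared with S.
PATH = ["S", "r1", "r2", "r3", "r4", "r5", "r6", "D"]
KEYS = {n: b"constructed-key-" + n.encode() for n in PATH}

if __name__ == "__main__":
    probes = PATH[1:]
    acked = unwrap_acks(deliver(PATH, probes, KEYS, faulty="r4"), probes, KEYS)
    print("full probe list blames", blamed_link(PATH, probes, acked))
    print("bisection finds", localize_by_bisection(PATH, KEYS, faulty="r4"))
```

With every router in the probe list the failure is located in a single round at the cost of one ACK layer per hop; the bisection variant trades rounds for overhead, which is the trade-off the text attributes to the choice of probe list.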
In order to save communication overhead and to prevent the adversary from selectively dropping ACKs, downstream ACKs are accumulated in a single packet before they are forwarded, that is, encrypted using the secret key that the probe shares with the source. Note that the probe list need not contain all the nodes in the path. Instead, the source could refine the probe list based on responses to previous probes, thereby identifying Byzantine nodes using O(log n_p) probe attempts, where n_p is the number of nodes on path p. An evaluation through simulation of the benefits of a combination of this protocol with a secure route discovery protocol against various attacks can be found in [59].

In the Byzantine detection protocol of [60, 61], authentication is based on MACs (that protect data packets) and multiple short hash chains (that protect ACKs and fault announcements). This protocol is enhanced to protect against delays that are introduced by adversarial routers in order to degrade protocol performance. The proposed mechanism is based on announcements of delays that packets experience as they are forwarded in the path, measurements of round-trip times, and the subsequent comparison of measured round-trip times and announced delays. A fundamental ambiguity in detecting faults is also identified in [60, 61]: malicious sources can exploit the replay protection mechanism so that nonfaulty routers will drop packets simply because a source is faulty. Therefore, when a timeout expires that indicates a drop, the only router that can accurately interpret the corresponding fault announcement is the source. This ambiguity makes the problem of sharing fault knowledge difficult. In particular, it is shown that a basic mechanism of sharing fault knowledge that globally announces faulty links leads to an intractable combinatorial problem. Finally, protocols are developed that block the traffic originating from malicious routers.
Such protocols can be used to effectuate recovery procedures; for example, in decentralized networks, blocking the traffic of misbehaving routers may serve as an incentive for compliance with packet forwarding agreements.

One of the main applications of Byzantine detection is in achieving Byzantine robustness. In this regard, Byzantine detection provides the network's fault patterns, based on which routing decisions must be made. Innocuous drops, that is, drops that are not instigated by the adversary, complicate these routing decisions (e.g., see [62] for a protocol that adapts to the fault pattern). Congestion drops are an example of innocuous drops that are particularly challenging to handle. Specifically, a routing procedure that forwards packets to the paths of least congestion can destabilize the network (i.e., traffic will oscillate and will tend to be forwarded to congested paths) [63, 64]. This issue is identified here for the first time and further work is required to address this problem.

Secure Traceroute

Traceroute uses ICMP (Internet control message protocol) messages to either incrementally determine the full path from a source to a destination or identify the first router upstream of a black hole. Traceroute has fine link-level detection granularity but cannot prevent the preferential treatment of its packets by an adversary, who can in this way avoid detection. Similar to traceroute, secure traceroute [65] incrementally determines the full path from a source to a destination, but in a secure fashion that determines packet delivery failures at link-level granularity. The idea in secure traceroute is to embed secret identifiers in data packets to single out some of these packets as probes. These probes look indistinguishable from normal traffic and, therefore, cannot receive preferential treatment by an adversary.

Testing for Conservation of Flow

The approach to secure data packet forwarding in [66] is based on the conservation-of-flow principle.
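An added illustration (not the code of [66]) of testing that invariant over the traffic reports exchanged in a coordination phase, in Python with constructed counters: each router reports per-link transmit and receive counts, neighbors' reports are compared link by link, and each router's own books are checked for conservation. A router that drops transit packets and reports honestly fails its own conservation check; if it instead under-reports what it received, the discrepancy surfaces on the link it shares with its honest upstream neighbor. The tolerance threshold is a constructed value, and the reports themselves would have to be authenticated in a real deployment.

```python
"""Added example (not code from [66]): conservation-of-flow checks over the traffic
reports routers exchange in a coordination phase. All counters are constructed."""

# Fraction of traffic that may go missing innocuously (congestion, queue overflow)
# before a link or router is flagged. Constructed threshold, not a value from [66].
TOLERANCE = 0.02


def link_mismatches(reports: dict) -> list:
    """Compare what router a says it sent on link (a, b) with what b says it received.
    Returns (a, b, sent, received) for every link where the gap exceeds TOLERANCE.
    The pairwise comparison implicates the link, not which endpoint is at fault."""
    flagged = []
    for a, rep in reports.items():
        for b, sent in rep["tx"].items():
            received = reports.get(b, {}).get("rx", {}).get(a, 0)
            if sent - received > TOLERANCE * sent:
                flagged.append((a, b, sent, received))
    return flagged


def router_violations(reports: dict) -> list:
    """Per-router conservation of flow: packets received plus packets originated
    locally must equal packets transmitted plus packets delivered locally."""
    flagged = []
    for r, rep in reports.items():
        inflow = sum(rep["rx"].values()) + rep.get("originated", 0)
        outflow = sum(rep["tx"].values()) + rep.get("delivered", 0)
        if inflow - outflow > TOLERANCE * inflow:
            flagged.append((r, inflow, outflow))
    return flagged


def suspects(reports: dict) -> set:
    """Routers failing their own check plus both endpoints of every mismatching link."""
    names = {r for r, _, _ in router_violations(reports)}
    for a, b, _, _ in link_mismatches(reports):
        names.update((a, b))
    return names


# Constructed reports for a chain A -> B -> C carrying 1000 packets from A to C.
# Router B silently drops 300 transit packets but reports its counters honestly.
HONEST_COUNTERS = {
    "A": {"tx": {"B": 1000}, "rx": {}, "originated": 1000, "delivered": 0},
    "B": {"tx": {"C": 700}, "rx": {"A": 1000}, "originated": 0, "delivered": 0},
    "C": {"tx": {}, "rx": {"B": 700}, "originated": 0, "delivered": 700},
}
# Same drops, but B under-reports what it received from A so its own books balance.
LYING_COUNTERS = {
    "A": {"tx": {"B": 1000}, "rx": {}, "originated": 1000, "delivered": 0},
    "B": {"tx": {"C": 700}, "rx": {"A": 700}, "originated": 0, "delivered": 0},
    "C": {"tx": {}, "rx": {"B": 700}, "originated": 0, "delivered": 700},
}

if __name__ == "__main__":
    print("honest B:", router_violations(HONEST_COUNTERS), link_mismatches(HONEST_COUNTERS))
    print("lying B: ", router_violations(LYING_COUNTERS), link_mismatches(LYING_COUNTERS))
```

In both cases B appears among the suspects, but when B lies the evidence moves from its own ledger to the A-B link and the local checks alone cannot tell A from B; that ambiguity is what the global comparison of measured flows in [66] is there to resolve.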
The idea in [66] is that if malicious routers drop packets, then conservation of flow will not hold in the network. This invariant can be tested if routers measure the volume of flows that enter and leave their incident links and compare the measured flows in a global coordination phase. Misbehaving routers will, thus, be detected in this phase. Bradley et al. [66] do not consider, however, protection against malicious routers that modify packets, which is typically provided by authentication mechanisms and is a critical parameter to the performance of the routing system.

Intrusion Detection Systems (IDSs)

An IDS is a system that statistically analyzes input data (e.g., network traffic) with the purpose of detecting whether an intrusion has occurred or is occurring. Routing protection mechanisms have been designed to conform to the general IDS principles, but traditional IDSs have also been adapted in order to protect the security of routing. In [67, 68], an IDS for the protection of routing is proposed that is based on a traffic validation component that monitors traffic characteristics and looks for anomalous behavior, a distributed detection component that coordinates the traffic monitors and detects faulty routers or groups that contain faulty routers, and a response component that takes countermeasures against detected faulty routers (or groups). The distributed
detection component is discussed in detail in [67], where two protocols are proposed that trade off detection accuracy and overhead. Two important characteristics of the proposed detection protocols are time synchronization, which facilitates the comparison of collected traffic, and Byzantine consensus [69], which ensures uniform decisions on detected faulty network paths. IDSs have also been proposed for the protection of mobile ad hoc network routing. The reader with a further interest in this area may consult [70, 71]. A detailed discussion on IDSs is also found in Chapter 6 of this book.

Nuglets: A Penalty Reward System

The approaches that we described up to now secured data packet forwarding by either exploiting path redundancy or detecting adversarial locations. The approach in [72] is different in that it proposes a mechanism to stimulate cooperation in packet forwarding by requiring routers to maintain a nuglet counter that is protected by a tamper-resistant hardware module. The counter is decremented at a router whenever it acts as a source and incremented whenever it forwards packets for the benefit of other nodes. In this way, selfish routers that do not forward packets will not have enough nuglets to insert new packets into the network.

2.5 CONCLUSION AND RESEARCH ISSUES

In this chapter, we have described attacks on the routing function and reviewed the literature on routing protection mechanisms in the topology/route discovery step and in the data packet forwarding step. Although attention to the routing security problem is recent, several approaches for the protection of different networking technologies and their routing protocols have been proposed. The problem, in spite of its complexity, is tractable, but there remain several open issues to be addressed. Some of these issues were outlined in the previous sections and we also outline some more issues in this section.
Overlay Networks

With the exception of the work in [73], which applies to peer-to-peer networks, the protection of overlay networks (such as RON) is largely unexplored. An interesting property of such networks is that almost every pair of overlay routers can communicate directly. Topology discovery is, thus, primarily concerned with finding not workable routes but, rather, routes with good performance.

Failure Models

Byzantine failures may occur in a network not only because of an adversary being present in the network but also because of accidents and human error, that is, misconfigurations and software bugs [74-76]. Creating models of failures that are due to misconfigurations is an active research topic. However, modeling failures due to router compromise is a topic that has not been investigated, to the best of our knowledge. Such a model would give very useful insight into the secure routing problem and would allow cross-fertilization between the two areas.

Adapting to the Adversary

The resulting failure models are likely to require from the protection mechanism different levels of protection and, as a result, different levels of performance at which the network will operate in anticipation of and during a Byzantine failure. We, therefore, propose the development of mechanisms that will balance the performance
of the network with its recovery capability according to the threat that the adversary poses to the packet delivery service. A first approach in this regard is taken in [77].

ACKNOWLEDGMENTS

Ioannis Avramopoulos and Hisashi Kobayashi have been supported, in part, by a grant from the New Jersey Center for Wireless and Internet Security (NJWINS) and a wireless testbed project (ORBIT) grant from the National Science Foundation. Arvind Krishnamurthy has been supported by National Science Foundation (NSF) grants CCR , ANI , and CCR . Randy Wang has been supported by NSF grants CCR and CCR . We thank Dr. Bill Leighton and Dr. Jennifer Rexford of AT&T Research for describing to us Byzantine failures in operational networks and providing useful suggestions and references in the course of our research on this topic. We also thank Alper Mizrak of the University of California, San Diego, for pointing out the packet reordering attack, reviewing an earlier draft of this chapter, and providing useful references. Finally, we thank Professor Wade Trappe of Rutgers University and the editors of this book for helpful suggestions on the organization of this chapter.

REFERENCES

1. S. Bellovin and E. Gansner, Using link cuts to attack Internet routing, draft, May.
2. L. Peterson and B. Davie, Computer Networks: A Systems Approach, 2nd ed., Morgan Kaufmann, San Francisco.
3. J. Moy, OSPF version 2, RFC 2328, Internet Engineering Task Force, Apr.
4. G. Malkin, RIP version 2, RFC 1723, Internet Engineering Task Force, Nov.
5. Y. Rekhter, A border gateway protocol 4 (BGP-4), RFC 1654, Internet Engineering Task Force, Mar.
6. C. Huitema, Routing in the Internet, 2nd ed., Prentice-Hall, Upper Saddle River, NJ.
7. R. Perlman, Interconnections: Bridges, Routers, Switches, and Internetworking Protocols, 2nd ed., Addison-Wesley Professional, Reading, MA.
8. J. Stewart, BGP4: Inter-Domain Routing in the Internet, Addison-Wesley Professional, Reading, MA.
9. D. Andersen, H. Balakrishnan, F. Kaashoek, and R. Morris, Resilient overlay networks, in Proceedings of the ACM Symposium on Operating System Principles, Banff, Canada, Oct.
10. D. Johnson, D. Maltz, and Y.-C. Hu, The dynamic source routing protocol for mobile ad hoc networks (DSR), Internet draft (work in progress), Apr.
11. C. Perkins, E. Belding-Royer, and S. Das, Ad hoc on-demand distance vector (AODV) routing, RFC 3561, Internet Engineering Task Force, July.
12. T. Clausen and P. Jacquet, Optimized link state routing protocol (OLSR), RFC 3626, Internet Engineering Task Force, Oct.
13. R. Ogier, F. Templin, and M. Lewis, Topology dissemination based on reverse-path forwarding (TBRPF), RFC 3684, Internet Engineering Task Force, Feb.
14. C. Perkins and P. Bhagwat, Highly dynamic destination-sequenced distance-vector routing (DSDV) for mobile computers, ACM SIGCOMM Computer Communication Review, 24(4), Oct.
15. Z. Haas and M. Pearlman, The performance of query control schemes for the zone routing protocol, ACM/IEEE Transactions on Networking, 9(4), Aug.
16. J. Bellardo and S. Savage, Measuring packet reordering, in Proceedings of the ACM SIGCOMM Internet Measurement Workshop, Marseille, France, Nov.
17. J. Bennett, C. Partridge, and N. Shectman, Packet reordering is not pathological network behavior, IEEE/ACM Transactions on Networking, 7(6).
18. A. Demers, S. Keshav, and S. Shenker, Analysis and simulation of a fair queueing algorithm, ACM SIGCOMM Computer Communication Review, 19(4): 1-12, Sept.
19. A. Parekh and R. Gallager, A generalized processor sharing approach to flow control in integrated services networks: The single-node case, IEEE/ACM Transactions on Networking, 1(3), June 1993.
20. A. Parekh and R. Gallager, A generalized processor sharing approach to flow control in integrated services networks: The multiple node case, IEEE/ACM Transactions on Networking, 2(2), Apr.
21. R. Perlman, Network layer protocols with Byzantine robustness, PhD thesis, Massachusetts Institute of Technology, Cambridge, MA, Aug.
22. Y.-C. Hu, A. Perrig, and D. Johnson, Packet leashes: A defense against wormhole attacks in wireless networks, in Proceedings of the IEEE Infocom, San Francisco, CA, Mar.
23. C. Kaufman, R. Perlman, and M. Speciner, Network Security: Private Communications in a Public World, 2nd ed., Prentice-Hall, Upper Saddle River, NJ.
24. B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd ed., Wiley, New York.
25. R. Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems, Wiley, New York.
26. W. Cheswick, S. Bellovin, and A. Rubin, Firewalls and Internet Security: Repelling the Wily Hacker, 2nd ed., Addison-Wesley, Reading, MA.
27. R. Rivest, A. Shamir, and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, 21(2), Feb.
28. H. Krawczyk, M. Bellare, and R. Canetti, HMAC: Keyed-hashing for message authentication, RFC 2104, Internet Engineering Task Force, Feb.
29. J. Daemen and V. Rijmen, The block cipher Rijndael, in J.-J. Quisquater and B. Schneier, Eds., Smart Card Research and Applications, LNCS 1820, Springer-Verlag, New York, 2000.
30. L. Lamport, Password authentication with insecure communication, Communications of the ACM, 24(11), Nov.
31. A. Perrig, R. Canetti, D. Song, and D. Tygar, Efficient and secure source authentication for multicast, in Proceedings of the Network and Distributed System Security Symposium, San Diego, CA.
32. M. Bohge and W. Trappe, An authentication framework for hierarchical ad hoc sensor networks, in Proceedings of the ACM Workshop on Wireless Security, San Diego, CA, Sept.
33. I. Avramopoulos and H. Kobayashi, Guaranteed delivery flooding protocols for mobile ad hoc networks, in Proceedings of the IEEE Wireless Communications and Networking Conference, Atlanta, GA, Mar.
34. S. Murphy and M. Badger, Digital signature protection of the OSPF routing protocol, in Proceedings of the Symposium on Network and Distributed System Security, San Diego, CA.
35. S. Murphy, M. Badger, and B. Wellington, OSPF with digital signatures, RFC 2154, Internet Engineering Task Force, June.
36. R. Hauser, T. Przygienda, and G. Tsudik, Reducing the cost of security in link state routing, in Proceedings of the Symposium on Network and Distributed System Security, San Diego, CA, Feb.
37. B. Smith, S. Murthy, and J. Garcia-Luna-Aceves, Securing distance-vector routing protocols, in Proceedings of the Symposium on Network and Distributed System Security, San Diego, CA.
38. Y.-C. Hu, A. Perrig, and D. Johnson, Efficient security mechanisms for routing protocols, in Proceedings of the Network and Distributed System Security Symposium, San Diego, CA, Feb.
39. Y.-C. Hu, D. Johnson, and A. Perrig, SEAD: Secure efficient distance vector routing for mobile wireless ad hoc networks, Ad Hoc Networks, 1.
40. S. Kent, C. Lynn, and K. Seo, Secure border gateway protocol (Secure-BGP), IEEE Journal on Selected Areas in Communications, 18(4), Apr.
41. G. Goodell, W. Aiello, T. Griffin, J. Ioannidis, P. McDaniel, and A. Rubin, Working around BGP: An incremental approach to improving security and accuracy of interdomain routing, in Proceedings of the Network and Distributed System Security Symposium, San Diego, CA, Feb.
42. L. Subramanian, V. Roth, I. Stoica, S. Shenker, and R. Katz, Listen and whisper: Security mechanisms for BGP, in Proceedings of the Symposium on Networked Systems Design and Implementation, San Francisco, CA, Mar.
43. S. Murphy, BGP security vulnerabilities analysis, Internet draft (work in progress), Oct.
44. B. Smith and J. Garcia-Luna-Aceves, Securing the border gateway routing protocol, in Proceedings of the Global Internet, London, Nov.
45. Y.-C. Hu and A. Perrig, SPV: A secure path vector routing scheme for securing BGP, in Proceedings of the ACM SIGCOMM 2004, Portland, OR, Sept.
46. P. Papadimitratos and Z. Haas, Secure routing for mobile ad hoc networks, in Proceedings of the Communication Networks and Distributed Systems Modeling and Simulation Conference, San Antonio, TX, Jan.
47. Y.-C. Hu, A. Perrig, and D. Johnson, Ariadne: A secure on-demand routing protocol for ad hoc networks, in Proceedings of the Eighth Annual International Conference on Mobile Computing and Networking, Atlanta, GA, Sept.
48. K. Sanzgiri, B. Dahill, B. Levine, C. Shields, and E. Belding-Royer, A secure routing protocol for ad hoc networks, in Proceedings of the IEEE International Conference on Network Protocols, Paris, France, Nov.
49. L. Hu and D. Evans, Using directional antennas to prevent wormhole attacks, in Proceedings of the Network and Distributed System Security Symposium, San Diego, CA, Feb.
50. Y.-C. Hu, A. Perrig, and D. Johnson, Rushing attacks and defense in wireless ad hoc network routing protocols, in Proceedings of the ACM Workshop on Wireless Security, San Diego, CA, Sept.
51. B. Waters and E. Felten, Secure, private proofs of location, Technical Report, Princeton University Computer, Princeton, NJ, Jan.
52. P. Papadimitratos and Z. Haas, Secure link state routing for mobile ad hoc networks, in Proceedings of the IEEE Workshop on Security and Assurance in Ad Hoc Networks, Orlando, FL, Jan.
53. M. Zapata and N. Asokan, Securing ad hoc routing protocols, in Proceedings of the ACM Workshop on Wireless Security, Atlanta, GA, Sept.
54. E. Metcalfe, A proposed framework for a hybrid secure routing protocol using intrusion detection techniques, Master's thesis, Princeton University, Princeton, NJ, May.
55. P. Papadimitratos and Z. Haas, Secure data transmission in mobile ad hoc networks, in Proceedings of the ACM Workshop on Wireless Security, San Diego, CA, Sept.
56. P. Papadimitratos and Z. Haas, Secure message transmission in mobile ad hoc networks, Elsevier Ad Hoc Networks Journal, 1(1), July.
57. A. Herzberg and S. Kutten, Early detection of message forwarding faults, SIAM Journal on Computing, 30(4).
58. B. Awerbuch, D. Holmer, C. Nita-Rotaru, and H. Rubens, An on-demand secure routing protocol resilient to Byzantine failures, in Proceedings of the ACM Workshop on Wireless Security, Atlanta, GA, Sept.
59. B. Awerbuch, R. Curtmola, D. Holmer, C. Nita-Rotaru, and H. Rubens, Mitigating Byzantine attacks in ad hoc wireless networks, Technical Report, Johns Hopkins University, Baltimore, MD, Mar.
60. I. Avramopoulos, H. Kobayashi, R. Wang, and A. Krishnamurthy, Amendment to highly secure and efficient routing, Feb., iavramopoulos/amendent.pdf.
61. I. Avramopoulos, H. Kobayashi, R. Wang, and A. Krishnamurthy, Highly secure and efficient routing, in Proceedings of the IEEE Infocom 2004, Hong Kong, Mar.
62. B. Awerbuch, D. Holmer, and H. Rubens, Swarm intelligence routing resilient to Byzantine adversaries, in Proceedings of the IEEE International Zurich Seminar on Communications, Zurich, Switzerland, Feb.
63. D. Bertsekas, Dynamic behavior of shortest path routing algorithms for communication networks, IEEE Transactions on Automatic Control, 27(1): 60-74, Feb.
64. J. Wang, L. Li, S. Low, and J. Doyle, Can shortest path routing and TCP maximize utility, in Proceedings of the IEEE Infocom, San Francisco, CA, Mar.
65. V. Padmanabhan and D. Simon, Secure traceroute to detect faulty or malicious routing, in Proceedings of the ACM SIGCOMM HotNets Workshop, Princeton, NJ, Oct.
66. K. Bradley, S. Cheung, N. Puketza, B. Mukherjee, and R. Olsson, Detecting disruptive routers: A distributed network monitoring approach, IEEE Network Magazine, Sept./Oct.
67. A. Mizrak, K. Marzullo, and S. Savage, Detecting malicious routers, Technical Report CS, University of California at San Diego, Department of Computer Science, May.
68. A. Mizrak, K. Marzullo, and S. Savage, Fault-tolerant forwarding in the face of malicious routers, in Proceedings of the Second Bertinoro Workshop on Future Directions in Distributed Computing, Bertinoro, Italy, June.
69. L. Lamport, R. Shostak, and M. Pease, The Byzantine generals problem, ACM Transactions on Programming Languages and Systems (TOPLAS), 4(3).
70. A. Mishra, K. Nadkarni, and A. Patcha, Intrusion detection in wireless ad hoc networks, IEEE Wireless Communications Magazine, 11(1): 48-60, Feb.
71. Y. Zhang, W. Lee, and Y.-A. Huang, Intrusion detection techniques for mobile wireless networks, ACM/Kluwer Wireless Networks, 9(5).
72. L. Buttyan and J.-P. Hubaux, Stimulating cooperation in self-organizing mobile ad hoc networks, ACM/Kluwer Mobile Networks and Applications, 8(5).
73. M. Castro, P. Druschel, A. Ganesh, A. Rowstron, and D. S. Wallach, Secure routing for structured peer-to-peer overlay networks, SIGOPS Operating Systems Review, 36(SI).
74. D. Caldwell, A. Gilbert, J. Gottlieb, A. Greenberg, G. Hjalmtysson, and J. Rexford, The cutting EDGE of IP router configuration, in Proceedings of the ACM SIGCOMM HotNets Workshop, Cambridge, MA, Nov.
75. N. Feamster, Practical verification techniques for wide-area routing, in Proceedings of the ACM SIGCOMM HotNets Workshop, Cambridge, MA, Nov.
76. R. Mahajan, D. Wetherall, and T. Anderson, Understanding BGP misconfiguration, in Proceedings of the ACM SIGCOMM Conference, Pittsburgh, PA, Aug.
77. I. Avramopoulos, A. Krishnamurthy, H. Kobayashi, and R. Wang, Nicephorus: Striking a balance between the recovery capability and the overhead of Byzantine detection, Technical Report TR, Princeton University, Department of Computer Science, Princeton, NJ, Aug.
78. I. Avramopoulos, H. Kobayashi, A. Krishnamurthy, and R. Wang, Opt and vent: An efficient protocol for Byzantine detection in wireless ad hoc network routing, Technical Report TR, Princeton University, Department of Computer Science, Princeton, NJ, Aug.
79. I. Avramopoulos, H. Kobayashi, and R. Wang, A routing protocol with Byzantine robustness, in Proceedings of the IEEE Sarnoff Symposium, Princeton, NJ, Mar.
80. R. Ellison, D. Fisher, R. Linger, H. Lipson, T. Longstaff, and N. Mead, Survivability: Protecting your critical systems, IEEE Internet Computing, Nov./Dec. 1999.
81. R. Canetti et al., Multicast security: A taxonomy and some efficient constructions, in Proceedings of the IEEE Infocom, New York, NY, Mar.
82. S. Marti, T. Giuli, K. Lai, and M. Baker, Mitigating routing misbehavior in mobile ad hoc networks, in Proceedings of the Sixth ACM International Conference on Mobile Computing and Networking, Boston, MA, Aug.
Chapter 3 Designing Firewalls: A Survey

Angelos D. Keromytis and Vassilis Prevelakis

3.1 INTRODUCTION

A firewall is a collection of components interposed between two networks that filter traffic between them according to some security policy [1]. Typically, firewalls rely on restrictions in the network topology to perform this filtering. One key assumption under this model is that everyone on the protected network(s) is trusted, since internal traffic is not seen by the firewall and thus cannot be filtered; if that is not the case, then additional, internal firewalls have to be deployed in the internal network. Most of the complexity in using firewalls today lies in managing a large number of firewalls and ensuring that they enforce a consistent policy across an organization's network.

The typical firewall configuration, shown in Figure 3.1, usually comprises two packet filtering routers creating a restricted access network called the DMZ (demilitarized zone). The DMZ acts as a buffer between the internal (trusted) and external (untrusted) networks. This configuration attempts to satisfy a number of goals:

- Protect hosts on the internal (inside) network from attacks from the outside
- Allow machines located in the DMZ to be accessed from the outside and thus be able to provide services to the outside world or serve as stepping stones linking hosts from the internal network to hosts in the outside world
- Enforce an organizationwide security policy, which may include restrictions unrelated to security, for example, access to certain websites during office hours

For a firewall to be effective, it must be strategically placed so that all traffic between the internal network and the outside world passes through it. This implies that firewalls traditionally are located at the points where the internal network is connected to the outside network (e.g., the Internet service provider). These are called the choke points.
By placing the firewall at the choke points we control all traffic that enters or leaves the internal network. However, as the speed of the network connections increases and the policies that must be applied by firewalls become more complex, firewalls may become bottlenecks restricting the amount of legitimate information that may pass through them.

Network Security: Current Status and Future Directions, Edited by C. Douligeris and D. N. Serpanos. Copyright 2007 the Institute of Electrical and Electronics Engineers, Inc.
Figure 3.1 Typical firewall configuration.

Demilitarized Zone

The DMZ is a special part of the network that enjoys only partial protection from the firewall. This allows the firewall administrator to establish a special set of policies for these machines. So, for example, while the main security policy may dictate that internal hosts may not be contacted from the outside network, a special DMZ policy may allow exceptions so that a Web server located in the DMZ may be contacted over Transmission Control Protocol (TCP) port 80, or so that a mail server may be contacted over the SMTP (Simple Mail Transfer Protocol) port, TCP port 25.

The positioning of the hosts in the DMZ also makes them more vulnerable, which is why they are usually configured with special attention to their security. Such hosts are sometimes referred to as bastion hosts. Bastion hosts, while they are general-purpose computers running a general-purpose operating system, usually have highly specialized configurations allowing them to run only the designated services and nothing more. Sometimes, these machines run with statically assigned operational parameters [e.g., using the /etc/hosts file for name resolution rather than the domain name system (DNS)]. This is to minimize the risk that an attacker may use a service unrelated to the function of the machine to gain a foothold. Moreover, the software installed on bastion hosts is a subset of the standard distribution (e.g., it may lack compilers, network monitoring tools, etc.) so that a potential intruder will not be able to use the compromised machine to launch attacks on other machines in the network.

Administrators must assume that eventually hosts in the DMZ will be compromised and establish recovery strategies. Such strategies may include steps to contain the attack, to gather evidence of the break-in or information about the attacker, and so on.
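The DMZ policy sketched above can be expressed as an ordered packet filter. The following Python program is an added example, not code from the chapter: the zone address ranges, the rule set and the packets are constructed. The first matching rule wins, the last rule is the default deny, and traffic whose two endpoints are in the same zone is reported as unfiltered because, as noted in the introduction, it never crosses the choke point.

```python
"""Added example (not from the chapter): a first-match packet filter encoding the
DMZ policy described in the text. Address ranges, rules and packets are constructed."""
import ipaddress
from collections import namedtuple

# Constructed zone layout: inside (trusted), DMZ (bastion hosts), everything else outside.
ZONES = {
    "inside": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"


Rule = namedtuple("Rule", "action src_zone dst_zone proto dport")
Packet = namedtuple("Packet", "src dst proto dport")
ANY = None  # wildcard in a rule field

# Order matters: the first matching rule wins and the last rule is the default deny.
POLICY = [
    Rule("allow", "outside", "dmz", "tcp", 80),   # public web server in the DMZ
    Rule("allow", "outside", "dmz", "tcp", 25),   # SMTP gateway in the DMZ
    Rule("allow", "dmz", "inside", "tcp", 25),    # gateway relays mail to the internal server
    Rule("allow", "inside", ANY, ANY, ANY),       # connections initiated from inside
    Rule("deny", ANY, ANY, ANY, ANY),             # default deny
]


def matches(rule: Rule, pkt: Packet, src_zone: str, dst_zone: str) -> bool:
    """A rule matches when every non-wildcard field equals the packet's field."""
    pairs = ((rule.src_zone, src_zone), (rule.dst_zone, dst_zone),
             (rule.proto, pkt.proto), (rule.dport, pkt.dport))
    return all(r is ANY or r == v for r, v in pairs)


def decide(policy, pkt: Packet) -> str:
    """'allow' or 'deny' for traffic crossing the firewall; 'unfiltered' when both
    endpoints are in the same zone, since that traffic never reaches the choke point."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    if src_zone == dst_zone:
        return "unfiltered"
    for rule in policy:
        if matches(rule, pkt, src_zone, dst_zone):
            return rule.action
    return "deny"  # unreachable with an explicit default rule; kept as a safety net


if __name__ == "__main__":
    # Constructed sample packets (203.0.113.0/24 is a documentation range used as "outside").
    for pkt in (Packet("203.0.113.5", "192.0.2.10", "tcp", 80),
                Packet("203.0.113.5", "192.0.2.10", "tcp", 22),
                Packet("203.0.113.5", "10.1.2.3", "tcp", 80),
                Packet("10.1.2.3", "10.1.2.4", "tcp", 22)):
        print(pkt, "->", decide(POLICY, pkt))
```

The filter is stateless, so replies to connections initiated from inside (or from the outside to the DMZ web server) would need either explicit return-traffic rules or connection tracking; that, and the absence of any application-level knowledge in the rules, is why the chapter goes on to distinguish packet filters from application-level gateways.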
Regardless of the adopted strategy, the system administrator must be able to restore service on the compromised machine as soon as possible. This implies that the entire configuration of the machine has been backed up and that procedures exist for the reinitialization of the infected machine and the restoration of its configuration and associated data sets. Unless the method used by the attacker is identified, merely bringing the machine back online with a clean configuration is not enough: the attacker will simply use the same attack vector to compromise the machine once again. We need to identify the vulnerability that allowed the attack to take place and fix it before the machine can be reconnected to the network. Detecting and understanding the attacks that take place against hosts in the DMZ, or perhaps the internal network, are important aspects of a firewall. Traffic monitoring and event logging are the primary tools of the network administrator. Intrusion detection systems (IDSs) may also be installed in the DMZ to detect and sometimes respond to attacks.

Packet Filters Versus Application-Level Gateways

The two routers in the example above employ some rules (e.g., an access control list) to determine which types of packets to allow through. Packet-level filtering is rather coarse, as it is positioned at the network and transport layers and hence has little or no information about what is happening at the application level. Thus, policies such as "only user X may access e-mail over HTTP during working hours" cannot be expressed. Higher level policies that require specific knowledge of the application (e.g., virus scanners) or user authentication are best handled by proxy servers, also known as application-level gateways. Such machines are typically located in the DMZ and process traffic for specific applications.

One such example is the e-mail gateway. Typically, the e-mail server is located in the protected network, as it has to deal with internal e-mail as well. In order to prevent a compromise of the e-mail server, we do not want to allow it to accept direct connections from the outside network (Internet).
We therefore position an e-mail proxy in the DMZ which simply collects inbound e-mail. The e-mail server then contacts the proxy at regular intervals to pick up any e-mail that may have arrived in the meantime. Notice that the e-mail proxy is totally passive; it waits to be contacted by the internal e-mail server or by outside hosts. This ensures that even if the proxy were to be compromised, the intruder would not be able to probe or attack the internal e-mail server. Of course, this arrangement can only protect against network attacks; it cannot protect against data bombs such as viruses. Additional analysis of the contents of the messages has to be carried out in order to determine whether they contain suspicious content. To do this, the gateway needs to understand the way messages are constructed [i.e., encoding standards such as Multipurpose Internet Mail Extensions (MIME), uuencode, zip, etc.]. Since attackers constantly come up with different strategies, the defenders need to be very rigorous in keeping up with security advisories and virus signatures. This increasingly looks like a full-time task, and often companies subcontract the analysis of inbound e-mail to outside security firms. In such cases, e-mail may be diverted over the Internet to the site of a security firm where it is analyzed and evaluated. E-mail that is considered safe is then returned to the proxy, where it may be picked up by the internal e-mail server.

Stateful Firewalls

Originally, firewalls were designed to deal with each packet individually, forcing the firewall to decide whether to allow a packet through only on the basis of the information contained within that packet.
This created difficulties with protocols that rely on secondary connections for the exchange of additional information [e.g., File Transfer Protocol (FTP)]. Since the firewall could not know whether the (secondary) connection request was issued by an existing connection or was created independently, the firewall was forced to reject it. Stateful firewalls employ state machines to maintain state associated with established protocol connections. Decisions are made on the basis of the information in the packet plus the state of the connection maintained by the firewall. Thus, a TCP packet with the SYN flag cleared will be rejected unless it belongs to an already established connection. Even in cases where information is exchanged without setting up a connection [connectionless communications such as those carried over the User Datagram Protocol (UDP)], the firewall can make a note that a request packet has passed on its way out of the protected network and thus allow the reply through [e.g., a Simple Network Management Protocol (SNMP) query from an internal network management station to an agent located in the DMZ].

Additional Services

In many situations, firewalls also provide a number of additional services which, while not strictly part of the firewall job description, have been used so widely that they are now considered an integral part of a firewall.

Network Address Translation

The ever-increasing scarcity of Internet Protocol (IP) addresses has been forcing network administrators to use special IP addresses that are considered private. Such addresses may be used only within the boundaries of a given network but are meaningless on the Internet. This is because they are not unique, so the backbone routers carry no routing information about them. If hosts with private IP addresses require access to the Internet, they must use an intermediary host that has a global address.
Such a host may act as a proxy, relaying the request to the final destination. However, proxies may not always be usable because of limitations of the protocol, the use of end-to-end encryption, and, most importantly, the additional administrative cost of setting up and maintaining separate proxies for each of the desired services. In such cases the use of network address translation (NAT, or IP masquerade) is recommended. Under a NAT regimen the intermediary host modifies the outgoing packet, changing the source address to its own address. In this way the response will be received by the intermediary host, which will again modify the packet's destination address to that of the internal host. Given the location of firewall assets in the network, it is quite natural to assign the NAT task to them. This is because firewalls already have to examine (for packet filtering purposes) packets that cross the network boundaries and also because firewalls already maintain state about the connections that exist between internal and external hosts.

Split-Horizon DNS

The DNS provides information related to the mapping between IP addresses and hostnames. This information may be used by an attacker to identify targets (e.g., a machine called mailhost is likely to be the mail server of the organization and hence have mail-related services activated). For this reason two DNS servers are often employed, one for the internal network and one on the DMZ providing information to outside hosts. The internal DNS server maintains information about all hosts in the internal network, while the server in the DMZ stores only information that should be known to outside parties (generally names of machines that are accessible from the outside).

Mitigating Host Fingerprinting

Computer systems are to a large extent deterministic, and this can be used as a means of identification (fingerprinting) or, worse, as a means of subverting a system by anticipating its response to various events. Fingerprinting is a technique that allows remote attackers to gather enough information about a system so that they can determine its type and software configuration (version of operating system, applications, etc.). This information can then be used to determine what vulnerabilities may be present in that configuration and thus better plan an attack. Many packet filtering firewalls include a scrub function that normalizes and defragments incoming packets. This gives applications and hosts on the internal network some protection against hand-crafted packets designed to trigger vulnerabilities. Another approach is to apply a similar technique to outgoing packets in order to hide identifying features of the IP stack implementation. A key part of the obfuscation process is protection against time-dependent probes. Different TCP implementations have variations in their timeout counters, congestion avoidance algorithms, and so on. By monitoring the response of the host under inspection to simulated packet loss, the timing probe can determine the version of the TCP implementation and, by extension, that of the operating system (OS).
Also, the use of various techniques for rate-limiting Internet Control Message Protocol (ICMP) messages by the victim system can provide hints to the attacker. The effectiveness of such probes can be reduced by homogenizing the rate of ICMP traffic going through the firewall or by introducing random delays to ICMP replies.

Intrusion Detection Systems

A corollary of the "there is no perfect security" rule is that your firewall assets will eventually be compromised. With this in mind, it is imperative to have a strategy for detecting and responding to the security breach. Intrusion detection systems (IDSs) are naturally placed within the DMZ and may be traffic monitors or booby-trapped hosts. Traffic monitoring systems tap into all traffic that crosses the DMZ and attempt to identify patterns that may indicate an attack. Booby-trapped systems (also known as honeypots) are systems that are configured to look like potential targets for attack (e.g., running many services, running old versions of software that are known to contain vulnerabilities, etc.). Since authorized users of the network know that they should not be using the honeypot host, anybody who does try to access this host is, by definition, an intruder. Output from the IDS is used as a signal to trigger attack containment and mitigation actions that are described later in this chapter. IDSs are discussed in greater detail in Chapter
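The stateful filtering rule described above (a TCP packet with SYN cleared is rejected unless it belongs to a tracked connection, and a UDP reply is admitted only if the request was seen leaving) and the NAT rewriting that the chapter says naturally belongs on the same device, as an added example that is not the chapter's own code. The protected range 10.0.0.0/8, the global address 203.0.113.1, the port numbers and the packet objects are all constructed for the demonstration, and the DMZ is folded into the outside for simplicity.

```python
"""Toy stateful packet filter with NAT masquerading (added example).

Constructed assumptions: the protected network is 10.0.0.0/8, the firewall's
single global address is 203.0.113.1, packets are small Python objects rather
than real frames, and the only policy is "allow flows initiated from inside
and the replies to them".
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
EXTERNAL_ADDR = "203.0.113.1"


@dataclass
class Packet:
    proto: str           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False    # TCP flags; ignored for UDP
    ack: bool = False


@dataclass
class StatefulNatFirewall:
    next_port: int = 40000
    # (proto, internal src, sport, external dst, dport) -> translated source port
    conns: Dict[Tuple, int] = field(default_factory=dict)
    # (proto, translated port, external host, its port) -> the outbound key above
    reverse: Dict[Tuple, Tuple] = field(default_factory=dict)

    @staticmethod
    def _internal(addr: str) -> bool:
        return ipaddress.ip_address(addr) in INTERNAL_NET

    def process(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Return (verdict, rewritten packet); the packet is None on DROP."""
        if self._internal(pkt.src) and not self._internal(pkt.dst):
            return self._outbound(pkt)
        if not self._internal(pkt.src) and pkt.dst == EXTERNAL_ADDR:
            return self._inbound(pkt)
        return "DROP", None   # spoofed source or otherwise unexpected direction

    def _outbound(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.conns:
            # Stateful rule: a TCP packet with SYN cleared is acceptable only if
            # it belongs to a connection we already track. This one does not.
            if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
                return "DROP", None
            # New flow (a TCP SYN or a UDP request): record state and allocate a
            # translated port. The UDP state is what lets the reply back in.
            nat_port, self.next_port = self.next_port, self.next_port + 1
            self.conns[key] = nat_port
            self.reverse[(pkt.proto, nat_port, pkt.dst, pkt.dport)] = key
        nat_port = self.conns[key]
        # NAT: the source becomes the firewall's global address and mapped port.
        out = Packet(pkt.proto, EXTERNAL_ADDR, nat_port, pkt.dst, pkt.dport, pkt.syn, pkt.ack)
        return "FORWARD", out

    def _inbound(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        key = self.reverse.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if key is None:
            return "DROP", None   # no matching state: unsolicited inbound traffic
        if pkt.proto == "tcp" and pkt.syn and not pkt.ack:
            return "DROP", None   # a bare SYN is a new connection attempt, not a reply
        _, in_src, in_sport, _, _ = key
        # Reverse NAT: the destination becomes the internal host that started the flow.
        out = Packet(pkt.proto, pkt.src, pkt.sport, in_src, in_sport, pkt.syn, pkt.ack)
        return "FORWARD", out


def run_demo() -> List[str]:
    """Walk a constructed traffic sequence and return the verdict for each packet."""
    fw = StatefulNatFirewall()
    trace = [
        Packet("tcp", "10.0.0.5", 51000, "198.51.100.7", 80, syn=True),               # client SYN out
        Packet("tcp", "198.51.100.7", 80, EXTERNAL_ADDR, 40000, syn=True, ack=True),  # server SYN/ACK back
        Packet("tcp", "198.51.100.9", 80, EXTERNAL_ADDR, 40000, ack=True),            # wrong peer, same port
        Packet("tcp", "10.0.0.5", 51001, "198.51.100.7", 80, ack=True),               # ACK with no connection
        Packet("udp", "10.0.0.20", 55000, "198.51.100.20", 161),                      # SNMP query out
        Packet("udp", "198.51.100.20", 161, EXTERNAL_ADDR, 40001),                    # SNMP reply back
        Packet("udp", "198.51.100.20", 161, EXTERNAL_ADDR, 40002),                    # reply nobody asked for
    ]
    return [fw.process(p)[0] for p in trace]
```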
Limitations of Firewalls

Firewalls are widely considered to be necessary, as general-purpose computers are difficult to protect. Nevertheless, a mythical general-purpose firewall would be essentially useless. In order to be effective, firewalls need to be customized to the needs of their environment. For example, home firewalls generally block incoming connections, but if the home owner wishes to set up a website or to be able to receive e-mail, then the firewall would have to be reconfigured. Despite the advances made in the past 10 years, firewall configuration is still a difficult and error-prone procedure, requiring careful verification and testing to ensure that the firewall does exactly what we want. In order to do this, the administrator needs to understand the requirements of the network that will be protected by the firewall, the requirements and the protocols used by the various applications that should be allowed through the firewall, and, finally, the way the firewall itself enforces the configuration defined by the administrator. Subtle differences between what we expect the firewall to do and what it actually does may cause difficulties with the operation of authorized applications or, perhaps, allow unauthorized traffic through the firewall.

The short-packet attack is a good example of a situation where the attacker tries to force the firewall to make a decision with insufficient data. This attack relies on the observation that, since many firewalls do not reassemble fragmented packets, they must base their decision on the first fragment of the packet and allow the rest through, essentially unchecked. The short-packet attack fragments packets so that the first fragment does not contain the entire TCP header (and thus lacks information such as the destination port). Modern firewalls typically reject such packets.
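The check a modern firewall applies to the short-packet attack just described, as an added example that is not code from the chapter: parse the raw IPv4 header and reject a first fragment of a TCP packet that does not carry the full 20-byte TCP header. It goes beyond the text by also applying the second rule from RFC 1858, which drops a TCP fragment at offset 8 because it could overwrite the ports and flags already checked on the first fragment. Sample packets are constructed below; checksums are left zero and not verified.

```python
"""Fragment filter for the short-packet (tiny-fragment) attack (added example).

Implements the two checks of RFC 1858 for TCP fragments: the first fragment
must contain the whole TCP header, and a fragment at byte offset 8 is dropped.
"""
import struct
from typing import Dict, Tuple

IPV4_MIN_HDR = 20
TCP_MIN_HDR = 20
PROTO_TCP = 6
PROTO_UDP = 17
FLAG_MF = 0x2000           # "more fragments" bit in the flags/offset field
FRAG_OFFSET_MASK = 0x1FFF  # fragment offset, in 8-byte units


def parse_ipv4(raw: bytes) -> Dict:
    """Decode the fields a fragment filter needs from a raw IPv4 packet."""
    if len(raw) < IPV4_MIN_HDR:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", raw[:IPV4_MIN_HDR])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < IPV4_MIN_HDR or total_len < ihl or len(raw) < total_len:
        raise ValueError("malformed IPv4 header")
    return {
        "proto": proto,
        "mf": bool(flags_frag & FLAG_MF),
        "frag_off": (flags_frag & FRAG_OFFSET_MASK) * 8,   # converted to bytes
        "payload": raw[ihl:total_len],
    }


def fragment_verdict(raw: bytes) -> Tuple[str, str]:
    """Return ("ACCEPT" or "DROP", reason) for one packet or fragment."""
    hdr = parse_ipv4(raw)
    if hdr["proto"] != PROTO_TCP:
        return "ACCEPT", "not TCP; no port-based decision depends on this fragment"
    if hdr["frag_off"] == 0:
        if hdr["mf"] and len(hdr["payload"]) < TCP_MIN_HDR:
            # Short-packet attack: the firewall would have to decide on a first
            # fragment that lacks the destination port and the flags.
            return "DROP", "first fragment does not carry the whole TCP header"
        return "ACCEPT", "first fragment (or whole packet) carries the TCP header"
    if hdr["frag_off"] == 8:
        # RFC 1858 indirect method: this fragment covers TCP header bytes 8-15,
        # so on reassembly it could rewrite the flags checked on the first one.
        return "DROP", "fragment offset 8 could overwrite the TCP header"
    return "ACCEPT", "non-first fragment beyond the TCP header"


def build_ipv4(payload: bytes, frag_off_units: int = 0, mf: bool = False,
               proto: int = PROTO_TCP) -> bytes:
    """Construct a minimal IPv4 packet (no options, checksum zero) for the demo."""
    flags_frag = (FLAG_MF if mf else 0) | (frag_off_units & FRAG_OFFSET_MASK)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_MIN_HDR + len(payload),
                         0x1234, flags_frag, 64, proto, 0,
                         bytes([198, 51, 100, 7]), bytes([203, 0, 113, 10]))
    return header + payload


# Constructed 20-byte TCP header: sport 40000, dport 80, data offset 5, SYN set.
TCP_SYN_HEADER = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 8192, 0, 0)


def run_checks() -> Dict[str, str]:
    """Verdicts for constructed packets covering each case of the filter."""
    samples = {
        "whole_packet": build_ipv4(TCP_SYN_HEADER),
        "first_fragment_full_header": build_ipv4(TCP_SYN_HEADER, mf=True),
        "first_fragment_short": build_ipv4(TCP_SYN_HEADER[:8], mf=True),
        "second_fragment_offset_8": build_ipv4(TCP_SYN_HEADER[8:], frag_off_units=1),
        "later_fragment_offset_24": build_ipv4(b"payload", frag_off_units=3),
        "udp_first_fragment_short": build_ipv4(b"\x00" * 8, mf=True, proto=PROTO_UDP),
    }
    return {name: fragment_verdict(pkt)[0] for name, pkt in samples.items()}
```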
Other limitations of traditional firewalls include the following:

- Due to the increasing line speeds and the more computationally intensive protocols that a firewall must support, firewalls tend to become congestion points. This gap between processing and networking speeds is likely to increase, at least for the foreseeable future: While computers (and hence firewalls) are becoming faster (following Moore's law), protocols and the tremendous increase in the amount of data that must be processed by the firewall have been and will likely continue to outpace Moore's law [2].
- The increasing scale of modern networks typically implies a large number of attachments to the Internet for performance, fault tolerance, and other reasons. Firewalls need to be deployed on all these links, greatly increasing the management problem.
- The increased scale also means that often there are attackers already on the inside network, for example, a disgruntled employee. Traditional firewalls can do very little, if anything, against such a threat. Furthermore, the use of wireless ( or similar) networks, whether authorized or not (see footnote 2), means that administrators do not necessarily have tight control over the network entry points: Attackers or freeloaders can appear from inside the network. Similar concerns arise due to the increased use of telecommuting facilities, which de facto extend the boundary of the protected network to include infrastructure resident in, for example, employees' premises. While firewalls are generally not intended to guard against misbehavior by insiders, there is a tension between internal needs for more connectivity and the difficulty of satisfying such needs with a centralized firewall.
- End-to-end encryption can also be a threat to firewalls, as it prevents them from looking at the packet fields necessary to do filtering. Allowing end-to-end encryption through a firewall implies considerable trust in the users on behalf of the administrators.
- There are protocols that firewalls find relatively difficult to handle because they involve multiple, seemingly independent packet flows. One example is FTP, where a control connection is initiated by the client to the server but (at least in some configurations) data connections are initiated by the server to the client. Although modern firewalls can and do handle these protocols, such solutions are viewed as architecturally unclean and in some cases too invasive.
- Finally, there is an increasing need for finer grained (and even application-specific) access control which standard firewalls cannot readily accommodate without greatly increasing their complexity and processing requirements.

Footnote 2: For example, consider the case of a user who simply connects a wireless base station to the corporate local area network (LAN) so that he can work from the corporate lounge.

Despite their shortcomings, firewalls are still useful in providing some measure of security. The key reason that firewalls are still useful is that they provide an obvious, mostly hassle-free mechanism for enforcing network security policy. For legacy applications and networks, they are the only mechanism for security. While newer protocols sometimes have some provisions for security, older protocols (and their implementations) are more difficult, often impossible, to secure. Furthermore, firewalls provide a convenient first-level barrier that allows quick responses to newly discovered bugs.
3.2 FIREWALL CLASSIFICATION

Apart from the typical firewall configuration described in the introduction to this chapter, there exist a number of other firewalls that are customized for particular applications or environments. In this section we examine some of the most popular configurations.

Personal Firewall

The term personal firewall generally refers to software that runs on your workstation and acts as a packet filtering firewall. The advantage of the personal firewall is that it can associate rules with programs so that, for example, your Web browser can connect to hosts all over the Internet over the HyperText Transfer Protocol (HTTP) port (port 80), but your word processor cannot. This works because the firewall is located on the same machine as the process that sends the packets. The personal firewall installs kernel-level software that monitors and intercepts network-related calls. In this way the firewall can determine which process is sending the packets. Nevertheless, the concept of the personal firewall has a number of weaknesses. Namely, it runs under a general-purpose operating system and must coexist with services that run with elevated privileges (sometimes without the user even being aware of it). If a privileged process is compromised, then the firewall can be confused or even subverted.
Lately, one of the first actions of viruses that take over machines is to turn off the virus checking software. It is only a matter of time before they start disabling the personal firewall on that machine. Another major limitation is based on the fact that the trust associated with a process is inherited by its children. So while a virus cannot make a process perform actions that are not part of its authorized execution profile, it can take advantage of all the privileges enjoyed by that process. Thus, assuming that network-aware processes can be infected, the intruder will have all the privileges of the infected process, which may be more than adequate to carry out its mission. One such exploit that runs under the Windows operating system has recently been described in great detail by Rattle [3].

Distributed Firewall

Conventional firewalls rely on topology restrictions and controlled network entry points to enforce traffic filtering. Furthermore, a firewall cannot filter traffic it does not see, so, effectively, everyone on the protected side is trusted. While this model has worked well for small- to medium-size networks, networking trends such as increased connectivity, higher line speeds, extranets, and telecommuting threaten to make it obsolete. To address the shortcomings of firewalls while retaining their advantages, [4] proposed the concept of a distributed firewall. In distributed firewalls, security policy is defined centrally but enforced at each individual network endpoint (hosts, routers, etc.). The system propagates the central policy to all endpoints. Policy distribution may take various forms. For example, it may be pushed directly to the end systems that have to enforce it, or it may be provided to the users in the form of credentials that they use when trying to communicate with the hosts, or it may be a combination of both. The extent of mutual trust between endpoints is specified by the policy.
To implement a distributed firewall, three components are necessary:

- A language for expressing policies and resolving requests. In their simplest form, policies in a distributed firewall are functionally equivalent to packet filtering rules. However, it is desirable to use an extensible system (so that other types of applications and security checks can be specified and enforced in the future). The language and resolution mechanism may also support credentials for delegation of rights and authentication purposes [5].
- A mechanism for safely distributing security policies. The integrity of the policies transferred must be guaranteed, either through the communication protocol or as part of the policy object description (e.g., they may be digitally signed).
- A mechanism that applies the security policy to incoming packets or connections, providing the enforcement part.

Layer 2 Firewall

As we have seen in the earlier sections, firewalls typically operate at the internetwork (IP) layer. This is mainly due to the placement of most firewalls: They usually replace the traditional router that connects the internal network with the external untrusted network. Thus, firewalls were designed to operate at the same layer as the machines they replaced (the routers).
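Returning to the distributed-firewall components listed above, an added example (not code from the chapter or from [4]) of the second and third components: a central policy object whose integrity an endpoint checks before enforcing it, with packet-filter-style rules as the policy language. The chapter says policy objects may be digitally signed; here a shared-key HMAC-SHA256 from the standard library stands in for that signature, and a version number is added so an endpoint will not accept an older policy being replayed. The rules, addresses and key are constructed for the demonstration.

```python
"""Distributed firewall: signed policy distribution and endpoint enforcement
(added example). HMAC-SHA256 with a shared key stands in for the digital
signature mentioned in the text; everything else is constructed demo data.
"""
import hashlib
import hmac
import ipaddress
import json
from typing import Dict, List

# Constructed demo key shared by the policy server and every endpoint.
POLICY_KEY = b"constructed-demo-key-not-for-production"


def _canonical(body: Dict) -> bytes:
    """Serialize deterministically so signer and verifier MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_policy(rules: List[Dict], version: int, key: bytes = POLICY_KEY) -> Dict:
    """Policy server side: wrap the rules with a version number and a MAC."""
    body = {"version": version, "rules": rules}
    return {"body": body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def _matches(rule: Dict, pkt: Dict) -> bool:
    """A rule matches when every field it names agrees with the packet."""
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "dport" in rule and rule["dport"] != pkt["dport"]:
        return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    return True


class Endpoint:
    """Enforcement point (host or router) holding the currently installed policy."""

    def __init__(self, key: bytes = POLICY_KEY):
        self.key = key
        self.version = 0
        self.rules: List[Dict] = []

    def install_policy(self, policy: Dict) -> bool:
        """Accept the policy only if its MAC verifies and its version is newer."""
        expected = hmac.new(self.key, _canonical(policy["body"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, policy["mac"]):
            return False                      # altered in transit or forged
        if policy["body"]["version"] <= self.version:
            return False                      # replay of an old (perhaps weaker) policy
        self.version = policy["body"]["version"]
        self.rules = policy["body"]["rules"]
        return True

    def decide(self, pkt: Dict) -> str:
        """First matching rule wins; default deny when nothing matches."""
        for rule in self.rules:
            if _matches(rule, pkt):
                return rule["action"]
        return "deny"


# Constructed central policy: SSH only from the internal network, HTTPS from anywhere.
RULES_V1 = [
    {"proto": "tcp", "dport": 22, "src": "10.0.0.0/8", "action": "allow"},
    {"proto": "tcp", "dport": 443, "action": "allow"},
]


def run_policy_demo() -> Dict[str, object]:
    """Distribute a policy, offer a tampered copy and a replay, then enforce."""
    ep = Endpoint()
    good = sign_policy(RULES_V1, version=1)
    # An attacker rewrites the body to "allow everything" but cannot recompute the MAC.
    tampered = {"body": {"version": 2, "rules": [{"action": "allow"}]}, "mac": good["mac"]}
    return {
        "installed": ep.install_policy(good),
        "tampered_rejected": not ep.install_policy(tampered),
        "replay_rejected": not ep.install_policy(sign_policy(RULES_V1, version=1)),
        "ssh_from_inside": ep.decide({"proto": "tcp", "src": "10.1.2.3", "dport": 22}),
        "ssh_from_outside": ep.decide({"proto": "tcp", "src": "198.51.100.7", "dport": 22}),
        "https_from_outside": ep.decide({"proto": "tcp", "src": "198.51.100.7", "dport": 443}),
        "udp_from_inside": ep.decide({"proto": "udp", "src": "10.1.2.3", "dport": 53}),
    }
```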
NETWORK SECURITY: CURRENT STATUS AND FUTURE DIRECTIONS
NETWORK SECURITY: CURRENT STATUS AND FUTURE DIRECTIONS Preface. Contributors. 1. Computer Network Security: Basic Background and Current Issues (Panayiotis Kotzanikolaou and Christos Douligeris). 1.1 Some
Network Security. Current Status and Future Directions
Brochure More information from http://www.researchandmarkets.com/reports/2175769/ Network Security. Current Status and Future Directions Description: A unique overview of network security issues, solutions,
IEEE Press 445 Hoes Lane Piscataway, NJ 08854. IEEE Press Editorial Board Mohamed E. El-Hawary, Editor in Chief
Network Security IEEE Press 445 Hoes Lane Piscataway, NJ 08854 IEEE Press Editorial Board Mohamed E. El-Hawary, Editor in Chief R. Abari T. G. Croda R. J. Herrick S. Basu S. Farshchi M. S. Newman A. Chatterjee
Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶
Network Security 網 路 安 全 Lecture 1 February 20, 2012 洪 國 寶 1 Outline Course information Motivation Introduction to security Basic network concepts Network security models Outline of the course 2 Course
Chap. 1: Introduction
Chap. 1: Introduction Introduction Services, Mechanisms, and Attacks The OSI Security Architecture Cryptography 1 1 Introduction Computer Security the generic name for the collection of tools designed
Security (II) ISO 7498-2: Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012
Course Outline: Fundamental Topics System View of Network Security Network Security Model Security Threat Model & Security Services Model Overview of Network Security Security Basis: Cryptography Secret
IY2760/CS3760: Part 6. IY2760: Part 6
IY2760/CS3760: Part 6 In this part of the course we give a general introduction to network security. We introduce widely used security-specific concepts and terminology. This discussion is based primarily
CS5008: Internet Computing
CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is
COSC 472 Network Security
COSC 472 Network Security Instructor: Dr. Enyue (Annie) Lu Office hours: http://faculty.salisbury.edu/~ealu/schedule.htm Office room: HS114 Email: [email protected] Course information: http://faculty.salisbury.edu/~ealu/cosc472/cosc472.html
12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust
Security in Wireless LANs and Mobile Networks Wireless Magnifies Exposure Vulnerability Information going across the wireless link is exposed to anyone within radio range RF may extend beyond a room or
Advanced Topics in Distributed Systems. Dr. Ayman Abdel-Hamid Computer Science Department Virginia Tech
Advanced Topics in Distributed Systems Dr. Ayman Abdel-Hamid Computer Science Department Virginia Tech Security Introduction Based on Ch1, Cryptography and Network Security 4 th Ed Security Dr. Ayman Abdel-Hamid,
DATA SECURITY 1/12. Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0
DATA SECURITY 1/12 Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0 Contents 1. INTRODUCTION... 3 2. REMOTE ACCESS ARCHITECTURES... 3 2.1 DIAL-UP MODEM ACCESS... 3 2.2 SECURE INTERNET ACCESS
Content Teaching Academy at James Madison University
Content Teaching Academy at James Madison University 1 2 The Battle Field: Computers, LANs & Internetworks 3 Definitions Computer Security - generic name for the collection of tools designed to protect
Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References
Lecture Objectives Wireless Networks and Mobile Systems Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks Introduce security vulnerabilities and defenses Describe security functions
EUCIP - IT Administrator. Module 5 IT Security. Version 2.0
EUCIP - IT Administrator Module 5 IT Security Version 2.0 Module 5 Goals Module 5 Module 5, IT Security, requires the candidate to be familiar with the various ways of protecting data both in a single
a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)
MIS5206 Week 12 Your Name Date 1. Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)? a) User from within could send a file
7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?
7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk
Network Security. Network Security Hierarchy. CISCO Security Curriculum
Network Security Network Security Hierarchy Material elaborat dupa: CISCO Security Curriculum Kenny Paterson s Lectures for: M.Sc. in Information Security, Royal Holloway, University of London 1 Objectives
Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1
Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions
Security in Wireless Local Area Network
Fourth LACCEI International Latin American and Caribbean Conference for Engineering and Technology (LACCET 2006) Breaking Frontiers and Barriers in Engineering: Education, Research and Practice 21-23 June
Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP
Overview Securing TCP/IP Chapter 6 TCP/IP Open Systems Interconnection Model Anatomy of a Packet Internet Protocol Security (IPSec) Web Security (HTTP over TLS, Secure-HTTP) Lecturer: Pei-yih Ting 1 2
SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.
system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped
Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs
Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks
Network Security Fundamentals
APNIC elearning: Network Security Fundamentals 27 November 2013 04:30 pm Brisbane Time (GMT+10) Introduction Presenter Sheryl Hermoso Training Officer [email protected] Specialties: Network Security IPv6
INF3510 Information Security University of Oslo Spring 2011. Lecture 9 Communication Security. Audun Jøsang
INF3510 Information Security University of Oslo Spring 2011 Lecture 9 Communication Security Audun Jøsang Outline Network security concepts Communication security Perimeter security Protocol architecture
E-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY)
E-Commerce Security An e-commerce security system has four fronts: LECTURE 7 (SECURITY) Web Client Security Data Transport Security Web Server Security Operating System Security A safe e-commerce system
APNIC elearning: Network Security Fundamentals. 20 March 2013 10:30 pm Brisbane Time (GMT+10)
APNIC elearning: Network Security Fundamentals 20 March 2013 10:30 pm Brisbane Time (GMT+10) Introduction Presenter/s Nurul Islam Roman Senior Training Specialist [email protected] Specialties: Routing &
Securing VoIP Networks using graded Protection Levels
Securing VoIP Networks using graded Protection Levels Andreas C. Schmidt Bundesamt für Sicherheit in der Informationstechnik, Godesberger Allee 185-189, D-53175 Bonn [email protected] Abstract
Computer Security. Introduction to. Michael T. Goodrich Department of Computer Science University of California, Irvine. Roberto Tamassia PEARSON
Introduction to Computer Security International Edition Michael T. Goodrich Department of Computer Science University of California, Irvine Roberto Tamassia Department of Computer Science Brown University
Notes on Network Security - Introduction
Notes on Network Security - Introduction Security comes in all shapes and sizes, ranging from problems with software on a computer, to the integrity of messages and emails being sent on the Internet. Network
Fundamentals of Network Security - Theory and Practice-
Fundamentals of Network Security - Theory and Practice- Program: Day 1... 1 1. General Security Concepts... 1 2. Identifying Potential Risks... 1 Day 2... 2 3. Infrastructure and Connectivity... 2 4. Monitoring
Table: Security Services (X.800)
SECURIT SERVICES X.800 defines a security service as a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers. Also the
Information Security Basic Concepts
Information Security Basic Concepts 1 What is security in general Security is about protecting assets from damage or harm Focuses on all types of assets Example: your body, possessions, the environment,
A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method.
A Brief Overview of VoIP Security By John McCarron Voice of Internet Protocol is the next generation telecommunications method. It allows to phone calls to be route over a data network thus saving money
PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES
PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute
Chapter 5. Data Communication And Internet Technology
Chapter 5 Data Communication And Internet Technology Purpose Understand the fundamental networking concepts Agenda Network Concepts Communication Protocol TCP/IP-OSI Architecture Network Types LAN WAN
Network Security: A Practical Approach. Jan L. Harrington
Network Security: A Practical Approach Jan L. Harrington ELSEVIER AMSTERDAM BOSTON HEIDELBERG LONDON NEW YORK OXFORD PARIS SAN DIEGO SAN FRANCISCO SINGAPORE SYDNEY TOKYO Morgan Kaufmann is an imprint of
7. Public Key Cryptosystems and Digital Signatures, 8. Firewalls, 9. Intrusion detection systems, 10. Biometric Security Systems, 11.
Content 1.Introduction to Data and Network Security. 2. Why secure your Network 3. How Much security do you need, 4. Communication of network systems, 5. Topology security, 6. Cryptosystems and Symmetric
Understanding TCP/IP. Introduction. What is an Architectural Model? APPENDIX
APPENDIX A Introduction Understanding TCP/IP To fully understand the architecture of Cisco Centri Firewall, you need to understand the TCP/IP architecture on which the Internet is based. This appendix
Cornerstones of Security
Internet Security Cornerstones of Security Authenticity the sender (either client or server) of a message is who he, she or it claims to be Privacy the contents of a message are secret and only known to
Cryptography and Network Security
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Shinu Mathew John http://shinu.info/ Chapter 1 Introduction http://shinu.info/ 2 Background Information Security requirements
Security Goals Services
1 2 Lecture #8 2008 Freedom from danger, risk, etc.; safety. Something that secures or makes safe; protection; defense. Precautions taken to guard against crime, attack, sabotage, espionage, etc. An assurance;
Chapter 10. Network Security
Chapter 10 Network Security 10.1. Chapter 10: Outline 10.1 INTRODUCTION 10.2 CONFIDENTIALITY 10.3 OTHER ASPECTS OF SECURITY 10.4 INTERNET SECURITY 10.5 FIREWALLS 10.2 Chapter 10: Objective We introduce
Telecommunications Network Management
What Is an Internetwork? An internetwork is a collection of individual networks, connected by intermediate networking devices, that functions as a single large network. Internetworking refers to the industry,
TIME SCHEDULE. 1 Introduction to Computer Security & Cryptography 13
COURSE TITLE : INFORMATION SECURITY COURSE CODE : 5136 COURSE CATEGORY : ELECTIVE PERIODS/WEEK : 4 PERIODS/SEMESTER : 52 CREDITS : 4 TIME SCHEDULE MODULE TOPICS PERIODS 1 Introduction to Computer Security
Communications and Computer Networks
SFWR 4C03: Computer Networks and Computer Security January 5-8 2004 Lecturer: Kartik Krishnan Lectures 1-3 Communications and Computer Networks The fundamental purpose of a communication system is the
Voice Over IP (VoIP) Denial of Service (DoS)
Introduction Voice Over IP (VoIP) Denial of Service (DoS) By Mark Collier Chief Technology Officer SecureLogix Corporation Denial of Service (DoS) is an issue for any IP network-based
Joseph Migga Kizza. A Guide to Computer Network Security. 4) Springer
Joseph Migga Kizza A Guide to Computer Network Security 4) Springer Contents Part I Understanding Computer Network Security 1 Computer Network Fundamentals 1.1 Introduction 1.2 Computer Network Models
Chapter 7 Transport-Level Security
Cryptography and Network Security Chapter 7 Transport-Level Security Lectured by Nguyễn Đức Thái Outline Web Security Issues Secure Sockets Layer (SSL) Transport Layer Security (TLS) HTTPS Secure Shell
CMSC 421, Operating Systems. Fall 2008. Security. URL: http://www.csee.umbc.edu/~kalpakis/courses/421. Dr. Kalpakis
CMSC 421, Operating Systems. Fall 2008 Security Dr. Kalpakis URL: http://www.csee.umbc.edu/~kalpakis/courses/421 Outline The Security Problem Authentication Program Threats System Threats Securing Systems
VOICE OVER IP SECURITY
VOICE OVER IP SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without
Firewalls, Tunnels, and Network Intrusion Detection. Firewalls
Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.
Information Technology Career Cluster Introduction to Cybersecurity Course Number: 11.48100
Information Technology Career Cluster Introduction to Cybersecurity Course Number: 11.48100 Course Description: Introduction to Cybersecurity is designed to provide students the basic concepts and terminology
Link Layer and Network Layer Security for Wireless Networks
Link Layer and Network Layer Security for Wireless Networks Interlink Networks, Inc. May 15, 2003 1 LINK LAYER AND NETWORK LAYER SECURITY FOR WIRELESS NETWORKS... 3 Abstract... 3 1. INTRODUCTION... 3 2.
Networking Basics and Network Security
Why do we need networks? Networking Basics and Network Security Shared Data and Functions Availability Performance, Load Balancing What is needed for a network? ISO 7-Layer Model Physical Connection Wired:
SCADA SYSTEMS AND SECURITY WHITEPAPER
SCADA SYSTEMS AND SECURITY WHITEPAPER Abstract: This paper discusses some of the options available to companies concerned with the threat of cyber attack on their critical infrastructure, who as part of
Security vulnerabilities in the Internet and possible solutions
Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in
Firewalls, Tunnels, and Network Intrusion Detection
Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls
Draft ITU-T Recommendation X.805 (Formerly X.css), Security architecture for systems providing end-to-end communications
Draft ITU-T Recommendation X.805 (Formerly X.css), Security architecture for systems providing end-to-end communications Summary This Recommendation defines the general security-related architectural elements that
Protocol Rollback and Network Security
CSE 484 / CSE M 584 (Spring 2012) Protocol Rollback and Network Security Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee,
CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module
CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human
IPv6 SECURITY. May 2011. The Government of the Hong Kong Special Administrative Region
IPv6 SECURITY May 2011 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without the express
Network Security and Firewall 1
Department/program: Networking Course Code: CPT 224 Contact Hours: 96 Subject/Course WEB Access & Network Security: Theoretical: 2 Hours/week Year Two Semester: Two Prerequisite: NET304 Practical: 4 Hours/week
Wireless Mobile Internet Security. 2nd Edition
Brochure More information from http://www.researchandmarkets.com/reports/2330593/ Wireless Mobile Internet Security. 2nd Edition Description: The mobile industry for wireless cellular services has grown
Network Concepts. IT 4823 Information Security Concepts and Administration. The Network Environment. Resilience. Network Topology. Transmission Media
IT 4823 Information Security Concepts and Administration March 17 Network Threats Notice: This session is being recorded. Happy 50th, Vanguard II March 17, 1958 R.I.P. John Backus March 17, 2007 Copyright
How To Pass A Credit Course At Florida State College At Jacksonville
Form 2A, Page 1 FLORIDA STATE COLLEGE AT JACKSONVILLE COLLEGE CREDIT COURSE OUTLINE COURSE NUMBER: CTS 2658 COURSE TITLE: PREREQUISITE(S): COREQUISITE(S): Managing Network Security CNT 2210 with grade
Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues
Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues v Noriyuki Fukuyama v Shingo Fujimoto v Masahiko Takenaka (Manuscript received September 26, 2003) IP telephony services using VoIP (Voice
Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; May 2001. Siemens AG 2001, ICN M NT
Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code
CRYPTOGRAPHY IN NETWORK SECURITY
ELE548 Research Essays CRYPTOGRAPHY IN NETWORK SECURITY AUTHOR: SHENGLI LI INSTRUCTOR: DR. JIEN-CHUNG LO Date: March 5, 1999 Computer network brings lots of great benefits and convenience to us. We can
Cryptography and Network Security Chapter 1
Cryptography and Network Security Chapter 1 Acknowledgments Lecture slides are based on the slides created by Lawrie Brown Chapter 1 Introduction The art of war teaches us to rely not on the likelihood
20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7
20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic
INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY
INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY A PATH FOR HORIZING YOUR INNOVATIVE WORK AN OVERVIEW OF MOBILE ADHOC NETWORK: INTRUSION DETECTION, TYPES OF ATTACKS AND
Information System Security
Information System Security Chapter 1: Introduction Dr. Lo'ai Tawalbeh Faculty of Information System and Technology, The Arab Academy for Banking and Financial Sciences, Jordan Chapter 1 Introduction The
Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)
Page 1 of 6 Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits) TNCC Cybersecurity Program web page: http://tncc.edu/programs/cyber-security Course Description: Encompasses
CS 356 Lecture 27 Internet Security Protocols. Spring 2013
CS 356 Lecture 27 Internet Security Protocols Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists
CHAPTER 1 INTRODUCTION
CHAPTER 1 INTRODUCTION 1.0 Introduction Voice over Internet Protocol (VoIP) is the most popular in telecommunication technology. Nowadays, three million users use VoIP. It is estimated that the number
Outline. INF3510 Information Security. Lecture 10: Communications Security. Communication Security Analogy. Network Security Concepts
Outline INF3510 Information Security Lecture 10: Communications Security Network security concepts Communication security Perimeter security Protocol architecture and security services Example security
Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security
Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network
UPPER LAYER SWITCHING
52-20-40 DATA COMMUNICATIONS MANAGEMENT UPPER LAYER SWITCHING Gilbert Held INSIDE Upper Layer Operations; Address Translation; Layer 3 Switching; Layer 4 Switching OVERVIEW The first series of LAN switches
Voice over IP Security
Voice over IP Security Patrick Park Cisco Press Cisco Press 800 East 96th Street Indianapolis, Indiana 46240 USA vii Contents Introduction xvii Part I VoIP Security Fundamentals 3 Chapter 1 Working with
Computer Security. Principles and Practice. Second Edition. Amp Kumar Bhattacharjee. Lawrie Brown. Mick Bauer. William Stallings
Computer Security Principles and Practice Second Edition William Stallings Lawrie Brown University of New South Wales, Australian Defence Force Academy With Contributions by Mick Bauer Security Editor,
CHAPTER 4 DEPLOYMENT OF ESGC-PKC IN NON-COMMERCIAL E-COMMERCE APPLICATIONS
70 CHAPTER 4 DEPLOYMENT OF ESGC-PKC IN NON-COMMERCIAL E-COMMERCE APPLICATIONS 4.1 INTRODUCTION In this research work, a new enhanced SGC-PKC has been proposed for improving the electronic commerce and
Client Server Registration Protocol
Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are
How To Understand And Understand The Security Of A Key Infrastructure
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography Objectives Define digital certificates List the various types of digital certificates and how they are used
HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R
HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R HughesNet Managed Broadband Network Services include a high level of end-to-end security utilizing a robust architecture designed by
REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB
REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB Conducted: 29th March - 5th April 2007 Prepared By: Pankaj Kohli (200607011) Chandan Kumar (200607003) Aamil Farooq (200505001) Network Audit Table of
The next generation of knowledge and expertise Wireless Security Basics
The next generation of knowledge and expertise Wireless Security Basics HTA Technology Security Consulting, 30 S. Wacker Dr, 22nd Floor, Chicago, IL 60606, 708-862-6348 (voice), 708-868-2404 (fax), www.hta-inc.com
Lecture 1. Lecture Overview. Intro to Networking. Intro to Networking. Motivation behind Networking. Computer / Data Networks
Lecture 1 An Introduction to Networking Chapter 1, pages 1-22 Dave Novak BSAD 146, Introduction to Networking School of Business Administration University of Vermont Lecture Overview Brief introduction
Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :
Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh Written Exam in Network Security ANSWERS May 28, 2009. Allowed aid: Writing material. Name (in block letters)
Introduction to Security
2 Introduction to Security : IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October 2013 its335y13s2l01, Steve/Courses/2013/s2/its335/lectures/intro.tex,
Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1
Industrial Network Security for SCADA, Automation, Process Control and PLC Systems Contents 1 An Introduction to Industrial Network Security 1 1.1 Course overview 1 1.2 The evolution of networking 1 1.3
Lecture 10: Communications Security
INF3510 Information Security Lecture 10: Communications Security Audun Jøsang University of Oslo Spring 2015 Outline Network security concepts Communication security Perimeter security Protocol architecture
Basics of Internet Security
Basics of Internet Security Premraj Jeyaprakash About Technowave, Inc. Technowave is a strategic and technical consulting group focused on bringing processes and technology into line with organizational
Cryptography and Network Security Overview & Chapter 1. Network Security. Chapter 0 Reader's Guide. Standards Organizations.
Cryptography and Network Security Overview & Chapter 1 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 0 Reader's Guide The art of war teaches us to rely
Module 1: Introduction to Designing Security
Module 1: Introduction to Designing Security Table of Contents Module Overview 1-1 Lesson 1: Overview of Designing Security for Microsoft Networks 1-2 Lesson 2: Introducing Contoso Pharmaceuticals: A Case
What is Web Security? Motivation
http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web
