Chapter 4: Security of the architecture, and lower layer security (network security)

Outline
- Security of the architecture
- Access control
- Lower layer security
  - Data link layer
  - VPN access
  - Wireless access
- Appendices

1. Security of the architecture
- Security of the architectures
- Firewall
- Proxy
- NAT
- DMZ
- IDS
Security of the architectures
- specific to each architecture
- few standards
- often insufficient
- Several levels:
  - security of the building / computer rooms
  - network security
  - communication security

Security of the architectures
- Security of the building / computer rooms
  - often neglected
  - access control required
- Network security
  - OSI layers: physical, data link, network, transport
  - often implemented in the kernel

Security of the architectures
- Communication security
  - higher layers
  - often easy and fast to deploy
  - often implemented at the user level

Classification of solutions
- extension solutions
- transparent solutions
- signaling solutions
- local processing solutions

Classification of solutions
- Extension solutions
  - add new features to existing protocols
  - interoperability problems
  - example: DNSSec
- Transparent solutions
  - inserted between two protocols
  - do not require modification of adjacent protocols
  - examples: SSL/TLS, SSH

Classification of solutions
- Signaling solutions
  - operate within a layer
  - encapsulation by protocols of the same layer (rather than encapsulation by protocols of lower layers)
  - example: IPSec
- Local processing solutions
  - most deployed solutions
  - no interoperability problems
  - examples: firewall, antivirus, IDS
Firewall
- packet filtering device
- filtering rules are predefined
- Security policies
  - internal to the company
  - external to the company

Firewall
- Default rule
  - allowing packets implicitly: low security
  - rejecting packets implicitly: too restrictive
- Rule processing
  - sequential processing
  - the first matching rule is applied

Firewall: advantages
- Transparent
- Filtering at different levels
  - MAC, IP
  - application data
  - by user groups
- Able to deal with complex networks (NAT, DMZ, VPN)
- Centralized management: simple + easier to audit

Firewall: drawbacks
- Target of attacks
- Control required for each protocol (MAC, IP, HTTP, HTTPS, SQL, ...)
- Requires understanding the filtering rules and their application order

Firewall
- Operation modes
  - stateless: packets are processed independently
  - stateful: the firewall stores a state for each protocol
- Stateless firewalls
  - simple filtering
- Stateful firewalls
  - require more computation power

Firewall and ACL
- Firewall operation
  - analyzes packets (or their headers) exchanged between two entities, located on each side of the firewall
  - uses ACLs
- ACL = Access Control List
  - source IP, source port, destination IP, destination port
  - TCP (opening), TCP (communication) or UDP
  - authorization or rejection

Firewall and ACL
- Source IP and destination IP: mask
- Source and destination ports: n, >n, list
- Action
  - authorization
  - rejection
  - log

Frequent ports
- DNS (53)
- HTTP (80, 8000, 8080) and HTTPS (443)
- FTP (20 and 21) and TFTP (69)
- SMTP (25), POP3 (110) and IMAP (143)
- X (6000 to 6063), RIP (520), NFS (2049), LPD (Line Printer Daemon, 515)

Firewall examples
- Example of specification (rules are tried in order, the first match decides)
    r1 - accept from 192.168.1.3:* to 193.49.118.1:25
    r2 - accept from 192.168.1.0/24:* to *:80
    r3 - deny from *:* to *:*

Firewall examples
- Example Cisco (simplified extended ACL; keyword syntax corrected, order unchanged)
    ! anti-spoofing: drop packets claiming an internal source address
    deny ip 192.168.1.0 0.0.0.255 any
    ! replies to connections already established (ACK/RST set)
    permit tcp any any established
    permit tcp any host 192.168.1.3 eq smtp
    permit tcp any host 192.168.1.3 eq domain
    permit udp any host 192.168.1.3 eq domain
    ! X11 display ports
    deny tcp any any range 6000 6063
    ! active-mode FTP data connections from server port 20
    permit tcp any eq 20 any gt 1024
    permit icmp any any

Firewall: problems
- Problems
  - no authentication
  - no confidentiality
  - external connections are not taken into account
- Remarks
  - network access that bypasses the firewall: external storage / communication devices (USB sticks)
  - regularly read logs
  - modify rules according to logs
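The sequential, first-match rule processing described above, applied to the r1-r3 specification, as an added example (not code from the course; the `Rule` layout and the IP/port spec conventions "*", "n", ">n" and a list of ports are assumptions following the slide):

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    action: str      # "accept" or "deny"
    src: str         # single IP, CIDR mask, or "*"
    sport: object    # "*", a port number, ">n", or a list of ports
    dst: str
    dport: object

def ip_match(spec, ip):
    """Mask comparison: a single IP is treated as a /32 network."""
    return spec == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_match(spec, port):
    """Port specifications allowed by the slide: n, >n, list (or "*")."""
    if spec == "*":
        return True
    if isinstance(spec, str) and spec.startswith(">"):
        return port > int(spec[1:])
    if isinstance(spec, (list, tuple, set)):
        return port in spec
    return port == int(spec)

def filter_packet(rules, src, sport, dst, dport, default="deny"):
    """Sequential processing: the first matching rule decides.
    If nothing matches, the (implicit) default rule applies."""
    for r in rules:
        if (ip_match(r.src, src) and port_match(r.sport, sport)
                and ip_match(r.dst, dst) and port_match(r.dport, dport)):
            return r.action, r.name
    return default, "default"

# The specification from the slide, as constructed sample rules
RULES = [
    Rule("r1", "accept", "192.168.1.3", "*", "193.49.118.1", 25),
    Rule("r2", "accept", "192.168.1.0/24", "*", "*", 80),
    Rule("r3", "deny", "*", "*", "*", "*"),
]

if __name__ == "__main__":
    print(filter_packet(RULES, "192.168.1.3", 40000, "193.49.118.1", 25))
    print(filter_packet(RULES, "192.168.1.7", 40000, "193.49.118.1", 25))
```

Putting r3 first would shadow r1 and r2, which is why auditing the order is part of reviewing a rule set.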
Proxy
- Proxy = intermediate device
  - device on the client side, relaying (and modifying) communications between a client and a server
  - use: filtering, caching, logging, anonymizing
- Types of proxies
  - transparent proxy
  - anonymizing proxy
  - tunnel (or gateway) = does not modify communications
  - open proxy
  - reverse proxy

Reverse proxy
- device on the server side, relaying (and modifying) communications between a client and a server
- use: in front of the main server, caching, load balancing, access control, content compression

Proxy
- Generally concerns the following protocols
  - HTTP
  - FTP
  - SSH
  - SMTP

Proxy
- Security aspects
  - can provide anonymity
  - eases / centralizes the application of security policies (access control)
  - logs usage
  - processes entering content (antivirus, anti-spam) and leaving content (information leaking)
- Drawbacks
  - bypassing security policies
NAT
- Definition: network address translation
- operation: principle, translation table
- Advantages
  - private addressing is independent from the public addressing (provides flexibility + hides the private architecture)
- Drawbacks
  - requires the modification of checksums (IP, TCP)

NAT + PAT
- Definition: network address and port translation
- IPv4 address space is (nearly) exhausted
- operation: principle, address and port translation table
- example: private client accessing a public server
- masquerading: the public address is the address of the router

NAT + PAT
- Problem: public client accessing a private server
- Solution: manual configuration
- Private addresses
  - 10.0.0.0 / 8
  - 172.16.0.0 / 12
  - 192.168.0.0 / 16

NAT + PAT
- Advantages
  - no need to have several public addresses
- Drawbacks
  - initiated by the client (only)
  - client does not know its own public IP address (problems with protocols such as FTP)
  - difficult to create private servers
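A masquerading NAT+PAT router with its address-and-port translation table, showing why an unsolicited public client cannot reach a private server without manual configuration, and why the IP checksum must be recomputed after rewriting an address. Added example, not code from the course; the class name, the port range starting at 40000 and the sample addresses are constructed.

```python
import itertools

class NatPat:
    """Masquerading router: one public address, a table keyed by (private ip, private port)."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)   # next free public port
        self.out_table = {}   # (priv_ip, priv_port) -> public port
        self.in_table = {}    # public port -> (priv_ip, priv_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Private client -> public server: allocate a public port on first use, then rewrite the source."""
        key = (src_ip, src_port)
        if key not in self.out_table:
            public_port = next(self._ports)
            self.out_table[key] = public_port
            self.in_table[public_port] = key
        return (self.public_ip, self.out_table[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Public -> private: only packets matching a table entry are forwarded; others are dropped (None)."""
        if dst_ip != self.public_ip or dst_port not in self.in_table:
            return None
        priv_ip, priv_port = self.in_table[dst_port]
        return (src_ip, src_port, priv_ip, priv_port)

    def add_static(self, public_port, priv_ip, priv_port):
        """Manual configuration (port forwarding) so that a public client can reach a private server."""
        self.in_table[public_port] = (priv_ip, priv_port)
        self.out_table[(priv_ip, priv_port)] = public_port

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the header (checksum field set to zero).
    NAT changes an address field, so the value must be recomputed before forwarding."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(int.from_bytes(header[i:i + 2], "big") for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

# constructed 20-byte IPv4 header (checksum field zeroed), src 192.168.0.1, dst 192.168.0.199
SAMPLE_HEADER = bytes.fromhex("45000073000040004011" "0000" "c0a80001c0a800c7")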
DMZ
- Description of a DMZ
- Objectives
  - network partitioning
  - the security of the internal part of the network is independent from the security of the external part
- DMZ collapse

Netfilter
- Linux software firewall
- manages filtering and NAT (see appendix)

IDS
- IDS = Intrusion Detection System
  - passive component
  - used in addition to a firewall
- Objective: to detect suspicious behaviors, intrusions and attacks
- NIDS = Network IDS
- HIDS = Host IDS

NIDS
- Mechanism
  - traffic monitoring
- NIDS placement
  - key location of the architecture: central location, entrance location

HIDS
- Mechanism
  - monitoring of error logs, audit logs, file access rights, used resources
- Placement
  - on each monitored system

Detection methods
- Signature-based detection
  - detection of known attack schemes
  - example: attack of "large ICMP packets" against "BlackIce Defender" firewalls
- Suspicious behavior detection
  - comparison between usual behavior and current behavior
  - example: resource use at an unusual time

Detection methods
- Integrity check based detection
  - verification of file integrity
  - file integrity updated at each legitimate file update

Drawbacks of IDSs
- Produces false positives: alarm generated for a legitimate behavior
- Produces false negatives: no alarm generated for an illegitimate behavior
- Not all attacks are detected
- Does not block intrusions
- Deployment problems

Software IDS
- Example: SNORT
  - open-source free software
  - signature-based IDS
  - signatures are updated frequently
2. Access control
- AAA = Authentication, Authorization, Accounting
  - authentication
  - authorization
  - access control tracking
- Architecture
  - client-server
  - single user database, several servers

AAA
- Often used by internet access providers (or by a company for its private network)
- NAS = Network Access Server
  - network access point
  - several NASs
- RAS = Remote Access Server
  - centralized access policy
  - information on clients and access rights
  - configures NASs

RADIUS
- RADIUS = Remote Authentication Dial-In User Service
- authentication via a shared database
- example: Internet access, POP, apache
- client/server protocol based on requests/responses
- data is encrypted using a (pre-)shared key
- UDP port 1812

RADIUS
- RADIUS server communicates with an external database (LDAP, SQL, user accounts)
- Operation
  - NAS acts as an intermediary between users and the RAS
  - the user requests the NAS (using a login and a password)
  - access-request and access-challenge sequence
  - ends with access-accept or access-reject

RADIUS
- Accounting
  - objective: logging and billing
- Mechanism
  - START packet when access starts
  - STOP packet when disconnected, or after a timeout expires
- Legality
  - any Internet access has to be mapped to a bank account

RADIUS
- Drawbacks
  - UDP protocol
  - no security at the transport layer (requires a VPN)
  - no server authentication
3. Lower layer security
- Data link layer
  - PAP
  - CHAP
  - PPP
  - EAP
- VPN

Data link layer
- Security at the lowest level
  - critical
- Multipoint type
  - internal network
  - Ethernet
- Point to point type
  - external connection
  - PPP

PAP and CHAP
- PAP = Password Authentication Protocol
  - sends a pair (login, password) as plaintext
  - verification of the pair
- CHAP = Challenge Handshake Protocol
  - client sends an identification
  - server sends a random number N (called nonce)
  - client sends hash(N + shared secret)
  - server verifies (using the shared secret)

PPP
- PPP = Point to Point Protocol
  - transmission protocol operating at layer 2, between two hosts
  - supports PAP and CHAP
- Mechanism
  - encapsulation of packets
  - link control (LCP = Link Control Protocol): manages frame size and authorizes the communication
  - network control (NCP = Network Control Protocol): negotiates IP options (timeout, ...)

EAP
- EAP = Extensible Authentication Protocol
  - universal authentication mechanism
  - used in point-to-point or in wireless
- Defines frames having a specific format (EAP-request, EAP-response, EAP-success, EAP-failure)
- Extensible
  - predefined authentication mechanisms (OTP = One Time Password, ...)
  - any authentication method can be implemented
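The PAP and CHAP exchanges side by side, as an added example (not code from the course). PAP puts the credentials on the wire as-is; CHAP sends only a hash over a fresh nonce and the shared secret, so a captured response is useless against a later challenge. The hash layout follows RFC 1994 (MD5 over identifier, secret, challenge), which is the concrete form of the slide's hash(N + shared secret); the secret value and the hypothetical function names are constructed.

```python
import hashlib
import hmac
import os

SHARED_SECRET = b"constructed-secret-known-to-both-ends"

def pap_frame(login: str, password: str) -> bytes:
    """PAP: the (login, password) pair is sent as plaintext; anyone on the link reads it."""
    return login.encode() + b"\x00" + password.encode()

def chap_challenge(length: int = 16) -> bytes:
    """Server side: a fresh random nonce N for each authentication attempt."""
    return os.urandom(length)

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: MD5(identifier || shared secret || N). The secret never leaves the host."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()

def chap_verify(ident: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute with its own copy of the secret and compare in constant time."""
    expected = chap_response(ident, secret, challenge)
    return hmac.compare_digest(expected, response)

def chap_exchange(client_secret: bytes, server_secret: bytes) -> bool:
    """One full handshake: identification, challenge, response, verification."""
    ident = 1                              # identifier the client announces
    challenge = chap_challenge()           # server -> client
    response = chap_response(ident, client_secret, challenge)   # client -> server
    return chap_verify(ident, server_secret, challenge, response)

if __name__ == "__main__":
    print("PAP on the wire:", pap_frame("alice", "hunter2"))
    print("CHAP success:", chap_exchange(SHARED_SECRET, SHARED_SECRET))
```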
VPN
- VPN = Virtual Private Network
- Objective
  - interconnect distant computers via an existing (unsecure) network
  - form a private network between those computers
- Example
  - branches of a company

VPN
- Interconnection
  - layer 2: via a PPP link
  - layer 3: via an IP link
- Mechanism: tunnelling (through encapsulation)
- Examples
  - layer 2: PPTP, L2F, L2TP
  - layer 3: GRE, IPSEC (see next chapter)

VPN - PPTP
- PPTP = Point-to-Point Tunnelling Protocol
  - RFC 2637, developed by Microsoft
  - client/server protocol (does not work for network/network or client/network modes)
- Mechanism
  - signalling on TCP port 1723 (opening, closing, authentication)
  - layer 2 protocol that encapsulates PPP frames in IP packets, via GRE

VPN - PPTP
- Advantages
  - supports MPPE (Microsoft Point-to-Point Encryption)
  - supports MPPC (Microsoft Point-to-Point Compression)
- Encapsulation (outer to inner): PPP (proto 0x0021) | IP (proto 47) | GRE (proto 0x880B) | PPP (proto 0x0021) | IP | Payload

VPN - L2F
- L2F = Layer Two Forwarding
  - RFC 2341, developed by Cisco
- Mechanism
  - client/server protocol
  - PPP connection between the client and the network access point, and L2F tunnel between the network access point and the server
- Obsolete protocol

VPN - L2TP
- L2TP = Layer Two Tunnelling Protocol
  - RFC 2661 and RFC 3931, developed by Cisco and Microsoft
  - based on PPTP and L2F
- Mechanism
  - uses UDP to encapsulate PPP
  - provides robustness for control packets, but not for data packets
  - several VPNs can share the same tunnel

VPN - L2TP
- Prior to the communication: tunnel establishment, session establishment (one session for each communication)
- Architectures
  - client => LAC (L2TP Access Concentrator) => LNS (L2TP Network Server) => network
  - client LAC => LNS => network
- Encapsulation (outer to inner): PPP | IP | UDP | L2TP | PPP | IP | Payload

VPN - L2TP
- Drawback
  - no confidentiality
- Solution: L2TP/IPSec
  - IPSec creates a secure channel
  - L2TP creates a tunnel in the secure channel

VPN - GRE
- GRE = Generic Routing Encapsulation
  - RFC 2784, developed by Cisco
- Simple protocol
  - defines a scheme to encapsulate other protocols
  - stateless
- Encapsulation (outer to inner): IP (proto 47) | GRE (proto 0x0800) | IP | Payload

VPN - GRE
- Detects broken links
  - if there is no route towards the destination
  - if the interface that leads to the destination is shut down
  - if the route to the destination passes through a tunnel
- Keepalive messages
  - the broken link detection does not take into account packets lost in the tunnel
  - keepalive messages are implemented at each side of the tunnel (with independent timers)
4. Appendices
- Netfilter
- (Wireless access)
- (Viruses)