Content Distribution Networks (CDN)



Content Distribution Networks (CDNs)

A content distribution network can be viewed as a global web replication. Main idea: each replica is located in a different geographic area, rather than in the same farm.

A CDN usually consists of the following components:
- A set of web servers and/or cache servers
- A dedicated intelligent distribution mechanism to move data between the various servers
- A mechanism to intelligently match the requesting user with the most efficient server

Main issues of a CDN:
- to which replica should a user's request be forwarded
- how to direct a request ("global redirection")
- how to ensure consistency among the various replicas: how to synchronize changes such that the same request to two different replicas at the same time will get the same response

Content Distribution Networks (cont.)

Like web caching, a CDN helps in reducing the response time to users' requests and in saving expensive bandwidth. However, whereas a web cache is usually operated by an ISP, a CDN is operated by (or for) a content provider like CNN.com: the CDN saves the cost of an expensive access link from the content provider to its ISP.

Request routing using HTTP redirect

- The request is received by a single director.
- The director determines the address of the server closest to the user.
- It then responds with an HTTP redirect (301) message.
- The client browser transparently connects to the selected server.

[Figure: a client in Boston sends a GET to the director; the director redirects it to server 1 (NY) rather than server 2 (LA); the client then sends the GET to the NY server and receives the response.]

Request routing using a DNS director (when the CDN is operated by a CDN provider)

A DNS director is used in order to balance the access to the mirror servers.
- The client searches for the address of www.com1.com.
- The client's local DNS server sends a DNS query for www.com1.com.
- The com1.com DNS server refers the client's DNS server to dd.cdn.com (cdn.com is a CDN provider).
- The local DNS server sends to dd.cdn.com a DNS query for www.com1.com.
- Based on the address of the calling DNS server and on information about the location of the relevant mirror servers, the director determines the best server for the client and returns the address of that server to the client.

Part 6: Network Attacks and Security

Security vulnerabilities are everywhere:
- In the IP protocol
- In TCP
- In HTTP
- In routing protocols
- In DNS, in ARP, and so on

Where do the problems come from?
- Protocol-level vulnerabilities: implicit trust assumptions in the design
- Implementation vulnerabilities, both on routers and on end hosts
- Incomplete specifications, often left to the imagination of programmers

There is no generic tool for addressing all security vulnerabilities. However, two common tools are very often used: firewalls and cryptography.

IP spoofing

The attacker alters the source address of its packets, so that they appear to have come from another source. Since the attacker does not get the response packets, this is also considered blind spoofing. With blind spoofing it is difficult for the attacker to complete the setup of a TCP connection, because of the random initial sequence number selected by the server.

Main motivation for address spoofing:
- to gain access to protected resources, from servers that honor requests only from specific addresses
- to hide the source in a Distributed Denial of Service (DDoS) attack

SYN attack

This attack takes advantage of a vulnerability of TCP and of IP. The idea: an attacker sends thousands of SYN packets to a given server, usually from multiple spoofed addresses. The response of the server is not received by the attacker, but in any case the attacked machine tries to open a connection. It waits for a long time (naive implementations wait up to 9 minutes) for the ACK of the initiator, and then drops the connection. The number of pending connections, which wait for an ACK, is upper bounded, and when this maximum is reached, any new SYN is dropped.

This attack is popular because:
- It is very difficult to locate an attacker who uses spoofed addresses.
- It is very difficult to block this attack, especially if the attacker uses multiple spoofed addresses.

Prevention of source address spoofing

RFC 2827 proposes to block packets with spoofed addresses using the concept of ingress filtering. Main idea: don't allow a packet to be received over an interface which does not lead to the source. E.g., if R2 receives from Net-5 an IP packet whose source address belongs to Net-1, the packet is dropped, because the shortest path to Net-1 is through interface Net-2.

[Figure: example topology with routers R1, R2, R3, R4 and networks Net-1 to Net-7; R2 reaches Net-1 through Net-2, not through Net-5.]

But this approach does not work for inter-AS routing.
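The ingress-filtering rule described above, written out as an added example (not code from the lecture): a router accepts a packet only if its claimed source address is reachable through the interface the packet arrived on. The prefixes assigned to Net-1, Net-2, Net-5 and Net-7 and R2's forwarding table are constructed for illustration; the slide's point that this breaks down with asymmetric inter-AS routes also applies here, since the check trusts a single best path per prefix.

```python
import ipaddress

# Constructed forwarding table for router R2: destination prefix -> the
# interface through which R2 reaches that prefix (its shortest path).
# The prefix numbers are made up; only the interface relationships matter.
R2_ROUTES = {
    ipaddress.ip_network("10.1.0.0/16"): "Net-2",   # Net-1 is reached via Net-2
    ipaddress.ip_network("10.2.0.0/16"): "Net-2",   # Net-2 is directly attached
    ipaddress.ip_network("10.5.0.0/16"): "Net-5",   # Net-5 is directly attached
    ipaddress.ip_network("10.7.0.0/16"): "Net-7",   # Net-7 is directly attached
}


def route_lookup(addr, routes=R2_ROUTES):
    """Longest-prefix match: return the egress interface for addr, or None."""
    best = None
    for prefix, iface in routes.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def ingress_check(src_ip, arrival_iface, routes=R2_ROUTES):
    """RFC 2827-style ingress filter: accept the packet only if the route back
    to its source address leaves through the interface it arrived on."""
    src = ipaddress.ip_address(src_ip)
    expected = route_lookup(src, routes)
    if expected is None:
        return "drop"            # no route back to the claimed source at all
    return "accept" if expected == arrival_iface else "drop"


def filter_batch(packets, routes=R2_ROUTES):
    """Apply the check to (src_ip, arrival_iface) pairs; return accept/drop counts."""
    counts = {"accept": 0, "drop": 0}
    for src_ip, iface in packets:
        counts[ingress_check(src_ip, iface, routes)] += 1
    return counts
```

The slide's case, a packet arriving on Net-5 with a Net-1 source, is dropped because R2's route back to Net-1 leaves through Net-2; the same source arriving on Net-2 is accepted.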

More attack examples

An attack on a router: the attacker floods an ISP's router with packets carrying uncommon destination addresses. These packets blow the router's route cache, and therefore reduce the router's speed substantially.

ICMP flooding: send an ICMP Echo Request message whose destination address is a directed broadcast address and whose source address is a forged address; all the hosts in the destination network will send an ICMP Echo Reply to the forged address.

DNS cache poisoning: works if the victim server supports recursive queries.
- the attacker sends a request to the attacked DNS server
- the server forwards this request to another server
- the attacker sends a reply, pretending to be the contacted server; this requires the attacker to predict the sequence number used by the victim

More attack examples (cont.)

Web man-in-the-middle attack:
- the attacker uses DNS cache poisoning to associate the IP address of its own server with the name www.abc.com of a real server
- when a client accesses the attacker's server, this server acts as a proxy: it forwards the client's request to the real server and the server's response to the client
- consequently, the attacker is able to listen to the whole session between the real client and the real server

What's a firewall

A security mechanism usually used to protect data and computers on a private network from the uncontrolled activities of untrusted users.
- Security: makes it possible to selectively permit or deny access to the network, on the basis of the protocol used, source/destination hosts, time of day, etc.
- Policy: may enforce restrictions on outbound traffic.
- Auditing: may gather usage statistics.

The main issue in firewall design: at what layer should it operate? Higher-layer security has more intelligence, but lower-layer security is more efficient.

[Figure: the Internet firewall sits between the Internet and a private network.]

Three types of firewalls

[Figure: three diagrams, each with an internal host, a firewall and an external host. A packet filtering firewall operates at the IP layer; a transport layer firewall at the TCP/UDP layer; an application layer firewall at the application layer.]

A packet filtering firewall

- Works on a per-packet basis.
- Looks at the various fields in the IP and UDP/TCP headers.
- Determines whether or not to pass a packet based on the source and destination addresses and port numbers.
- E.g., a firewall administrator may not allow any incoming packets, except those destined for the local web server.
- E.g., a firewall administrator may allow local users to contact remote web servers by allowing outgoing packets whose destination port is 80 and incoming packets whose source port is 80. But this does not work if the remote web server is set up on port 8080 or any other port.

Examples for a packet filtering firewall

Using the following rules, only traffic for the local web server can pass through the firewall:

Direction   Action   Source address    Source port   Dest. address     Dest. port   Protocol
inbound     allow    *                 > 1023        our web server    80           TCP
outbound    allow    our web server    80            *                 > 1023       TCP
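The rule table above as an added example (not the lecture's code): a first-match evaluator over the slide's two rules, with a default deny, plus the "allow port 80 both ways" rule set from the bullet above, which shows why a remote web server on port 8080 is not reachable through it. The address of "our web server" and the client addresses are constructed.

```python
from dataclasses import dataclass

WEB_SERVER = "192.0.2.10"   # constructed address standing in for "our web server"


@dataclass
class Packet:
    direction: str   # "inbound" or "outbound"
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def _match_addr(pattern, addr):
    return pattern == "*" or pattern == addr


def _match_port(pattern, port):
    # Port patterns as written on the slide: a number, "*" or ">1023".
    if pattern == "*":
        return True
    if isinstance(pattern, str) and pattern.startswith(">"):
        return port > int(pattern[1:])
    return port == pattern


# The slide's rule table, in order: (direction, action, src, sport, dst, dport, proto).
WEB_SERVER_RULES = [
    ("inbound",  "allow", "*",        ">1023", WEB_SERVER, 80,      "tcp"),
    ("outbound", "allow", WEB_SERVER, 80,      "*",        ">1023", "tcp"),
]

# The "let local users browse" variant from the bullet: outgoing to port 80,
# incoming from port 80. It keys only on the well-known port number.
BROWSING_RULES = [
    ("outbound", "allow", "*", ">1023", "*", 80,      "tcp"),
    ("inbound",  "allow", "*", 80,      "*", ">1023", "tcp"),
]


def filter_packet(pkt, rules=WEB_SERVER_RULES):
    """Return the action of the first matching rule; deny if none matches."""
    for direction, action, sa, sp, da, dp, proto in rules:
        if (pkt.direction == direction and pkt.proto == proto
                and _match_addr(sa, pkt.src) and _match_port(sp, pkt.sport)
                and _match_addr(da, pkt.dst) and _match_port(dp, pkt.dport)):
            return action
    return "deny"   # default policy: nothing passes unless a rule allows it
```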

A problem with a packet filtering firewall: SYN attack

In a SYN attack, the attacker initiates many connections by sending SYN segments, but does not send the ACK segment, in order to avoid the completion of these connections. Therefore, the queue of pending connections (connections that have not been fetched by the application) is filled up; consequently, SYNs for legal connections are ignored.

This attack can be avoided if the host is modified such that:
- the queue backlog increases;
- if an ACK is not received within a reasonable time, an RST is sent and the connection is dropped.
However, this will require changing the software at every computer. Another approach is to employ a transport layer firewall.

Socket-layer splicing for SYN attack protection

The firewall accepts every incoming connection. If an ACK is not received within a reasonable time (e.g. 10 s), an RST is sent and the connection is dropped. If an ACK is received, data is copied in the kernel space: after a packet is received on connection A, it is processed by TCP and then is added to the send_buffer of connection B. By not moving the data to the user space, like an application layer firewall would do, many CPU cycles are saved.

[Figure: the client completes the SYN / SYN+ACK / ACK handshake with the firewall, and the firewall opens a second connection (SYN / SYN+ACK / ACK) to the internal server; data is spliced between the two connections at the socket layer, below the application layer, passing through the TCP/IP layer, the NIC driver and the NIC on each side.]

Another possible solution

[Figure: two sequence diagrams between an external client, the firewall and the internal server. Success: the client's SYN is answered by the firewall with SYN+ACK; when the client's ACK arrives, the firewall completes the handshake with the internal server and the connection proceeds with data exchange and FIN. Failure: the ACK is not received, the firewall times out and sends an RST.]

Main advantage: after the connection is established, the gateway does not need to be involved in data transfer (it functions as a router only). Therefore, the processing overhead is avoided.

Firewall architectures: (1) a packet filtering firewall

The simplest architecture: inexpensive, but also insecure.

[Figure: Internet - packet filtering router - private network.]
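The transport-layer defence from the last two slides (the firewall answers every SYN itself, times out half-open entries with an RST, and involves the internal server only once the client's ACK has arrived), as an added simulation that is not the lecture's code. Timestamps are an explicit clock rather than real time, client addresses are constructed, and the sequence-number translation a real implementation needs once it hands the connection to the server is left out.

```python
ACK_TIMEOUT = 10.0   # seconds to wait for the client's ACK, as on the slide


class SynProxyFirewall:
    """Transport layer firewall that absorbs half-open connections so the
    internal server's pending-connection queue never sees a SYN flood."""

    def __init__(self, timeout=ACK_TIMEOUT):
        self.timeout = timeout
        self.half_open = {}       # (client_ip, client_port) -> time SYN+ACK was sent
        self.established = set()  # connections handed to the internal server
        self.events = []          # segments the firewall emitted, for inspection

    def on_syn(self, client, now):
        # Answer with SYN+ACK on the server's behalf; the server is not contacted.
        self.half_open[client] = now
        self.events.append(("SYN+ACK", client))

    def on_ack(self, client, now):
        """Client completed the handshake: open the internal connection.
        Returns True if the connection was accepted, False if it was reset."""
        sent = self.half_open.pop(client, None)
        if sent is None or now - sent > self.timeout:
            self.events.append(("RST", client))   # unknown or too-late handshake
            return False
        self.established.add(client)
        self.events.append(("SYN-to-internal", client))
        return True

    def expire(self, now):
        """Reset half-open entries whose ACK never came (the spoofed SYNs).
        Returns how many entries were dropped."""
        expired = [c for c, t in self.half_open.items() if now - t > self.timeout]
        for c in expired:
            del self.half_open[c]
            self.events.append(("RST", c))
        return len(expired)

    def rst_count(self):
        return sum(1 for kind, _ in self.events if kind == "RST")
```

A periodic call to expire() plays the role of the timer on the slide; a flood of spoofed SYNs only ever costs the firewall one table entry each, while the internal server receives a SYN solely for clients that answered.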

Firewall architectures: (2) a dual-homed application gateway

- All traffic must go through the application layer firewall.
- No other internal server is accessible.
- Secure, but has performance limitations.

[Figure: Internet - router - application gateway - private network.]

Firewall architectures: (3) a screened host firewall

- For some protocols, only specific servers are accessible. E.g., incoming HTTP traffic is accepted only for the public web server.
- Traffic of other specific protocols is accepted only if the destination is the gateway.
- Outbound traffic is accepted from every host.

[Figure: Internet - packet filtering router - private network containing the application gateway and the public web server.]

Firewall architectures: (4) a screened subnet firewall

- The DMZ is a neutral zone between the private and the public networks.
- The outer router only advertises the DMZ to the external network; this helps in avoiding address spoofing.
- The inner systems are completely isolated from the outer world.
- The DMZ servers are not allowed to initiate connections towards the private network hosts.

[Figure: Internet - outer packet filtering router - DMZ (services open for public access: mail server, public web server, application gateway) - inner packet filtering router - private network (services not open for public access).]