CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24



Similar documents
Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

A S B

CS5008: Internet Computing

Security vulnerabilities in the Internet and possible solutions

Secure Software Programming and Vulnerability Analysis

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

Security: Attack and Defense

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Linux Network Security

Denial of Service Attacks

CS 356 Lecture 16 Denial of Service. Spring 2013

Chapter 8 Security Pt 2

Firewalls and Intrusion Detection

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

Network Security Fundamentals

About Firewall Protection

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Network Security in Practice

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Introduction of Intrusion Detection Systems

Flashback: Internet design goals. Security Part Two: Attacks and Countermeasures. Security Vulnerabilities. Why did they leave it out?

Chapter 4 Firewall Protection and Content Filtering

Client Server Registration Protocol

How To Classify A Dnet Attack

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Solution of Exercise Sheet 5

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

General Network Security

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Chapter 4 Firewall Protection and Content Filtering

Firewalls, Tunnels, and Network Intrusion Detection

Denial of Service Attacks. Notes derived from Michael R. Grimaila s originals

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Firewalls. Chapter 3

CMS Operational Policy for Firewall Administration

Denial Of Service. Types of attacks

Firewall Firewall August, 2003

Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Denial of Service Attacks

Content Distribution Networks (CDN)

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Cryptography and network security

TCP/IP Security Problems. History that still teaches

Denial of Service. Tom Chen SMU

Botnets. Botnets and Spam. Joining the IRC Channel. Command and Control. Tadayoshi Kohno

CMPT 471 Networking II

CSCI 4250/6250 Fall 2015 Computer and Networks Security

Directory and File Transfer Services. Chapter 7

Firewall Design Principles Firewall Characteristics Types of Firewalls

TELE 301 Network Management. Lecture 16: Remote Terminal Services

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

RemotelyAnywhere. Security Considerations

Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

SECURING APACHE : DOS & DDOS ATTACKS - I

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

Reducing the impact of DoS attacks with MikroTik RouterOS

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Attack Lab: Attacks on TCP/IP Protocols

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Network Management Card Security Implementation

TELE 301 Network Management. Lecture 17: File Transfer & Web Caching

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies


SCP - Strategic Infrastructure Security

Cisco Secure PIX Firewall with Two Routers Configuration Example

Chapter 7. Firewalls

Attack and Defense Techniques

Securing Cisco Network Devices (SND)

Seminar Computer Security

IDS / IPS. James E. Thiel S.W.A.T.

Network Security. Chapter 9. Attack prevention, detection and response. Attack Prevention. Part I: Attack Prevention

Name: 1. CSE331: Introduction to Networks and Security Fall 2003 Dec. 12, /14 2 /16 3 /16 4 /10 5 /14 6 /5 7 /5 8 /20 9 /35.

SECURING APACHE : DOS & DDOS ATTACKS - II

Detailed Description about course module wise:

Network Defense Tools

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN

Malicious Programs. CEN 448 Security and Internet Protocols Chapter 19 Malicious Software

DoS/DDoS Attacks and Protection on VoIP/UC

How To Protect Your Network From Attack From Outside From Inside And Outside

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

CISCO IOS NETWORK SECURITY (IINS)

A43. Modern Hacking Techniques and IP Security. By Shawn Mullen. Las Vegas, NV IBM TRAINING. IBM Corporation 2006

Reverse Shells Enable Attackers To Operate From Your Network. Richard Hammer August 2006

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Certified Ethical Hacker Exam Version Comparison. Version Comparison

co Characterizing and Tracing Packet Floods Using Cisco R

P Principles of Network Forensics P Terms & Log-based Tracing P Application Layer Log Analysis P Lower Layer Log Analysis

TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS

FIREWALL AND NAT Lecture 7a

Transcription:

Introduction to Computer Networks Lecture24 Network security (continued) Key distribution Secure Shell Overview Authentication Practical issues Firewalls Denial of Service Attacks Definition Examples Key Distribution a first step How can we be sure a key belongs to the entity that purports to own it? Solution = certificates special type of digitally signed document: I certify that the public key in this document belongs to the entity named in this document, signed X. X is the name of the entity doing the certification Only useful to the entity which knows the public key for X Certificates themselves do not solve key distribution problem but they are a first step Certified Authority (CA) administrative entity that issues certificates useful only to someone that already holds the CA s public key can trust more than one CA

Key Distribution (cont) Chain of Trust if X certifies that a certain public key belongs to Y, and Y certifies that another public key belongs to Z, then there exists a chain of certificates from X to Z someone that wants to verify Z s public key has to know X s public key and follow the chain X.509 is a standard for certificates Certificate Revocation List Means for removing certificates Periodically updated by CA Key Distribution (cont.) PGP (Pretty Good Privacy) provides email encryption and authentication Uses web of trust instead of chain of trust You assign various levels of trust to public keys (e.g. if you got the key when you met face to face you trust it a lot) People certify others public keys You trust a public key if it has enough chains of trust The more disjoint paths in the trust graph the better The shorter the paths the better The more you trust the heads of the paths the better Network security (continued) Key distribution Secure Shell Overview Authentication Practical issues Firewalls Denial of Service Attacks Definition Examples

Secure Shell (SSH) Overview SSH is a secure remote virtual terminal application Provides encrypted communication over an insecure network Assumes eavesdroppers can hear all communications between hosts Provides different methods of authentication Encrypts data exchanged between hosts Intended to replace insecure programs such as telnet, rsh, etc. Includes capability to securely transfer file SCP Can forward X11 connections and TCP ports securely Very popular and widely used Not invulnerable! SSH authentication Client authenticates server The client caches the public keys of all servers it talks to User can add new keys to the cache Otherwise the user is warned when first connecting to a given server Server authenticates client Through user s password Public RSA key the user puts ahead of time on the server Other, riskier methods At connection setup server and client agree on a session key used to encrypt communication Many algorithms allowed (IDEA, Blowfish, Triple DES, etc.) SSH in Practice Host public/private key is generated when SSH is installed Public key must be in ~/.ssh/known_hosts on remote systems ssh-keygen command is used to generate users public/private keys Public key copied to ~/.ssh/authorized_keys on remote systems Each private key in ~/.ssh/identity requires a pass phrase when used Ssh-agent eliminates need for repeated typing of pass phrase Password authentication is vulnerable to guessing attacks Server logs all unsuccessful login attempts X11 and port forwarding enable encrypted pipe through the Internet Can be used to securely access insecure application eg. SMTP Can be used to circumvent firewalls

Network security (continued) Key distribution Secure Shell Overview Authentication Practical issues Firewalls Denial of Service Attacks Definition Examples Firewalls overview Firewalls restrict communication between an organization s computers and the outside world Keep the bad guys on the outside from exploiting vulnerabilities on the inside Without restricting legitimate traffic NAT boxes implement a popular firewall policy Allow internal clients to connect to outside servers Do not allow inbound connections Two types of firewalls Filter based (layer 4) Proxy based (application layer) Firewalls Rest of the Internet Firewall Local site Filter-Based Solution Apply a set of rules to packets Look at packet headers Example of rules action ourhost port theirhost port block * * BLASTER * allow OUR_GW 25 * * Default: forward or not forward? How dynamic? comment We don t trust this system Connects to our SMTP srvr

Proxy-Based Firewalls Problem: complex policy Example: web server Remote company user Internet Firewall Company net Web server Random external user Solution: proxy External client Firewall Proxy Local server External HTTP/TCP connection Internal HTTP/TCP connection Design: transparent vs. classical Limitations: attacks from within Network security (continued) Secure Shell Overview Authentication Practical issues Firewalls Denial of Service Attacks Definition Examples Denial of Service (DoS) Attacks A general form of attacking inter-networked systems Based on overloading end systems (or network) Result is sever reduction in performance or complete shutdown of target systems Focus of attack can be links, routers (CPU) or end hosts Flooding attacks pretty common nowadays Other most general form of attack is a break-in Port scans Buffer overflows Password cracking

Overloading a System The goal of DoS is to drown legitimate traffic in a sea of garbage traffic Clients experience delays due to congestion Dropped packets lead to exponential backoff in timeouts Routers can become overloaded Servers become overloaded by increased number of connect requests TCP connection setup requires state on server Server is required to respond to SYN from clients Clients don t respond to server s response IP Spoofing Insert a different source IP address in TCP and IP headers DoS attackers spoof for two reasons They don t want to be discovered Spoofing can add additional load If attacker spoofs a legitimate IP address Reset can be triggered by either attacked host or actual IP host Frees resources immediately on server Carefully chosen sequence #s block new connections from host Attackers spoof with random IP addresses Server response to client SYN will be lost Server will not free resources for 75 seconds (typically) SYN cookies on allow server kernel not to keep state Key Elements of DoS Attack Expansion in required work Easy for me, harder for you Expansion in IP spoofing Me: generate SYNs as fast as possible (microseconds) You: Timeout a SYN open every 75 seconds Best effort protocols Drop tail queues No source specificity Clients can be starved or slowed to crawl

DoS Attack Characteristics Expansion makes a only a few systems necessary DDoS: attack from as many places as possible Enables better utilization of network resources Helps to prevent countermeasures Helps to obscure attackers DoS software readily available Most found in IRC chat rooms DoS attacks frequently preceded by break-ins to install DoS software onto zombies Enables even more anonymity for attacker Things making DoS Attacks easy Lots of systems Large networks Naïve users with high speed Internet access Savvy bad guys Lots of free DoS software Poor operating and management policies Hugely complex software (on endhosts) with lots of well publicized holes Lack of means for stopping attacks Dealing with DoS Attacks Don t reserve state until receipt of client ACK DOS attackers using spoofing don t send these Otherwise they would have to keep state Use of crypto to avoid saving state Send one-use key with server response to SYN Response ACK must return key Intrusion detection tools Cut off an attack at a firewall if you recognize it Bro, Snort IP traceback methods There are lots of companies in this space!

Example of (D)DoS Code Red Worm Released and identified on July 19, 2001 Infected over 250k systems in 9 hours Takes advantage of hole in IIS on Win NT or Win 2k And the fact that most people don t know IIS ON is default Infected systems are completely compromised Code Red installs itself in OS kernel Small and efficient V1 could be eliminated by reboot Spends half its time trying to infect other systems, and half its time DoS ing the White House and Pentagon

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information