CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz

CMSC 414Computer and Network Security

Lecture 28

Jonathan Katz

Administrivia

Final exam reminder + study guide– DSS students contact me

– A-G in 3258 AVW; H-Z in classroom

Course evaluations– www.CourseEvalUM.umd.edu

SSL in wireshark

IPsec

Overview

IPsec can provide security between any two network-layer entities– host-host, host-router, router-router

Used widely to establish VPNs

IPsec encrypts and/or authenticates network-layer traffic, and encapsulates it within a standard IP packet for routing over the Internet

Overview

IPsec is a complex, over-engineered protocol– Lots of un-needed features

Interoperability is challenging– Defeats the point of having a standard

IPsec is less used than it should(?) be

Overview

IPsec consists of two components– IKE --- Used to establish a key

– AH/ESP --- Used to send data once a key is established (whether using IKE or out-of-band)

AH (authentication header)– Data integrity, but no confidentiality

ESP (encapsulating security payload)– Data integrity + confidentiality

– (Other differences as well)

Security policy database

Nodes maintain a table specifying what is required for each incoming packet– Drop

– Forward/accept without IPsec protection

– Require IPsec protection• Auth only

• Enc only

• Both

Decisions can be based on any information contained in the packet

Security associations (SAs)

When a node receives a packet, it needs to know who it is from– May be receiving IPsec traffic from multiple senders at

the same time -- possibly even with the same IP address

An SA defines a network-layer unidirectional logical connection– For bidirectional communication, need two SAs

The IPsec header indicates which security association to use

Security associations (SAs)

An SA contains crypto keys, the identity/IP address of the other party, a sequence number, and crypto parameters (algorithms, auth/enc/both)

IPsec: IKE

Overview of IKE

IKE provides mutual authentication, establishes a shared key, and creates an SA

Assumes a long-term shared key, and uses this to establish a session key (as well as to provide authentication)

Supported key types– Public signature keys

– Public encryption keys

– Symmetric keys

IKE phases

Phase 1: long-term keys used to derive a session key (and provide authentication)– Roughly analogous to SSL session

Phase 2: the session key is used to derive SAs– Roughly analogous to SSL connection

In theory, can run phase 1 once, followed by multiple executions of phase 2

• E.g., different flows between same endpoints

• Why not use same key for each?

– In practice, this rarely happens

Phase 1 session keys

Two session keys are defined in phase 1– One each for encryption/authentication

These keys are used to protect the final phase 1 messages as well as all phase 2 messages

Key types

As mentioned earlier…

Why are there two PK options?– Signature-based option

• Efficiency (can start protocol knowing only your own public key, then get other side’s key from their certificate)

• Legal reasons/export control

– Encryption-based option• Can be used to provide anonymity in both directions

Adds tremendously to the complexity of implementation

IKE phase 1

Aggressive mode– 3 messages

Main mode– 6 messages

– Additional features:• Anonymity

• Negotiation of crypto parameters

Anonymity Protocols can be designed so that identities of the

parties are hidden from eavesdroppers– Even while providing authentication!

Can also protect anonymity of one side against active attacks– Whom to protect?

• Initiator: since responder’s identity is generally known…• Responder: since otherwise it is easy to get anyone’s identity

Aggressive mode Alice sends ga, “Alice”, crypto algorithms

– Note that choices are restricted by this message

Bob sends gb, choice of crypto algorithm, “proof” that he is really Bob– If Bob does not support any of the suggested

algorithms, he simply does not reply– Note that there is no way to authenticate a refusal, since

no session key yet established

Alice sends “proof” that she is Alice

Derive shared key from gab

Main mode

Negotiate crypto algorithms (2 rounds)

Alice and Bob do regular Diffie-Hellman key exchange (2 rounds)

Alice sends encryption of “Alice” plus a proof that she is Alice, using long-term secret keys plus (keys derived from) gab

Bob does similarly…

Crypto parameters…

Choice of: – Encryption method (DES, 3DES, …)

– Hash function (MD5, SHA-1, …)

– Authentication method (e.g., key type, etc.)

– Diffie-Hellman group (e.g., (g, p), etc.)

A complete set of protocols (a security suite) must be specified

Negotiating parameters

Many protocols allow parties to negotiate cryptographic algorithms and parameters– Allows users to migrate to stronger crypto; increases

inter-operability (somewhat)

But, opens up a potential attack if not authenticated somehow…

Also makes for more complicated implementations

“Proofs of identity”

Depend on which type of long-term shared key is being used

Similar (in spirit) to the authentication protocols discussed in class

IPsec: AH/ESP

AH vs. ESP

Two header types…

Authentication header (AH)– Provides integrity only

Encapsulating security payload (ESP)– Provides encryption + integrity

Both provide cryptographic protection of everything beyond the IP headers – AH additionally provides integrity protection of some

fields of the IP header

Transport vs. tunnel mode

Transport mode: add IPsec information between IP header and rest of packet– IP header | IPsec | [ packet ]

Designed for end-to-end secure communication

protected

Firewalls and transport mode

Transport mode may cause problems if there are firewalls between the communicating hosts– Firewalls can’t inspect higher-layer information, like

ports or applications

Tunnel mode was suggested to overcome this…– Traffic secured between the firewalls (or between one

firewall and the other end host)

– End host(s) can be oblivious to what is being done

Transport vs. tunnel mode Tunnel mode: keep original IP packet intact but

protect it; add new header information outside– New IP header | IPsec | [ old IP header | packet ]

– Can be used when IPSec is applied at intermediate points along path (e.g., for firewall-to-firewall traffic)

• Treat the link as a secure tunnel

– New IP header different from old header since, e.g., src/dest have changed

protected

Transport vs. tunnel mode

Note that tunnel mode subsumes transport mode…– …but transport mode is more efficient

Tunnel mode also hides (some information about) the communicating parties

More on AH

AH provides integrity protection on header– But some fields change en route!

Immutable fields included in the integrity check

Mutable but predictable fields are also included in the integrity check– The final value of the field is used

More on ESP

ESP provides both confidentiality and integrity– On data only, not header

• Header can’t be encrypted

More on AH vs. ESP

ESP can already provide encryption and/or authentication

So why do we need AH?– AH also protects the IP header

– Export restrictions

– Firewalls need some high-level data to be unencrypted

None of these are compelling…

Intrusion detection

Prevention vs. detection Firewalls (and other security mechanisms) aim to

prevent intrusion

IDS aims to detect intrusion in case it occurs

Use both in tandem!– Defense in depth, full prevention impossible– Outsider vs. insider attacks– The sooner intrusion is detected, the less the damage– IDS can also be a deterrent, and can be use to detect

weaknesses in other security mechanisms

IDS tradeoff

IDS based on the assumption that attacker behavior is (sufficiently) different from legitimate user behavior

In reality, there will be overlap– Some legitimate behavior may appear malicious

– Intruder can attempt to disguise their behavior as that of an honest user

False positives/negatives

False positive– Alarm triggered by acceptable behavior

False negative– No alarm triggered by illegal behavior

Always a tradeoff between the false positive and false negative rate

False alarms?

Say we have an IDS that is 99% accurate– I.e., Pr[alarm | attack] = 0.99 and

Pr[no alarm | no attack] = 0.99

An alarm goes off -- what is the probability that an attack is taking place?

To increase this probability, what should we focus on improving??

False alarms

Say the probability of an attack is 1/1000

Use Bayes’ law:Pr[attack | alarm] = Pr[alarm | attack] Pr[attack] / Pr[alarm] = 0.99 * 0.001 / (0.99 * 0.001 + 0.01 * 0.999) ≈ 0.001/(0.001 + 0.01) ≈ 0.1

I.e., when an alarm goes off, 90% of the time it will be a false alarm!

How best to lower this number?

False alarms

Improving Pr[alarm | attack] to 100% givesPr[attack | alarm] ≈ 0.1 (essentially unchanged)

Improving Pr[no alarm | no attack] to 99.9% gives Pr[attack | alarm] ≈ 0.5

Two types of IDS

Signature-based ≈ looks for improper behavior– Roughly analogous to blacklisting

Anomaly-based ≈ looks for atypical behavior– Roughly analogous to whitelisting

Signature (rule-based) detection

Define a set of “bad patterns” (e.g., known exploit characteristics, known bad events)

Detect these patterns if they occur

Example rules

Incoming packets with a certain pattern match a known exploit

Users should not read files in other users’ directories

Users should not be logged in simultaneously from more than one location

Users do not make copies of system programs

No incoming requests except to port 80

Anomaly detection

Monitor behavior and compare to some “baseline” behavior using statistical tests– Look for deviations from “normal behavior”

“Normal behavior” can be defined on a global level or a per-user level

“Normal behavior” can be specified by a human, or learned automatically over time

Overlap in observed or expected behavior

Profile of authorized user behavior

Profile of Intruder behaviorProbability

density function

Average behaviour of intruder

Average behaviour of authorized user

Measurable behaviour parameter

Metric Model Justification

Login frequency by date and time

Mean and standard deviation

Intruders are more likely to login during off-hours

Frequency of login at different locations

Mean and standard deviation

Intruders may login from a location that a legitimate user does not

Time since last login Markov (time series) Break-in to unused account

Length of session Mean and standard deviation

Masquerader may run a much shorter or longer session

Large amount of data copied to some location

Mean and standard deviation

Detect attempt to copy large amounts of sensitive data

Password failures at login

Unusual event/ operational

Detect attempt to guess passwords

Two places IDS can be run

Host-based IDS (HIDS)

Network-based IDS (NIDS)

Host-based IDS

Monitors events on a single host

Can (potentially) observe the effects of an attack (in addition to possibly detecting the attack itself)

Can detect both internal and external intrusions

Distributed host-based IDS

Combine information collected at many different hosts in the network

One or more machines in the network will collect and analyze the network data– Can correlate information across multiple hosts

– E.g., same event occurring simultaneously across all machines might be suspicious

– Or, an event occurring on only one machine might be suspicious

Network-based IDS

Monitors traffic at selected points on the network– Real time; packet-by-packet

By looking at all network traffic, can potentially get a global view

Sensor types Inline sensor

– Inserted in network path; all traffic passes through the sensor

Passive sensor– Monitors a copy of network traffic

Passive sensor more efficient; inline sensor can block attacks immediately

Sensor placement Inside firewall?

– Can detect attacks that penetrate firewall– Can detect firewall misconfiguration– Can examine outgoing traffic more easily to detect

insider attacks– Can configure based on network resources being

accessed (e.g., configure differently for traffic directed to web server)

Outside firewall?– Can document attacks (types/locations/number) even if

prevented by firewall (can then be handled out-of-band)

Drawbacks of NIDS

Cannot analyze encrypted traffic

Cannot observe attack effects

Honeypots

Decoy systems to lure potential attackers– Divert attackers from critical systems

– Collect information about attacker’s activity

– Delay attacker long enough to respond

Since honeypot is not legitimate, any access to the honeypot is suspicious

Can have honeypot computers, or even honeypot networks

Honeypot placement

Outside firewall– Can detect attempted connections to unused IP

addresses, port scanning

– No risk of compromised system behind firewall

– Does not divert internal attackers

Fully internal honeypot– Catches internal attacks

– Can detect firewall misconfigurations/vulnerabilities

– If compromised, run the risk of a compromised system

Course summary

What should you take away from this course (after the final)? Security mind-set

– Not limited to computers/networks!

Security is complex– Draws on many different disciplines

– Need to know what you are doing

Security is hard, still evolving– We did not cover some of the most important present-

day attacks: spam, phishing, DDos, viruses, …

Security is challenging…but fun!

Thank you!