Southeastern Security for Enterprise and Infrastructure (SENSEI) Center CNT 5410 - Computer and Network Security: Network Security Professor Kevin Butler Fall 2015


Page 1: CNT 5410 - Computer and Network Security: Network Security

Professor Kevin Butler, Fall 2015

Page 2: Reminders

• Related Work sections are due Friday.

• Make sure that you turned it into Canvas, and that you included all of your project partners’ names.

• Assignment #3 will be posted this week.


Page 3: Why Discuss Related Work?

• Ideally:

• Demonstrate knowledge of other solutions and the wider issue

• Understand failures of those other solutions to solve the problem (or how you can do it better)

• Build on the knowledge of your peers

• Motivate the rest of your research

• Practically: the points above, plus it ensures that the people reviewing your paper see their work cited


Page 4: Where to Put Related Work

• Two places where it usually goes:

• Second section of the paper (right after intro)

• Second-last section (right before conclusion)

• General guidelines:

• If you’re doing something fundamentally new or exploring a new area, get to content as fast as possible (put related work last)

• If you’re working in an established space (much of the time), put the related work first so you can convince the reader you know the space well


Page 5: What Should Be Here?

• A good paper has a “narrative arc”.

• Narrative thread that runs through all components

• Connects introduction to conclusion with a story

• More critically: gives the reader the ability to read and understand every section

• Consider a good novel: if you can skip large portions of the middle because they don’t develop character or plot, it’s probably not a particularly good book.

• Related work sets the stage for the rest of the work by providing a backdrop for the material

• Gives background, sets the stage for your contribution


Page 6: What Shouldn’t It Be?

• Laundry lists of papers

• e.g., Person A did work X [1]. Person B followed with work Y, which improved performance [2]. Person C tried technique Z [3].

• This is a lazy way of writing related work. It fails to:

• use an opportunity to show why your solution is the right one to pursue

• keep the reader’s attention

• demonstrate deep knowledge of other work in the field and the implication of these approaches

• This is one way to convince a reviewer of your paper that you don’t know what you’re talking about

• Also invites room for willful mis-interpretation (it happens).

• Nobody ever accepted a paper because of the related work, but papers have been rejected because related work was insufficient.


Page 7: What You Need to Do

• When you write: figure out where to start and where to end

• Don’t give the entire history of everything, but make it relevant to the problem at hand

• Knowing where you are and where you have to go, you can create the narrative arc.

• By the end of the section: you should have convinced the reader that your approach is the logical and necessary next step towards solving the problem that you’re motivating.


Page 8: But What Do I Write?

• Best way to see what to do: read papers in the area related to your project, and practice writing your own

• Ask yourself whether the related work you’re reading motivates the story and moves it forward

• Recognize when the section is doing a poor job

• You’re not writing because you have to: you’re doing this to win over your reader into believing that you’re doing important work worth reading about

• You’re doing the same thing for a reviewer!


Page 9: Networking

• Fundamentally about transmitting information between two devices

• Direct communication is now possible between any two devices anywhere (just about)

• Lots of abstraction involved

• Lots of network components

• Standard protocols

• Wired and wireless

• Works in protection environment

• What about ensuring security?


Page 10: Network Security

• Every machine is connected

• What is the trust model of the network?

• Not just limited to dogs as users

• What other ‘dogs’ are out there?


Page 11: Exploiting the network ...

• The Internet is extremely vulnerable to attack

• it is a huge open system ...

• which adheres to the end-to-end principle

• smart end-points, dumb network

• Can you think of any large-scale attacks that would be enabled by this setup?


Page 12: E2E Argument

• Clark et al. note a property of good systems that says features should be placed as close to resources as possible

• In communication, this means that we want the middle of the network to be simple, and the end-points to be smart (e.g., do everything you can at the end-points)

• “Dumb, minimal network”

• This is the guiding principle of IP (Internet)

• Q: Does this have an effect on security?

• Note: this is a departure from the early networks, which had a smart network and dumb terminals


Page 13: Network Security …

• This is a poorly understood engineering discipline.


• The following looks at the application of tools …


Page 14: Network security: the high bits

• The network is …

• … a collection of interconnected computers

• … with resources that must be protected

• … from unwanted inspection or modification

• … while maintaining adequate quality of service.

• Another way of seeing network security is

• Securing the network infrastructure such that the integrity, confidentiality, and availability of the resources is maintained.

• Q: How do we do this?


Page 15: The network …

[Figure: network diagram labelled perimeter, hosts/desktops, edge, server, remote hosts/servers; LAN and Internet joined by routers]

Page 16: The big picture ….

• Internet Protocol (IP)

• Really refers to a whole collection of protocols making up the vast majority of the Internet

• Routing

• How these packets move from place to place

• Network management

• Administrators have to maintain the services and infrastructure supporting everyone’s daily activities


Page 17: Network security – the tools …

• Filtering

• Firewalls

• Communication Security and Services

• DNSsec, IPsec, SSH, ...

• Isolation

• VPNs, VLANs

• Detection and mitigation

• intrusion detection

• DDoS tools


Page 18: Security Problems in the TCP/IP Protocol Suite

• Bellovin’s observations about security problems in IP

• Not really a study of how IP is misused, e.g., IP addresses for authentication, but really what is inherently bad about the way in which IP is set up

• A really nice overview of the basic ways in which security and the IP design are at odds


Page 19: Sequence number prediction

• TCP/IP uses a three-way handshake to establish a connection

• C -> S: QC

• S -> C: QS, ack(QC) where sequence number QS is a nonce

• C -> S: ack(QS) … then send data

• However, assume the bad guy does not hear message 2: if he can guess QS, then he can get S to accept whatever data he wants (useful if doing IP authentication, e.g., “rsh”)

[Figure: Client, Server and Adversary]

Page 20: Sequence Number Prediction (fixes)

• The only way you really fix this problem is to stop making the sequence numbers predictable:

• Randomize them -- you can use DES or some other mechanism to generate them randomly

• There is an entire sub-field devoted to the creation and management of randomness in OSes

• Also, you could look for inconsistencies in timing information

• Assumption: the adversary has different timing than

• OK, maybe helpful, but far from definitive
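Added example, not part of the lecture slides: a counter-based initial sequence number generator of the kind Bellovin described next to a keyed one with the structure of RFC 6528 (ISN = M + F(4-tuple, secret)), and a measurement of how far a straight-line extrapolation from an observer's own connections lands from the ISN the server hands a third party. The HMAC-SHA256 choice for F, the 4-microsecond clock and the injectable `clock`/`key` parameters are this example's own assumptions; RFC 6528 itself suggests MD5.

```python
import hashlib
import hmac
import secrets
import time

MASK32 = 0xFFFFFFFF


class NaiveISN:
    """Constructed stand-in for the predictable generators Bellovin described:
    one global counter, bumped by a fixed step for every new connection."""

    def __init__(self, start=0, step=64_000):
        self.counter = start
        self.step = step

    def isn(self, local, remote):
        self.counter = (self.counter + self.step) & MASK32
        return self.counter


class KeyedISN:
    """ISN = M + F(local ip, local port, remote ip, remote port, secret), the
    structure of RFC 6528. M is a clock in 4-microsecond ticks; F is a keyed hash
    over the 4-tuple (RFC 6528 suggests MD5; HMAC-SHA256 is our choice here).
    `key` and `clock` are injectable only so the behaviour can be tested."""

    def __init__(self, key=None, clock=None):
        self.key = key if key is not None else secrets.token_bytes(32)
        self.clock = clock if clock is not None else (lambda: int(time.monotonic() * 250_000))

    def isn(self, local, remote):
        lip, lport = local
        rip, rport = remote
        tup = f"{lip}:{lport}>{rip}:{rport}".encode()
        f = int.from_bytes(hmac.new(self.key, tup, hashlib.sha256).digest()[:4], "big")
        return (self.clock() + f) & MASK32


def extrapolate(observed):
    """The guess that breaks a counter-based generator: assume the increment seen
    between the last two ISNs repeats for the next connection."""
    step = (observed[-1] - observed[-2]) & MASK32
    return (observed[-1] + step) & MASK32


def prediction_error(gen, server, observer, victim):
    """Distance between an extrapolation from an observer's own two connections and
    the ISN the server then issues for a third party's connection (0 = exact hit).
    With KeyedISN the clock term cancels out, leaving only the keyed hash values."""
    seen = [gen.isn(server, (observer, 40000)), gen.isn(server, (observer, 40001))]
    guess = extrapolate(seen)
    actual = gen.isn(server, (victim, 50000))
    return (guess - actual) & MASK32


if __name__ == "__main__":
    server, observer, victim = ("192.0.2.10", 513), "192.0.2.77", "192.0.2.5"
    print("counter generator, prediction error:", prediction_error(NaiveISN(), server, observer, victim))
    print("keyed generator,   prediction error:", prediction_error(KeyedISN(), server, observer, victim))
```

The point of `prediction_error` is the one the slide makes: with the counter the error is exactly zero, so observing one's own connections is enough to predict anyone else's; with the keyed scheme the observer's ISNs say nothing about a connection from a different address, while the same 4-tuple still gets a monotonically advancing ISN, which is what keeps old segments from being misdelivered.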


Page 21: Routing Manipulation

• RIP - routing information protocol

• Distance vector routing protocol used for local network

• Routers exchange reachability and “distance” vectors for all the sub-networks within (a typically small) domain

• Use vectors to decide which is best, notification of changes is propagated quickly

• So, the big problem is that you receive vast amounts of data that a router uses to form the routing table

• So, just forge that, and the game is up

• Manipulate paths, DOS, hijack connections, etc.

• Solutions:

• Authenticate the data, but it is less than obvious how to do this efficiently (a whole lot of people are trying)


Page 22: Internet Control Message Protocol (ICMP)

• ICMP is used as a control plane for IP messages

• Ping (connectivity probe)

• Destination Unreachable (error notification)

• Time-to-live exceeded (error notification)

• These are used for good purposes, and are largely indispensable tools for network management and control

• Error notification codes can be used to reset connections without any auth.

• Solution: verify/sanity check sources and content

• ICMP “returned packets”

• Real solution: filter most of ICMP, ignore it
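Added example, not from the slides, of the “verify/sanity check sources and content” fix: an ICMP error message quotes the IP header and first 8 bytes of the datagram it complains about, so a TCP stack can refuse to act unless that quotation names a connection it actually has and a sequence number it has sent but not yet seen acknowledged (the check RFC 5927 recommends). The connection table, the constructed messages, and the simplified “hard codes abort, others are soft” policy (the RFC 1122 split) are this example's own assumptions.

```python
import ipaddress
import struct

ICMP_DEST_UNREACH = 3
HARD_CODES = {2, 3, 4}      # protocol unreachable, port unreachable, fragmentation needed
MASK32 = 0xFFFFFFFF


def build_icmp_error(code, src, dst, sport, dport, seq, icmp_type=ICMP_DEST_UNREACH):
    """Constructed test input: an ICMP error whose payload quotes the IPv4 header and
    first 8 bytes of TCP of the datagram it complains about (checksums left zero)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                           ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed)
    inner_tcp = struct.pack("!HHI", sport, dport, seq)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + inner_ip + inner_tcp


def parse_icmp_error(data):
    """Return (type, code, quoted 4-tuple, quoted TCP seq); ValueError if the quotation
    is not a complete IPv4/TCP header fragment."""
    if len(data) < 8 + 20 + 8:
        raise ValueError("truncated ICMP error")
    icmp_type, code = data[0], data[1]
    quoted = data[8:]
    fields = struct.unpack("!BBHHHBBH4s4s", quoted[:20])
    ver_ihl, proto, src, dst = fields[0], fields[6], fields[8], fields[9]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 6 or len(quoted) < ihl + 8:
        raise ValueError("quoted datagram is not a usable IPv4/TCP header")
    sport, dport, seq = struct.unpack("!HHI", quoted[ihl:ihl + 8])
    tup = (str(ipaddress.IPv4Address(src)), sport, str(ipaddress.IPv4Address(dst)), dport)
    return icmp_type, code, tup, seq


def in_send_window(seq, snd_una, snd_nxt):
    """snd_una <= seq < snd_nxt in 32-bit modular arithmetic."""
    return ((seq - snd_una) & MASK32) < ((snd_nxt - snd_una) & MASK32)


def icmp_error_verdict(data, connections):
    """Simplified stack policy: act on a destination-unreachable only if the quoted
    datagram belongs to a connection we have AND quotes data we sent but have not yet
    seen acknowledged (the RFC 5927 check); everything else is dropped."""
    try:
        icmp_type, code, tup, seq = parse_icmp_error(data)
    except ValueError:
        return "ignore"
    if icmp_type != ICMP_DEST_UNREACH:
        return "ignore"
    conn = connections.get(tup)
    if conn is None:
        return "ignore"                      # no such connection: unsolicited or forged
    if not in_send_window(seq, *conn):
        return "ignore"                      # quotation does not match in-flight data
    return "abort" if code in HARD_CODES else "soft"


# Constructed connection table: (local ip, local port, remote ip, remote port) -> (snd_una, snd_nxt)
CONNECTIONS = {
    ("192.0.2.5", 40000, "192.0.2.10", 443): (1000, 1500),
}
```

Because the sender of a forged error has to quote a sequence number inside the live send window, the check turns a blind “reset without any auth” into a guess over a 32-bit space, which is the same argument the slides make for randomising initial sequence numbers; the slide's “real solution” of filtering most ICMP at the border still applies on top.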


Page 23: The “ping of death” …

• In 1996, someone discovered that many operating systems, routers, etc. could be crashed or rebooted by sending a single malformed packet

• It turns out that if you send an IP packet larger than 65,535 bytes (2^16), it would crash the system

• The real reason lies in the way fragmentation works

• It allows somebody to send a packet bigger than IP allows

• Which blows up most fixed buffer size implementations

• … and dumps core, blue screen of death, etc.

• Note: this is not really ICMP specific, but easy (try it)

• % ping -s 65510 your.host.ip.address

• This was a popular pastime of early hackers

• Solution: patch the implementations
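Added example, not from the slides, of why the fragmentation mechanism is the real culprit and what the “patch the implementations” fix looks like: the fragment offset field is counted in 8-byte units and the last fragment may land anywhere, so the only way to know the reassembled size is to compute offset × 8 + length for every fragment and compare it against the 65,535-byte limit before copying into the buffer. The 1500-byte MTU, the `fragments_for` splitter and the `Reassembler` class are this example's own constructions; the `ping -s 65510` arithmetic (65,510 data + 8 ICMP + 20 IP = 65,538 bytes) follows from the command on the slide.

```python
IP_HEADER_LEN = 20
MAX_DATAGRAM = 65535                      # 16-bit total-length field
MAX_PAYLOAD = MAX_DATAGRAM - IP_HEADER_LEN
FRAG_UNIT = 8                             # fragment offset is counted in 8-byte units


def fragment_end(offset_field, payload_len):
    """Byte position just past this fragment's data in the reassembled payload."""
    return offset_field * FRAG_UNIT + payload_len


def fragments_for(total_payload, mtu=1500):
    """Split a payload the way a sending stack does: (offset_field, more_fragments,
    length) triples, each carrying at most mtu - header bytes rounded down to 8."""
    per_frag = (mtu - IP_HEADER_LEN) // FRAG_UNIT * FRAG_UNIT
    frags, pos = [], 0
    while pos < total_payload:
        n = min(per_frag, total_payload - pos)
        frags.append((pos // FRAG_UNIT, pos + n < total_payload, n))
        pos += n
    return frags


def reassembled_length(frags):
    """Total datagram length the fragments imply, header included: the number the
    vulnerable implementations never compared against MAX_DATAGRAM."""
    return IP_HEADER_LEN + max(fragment_end(off, n) for off, _, n in frags)


class Reassembler:
    """Fixed-size reassembly buffer that checks a fragment's end offset before
    copying, which is the check the 1996 patches added."""

    def __init__(self):
        self.buf = bytearray(MAX_PAYLOAD)
        self.total = None

    def add(self, offset_field, more, payload):
        end = fragment_end(offset_field, len(payload))
        if end > MAX_PAYLOAD:
            raise ValueError(f"fragment ends at payload byte {end}, past the {MAX_PAYLOAD} limit")
        self.buf[offset_field * FRAG_UNIT:end] = payload   # safe: bounds already checked
        if not more:
            self.total = end
        return end


def try_reassemble(total_payload):
    """Push all fragments of a total_payload-byte datagram through the reassembler;
    returns the reassembled payload length, or 'rejected' if the bound check fired."""
    r = Reassembler()
    try:
        for off, more, n in fragments_for(total_payload):
            r.add(off, more, bytes(n))
    except ValueError:
        return "rejected"
    return r.total


PING_OF_DEATH_PAYLOAD = 65510 + 8   # ping -s 65510: ICMP echo header plus data


if __name__ == "__main__":
    frags = fragments_for(PING_OF_DEATH_PAYLOAD)
    print(len(frags), "fragments, reassembled length", reassembled_length(frags))
    print("bounded reassembler says:", try_reassemble(PING_OF_DEATH_PAYLOAD))
```

Every individual fragment of the oversized ping is a perfectly legal datagram; only the last one, whose offset puts its end three bytes past the limit, reveals the problem, which is why a per-fragment check on `offset * 8 + length` rather than on any single packet's size is the fix.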


Page 24: Address Resolution Protocol (ARP)

• Protocol used to map IP addresses onto physical layer (MAC) addresses

• 1) ARP request: who has x.x.x.x?

• 2) ARP response: me!

• Policy: last one in wins

• Used to forward packets on the appropriate interfaces by network devices (e.g., bridges)


• Q: Why would you want to spoof an IP address?


Page 25: ARP poisoning

• Attack: replace good entries with your own

• Leads to

• Session hijacking

• Man-in-the-middle attacks

• Denial of service, etc.

• Lots of other ways to abuse ARP.

• Nobody has really come up with a good solution

• Except smart bridges, routers that keep track of MACs, SARP, TARP

• However, some are not worried

• If adversary is in your perimeter, you are in big trouble
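Added example, not from the slides, contrasting the “last one in wins” cache policy of slide 24 with the kind of monitoring the “routers that keep track of MACs” remark on this slide points at: both consume the same stream of ARP replies, but the watcher remembers every MAC ever claimed for an IP and reports a binding change, and in particular a flip-flop back to an earlier MAC, instead of silently overwriting. The reply log, the address values and the event format are constructed for this example.

```python
from collections import defaultdict

# Constructed sample of ARP replies as a monitoring port would log them:
# time, sender IP, sender MAC. 192.0.2.1 plays the gateway in this toy LAN.
SAMPLE_REPLIES = """\
12:00:01 192.0.2.1 02:00:00:00:00:01
12:00:05 192.0.2.20 02:00:00:00:00:14
12:00:09 192.0.2.1 02:00:00:00:00:01
12:00:12 192.0.2.1 02:00:00:00:00:99
12:00:30 192.0.2.1 02:00:00:00:00:01
"""


def parse_reply(line):
    ts, ip, mac = line.split()
    return ts, ip, mac.lower()


class NaiveCache:
    """What an unchecked host cache does with a reply: last one in wins."""

    def __init__(self):
        self.table = {}

    def update(self, ts, ip, mac):
        self.table[ip] = mac


class ArpWatcher:
    """Keeps every MAC ever claimed for an IP and reports changes, the way an
    arpwatch-style monitor does, instead of silently overwriting the binding."""

    def __init__(self):
        self.current = {}
        self.history = defaultdict(list)
        self.events = []

    def update(self, ts, ip, mac):
        prev = self.current.get(ip)
        if prev == mac:
            return None                       # refresh of the known binding
        if prev is None:
            kind = "new-station"
        elif mac in self.history[ip]:
            kind = "flip-flop"                # back to an earlier MAC
        else:
            kind = "changed"
        if mac not in self.history[ip]:
            self.history[ip].append(mac)
        self.current[ip] = mac
        event = (ts, kind, ip, prev, mac)
        self.events.append(event)
        return event

    def alerts(self):
        """Binding changes are worth acting on; new stations are informational."""
        return [e for e in self.events if e[1] in ("changed", "flip-flop")]


def run(text):
    """Feed the same reply stream to both caches; returns (naive table, watcher alerts)."""
    naive, watcher = NaiveCache(), ArpWatcher()
    for line in text.splitlines():
        if line.strip():
            ts, ip, mac = parse_reply(line)
            naive.update(ts, ip, mac)
            watcher.update(ts, ip, mac)
    return naive.table, watcher.alerts()


if __name__ == "__main__":
    table, alerts = run(SAMPLE_REPLIES)
    print("host cache ends up with:", table)
    for alert in alerts:
        print("ALERT", *alert)
```

The naive table ends the run looking healthy, because the last reply happened to be the legitimate one; only the watcher's two events show that the gateway's entry was taken over and then restored in between, which is exactly the window the slide's session-hijacking and man-in-the-middle cases need.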


Page 26: Legacy flawed protocols/services

• Finger user identity (my advisor hated this)

‣ host gives up who is logged in, existence of identities!

    % finger butler
    Login: butler                           Name: Kevin Butler
    Directory: /home/faculty/butler         Shell: /bin/zsh
    Last login Thu Feb 10 23:58 (EST) on ttys000
    No Mail.
    No Plan.


• This is horrible in a distributed environment

‣ Privacy, privacy, privacy …

‣ Lots of information to start a compromise of the user.


Page 27: POP/SMTP/FTP

• Post office protocol - mail retrieval

• Passwords passed in the clear (duh)

• Solution: SSL, SSH, Kerberos

• Simple mail transport protocol (SMTP) - email

• Nothing authenticated: SPAM

• Nothing hidden: eavesdropping

• Solution: your guess is as good as mine

• File Transfer protocol - file retrieval

• Passwords passed in the clear (duh)

• Solution: SSL, SSH, Kerberos
