Spring 2002 © 2000-2002, Richard A. Stanley
WPI EE579T/2 #1
EE579T / CS525T Network Security
2: Introduction to Networking
Prof. Richard A. Stanley
Overview of Tonight’s Class
• Class list issues
• Review of last week’s class
• Network security in the news
• An overview of networking
• Introduction to symmetric cryptography
Last Week in Review
• Computer security is a real need in real systems
• Without computer security, network security is a pipedream
• Network security is an even more difficult problem than computer security, for a number of reasons
• Absolute security does not exist
Network Security in the News
• “The rate of growth of our vulnerabilities is exceeding the rate of improvements in security measures.” Michael Vatis, former director, NIPC
• CERT reports for 2001:
– 52,658 security breaches
– 2,437 computer vulnerabilities
– more than a 100% increase over 2000
Source: “Net still seen as a dangerous place,” The Boston Globe, January 21, 2002, p. C4
Convenience vs. Security
• Universal Plug and Play (Win 9x, ME, XP)
– extends local recognition of devices to network
– “...just by booting onto a network your client can discover and install network printers, link to Internet gateways or connect to a wide range of network attached devices or services.”
– listens on TCP port 5000, UDP port 1900
– opens opportunity for illicit entry into system
Source: SEARCHSECURITY.COM, Security Tech Tip, January 22, 2002
Networks
• A network is an interconnected group of communicating devices.
• Two primary network types
– Circuit-switched (connection oriented)
– Packet-switched (connectionless)
• Span
– WAN, MAN, LAN
– So what?
Data Networks
• Almost exclusively packet switched
– Higher efficiency than circuit-switched
– Computationally intensive to provide
– Packet loss rate is very high
• Largely due to collisions rather than circuit faults
– Require extensive protocols to operate
• X.25
• TCP
Network Topology
• The topology of a network is a view of its interconnections, as they would be seen by an observer looking down from great height
• Topology is important because it has implications for security
• Three major topologies:
– star
– buss
– ring
Star Topology
The orange lines depict one star; this slide actually shows a star-star architecture.
Buss Topology
In a buss topology, all signals pass by all terminals.
Ring Topology
A ring is simply a buss with the ends connected to one another.
How To Get There?
• Every destination on the network must have an address, just as every postal destination must have an address
– Addresses must be unique
– Network must know how to recognize address
– Various addressing schema, e.g.
• Ethernet
• IP
Two Network Technologies
• Token ring
– Users remain silent until they receive token
– Pioneered by IBM, not widely used
• Ethernet
– Carrier-sense, multiple access/collision detect
– Binary exponential backoff on collision sense
– This is a radio network! Another vulnerability
– Most widely used architecture today, largely because it is less expensive than token ring
Other Network Technologies
• Fiber-Distributed Data Interconnect (FDDI)
– Self-healing, 100 Mbps dual ring
• Frame relay
– Packet data service, built on X.25
• Synchronous Optical Network (SONET)
• Asynchronous Transfer Mode (ATM)
– Can operate at gigabit speeds
• 53 byte packets; 5 of the bytes are overhead
These are of interest in networking, but not security per se; they will not be discussed further in this course
Topology Misconceptions
• The physical interconnection of network elements does not necessarily reflect the logical network topology
– Ethernet is logically a buss architecture
– Ethernet, connected using hubs, uses a physical star interconnection
– Ethernet, connected using coaxial cable, uses a physical buss interconnection
Some Network Security Issues
• Users not necessarily registered at the node they are accessing
– How to authenticate users?
– What is basis for access control decisions?
• Some options:
– User ID
– User address
– Service being invoked
– Cryptographic-based solutions
Ethernet Misconceptions
• IEEE 802.3 = Ethernet
– Nope! Pure Ethernet is 802.2
• All Ethernets are created equal
– Vendor implementation issues
• The faster the network speed, the faster I can work
– Signaling speed ≠ data throughput
• Ethernet maps to the internet
CSMA/CD Throughput
(Figure: throughput plotted against number of users; the throughput achieved is about 40% of the signaling speed.)
Ethernet Addresses
• 48 bits long
• Address space managed by the IEEE
• Usually fixed in hardware at time of manufacture, but increasingly in EEPROM
• Hardware must recognize at least its own physical address and the network multicast address, and possibly alternate addresses
Ethernet Frame
NOTE: The proper term in this context for groups of 8 bits is an octet, not a byte.
Network Size
• Networks cannot grow to be arbitrarily large
– Address space
– Physical interconnection limitations
– Increasing collisions as users increase
– Protocol/OS/machine incompatibilities
• So, how to extend the ability to interconnect an arbitrarily large number of computers?
The ARPANET
• Father of the Internet; first elements in 1969
• Began as an attempt to conduct and share research to ensure continuity of communications after nuclear war, so
– Connectionless
– Assured delivery
– Self-reconfiguring (sort of)
• Demonstrated feasibility of internetworking disparate computer networks and machines
Internetworking
• Internetworking is the interconnection of networks
• The Internet is an internetwork; all internetworks are not the Internet
• Very few modern networks exist in isolation; most are internetworked
• This has important security and legal implications
Internetworking Concepts
• Networks are interconnected by routers or gateways
– More about this later in the course
• Routers route a packet using the destination network address, not the destination host address
– Analogous to the world postal system and how letters are routed
Extended Internetworking
(Figure: Net 1, Net 2 and Net 3 joined to one another through routers R.)
Clearly, this can be extended ad infinitum, to form very large internetworks.
Some Terms
• TCP = transmission control protocol
• IP = internet protocol
• These protocols have become widely used outside the formally-defined Internet
• They have some serious flaws, but they work
– They were not planned to have/need security
Class Discrimination
• Address space is 32 bits long (IPv4)
– Therefore, at most 2^32 possible addresses (or 4,294,967,296 in decimal notation)
• Easy to extract netid from address
• There is not a one-to-one correspondence between IP addresses and physical devices
– Consider the router
• Address with hostid=0 refers to network
IP Addressing Weaknesses
• If a host moves to another network, its IP address must change
• If a network grows beyond its class size (B or C), it must get a new address of the next larger size
• Because routing is by IP address, the path taken by packets to a multiple-addressed host depends on the address used
IP Address Presentation
• Usually done in dotted decimal, e.g.,
10000000 00001010 00000010 00011110
is usually written as
128.10.2.30
• What class of network address is this?
• As you see, each notation has its uses
Address Limits
Class   Lowest Address   Highest Address
A       0.1.0.0          126.0.0.0
B       128.0.0.0        191.255.0.0
C       192.0.1.0        223.255.255.0
D       224.0.0.0        239.255.255.255
E       240.0.0.0        247.255.255.255
Special Purpose Addresses
• 0.0.0.0              Addresses current host
• 255.255.255.255      Addresses hosts on current network
• Host bits zero       Identifies a network
• Host bits one        Addresses hosts on addressed network
• Network bits zero    Addresses specific host on current network
Reserved Addresses
• First quad = 127 is used for loopback
– Traffic doesn’t leave the computer
– Routed to the IP input queue
– Usually see 127.0.0.1
• Unregistered addresses
– Class A 10.0.0.0 thru 10.255.255.255
– Class B 172.16.0.0 thru 172.31.255.255
– Class C 192.168.0.0 thru 192.168.255.255
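As an added worked example (written for this page, not part of the lecture), the Python script below applies the addressing rules from the Class Discrimination, IP Address Presentation, Special Purpose Addresses and Reserved Addresses slides: it converts dotted decimal to the 32-bit binary form, reads the class from the leading bits, splits netid from hostid, and labels the special-purpose, loopback and unregistered addresses. The class prefixes, netid widths and unregistered ranges are taken from the slides; the sample addresses in the main block are constructed, except 128.10.2.30, which is the slide's own example.

```python
# Added example: classful IPv4 address decoding, following the rules on the slides
# (class by leading bits, netid/hostid split, special-purpose, loopback, unregistered).
# Not part of the original lecture.

# Class is decided by the leading bits; netid width is None where there is no
# netid/hostid split (classes D and E).
CLASS_PREFIXES = [("A", "0"), ("B", "10"), ("C", "110"), ("D", "1110"), ("E", "1111")]
NETID_BITS = {"A": 8, "B": 16, "C": 24, "D": None, "E": None}

# Unregistered (private) blocks listed on the Reserved Addresses slide.
UNREGISTERED = [("10.0.0.0", "10.255.255.255"),
                ("172.16.0.0", "172.31.255.255"),
                ("192.168.0.0", "192.168.255.255")]


def dotted_to_int(addr):
    """'128.10.2.30' -> 32-bit integer; rejects malformed input."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not dotted decimal: {addr!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | octet
    return value


def int_to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(addr):
    """The four-groups-of-eight-bits notation used on the slide."""
    value = dotted_to_int(addr)
    return " ".join(format((value >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def address_class(addr):
    bits = format(dotted_to_int(addr), "032b")
    for name, prefix in CLASS_PREFIXES:
        if bits.startswith(prefix):
            return name
    raise AssertionError("unreachable: every leading-bit pattern matches a class")


def split_address(addr):
    """Return class, netid, hostid and the host-bits-zero / host-bits-one forms."""
    value = dotted_to_int(addr)
    cls = address_class(addr)
    netbits = NETID_BITS[cls]
    if netbits is None:
        return {"class": cls, "netid": None, "hostid": None}
    hostbits = 32 - netbits
    hostmask = (1 << hostbits) - 1
    netid, hostid = value >> hostbits, value & hostmask
    return {"class": cls, "netid": netid, "hostid": hostid,
            "network": int_to_dotted(netid << hostbits),                 # host bits zero
            "broadcast": int_to_dotted((netid << hostbits) | hostmask)}  # host bits one


def describe(addr):
    """Classify an address with the special-purpose, loopback and unregistered rules."""
    value = dotted_to_int(addr)
    if value == 0:
        return "current host"
    if value == 0xFFFFFFFF:
        return "all hosts on current network"
    if value >> 24 == 127:
        return "loopback"
    info = split_address(addr)
    cls = info["class"]
    if info["netid"] is None:
        return f"class {cls} (no netid/hostid split)"
    hostbits = 32 - NETID_BITS[cls]
    if info["hostid"] == 0:
        return f"class {cls} network {info['network']}"
    if info["hostid"] == (1 << hostbits) - 1:
        return f"all hosts on network {info['network']}"
    if info["netid"] == 0:
        return "specific host on current network"
    for low, high in UNREGISTERED:
        if dotted_to_int(low) <= value <= dotted_to_int(high):
            return f"unregistered class {cls} host on network {info['network']}"
    return f"class {cls} host on network {info['network']}"


if __name__ == "__main__":
    # Constructed samples, plus the slide's own 128.10.2.30.
    for sample in ("128.10.2.30", "10.1.2.3", "192.168.1.0", "192.168.1.255",
                   "127.0.0.1", "0.0.0.5", "224.0.0.1", "255.255.255.255"):
        print(f"{sample:>16}  {to_binary(sample)}  {describe(sample)}")
```

Note that the unregistered check comes after the host-bits-zero and host-bits-one checks, so 192.168.1.0 is reported as a network and 192.168.1.255 as a broadcast rather than as hosts; a filter that wants to treat those as private too should test the netid range first.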
The Future of IP
• IPv4 has shortcomings that are becoming important for modern networking
• The IETF’s solution is a new version of IP, Version 6, written as IPv6
– Increased address space (128 vs. 32 bits)
– Support for network autoconfiguration
– Better support for routing
– Better security support
IPv6 Issues
• It is not backwards compatible with IPv4
– Given the change in address space alone, how could it be?
– Requires translator to go v4 → v6, and vice versa
• Huge investment in installed IPv4 militates against rapid changeover
• Network address translation (NAT) helps reduce need for new address space
• Some services, like IPSec, now available for IPv4
• Bottom line: changeover not likely to be quick
Ports and Sockets
• Ports are associated with services, e.g.,
– Port 53 is usually the domain name service (DNS)
– Port 80 is usually the hypertext transfer protocol service
• A socket is the combination of an IP address and a port, e.g. 192.168.2.45:80
• Sockets enable multiple simultaneous services to run on a single address
Address Registration
• Internet Corporation for Assigned Names and Numbers (ICANN) handles:
– IP address space allocation
– protocol parameter assignment
– domain name system management
– root server system management functions
• Only essential to register addresses that appear on the global network, but registration is preferred
Protocols
• A protocol is simply an agreed-upon exchange of information required to perform a given task
– IP is a protocol
– So is TCP
• Networks utilize protocols to accomplish all the important tasks they perform
• Layered protocols are common
Protocol Layering
• Refers to a protocol running on top of another protocol
• Layered protocols are designed so that layer n at the destination receives exactly the same object sent by layer n at the source
TCP/IP Layering Model
Layer               Unit exchanged at that layer
Application         Application-specific messages/streams
Transport           TCP Packets
Internet            IP Datagrams
Network Interface   Ethernet/Token Ring
Hardware
Some Common Protocols
• ARP maps IP addresses to physical addresses
• RARP determines IP address at startup
• IP provides for assured connectionless datagram delivery
• ICMP handles error and control messages
• UDP defines user datagrams (no assurance of delivery)
• IKE handles crypto key management functions
• TCP provides reliable stream transport
TCP
• Assumes little about underlying network
• Reliable delivery characteristics:
– Stream orientation
– Virtual circuit connection
– Buffered transfer
– Unstructured stream
– Full duplex connection
Positive Acknowledgement With Lost Packet
TCP
• A communications protocol, NOT a piece of software
• Provides
– Data format
– Data acknowledgement for reliable transfer
– How to distinguish multiple destinations
– How to set up and break down a session
• Very complex
Internet Round Trip Delays
This data is old, but still meaningful if you ignore the absolute values of the delays.
Delays
• Cannot be avoided or predicted (except statistically)
– Packet delivery times will vary
– Many packets will simply be lost
• So, as a network designer...
– How long do you wait to assume nondelivery?
– How do you slide the window?
– How do you back off on collision detect?
– How do you respond to congestion?
– …etc.
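To make the first of these design questions concrete, here is an added Python simulation (written for this page, not part of the lecture) of the mechanism behind the Positive Acknowledgement With Lost Packet slide: a stop-and-wait sender numbers each packet, waits for an acknowledgement, and retransmits when its timer expires. The channel's losses are a constructed pattern given as the attempt numbers to drop, and the timer is modelled as an event (a lost packet means the timer fires) rather than as real time. The case a lost-data figure does not show, a lost ACK, is handled as well: the receiver must recognise the retransmission as a duplicate and acknowledge it again without delivering the data twice.

```python
# Added example: stop-and-wait positive acknowledgement with timeout and retransmission.
# Not part of the original lecture; the loss pattern used below is constructed.

def simulate_stop_and_wait(messages, lost_data=(), lost_acks=(), max_retries=5):
    """Deliver `messages` in order over a lossy channel.

    lost_data / lost_acks: transmission attempt numbers (1, 2, 3, ...) whose data
    packet, respectively whose ACK, the channel drops.  Either loss makes the sender's
    timer expire, so it retransmits.  The receiver delivers each sequence number once.
    Returns the delivered list, the total number of transmissions, and an event log.
    """
    lost_data, lost_acks = set(lost_data), set(lost_acks)
    delivered, log = [], []
    expected_seq = 0          # receiver state: next sequence number it will accept
    attempt = 0               # channel state: running count of data transmissions
    for seq, payload in enumerate(messages):
        retries = 0
        while True:
            attempt += 1
            log.append(f"sender:   data seq={seq} (attempt {attempt})")
            if attempt in lost_data:
                retries += 1
                log.append(f"channel:  data seq={seq} lost; sender timer expires")
                if retries > max_retries:
                    raise TimeoutError(f"gave up on seq={seq} after {max_retries} retries")
                continue
            # Receiver: deliver new data; a duplicate is discarded but still acknowledged,
            # because the sender is waiting on an ACK that was lost.
            if seq == expected_seq:
                delivered.append(payload)
                expected_seq += 1
                log.append(f"receiver: delivered seq={seq}, sent ack={seq}")
            else:
                log.append(f"receiver: duplicate seq={seq} discarded, resent ack={seq}")
            if attempt in lost_acks:
                retries += 1
                log.append(f"channel:  ack={seq} lost; sender timer expires")
                if retries > max_retries:
                    raise TimeoutError(f"gave up on seq={seq} after {max_retries} retries")
                continue
            log.append(f"sender:   ack={seq} received")
            break
    return {"delivered": delivered, "transmissions": attempt, "log": log}


if __name__ == "__main__":
    # Constructed scenario: the 2nd transmission (data) and the 4th's ACK are lost.
    result = simulate_stop_and_wait(["alpha", "beta", "gamma"], lost_data={2}, lost_acks={4})
    print("\n".join(result["log"]))
    print("delivered:", result["delivered"], "in", result["transmissions"], "transmissions")
```

With this loss pattern, three messages cost five transmissions, and the receiver sees one duplicate. The sender cannot tell a lost data packet from a lost ACK; in both cases its timer simply expires, which is why the receiver, not the sender, has to suppress the duplicate.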
Ending a TCP Session
This implies that a TCP session could be left “half open.” That is true.
Other Network Protocols
• NetBIOS
• NetBEUI
• IPX
• X.25
• ATM
• Message: TCP/IP is not the only show in town BUT...it is the most popular show in town
Network Facts
• Most computers today are connected to a network (consider the Internet), at least for part of the time they are in operation
• Most local networks are internetworked
• How to provide authenticity, integrity, confidentiality, availability?
• Cryptography can help provide all the security services except availability
So.... Next, we study cryptography in some detail.
Summary
• Networks and internetworks have become ubiquitous
• Networking allows interconnection of computers without much concern for the local OS or machine architecture
• Networking raises many serious security issues, which must be solved
• The pace of network security problem development is exceeding the pace of their solution
Assignment for Next Class
• Re-read course text, Chapter 2
– Pay particular attention to Feistel rounds
• Review your notes on symmetric cryptography
Homework - 1
1. What is the single greatest advantage of having the IP checksum cover only the datagram header and not the data? What is the disadvantage?
2. Exactly how many class A, B, and C networks can exist? How many hosts can a network in each class have?
Homework - 2
3. How many IP addresses would be needed to assign a unique network number to every home in the U.S.A.? Is the address space sufficient?
4. What is the chief difference between the IP addressing scheme and the North American Numbering Plan used for telephone numbers?