
Number of slides: 128

Network Security (Netzwerksicherheit)
Lecture ID: ET-IDA-082 (2416082)
Lecture-21: Network Defense, Firewalls, Strong Password Protocols
17.07.2008, v1
Prof. W. Adi
Technical University of Braunschweig, IDA: Institute of Computer and Communication Network Engineering, W. Adi 2005
Network Security, Module number: ET-IDA 082, Page: 1

Outlines (Page 2)
- Strong Password Protocols
- Lamport's Hash
- Strong Protocols
- Firewalls
- Types and applications

Password Schemes: Strong Password Protocols (Page 3)

Challenge-Response (Page 4)
• User, system share a secret function f (in practice, f is a known function with unknown parameters, such as a cryptographic key)
  user -> system: request to authenticate
  system -> user: random message r (the challenge)
  user -> system: f(r) (the response)

Pass Algorithms (Page 5)
• Challenge-response with the function f itself a secret
  – Example:
    • Challenge is a random string of characters such as "abcdefg", "ageksido"
    • Response is some function of that string such as "bdf", "gkip"
  – Can alter algorithm based on ancillary information
    • Network connection is as above, dial-up might require "aceg", "aesd"
  – Usually used in conjunction with fixed, reusable password

One-Time Passwords (Page 6)
• Password that can be used exactly once
  – After use, it is immediately invalidated
• Challenge-response mechanism
  – Challenge is number of authentications 1, 2, 3, …, i, …, n
  – Response is password for a particular number i
• Problems
  – Synchronization of user, system
  – Generation of good random passwords
  – Password distribution problem

S/Key (Page 7)
• One-time password scheme based on idea of Lamport (1981)
• h one-way hash function (MD5 or SHA-1, for example)
• User chooses initial seed k (initialize with k at t=0)
• System calculates: h(k) = k1, h(k1) = k2, h(k2) = k3, …, h(kn–1) = kn
• Passwords are reverse order: p1 = kn, p2 = kn–1, …, pn–1 = k2, pn = k1

S/Key Protocol (Page 8)
• System stores maximum number of authentications n, number of next authentication i, last correctly supplied password pi–1
  user -> system: { name }
  system -> user: { i }
  user -> system: { pi }
• System computes h(pi) = h(kn–i+1) = kn–i = pi–1. If it matches what is stored, system replaces pi–1 with pi and increments i
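The chain construction of Page 7 and the verification step of Page 8, as an added example that is not from the lecture: the system stores only n, i and p_{i-1}, checks h(p_i) == p_{i-1}, and rejects replays, out-of-order passwords and an exhausted chain. SHA-256 and the enrolment helper are assumptions of this example.

```python
import hashlib
import hmac
import secrets


def h(x: bytes) -> bytes:
    """The one-way hash of the chain (lecture: MD5 or SHA-1; SHA-256 chosen here)."""
    return hashlib.sha256(x).digest()


def make_chain(seed: bytes, n: int) -> list:
    """k1 = h(seed), k2 = h(k1), ..., kn = h(k_{n-1}); 0-indexed: chain[j] = k_{j+1}."""
    chain, k = [], seed
    for _ in range(n):
        k = h(k)
        chain.append(k)
    return chain


class SKeyClient:
    """User side: recomputes the chain from the seed; challenge i is answered with p_i = k_{n-i+1}."""

    def __init__(self, seed: bytes, n: int):
        self.n = n
        self.chain = make_chain(seed, n)

    def password(self, i: int) -> bytes:
        return self.chain[self.n - i]          # p1 = kn, p2 = k_{n-1}, ..., pn = k1


class SKeyServer:
    """System side: stores n, the number i of the next authentication and the last
    correctly supplied password p_{i-1}. The seed is never stored on the system."""

    def __init__(self, n: int, k_n: bytes):
        self.n = n
        self.i = 1
        # Registration value p0 = h(p1) = h(kn): with the lecture's indexing (p1 = kn) the
        # check h(p_i) == p_{i-1} needs a p0 to compare against for the first login.
        self.last = h(k_n)

    def challenge(self) -> int:
        return self.i

    def verify(self, p_i: bytes) -> bool:
        if self.i > self.n:
            return False                        # chain exhausted: re-enroll with a fresh seed
        if not hmac.compare_digest(h(p_i), self.last):
            return False                        # wrong, replayed or out-of-order password
        self.last, self.i = p_i, self.i + 1     # accept: remember p_i, expect p_{i+1} next
        return True


def enroll(n: int, seed: bytes = None):
    """Constructed enrolment: the user picks a seed and registers h(kn) with the system."""
    seed = seed or secrets.token_bytes(32)
    client = SKeyClient(seed, n)
    return client, SKeyServer(n, client.chain[-1])


def login(client: SKeyClient, server: SKeyServer) -> bool:
    """One protocol run: {name} -> {i} -> {p_i}; returns the system's decision."""
    i = server.challenge()
    return server.verify(client.password(i))
```

An eavesdropper who captures p_i learns nothing usable for login i+1, because p_{i+1} is a preimage of p_i under h.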

Hardware Support (Page 9)
• Token-based
  – Used to compute response to challenge
    • May encipher or hash challenge
    • May require PIN from user
• Temporally-based
  – Every minute (or so) different number shown
    • Computer knows what number to expect when
  – User enters number and fixed password

C-R and Dictionary Attacks (Page 10)
• Same as for fixed passwords
  – Attacker knows challenge r and response f(r); if f is an encryption function, can try different keys
    • May only need to know form of response; attacker can tell if guess is correct by looking to see if deciphered object is of right form
  – Example: Kerberos Version 4 used DES, but keys had 20 bits of randomness; Purdue attackers guessed keys quickly because deciphered tickets had a fixed set of bits in some locations

Encrypted Key Exchange (Page 11)
• Defeats off-line dictionary attacks
• Idea: random challenges enciphered, so attacker cannot verify correct decipherment of challenge
• Assume Alice, Bob share secret password s
• In what follows, Alice needs to generate a random public key p and a corresponding private key q
• Also, k is a randomly generated session key, and RA and RB are random challenges

EKE Protocol (Page 12)
(Starting with W as a weak secret password between Alice and Bob, and E is a cipher)
  Alice -> Bob: Alice || EW(g^a mod p)
  Bob -> Alice: Bob || EW(g^b mod p)
  Now Alice, Bob share a randomly generated secret session key k = g^ab mod p
  Alice -> Bob: Ek(RA)
  Bob -> Alice: Ek(RA RB)
  Alice -> Bob: Ek(RB)
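The five messages of Page 12 run end to end, as an added toy implementation that is not from the lecture: both Diffie-Hellman halves are enciphered under a key derived from W, and the session key k is then proven with the RA/RB exchange. The group parameters, the SHA-256 keystream cipher standing in for E, and the per-message labels are assumptions of this example.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters (assumption: chosen only so the example runs offline).
P = 2**255 - 19      # a prime; the group is Z_P^*
G = 2


def keystream(key: bytes, label: bytes, n: int) -> bytes:
    """n bytes of SHA-256 in counter mode, keyed by key and a per-message label."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + label + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, label: bytes, data: bytes) -> bytes:
    """E_key(data): XOR with the keystream. Labels must differ per message under one key."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, label, len(data))))


decrypt = encrypt   # XOR is its own inverse


class Party:
    def __init__(self, password: str):
        self.w = hashlib.sha256(password.encode()).digest()   # key derived from weak W
        self.exp = secrets.randbelow(P - 2) + 1               # a (or b)
        self.pub = pow(G, self.exp, P)                        # g^a mod p (or g^b mod p)

    def encrypted_public(self, label: bytes) -> bytes:
        # g^a mod p must look like uniform random bytes to an attacker, otherwise a wrong
        # password guess could be ruled out offline; a 32-byte encoding of a 255-bit value
        # is only approximately uniform, so a real deployment needs a careful encoding.
        return encrypt(self.w, label, self.pub.to_bytes(32, "big"))

    def derive_k(self, peer_ct: bytes, label: bytes) -> bytes:
        peer_pub = int.from_bytes(decrypt(self.w, label, peer_ct), "big")
        shared = pow(peer_pub, self.exp, P)                   # g^ab mod p
        self.k = hashlib.sha256(shared.to_bytes(32, "big")).digest()
        return self.k


def run_eke(alice_pw: str, bob_pw: str) -> bool:
    """One protocol run; True only if both sides end up with the same k and prove it."""
    alice, bob = Party(alice_pw), Party(bob_pw)
    m1 = alice.encrypted_public(b"msg1")           # Alice -> Bob: Alice || E_W(g^a mod p)
    m2 = bob.encrypted_public(b"msg2")             # Bob -> Alice: Bob || E_W(g^b mod p)
    ka, kb = alice.derive_k(m2, b"msg2"), bob.derive_k(m1, b"msg1")
    ra = secrets.token_bytes(16)
    m3 = encrypt(ka, b"msg3", ra)                  # Alice -> Bob: E_k(RA)
    rb = secrets.token_bytes(16)
    m4 = encrypt(kb, b"msg4", decrypt(kb, b"msg3", m3) + rb)   # Bob -> Alice: E_k(RA RB)
    got = decrypt(ka, b"msg4", m4)
    if got[:16] != ra:
        return False                               # Alice: Bob does not hold k
    m5 = encrypt(ka, b"msg5", got[16:])            # Alice -> Bob: E_k(RB)
    return decrypt(kb, b"msg5", m5) == rb          # Bob: Alice holds k
```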

Biometrics (Page 13)
• Automated measurement of biological, behavioral features that identify a person
  – Fingerprints: optical or electrical techniques
    • Maps fingerprint into a graph, then compares with database
    • Measurements not exact, so approximate matching algorithms used
  – Voices: speaker verification or recognition
    • Verification: uses statistical techniques to test hypothesis that speaker is who is claimed (speaker dependent)
    • Recognition: checks content of answers (speaker independent)

Other Characteristics (Page 14)
• Can use several other characteristics
  – Eyes: patterns in irises unique
    • Measure patterns, determine if differences are random; or correlate images using statistical tests
  – Faces: image, or specific characteristics like distance from nose to chin
    • Lighting, view of face, other noise can hinder this
  – Keystroke dynamics: believed to be unique
    • Keystroke intervals, pressure, duration of stroke, where key is struck
    • Statistical tests used

Cautions (Page 15)
• These can be fooled!
  – Assumes biometric device accurate in the environment it is being used in!
  – Transmission of data to validator is tamperproof, correct

Location (Page 16)
• If you know where user is, validate identity by seeing if person is where the user is
  – Requires special-purpose hardware to locate user
    • GPS (global positioning system) device gives location signature of entity
    • Host uses LSS (location signature sensor) to get signature for entity

Multiple Methods (Page 17)
• Example: "where you are" also requires entity to have LSS (Location Signature Sensor) and/or GPS, so also "what you have"
• Can assign different methods to different tasks
  – As users perform more and more sensitive tasks, must authenticate in a variety of ways
  – Includes controls on access (time of day, etc.), resources, and requests to change passwords
• Pluggable Authentication Modules (Physical Security)

Key Points (Page 18)
• Authentication is not cryptography
  – You have to consider system components
• Passwords are here to stay
  – They provide a basis for most forms of authentication
• Protocols are important
  – They can make attacks harder

Internal Defenses: Firewalls etc. (Page 19)

Perimeter and Internal Defenses (Page 20)
• Commonly deployed defenses
  – Perimeter defenses – Firewall, IDS
    • Protect local area network and hosts
    • Keep external threats from internal network
  – Internal defenses – Virus scanning
    • Protect hosts from threats that get through the perimeter defenses
  – Extend the "perimeter" – VPN
• Common practices, but could be improved
  – Internal threats are significant
    • Unhappy employees
    • Compromised hosts

(Page 21)
• Standard perimeter defense mechanisms
  – Firewall
    • Packet filter (stateless, stateful)
    • Application layer proxies
  – Traffic shaping
  – Intrusion detection
    • Anomaly and misuse detection
    • Methods applicable to network or host

Basic Firewall Concept (Page 22)
• Separate local area net from internet
  [Figure: Local area network – Firewall – Router – Internet]
• All packets between LAN and internet routed through firewall

Firewall goals (Page 23)
• Prevent malicious attacks on hosts
  – Port sweeps, ICMP echo to broadcast addr, syn flooding, …
  – Worm propagation
    • Exploit buffer overflow in program listening on network
• Prevent general disruption of internal network
  – External SNMP packets
• Provide defense in depth
  – Programs contain bugs and are vulnerable to attack
  – Network protocols may contain:
    • Design weaknesses (SSH CRC)
    • Implementation flaws (SSL, NTP, FTP, SMTP, …)
• Control traffic between "zones of trust"

Review: TCP Protocol Stack (Page 24)
[Figure: two hosts, each with Application (application protocol), Transport (TCP, UDP protocol), Network (IP protocol) and Data Link (network access) layers, with a Network/Link node between them]
• Transport layer provides ports, logical channels identified by number

Types of Firewalls (Page 25)
• Three common types of Firewalls:
  – Packet-filtering routers
  – Application-level gateways
  – Circuit-level gateways

Types of Firewalls (Page 26)
• Packet-filtering Router
  [Figure]

Types of Firewalls (Page 27)
• Packet-filtering Router
  – Applies a set of rules to each incoming IP packet and then forwards or discards the packet
  – Filters packets going in both directions
  – The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
  – Two default policies (discard or forward)

Packet-filtering Router (Page 28)
• Advantages:
  – Simplicity
  – Transparency to users
  – High speed
• Disadvantages:
  – Difficulty of setting up packet filter rules
  – Lack of authentication

Packet-filtering Router (Page 29)
• Possible attacks and appropriate countermeasures
  – IP address spoofing
  – Source routing attacks
  – Tiny fragment attacks

Types of Firewalls (Page 30)
• Application-level Gateway
  [Figure]

Types of Firewalls (Page 31)
• Application-level Gateway
  – Also called proxy server
  – Acts as a relay of application-level traffic

Application-level Gateway (Page 32)
• Advantages:
  – Higher security than packet filters
  – Only need to scrutinize a few allowable applications
  – Easy to log and audit all incoming traffic
• Disadvantages:
  – Additional processing overhead on each connection (gateway as splice point)

Types of Firewalls (Page 33)
• Circuit-level Gateway
  [Figure]

Circuit-level Gateway (Page 34)
• Circuit-level Gateway
  – Stand-alone system or
  – Specialized function performed by an Application-level Gateway
  – Sets up two TCP connections
  – The gateway typically relays TCP segments from one connection to the other without examining the contents

Circuit-level Gateway (Page 35)
• Circuit-level Gateway
  – The security function consists of determining which connections will be allowed
  – Typical use is a situation in which the system administrator trusts the internal users
  – An example is the SOCKS package

Firewall Configurations (Page 36)
• In addition to the use of a simple configuration of a single system (single packet filtering router or single gateway), more complex configurations are possible
• Three common configurations

Firewall Configurations (Page 37)
• Screened host firewall system (single-homed bastion host)
  [Figure]

Firewall Configurations (Page 38)
• Screened host firewall, single-homed bastion configuration
• Firewall consists of two systems:
  – A packet-filtering router
  – A bastion host

Firewall Configurations (Page 39)
• Configuration for the packet-filtering router:
  – Only packets from and to the bastion host are allowed to pass through the router
• The bastion host performs authentication and proxy functions

Firewall Configurations (Page 40)
• Greater security than single configurations because of two reasons:
  – This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining security policy)
  – An intruder must generally penetrate two separate systems

Firewall Configurations (Page 41)
• This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)

Firewall Configurations (Page 42)
• Screened host firewall system (dual-homed bastion host)
  [Figure]

Firewall Configurations (Page 43)
• Screened host firewall, dual-homed bastion configuration
  – The packet-filtering router is not completely compromised
  – Traffic between the Internet and other hosts on the private network has to flow through the bastion host

Firewall Configurations (Page 44)
• Screened-subnet firewall system
  [Figure]

Firewall Configurations (Page 45)
• Screened subnet firewall configuration
  – Most secure configuration of the three
  – Two packet-filtering routers are used
  – Creation of an isolated sub-network

Firewall Configurations (Page 46)
• Advantages:
  – Three levels of defense to thwart intruders
  – The outside router advertises only the existence of the screened subnet to the Internet (internal network is invisible to the Internet)

Firewall Configurations (Page 47)
• Advantages:
  – The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet)

Trusted System Technology (Page 48)
• One way to enhance the ability of a system to defend against intruders and malicious programs is to implement trusted system technology

Screening router for packet filtering (Page 49)
[Figure; Illustrations: Simon Cooper]

Packet Filtering (Page 50)
• Uses transport-layer information only
  – IP Source Address, Destination Address
  – Protocol (TCP, UDP, ICMP, etc.)
  – TCP or UDP source & destination ports
  – TCP Flags (SYN, ACK, FIN, RST, PSH, etc.)
  – ICMP message type
• Examples
  – DNS uses port 53
    • Block incoming port 53 packets except known trusted servers
• Issues
  – Stateful filtering
  – Encapsulation: address translation, other complications
  – Fragmentation

Source/Destination Address Forgery (Page 51)
[Figure: Victim]

More about networking: port numbering (Page 52)
• TCP connection
  – Server port uses number less than 1024
  – Client port uses number between 1024 and 16383
• Permanent assignment
  – Ports <1024 assigned permanently
    • 20, 21 for FTP; 23 for Telnet
    • 25 for server SMTP; 80 for HTTP
• Variable use
  – Ports >1024 must be available for client to make connection
  – Limitation for stateless packet filtering
    • If client wants port 2048, firewall must allow incoming traffic
  – Better: stateful filtering knows outgoing requests
    • Only allow incoming traffic on high port to a machine that has initiated an outgoing request on low port

Filtering Example: Inbound SMTP (Page 53)
• Can block external request to internal server based on port number

Filtering Example: Outbound SMTP (Page 54)
• Known low port out, arbitrary high port in
• If firewall blocks incoming port 1357 traffic then connection fails

Stateful or Dynamic Packet Filtering (Page 55)

[Figure: Telnet Client (port 1234) and Telnet Server (port 23)] (Page 56)
• Client opens channel to server; tells server its port number ("PORT 1234"). The ACK bit is not set while establishing the connection but will be set on the remaining packets
• Server acknowledges ("ACK")
• Stateful filtering can use this pattern to identify legitimate sessions

[Figure: FTP Client (ports 5150 command, 5151 data) and FTP Server (ports 21 command, 20 data)] (Page 57)
• Client opens command channel to server; tells server second port number ("PORT 5151")
• Server acknowledges ("OK")
• Server opens data channel to client's second port (TCP ACK; DATA CHANNEL)
• Client acknowledges
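The stateless-versus-stateful contrast of Pages 52 to 56 on constructed packets, as an added example that is not from the lecture: the stateless filter must open every high port to source port 25, so an unsolicited inbound packet slips through; the stateful filter admits inbound traffic only for a connection an internal host opened, and only once the ACK bit is set. Addresses, the internal mail server and the SMTP-only policy are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = LAN -> Internet, "in" = Internet -> LAN
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


INTERNAL_SMTP = "10.0.0.25"    # constructed: the LAN's mail server
ALLOWED_SERVER_PORTS = {25}    # policy: only SMTP crosses the perimeter


class StatelessFilter:
    """Decides each packet from its own header fields only."""

    def decide(self, p: Packet) -> str:
        if p.direction == "out" and p.dst_port in ALLOWED_SERVER_PORTS:
            return "allow"     # internal client talking to an external SMTP server
        if p.direction == "in" and p.dst_ip == INTERNAL_SMTP and p.dst_port == 25:
            return "allow"     # external client talking to our SMTP server
        if p.direction == "in" and p.src_port in ALLOWED_SERVER_PORTS and p.dst_port > 1024:
            return "allow"     # replies to outbound SMTP: every high port must stay open
        return "deny"


class StatefulFilter:
    """Same policy, but inbound high-port traffic must match a connection an internal
    host initiated; the connection table is keyed by the 4-tuple of the outbound SYN."""

    def __init__(self):
        self.table = set()     # (internal_ip, internal_port, external_ip, external_port)

    def decide(self, p: Packet) -> str:
        if p.direction == "out":
            if p.dst_port not in ALLOWED_SERVER_PORTS:
                return "deny"
            if p.syn and not p.ack:                 # first packet of a new connection
                self.table.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return "allow"
        if p.dst_ip == INTERNAL_SMTP and p.dst_port == 25:
            return "allow"
        key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if key in self.table and p.ack:             # ACK is set on every packet after the SYN
            return "allow"
        return "deny"


def run(flt, packets) -> list:
    """Feed the packets in order and collect the verdicts."""
    return [flt.decide(p) for p in packets]


# Constructed traffic sample (documentation address ranges).
PACKETS = [
    Packet("out", "10.0.0.7", 2048, "203.0.113.5", 25, syn=True),          # client opens SMTP
    Packet("in", "203.0.113.5", 25, "10.0.0.7", 2048, syn=True, ack=True), # server's SYN/ACK
    Packet("in", "198.51.100.9", 25, "10.0.0.8", 2048, syn=True),          # unsolicited, src port 25
    Packet("in", "198.51.100.9", 40000, INTERNAL_SMTP, 25, syn=True),      # mail for our server
    Packet("in", "198.51.100.9", 40001, "10.0.0.7", 23, syn=True),         # inbound telnet
]
```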

NAT: Network Address Translation (Page 58)
[Figure: local network (e.g., home network) 10.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3; NAT router 10.0.0.4 inside and 138.76.29.7 towards the rest of the Internet]
• All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers
• Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual)
Illustration: Kurose and Ross

Advantages of NAT (Page 59)
• Motivations for NAT
  – Limited address space
  – Prevent unsolicited inbound requests
    • Port numbering: host behind NAT not reachable as server
  – Avoid renumbering if provider changes
    • Small/mid-sized LANs inherit address space from ISP
• Addresses hidden by NAT
  – Normal routing
    • Outgoing msg from 171.64.78.90 contains sending address
    • Recipient or observer can access 171.64.78.90
  – Addressing with NAT
    • NAT rewrites outgoing packet so recipient sees public

Complication for firewalls (Page 60)
• Normal IP Fragmentation
  [Figure]
• Flags and offset inside IP header indicate packet fragmentation

Abnormal Fragmentation (Page 61)
• Low offset allows second packet to overwrite TCP header at receiving host

Packet Fragmentation Attack (Page 62)
• Firewall configuration
  – TCP port 23 is blocked but SMTP port 25 is allowed
• First packet
  – Fragmentation Offset = 0
  – DF bit = 0: "May Fragment"
  – MF bit = 1: "More Fragments"
  – Destination Port = 25. TCP port 25 is allowed, so firewall allows packet
• Second packet
  – Fragmentation Offset = 1: second packet overwrites all but first 8 bits of the first packet
  – DF bit = 0: "May Fragment"
  – MF bit = 0: "Last Fragment"
  – Destination Port = 23. Normally blocked, but sneaks by!
• What happens
  – Firewall ignores second packet "TCP header" because it is fragment of first
  – At host, packet reassembled and received at port 23
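Two countermeasures for the fragmentation problem of Pages 60 to 62 (and the "tiny fragment attacks" of Page 29), as an added example that is not from the lecture: the stateless RFC 1858 checks drop a first fragment too short to show the whole TCP header and any fragment at offset 1, and a virtual reassembler judges the datagram as the end host would see it and refuses overlapping fragments. The constructed fragments, the 20-byte header builder and the "later data wins" overlap rule are assumptions of this example.

```python
from dataclasses import dataclass

FRAG_UNIT = 8          # the IP fragment offset counts 8-octet units (RFC 791)
TCP_MIN_HEADER = 20    # TCP header without options
PROTO_TCP = 6


@dataclass(frozen=True)
class Fragment:
    ident: int         # IP identification: shared by all fragments of one datagram
    proto: int
    offset: int        # fragment offset, in 8-octet units
    mf: bool           # "More Fragments" flag
    payload: bytes     # transport-layer bytes carried at byte offset*8


def tcp_header(dst_port: int, flags: int = 0x02) -> bytes:
    """Constructed 20-byte TCP header: src port 40000, given dst port and flags."""
    return ((40000).to_bytes(2, "big") + dst_port.to_bytes(2, "big")
            + b"\x00" * 8                      # seq, ack
            + bytes([0x50, flags])             # data offset 5 words, flags
            + b"\xff\xff" + b"\x00\x00" + b"\x00\x00")   # window, checksum, urgent


def tcp_dst_port(segment: bytes) -> int:
    return int.from_bytes(segment[2:4], "big")   # bytes 2..3 of the TCP header


def rfc1858_verdict(frag: Fragment, allowed_ports) -> tuple:
    """Stateless per-fragment decision with the two RFC 1858 safeguards."""
    if frag.proto != PROTO_TCP:
        return "pass", "non-TCP"
    if frag.offset == 0:
        if frag.mf and len(frag.payload) < TCP_MIN_HEADER:
            return "drop", "tiny first fragment hides part of the TCP header"
        port = tcp_dst_port(frag.payload)
        return ("pass" if port in allowed_ports else "drop"), f"dst port {port}"
    if frag.offset == 1:
        return "drop", "offset 1 rewrites TCP header bytes 8.. (flags) of fragment 0"
    return "pass", "non-first fragment; the header was judged on fragment 0"


class VirtualReassembler:
    """Stateful alternative: buffer fragments per datagram, note overlaps with differing
    content, and apply the port policy to the reassembled header."""

    def __init__(self, allowed_ports):
        self.allowed = set(allowed_ports)
        self.buf = {}                 # ident -> {byte position: byte}
        self.overlapped = set()

    def add(self, frag: Fragment) -> tuple:
        data = self.buf.setdefault(frag.ident, {})
        start = frag.offset * FRAG_UNIT
        for i, b in enumerate(frag.payload):
            if start + i in data and data[start + i] != b:
                self.overlapped.add(frag.ident)
            data[start + i] = b       # later data wins (assumed policy)
        return self.judge(frag.ident) if not frag.mf else ("hold", "awaiting last fragment")

    def judge(self, ident: int) -> tuple:
        data = self.buf.pop(ident)
        self.overlapped.discard(ident) if False else None
        if ident in self.overlapped:
            self.overlapped.discard(ident)
            return "drop", "overlapping fragments with conflicting content"
        if any(i not in data for i in range(max(len(data), TCP_MIN_HEADER))):
            return "drop", "gap or incomplete TCP header after reassembly"
        segment = bytes(data[i] for i in range(len(data)))
        port = tcp_dst_port(segment)
        return ("pass" if port in self.allowed else "drop"), f"reassembled dst port {port}"


# Constructed samples: the slide's pair (0x1234) and a benign two-fragment datagram (0x5678).
ATTACK = [
    Fragment(0x1234, PROTO_TCP, 0, True, tcp_header(25)),
    Fragment(0x1234, PROTO_TCP, 1, False, tcp_header(23, flags=0x10)[8:] + b"data"),
]
BENIGN = [
    Fragment(0x5678, PROTO_TCP, 0, True, tcp_header(25) + b"EHLO"),
    Fragment(0x5678, PROTO_TCP, 3, False, b" example.test\r\n"),
]
TINY = Fragment(0x9abc, PROTO_TCP, 0, True, tcp_header(25)[:8])
```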

Beyond packet filtering: Proxying Firewall (Page 63)
• Several network locations – see next slides
• Two kinds of proxies
  – Circuit-level proxies
    • Works at session layer (which I omitted from OSI diagram)
  – Application-level proxies
    • Tailored to http, ftp, smtp, etc.
    • Some protocols easier to proxy than others
• Policy embedded in proxy programs
  – Proxies filter incoming, outgoing packets
  – Reconstruct application-layer messages
  – Can filter specific application-layer commands, etc.
    • Example: only allow specific ftp commands

Screened Host Architecture

Screened Subnet Using Two Routers

Dual Homed Host Architecture

Firewall with application proxies
Telnet proxy / Telnet daemon
FTP proxy / FTP daemon
SMTP proxy / SMTP daemon
Network Connection
Daemon spawns proxy when communication detected …

Application-level proxies
• Enforce policy for specific protocols
– E.g., virus scanning for SMTP
• Need to understand MIME, encoding, Zip archives
– Flexible approach, but may introduce network delays
• "Batch" protocols are natural to proxy
– SMTP (E-Mail), NNTP (Net news)
– DNS (Domain Name System), NTP (Network Time Protocol)
• Must protect host running protocol stack
– Disable all non-required services; keep it simple
– Install/modify services you want
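The policy-in-the-proxy idea from the two proxy slides ("only allow specific ftp commands"), as an added example that is not from the lecture or any proxy product. It handles only the FTP control channel: each client line is parsed into verb and argument, verbs outside an allowlist are answered locally with a 502 reply and never forwarded, and two argument checks are applied. The allowlist and the session transcript are constructed.

```python
"""FTP control-channel command filter for an application-level proxy.

Added example; not code from the lecture. ALLOWED and SESSION are constructed.
"""

# Constructed policy: read-only anonymous access, passive transfers only.
ALLOWED = {"USER", "PASS", "PWD", "CWD", "LIST", "NLST", "RETR",
           "PASV", "TYPE", "QUIT", "SYST", "FEAT"}


def parse_line(line: str):
    """Split one control-channel line into (VERB, argument)."""
    line = line.rstrip("\r\n")
    verb, _, arg = line.partition(" ")
    return verb.upper(), arg


def policy_decision(line: str):
    """Return ('forward', canonical_line) or ('reject', reply_to_client)."""
    verb, arg = parse_line(line)
    if not verb.isalpha() or len(verb) > 4:
        return "reject", "500 Syntax error, command unrecognized."
    if verb not in ALLOWED:
        # STOR, PORT, SITE, DELE ... all end here: the server never sees them
        return "reject", "502 Command not implemented by proxy policy."
    if verb in ("CWD", "RETR") and ".." in arg.split("/"):
        # the proxy reconstructs the argument and can apply path rules
        return "reject", "550 Path traversal not permitted."
    return "forward", f"{verb} {arg}".rstrip()


def filter_session(lines):
    """Run every line through the policy; return (forwarded, rejected)."""
    forwarded, rejected = [], []
    for line in lines:
        action, text = policy_decision(line)
        (forwarded if action == "forward" else rejected).append(text)
    return forwarded, rejected


# Constructed client transcript.
SESSION = [
    "USER anonymous\r\n",
    "PASS guest@example.test\r\n",
    "PASV\r\n",
    "RETR ../etc/passwd\r\n",
    "PORT 10,0,0,5,4,1\r\n",
    "STOR upload.bin\r\n",
    "SITE EXEC ls\r\n",
    "retr README\r\n",
    "QUIT\r\n",
]

if __name__ == "__main__":
    fwd, rej = filter_session(SESSION)
    print("forwarded:", fwd)
    print("rejected:", rej)
```

Five lines reach the server (USER, PASS, PASV, RETR README, QUIT); the traversal attempt, active-mode PORT, upload and SITE command are answered by the proxy itself.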

Configuration issues

Solsoft

Securify

Problems with Firewalls
• Performance
– Firewalls may interfere with network use
• Limitations
– They don't solve deeper problems
• Buggy software
• Bad protocols
– Generally cannot prevent Denial of Service
– Ineffective against insider attacks
• Administration
– Many commercial firewalls permit very complex configurations

References
Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman
William R. Cheswick, Steven M. Bellovin, Aviel D. Rubin

Traffic Shaping
• Traditional firewall
– Allow traffic or not
• Traffic shaping
– Limit certain kinds of traffic
– Can differentiate by host addr, protocol, etc.
– Multi-Protocol Label Switching (MPLS)
• Label traffic flows at the edge of the network and let core routers identify the required class of service
• The real issue here on Campus:
– P2P file sharing takes a lot of bandwidth

Stanford computer use

Sample traffic distribution
Packeteer white paper example; not Stanford data

Traffic shaping functions
• Classify and analyze traffic
– Classify by IP address and port number
– Use application-specific information (layer 7)
• Control traffic
– Selectively slow certain classes of traffic
• Monitor network performance
– Collect performance data, used to improve policies
• Network resilience
– Active traffic management can provide

PacketShaper Classification
OSI layers: 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical
Most Routers/Switches vs. PacketShaper: Classify 400+ Apps at OSI Layers 2-7
Peer-to-Peer Apps: Aimster, AudioGalaxy, CuteMX, DirectConnect, Gnutella, Hotline, iMesh, KaZaA/Morpheus, Napster, ScourExchange, Tripnosis, …
Some Other Apps: H.323, RTP-I/RTCP-I, PASV FTP, HTTP, Real, WinMedia, Shoutcast, MPEG, Quicktime, RTSP, Chatting Apps, Games

PacketShaper Controls
A partition:
– Creates a virtual pipe within a link for each traffic class
– Provides a min, max bandwidth
– Enables efficient bandwidth use
Rate shaped: P2P capped at 300 kbps
Rate shaped: HTTP/SSL to give better performance
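Per-class rate shaping of the kind the partition slide describes ("P2P capped at 300 kbps"), as an added example that is not PacketShaper code. Packets are constructed records classified by destination port (the layer 3/4 classification of the earlier slide); each class owns a token bucket filled at its cap, with a burst allowance of one second at the cap. Time is kept in whole milliseconds and sizes in bits so the arithmetic is exact: a cap of N kbit/s is exactly N bits per millisecond. Packets that find too few tokens are counted as dropped here; a real shaper queues them instead. The port sets and caps are assumptions of this example.

```python
"""Per-class token-bucket shaper.

Added example; not PacketShaper code. Traffic, ports and caps are constructed.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    t_ms: int       # arrival time, milliseconds
    dst_port: int
    size: int       # bytes


class TokenBucket:
    def __init__(self, rate_kbps: int):
        self.rate = rate_kbps               # bits per millisecond (== kbit/s)
        self.capacity = rate_kbps * 1000    # burst: one second at the cap
        self.tokens = self.capacity
        self.last_ms = 0

    def admit(self, t_ms: int, bits: int) -> bool:
        """Refill for the elapsed time, then spend tokens if enough remain."""
        self.tokens = min(self.capacity, self.tokens + (t_ms - self.last_ms) * self.rate)
        self.last_ms = t_ms
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False


P2P_PORTS = {6346, 6881, 6882, 6883}   # constructed sample of P2P ports


def classify(pkt: Packet) -> str:
    """Layer-4 classification by destination port."""
    if pkt.dst_port in (80, 443):
        return "http"
    if pkt.dst_port in P2P_PORTS:
        return "p2p"
    return "other"


class Shaper:
    def __init__(self, caps_kbps):
        # one partition (bucket) per managed traffic class
        self.buckets = {cls: TokenBucket(rate) for cls, rate in caps_kbps.items()}

    def process(self, packets):
        """Return {class: {"passed": n, "dropped": n}}; unmanaged classes pass."""
        stats = {cls: {"passed": 0, "dropped": 0} for cls in self.buckets}
        for p in sorted(packets, key=lambda p: p.t_ms):
            cls = classify(p)
            bucket = self.buckets.get(cls)
            ok = True if bucket is None else bucket.admit(p.t_ms, p.size * 8)
            stats.setdefault(cls, {"passed": 0, "dropped": 0})["passed" if ok else "dropped"] += 1
        return stats


# Constructed traffic: a P2P transfer offering 1500-byte packets every 10 ms
# (1.2 Mbit/s) and a web client sending one 1500-byte packet every 50 ms.
P2P_FLOOD = [Packet(t_ms=10 * i, dst_port=6881, size=1500) for i in range(100)]
WEB = [Packet(t_ms=50 * i, dst_port=443, size=1500) for i in range(20)]


def run_demo():
    shaper = Shaper({"p2p": 300, "http": 2000})
    return shaper.process(P2P_FLOOD + WEB)


if __name__ == "__main__":
    print(run_demo())
```

Over the first second the P2P class gets the 300 kbit burst plus 300 kbit of refill, so 49 of the 100 offered packets (588 kbit) pass and the rest are shed, while all 20 web packets pass untouched under their 2 Mbit/s partition.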

PacketShaper report: HTTP
Outside Web Server: Normalized Network Response Times (No Shaping)
Inside Web Server: Normalized Network Response Times (No Shaping)

Host and network intrusion detection
• Intrusion prevention
– Network firewall
• Restrict flow of packets
– System security
• Find buffer overflow vulnerabilities and remove them!
• Intrusion detection
– Discover system modifications
• Tripwire
– Look for attack in progress
• Network traffic patterns

Tripwire
• Outline of standard attack
– Gain user access to system
– Gain root access
– Replace system binaries to set up backdoor
– Use backdoor for future activities
• Tripwire detection point: system binaries
– Compute hash of key system binaries
– Compare current hash to hash stored

Is Tripwire too late?
• Typical attack on server
– Gain access
– Install backdoor
• This can be in memory, not on disk!!
– Use it
• Tripwire
– Is a good idea
– Won't catch attacks that don't change system files
– Detects a compromise that has already happened

Detect modified binary in memory?
• Can use system-call monitoring techniques
• For example [Wagner, Dean IEEE S&P '01]
– Build automaton of expected system calls
• Can be done automatically from source code
– Monitor system calls from each program
– Catch violation

Example code and automaton

    #include <fcntl.h>
    #include <stdlib.h>
    #include <unistd.h>

    void f(int x) {
        x ? getuid() : geteuid();
        x++;
    }

    void g(void) {
        int fd = open("foo", O_RDONLY);
        f(0);
        close(fd);
        f(1);
        exit(0);
    }

Automaton of expected system calls built from the source:
Entry(g) -> open() -> Entry(f) -> getuid() | geteuid() -> Exit(f) -> close() -> Entry(f) -> getuid() | geteuid() -> Exit(f) -> exit() -> Exit(g)

If code behavior is inconsistent with automaton, something is wrong
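A monitor that checks an observed system-call trace against the automaton on this slide, as an added example (not code from the lecture or from the Wagner-Dean paper). The automaton is written by hand from the slide's g() and f(); the paper derives it from source automatically. Entry/Exit states are epsilon transitions (a call or return makes no system call and is not observed), edges labelled with a syscall name consume one observed call, and the automaton is simulated as an NFA so that either branch of f() is accepted at either call site, exactly as a static model must. The traces are constructed.

```python
"""NFA-based system-call monitor for the slide's g()/f() example.

Added example; not the lecture's or the Wagner-Dean code. Traces are constructed.
"""

# state -> list of (label, next_state); label None = epsilon (call/return marker)
AUTOMATON = {
    "Entry(g)":    [("open", "g1")],
    "g1":          [(None, "Entry(f)#1")],
    "Entry(f)#1":  [("getuid", "Exit(f)#1"), ("geteuid", "Exit(f)#1")],
    "Exit(f)#1":   [("close", "g2")],
    "g2":          [(None, "Entry(f)#2")],
    "Entry(f)#2":  [("getuid", "Exit(f)#2"), ("geteuid", "Exit(f)#2")],
    "Exit(f)#2":   [("exit", "Exit(g)")],
    "Exit(g)":     [],
}


def epsilon_closure(states, automaton):
    """All states reachable from `states` without consuming a system call."""
    stack, seen = list(states), set(states)
    while stack:
        s = stack.pop()
        for label, nxt in automaton.get(s, []):
            if label is None and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def check_trace(trace, automaton=AUTOMATON, start="Entry(g)"):
    """Simulate the NFA over the trace.

    Returns (True, None) if every call was allowed by some path, otherwise
    (False, i) where i is the index of the first call no path permits; a
    monitor would stop the process at that point."""
    current = epsilon_closure({start}, automaton)
    for i, call in enumerate(trace):
        nxt = {t for s in current for label, t in automaton.get(s, []) if label == call}
        if not nxt:
            return False, i
        current = epsilon_closure(nxt, automaton)
    return True, None


# Constructed traces. f(0) takes the geteuid branch, f(1) the getuid branch.
NORMAL = ["open", "geteuid", "close", "getuid", "exit"]
# Also accepted: the static model cannot tell which branch x selects.
OTHER_BRANCH = ["open", "getuid", "close", "geteuid", "exit"]
# A call the program's source never makes between close() and f(1).
INJECTED = ["open", "geteuid", "close", "execve", "getuid", "exit"]

if __name__ == "__main__":
    for t in (NORMAL, OTHER_BRANCH, INJECTED):
        print(t, "->", check_trace(t))
```

The injected trace is flagged at index 3 regardless of what was loaded into memory, which is the point of the slide: the model comes from the source, not from the binary on disk.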

General intrusion detection
http://www.snort.org/
• Many intrusion detection systems
– Close to 100 systems with current web pages
– Network-based, host-based, or combination
• Two basic models
– Misuse detection model
• Maintain data on known attacks
• Look for activity with corresponding signatures
– Anomaly detection model
• Try to figure out what is "normal"

Misuse example - rootkit
• Rootkit sniffs network for passwords
– Collection of programs that allow attacker to install and operate a packet sniffer (on Unix machines)
– Emerged in 1994, has evolved since then
– 1994 estimate: 100,000 systems compromised
• Rootkit attack
– Use stolen password or dictionary attack to get user access
– Get root access using vulnerabilities in rdist, sendmail, /bin/mail, loadmodule, rpc.ypupdated, lpr, or passwd

Rootkit covers its tracks
• Modifies netstat, ps, ls, du, ifconfig, login
– Modified binaries hide new files used by rootkit
– Modified login allows attacker to return for passwords
• Rootkit fools simple Tripwire checksum
– Modified binaries have same checksum
– But a better hash would be able to detect rootkit
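The Tripwire procedure from the earlier slide (hash key binaries, store, compare) together with this slide's point about checksums, as an added example that is not Tripwire's code. The "binaries" are constructed byte strings in a dict rather than files, so it runs offline. The weak checksum is a toy 16-bit additive sum standing in for the simple checksums early tools used; a two-byte edit that keeps the sum constant slips past it, while SHA-256 reports the change.

```python
"""Baseline integrity check: weak additive checksum beside SHA-256.

Added example; not Tripwire code. File contents are constructed.
"""
import hashlib


def weak_checksum(data: bytes) -> int:
    """Toy checksum: byte sum modulo 2**16 (order-insensitive, easy to preserve)."""
    return sum(data) % 65536


def strong_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_baseline(files):
    """Record both digests for every monitored 'file' (the stored hashes)."""
    return {name: (weak_checksum(d), strong_hash(d)) for name, d in files.items()}


def verify(files, baseline):
    """Compare current contents with the baseline.

    Returns {name: {"weak": bool, "strong": bool}} for every file whose
    weak checksum or strong hash differs, or which is missing."""
    findings = {}
    for name, (w0, h0) in baseline.items():
        data = files.get(name)
        if data is None:
            findings[name] = {"weak": True, "strong": True}
            continue
        w_diff = weak_checksum(data) != w0
        h_diff = strong_hash(data) != h0
        if w_diff or h_diff:
            findings[name] = {"weak": w_diff, "strong": h_diff}
    return findings


# Constructed clean system: contents stand in for /bin binaries.
CLEAN = {
    "ps": b"ELF\x02ps: list processes\x00",
    "ls": b"ELF\x02ls: list files\x00",
    "login": b"ELF\x02login: authenticate\x00",
}


def checksum_preserving_edit(clean: bytes, index: int, delta: int) -> bytes:
    """Change byte `index` by +delta and byte `index+1` by -delta so that the
    additive checksum is unchanged (the slide's 'same checksum' case).
    Constructed for illustration; neither byte may wrap around."""
    b = bytearray(clean)
    assert 0 <= b[index] + delta < 256 and 0 <= b[index + 1] - delta < 256
    b[index] += delta
    b[index + 1] -= delta
    return bytes(b)


# Constructed compromised system: 'ps' edited at bytes 8 and 9 ('l','i' -> 'm','h').
COMPROMISED = dict(CLEAN, ps=checksum_preserving_edit(CLEAN["ps"], 8, 1))

if __name__ == "__main__":
    base = take_baseline(CLEAN)
    print("clean:", verify(CLEAN, base))
    print("compromised:", verify(COMPROMISED, base))
```

On the compromised system the weak checksum still matches for ps, so a tool relying on it reports nothing; the SHA-256 comparison flags the file.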

Detecting rootkit on system
• Sad way to find out
– Disk is full of sniffer logs
• Manual confirmation
– Reinstall clean ps and see what processes are running
• Automatic detection
– Rootkit does not alter the data structures normally used by netstat, ps, ls, du, ifconfig
– Host-based intrusion detection can find rootkit files
• As long as an updated version of Rootkit does

Detecting network attack (Sept 2003)
• Symantec honeypot running Red Hat Linux 9
• Attack
– Samba 'call_trans2open' Remote Buffer Overflow (BID 7294)
– Attacker installed a copy of the SHV4 Rootkit
• Snort NIDS generated alerts, from this signature:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB trans2open buffer overflow attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|ff|SMB|32|"; offset:4; depth:5; content:"|00 14|"; offset:60; depth:2;

More info: https://tms.symantec.com/members/AnalystReports/030929-Analysis-SHV4Rootkit.pdf
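How the three content tests of the slide's Snort signature are evaluated against a payload, as an added example that is not Snort code. Each ContentTest mirrors one `content; offset; depth` group: the decoded pattern must occur inside the window payload[offset : offset+depth] (Snort's absolute offset/depth semantics for a content match), and the rule fires only when all three groups match. The hex escapes between `|` are decoded as in Snort rules. The sample payloads are constructed: they place the bytes the rule inspects at the positions the rule names and do not model the real SMB field layout.

```python
"""Snort-style content/offset/depth matching for the slide's rule.

Added example; not Snort code. Payloads are constructed, not captured traffic.
"""
from dataclasses import dataclass


def parse_content(spec: str) -> bytes:
    """Decode a Snort content string such as '|ff|SMB|32|' into bytes."""
    out, in_hex = bytearray(), False
    for part in spec.split("|"):
        out += bytes.fromhex(part) if in_hex else part.encode("latin-1")
        in_hex = not in_hex
    return bytes(out)


@dataclass(frozen=True)
class ContentTest:
    content: bytes
    offset: int
    depth: int

    def matches(self, payload: bytes) -> bool:
        # search only the `depth` bytes starting at `offset`
        window = payload[self.offset:self.offset + self.depth]
        return self.content in window


# The three content groups of the slide's rule, in rule order.
TRANS2OPEN_RULE = [
    ContentTest(parse_content("|00|"), offset=0, depth=1),
    ContentTest(parse_content("|ff|SMB|32|"), offset=4, depth=5),
    ContentTest(parse_content("|00 14|"), offset=60, depth=2),
]


def rule_matches(payload: bytes, tests=TRANS2OPEN_RULE) -> bool:
    """All content tests must match for the rule to fire."""
    return all(t.matches(payload) for t in tests)


def build_payload(command: int, tail: bytes) -> bytes:
    """Constructed 64-byte payload: byte 0 = 0x00, bytes 4..7 = 0xff 'SMB',
    byte 8 = command, bytes 60..61 = tail. Everything else is zero."""
    buf = bytearray(64)
    buf[0] = 0x00
    buf[4:8] = b"\xffSMB"
    buf[8] = command
    buf[60:62] = tail
    return bytes(buf)


SUSPECT = build_payload(0x32, b"\x00\x14")       # matches all three tests
OTHER_TRANS2 = build_payload(0x32, b"\x00\x01")  # bytes 60..61 differ
OTHER_COMMAND = build_payload(0x72, b"\x00\x14") # byte 8 is not 0x32

if __name__ == "__main__":
    for name, p in (("suspect", SUSPECT), ("other_trans2", OTHER_TRANS2),
                    ("other_command", OTHER_COMMAND)):
        print(name, rule_matches(p))
```

A payload shorter than 62 bytes can never match the third test because its window is empty, which is why the depth/offset pair also acts as a length check.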

Misuse example - port sweep
• Attacks can be OS specific
– Bugs in specific implementations
– Oversights in default configuration
• Attacker sweeps net to find vulnerabilities
– Port sweep tries many ports on many IP addresses
– If characteristic behavior detected, mount attack
• SGI IRIX responds on TCPMUX port (TCP port 1)
• If machine responds, SGI IRIX vulnerabilities
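A sweep detector over connection records, as an added example that is not from the lecture. The records are constructed (time, source, destination, port) tuples standing in for a flow log. A source that contacts more than max_targets distinct (destination, port) pairs across more than min_hosts hosts within a sliding window is reported; the thresholds and the 60-second window are assumptions of this example, and the slide's TCPMUX probe (TCP port 1) is just one of the ports in the sample.

```python
"""Sliding-window port-sweep detector over connection records.

Added example; not from the lecture. Records and thresholds are constructed.
"""
from collections import defaultdict, deque
from itertools import product


def detect_sweeps(records, window_s=60.0, max_targets=20, min_hosts=5):
    """records: iterable of (t_seconds, src, dst, dport), sorted by time.

    Returns {src: (n_targets, n_hosts, window_start, alert_time)} for every
    source that exceeds both thresholds at some point; each source is
    reported once, at the record that first crosses the thresholds."""
    recent = defaultdict(deque)   # src -> deque of (t, dst, dport) inside the window
    alerts = {}
    for t, src, dst, dport in records:
        q = recent[src]
        q.append((t, dst, dport))
        while q and q[0][0] < t - window_s:
            q.popleft()                          # expire old records
        targets = {(d, p) for _, d, p in q}
        hosts = {d for _, d, _ in q}
        if len(targets) > max_targets and len(hosts) > min_hosts and src not in alerts:
            alerts[src] = (len(targets), len(hosts), q[0][0], t)
    return alerts


SWEEPER = "203.0.113.9"        # constructed, documentation address range
CLIENT = "198.51.100.7"        # constructed normal client


def sample_records():
    """Constructed log: the sweeper probes ports 1 and 22 on sixteen hosts,
    one probe every 0.5 s; the client repeatedly connects to one web server."""
    hosts = ["192.0.2.%d" % i for i in range(1, 17)]
    recs = [(0.5 * k, SWEEPER, host, port)
            for k, (host, port) in enumerate(product(hosts, (1, 22)))]
    recs += [(0.4 * j, CLIENT, "192.0.2.10", 80) for j in range(30)]
    return sorted(recs)


if __name__ == "__main__":
    print(detect_sweeps(sample_records()))
```

The sweeper is reported at its 21st distinct (host, port) pair, by which time it has touched 11 hosts; the client, with a single target, never trips the host threshold no matter how many connections it makes.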

Anomaly Detection
• Basic idea
– Monitor network traffic, system calls
– Compute statistical properties
– Report errors if statistics outside established range
• Example – IDES (Denning, SRI)
– For each user, store daily count of certain activities
• E.g., fraction of hours spent reading email
– Maintain list of counts for several days
Big problem: the most unpredictable user is the most important

Anomaly – sys call sequences [Hofmeyr, Somayaji, Forrest]
• Build traces during normal run of program
– Example program behavior (sys calls)
open read write open mmap write fchmod close
– Sample traces stored in file (4-call sequences)
open read write open
read write open mmap
write open mmap write
open mmap write fchmod
mmap write fchmod close
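The sequence-based anomaly detector of this slide, with the "statistics outside established range" test of the previous slide as its decision rule, as an added example that is not the authors' code. The normal database is the set of 4-call windows seen in training traces; a new trace is scored by the fraction of its windows absent from the database, and the operator sets a threshold on that fraction. The training trace is the slide's; the test traces are constructed.

```python
"""Sliding-window system-call anomaly detector (k = 4 as on the slide).

Added example; not the authors' code. Test traces are constructed.
"""
from collections import deque

K = 4


def windows(trace, k=K):
    """Yield every length-k sliding window of `trace` as a tuple."""
    buf = deque(maxlen=k)
    for call in trace:
        buf.append(call)
        if len(buf) == k:
            yield tuple(buf)


def build_database(training_traces, k=K):
    """The 'normal' database: all k-call windows seen during training."""
    db = set()
    for t in training_traces:
        db.update(windows(t, k))
    return db


def score(trace, db, k=K):
    """Return (mismatches, total_windows, fraction_unseen) for one trace."""
    seen = list(windows(trace, k))
    if not seen:
        return 0, 0, 0.0
    misses = sum(1 for w in seen if w not in db)
    return misses, len(seen), misses / len(seen)


def is_anomalous(trace, db, threshold=0.1, k=K):
    """Report the trace when its unseen-window fraction is outside the range."""
    return score(trace, db, k)[2] > threshold


# The slide's normal run; its five 4-call windows form the database.
NORMAL_TRACE = "open read write open mmap write fchmod close".split()
NORMAL_DB = build_database([NORMAL_TRACE])

# Constructed: a single extra call in the middle of an otherwise normal run.
# It disturbs every window that overlaps it, so 4 of the 6 windows are unseen.
INJECTED = "open read write open execve mmap write fchmod close".split()

if __name__ == "__main__":
    for t in (NORMAL_TRACE, INJECTED):
        print(t, score(t, NORMAL_DB), is_anomalous(t, NORMAL_DB))
```

One foreign call affects k windows, which is what makes short windows sensitive; it is also why an attacker who wants to stay inside the database must restrict themselves to call sequences the program already exhibits.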

Difficulties in intrusion detection
• Lack of training data
– Lots of "normal" network, system call data
– Little data containing realistic attacks, anomalies
• Data drift
– Statistical methods detect changes in behavior
– Attacker can attack gradually and incrementally
• Main characteristics not well

Strategic Intrusion Assessment [Lunt]
Reporting hierarchy shown in the figure: Local Intrusion Detectors, Organizational Security Centers, Regional Reporting Centers (CERTs), DoD Reporting Centers, International/Allied Reporting Centers, National Reporting Centers
www.blackhat.com/presentations/bh-usa-99/teresa-lunt/tutorial.ppt

Strategic Intrusion Assessment [Lunt]
• Test over two-week period
– AFIWC's intrusion detectors at 100 AFBs alarmed on 2 million sessions
– Manual review identified 12,000 suspicious events
– Further manual review => four actual incidents
• Conclusion
– Most alarms are false positives
– Most true positives are trivial incidents

Lecture Review
• Firewalls
– Packet filter (stateless, stateful)
– Application-layer proxies
• Traffic Shaping
• Intrusion detection
– Anomaly and misuse detection
– Host and network intrusion detection

Chapter 10 Firewalls
Blekinge Institute of Technology, Sweden
http://www.its.bth.se/staff/hjo/
+46-708-250375

Outline
• Firewall Design Principles
– Firewall Characteristics
– Types of Firewalls
– Firewall Configurations
• Trusted Systems
– Data Access Control
– The Concept of Trusted Systems
– Trojan Horse Defense

Firewalls
• Effective means to protect a local system or network of systems from network-based security threats while affording access to the outside world via WANs or the Internet

Firewall Design Principles
• Information systems undergo a steady evolution (from small LANs to Internet connectivity)
• Strong security features for all workstations and servers not established

Firewall Design Principles
• The firewall is inserted between the premises network and the Internet
• Aims:
– Establish a controlled link
– Protect the premises network from Internet-based attacks
– Provide a single choke point

Firewall Characteristics
• Design goals:
– All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall)
– Only authorized traffic (defined by the local security policy) will be allowed to pass

Firewall Characteristics
• Design goals:
– The firewall itself is immune to penetration (use of trusted system with a secure operating system)

Firewall Characteristics
• Four general techniques:
• Service control
– Determines the types of Internet services that can be accessed, inbound or outbound
• Direction control
– Determines the direction in which particular service requests are allowed to flow

Firewall Characteristics
• User control
– Controls access to a service according to which user is attempting to access it
• Behavior control
– Controls how particular services are used (e.g. filter e-mail)

Data Access Control
• Through the user access control procedure (log on), a user can be identified to the system
• Associated with each user, there can be a profile that specifies permissible operations and file accesses
• The operating system can enforce rules based on the user profile

Data Access Control
• General models of access control:
– Access matrix
– Access control list
– Capability list

Data Access Control
• Access Matrix

Data Access Control
• Access Matrix: Basic elements of the model
– Subject: An entity capable of accessing objects; the concept of subject equates with that of process
– Object: Anything to which access is controlled (e.g. files, programs)
– Access right: The way in which an object is accessed by a subject (e.g. read, write, execute)

Data Access Control
• Access Control List: Decomposition of the matrix by columns

Data Access Control
• Access Control List
– An access control list lists users and their permitted access rights
– The list may contain a default or public entry

Data Access Control
• Capability list: Decomposition of the matrix by rows

Data Access Control
• Capability list
– A capability ticket specifies authorized objects and operations for a user
– Each user has a number of tickets
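The access matrix and its two decompositions from the preceding slides (ACLs by column, capability lists by row), as an added example that is not from the lecture. Subjects, objects and rights are constructed. The example shows that the authorization question "may subject s perform right r on object o?" is answered identically from the matrix, from the object's ACL and from the subject's capability list, while each representation makes a different query cheap: "who can access this object?" for ACLs, "what may this user do?" for capabilities. The ACL check also models the slide's default (public) entry.

```python
"""Access matrix, ACL and capability-list views of one authorization state.

Added example; not from the lecture. The matrix contents are constructed.
"""

RIGHTS = {"read", "write", "execute"}

# Constructed access matrix: rows = subjects, columns = objects, cells = rights.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
    "bob":   {"report.txt": {"read", "write"}, "backup.sh": {"execute"}},
    "carol": {"payroll.db": {"read"}},
}


def access_control_lists(matrix):
    """Decompose by columns: object -> {subject: rights}."""
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    return acls


def capability_lists(matrix):
    """Decompose by rows: subject -> [(object, rights)], the user's tickets."""
    return {s: [(o, set(r)) for o, r in row.items()] for s, row in matrix.items()}


def allowed_via_matrix(matrix, subject, right, obj):
    return right in matrix.get(subject, {}).get(obj, set())


def allowed_via_acl(acls, subject, right, obj, default_rights=frozenset()):
    """ACL lookup; `default_rights` is the slide's default/public entry."""
    return right in acls.get(obj, {}).get(subject, default_rights)


def allowed_via_capability(caps, subject, right, obj):
    """Capability lookup: does the subject hold a ticket for (obj, right)?"""
    return any(o == obj and right in r for o, r in caps.get(subject, []))


def who_can(acls, right, obj):
    """Cheap with ACLs: every subject holding `right` on `obj`."""
    return sorted(s for s, r in acls.get(obj, {}).items() if right in r)


def what_can(caps, subject):
    """Cheap with capabilities: every (object, right) a subject holds."""
    return sorted((o, r) for o, rights in caps.get(subject, []) for r in rights)


def consistent(matrix):
    """All three representations agree on every (subject, right, object)."""
    acls, caps = access_control_lists(matrix), capability_lists(matrix)
    objects = {o for row in matrix.values() for o in row}
    for s in matrix:
        for o in objects:
            for r in RIGHTS:
                a = allowed_via_matrix(matrix, s, r, o)
                if a != allowed_via_acl(acls, s, r, o) or a != allowed_via_capability(caps, s, r, o):
                    return False
    return True


if __name__ == "__main__":
    acls, caps = access_control_lists(MATRIX), capability_lists(MATRIX)
    print("consistent:", consistent(MATRIX))
    print("readers of payroll.db:", who_can(acls, "read", "payroll.db"))
    print("bob's tickets:", what_can(caps, "bob"))
```

Revoking a user's access to one object is a single ACL edit but may require visiting every capability the user holds, which is the usual argument for ACLs on file systems and capabilities where tickets are handed to processes.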

The Concept of Trusted Systems
• Trusted Systems
– Protection of data and resources on the basis of levels of security (e.g. military)
– Users can be granted clearances to access certain categories of data

The Concept of Trusted Systems
• Multilevel security
– Definition of multiple categories or levels of data
• A multilevel secure system must enforce:
– No read up: A subject can only read an object of less or equal security level (Simple Security Property)
– No write down: A subject can only write into an object of greater or equal security level (*-Property)

The Concept of Trusted Systems
• Reference Monitor Concept: Multilevel security for a data processing system

The Concept of Trusted Systems

The Concept of Trusted Systems
• Reference Monitor
– Controlling element in the hardware and operating system of a computer that regulates the access of subjects to objects on the basis of security parameters
– The monitor has access to a file (security kernel database)
– The monitor enforces the security rules (no read up, no write down)

The Concept of Trusted Systems
• Properties of the Reference Monitor
– Complete mediation: Security rules are enforced on every access
– Isolation: The reference monitor and database are protected from unauthorized modification
– Verifiability: The reference monitor's correctness must be provable (mathematically)

The Concept of Trusted Systems
• A system that can provide such verifications (properties) is referred to as a trusted system

Trojan Horse Defense
• Secure, trusted operating systems are one way to secure against Trojan Horse attacks
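A reference monitor enforcing the two multilevel-security rules from the trusted-systems slides (no read up, no write down), which is also the mechanism behind the Trojan Horse Defense above, as an added example that is not from the lecture. Levels, clearances and classifications are constructed; every access goes through one decide() method (complete mediation), each decision is appended to an audit list, and unknown subjects, objects or operations are denied. The Trojan scenario is the classic one: a program running with a cleared user's level reads that user's data and then tries to write it somewhere a low-clearance user can read.

```python
"""Reference monitor for a multilevel-security (no read up / no write down) policy.

Added example; not from the lecture. Levels and the database are constructed.
"""
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class ReferenceMonitor:
    def __init__(self, clearances, classifications):
        # security kernel database: subject -> clearance, object -> classification
        self._clearance = dict(clearances)
        self._classification = dict(classifications)
        self.audit = []   # (subject, operation, object, granted)

    def decide(self, subject, op, obj) -> bool:
        """Mediate one access and record the decision."""
        s_lvl = self._clearance.get(subject)
        o_lvl = self._classification.get(obj)
        if s_lvl is None or o_lvl is None:
            granted = False                 # unknown subject/object: deny
        elif op == "read":
            granted = s_lvl >= o_lvl        # no read up (simple security property)
        elif op == "write":
            granted = s_lvl <= o_lvl        # no write down (*-property)
        else:
            granted = False                 # unknown operation: deny
        self.audit.append((subject, op, obj, granted))
        return granted


def build_monitor() -> ReferenceMonitor:
    """Constructed sample security kernel database."""
    return ReferenceMonitor(
        clearances={"alice": Level.SECRET, "bob": Level.UNCLASSIFIED},
        classifications={
            "alice_notes": Level.SECRET,
            "ops_plan": Level.TOP_SECRET,
            "shared_low": Level.UNCLASSIFIED,
        },
    )


def trojan_horse_scenario(monitor=None):
    """A Trojan running with Alice's clearance reads her SECRET notes and then
    tries to copy them into a file Bob can read. Returns both decisions."""
    m = monitor if monitor is not None else build_monitor()
    return [m.decide("alice", "read", "alice_notes"),
            m.decide("alice", "write", "shared_low")]


if __name__ == "__main__":
    m = build_monitor()
    print("trojan:", trojan_horse_scenario(m))
    print("bob reads alice_notes:", m.decide("bob", "read", "alice_notes"))
    for entry in m.audit:
        print(entry)
```

The read succeeds, because the Trojan runs at Alice's level, but the write down is refused, so the data never reaches the low-level file; Bob's direct read of the SECRET file is refused as a read up. Note that the *-property also stops a legitimate SECRET user from writing unclassified notes, which is the usual usability cost of the policy.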

Trojan Horse Defense

Trojan Horse Defense

Recommended Reading
• Chapman, D., and Zwicky, E. Building Internet Firewalls. O'Reilly, 1995
• Cheswick, W., and Bellovin, S. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, 2000
• Gasser, M. Building a Secure Computer System. Reinhold, 1988
• Pfleeger, C. Security in Computing. Prentice Hall, 1997

Spring 2006 CS155
Network Defense Tools: Firewalls, Traffic shapers, and Intrusion Detection
John Mitchell, Stanford

Packet filtering examples
Compare: Tiny Personal Firewall, ZoneAlarm

Review: Data Formats
Application: message (data)
Transport (TCP, UDP): segment = TCP header + data
Network (IP): packet = IP header + TCP header + data
Link (Ethernet): frame = Ethernet header + IP header + TCP header + data + Ethernet trailer