Number of slides: 66
Spring 2009, CS 155: Network Security Protocols and Defensive Mechanisms. John Mitchell

Plan for today
Network protocol security
- IPSEC
- BGP instability and S-BGP
- DNS rebinding and DNSSEC
- Wireless security: 802.11i/WPA2
Standard network perimeter defenses
- Firewall
  - Packet filter (stateless, stateful), application layer proxies
- Traffic shaping
- Intrusion detection
  - Anomaly and misuse detection
Dan's lecture last Thursday
Basic network protocols
- IP, TCP, UDP, BGP, DNS
Problems with them
- No source authentication: can't tell where a packet came from
- Packet sniffing
- Connection spoofing, sequence numbers
- BGP: advertise bad routes or close good ones
- DNS: cache poisoning, rebinding (out of time last week; covered today)
IPSEC
Security extensions for IPv4 and IPv6
- IP Authentication Header (AH): authentication and integrity of payload and header
- IP Encapsulating Security Payload (ESP): confidentiality of payload
- ESP with optional ICV (integrity check value): confidentiality, authentication and integrity of payload

IPSec Transport Mode Operation (figure; source: http://www.tcpipguide.com/free/t_IPSecModesTransportandTunnel.htm)

IPSec Tunnel Mode Operation (figure)
VPN
Three different modes of use:
- Remote access client connections
- LAN-to-LAN internetworking
- Controlled access within an intranet
Several different protocols
- PPTP: Point-to-Point Tunneling Protocol (data layer)
- L2TP: Layer 2 Tunneling Protocol (data layer)
- IPsec (Layer 3: network layer)

Generic VPN diagram (figure)
BGP example [D. Wetherall]
(figure: eight autonomous systems exchanging AS-path advertisements; AS 2 provides transit for AS 7)
- Algorithm seems to work OK in practice
- BGP does not respond well to frequent node outages

BGP Security Issues
- BGP is the critical infrastructure for the Internet, the basis for all inter-ISP routing
- Benign configuration errors affect about 1% of all routing table entries at any time
- The current system is highly vulnerable to human errors and to a wide range of malicious attacks on
  - links
  - routers
  - management stations
- MD5 MAC is rarely used, perhaps due to lack of automated key management, and it addresses only one class of attacks
Slide: Steve Kent

S-BGP Design Overview
- IPsec: secure point-to-point router communication
- Public Key Infrastructure: an authorization framework for all S-BGP entities
- Attestations: digitally-signed authorizations to advertise specified address blocks
- Validation of UPDATEs based on a new path attribute, using PKI certificates and attestations
- Repositories for distribution of certificates, CRLs, and address attestations
- Tools for ISPs to manage address attestations, process certificates & CRLs, etc.
Slide: Steve Kent
DNS Lookup Example
(figure: the client asks its local DNS resolver for www.cs.stanford.edu; the resolver follows NS referrals from the root & edu DNS server to the stanford.edu DNS server and then the cs.stanford.edu DNS server, which returns the A record: www.cs.stanford.edu = IP addr)
DNS record types (partial list):
- NS: name server (points to other server)
- A: address record (contains IP address)
- MX: address in charge of handling email
- TXT: generic text (e.g., used to distribute site public keys (DKIM))

DNSSEC Protocol
(source: http://www.nanog.org/mtg-0410/pdf/crocker.pdf)
Extensions to DNS provide
- Data integrity
- Origin authentication of DNS data
- Authenticated denial of existence

Some DNSSEC Issues
Root zone key rollover
- Trust in a key is established by the DS Resource Record (RR)
  - The DS RR of a child zone is stored in its parent zone
  - It carries a "digest" that can uniquely authenticate that DNSKEY
- The root public key relies on communication "out-of-band" to DNS
- Lots of politics about who gets to operate the DNS root
What about host names that don't exist in a zone?
- A simple "does not exist" message would allow replay
- Better: if the name is not in the zone, return a "gap-spanning" NSEC RR that gives the nearest names before and after the queried name
- The NSEC record lets an attacker enumerate a zone
- Better: NSEC3 record
  - Cryptographically hashes the names, orders the hashes
  - Uses the hashes as in NSEC
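The denial-of-existence mechanics above, as an added example that is not part of the slides: a toy zone (constructed names) is sorted into DNSSEC canonical order, the gap-spanning NSEC record covering an absent name is located, the zone is walked through the NSEC "next" pointers to show the enumeration leak, and the RFC 5155 NSEC3 owner-name hash (SHA-1, salt, iterations, base32hex) is computed for comparison.

```python
import base64
import hashlib

# Constructed zone contents (not from the slides): the names that exist.
ZONE = ["example.", "www.example.", "a.example.", "mail.example."]


def canonical_key(name):
    """DNSSEC canonical ordering (RFC 4034): lowercase labels compared from the root."""
    labels = [l for l in name.lower().split(".") if l]
    return tuple(reversed(labels))


def build_nsec_chain(names):
    """owner -> next owner in canonical order; the last name points back to the apex."""
    ordered = sorted(set(names), key=canonical_key)
    return {ordered[i]: ordered[(i + 1) % len(ordered)] for i in range(len(ordered))}


def covering_nsec(chain, qname):
    """The gap-spanning NSEC record (owner, next) that proves qname is absent,
    or None when the name exists and an ordinary answer should be returned."""
    q = canonical_key(qname)
    if any(canonical_key(o) == q for o in chain):
        return None
    for owner, nxt in chain.items():
        o, n = canonical_key(owner), canonical_key(nxt)
        wraps = n <= o   # last record: its interval wraps past the end of the zone
        if (o < q < n) or (wraps and (q > o or q < n)):
            return owner, nxt
    raise ValueError("NSEC chain is not a closed loop")


def walk_zone(chain, apex):
    """Zone enumeration by following 'next' pointers: the leak the slide attributes to NSEC."""
    names, cur = [], apex
    while True:
        names.append(cur)
        cur = chain[cur]
        if cur == apex:
            return names


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 hashed owner name: SHA-1 over the wire-format name with the salt
    appended, iterated, then base32 with the extended-hex alphabet (0-9, a-v)."""
    labels = [l for l in name.lower().split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    std, exthex = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV"
    return base64.b32encode(digest).decode().translate(str.maketrans(std, exthex)).lower()
```

An NSEC3 chain orders the hashed names instead, so a walker learns only hashes, which is why the salt and iteration count matter.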
DNS Rebinding Attack [DWF'96, R'01]
(figure; surviving caption text: "DNS-SEC cannot")

DNS Rebinding Defenses
Browser mitigation: DNS pinning
- Refuse to switch to a new IP
- Interacts poorly with proxies, VPN, dynamic DNS, ...
- Not consistently implemented in any browser
Server-side defenses
- Check the Host header for unrecognized domains
- Authenticate users with something other than IP
Firewall defenses
- External names can't resolve to internal addresses
- Protects browsers inside the organization

Mobile IPv6 Architecture
(figure: Mobile Node (MN), Home Agent (HA) and Corresponding Node (CN) over IPv6; direct connection between MN and CN via binding update)
- Authentication is a requirement
- Early proposals weak
Wireless Access Evolution
802.11 WEP (Wired Equivalent Privacy)
- Authentication: Open System (SSID) and Shared Key
- Authorization: some vendors use MAC address filtering
- Confidentiality/Integrity: completely insecure
WPA: Wi-Fi Protected Access
- Authentication: 802.1X
- Confidentiality/Integrity: TKIP
- Reuses legacy hardware, still problematic
IEEE 802.11i (ratified 2004): WPA2
- Mutual authentication
- Data confidentiality and integrity
- Key management
- Availability
- CCMP: AES-based authenticated encryption (integrity, confidentiality)

What Went Wrong With WEP
No key management
- Long-lived keys
- Fix: use 802.1X (standard for user and device authentication)
Crypto issues with the RC4 cipher stream
- Key size: 40-bit keys
- Initialization Vector too small: 24 bits
- Integrity Check Value based on CRC-32
- Authentication messages can be forged
802.11i Protocol
(figure: message flow between Supplicant, Authenticator and Authentication Server (RADIUS))
Phases, with the state of supplicant and authenticator at each:
- 802.11 Association: UnAuth/UnAssoc becomes Auth/Assoc; 802.1X port Blocked; No Key
- EAP/802.1X/RADIUS Authentication: supplicant and authentication server derive the MSK; PMK at supplicant and authenticator
- 4-Way Handshake: PTK/GTK derived; 802.1X port UnBlocked
- Group Key Handshake: new GTK
- Data Communication

Security Level Rollback Attack
(figure: supplicant and authenticator both have RSNA and Pre-RSNA enabled; bogus Pre-RSNA-only frames are injected next to the genuine ones)
Message sequence:
1. Bogus Beacon (Pre-RSNA only), next to the genuine Beacon + AA RSN IE
2. Probe Request
3. Bogus Probe Response (Pre-RSNA only), next to the genuine Probe Response + AA RSN IE
4. 802.11 Authentication Request / Response
5. Bogus Association Request (Pre-RSNA only), next to the genuine Association Request + SPA RSN IE
6. 802.11 Association Response
Result: Pre-RSNA connections

802.11i: Availability
- Not an original design objective
- Physical layer DoS attack: inevitable but expensive and detectable
- Network and upper layer DoS attack: depends on protocols, not our focus
- Link layer DoS attack
  - Flooding attack: could be detected and located
  - Some known DoS attacks on 802.11 networks: DoS attack on the Michael countermeasure in TKIP; RSN IE poisoning/spoofing; 4-Way Handshake blocking

The 4-Way Handshake
(figure: after 802.11 Association and EAP/802.1X/RADIUS Authentication, the supplicant and authentication server hold the MSK, supplicant and authenticator hold the PMK, and the 802.1X port is still Blocked; the authenticator (AA) and supplicant (SPA) then exchange:)
1. AA to SPA: {AA, ANonce, sn, msg1, PMKID}
2. SPA to AA: {SPA, SNonce, SPA RSN IE, sn, msg2, MIC}
3. AA to SPA: {AA, ANonce, AA RSN IE, GTK, sn+1, msg3, MIC}
4. SPA to AA: {SPA, sn+1, msg4, MIC}
Both sides now hold the PTK/GTK and the 802.1X port is UnBlocked; the Group Key Handshake and Data Communication follow.

Error recovery issues
(figure: Simple Flow / Complex Flow)

Summary of 802.11i Design Issues (attack: solutions)
- Security rollback: supplicant manually chooses security; authenticator restricts pre-RSNA to only insensitive data.
- Reflection attack: each participant plays the role of either authenticator or supplicant; if both, use different PMKs.
- Attack on Michael countermeasures: cease connections for a specific time instead of re-keying and deauthentication; update the TSC before the MIC and after FCS and ICV are validated.
- RSN IE poisoning: authenticate Beacon and Probe Response frames; confirm the RSN IE at an earlier stage; relax the condition of RSN IE confirmation.
- 4-way handshake blocking: adopt a random-drop queue (not so effective); authenticate Message 1 (packet format modified); re-use the supplicant nonce to eliminate memory DoS.
Announcements
- Project 2 out today
  - Due in two parts over the next two weeks
- Discussion section Friday
  - Will cover background for the project

Perimeter and Internal Defenses
Commonly deployed defenses
- Perimeter defenses: firewall, IDS (rest of this lecture)
  - Protect local area network and hosts
  - Keep external threats from the internal network
- Internal defenses: virus scanning
  - Protect hosts from threats that get through the perimeter defenses
- Extend the "perimeter": VPN
Common practices, but could be improved
- Internal threats are significant
  - Unhappy employees
  - Compromised hosts

Basic Firewall Concept
- Separate local area net from the Internet
(figure: Local network, Router/Firewall, Internet)
- All packets between LAN and Internet are routed through the firewall

Packet Filtering
Uses transport-layer information only
- IP source address, destination address
- Protocol (TCP, UDP, ICMP, etc.)
- TCP or UDP source & destination ports
- TCP flags (SYN, ACK, FIN, RST, PSH, etc.)
- ICMP message type
Examples
- DNS uses port 53
  - Block incoming port 53 packets except from known trusted servers
Issues
- Stateful filtering
- Encapsulation: address translation, other complications
- Fragmentation

Source/Destination Address Forgery (figure)
More about networking: port numbering
TCP connection
- Server port uses a number less than 1024
- Client port uses a number between 1024 and 16383
Permanent assignment
- Ports <1024 are assigned permanently
  - 20, 21 for FTP; 23 for Telnet
  - 25 for server SMTP; 80 for HTTP
Variable use
- Ports >1024 must be available for the client to make a connection
- Limitation for stateless packet filtering
  - If the client wants port 2048, the firewall must allow incoming traffic to it
- Better: stateful filtering knows about outgoing requests
  - Only allow incoming traffic on a high port to a machine that has initiated an outgoing request on a low port

Filtering Example: Inbound SMTP
(figure)
- Can block an external request to an internal server based on port number

Filtering Example: Outbound SMTP
(figure)
- Known low port out, arbitrary high port in
- If the firewall blocks incoming port 1357 traffic, then the connection fails

Stateful or Dynamic Packet Filtering (figure)

Stateful filtering example: Telnet
(figure: Telnet client on port 1234, Telnet server on port 23)
- Client opens a channel to the server; tells the server its port number ("PORT 1234")
- Server acknowledges ("ACK")
- The ACK bit is not set while establishing the connection but will be set on the remaining packets
- Stateful filtering can use this pattern to identify legitimate sessions

Stateful filtering example: FTP
(figure: FTP client ports 5150 (command) and 5151 (data); FTP server ports 21 (command) and 20 (data))
- Client opens a command channel to the server (5150 to 21); tells the server its second port number ("PORT 5151")
- Server acknowledges ("OK")
- Server opens a data channel to the client's second port (20 to 5151)
- Client acknowledges (TCP ACK)
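The stateless-versus-stateful contrast from the port-numbering and SMTP/Telnet slides, as an added example (my code, not the lecture's): a stateless rule set must open every high port inbound so that replies can reach clients, while a connection-tracking filter admits an inbound packet on a high port only when the inside host opened that session. Addresses, ports and the "published services" set are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Only the header fields a packet filter looks at (constructed model)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


INTERNAL = "10.0.0."   # assumption: the LAN behind the firewall is 10.0.0.0/24


def is_internal(ip):
    return ip.startswith(INTERNAL)


def stateless_filter(p, open_ports=frozenset({25})):
    """Stateless rules as on the slide: inbound allowed to published low ports and
    to every high port, since some client might be waiting for a reply there."""
    if is_internal(p.src_ip):
        return "ALLOW"
    return "ALLOW" if p.dst_port in open_ports or p.dst_port > 1023 else "DROP"


class StatefulFilter:
    """Tracks connections the inside opened and admits only their replies."""

    def __init__(self, open_ports=frozenset({25})):
        self.open_ports = set(open_ports)
        self.sessions = set()   # (client_ip, client_port, server_ip, server_port)

    def filter(self, p):
        if is_internal(p.src_ip):
            if p.syn and not p.ack:   # outbound initial SYN: remember the 4-tuple
                self.sessions.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return "ALLOW"
        # Inbound reply to a session the inside started, on whatever high port it chose.
        if p.ack and (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.sessions:
            return "ALLOW"
        # Otherwise only unsolicited connections to published services (SMTP on 25).
        if p.syn and not p.ack and p.dst_port in self.open_ports:
            return "ALLOW"
        return "DROP"


def demo():
    """Constructed traffic: outbound SMTP from client port 1357 (as on the slide) plus
    an unsolicited inbound SYN to high port 2048. Returns (stateless, stateful) verdicts."""
    fw = StatefulFilter()
    out_syn = Packet("10.0.0.5", 1357, "203.0.113.9", 25, syn=True)
    reply = Packet("203.0.113.9", 25, "10.0.0.5", 1357, syn=True, ack=True)
    probe = Packet("198.51.100.7", 4444, "10.0.0.5", 2048, syn=True)
    fw.filter(out_syn)   # creates the session entry the reply will match
    return {"reply": (stateless_filter(reply), fw.filter(reply)),
            "probe": (stateless_filter(probe), fw.filter(probe))}
```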
Complication for firewalls: Normal IP Fragmentation
(figure)
- Flags and offset inside the IP header indicate packet fragmentation

Abnormal Fragmentation
(figure)
- Low offset allows the second packet to overwrite the TCP header at the receiving host

Packet Fragmentation Attack
Firewall configuration
- TCP port 23 is blocked but SMTP port 25 is allowed
First packet
- Fragmentation Offset = 0
- DF bit = 0: "May Fragment"
- MF bit = 1: "More Fragments"
- Destination Port = 25. TCP port 25 is allowed, so the firewall allows the packet
Second packet
- Fragmentation Offset = 1: second packet overwrites all but the first 8 bits of the first packet
- DF bit = 0: "May Fragment"
- MF bit = 0: "Last Fragment"
- Destination Port = 23. Would normally be blocked, but sneaks by!
What happens
- Firewall ignores the second packet's "TCP header" because it is a fragment of the first
- At the host, the packet is reassembled and received at port 23
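A defender-side check for the overlap just described, added here as an example that is not from the slides: in the spirit of RFC 1858 it flags a first fragment too short to hold a full TCP header and any later fragment whose byte range overlaps data an earlier fragment already delivered. The fragments are constructed; note that the IP Fragment Offset field counts 8-byte units, so an offset-1 fragment starts at byte 8 of the transport header and can rewrite the sequence numbers, flags and checksum, while the port fields in bytes 0-3 come from the first fragment.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP Identification: shared by all fragments of one datagram
    offset: int     # IP Fragment Offset field, counted in 8-byte units
    more: bool      # MF ("More Fragments") flag
    payload: bytes  # the slice of transport-layer data this fragment carries


def tcp_header(src_port, dst_port, flags=0x02):
    """Minimal 20-byte TCP header (constructed); only ports and flags matter here."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 8192, 0, 0)


def audit_fragments(fragments, min_first=20):
    """Report a tiny first fragment and any overlap with bytes already delivered.
    An empty list means the datagram's fragmentation looks sane."""
    findings, seen = [], []
    for f in sorted(fragments, key=lambda f: f.offset):
        start, end = f.offset * 8, f.offset * 8 + len(f.payload)
        if f.offset == 0 and f.more and len(f.payload) < min_first:
            findings.append("tiny first fragment: %d bytes" % len(f.payload))
        for s, e in seen:
            if start < e and s < end:
                findings.append("offset %d overlaps bytes %d-%d" % (f.offset, max(start, s), min(end, e)))
        seen.append((start, end))
    return findings


def reassemble(fragments):
    """Naive host reassembly in arrival order: later data overwrites earlier data."""
    buf = bytearray()
    for f in fragments:
        start = f.offset * 8
        if start + len(f.payload) > len(buf):
            buf.extend(b"\x00" * (start + len(f.payload) - len(buf)))
        buf[start:start + len(f.payload)] = f.payload
    return bytes(buf)


# Constructed datagram following the slide: the first fragment carries a header the
# firewall accepts; the second, at offset 1 (byte 8), rewrites the rest of that header.
ATTACK = [
    Fragment(0x1234, 0, True, tcp_header(40000, 25, flags=0x10)),
    Fragment(0x1234, 1, False, tcp_header(40000, 23)[8:]),
]
# Ordinary fragmentation of a 1600-byte segment for a 1500-byte MTU: no overlap.
BENIGN = [
    Fragment(0x5678, 0, True, tcp_header(40000, 25) + b"A" * 1460),   # 1480 bytes = 185 * 8
    Fragment(0x5678, 185, False, b"A" * 120),
]
```

A filter that drops any datagram with findings (or any first fragment shorter than the full transport header) closes the gap the slide describes.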
Beyond packet filtering: Proxying Firewall
Application-level proxies
- Tailored to HTTP, FTP, SMTP, etc.
- Some protocols are easier to proxy than others
Policy embedded in proxy programs
- Proxies filter incoming and outgoing packets
- Reconstruct application-layer messages
- Can filter specific application-layer commands, etc.
  - Example: only allow specific FTP commands
  - Other examples: ?
Several network locations: see next slides

Firewall with application proxies
(figure: Telnet proxy / Telnet daemon, FTP proxy / FTP daemon, SMTP proxy / SMTP daemon, behind a Network Connection Daemon)
- The daemon spawns a proxy when communication is detected

Screened Host Architecture (figure)

Screened Subnet Using Two Routers (figure)

Dual Homed Host Architecture (figure)

Application-level proxies
Enforce policy for specific protocols
- E.g., virus scanning for SMTP
  - Need to understand MIME, encoding, Zip archives
- Flexible approach, but may introduce network delays
"Batch" protocols are natural to proxy
- SMTP (E-Mail)
- NNTP (Net news)
- DNS (Domain Name System)
- NTP (Network Time Protocol)
Must protect the host running the protocol stack
- Disable all non-required services; keep it simple
- Install/modify the services you want
- Run a security audit to establish a baseline
- Be prepared for the system to be compromised
Traffic Shaping
Traditional firewall
- Allow traffic or not
Traffic shaping
- Limit certain kinds of traffic
- Can differentiate by host address, protocol, etc.
- Multi-Protocol Label Switching (MPLS)
  - Label traffic flows at the edge of the network and let core routers identify the required class of service
The real issue here on campus:
- P2P file sharing takes a lot of bandwidth
- 1/3 of network bandwidth consumed by BitTorrent
  - Students: what are BitTorrent, Gnutella, Kazaa, ... used for?

Stanford computer use (figure)

PacketShaper Controls
A partition:
- Creates a virtual pipe within a link for each traffic class
- Provides a min, max bandwidth
- Enables efficient bandwidth use
Rate shaping:
- P2P capped at 300 kbps
- HTTP/SSL shaped to give better performance

PacketShaper report: HTTP
(figure: normalized network response times for an outside web server and an inside web server, with no shaping versus shaping)
Host and network intrusion detection
Intrusion prevention
- Network firewall: restrict the flow of packets
- System security: find buffer overflow vulnerabilities and remove them!
Intrusion detection
- Discover system modifications: Tripwire
- Look for an attack in progress
  - Network traffic patterns
  - System calls, other system events

Tripwire
Outline of a standard attack
- Gain user access to the system
- Gain root access
- Replace system binaries to set up a backdoor
- Use the backdoor for future activities
Tripwire detection point: system binaries
- Compute a hash of key system binaries
- Compare the current hash to the hash stored earlier
- Report a problem if the hash is different
- Store reference hash codes on a read-only medium

Is Tripwire too late?
Typical attack on a server
- Gain access
- Install a backdoor
  - This can be in memory, not on disk!!
- Use it
Tripwire
- Is a good idea
- Won't catch attacks that don't change system files
- Detects a compromise that has happened
Remember: defense in depth

Detect modified binary in memory?
- Can use system-call monitoring techniques
- For example [Wagner, Dean IEEE S&P '01]
  - Build an automaton of expected system calls
    - Can be done automatically from source code
  - Monitor system calls from each program
  - Catch violations
- Results so far: lots better than not using source code!
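The Tripwire procedure from the two slides above, as an added example that is not the lecture's or Tripwire's own code: build a SHA-256 baseline of watched binaries, save it read-only, then compare the live files against it. The demo constructs three fake binaries in a temporary directory, replaces one with a same-size file (the size-preserving trick the rootkit slides later describe) and deletes another.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Reference digest for each watched binary."""
    return {p: file_digest(p) for p in paths}


def save_baseline(base, out_path):
    """Write the baseline and make it read-only (real deployments use read-only media)."""
    with open(out_path, "w") as f:
        json.dump(base, f, indent=1, sort_keys=True)
    os.chmod(out_path, 0o444)


def check(base):
    """Compare live files to the baseline; return (path, reason) for each deviation."""
    problems = []
    for p, ref in base.items():
        if not os.path.exists(p):
            problems.append((p, "missing"))
        elif file_digest(p) != ref:
            # A cryptographic hash catches a same-size replacement that a plain
            # size or weak checksum comparison would miss.
            problems.append((p, "content changed"))
    return problems


def demo():
    """Constructed scenario: baseline three fake binaries, then replace 'ps' with a
    same-size file and delete 'du'. Returns the findings by base name."""
    d = tempfile.mkdtemp()
    bins = {name: os.path.join(d, name) for name in ("ls", "ps", "du")}
    for name, path in bins.items():
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\necho " + name.encode() + b"\n")
    baseline_file = os.path.join(d, "baseline.json")
    save_baseline(build_baseline(bins.values()), baseline_file)
    with open(bins["ps"], "wb") as f:
        f.write(b"#!/bin/sh\necho PS\n")   # same length, different content
    os.remove(bins["du"])
    with open(baseline_file) as f:
        base = json.load(f)
    return sorted((os.path.basename(p), why) for p, why in check(base))
```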
Example code and automaton
Code from the slide, completed with the headers and a main() it needs so that it compiles:

    #include <fcntl.h>
    #include <stdlib.h>
    #include <unistd.h>

    void f(int x) {
        /* one of two system calls, chosen by the argument */
        x ? getuid() : geteuid();
        x++;
    }

    void g(void) {
        int fd = open("foo", O_RDONLY);
        f(0);
        close(fd);
        f(1);
        exit(0);
    }

    int main(void) {
        g();
        return 0;
    }

Automaton of expected system calls (states Entry(g), Exit(g), Entry(f), Exit(f); transitions labelled by calls):
Entry(g) -> open() -> Entry(f) -> getuid() or geteuid() -> Exit(f) -> close() -> Entry(f) -> getuid() or geteuid() -> Exit(f) -> exit() -> Exit(g)
If the code's behavior is inconsistent with the automaton, something is wrong.
General intrusion detection
(http://www.snort.org/)
Many intrusion detection systems
- Close to 100 systems with current web pages
- Network-based, host-based, or a combination
Two basic models
- Misuse detection model
  - Maintain data on known attacks
  - Look for activity with corresponding signatures
- Anomaly detection model
  - Try to figure out what is "normal"
  - Report anomalous behavior
Fundamental problem: too many false alarms

Misuse example: rootkit
Rootkit sniffs the network for passwords
- Collection of programs that allow an attacker to install and operate a packet sniffer (on Unix machines)
- Emerged in 1994, has evolved since then
- 1994 estimate: 100,000 systems compromised
Rootkit attack
- Use a stolen password or dictionary attack to get user access
- Get root access using vulnerabilities in rdist, sendmail, /bin/mail, loadmodule, rpc.ypupdated, lpr, or passwd
- FTP Rootkit to the host; unpack, compile, and install it
- Collect more username/password pairs and move on

Rootkit covers its tracks
Modifies netstat, ps, ls, du, ifconfig, login
- Modified binaries hide new files used by the rootkit
- Modified login allows the attacker to return for passwords
Rootkit fools a simple Tripwire checksum
- Modified binaries have the same checksum
- But a better hash would be able to detect the rootkit

Detecting rootkit on a system
Sad way to find out
- Disk is full of sniffer logs
Manual confirmation
- Reinstall a clean ps and see what processes are running
Automatic detection
- Rootkit does not alter the data structures normally used by netstat, ps, ls, du, ifconfig
- Host-based intrusion detection can find rootkit files
  - As long as an updated version of Rootkit does not disable your intrusion detection system ...

Misuse example: port sweep
Attacks can be OS specific
- Bugs in specific implementations
- Oversights in default configuration
Attacker sweeps the net to find vulnerabilities
- Port sweep tries many ports on many IP addresses
- If characteristic behavior is detected, mount the attack
  - SGI IRIX responds on the TCPMUX port (TCP port 1)
  - If a machine responds, SGI IRIX vulnerabilities can be tested and used to break in
Port sweep activity can be detected

Anomaly Detection
Basic idea
- Monitor network traffic, system calls
- Compute statistical properties
- Report errors if statistics are outside the established range
Example: IDES (Denning, SRI)
- For each user, store a daily count of certain activities
  - E.g., fraction of hours spent reading email
- Maintain a list of counts for several days
- Report an anomaly if a count is outside the weighted norm
Big problem: the most unpredictable user is the most important
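The port-sweep signature from the misuse slide, as an added detection example (my code, not Snort's or the lecture's): connection-attempt records are parsed from a constructed log and one source is alerted on when, within a time window, it touches many hosts on the same port (a host sweep, here TCPMUX port 1) or many ports on one host. The log format and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed connection log: one source probing TCPMUX (port 1) across hosts,
# and an ordinary client talking to a couple of web servers.
LOG = """\
2009-04-21T10:00:00 198.51.100.7 -> 10.0.0.1:1 SYN
2009-04-21T10:00:00 198.51.100.7 -> 10.0.0.2:1 SYN
2009-04-21T10:00:01 198.51.100.7 -> 10.0.0.3:1 SYN
2009-04-21T10:00:01 198.51.100.7 -> 10.0.0.4:1 SYN
2009-04-21T10:00:02 198.51.100.7 -> 10.0.0.5:1 SYN
2009-04-21T10:00:02 198.51.100.7 -> 10.0.0.6:1 SYN
2009-04-21T10:00:03 203.0.113.9 -> 10.0.0.10:80 SYN
2009-04-21T10:00:05 203.0.113.9 -> 10.0.0.10:443 SYN
2009-04-21T10:00:09 203.0.113.9 -> 10.0.0.11:80 SYN
"""
LINE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) SYN$")


def parse(log):
    """(time, src, dst, port) tuples; lines that do not match are ignored."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return events


def detect_sweeps(events, window_s=60, min_hosts=5, min_ports=10):
    """Alert when one source contacts >= min_hosts distinct hosts on one port (host sweep)
    or >= min_ports distinct ports on one host (port scan) within window_s seconds.
    Thresholds are assumed values; returns one alert per (source, kind, target)."""
    recent = defaultdict(deque)   # src -> recent (time, dst, port) within the window
    alerts = set()
    for t, src, dst, port in sorted(events):
        q = recent[src]
        q.append((t, dst, port))
        while (t - q[0][0]).total_seconds() > window_s:
            q.popleft()
        hosts_by_port, ports_by_host = defaultdict(set), defaultdict(set)
        for _, d, p in q:
            hosts_by_port[p].add(d)
            ports_by_host[d].add(p)
        for p, hosts in hosts_by_port.items():
            if len(hosts) >= min_hosts:
                alerts.add((src, "host sweep", "port %d" % p))
        for d, ports in ports_by_host.items():
            if len(ports) >= min_ports:
                alerts.add((src, "port scan", d))
    return sorted(alerts)
```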
Anomaly: system call sequences [Hofmeyr, Somayaji, Forrest]
Build traces during a normal run of the program
- Example program behavior (system calls): open read write open mmap write fchmod close
- Sample traces stored in a file (4-call sequences)
- Report an anomaly if the following sequence is observed: open read open mmap write fchmod close
- Compute the number of mismatches to get the mismatch rate

Difficulties in intrusion detection
Lack of training data
- Lots of "normal" network and system call data
- Little data containing realistic attacks, anomalies
Data drift
- Statistical methods detect changes in behavior
- An attacker can attack gradually and incrementally
Main characteristics not well understood
- By many measures, an attack may be within the bounds of the "normal" range of activities
False identifications are very costly
- Sysadmins spend many hours examining the evidence
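The sequence-matching method from the slide above, as an added example that is not the authors' code: the normal trace is cut into sliding 4-call windows, an observed trace is scored by the fraction of its windows absent from that profile, and, as in the Hofmeyr, Somayaji and Forrest paper, the maximum number of mismatches within a locality frame is also computed. The traces are the slide's; the anomaly threshold and frame size are assumed values.

```python
def windows(trace, k=4):
    """All k-call sliding windows of a trace, in order."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_profile(normal_traces, k=4):
    """Database of k-call sequences seen during normal runs (the 'sample traces')."""
    profile = set()
    for t in normal_traces:
        profile.update(windows(t, k))
    return profile


def mismatches(profile, trace, k=4):
    """Windows of the observed trace that never occurred in the profile."""
    return [w for w in windows(trace, k) if w not in profile]


def mismatch_rate(profile, trace, k=4):
    ws = windows(trace, k)
    return len(mismatches(profile, trace, k)) / len(ws) if ws else 0.0


def max_locality_frame_count(profile, trace, k=4, frame=20):
    """Largest number of mismatches inside any run of `frame` consecutive windows;
    bursts of mismatches are a stronger signal than the same count spread out."""
    flags = [0 if w in profile else 1 for w in windows(trace, k)]
    if not flags:
        return 0
    frame = min(frame, len(flags))
    return max(sum(flags[i:i + frame]) for i in range(len(flags) - frame + 1))


def is_anomalous(profile, trace, k=4, threshold=0.2):
    """Flag a trace whose mismatch rate exceeds the (assumed) threshold."""
    return mismatch_rate(profile, trace, k) > threshold


# Traces from the slide: one normal run, and the sequence to be reported.
NORMAL = ["open read write open mmap write fchmod close".split()]
SUSPECT = "open read open mmap write fchmod close".split()
```

With the slide's traces, two of the four windows in SUSPECT are new ("open read open mmap" and "read open mmap write"), a mismatch rate of 0.5.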
Strategic Intrusion Assessment [Lunt]
(figure: reporting hierarchy)
- National Reporting Centers
- Regional Reporting Centers (CERTs), DoD Reporting Centers, International/Allied Reporting Center
- Organizational Security Centers
- Local Intrusion Detectors
Source: www.blackhat.com/presentations/bh-usa-99/teresa-lunt/tutorial.ppt

Strategic Intrusion Assessment [Lunt]
Test over a two-week period
- AFIWC's intrusion detectors at 100 AFBs alarmed on 2 million sessions
- Manual review identified 12,000 suspicious events
- Further manual review => four actual incidents
Conclusion
- Most alarms are false positives
- Most true positives are trivial incidents
- Of the significant incidents, most are isolated attacks to be dealt with locally

Summary
Network protocol security
- IPSEC
- BGP instability and S-BGP
- DNSSEC, DNS rebinding
- Wireless security: 802.11i/WPA2
Standard network perimeter defenses
- Firewall
  - Packet filter (stateless, stateful), application layer proxies
- Traffic shaping
- Intrusion detection
  - Anomaly and misuse detection