Network Security I: Overview
April 13, 2015
Lecture by: Kevin Chen
Slides credit: Vern Paxson, Dawn Song

Network Security
Today's Lecture
• Networking overview + security issues
Keep in mind, networking is:
• Complex topic with many facets
– We will omit concepts/details that are not very security-relevant
– We'll mainly look at IP, TCP, DNS and DHCP
• Networking is full of abstractions
– Goal is for you to develop apt mental models / analogies
– ASK questions when things are unclear
o (but we may skip if not ultimately relevant for security, or postpone if question itself is directly about security)

Networking Overview
Key Concept #1: Protocols
• A protocol is an agreement on how to communicate
• Includes syntax and semantics
– How a communication is specified & structured
o Format, order messages are sent and received
– What a communication means
o Actions taken when transmitting, receiving, or timer expires
• E.g.: asking a question in lecture?
1. Raise your hand.
2. Wait to be called on.
3. Or: wait for speaker to pause and vocalize
4. If unrecognized (after timeout): vocalize w/ "excuse me"
Example: IP Packet Header (IP = Internet Protocol)
[Header layout, one row per 32-bit word]
4-bit Version | 4-bit Header Length | 8-bit Type of Service (TOS) | 16-bit Total Length (Bytes)
16-bit Identification | 3-bit Flags | 13-bit Fragment Offset
8-bit Time to Live (TTL) | 8-bit Protocol | 16-bit Header Checksum
32-bit Source IP Address
32-bit Destination IP Address
Payload
Header is like a letter envelope: contains all info needed for delivery
Key Concept #2: Dumb Network
• Original Internet design: interior nodes ("routers") have no knowledge* of ongoing connections going through them
• Not: how you picture the telephone system works
– Which internally tracks all of the active voice calls
• Instead: the postal system!
– Each Internet message ("packet") self-contained
– Interior "routers" look at destination address to forward
– If you want smarts, build it "end-to-end"
– Buys simplicity & robustness at the cost of shifting complexity into end systems
* Today's Internet is full of hacks that violate this
Key Concept #3: Layering
• Internet design is strongly partitioned into layers
– Each layer relies on services provided by next layer below …
– … and provides services to layer above it
• Analogy: consider structure of an application you've written and the "services" each layer relies on / provides:
Code You Write
Run-Time Library
System Calls
Device Drivers
Voltage Levels    } Fully isolated from user programs
Magnetic Domains  }
Internet Layering ("Protocol Stack")
7 Application     } Implemented only at hosts, not at interior routers ("dumb network")
4 Transport       }
3 (Inter)Network  } Implemented everywhere; ~same for each Internet "hop"
2 Link            } Implemented everywhere; different for each Internet "hop"
1 Physical        }
Hop-By-Hop vs. End-to-End Layers
Host A communicates with Host D
[Figure: Hosts A, B, C, D, E attached to a mesh of Routers 1–7; the path from Host A to Host D crosses several routers]
• Different Physical & Link Layers (Layers 1 & 2) on each hop: e.g., Ethernet on one link, Wi-Fi on another
• Same Network / Transport / Application Layers (3/4/7) end-to-end: e.g., HTTP over TCP over IP
• (Routers ignore Transport & Application layers)
Security Issues

Review: General Security Goals: CIA
• Confidentiality: No one can read our data / communication unless we want them to
• Integrity: No one can manipulate our data / processing / communication unless we want them to
• Availability: We can access our data / conduct our processing / use our communication capabilities when we want to
• Also: no additional traffic other than ours ...

Layer 1, 2
Layer 1: Physical Layer
Encoding bits to send them over a single physical link
e.g. patterns of voltage levels / photon intensities / RF modulation

Layer 2: Link Layer
Framing and transmission of a collection of bits into individual messages sent across a single "subnetwork" (one physical technology)
Might involve multiple physical links (e.g., modern Ethernet)
Often technology supports broadcast transmission (every "node" connected to subnet receives)

Layer 1,2 Threats
Physical/Link-Layer Threats: Eavesdropping
• For subnets using broadcast technologies (e.g., WiFi, some types of Ethernet), get it for "free"
– Each attached system's NIC (= Network Interface Card) can capture any communication on the subnet
– Some handy tools for doing so
o Wireshark (GUI for displaying 800+ protocols)
o tcpdump / windump (low-level ASCII printout)
• For any technology, routers (and internal "switches") can look at / export traffic they forward
• You can also "tap" a link
– Insert a device to mirror physical signal
– Or: just steal it!

Stealing Photons
[Image slide]
Physical/Link-Layer Threats: Disruption
• With physical access to a subnetwork, attacker can
– Overwhelm its signaling
o E.g., jam WiFi's RF
– Send messages that violate the Layer-2 protocol's rules
o E.g., send messages > maximum allowed size, sever timing synchronization, ignore fairness rules
• Routers & switches can simply "drop" traffic
• There's also the heavy-handed approach …
[Image slide]
Physical/Link-Layer Threats: Spoofing
• With physical access to a subnetwork, attacker can create any message they like
– Termed spoofing
• May require root/administrator access to have full freedom
• Particularly powerful when combined with eavesdropping
– Because attacker can understand exact state of victim's communication and craft their spoofed traffic to match it
– Spoofing w/o eavesdropping = blind spoofing

Layer 3: The Network Layer
Layer 3: (Inter)Network Layer
Bridges multiple "subnets" to provide end-to-end internet connectivity between nodes
• Provides global addressing
• Works across different link technologies
IP Packet Structure
[Header layout, one row per 32-bit word]
4-bit Version | 4-bit Header Length | 8-bit Type of Service (TOS) | 16-bit Total Length (Bytes)
16-bit Identification | 3-bit Flags | 13-bit Fragment Offset
8-bit Time to Live (TTL) | 8-bit Protocol | 16-bit Header Checksum
32-bit Source IP Address
32-bit Destination IP Address
Options (if any)
Payload
IP Packet Header Fields
• Version number (4 bits)
– Indicates the version of the IP protocol
– Necessary to know what other fields to expect
– Typically "4" (for IPv4), and sometimes "6" (for IPv6)
• Header length (4 bits)
– Number of 32-bit words in the header
– Typically "5" (for a 20-byte IPv4 header)
– Can be more when IP options are used
• Type-of-Service (8 bits)
– Allow packets to be treated differently based on needs
– E.g., low delay for audio, high bandwidth for bulk transfer
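As an added worked example (not from the lecture slides), the following Python decodes the IPv4 header fields laid out above, validates the version and header-length fields before trusting the rest, and verifies the RFC 791 header checksum; the sample packet and the helper that builds it are constructed here for illustration.

```python
import struct
from ipaddress import IPv4Address

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement of the one's-complement sum
    of all 16-bit words. Over a header with a correct checksum it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the 20-byte fixed IPv4 header (plus any options) from the slides."""
    if len(packet) < 20:
        raise ValueError("truncated: IPv4 header needs at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = ver_ihl >> 4                   # high nibble: version
    ihl = ver_ihl & 0x0F                     # low nibble: header length in 32-bit words
    hdr_len = ihl * 4
    if version != 4:
        raise ValueError("not IPv4: version field = %d" % version)
    if ihl < 5 or hdr_len > len(packet):     # 5 words = 20 bytes is the minimum
        raise ValueError("bad header length: %d words" % ihl)
    return {
        "version": version, "header_len": hdr_len, "tos": tos,
        "total_len": total_len, "identification": ident,
        "flags": flags_frag >> 13,           # 3-bit flags (bit 1 = DF, bit 0 = MF)
        "frag_offset": flags_frag & 0x1FFF,  # 13-bit fragment offset
        "ttl": ttl, "protocol": proto,
        "checksum_ok": ipv4_checksum(packet[:hdr_len]) == 0,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "options": packet[20:hdr_len],
    }

def build_ipv4_header(src, dst, proto=6, payload_len=0, ttl=64, ident=0x1234):
    """Constructed helper: a 20-byte header (DF set, no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

# Constructed sample: a TCP (protocol 6) packet from 10.0.0.1 to 192.0.2.7 carrying 4 bytes.
SAMPLE = build_ipv4_header("10.0.0.1", "192.0.2.7", payload_len=4) + b"DATA"
```

Decrementing the TTL (as every router does) without recomputing the checksum makes `checksum_ok` false, which is why routers must rewrite the checksum at each hop.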