Other defenses / Threat model (beyond TLS) - PowerPoint PPT Presentation


  1. Other defenses

  2. Threat model (beyond TLS)
  • TLS = confidentiality, integrity, authenticity of the bytes on one connection
  • Metadata leaks: who talks to whom, when, and how much is still visible
  • Resource starvation: an attacker can still deny service by consuming resources

  3. Topic
  • Virtual Private Networks (VPNs)
  • Run as closed networks on the Internet
  • Use IPSEC to secure messages
  Introduction to Computer Networks 61

  4. Motivation
  • The best part of IP connectivity: you can send to any other host
  • The worst part of IP connectivity: any host can send packets to you!
  • There’s nasty stuff out there …

  5. Motivation (2)
  • Often desirable to separate a network from the Internet, e.g., a company
  • Private network with leased lines
  • Physically separated from the Internet
  [Figure: Sites A, B and C joined by leased lines; “No way in!”]

  6. Motivation (3)
  • Idea: use the public Internet instead of leased lines – cheaper!
  • Logically separated from the Internet …
  • This is a Virtual Private Network (VPN)
  [Figure: Sites A, B and C joined by virtual links across the Internet; “Maybe …”]

  7. Goal and Threat Model
  • Goal is to keep a logical network (VPN) separate from the Internet while using it for connectivity
  • Threat is Trudy may access the VPN and intercept or tamper with messages

  8. Tunneling
  • How can we build a virtual link? With tunneling!
  • Hosts in the private network send to each other normally
  • To cross the virtual link (tunnel), the endpoints encapsulate the packet
  [Figure: Private Network A – tunnel endpoint – virtual link or tunnel across the Public Internet – tunnel endpoint – Private Network B]

  9. Tunneling (2)
  • Tunnel endpoints encapsulate IP packets (“IP in IP”)
  • Add/modify the outer IP header for delivery to the other endpoint
  [Figure: protocol stacks along the path. Hosts in A and B run App/TCP/IP over 802.11 or Ethernet; the tunnel endpoints add an outer IP header; the many routers in the public Internet forward on the outer header only]

  10. Tunneling (3)
  • Simplest encapsulation wraps the packet with another IP header
  • Outer (tunnel) IP header has the tunnel endpoints as source/destination
  • Inner packet has private network IP addresses as source/destination
  [Figure: Outer (tunnel) IP header | inner packet (IP | TCP | HTTP)]

  11. Tunneling (4)
  • Tunneling alone is not secure …
  • No confidentiality, integrity or authenticity: the inner packet crosses the Internet in the clear
  • Trudy can read the traffic, alter it, and inject her own messages (any host can send an encapsulated packet to a tunnel endpoint)
  • We require cryptographic protections!
  • IPSEC (IP Security) is often used to secure VPN tunnels

  12. IPSEC (IP Security)
  • Longstanding effort to secure the IP layer
  • Adds confidentiality, integrity/authenticity
  • IPSEC operation:
  • Keys are set up for communicating host pairs (security associations, normally negotiated with IKE)
  • Communication becomes more connection-oriented (state per pair: keys, SPI, sequence numbers for replay protection)
  • Header and trailer added to protect IP packets (ESP; AH provides integrity/authenticity only)
  [Figure: Tunnel Mode – the whole original IP packet is wrapped between a new outer IP header plus ESP header and an ESP trailer]
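The encapsulation of slides 9-10, the tampering problem of slide 11 and the protection of slide 12 in working code. This is an added example and not code from the slides: the IPv4 headers and the IP-in-IP protocol number are real wire format, but the authentication layer (`TunnelSA`, protocol number 253, the `spi | seq | inner | icv` layout) is a constructed stand-in for what IPsec ESP/AH provide, not the real IPsec format. It uses only the standard library, so the confidentiality half (ESP encryption) is omitted and only integrity, authenticity and replay rejection are shown. The addresses, key and sample packet are constructed.

```python
# Added example (not from the slides): IP-in-IP tunnelling with real IPv4
# headers, plus a simplified integrity/anti-replay layer standing in for IPsec.
# The auth layer is NOT the real AH/ESP wire format; see the lead-in.
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_IPIP = 4      # real IANA value: "an IP packet follows"
IPPROTO_TCP = 6
PROTO_TOY_AUTH = 253  # IANA experimental number, assumed for the toy auth layer
ICV_LEN = 16          # HMAC-SHA256 truncated to 128 bits, as IPsec's HMAC-SHA-256-128 does

def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): ones'-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options, no fragmentation) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); a corrupted header is rejected."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = pkt[:ihl]
    if checksum(hdr) != 0:  # a header carrying a valid checksum sums to zero
        raise ValueError("bad IP header checksum")
    total_len = struct.unpack("!H", hdr[2:4])[0]
    src, dst = (str(ipaddress.IPv4Address(hdr[i:i + 4])) for i in (12, 16))
    return src, dst, hdr[9], pkt[ihl:total_len]

def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Slide 10: wrap the private packet in an outer header addressed endpoint to endpoint."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)

def decapsulate(outer: bytes) -> bytes:
    """Strip the outer header.  Nothing here checks who built the inner packet."""
    _, _, proto, inner = parse_ipv4(outer)
    if proto != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    return inner

class TunnelSA:
    """One simplified security association.  Outer payload: spi(4) | seq(4) | inner | icv(16)."""

    def __init__(self, spi: int, key: bytes, local: str, peer: str):
        self.spi, self.key, self.local, self.peer = spi, key, local, peer
        self.send_seq = 0   # sender side
        self.last_seen = 0  # receiver side; a real implementation keeps a sliding window

    def _icv(self, body: bytes) -> bytes:
        return hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]

    def protect(self, inner: bytes) -> bytes:
        self.send_seq += 1
        body = struct.pack("!II", self.spi, self.send_seq) + inner
        return build_ipv4(self.local, self.peer, PROTO_TOY_AUTH, body + self._icv(body))

    def unprotect(self, outer: bytes) -> bytes:
        """Drop unless the ICV verifies, the SPI matches and the sequence number is fresh."""
        _, _, proto, payload = parse_ipv4(outer)
        if proto != PROTO_TOY_AUTH:
            raise ValueError("unexpected protocol")
        body, icv = payload[:-ICV_LEN], payload[-ICV_LEN:]
        if not hmac.compare_digest(icv, self._icv(body)):
            raise ValueError("ICV mismatch: forged or tampered")
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if seq <= self.last_seen:
            raise ValueError("replayed packet")
        self.last_seen = seq
        return body[8:]

def trudy_flips_last_byte(pkt: bytes) -> bytes:
    """Slide 11: Trudy alters a packet in flight."""
    return pkt[:-1] + bytes([pkt[-1] ^ 0xFF])

# Constructed sample: a host in private network A talks to one in B through
# tunnel endpoints at documentation addresses, using a constructed shared key.
INNER = build_ipv4("10.0.1.5", "10.0.2.9", IPPROTO_TCP, b"GET / HTTP/1.0\r\n\r\n")
SITE_A, SITE_B = "198.51.100.1", "203.0.113.7"
KEY = b"constructed-shared-key"

def demo():
    """(plain tunnel accepts tampered inner, genuine accepted, tampered rejected, replay rejected)"""
    tampered_accepted = decapsulate(trudy_flips_last_byte(encapsulate(INNER, SITE_A, SITE_B))) != INNER
    tx, rx = TunnelSA(0x1001, KEY, SITE_A, SITE_B), TunnelSA(0x1001, KEY, SITE_A, SITE_B)
    wire = tx.protect(INNER)
    genuine = rx.unprotect(wire) == INNER
    rejected = []
    for bad in (trudy_flips_last_byte(wire), wire):  # tampered ICV, then a replay
        try:
            rx.unprotect(bad)
            rejected.append(False)
        except ValueError:
            rejected.append(True)
    return (tampered_accepted, genuine, *rejected)
```

`demo()` returns `(True, True, True, True)`: the plain IP-in-IP tunnel hands the tampered inner packet to the private network without complaint (the outer header checksum covers only the outer header), while the protected tunnel rejects both the modified packet and the replayed one. The sequence check here is strictly increasing; real IPsec uses a sliding window so that modest reordering in the Internet does not cause drops.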

  13. Takeaways
  • VPNs are useful for building networks on top of the Internet
  • Virtual links encapsulate packets
  • Alters IP connectivity for hosts
  • VPNs need crypto to secure messages
  • Typically IPSEC is used for confidentiality, integrity/authenticity

  14. Tor
  • “The Onion Router”
  • Basic idea:
  1. Many volunteers act as routers (relays) in the overlay
  2. The client chooses a circuit of routers that will carry its traffic
  3. Encrypt the packet in layers, one layer for each router in the circuit
  4. Send the packet
  5. Each router receives the packet, decrypts its own layer, and forwards based on the newly exposed next hop
  6. Routers maintain state about the circuit to route replies back to the sender
  • But again, each router only knows the hop before and the hop after it: the entry router sees the client, the exit router sees the destination, and no single router sees both
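The layering and peeling described in steps 3 to 5, as an added example that is not part of the slides or of Tor's own code. The onion construction and the relay's view are the real idea; the cipher is a constructed HMAC-SHA256 keystream (the standard library has no AES), the per-hop keys are assumed to have been established already (Tor negotiates them with each relay while extending the circuit), the fixed-width `next hop` field and the relay names are assumptions, and the reverse path of step 6 is not shown.

```python
# Added example (not from the slides): onion layering for a three-relay circuit.
# Cipher, key setup and framing are constructed stand-ins, not Tor's protocol.
import hashlib
import hmac
import os

NEXT_HOP_LEN = 32  # fixed-width "forward to" field, assumed for the example

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stream cipher stand-in: random nonce || plaintext XOR keystream."""
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def build_onion(circuit, destination: str, message: bytes) -> bytes:
    """Step 3: wrap the message once per relay, innermost (exit) layer first.
    circuit is [(relay_name, shared_key), ...] ordered entry -> exit.  Layer i
    tells relay i only where to forward whatever is left after it peels."""
    hops = [name for name, _ in circuit] + [destination]
    blob = message
    for i in range(len(circuit) - 1, -1, -1):
        _, key = circuit[i]
        header = hops[i + 1].encode().ljust(NEXT_HOP_LEN, b"\x00")
        blob = toy_encrypt(key, header + blob)
    return blob

class Relay:
    """Step 5: a volunteer router that peels its own layer and records what it learned."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self.learned = []  # (previous hop, next hop): everything a relay ever sees

    def process(self, blob: bytes, previous_hop: str):
        plain = toy_decrypt(self.key, blob)
        next_hop = plain[:NEXT_HOP_LEN].rstrip(b"\x00").decode()
        self.learned.append((previous_hop, next_hop))
        return next_hop, plain[NEXT_HOP_LEN:]

def route(onion: bytes, relays: dict, entry: str):
    """Step 4: forward hop by hop until the packet leaves the overlay."""
    current, blob, previous = entry, onion, "client"
    while current in relays:
        next_hop, blob = relays[current].process(blob, previous)
        previous, current = current, next_hop
    return current, blob  # (destination, the bytes the exit relay hands over)

# Constructed circuit: three relays with pre-shared per-hop keys.
KEYS = {"guard": b"k-guard", "middle": b"k-middle", "exit": b"k-exit"}
RELAYS = {name: Relay(name, key) for name, key in KEYS.items()}
CIRCUIT = [(n, KEYS[n]) for n in ("guard", "middle", "exit")]

def demo(message: bytes = b"GET / HTTP/1.0\r\n"):
    """Returns (destination reached, message delivered, what each relay learned)."""
    onion = build_onion(CIRCUIT, "example.org:80", message)
    dest, delivered = route(onion, RELAYS, "guard")
    return dest, delivered, {n: r.learned[-1] for n, r in RELAYS.items()}

if __name__ == "__main__":
    print(demo())
```

The `learned` records show the property the slide ends on: the guard sees `("client", "middle")`, the middle sees `("guard", "exit")`, and the exit sees `("middle", "example.org:80")`. Two caveats a practitioner should keep in mind: the exit relay hands the destination the message in the clear, so anything sensitive still needs TLS end to end; and the constructed XOR cipher is malleable, whereas Tor's cells carry an integrity check so a relay cannot silently flip bits in a layer it cannot read.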

  15. Resource Attacks

  16. Topic
  • Distributed Denial-of-Service (DDoS)
  • An attack on network availability
  [Figure: the Internet as a cloud; “Yum!”]

  17. Topic
  • Distributed Denial-of-Service (DDoS)
  • An attack on network availability
  [Figure: the Internet as a cloud; “Uh oh!”]

  18. Motivation
  • The best part of IP connectivity: you can send to any other host
  • The worst part of IP connectivity: any host can send packets to you!

  19. Motivation (2)
  • Flooding a host with many packets can interfere with its IP connectivity
  • Host may become unresponsive
  • This is a form of denial-of-service (DoS)

  20. Goal and Threat Model
  • Goal is for the host to keep network connectivity for desired services
  • Threat is Trudy may overwhelm the host with undesired traffic

  21. Internet Reality
  • DDoS is a huge problem today!
  • GitHub attack of 1.35 Tbps (February 2018, memcached amplification)
  • There are no great solutions
  • CDNs, network traffic filtering, and best practices all help

  22. Denial-of-Service
  • Denial-of-service means a system is made unavailable to its intended users
  • Typically because its resources are consumed by attackers instead
  • In the network context:
  • “System” means server
  • “Resources” mean bandwidth (network) or CPU/memory (host)

  23. Host Denial-of-Service
  • Strange packets can sap host resources!
  • “Ping of Death”: a malformed, over-sized fragmented ICMP echo that crashed the receiver’s reassembly code
  • “SYN flood”: sends many TCP connection requests and never completes the handshake, so half-open connections fill the server’s backlog
  • A few bad packets can overwhelm a host
  • Patches exist for these vulnerabilities
  • Read about “SYN cookies” for interest: the server encodes the connection state in its initial sequence number instead of storing it
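SYN cookies, as an added example that is not part of the slides: the server keeps no state for a half-open connection, so a flood of SYNs costs it nothing but CPU, and only a client that actually received the SYN-ACK can finish the handshake. The bit layout follows the classic scheme (top 5 bits: time counter mod 32; next 3 bits: index into a small MSS table; low 24 bits: keyed hash of the 4-tuple and counter). The secret, the MSS table, the 64-second time slice and the traffic are constructed; real kernels (Linux, for instance) also mix in the client's ISN and differ in detail.

```python
# Added example (not from the slides): SYN cookies, the stateless defence
# against SYN floods.  Secret, MSS table and time-slice length are constructed.
import hashlib
import hmac
import ipaddress
import struct

MSS_TABLE = [536, 1220, 1440, 1460]  # assumed table; the index must fit in 3 bits
SLICE_SECONDS = 64                   # assumed granularity of the time counter

def _hash24(secret, src, dst, sport, dport, counter) -> int:
    """24-bit keyed hash binding the cookie to the 4-tuple and the time slice."""
    msg = struct.pack("!4s4sHHI", ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed, sport, dport, counter)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(secret, src, dst, sport, dport, mss, counter) -> int:
    """Server ISN for the SYN-ACK: counter mod 32 | MSS index | 24-bit hash."""
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss], default=0)
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | _hash24(secret, src, dst, sport, dport, counter)

def check_cookie(secret, src, dst, sport, dport, ack, counter):
    """Validate the handshake's final ACK.  Returns the MSS to use, or None to drop."""
    cookie = (ack - 1) & 0xFFFFFFFF
    for c in (counter, counter - 1):  # accept the current and the previous slice
        if (c & 0x1F) == cookie >> 27 and \
           _hash24(secret, src, dst, sport, dport, c) == (cookie & 0xFFFFFF):
            return MSS_TABLE[(cookie >> 24) & 0x7]
    return None

class Listener:
    """A listening port under flood: on_syn stores nothing, so a flood costs no memory."""

    def __init__(self, secret: bytes, ip: str, port: int):
        self.secret, self.ip, self.port = secret, ip, port
        self.established = []

    def on_syn(self, src, sport, mss, now) -> int:
        """Answer a SYN with a SYN-ACK whose sequence number is the cookie; keep no state."""
        return make_cookie(self.secret, src, self.ip, sport, self.port, mss, now // SLICE_SECONDS)

    def on_ack(self, src, sport, ack, now):
        """Only a client that really received the SYN-ACK can present a valid ACK."""
        mss = check_cookie(self.secret, src, self.ip, sport, self.port, ack, now // SLICE_SECONDS)
        if mss is not None:
            self.established.append((src, sport, mss))
        return mss

def flood_and_connect(n_spoofed: int = 10_000):
    """Constructed scenario: Trudy's spoofed SYNs, then one legitimate handshake from Alice."""
    srv = Listener(b"constructed-secret", "203.0.113.10", 443)
    for i in range(n_spoofed):  # spoofed sources in 10.0.0.0/8, nothing is stored per SYN
        srv.on_syn(str(ipaddress.IPv4Address(0x0A000000 + i)), 1024 + i % 60000, 1460, 1_000_000)
    cookie = srv.on_syn("198.51.100.5", 40000, 1460, 1_000_000)
    mss = srv.on_ack("198.51.100.5", 40000, (cookie + 1) & 0xFFFFFFFF, 1_000_010)
    return len(srv.established), mss

if __name__ == "__main__":
    print(flood_and_connect())  # (1, 1460): one real connection, no memory spent on the flood
```

The price of statelessness is visible in the encoding: only 3 bits survive for the MSS and any TCP options the client asked for are lost, which is why Linux enables cookies only once the backlog overflows rather than for every SYN. The previous-slice check tolerates an ACK that arrives just after the counter ticks; anything older is dropped, which also bounds how long a captured cookie is useful to an attacker.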

  24. Network Denial-of-Service
  • Network DoS needs many packets
  • To saturate network links
  • Causes high congestion/loss
  • Helpful to have many attackers … or Distributed Denial-of-Service
  [Figure: the access link to the victim is overloaded; “Uh oh”]

  25. Distributed Denial-of-Service (DDoS)
  • Botnet provides many attackers in the form of compromised hosts
  • Hosts send a traffic flood to the victim
  • Network saturates near the victim
  [Figure: botnet hosts flooding the victim; “Ouch”]

  26. Complication: Spoofing
  • Attackers can falsify their IP address
  • Put a fake source address on packets
  • Historically the network doesn’t check
  • Hides the location of the attackers
  • Called IP address spoofing
  [Figure: Trudy sends “I hate that Bob!” to Alice with From: “Bob”; “Ha ha!”]

  27. Spoofing (2)
  • Actually, it’s worse than that
  • Trudy can trick Bob into really sending packets to Alice
  • To do so, Trudy spoofs Alice to Bob; Bob’s reply goes to Alice (a reflection attack, and an amplification attack when the reply is larger than the request)
  [Figure: 1: Trudy → Bob, From: “Alice”; 2: Bob → Alice (reply); Alice: “Huh?”]

  28. Best Practice: Ingress Filtering
  • Idea: validate the IP source address of packets at the ISP boundary (Duh!)
  • Ingress filtering (BCP 38 / RFC 2827) is a best practice, but deployment has been slow
  [Figure: the ISP boundary drops Trudy’s packet with From: Bob – “Nope, from Trudy”; Trudy: “Drat”]
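The check described on this slide, as an added example that is not part of the slides: an ISP edge accepts a packet from a customer port only if its source address belongs to that customer's allocation (and is not a bogon). The port-to-prefix table, the bogon list and the sample packets are constructed; they replay the two spoofing cases of slides 26 and 27 so the effect of the filter on each is visible.

```python
# Added example (not from the slides): BCP 38 / RFC 2827 ingress filtering at
# an ISP edge.  The port-to-prefix table and the sample packets are constructed.
import ipaddress
from collections import Counter

# Source prefixes legitimately located behind each customer port (from the customer's allocation).
CUSTOMER_PREFIXES = {
    "port-trudy": [ipaddress.ip_network("192.0.2.0/24")],
    "port-bob": [ipaddress.ip_network("198.51.100.0/25")],
}
# Sources that are never valid on an inbound customer port, whatever the allocation says.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def ingress_ok(port: str, src: str) -> bool:
    """Accept a packet arriving on `port` only if its source belongs there."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGONS):
        return False
    return any(addr in net for net in CUSTOMER_PREFIXES.get(port, ()))

def apply_filter(packets):
    """packets: iterable of (port, src, dst).  Returns (forwarded list, drops per port)."""
    forwarded, drops = [], Counter()
    for port, src, dst in packets:
        if ingress_ok(port, src):
            forwarded.append((port, src, dst))
        else:
            drops[port] += 1
    return forwarded, drops

# Constructed traffic.  Alice is 203.0.113.5, Bob is 198.51.100.9, Trudy is 192.0.2.66.
SAMPLE = [
    ("port-trudy", "192.0.2.66", "203.0.113.5"),    # Trudy's own address: forwarded
    ("port-trudy", "198.51.100.9", "203.0.113.5"),  # slide 26: From "Bob" to Alice: dropped
    ("port-trudy", "203.0.113.5", "198.51.100.9"),  # slide 27: From "Alice" to Bob (reflection): dropped
    ("port-trudy", "10.7.7.7", "203.0.113.5"),      # bogon source: dropped
    ("port-bob", "198.51.100.9", "203.0.113.5"),    # Bob really sending: forwarded
]

if __name__ == "__main__":
    forwarded, drops = apply_filter(SAMPLE)
    print(len(forwarded), "forwarded;", dict(drops))  # 2 forwarded; {'port-trudy': 3}
```

Two limits worth stating: the filter only stops Trudy from lying about where she is, so a botnet flooding from its members' real addresses passes untouched (it still needs the defenses of slide 29); and it only helps at the edges that deploy it, which is the slow-deployment point on the slide. Routers implement the same idea with uRPF, deriving the allowed prefixes from the routing table instead of a static list.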

  29. Flooding Defenses
  1. Increase network capacity around the server; harder to cause loss
  • Use a CDN for high peak capacity
  2. Filter out attack traffic within the network (at routers)
  • The earlier the filtering, the better
  • Ultimately what is needed, but ad hoc measures by ISPs today

  30. End-to-End principle

  31. End-to-end Principle
  • Broad networking principle
  • First implemented in the French CYCLADES network (after ARPANET), early 1970s
  • Articulated in its most recognizable form by Saltzer, Reed, Clark (1981)
  • Guidance on placing functionality such as reliability, security, etc.: in the network or at the endpoints (hosts)?
  • Argues for endpoint placement

  32. Multiple interpretations of the principle
  • The network cannot be trusted. Do it yourself.
  • The network can suffer heavy damage
  • Nuclear attacks (but not DDoS attacks!)
  • Need end-to-end correctness anyway
  • Diminishing returns from in-network functionality
  • Not everyone needs it
  • Place functionality in the network only when necessary (e.g., for performance)

  33. E2E Example: Error-correcting codes
  • IP: host detects errors (end-to-end)
  • 802.11: link detects errors (in the network)

  34. E2E Example: ARQ
  • TCP: host retransmits on failure (end-to-end)
  • 802.11: link detects drops and retransmits (in the network)

  35. E2E Example: In-order delivery
  • TCP: host enforces in-order delivery (end-to-end)
  • SS5: network enforces in-order delivery (in the network)

  36. E2E Example: Security
  • SSL: host encrypts content (end-to-end)
  • GSM: network encrypts content (in the network: only the radio link, not the whole path)
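Why the left column of these examples is not made redundant by the right one, as an added example that is not part of the slides. Each link protects its frame with a CRC, but a router strips the incoming CRC and computes a fresh one on the outgoing link, so corruption that happens inside the router, between the two links, passes every link check and is caught only by the end-to-end check at the receiving host. The link CRC and the SHA-256-based end-to-end check are stand-ins for Ethernet/802.11 FCS and the TCP checksum, and the router fault and traffic are constructed.

```python
# Added example (not from the slides): why a per-link check is not an
# end-to-end check.  The "router fault" and the traffic are constructed.
import hashlib
import zlib

def link_send(payload: bytes) -> bytes:
    """Link layer: protect the frame with a CRC32, as Ethernet/802.11 do."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")

def link_receive(frame: bytes) -> bytes:
    payload, crc = frame[:-4], int.from_bytes(frame[-4:], "big")
    if zlib.crc32(payload) != crc:
        raise ValueError("link CRC failed")
    return payload

def host_send(data: bytes) -> bytes:
    """End-to-end check computed once by the sending host (stand-in for TCP's checksum)."""
    return data + hashlib.sha256(data).digest()[:4]

def host_receive(segment: bytes) -> bytes:
    data, tag = segment[:-4], segment[-4:]
    if hashlib.sha256(data).digest()[:4] != tag:
        raise ValueError("end-to-end checksum failed")
    return data

def flip_bit(buf: bytes, bit: int) -> bytes:
    out = bytearray(buf)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)

def router_forward(frame: bytes, fault_bit=None) -> bytes:
    """A router verifies the incoming CRC, buffers the payload, and re-frames it.
    fault_bit simulates corruption in the router's memory between the two links:
    the outgoing CRC is then computed over the already-corrupted payload."""
    payload = link_receive(frame)
    if fault_bit is not None:
        payload = flip_bit(payload, fault_bit)
    return link_send(payload)

def deliver(data: bytes, router_fault_bit=None, wire_fault_bit=None):
    """Host -> link -> router -> link -> host.  Returns ("ok", data) or ("error", reason)."""
    frame = link_send(host_send(data))
    try:
        frame = router_forward(frame, router_fault_bit)
        if wire_fault_bit is not None:  # noise on the second link: the link check catches this
            frame = flip_bit(frame, wire_fault_bit)
        return "ok", host_receive(link_receive(frame))
    except ValueError as e:
        return "error", str(e)

if __name__ == "__main__":
    print(deliver(b"hello, world"))                      # ('ok', b'hello, world')
    print(deliver(b"hello, world", wire_fault_bit=5))    # link CRC failed
    print(deliver(b"hello, world", router_fault_bit=5))  # end-to-end checksum failed
```

The same reasoning is what the Security example on slide 36 turns on: GSM encryption covers the radio link, so traffic is in the clear inside the operator's network, while SSL is computed by the two hosts and holds across every hop in between.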

  37. End-to-End limitations
  • Some functionality cannot be implemented at endpoints
  • NATs, DoS protection, … the principle is silent on these
  • Assumes a clear dividing line between network and endpoints
  • Reality of distributed applications (e.g., CDNs) is more complex
  • No guidance on how much functionality can go in the network for performance
