
Department of Computer Science Institute for System Architecture, Chair for Computer Networks

Dipl.-Inform. Stephan Groß
Room: GRU314
E-Mail: stephan.gross@tu-dresden.de

Internet Services & Protocols

Internet (In)Security

Dresden, July 10 2006

Stephan Groß, July 10 2006 Internet Services & Protocols 2

Why is Security crucial for the Internet?

• Internet = Network of networks
• Wide-spread use of the Internet for the transport of sensitive information
  – Online Banking
  – E-Commerce
  – E-Government
• Problem: The Internet's roots lie in the academic world and the free exchange of information
  – If at all, security was only a secondary design goal
  – The basic Internet protocols suffer from severe security holes


Today's Agenda

• What is to be protected?
  – Protection Goals
• Against what to protect?
  – Threats and fundamental problems of the Internet
• How to protect?
  – Firewalls
  – Virtual Private Networks (VPN)


Basic Protection Goals

• Integrity: information is correct, complete and up-to-date, or it is recognizably not the case.
• Confidentiality: information is known only to entitled users.
• Availability: information is accessible where and when entitled users need it.
• Authenticity: the quality or condition of being authentic, trustworthy, or genuine.


Security Threats against IP Networks

• Address Spoofing
  – Attacks authenticity, integrity and availability
  – Attacker sends IP packets with a forged source address
  – Problem: no authentication of IP addresses
  – Objective: impersonation, Denial-of-Service, circumvention of access control
• Sniffing
  – Attacks confidentiality
  – Everyone within a subnet can "listen" to the whole network communication
• Routing attacks
  – Attacks confidentiality
  – "Loose Source Routing" lets the sender specify a packet's route


Threats against Internet Services

• Internet Services are based on the layered ISO/OSI model
• "Weakest-Chain-Link" paradigm
• Example 1: Telnet, FTP
  – Access control based on username and password
  – Attacker can obtain both by sniffing the login session
• Example 2: DNS
  – Authentication is based on IP addresses
  – Attacker can impersonate a DNS server by address spoofing
  – See also Group Homework (May 8 2006)


Fundamental Security Problems in IP

• Authentication based on IP addresses
• No protection of integrity
• No protection of confidentiality
• No protection against malicious attacks on availability
• Security was not a design goal in the first place!

One part of the solution: IPv6. However, some problems remain, e.g. complexity and the transition from IPv4 to IPv6.


Firewall

What is an Internet Firewall?
  – Restricts people to entering at a carefully controlled point
  – Restricts people to leaving at a carefully controlled point

A firewall is a component or set of components that restricts access between a protected network and the Internet, or between other sets of networks.


Firewall

What Can a Firewall Do?
  – A firewall is a focus for security decisions
  – A firewall can enforce security policy
  – A firewall can log Internet activity
  – A firewall limits your exposure

What Can't a Firewall Do?
  – A firewall can't protect against malicious insiders
  – A firewall can't protect against connections that don't go through it
  – A firewall can't protect against completely new threats
  – A firewall can't protect against viruses


Some Firewall Definitions

Bastion host: A computer system that must be highly secured because it is exposed to the Internet and is therefore vulnerable to attack.

Dual-homed host: A general-purpose computer system that has at least two network interfaces (or homes).

Perimeter network: A network added between a protected network and an external network, in order to provide an additional layer of security. A perimeter network is sometimes called a DMZ, which stands for De-Militarized Zone.

Packet filtering: The action a device takes to selectively control the flow of data to and from a network. Packet filters allow or block packets, usually while routing them from one network to another (most often from the Internet to an internal network, and vice versa).

Proxy server: A program that deals with external servers on behalf of internal clients.


Packet Filtering

• Filtering is based on IP header information
• Pros and Cons:
  – Cheap and easy
  – Depends on the authenticity and integrity of the IP header (neither is protected)
  – Stateless filtering versus dynamically assigned port numbers (FTP, H.323, ...)
  – Severe performance issues of dynamic filtering


Proxy Services

• Also known as Application-Level Gateways
• Control application-level data flows
• Pros and Cons:
  – Intrusion detection using stateful inspection
  – Accounting
  – Performance issues
  – Dedicated proxy for each service


Firewall Architectures

• Dual-Homed Host
  – Isolates network segments (no routing/forwarding)
  – Based on a Bastion host (proxy + packet filter)
  – Scalability issues and single point of failure
• Screened Host
  – Bastion host connected to the internal network
  – Additional packet filter (critical component)
  – Proxy can be circumvented for specific applications -> more flexibility (but also more risk)


Firewall Architectures (continued)

• Screened Subnet
  – Today's state of the art
  – Additional net segment for exposed systems, isolated from both the internal and the external network
  – Hides the internal network structure from external view
  – Proxy can be circumvented for specific applications, but no access to the interior from the exterior network
  – Good balance between flexibility and security
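The following Python model is an added example and not part of the lecture; it ties together three of the slides above: the IP threats slide (address spoofing is possible because the IP header is not authenticated), the packet-filtering slide (stateless rules cannot follow dynamically assigned ports such as active-mode FTP's data connection, and dynamic filtering must look into payloads) and the screened-subnet architecture (exterior, perimeter network with the bastion host, interior). All addresses, interface names, rules and traffic are constructed; only the FTP PORT command format ("PORT h1,h2,h3,h4,p1,p2", port = p1*256 + p2) is real.

```python
"""Stateless vs. stateful packet filtering on a screened subnet (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan: interior network and perimeter network (DMZ).
INTERIOR = ip_network("10.0.0.0/8")
PERIMETER = ip_network("192.0.2.0/24")

@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on: "ext", "dmz" or "int"
    src: str
    dst: str
    sport: int
    dport: int
    syn_only: bool    # TCP SYN without ACK, i.e. the first packet of a connection

@dataclass(frozen=True)
class Rule:
    iface: str
    src_zone: str
    dst_zone: str
    dport: int = 0                  # 0 matches any destination port
    established_only: bool = False  # match only packets that are not a bare SYN

def zone(addr):
    a = ip_address(addr)
    return "int" if a in INTERIOR else "dmz" if a in PERIMETER else "ext"

def spoofed(pkt):
    """Ingress check: the header is unauthenticated, so topology is the only evidence.
    A source claiming to be interior or DMZ must not arrive on the exterior interface."""
    return zone(pkt.src) != pkt.iface

# Screened-subnet policy: the exterior reaches only the bastion host; nothing from the
# exterior or the DMZ may open a connection to the interior; FTP bypasses the proxy.
POLICY = [
    Rule("ext", "ext", "dmz", 80),   # web server on the bastion host
    Rule("ext", "ext", "dmz", 21),   # FTP control channel to the bastion
    Rule("int", "int", "ext", 21),   # proxy circumvented for FTP clients
    Rule("int", "int", "dmz"),       # interior clients use the bastion's proxy
    Rule("dmz", "dmz", "ext"),       # bastion may reach the Internet
]
# A stateless filter cannot recognise replies, so it needs an extra rule admitting
# any non-SYN exterior packet to the interior (the "ACK bit" heuristic).
STATELESS_RULES = POLICY + [Rule("ext", "ext", "int", established_only=True)]

def match(pkt, rules):
    return any(r.iface == pkt.iface and zone(pkt.src) == r.src_zone
               and zone(pkt.dst) == r.dst_zone and r.dport in (0, pkt.dport)
               and not (r.established_only and pkt.syn_only) for r in rules)

def stateless_verdict(pkt):
    if spoofed(pkt):
        return "deny:spoofed"
    return "allow" if match(pkt, STATELESS_RULES) else "deny:default"

class StatefulFilter:
    """Only a SYN is checked against POLICY; later packets pass because the connection
    is known. An FTP helper reads PORT commands on the control channel so the server's
    data connection from port 20 is admitted without a blanket high-port rule; this
    payload inspection is the cost of dynamic filtering."""

    def __init__(self):
        self.conns = set()      # (src, sport, dst, dport) of admitted connections
        self.expected = set()   # (client address, client port) announced via PORT

    def verdict(self, pkt, payload=b""):
        if spoofed(pkt):
            return "deny:spoofed"
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conns or rev in self.conns:
            if pkt.dport == 21 and payload.startswith(b"PORT "):
                h1, h2, h3, h4, p1, p2 = map(int, payload[5:].split(b","))
                self.expected.add((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
            return "allow:established"
        if pkt.sport == 20 and (pkt.dst, pkt.dport) in self.expected:
            self.expected.discard((pkt.dst, pkt.dport))
            self.conns.add(fwd)
            return "allow:expected-ftp-data"
        if pkt.syn_only and match(pkt, POLICY):
            self.conns.add(fwd)
            return "allow:new"
        return "deny:no-state"

def run_scenarios():
    """Constructed traffic; returns {scenario: (stateless verdict, stateful verdict)}."""
    sf = StatefulFilter()
    cases = [
        ("web to bastion", Packet("ext", "203.0.113.5", "192.0.2.10", 40001, 80, True), b""),
        ("spoofed interior source", Packet("ext", "10.0.0.7", "10.0.0.1", 1234, 22, True), b""),
        ("SYN to interior", Packet("ext", "203.0.113.5", "10.0.0.7", 40002, 22, True), b""),
        ("ACK probe of interior", Packet("ext", "203.0.113.5", "10.0.0.7", 40003, 6000, False), b""),
        ("active FTP control", Packet("int", "10.0.0.7", "203.0.113.9", 4321, 21, True), b""),
        ("PORT command", Packet("int", "10.0.0.7", "203.0.113.9", 4321, 21, False), b"PORT 10,0,0,7,19,136"),
        ("FTP data from server", Packet("ext", "203.0.113.9", "10.0.0.7", 20, 5000, True), b""),
    ]
    return {name: (stateless_verdict(p), sf.verdict(p, payload)) for name, p, payload in cases}

if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenarios().items():
        print(f"{name:24} stateless={stateless:13} stateful={stateful}")
```

The two filters agree on the straightforward cases (web traffic to the bastion is allowed, a packet with an interior source arriving from outside is dropped by the ingress check, a SYN to the interior is denied), but they differ where the slides place the trade-off: the stateless ACK-bit rule lets an exterior non-SYN packet reach an interior host, while the stateful filter has no matching connection and denies it; conversely the stateless filter cannot admit the FTP server's data connection to the dynamically chosen port 5000, while the stateful filter admitted it because it saw the PORT command.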


Problems with Firewalls

• Complexity -> expert knowledge necessary for the definition of security policies, configuration and administration
• Open standard ports, e.g. 80
  – increasing dissemination of web services
• Tunnelling
• Mobile devices
• Multimedia applications


Virtual Private Networks (VPNs)

• Network infrastructure to transparently connect private networks over a public transportation network like the Internet


VPN Characteristics

• Interconnection of (physically) secured private networks using tunnelling techniques
  – Company headquarters and branch office
  – Business partners
  – Mobile worker
  – Telecommuter
• Extends geographic connectivity
• Connection completely transparent for the end-user
  – Appears to be a separate physical network, but is not
  – VPN maintains addressing and routing
  – VPN has to enforce local security restrictions
• Reduces operational costs compared with traditional WAN and RAS
• Shows a good economy of scale


Types of VPNs

• Site-to-Site
  – Connecting two local networks
  – VPN gateway (aka concentrator)
• Site-to-End
  – Connecting a single host with a local network
  – VPN client software connecting to a VPN gateway
  – Also used to secure WLAN
• Secure VPNs
  – use cryptographic protocols to provide confidentiality, authentication, and message integrity
  – e.g. L2TP, PPTP, IPSec, SSL
• Trusted VPNs
  – do not use cryptographic tunneling
  – rely on the security of a single provider's network to protect the traffic
  – e.g. BGP/MPLS VPN [RFC 2547bis]


BGP/MPLS VPN Network Components

• Customer Edge (CE) device: Provides customer access to the service provider network over a data link to one or more PE routers
• Provider Edge (PE) device: Exchanges routing information with CE routers using static routing, RIP, OSPF or EBGP
• Provider (P) device: Any router in the provider's network that does not attach to CE devices


Operational Model – Sample Network Topology


Operational Model – First Control Subflow

Exchange of routing information between CE and PE routers at the edges of the provider's backbone and between PE routers across the backbone


Operational Model – Second Control Flow

Establish LSPs across provider's backbone between PE routers using LDP or RSVP


Operational Model – Data Flow

Host 10.2.3.4 at site 2 communicates with server 10.1.3.8 at site 1 across the service provider's backbone.
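The operational model of the last four slides (CE/PE/P components, the two control flows and the data flow from host 10.2.3.4 at site 2 to server 10.1.3.8 at site 1), as an added Python model that is not part of the lecture. It follows RFC 2547: each PE keeps one VRF per customer, advertises VPN-IPv4 routes (route distinguisher plus prefix) with a VPN label to the other PE, and forwards data with a two-label stack whose outer label is swapped along the LSP and whose inner label selects the VRF and CE at the egress PE. Router names, the LSP labels 16 and 17, the route distinguishers 64500:1 and 64500:2, and customer B (which reuses 10.1.0.0/16 to show that overlapping address spaces stay separated) are constructed; using the RD in place of the route target for import decisions is a simplification. The model also makes the "trusted VPN" classification of the earlier slide concrete: customer separation rests entirely on the provider's forwarding tables, with no cryptography involved.

```python
"""Forwarding model of a BGP/MPLS VPN (RFC 2547), added example."""
from ipaddress import ip_address, ip_network

class PE:
    """Provider edge router: one VRF per customer, VPN labels for the routes it
    advertises, and the routes it learned from other PEs via MP-BGP."""

    def __init__(self, name):
        self.name = name
        self.vrf_of_ce = {}   # attached CE -> VRF name
        self.rd = {}          # VRF name -> route distinguisher
        self.local = {}       # VRF -> {prefix: CE}, learned from attached CEs
        self.remote = {}      # VRF -> {prefix: (VPN label, egress PE)}
        self.vpn_labels = {}  # VPN label -> (VRF, CE), allocated by this PE
        self._next_label = 1000

    def attach(self, ce, vrf, rd, prefixes):
        """First control subflow, CE side: routes received from an attached CE."""
        self.vrf_of_ce[ce] = vrf
        self.rd[vrf] = rd
        for p in prefixes:
            self.local.setdefault(vrf, {})[ip_network(p)] = ce

    def advertise(self):
        """First control subflow, PE side: export each VRF route as a VPN-IPv4
        route (RD, prefix) with a VPN label and this PE as BGP next hop."""
        adverts = []
        for vrf, routes in self.local.items():
            for prefix, ce in routes.items():
                self.vpn_labels[self._next_label] = (vrf, ce)
                adverts.append((self.rd[vrf], prefix, self._next_label, self.name))
                self._next_label += 1
        return adverts

    def learn(self, adverts):
        """Import routes into the VRF whose RD matches (simplification: the RD
        stands in for the route target RFC 2547 uses for import control)."""
        for rd, prefix, label, pe in adverts:
            for vrf, my_rd in self.rd.items():
                if pe != self.name and my_rd == rd:
                    self.remote.setdefault(vrf, {})[prefix] = (label, pe)

# Second control flow (constructed labels): LDP has set up the LSP PE2 -> P -> PE1.
FTN = {"PE2": {"PE1": (16, "P")}}   # ingress PE: egress PE -> (push label, next hop)
LFIB = {"P": {16: (17, "PE1")}}     # transit P: incoming label -> (outgoing label, next hop)

def forward(pes, ingress_pe, ingress_ce, dst):
    """Data flow: VRF lookup at the ingress PE, push [LSP label, VPN label], label
    swap at P, pop at the egress PE where the VPN label selects VRF and CE.
    Returns the hop-by-hop trace; the last entry names the delivering CE."""
    pe = pes[ingress_pe]
    vrf = pe.vrf_of_ce[ingress_ce]
    a = ip_address(dst)
    table = {p: ("local", ce) for p, ce in pe.local.get(vrf, {}).items()}
    table.update({p: ("remote", v) for p, v in pe.remote.get(vrf, {}).items()})
    hits = [p for p in table if a in p]        # lookup is confined to this VRF
    if not hits:
        return [f"{ingress_pe}: no route to {dst} in VRF {vrf}, dropped"]
    kind, info = table[max(hits, key=lambda p: p.prefixlen)]
    if kind == "local":
        return [f"{ingress_pe}: {dst} is local to VRF {vrf}, delivered to {info}"]
    vpn_label, egress = info
    lsp_label, hop = FTN[ingress_pe][egress]
    trace = [f"{ingress_pe}: VRF {vrf} -> {egress}, push [{lsp_label}, {vpn_label}], to {hop}"]
    while hop != egress:
        out_label, next_hop = LFIB[hop][lsp_label]
        trace.append(f"{hop}: swap {lsp_label} -> {out_label}, to {next_hop}")
        lsp_label, hop = out_label, next_hop
    vrf_out, ce = pes[egress].vpn_labels[vpn_label]
    trace.append(f"{egress}: pop {lsp_label}, VPN label {vpn_label} -> VRF {vrf_out}, delivered to {ce}")
    return trace

def build_network():
    """Customer A: site 1 (10.1.0.0/16) behind PE1, site 2 (10.2.0.0/16) behind PE2,
    as on the slides. Customer B (constructed) reuses the same prefixes."""
    pes = {"PE1": PE("PE1"), "PE2": PE("PE2")}
    pes["PE1"].attach("CE-A1", "A", "64500:1", ["10.1.0.0/16"])
    pes["PE2"].attach("CE-A2", "A", "64500:1", ["10.2.0.0/16"])
    pes["PE1"].attach("CE-B1", "B", "64500:2", ["10.1.0.0/16"])
    pes["PE2"].attach("CE-B2", "B", "64500:2", ["10.2.0.0/16"])
    adverts = pes["PE1"].advertise() + pes["PE2"].advertise()
    for pe in pes.values():
        pe.learn(adverts)
    return pes

if __name__ == "__main__":
    net = build_network()
    for ce in ("CE-A2", "CE-B2"):   # 10.2.3.4 at site 2 -> 10.1.3.8 at site 1, per customer
        print("\n".join(forward(net, "PE2", ce, "10.1.3.8")))
```

Running it shows the slide's data flow: PE2 resolves 10.1.3.8 in VRF A, pushes the stack [16, 1000], P swaps 16 for 17, and PE1 pops the LSP label and delivers to CE-A1 because VPN label 1000 belongs to VRF A. The same destination address sent from customer B's site 2 ends at CE-B1 instead, carrying VPN label 1001, which is why overlapping private address spaces are no problem for the provider but also why a mislabelled or misconfigured VRF on a PE is the failure mode a customer of a trusted VPN has to rely on the provider to prevent.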


Benefits of BGP/MPLS VPN

• Standards-based technology
• Privacy equivalent to Frame Relay and ATM
• Core and access flexibility
  – Core: IP, FR, ATM, Leased Line
  – Access: dial, DSL
• Support for the DiffServ QoS architecture
• Benefits for the end customer
  – Simplicity
    • Well suited for customers with relatively simple networks
    • Shifts complexity from the subscriber's CE router to the PE router
  – Low-cost managed services


Final Examination – Relevant Topics

• Of course, all lecture slides are relevant for the final examination.

• The same applies to the lecture's exercises

• Relevant group homework:
  – Secure DNS
  – Web Services
  – Streaming multimedia data

• Registration for CE and ISE students ends today!
