cmsc 414 computer and network security lecture 28 jonathan katz
TRANSCRIPT
![Page 1: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/1.jpg)
CMSC 414Computer and Network Security
Lecture 28
Jonathan Katz
![Page 2: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/2.jpg)
Administrivia
Final exam reminder + study guide– DSS students contact me
– A-G in 3258 AVW; H-Z in classroom
Course evaluations– www.CourseEvalUM.umd.edu
![Page 3: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/3.jpg)
SSL in wireshark
![Page 4: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/4.jpg)
IPsec
![Page 5: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/5.jpg)
Overview
IPsec can provide security between any two network-layer entities– host-host, host-router, router-router
Used widely to establish VPNs
IPsec encrypts and/or authenticates network-layer traffic, and encapsulates it within a standard IP packet for routing over the Internet
![Page 6: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/6.jpg)
Overview
IPsec is a complex, over-engineered protocol– Lots of un-needed features
Interoperability is challenging– Defeats the point of having a standard
IPsec is less used than it should(?) be
![Page 7: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/7.jpg)
Overview
IPsec consists of two components– IKE --- Used to establish a key
– AH/ESP --- Used to send data once a key is established (whether using IKE or out-of-band)
AH (authentication header)– Data integrity, but no confidentiality
ESP (encapsulating security payload)– Data integrity + confidentiality
– (Other differences as well)
![Page 8: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/8.jpg)
Security policy database
Nodes maintain a table specifying what is required for each incoming packet– Drop
– Forward/accept without IPsec protection
– Require IPsec protection• Auth only
• Enc only
• Both
Decisions can be based on any information contained in the packet
![Page 9: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/9.jpg)
Security associations (SAs)
When a node receives a packet, it needs to know who it is from– May be receiving IPsec traffic from multiple senders at
the same time -- possibly even with the same IP address
An SA defines a network-layer unidirectional logical connection– For bidirectional communication, need two SAs
The IPsec header indicates which security association to use
![Page 10: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/10.jpg)
Security associations (SAs)
An SA contains crypto keys, the identity/IP address of the other party, a sequence number, and crypto parameters (algorithms, auth/enc/both)
![Page 11: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/11.jpg)
IPsec: IKE
![Page 12: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/12.jpg)
Overview of IKE
IKE provides mutual authentication, establishes a shared key, and creates an SA
Assumes a long-term shared key, and uses this to establish a session key (as well as to provide authentication)
Supported key types– Public signature keys
– Public encryption keys
– Symmetric keys
![Page 13: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/13.jpg)
IKE phases
Phase 1: long-term keys used to derive a session key (and provide authentication)– Roughly analogous to SSL session
Phase 2: the session key is used to derive SAs– Roughly analogous to SSL connection
In theory, can run phase 1 once, followed by multiple executions of phase 2
• E.g., different flows between same endpoints
• Why not use same key for each?
– In practice, this rarely happens
![Page 14: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/14.jpg)
Phase 1 session keys
Two session keys are defined in phase 1– One each for encryption/authentication
These keys are used to protect the final phase 1 messages as well as all phase 2 messages
![Page 15: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/15.jpg)
Key types
As mentioned earlier…
Why are there two PK options?– Signature-based option
• Efficiency (can start protocol knowing only your own public key, then get other side’s key from their certificate)
• Legal reasons/export control
– Encryption-based option• Can be used to provide anonymity in both directions
Adds tremendously to the complexity of implementation
![Page 16: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/16.jpg)
IKE phase 1
Aggressive mode– 3 messages
Main mode– 6 messages
– Additional features:• Anonymity
• Negotiation of crypto parameters
![Page 17: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/17.jpg)
Anonymity Protocols can be designed so that identities of the
parties are hidden from eavesdroppers– Even while providing authentication!
Can also protect anonymity of one side against active attacks– Whom to protect?
• Initiator: since responder’s identity is generally known…• Responder: since otherwise it is easy to get anyone’s identity
![Page 18: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/18.jpg)
Aggressive mode Alice sends ga, “Alice”, crypto algorithms
– Note that choices are restricted by this message
Bob sends gb, choice of crypto algorithm, “proof” that he is really Bob– If Bob does not support any of the suggested
algorithms, he simply does not reply– Note that there is no way to authenticate a refusal, since
no session key yet established
Alice sends “proof” that she is Alice
Derive shared key from gab
![Page 19: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/19.jpg)
Main mode
Negotiate crypto algorithms (2 rounds)
Alice and Bob do regular Diffie-Hellman key exchange (2 rounds)
Alice sends encryption of “Alice” plus a proof that she is Alice, using long-term secret keys plus (keys derived from) gab
Bob does similarly…
![Page 20: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/20.jpg)
Crypto parameters…
Choice of: – Encryption method (DES, 3DES, …)
– Hash function (MD5, SHA-1, …)
– Authentication method (e.g., key type, etc.)
– Diffie-Hellman group (e.g., (g, p), etc.)
A complete set of protocols (a security suite) must be specified
![Page 21: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/21.jpg)
Negotiating parameters
Many protocols allow parties to negotiate cryptographic algorithms and parameters– Allows users to migrate to stronger crypto; increases
inter-operability (somewhat)
But, opens up a potential attack if not authenticated somehow…
Also makes for more complicated implementations
![Page 22: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/22.jpg)
“Proofs of identity”
Depend on which type of long-term shared key is being used
Similar (in spirit) to the authentication protocols discussed in class
![Page 23: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/23.jpg)
IPsec: AH/ESP
![Page 24: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/24.jpg)
AH vs. ESP
Two header types…
Authentication header (AH)– Provides integrity only
Encapsulating security payload (ESP)– Provides encryption + integrity
Both provide cryptographic protection of everything beyond the IP headers – AH additionally provides integrity protection of some
fields of the IP header
![Page 25: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/25.jpg)
Transport vs. tunnel mode
Transport mode: add IPsec information between IP header and rest of packet– IP header | IPsec | [ packet ]
Designed for end-to-end secure communication
protected
![Page 26: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/26.jpg)
Firewalls and transport mode
Transport mode may cause problems if there are firewalls between the communicating hosts– Firewalls can’t inspect higher-layer information, like
ports or applications
Tunnel mode was suggested to overcome this…– Traffic secured between the firewalls (or between one
firewall and the other end host)
– End host(s) can be oblivious to what is being done
![Page 27: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/27.jpg)
Transport vs. tunnel mode Tunnel mode: keep original IP packet intact but
protect it; add new header information outside– New IP header | IPsec | [ old IP header | packet ]
– Can be used when IPSec is applied at intermediate points along path (e.g., for firewall-to-firewall traffic)
• Treat the link as a secure tunnel
– New IP header different from old header since, e.g., src/dest have changed
protected
![Page 28: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/28.jpg)
Transport vs. tunnel mode
Note that tunnel mode subsumes transport mode…– …but transport mode is more efficient
Tunnel mode also hides (some information about) the communicating parties
![Page 29: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/29.jpg)
More on AH
AH provides integrity protection on header– But some fields change en route!
Immutable fields included in the integrity check
Mutable but predictable fields are also included in the integrity check– The final value of the field is used
![Page 30: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/30.jpg)
More on ESP
ESP provides both confidentiality and integrity– On data only, not header
• Header can’t be encrypted
![Page 31: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/31.jpg)
More on AH vs. ESP
ESP can already provide encryption and/or authentication
So why do we need AH?– AH also protects the IP header
– Export restrictions
– Firewalls need some high-level data to be unencrypted
None of these are compelling…
![Page 32: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/32.jpg)
Intrusion detection
![Page 33: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/33.jpg)
Prevention vs. detection Firewalls (and other security mechanisms) aim to
prevent intrusion
IDS aims to detect intrusion in case it occurs
Use both in tandem!– Defense in depth, full prevention impossible– Outsider vs. insider attacks– The sooner intrusion is detected, the less the damage– IDS can also be a deterrent, and can be use to detect
weaknesses in other security mechanisms
![Page 34: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/34.jpg)
IDS tradeoff
IDS based on the assumption that attacker behavior is (sufficiently) different from legitimate user behavior
In reality, there will be overlap– Some legitimate behavior may appear malicious
– Intruder can attempt to disguise their behavior as that of an honest user
![Page 35: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/35.jpg)
False positives/negatives
False positive– Alarm triggered by acceptable behavior
False negative– No alarm triggered by illegal behavior
Always a tradeoff between the false positive and false negative rate
![Page 36: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/36.jpg)
False alarms?
Say we have an IDS that is 99% accurate– I.e., Pr[alarm | attack] = 0.99 and
Pr[no alarm | no attack] = 0.99
An alarm goes off -- what is the probability that an attack is taking place?
To increase this probability, what should we focus on improving??
![Page 37: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/37.jpg)
False alarms
Say the probability of an attack is 1/1000
Use Bayes’ law:Pr[attack | alarm] = Pr[alarm | attack] Pr[attack] / Pr[alarm] = 0.99 * 0.001 / (0.99 * 0.001 + 0.01 * 0.999) ≈ 0.001/(0.001 + 0.01) ≈ 0.1
I.e., when an alarm goes off, 90% of the time it will be a false alarm!
How best to lower this number?
![Page 38: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/38.jpg)
False alarms
Improving Pr[alarm | attack] to 100% givesPr[attack | alarm] ≈ 0.1 (essentially unchanged)
Improving Pr[no alarm | no attack] to 99.9% gives Pr[attack | alarm] ≈ 0.5
![Page 39: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/39.jpg)
Two types of IDS
Signature-based ≈ looks for improper behavior– Roughly analogous to blacklisting
Anomaly-based ≈ looks for atypical behavior– Roughly analogous to whitelisting
![Page 40: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/40.jpg)
Signature (rule-based) detection
Define a set of “bad patterns” (e.g., known exploit characteristics, known bad events)
Detect these patterns if they occur
![Page 41: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/41.jpg)
Example rules
Incoming packets with a certain pattern match a known exploit
Users should not read files in other users’ directories
Users should not be logged in simultaneously from more than one location
Users do not make copies of system programs
No incoming requests except to port 80
![Page 42: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/42.jpg)
Anomaly detection
Monitor behavior and compare to some “baseline” behavior using statistical tests– Look for deviations from “normal behavior”
“Normal behavior” can be defined on a global level or a per-user level
“Normal behavior” can be specified by a human, or learned automatically over time
![Page 43: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/43.jpg)
Overlap in observed or expected behavior
Profile of authorized user behavior
Profile of Intruder behaviorProbability
density function
Average behaviour of intruder
Average behaviour of authorized user
Measurable behaviour parameter
![Page 44: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/44.jpg)
Metric Model Justification
Login frequency by date and time
Mean and standard deviation
Intruders are more likely to login during off-hours
Frequency of login at different locations
Mean and standard deviation
Intruders may login from a location that a legitimate user does not
Time since last login Markov (time series) Break-in to unused account
Length of session Mean and standard deviation
Masquerader may run a much shorter or longer session
Large amount of data copied to some location
Mean and standard deviation
Detect attempt to copy large amounts of sensitive data
Password failures at login
Unusual event/ operational
Detect attempt to guess passwords
![Page 45: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/45.jpg)
Two places IDS can be run
Host-based IDS (HIDS)
Network-based IDS (NIDS)
![Page 46: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/46.jpg)
Host-based IDS
Monitors events on a single host
Can (potentially) observe the effects of an attack (in addition to possibly detecting the attack itself)
Can detect both internal and external intrusions
![Page 47: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/47.jpg)
Distributed host-based IDS
Combine information collected at many different hosts in the network
One or more machines in the network will collect and analyze the network data– Can correlate information across multiple hosts
– E.g., same event occurring simultaneously across all machines might be suspicious
– Or, an event occurring on only one machine might be suspicious
![Page 48: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/48.jpg)
Network-based IDS
Monitors traffic at selected points on the network– Real time; packet-by-packet
By looking at all network traffic, can potentially get a global view
![Page 49: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/49.jpg)
Sensor types Inline sensor
– Inserted in network path; all traffic passes through the sensor
Passive sensor– Monitors a copy of network traffic
Passive sensor more efficient; inline sensor can block attacks immediately
![Page 50: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/50.jpg)
Sensor placement Inside firewall?
– Can detect attacks that penetrate firewall– Can detect firewall misconfiguration– Can examine outgoing traffic more easily to detect
insider attacks– Can configure based on network resources being
accessed (e.g., configure differently for traffic directed to web server)
Outside firewall?– Can document attacks (types/locations/number) even if
prevented by firewall (can then be handled out-of-band)
![Page 51: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/51.jpg)
Drawbacks of NIDS
Cannot analyze encrypted traffic
Cannot observe attack effects
![Page 52: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/52.jpg)
Honeypots
Decoy systems to lure potential attackers– Divert attackers from critical systems
– Collect information about attacker’s activity
– Delay attacker long enough to respond
Since honeypot is not legitimate, any access to the honeypot is suspicious
Can have honeypot computers, or even honeypot networks
![Page 53: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/53.jpg)
Honeypot placement
Outside firewall– Can detect attempted connections to unused IP
addresses, port scanning
– No risk of compromised system behind firewall
– Does not divert internal attackers
Fully internal honeypot– Catches internal attacks
– Can detect firewall misconfigurations/vulnerabilities
– If compromised, run the risk of a compromised system
![Page 54: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/54.jpg)
Course summary
![Page 55: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/55.jpg)
What should you take away from this course (after the final)? Security mind-set
– Not limited to computers/networks!
Security is complex– Draws on many different disciplines
– Need to know what you are doing
Security is hard, still evolving– We did not cover some of the most important present-
day attacks: spam, phishing, DDos, viruses, …
Security is challenging…but fun!
![Page 56: CMSC 414 Computer and Network Security Lecture 28 Jonathan Katz](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bfd81a28abf838caf434/html5/thumbnails/56.jpg)
Thank you!