

Page 1

Intensive Programme on Information and Communication Security 2010

23/07/2010

© 2009 Luke Hebbes unless otherwise referenced 1

Network Security

Slides before 1st Section Divider

Firewalls

TLS, VPNs & Remote Access

Network Protection

Intensive Programme on Information and Communication Security

Dr Luke Hebbes
Email: [email protected]
Blog: http://blog.rlr-uk.com
Twitter: lhebbes

Network Authentication Protocols

Introduction

Access Control

Network Security (IPICS)

Dr Luke Hebbes
Email: [email protected]
Blog: http://blog.rlr-uk.com
Twitter: lhebbes

Introduction

• In a world where everything is connected we require very good security, but what do we secure and how?

• Perimeter defence sits at the edge protecting from the outside world

• Infrastructure security focuses on internal systems, dependability, information flow, etc.

• Every system will have different priorities and constraints; security is not always an exact science

Network Security

When is our enterprise going to be attacked?

NOT

Is our enterprise going to be attacked?

Web Log File

#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2010-02-21 04:41:26
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2010-02-21 04:41:26 192.168.16.20 GET /intl/zh-CN/ - 80 - 221.195.73.68 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 404 0 64 562
2010-02-21 06:02:58 192.168.16.20 GET /fastenv - 80 - 221.195.73.68 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 404 0 64 578
2010-02-21 11:24:06 192.168.16.20 GET /cgi-bin/textenv.pl - 80 - 221.195.73.68 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 404 0 64 671
...
2010-02-21 11:33:31 192.168.16.20 GET /manager/html - 80 - 221.6.38.203 Mozilla/3.0+(compatible;+Indy+Library) 404 0 2 484
2010-02-21 15:27:10 192.168.16.20 GET /prx2.php - 80 - 61.183.15.9 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 404 0 2 1359
2010-02-21 19:01:07 192.168.16.20 GET /sumthin - 80 - 209.88.88.251 - 404 0 64 3828
2010-02-21 20:34:43 192.168.16.20 GET /prx2.php - 80 - 61.183.15.9 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 404 0 2 1625
2010-02-21 21:48:17 192.168.16.20 GET /phpmyadmin/config/config.inc.php p=phpinfo(); 80 - 192.146.134.251 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) 404 0 2 640
2010-02-21 21:48:17 192.168.16.20 GET /pma/config/config.inc.php p=phpinfo(); 80 - 192.146.134.251 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) 404 0 2 140
2010-02-21 21:48:17 192.168.16.20 GET /admin/config/config.inc.php p=phpinfo(); 80 - 192.146.134.251 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) 404 0 2 140
...

linserv.abc.hu - in Hungary

linserv.abc.hu Port Scan

Nmap scan report for linserv.abc.hu (192.146.134.251)
Host is up (0.020s latency).
Not shown: 968 closed ports
PORT      STATE    SERVICE       VERSION
1/tcp     open     tcpwrapped
21/tcp    filtered ftp
22/tcp    open     tcpwrapped
23/tcp    open     telnet?
25/tcp    filtered smtp
43/tcp    filtered whois
53/tcp    open     domain?
79/tcp    open     tcpwrapped
110/tcp   open     pop3?
111/tcp   filtered rpcbind
113/tcp   open     auth?
119/tcp   open     tcpwrapped
139/tcp   filtered netbios-ssn
143/tcp   open     imap?
179/tcp   filtered bgp
445/tcp   filtered microsoft-ds
515/tcp   filtered printer
1080/tcp  open     tcpwrapped
1433/tcp  filtered ms-sql-s
1524/tcp  open     tcpwrapped
2000/tcp  open     tcpwrapped
4662/tcp  filtered edonkey
6346/tcp  filtered gnutella
6667/tcp  open     tcpwrapped
|_irc-info: Unable to open connection
6699/tcp  filtered napster
8080/tcp  open     tcpwrapped
12345/tcp open     tcpwrapped
31337/tcp open     tcpwrapped
32771/tcp open     tcpwrapped
32772/tcp open     tcpwrapped
32773/tcp open     tcpwrapped
32774/tcp open     tcpwrapped
Nmap done: 1 IP address (1 host up) scanned in 222.13 seconds
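The log above is the point of the slide: the scan is visible in the web server's own records long before anything is compromised. As an added example that is not part of the original slides, the Python below parses the W3C extended format the log uses (column names are taken from the #Fields: line rather than hard-coded) and flags client addresses that produce many distinct 404s; the sample lines are constructed with RFC 5737 documentation addresses and the probe paths from the slide.

```python
"""Spot reconnaissance in an IIS W3C extended log (added example, not from the slides).

The #Fields: directive names the columns, so the parser is driven by it
rather than by fixed offsets. The sample log is constructed for this
example and uses RFC 5737 documentation addresses, not the slide's IPs.
"""
from collections import defaultdict

# Constructed sample: one ordinary visitor and one source probing for
# admin consoles, the pattern the slide's log shows.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2010-02-21 04:41:26
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2010-02-21 04:41:26 192.0.2.20 GET /index.html - 80 - 198.51.100.4 Mozilla/5.0 200 0 0 15
2010-02-21 21:48:17 192.0.2.20 GET /phpmyadmin/config/config.inc.php p=phpinfo(); 80 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) 404 0 2 640
2010-02-21 21:48:17 192.0.2.20 GET /pma/config/config.inc.php p=phpinfo(); 80 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) 404 0 2 140
2010-02-21 21:48:17 192.0.2.20 GET /admin/config/config.inc.php p=phpinfo(); 80 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) 404 0 2 140
2010-02-21 21:48:18 192.0.2.20 GET /manager/html - 80 - 203.0.113.7 Mozilla/3.0+(compatible;+Indy+Library) 404 0 2 484
2010-02-21 22:10:00 192.0.2.20 GET /missing.png - 80 - 198.51.100.4 Mozilla/5.0 404 0 2 12
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields:."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                           # other directives and blank lines
        parts = line.split(" ")               # IIS encodes spaces in values as '+'
        if fields is None or len(parts) != len(fields):
            continue                           # malformed line: skip it, don't guess
        yield dict(zip(fields, parts))


def find_probing_sources(records, min_distinct_404=3):
    """Map client IP -> sorted distinct URIs that returned 404, for clients
    with at least min_distinct_404 such URIs: many different guesses, none
    of which exist on this server, is what a scan looks like in the log."""
    misses = defaultdict(set)
    for rec in records:
        if rec["sc-status"] == "404":
            misses[rec["c-ip"]].add(rec["cs-uri-stem"])
    return {ip: sorted(uris) for ip, uris in misses.items()
            if len(uris) >= min_distinct_404}


if __name__ == "__main__":
    for ip, uris in find_probing_sources(parse_w3c(SAMPLE_LOG)).items():
        print(ip, "probed", len(uris), "missing paths:", ", ".join(uris))
```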

Page 2

Network Security

• Best security stems from a proactive, preventative approach

• Must understand methods and tools for maintaining a secure network

• Network is only as secure as weakest link

• Internal security must also be addressed

• Finally, must detect attacks by auditing & (hopefully) recover

Network Security

• Not just dealing with hackers

• Four types of network security required

• Physical Security

• User Security

• File Security

• Intruder Security

• You will need to address all 4

Pragmatic Approach

Access Control

• Access-control devices are the first line of defence for a network

• Selectively permit or deny access based on a certain characteristic

• Must control and secure “dial-up” facilities

• Use as few RAS (remote access servers) as you can

• Packet Filtering filters out datagrams from unauthorised users or applications

NAT - Introduction

• Most Broadband connections come with a single IP address

• May be static or dynamic

• To connect more than one machine need to use NAT

• Enables LAN to use one set of IP addresses for internal traffic & a second set of addresses for external traffic

NAT - Basic

[Diagram: NAT router with inside address 192.168.0.1 and outside address 81.174.253.180; internal hosts 192.168.0.2 and 192.168.0.3; Internet hosts 141.241.2.12 and 207.46.156.220]

Connections as seen inside the LAN:
192.168.0.2:2056 -> 141.241.2.12:80
192.168.0.3:2532 -> 141.241.2.12:80
192.168.0.2:2057 -> 207.46.156.220:80

NAT translation table:
Internal            Translated (external)   Destination
192.168.0.2:2056    81.174.253.180:2056     141.241.2.12:80
192.168.0.3:2532    81.174.253.180:2532     141.241.2.12:80
192.168.0.2:2057    81.174.253.180:2057     207.46.156.220:80

Page 3

NAT – Port Forwarding

[Diagram: NAT router with inside address 192.168.0.1 and outside address 81.174.253.180; internal servers 192.168.0.2 and 192.168.0.3; Internet clients 141.241.80.2 and 80.176.12.63]

Connections as seen inside the LAN:
192.168.0.2:80 <- 141.241.80.2:3256
192.168.0.3:80 <- 80.176.12.63:2064

Port forwarding table:
Internal server     External (forwarded)    Remote client
192.168.0.2:80      81.174.253.180:80       141.241.80.2:3256
192.168.0.3:80      81.174.253.180:8080     80.176.12.63:2064

NAT Advantages

• Main purpose is to be more efficient with addresses

• Also:

• Helps to enforce firewall's control over outbound connections – internal address not valid

• Helps restrict incoming traffic

• Helps conceal internal network's configuration

• Can provide stronger restrictions on incoming traffic than packet filtering

NAT Disadvantages

• Dynamic allocation requires state information that is not always available – UDP

• Embedded IP addresses are a problem & NAT boxes only know certain protocols – can have VPN problems, SNMP, BOOTP, etc.

• Interferes with encryption & authentication systems – IPSec protects whole packet but NAT changes headers

• Dynamic allocation of addresses interferes with logging

• Dynamic allocation of ports may interfere with packet filtering

Advanced NAT

• Can load balance internal services by running port translation to multiple servers

• Different schemes for translating:

• Allocate 1 external host address for each internal address & always apply same translation

• Dynamically allocate external host address each time an internal host initiates a connection, without modifying port numbers

• Create fixed mapping from internal addresses to externally visible addresses, but use port mapping so multiple internal machines use same external addresses

• Dynamically allocate external host address & port pair each time internal host initiates connection
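As an added example, not from the original slides, the Python below models the router from the NAT - Basic and NAT – Port Forwarding slides with the slide's own addresses, using the last scheme listed above (an external address and port pair allocated per outbound connection) together with fixed port-forwarding entries. It assumes the router keeps the internal host's source port when that port is free, as the slide's table shows, and that a dynamic entry only admits replies from the remote endpoint it was created for.

```python
"""NAT with port translation and port forwarding (added example, not from the slides).

Addresses are the slide's own. Assumptions: the original source port is
kept when free and a new one is allocated only on collision; dynamic
entries record the remote endpoint, so unsolicited inbound packets to a
mapped port are dropped; static port-forward entries accept anyone.
"""


class Nat:
    def __init__(self, external_ip, port_forwards=None, ephemeral_start=1024):
        self.external_ip = external_ip
        # Fixed mappings: external port -> (internal ip, internal port)
        self.port_forwards = dict(port_forwards or {})
        # Dynamic table: (int ip, int port, remote ip, remote port) -> external port
        self.out_table = {}
        # Reverse lookup: external port -> (int ip, int port, remote ip, remote port)
        self.in_table = {}
        self.next_port = ephemeral_start

    def _port_in_use(self, port):
        return port in self.in_table or port in self.port_forwards

    def _allocate_port(self):
        while self._port_in_use(self.next_port):
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an internal host's packet; returns it as the Internet sees it."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_table:
            # Reuse the host's own port where possible (as in the slide's table),
            # otherwise pick a free ephemeral port.
            ext_port = src_port if not self._port_in_use(src_port) else self._allocate_port()
            self.out_table[key] = ext_port
            self.in_table[ext_port] = key
        return (self.external_ip, self.out_table[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Translate a packet arriving at the external address; None means drop."""
        if dst_port in self.port_forwards:
            return self.port_forwards[dst_port]        # static entry: anyone may connect
        entry = self.in_table.get(dst_port)
        if entry and entry[2:] == (src_ip, src_port):   # only the remote end we talked to
            return entry[0], entry[1]
        return None                                    # no state for it: drop


if __name__ == "__main__":
    nat = Nat("81.174.253.180", {80: ("192.168.0.2", 80), 8080: ("192.168.0.3", 80)})
    print(nat.outbound("192.168.0.2", 2056, "141.241.2.12", 80))
    print(nat.inbound("141.241.2.12", 80, 2056), nat.inbound("80.176.12.63", 2064, 8080))
```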

Packet Filtering

• IP Packet Filtering can be based on

• Source/Destination IP Address

• Source/Destination Port Number

• Can specifically Permit/Deny

• Routers with additional functionality

• Compares IP header with a table to see if packet allowed to continue to next hop

• Inexpensive, flexible and fast

Packet Filtering

Rule  Source IP  Source Port  Dest. IP  Dest. Port  Protocol  Access
A     10.1.0.0   *            10.2.0.0  *           *         Allow
B     10.2.0.0   *            10.1.0.0  *           *         Allow
C     *          *            10.1.1.2  25          TCP       Allow
D     10.1.0.0   *            *         *           *         Allow
E     *          4444         10.1.0.0  80          TCP       Allow
F     *          4444         *         *           TCP       Deny
G     *          *            10.1.0.0  *           *         Deny

Port 4444 – Blaster, etc.

Page 4

Packet Filtering

• Apply an access list to a specific interface

• Applied either in or out

• One rule – one line

• Criteria checked sequentially

• Implicit deny at end (usually)

• Different commands for different protocols

• Lines appear in order they are entered
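An added example, not from the slides, that evaluates the rule table A to G from the previous slide in the order listed, first match wins, with the implicit deny at the end. It assumes 10.1.0.0 and 10.2.0.0 in the table mean the /16 networks and 10.1.1.2 a single host; matching_rules lists every rule a packet satisfies, which shows where a later rule is shadowed by an earlier one.

```python
"""First-match evaluation of the slide's packet-filter rules (added example, not from the slides).

Assumptions not stated on the slide: 10.1.0.0 and 10.2.0.0 mean the /16
networks, 10.1.1.2 is one host, '*' matches anything, rules are checked
in the listed order, the first match decides, and a packet matching no
rule hits the implicit deny.
"""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport proto")

# (rule, source net, source port, dest net, dest port, protocol, action) as on the slide
RULES = [
    ("A", "10.1.0.0/16", "*", "10.2.0.0/16", "*", "*", "Allow"),
    ("B", "10.2.0.0/16", "*", "10.1.0.0/16", "*", "*", "Allow"),
    ("C", "*", "*", "10.1.1.2/32", 25, "TCP", "Allow"),
    ("D", "10.1.0.0/16", "*", "*", "*", "*", "Allow"),
    ("E", "*", 4444, "10.1.0.0/16", 80, "TCP", "Allow"),
    ("F", "*", 4444, "*", "*", "TCP", "Deny"),
    ("G", "*", "*", "10.1.0.0/16", "*", "*", "Deny"),
]


def _net_match(pattern, addr):
    return pattern == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)


def _field_match(pattern, value):
    return pattern == "*" or pattern == value


def _rule_matches(rule, pkt):
    _, snet, sport, dnet, dport, proto, _ = rule
    return (_net_match(snet, pkt.src) and _field_match(sport, pkt.sport)
            and _net_match(dnet, pkt.dst) and _field_match(dport, pkt.dport)
            and _field_match(proto, pkt.proto))


def matching_rules(pkt, rules=RULES):
    """Every rule the packet satisfies, in table order. Only the first one
    counts; the rest are shadowed for this packet, which is how a deny such
    as F silently stops applying to traffic an earlier allow already covers."""
    return [rule[0] for rule in rules if _rule_matches(rule, pkt)]


def evaluate(pkt, rules=RULES):
    """(rule id, action) of the first matching rule, or the implicit deny."""
    for rule in rules:
        if _rule_matches(rule, pkt):
            return rule[0], rule[6]
    return "implicit", "Deny"


if __name__ == "__main__":
    # Internal host talking on port 4444 to the other internal network:
    # A allows it first, so the Blaster-port deny in F never sees it.
    pkt = Packet("10.1.5.5", 4444, "10.2.3.3", 80, "TCP")
    print(evaluate(pkt), matching_rules(pkt))
```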

[Diagram: ACL 1 applied IN on the interface, then Routing, then ACL 1 applied OUT]

Packet Filtering

• Can do most things with packet filtering

• Some things are much easier than others

• Operations requiring detailed protocol knowledge or prolonged tracking of past events - proxy systems

• Simple operations that need to be fast & on individual packets - packet filtering systems

• Allows provision of particular protections for entire network

• Disallow Telnet by turning off Telnet server on all hosts, still have to worry about installing new machine

• If Telnet is not allowed by filtering router, new machine would be protected from start

Packet Filtering

• Cannot keep track of sessions

• Cannot prevent IP Spoofing attacks

• A lot of applications dynamically allocate port numbers, which can cause problems

• Although TCP traffic is difficult to deal with, UDP traffic is even harder

• Difficult and lengthy to configure

Configuring Packet Filtering

• Don’t forget protocols are usually bidirectional

• Common mistakes include blocking return channel

• Reject all external packets that have internal addresses (tunnelled attacks)

• Reject all internal packets with external addresses (IP Spoofing)

• Log certain rules

• Don’t respond to dropped packets

Configuring Packet Filtering

• Deny traffic with invalid source address (including broadcast and multicast source addresses)

• Deny all traffic with source routes or IP options

• Deny ICMP traffic over a reasonable size (a few kilobytes)

• Reassemble fragments into entire packets

• Set up explicit default deny (with logging) so that default behaviour is to reject packets

TCP SYN Flooding

• Exploits weakness in TCP 3-way handshake

• Can be very effective if combined with IP Spoofing

• Attacker must make sure spoofed address will not reply, otherwise a RST segment sent defeating Flood

• Very difficult to trace attacker

Page 5

TCP SYN Flooding

Client -> Server: SYN (server creates entry in pending connection table; connection is now half open)

Server -> Client: SYN-ACK

Client -> Server: ACK (server removes entry from pending connection table; connection established)

Other Attacks

• Source Routing Attack

• IP allows you to specify the route to take

• Route your packets around the security

• Discard packets containing route option

• Tiny Fragment Attacks

• Fragment packets into extremely small pieces

• First fragment header checked, rest passed

• Discard fragments that are TCP with FO of 1
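The checklist on the two Configuring Packet Filtering slides and the two discard rules above can be written as a single ingress function. The Python below is an added example, not from the slides; it assumes the inside network is 10.1.0.0/16 (taken from the rule table), router interfaces named inside and outside, a packet summary built by make_packet, and that fragment reassembly has already been done by the caller.

```python
"""Ingress sanity checks for a filtering router (added example, not from the slides).

Implements the slides' list: reject external packets with internal source
addresses, internal packets with external sources, invalid (broadcast /
multicast / unspecified) sources, packets carrying source routes or other
IP options, oversized ICMP, and TCP fragments with fragment offset 1.
Drops are logged and never answered. Assumptions: inside network
10.1.0.0/16, interfaces 'inside' and 'outside', packets as dicts from
make_packet, fragments already reassembled by the caller.
"""
import ipaddress
import logging

INSIDE_NET = ipaddress.ip_network("10.1.0.0/16")
ICMP_MAX_BYTES = 4096            # "a reasonable size (a few kilobytes)"
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

log = logging.getLogger("pf")


def make_packet(iface, src, dst, proto, length=64, options=(), frag_offset=0):
    """Constructed packet summary holding just the header fields the checks need."""
    return {"iface": iface, "src": src, "dst": dst, "proto": proto,
            "length": length, "options": tuple(options), "frag_offset": frag_offset}


def _drop(pkt, reason):
    # Log the decision; the packet is discarded silently (no ICMP error, no RST).
    log.warning("DROP %s %s -> %s: %s", pkt["iface"], pkt["src"], pkt["dst"], reason)
    return "drop", reason


def check_ingress(pkt):
    """Return ('pass', 'ok') or ('drop', reason) for a packet arriving on pkt['iface']."""
    src = ipaddress.ip_address(pkt["src"])

    # Invalid source addresses: nothing legitimate originates from these.
    if (src.is_multicast or src.is_unspecified or src == LIMITED_BROADCAST
            or src == INSIDE_NET.broadcast_address):
        return _drop(pkt, "invalid source address")

    # Anti-spoofing in both directions (tunnelled attacks inbound, spoofing outbound).
    if pkt["iface"] == "outside" and src in INSIDE_NET:
        return _drop(pkt, "internal source address on external interface")
    if pkt["iface"] == "inside" and src not in INSIDE_NET:
        return _drop(pkt, "external source address on internal interface")

    # Source routing and other IP options let traffic steer around the policy.
    if pkt["options"]:
        return _drop(pkt, "IP options present: " + ", ".join(pkt["options"]))

    # Oversized ICMP.
    if pkt["proto"] == "ICMP" and pkt["length"] > ICMP_MAX_BYTES:
        return _drop(pkt, "ICMP larger than %d bytes" % ICMP_MAX_BYTES)

    # Tiny-fragment attack: a TCP fragment at offset 1 overwrites the port
    # numbers that the first fragment was checked on.
    if pkt["proto"] == "TCP" and pkt["frag_offset"] == 1:
        return _drop(pkt, "TCP fragment with fragment offset 1")

    return "pass", "ok"
```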

Stateful Packet Inspection

• Inspects packets and only allows traffic under certain conditions

• Allow all (?) outgoing connections (i.e. connections initiated from within the secure network)

• If incoming to a service will allow connection to particular Address and Port

• All other incoming traffic denied unless the response to a specific outgoing request

Protocol Checking

• Protocol checking allows you to make rules like:

• Let in packets bound for the DNS port, only if they are formatted like DNS packets

• Protocol checking helps avoid situations where an unsafe service is running on a port that is allowed through

• Avoid attacks involving sending misformatted packets

• Normally fairly rudimentary & still can be circumvented by determined insider

• Most advanced systems will allow data-specific rules for well-known protocols, e.g.:

• Disconnect any FTP connection where the remote username is "anonymous".

• Do not allow HTTP transfers to these sites

Application-Level Gateways

• Examines packets at the Application layer

• Allows for greater flexibility and security

• Can restrict applications, and combat packet tunnelling

• Slower than Packet Filtering

• Needs to set up an additional session

• Requires separate application for each service

Bastion Host

• Critical strong point of network

• Platform for application or circuit-level gateway

• Only services considered essential installed

• Each service requires separate proxy to be installed & configured

• Proxy module is small software package

• Each proxy is independent of others

Page 6

Filtering

• Can filter based on many different criteria

• Content

• Criteria very subjective

• Natural language keywords to block sites

• Skin tones in images

• URL

• Blacklist of known bad sites

• Dynamically updated from content filter or online resource

• Real-time scanning for viruses

Firewalls

“Firewall - A configuration of routers and networks placed between an organization's internal internet [intranet] and a connection to an external internet to provide security.” Internetworking with TCP/IP, Douglas E. Comer, Prentice Hall.

“Setting up an Internet firewall without a comprehensive security policy is like placing a steel door on a tent”

Firewalls

• Many different topologies

• Have to find right balance

• Divide Organisation into zones

• Number of decisions to be made:

• Stance of Firewall

• Overall Security Policy of Organisation

• Financial cost of Firewall

• Components or building blocks of the Firewall system

Firewalls

• Four techniques firewalls use to control access

• Service Control – determines types of Internet services that can be accessed, in or out

• Direction Control – determines direction of service request initiations

• User Control – controls access to services

• Behaviour Control – controls how services are used

• Originally mainly service control, now all four

Firewalls - Benefits

• Protect private network from outside attacks

• Can be used within private network

• Firewalls concentrate network security into one control point (‘choke point’)

• Can generate alarms when attack attempted

• Monitor and log traffic

• Convenient location for implementation of NAT, WWW/FTP Servers

Firewalls - Limitations

• Can not protect against attacks that do not go through firewall

• Think of wireless communications

• Can not guard against traitors or accidental infringements

• People are also a weak link

• Security of network is only as good as weakest link - one weak host weakens entire network

Page 7

Firewalls - Features

• DOS attack protection

• Active attack protection

• Logging of attacks and traffic

• Blacklist – discard all packets from machines on blacklist and dynamically update blacklist

• Trace connections

• Maximum connections limit

Firewalls

• Two general types

• Network Layer

• Application Layer

• The lower the level, the less examination

• Network-layer firewalls make decisions based on source/destination addresses/ports

• Application-layer firewalls make decisions based on more elaborate characteristics & log events

Firewalls - Packet Filtering Router

[Diagram: Packet Filtering Router]

Firewalls - Screened Host

• Two types

• Single-Homed Bastion Host

• Dual-Homed Bastion Host

• First has single connection to Bastion Host

• Second has two network connections

• 1st - Users connect to outside world direct

• 2nd - More secure and allows IS

Firewalls - Screened Host

[Diagram: Bastion Host, Information Server and Packet Filtering Router]

Firewalls - Demilitarised Zone

• DMZ is a Screened-Subnet Firewall

• Employs 2 Packet Filtering Routers and a Bastion Host

• Most secure of the three topologies

• The Bastion Host, IS, RAS and other public servers are placed within the DMZ, protected at both ends by the PFR

Page 8

Firewalls - Demilitarised Zone

[Diagram: Bastion Host and Information Server between two Packet Filtering Routers]

Firewalls - Types

• Many different topologies

• Three different types:

• Stand-alone Hardware Firewall product

• Integrated Broadband Router and Firewall

• Software Firewall

• Hardware is usually the most secure and configurable (with several screened subnets available)

5 ‘Easy’ Ways to Bypass a Firewall

• Poorly configured firewall

• IS connectivity

• IS on internal network

• IS connects to public and private networks

• Wireless wardriving

• Phishing/Pharming/Internet Malware

• Hacking the Human – Social Engineering

• VPN credentials, Remote Access, Physical Access...

[Diagram: Information Server placements]

UTM

• Unified Threat Management

• According to IDC (who coined the term) UTM is “a single network firewall that also contains spam protection, anti-virus capability, an intrusion detection system and web content filtering, along with the traditional activities of a firewall”

• Helps guard against blended threats

• Simplifies management for non-specialists

UTM

• Replacing point solutions with no overall control with single, intelligent solution

• Combat blended threats

• Appropriate for SMEs, but large enterprises can see benefit from unified approach

• Significantly cheaper (one fifth price according to CRN) plus cheaper to configure & run

• However, this can hurt availability, reliability and scalability

UTM

• UTM puts all of this together in ‘one box’

• Allows sophisticated reporting, monitoring, analysis, etc.

• Allows for Security Information & Event Management (SIEM)

• Pull UTM device into core rather than at network edge

• Internal traffic segregated & monitored

• Stop spread of successful exploit

Page 9

UTM

• Centralised Log Management

• Real-time Monitoring & Alerting

• Comprehensive Reporting

• Forensic Analysis

UTM

[Screenshot: Clavister InSight™ & InControl™]

Hardening the OS

• Make OS withstand attacks

• Manage updates & patches

• Protect against buffer overflows – Data Execution Prevention (DEP) & Address Space Layout Randomisation (ASLR)

• Configure OS protections

• Run as few services as required

• Use security templates and policies

• Configure baselines

• Monitor & Audit

Hardening the OS

• Automated patch update service:

• Download vendor’s patch to local server

• Admin approves/declines update

• Force updates

• Detect & report on updates

• Automatically apply hotfixes

OS Lines of Code

OS               Lines of code
Red Hat Linux 7  30 million
Windows Vista    50 million
Mac OS X         86 million

Patch Management

OSes have so many lines of code that errors are inevitable

Web Browser Security

• Lock down the browser to reduce the chances of having problems

• Set up Trusted and Restricted sites

• Set a reasonably high security level for general Internet pages

• Do not download unsigned plug-ins or applications

• Do not allow pages to run components and programs on the machine without prompting

Web Browser Security

• Get the browser to prompt the user before allowing a website to access the persistent cookies collection

• Run Java Applets in high safety mode or disable them altogether

• Don’t allow a page to load across domains

• Don’t allow sites to update the shortcuts, etc. without prompting

• Check the certificates on each machine

• Shut down the browser after accessing a secure site

Page 10

Web Browser Security

• Which is the Most Secure Browser?

• Which is the Least Secure Browser?

Chrome

• Sandbox hard to exploit

• Many vulnerabilities though

• Biggest threat is socially-engineered malware

Safari

• Surely you’re joking that you think this is secure!

• Latest: AutoFill Feature Exposes User Data

Firefox

• Is configurable, which may help an expert, but harms a novice

• Unsigned components

IE8

• Can be exploited and is most targeted

• However, not the least secure

• Consider signed components

• Socially-engineered malware protection

Prevent ARP Spoofing

• ARP Spoofing (aka ARP Poisoning) allows network packet sniffing

• Send fake ARP messages to spoof another node, e.g. Default Gateway or Server

• DoS performed by associating non-existent MAC with Default Gateway

• Defend with static ARP mapping (doesn’t scale), specialist tool or network authentication

Intrusion Detection Systems

• Intrusion prevention will fail in the end

• Intrusion detection is process of monitoring events occurring on a computer system or network and analyzing them for signs of intrusions

• Intrusions defined as attempts to compromise confidentiality, integrity or availability of a computer or network

• An intrusion detection system is a software or hardware device that automates intrusion detection

Other Technologies

• Network IPS sit inline on the network, statefully analyzing packet content; they block packets that match a signature & alert on others

• Attack Mitigation Systems designed for one specific job, e.g. DOS/DDOS protection

• File Integrity Checkers periodically test digest of key files

• HoneyPots for prevention, detection or information gathering (Legality?)

IPv6/IPng & IPSec

• IAB recognised encryption as an important aspect of IP security (RFC 1636 – 1994)

• Standardised as RFCs 1824-1829

• Provides security services at IP layer

• IPSec has been incorporated into many of the current IP version 4 implementations

• Sender Authentication

• Extra security with encryption

IPSec

• Services offered:

• Access control

• Connectionless integrity

• Data origin authentication

• Replay attack protection

• Confidentiality

• Limited traffic flow confidentiality

Page 11

802.1X

• 802.1X is an IEEE standard regarding port level security

• Initially designed for wired, but equally applicable to wireless

• Layer 2 security protocol for authentication

• Deny access to physical port unless authorised

• No encryption – although can exchange keys

802.1X

• Using 802.1X, when device requests access to AP, it demands set of credentials

• AP forwards to standard RADIUS server for authentication & authorization

• Can be used to stop people plugging rogue devices into wired network

802.11i

• 802.11i standard for new WLANs

• Provides improved encryption for networks built on the common 802.11 standards

• Requires new encryption key protocols, known as Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES)

• Officially ratified by the IEEE in June of 2004, and thereby became part of the 802.11 family of wireless network specifications

802.11i

• Wi-Fi Protected Access (WPA) is a subset introduced because 802.11i was taking too long

• Uses Pre-Shared Key (PSK) for authentication & TKIP for encryption with RC4

• Changes key derivation and rotates more frequently (PSK authenticates and is used as seed for TKIP)

• Adds message integrity check function

• WPA2 uses AES instead of TKIP & RC4

802.11i

• Robust Security Network (RSN)

• Dynamic negotiation of authentication and encryption algorithms

• Will move with technology

• Authentication based on 802.1X and EAP

• Encryption provided by AES

• 2 modes

• WPA-Personal – PSK

• WPA-Enterprise – requires authentication server

Wireless Security

• Hard to limit access in a broadcast environment

• Must stop association with AP & encrypt

• Can use MAC address filtering, but they can be spoofed

• Stop broadcast of SSID – but can be sniffed off network + can cause problems

• Can VLAN wireless to allow for public & private LAN access through one AP

• Need Authentication

Page 12

Wireless Security

• Wireless access points should be on a separate DMZ connection, not on the wired network

• Wireless connections must pass through firewall

• Implement software firewall on all wireless

• WLAN networks exist in infrastructure or ad hoc mode (always use infrastructure)

VLANs

• Virtual LAN

• Segment network by separating devices into logical groups

• Scattered devices can be grouped and access the same resources even if on different switches

• VLANs can be isolated so that sensitive traffic is only delivered to certain devices

VLANs

• Communication between VLANs requires a router

• Communication within takes place in 2 ways:

• If connected to same switch, this can handle all transfers by assigning physical ports to VLANs

• Otherwise use 802.1Q port tagging (adding a tag field to the header)

• Devices on the same VLAN are in the same broadcast domain and logical network

VLANs

802.1Q Port Tagging

• Received packets are dealt with as follows:

• Untagged packet is tagged with port’s default VLAN ID

• Tagged packet is unaffected by default VLAN ID

• Packet dropped if port is not in VLAN specified in tag

• Packet forwarded to other ports with same VLAN ID if port is part of VLAN identified by tag

• Packets leaving port can be tagged or untagged

• Port can belong to more than one VLAN

VLANs

• Scenario:

• VLAN 10 – Sales (Ports 1, 2, 3 & 8)

• VLAN 20 – Marketing (Ports 2, 3, 4 & 8)

• VLAN 30 – Accounts (Ports 5, 6, 7 & 8)

• Port 8 – email server & internet

802.1Q Port Tagging

[Diagram: switch ports grouped into Sales, Marketing and Accounts VLANs]
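An added example, not from the slides, that applies the 802.1Q ingress rules above to the Sales/Marketing/Accounts scenario for a broadcast frame, which is flooded to the other ports of its VLAN. The port membership is the slide's; the default VLAN ID of each port and which ports send tagged frames are assumptions, since the slide does not give them.

```python
"""802.1Q forwarding for the slide's Sales/Marketing/Accounts scenario (added example, not from the slides).

Models a broadcast or unknown-unicast frame, which is flooded to every
other port in its VLAN. Port membership is the slide's. Assumptions not on
the slide: each port's default VLAN ID (PVID), and that port 8, the uplink
to the email server and Internet, sends tagged frames while the others
send untagged.
"""

# VLAN ID -> member ports, as given in the scenario
VLAN_MEMBERS = {10: {1, 2, 3, 8},      # Sales
                20: {2, 3, 4, 8},      # Marketing
                30: {5, 6, 7, 8}}      # Accounts

# Assumed default VLAN ID per port (used only for untagged ingress frames)
PVID = {1: 10, 2: 10, 3: 10, 4: 20, 5: 30, 6: 30, 7: 30, 8: 10}

# Assumed: ports whose egress frames keep the 802.1Q tag
TAGGED_EGRESS = {8}


def classify(ingress_port, tag=None):
    """VLAN the frame belongs to: the tag if present, else the port's PVID."""
    return PVID[ingress_port] if tag is None else tag


def forward(ingress_port, tag=None):
    """Return {egress port: VLAN ID if sent tagged, None if untagged},
    or None when the frame is dropped because the ingress port is not a
    member of the VLAN named in its tag."""
    vid = classify(ingress_port, tag)
    members = VLAN_MEMBERS.get(vid, set())
    if ingress_port not in members:
        return None
    return {p: (vid if p in TAGGED_EGRESS else None)
            for p in sorted(members - {ingress_port})}


def can_reach(src_port, dst_port, tag=None):
    """True if a frame entering src_port (with the given tag, if any) is delivered to dst_port."""
    out = forward(src_port, tag)
    return out is not None and dst_port in out


if __name__ == "__main__":
    print("Sales broadcast from port 1 goes to:", forward(1))
    print("Sales host on port 1 can reach Accounts port 5:", can_reach(1, 5))
```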

Network Access Control (NAC)

• Next generation of access control

• Machine is quarantined in a restricted network (DHCP/ARP)

• Has to prove health (i.e. latest patches, virus checkers, configuration, etc.)

• If meet health policy a health certificate is granted along with full access to network

Vendor                   Product                      Comments
Cisco                    Network Admission Control    Cisco hardware components
Microsoft                Network Access Protection    Primarily software-based (not just MS)
Juniper                  Unified Access Control       Emphasis on network hardware
Trusted Computing Group  Trusted Network Connect      Open, vendor-neutral specification


RADIUS Authentication

• Remote Authentication Dial-in User Service

• Widely used protocol in networks

• RADIUS is currently the de-facto standard for remote authentication

• IETF plan for Diameter to replace RADIUS using IPSec and TLS

• Developed in 1992 it is now used internally on networks, not just for Remote Access (in fact this is not so common)

RADIUS Authentication

• Commonly used for embedded network devices for the following reasons:

• Such devices generally cannot deal with a large number of users themselves

• Facilitates centralized user administration

• Consistently provides some level of protection against a sniffing, active attacker

• Support is nearly omni-present

• RADIUS Client forwards authentication to server from device requesting access

RADIUS Authentication

Supplicant -> RADIUS Client -> RADIUS Server

1. Remote access device (supplicant) sends a request for remote access to the RADIUS Client

2. RADIUS Client forwards the request to the RADIUS Server

3. RADIUS Server authenticates the request from a local DB or Directory Services

4. RADIUS Server sends the result of authentication to the RADIUS Client, which uses the result to grant or deny access

RADIUS Authentication

• RADIUS is flawed in several ways:

• The MD5-based stream cipher used to hide the password is weak in implementation

• MD5 shouldn’t be used as the primitive

• Access-Request packet is not authenticated

• Many implementations do not use sufficiently random Request Authenticators

• Shared secrets usually have insufficient entropy

• Apart from the hidden User-Password attribute, packets are sent unencrypted (packet sniffers)
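The four-step exchange and the weaknesses listed above, as an added Python example that is not from the original slides. It builds an Access-Request the way RFC 2865 does (User-Password hidden with an MD5 keystream derived from the shared secret and the Request Authenticator), lets a server recover the password, check it and sign the reply with the Response Authenticator, and then takes the attacker's side: one sniffed request/response pair is enough for an offline dictionary attack on a weak shared secret. The user database, shared secret and candidate list are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous block).
    The first 'previous block' is the Request Authenticator, so a repeated authenticator
    means a repeated keystream (the slide's 'insufficiently random' complaint)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the only integrity check in the exchange."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def access_request(user, password, secret, ident=1, request_auth=None):
    """Step 2: the RADIUS client (NAS) forwards the supplicant's credentials to the server."""
    request_auth = request_auth or os.urandom(16)      # must be unpredictable
    attrs = attribute(ATTR_USER_NAME, user) + attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(request, secret, users):
    """Steps 3-4: recover the password, check the local DB, answer with a signed Accept/Reject.
    Nothing on the request itself can be verified: any attribute could have been altered in transit."""
    _, ident, _ = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attributes(request)
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    code = ACCESS_ACCEPT if users.get(attrs.get(ATTR_USER_NAME)) == password else ACCESS_REJECT
    return build_packet(code, ident, response_authenticator(code, ident, b"", request_auth, secret), b"")


def client_verify(response, request_auth, secret) -> bool:
    """The NAS checks the Response Authenticator before acting on the result."""
    code, ident, _ = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, response[20:], request_auth, secret)
    return hmac.compare_digest(response[4:20], expected)


def guess_secret(request, response, candidates):
    """Attacker with one sniffed request/response pair: try shared secrets offline until the
    Response Authenticator matches. Low-entropy secrets fall to a wordlist this way."""
    request_auth = request[4:20]
    code, ident, _ = struct.unpack("!BBH", response[:4])
    for candidate in candidates:
        if response_authenticator(code, ident, response[20:], request_auth, candidate) == response[4:20]:
            return candidate
    return None


if __name__ == "__main__":
    secret, users = b"s3cret", {b"alice": b"password1"}      # constructed
    request, ra = access_request(b"alice", b"password1", secret, ident=7)
    response = server_handle(request, secret, users)
    print("accepted:", response[0] == ACCESS_ACCEPT, "reply verified:", client_verify(response, ra, secret))
    print("secret recovered offline:", guess_secret(request, response, [b"foo", b"s3cret", b"bar"]))
```

Once the secret is recovered the attacker can also unmask every sniffed User-Password and forge Access-Accepts, which is why the slides' advice on secret entropy matters more than any other setting. The later Message-Authenticator attribute (RFC 2869) adds an HMAC over the Access-Request; the example above deliberately shows the base protocol without it.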

Kerberos

• Is an Authentication Service

• Problem:

• Assume Open Distributed Environment

• Want Servers to restrict access to authorised users & authenticate requests

• 3 Threats:

• Attacker may gain access to legitimate workstation

• Attacker may impersonate workstation (spoofing)

• Attacker may eavesdrop & use replay attack


Kerberos

• Trusted third-party authentication protocol for TCP/IP networks

• Provides secure network authentication

• Based on symmetric-key cryptography (originally DES; Kerberos 5 also supports AES)

• Shares a different secret key with each entity on the network

• Knowledge of the secret key = proof of identity

• Entities are clients & servers, with clients including users & software

Kerberos Protocol

Encrypted Communication

• Alice & Bob share keys with trusted third party

• Alice wants to generate session key

• Alice sends identities to Trent – A,B

• Trent generates a timestamp, lifetime & random session key, sending EA(T,L,K,B),EB(T,L,K,A) to Alice

• Alice generates a message with her identity & timestamp, then sends EK(A,T),EB(T,L,K,A) to Bob

• Bob sends EK(T + 1) to Alice

• Assumes clocks are synchronised
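The exchange above with Alice, Bob and Trent run end to end, as an added Python example that is not from the original slides. It follows the slide's symbols (T, L, K, A, B), has Bob check the ticket lifetime, the authenticator timestamp against clock skew and a replay cache, and makes Bob prove knowledge of K with E_K(T+1). The symmetric cipher is a toy stand-in for DES built from a SHA-256 keystream with an HMAC tag, not Kerberos' real encryption; the long-term keys, names and clock values are constructed for the example.

```python
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, msg: dict) -> bytes:
    """E_key(msg): toy authenticated encryption standing in for the slide's DES."""
    pt = json.dumps(msg).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class Trent:
    """Trusted third party sharing a long-term key with every principal."""
    def __init__(self, keys: dict):
        self.keys = keys

    def issue(self, a: str, b: str, now: int, lifetime: int = 300):
        k = os.urandom(16).hex()                          # random session key K
        for_a = encrypt(self.keys[a], {"T": now, "L": lifetime, "K": k, "peer": b})   # E_A(T,L,K,B)
        for_b = encrypt(self.keys[b], {"T": now, "L": lifetime, "K": k, "peer": a})   # E_B(T,L,K,A)
        return for_a, for_b


class Bob:
    def __init__(self, name: str, key: bytes, skew: int = 60):
        self.name, self.key, self.skew = name, key, skew
        self.seen = set()                                 # replay cache of (A, T); purge entries older than skew in practice

    def accept(self, authenticator: bytes, ticket: bytes, now: int) -> bytes:
        info = decrypt(self.key, ticket)                  # only Bob can open E_B(T,L,K,A)
        k = bytes.fromhex(info["K"])
        auth = decrypt(k, authenticator)                  # E_K(A,T): the sender knows K
        if auth["A"] != info["peer"]:
            raise ValueError("authenticator identity does not match ticket")
        if not info["T"] - self.skew <= now <= info["T"] + info["L"]:
            raise ValueError("ticket expired or not yet valid")
        if abs(auth["T"] - now) > self.skew:
            raise ValueError("authenticator timestamp outside clock skew")
        if (auth["A"], auth["T"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((auth["A"], auth["T"]))
        return encrypt(k, {"T": auth["T"] + 1})           # E_K(T+1)


def alice_run(alice_key: bytes, alice: str, bob_name: str, trent: Trent, bob: Bob, now: int):
    """Alice's side of the exchange; returns the session key and the messages she sent to Bob."""
    for_a, for_b = trent.issue(alice, bob_name, now)      # Alice sends A,B; Trent replies
    info = decrypt(alice_key, for_a)
    if info["peer"] != bob_name:
        raise ValueError("Trent's reply names the wrong peer")
    k = bytes.fromhex(info["K"])
    authenticator = encrypt(k, {"A": alice, "T": now})    # E_K(A,T)
    reply = bob.accept(authenticator, for_b, now)
    if decrypt(k, reply)["T"] != now + 1:
        raise ValueError("Bob failed to prove knowledge of K")
    return k, authenticator, for_b


def error_of(fn):
    """Return the ValueError message raised by fn(), or None if it succeeded."""
    try:
        fn()
        return None
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    keys = {"alice": b"A" * 16, "bob": b"B" * 16}         # constructed long-term keys
    trent, bob, now = Trent(keys), Bob("bob", keys["bob"]), 1_700_000_000
    k, auth, ticket = alice_run(keys["alice"], "alice", "bob", trent, bob, now)
    print("session key agreed:", k.hex())
    print("replay of the same authenticator:", error_of(lambda: bob.accept(auth, ticket, now)))
    print("ticket presented after lifetime:", error_of(lambda: bob.accept(auth, ticket, now + 301)))
```

The replay cache is what turns the "assumes clocks are synchronised" line into a real defence: with a bounded skew Bob only has to remember authenticators for a short window, but without that bound a captured E_K(A,T) stays valid for as long as the ticket does.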

Kerberos

Client <-> Authentication Server <-> Ticket-Granting Server <-> Server

1. Request for Ticket-Granting Ticket (Client -> Authentication Server)

2. Ticket-Granting Ticket (Authentication Server -> Client)

3. Request for Server Ticket (Client -> Ticket-Granting Server)

4. Server Ticket (Ticket-Granting Server -> Client)

5. Request for Service (Client -> Server)

Kerberos

Realms & Multiple Servers

• Kerberos environment (realm) requires:

• Kerberos Server must have User ID & hashed password of all users

• Kerberos Server must share secret key with each server

• Kerberos Server in each interoperating realm must share secret key with server in other realm

• AS used once per session & TGS as needed

Transport Layer Security

• Authenticated & encrypted communication between clients & servers

• Originally developed by Netscape

• IETF standard called TLS based on SSL

• Layer 5/6 – above TCP/IP, but below Application

• Allows bi-directional authentication and encrypted connection

Transport Layer Security

• TLS Protocol includes 2 sub-protocols

• TLS Record Protocol

• TLS Handshake Protocol

• Handshake performs:

• Authenticate server to client

• Allow negotiation of cryptosystem

• Authenticate client to server (optional)

• Establish connection


Transport Layer Security

• TLS cipher suites have included DES, triple DES, RSA, DSA and MD5 (among others); current deployments use AES and SHA-2 based suites

• Utilises a symmetric cipher (block or stream) for session encryption

• Public-key for certification and key exchange in handshake

• Use session key to encrypt/decrypt data sent and validate integrity

• Valid for this session only

TLS Handshake

• Uses combination of public-key and symmetric key encryption

1. Client sends server its TLS version, cipher settings, random data + other relevant info

2. Server sends TLS version, cipher settings, random data + other info. Appends certificate (optionally requests client’s)

TLS Handshake

3. Client authenticates server’s certificate

4. Client uses data to produce premaster secretfor session & encrypts it with server’s public-key.

5. If requested server authenticates client

6. Server decrypts premaster secret. This is used to produce master secret at both ends

7. Generate session key from this

TLS Handshake

8. Client sends message indicating future messages will be encrypted. Sends encrypted message indicating client portion of handshake finished

9. Server does the same

10. Handshake now complete

• Client and server use session key for future communications, encrypting everything
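Steps 6 to 10 of the handshake carried out at both ends, as an added Python example that is not from the original slides. It uses the TLS 1.2 PRF (RFC 5246) to derive the master secret from the pre-master secret and the two random values, expands it into the per-direction session keys, and computes the Finished messages over each side's copy of the handshake transcript; a transcript altered in transit (here a stripped cipher list) makes the Finished check fail even though both ends hold the same keys. The pre-master secret is assumed to have already arrived RSA-encrypted in step 4, the randoms and hello messages are constructed, and the key sizes are those of AES-128-CBC with HMAC-SHA256.

```python
import hashlib
import hmac
import os


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 (RFC 5246 s5): A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_hash(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Step 6: both ends turn the 48-byte pre-master secret into the 48-byte master secret."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int = 32, key_len: int = 16, iv_len: int = 16) -> dict:
    """Step 7: expand the master secret into MAC keys, cipher keys and IVs for each direction
    (note the seed order is server random then client random here)."""
    kb = prf(master, b"key expansion", server_random + client_random, 2 * (mac_len + key_len + iv_len))
    layout = [("client_mac", mac_len), ("server_mac", mac_len), ("client_key", key_len),
              ("server_key", key_len), ("client_iv", iv_len), ("server_iv", iv_len)]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = kb[pos:pos + size]
        pos += size
    return keys


def finished_verify_data(master: bytes, label: bytes, transcript: bytes) -> bytes:
    """Steps 8-9: verify_data = PRF(master, label, SHA-256(handshake messages so far))[:12]."""
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)


def run_handshake(pre_master, client_random, server_random, client_view, server_view) -> dict:
    """Steps 6-10 with each side holding its own copy of the step 1-5 transcript;
    the two copies differ only if a message was altered on the way."""
    client_master = master_secret(pre_master, client_random, server_random)
    server_master = master_secret(pre_master, client_random, server_random)
    client_keys = key_block(client_master, client_random, server_random)
    server_keys = key_block(server_master, client_random, server_random)
    # step 8: the client's Finished covers everything it has sent and received
    client_finished = finished_verify_data(client_master, b"client finished", client_view)
    client_finished_ok = hmac.compare_digest(
        client_finished, finished_verify_data(server_master, b"client finished", server_view))
    # step 9: the server's Finished also covers the client's Finished message
    server_finished = finished_verify_data(server_master, b"server finished", server_view + client_finished)
    server_finished_ok = hmac.compare_digest(
        server_finished, finished_verify_data(client_master, b"server finished", client_view + client_finished))
    return {"keys_match": client_keys == server_keys,
            "client_finished_ok": client_finished_ok,
            "server_finished_ok": server_finished_ok,
            "complete": client_finished_ok and server_finished_ok,   # step 10
            "client_keys": client_keys}


def demo(downgrade: bool = False) -> dict:
    """Constructed hellos; with downgrade=True the server received a ClientHello whose
    strongest cipher a man-in-the-middle stripped out."""
    client_random, server_random = os.urandom(32), os.urandom(32)
    pre_master = b"\x03\x03" + bytes(46)          # version + 46 bytes; constant here for illustration only
    client_hello = b"ClientHello:" + client_random + b":AES128-SHA256,3DES-SHA"
    server_hello = b"ServerHello:" + server_random + b":3DES-SHA"
    server_saw = client_hello.replace(b"AES128-SHA256,", b"") if downgrade else client_hello
    return run_handshake(pre_master, client_random, server_random,
                         client_hello + server_hello, server_saw + server_hello)


if __name__ == "__main__":
    print("honest handshake complete:", demo()["complete"])
    print("tampered ClientHello detected:", not demo(downgrade=True)["client_finished_ok"])
```

The Finished messages are the part of the handshake that answers the "can we intercept traffic?" question that follows: the attacker can read steps 1 and 2, but cannot change them without the mismatch showing up in step 8.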

HTTPS

• HTTP over TLS connection

• Is this secure?

• Where is user authentication done?

• Can we intercept traffic?

• EV versus DV certificates

• Still have problems with keyloggers & spyware

• Password is plaintext within the HTML form submission; TLS protects it only in transit, not on the endpoint

Virtual Private Networks

• Encrypt TCP/IP Packets

• Transmit private data across public network whilst maintaining confidentiality and authenticity

• VPN usually works at layer 3

• Packet encrypted before IP header added

• Addition of a table of destinations and an encryption algorithm and keys

• VPN connections do slow down network traffic due to encryption


Virtual Private Networks

[Diagram: VPN endpoint 141.241.10.3 behind router 141.241.10.1, the Internet, router 141.241.12.1 and VPN endpoint 141.241.12.7, with the VPN connection running between the two endpoints]

Packet as seen along the path (source, destination, payload):

141.241.10.3 141.241.12.7 Message      (plaintext at the sending endpoint)

141.241.10.3 141.241.12.7 Ha&£Kl@      (encrypted payload on the wire; routers and the Internet see only ciphertext, addresses unchanged)

141.241.10.3 141.241.12.7 Message      (decrypted at the receiving endpoint)

Virtual Private Networks

• Can also use tunnelling

• Send and receive plaintext packets

• Encrypted/decrypted at tunnel ends

• Requires additional IP header

• Can now pass non-IP protocols through tunnel

• Increases packet size, therefore chance of fragmentation

Virtual Private Networks

[Diagram: endpoints 141.241.10.3 and 141.241.12.7 with the routers 141.241.10.1 and 141.241.12.1 acting as the tunnel ends across the Internet]

Packet along the tunnel (outer source, outer destination, encapsulated inner packet):

141.241.10.3 141.241.12.7 Message                                  (original packet from the endpoint to its router)

141.241.10.1 141.241.12.1 141.241.10.3 | 141.241.12.7 | Message    (router adds an outer IP header)

141.241.10.1 141.241.12.1 hr*ke?fk4$=_(jFJKfYyu5j*&(*$'fmgO@        (whole inner packet encrypted in transit)

141.241.10.1 141.241.12.1 141.241.10.3 | 141.241.12.7 | Message    (decrypted at the far router)

141.241.10.3 141.241.12.7 Message                                  (outer header removed, delivered to the endpoint)
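The encapsulation in the diagram and the packet-size point above, as an added Python example that is not from the original slides. It builds the outer IPv4 header a tunnel end adds (Don't Fragment set), parses both headers back to show the inner addresses hidden behind the outer ones, and works out how much an ESP tunnel grows a packet and the largest inner packet that still fits a 1500-byte path MTU. The ESP cipher suite (AES-CBC with HMAC-SHA1-96) is an assumption, the header sizes are from RFC 4303, the addresses are the slide's, and the encryption itself is left out so the inner packet stays readable.

```python
import socket
import struct

IPV4_HDR = 20
ESP_HDR = 8          # SPI + sequence number (RFC 4303)
CBC_IV = 16          # AES-CBC IV
CBC_BLOCK = 16       # padding aligns payload + trailer to the cipher block
ESP_TRAILER = 2      # pad length + next header
ICV = 12             # HMAC-SHA1-96 integrity check value
ESP_PROTO = 50


def on_wire_size(inner_len: int, tunnel: bool) -> int:
    """Size of an inner IPv4 packet after ESP. Tunnel mode protects the whole inner packet and
    adds a new outer header; transport mode keeps the original header and protects only the payload."""
    body = inner_len if tunnel else inner_len - IPV4_HDR
    pad = (-(body + ESP_TRAILER)) % CBC_BLOCK
    return IPV4_HDR + ESP_HDR + CBC_IV + body + pad + ESP_TRAILER + ICV


def fragments_needed(inner_len: int, tunnel: bool, mtu: int = 1500) -> bool:
    return on_wire_size(inner_len, tunnel) > mtu


def max_inner_without_fragmentation(tunnel: bool, mtu: int = 1500) -> int:
    """Largest inner packet that still fits the path MTU: the value to set as the tunnel
    interface MTU (and to clamp TCP MSS against) so the encrypted packets are never fragmented."""
    n = mtu
    while on_wire_size(n, tunnel) > mtu:
        n -= 1
    return n


def _checksum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, proto: int, df: bool = True) -> bytes:
    flags_frag = 0x4000 if df else 0        # DF set: rely on path MTU discovery instead of fragmenting
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + payload_len, 0, flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    _, _, total, _, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:IPV4_HDR])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
            "total_len": total, "df": bool(flags_frag & 0x4000), "checksum_ok": _checksum(pkt[:IPV4_HDR]) == 0}


def tunnel_encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Tunnel mode: the whole inner packet becomes the payload of a new packet between the tunnel ends."""
    return ipv4_header(outer_src, outer_dst, len(inner), ESP_PROTO) + inner


if __name__ == "__main__":
    inner = ipv4_header("141.241.10.3", "141.241.12.7", len(b"Message"), proto=6) + b"Message"
    outer = tunnel_encapsulate(inner, "141.241.10.1", "141.241.12.1")
    print("outer:", parse_ipv4(outer))
    print("inner:", parse_ipv4(outer[IPV4_HDR:]))
    for mode, tunnel in (("transport", False), ("tunnel", True)):
        print(mode, "1500-byte packet becomes", on_wire_size(1500, tunnel),
              "bytes; largest unfragmented inner packet", max_inner_without_fragmentation(tunnel))
```

A 1500-byte LAN packet comes out of the tunnel at 1560 bytes and has to be fragmented on a 1500-byte link; lowering the tunnel MTU to 1438 bytes (for this cipher suite) avoids that, at the cost of the extra header the slides mention.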

Virtual Private Networks

• Usually client machine will connect to a remote VPN Server

• Client will then obtain an IP address on the remote network

• Traffic can be routed via connection

• Can get firewalls which set up their own VPN to a remote network – i.e. tunnelled

• If using a firewall, it must be able to pass VPN Connections

• VPN Client software included in OS

Virtual Private Networks

• Several methods set up for VPN:

• Point-to-Point Tunnelling Protocol (PPTP)

• Layer 2 Tunnelling Protocol (L2TP)

• TLS Web-based access & VPNs

• IPSec Tunnel

• PPTP & L2TP are Layer 2

• IPSec is Layer 3 & can be a solution on its own or just the encryption mechanism for L2TP (L2TP/IPSec); PPTP uses its own encryption (MPPE)

Virtual Private Networks

• PPTP and L2TP are the most common forms of VPN, but not the most secure

• Point-to-Point Tunnelling Protocol (PPTP) is a networking technology that supports multiprotocol VPNs: a remote user dials into a local Internet service provider over the Point-to-Point Protocol (PPP) and is then tunnelled across the Internet to the corporate network

• Can be used over Ethernet as well as PPP

• Authentication comes from PPP: CHAP (Challenge Handshake Authentication Protocol, a challenge-response with a pre-shared secret & MD5), or MS-CHAP/MS-CHAPv2 in Microsoft implementations, which have known weaknesses


Virtual Private Networks

• IPSec provides ability to secure communications across LAN/WAN/Internet

• Obvious choice for VPN

• However, complex & has problems – notably non-interoperability

• Can use pre-shared secret

• Has automatic key-exchange

Virtual Private Networks

• Sending & receiving systems must share encryption key

• Can be accomplished manually

• Requires identical algorithms

• Automatic key exchange also possible (desirable!)

• Using IPSec, automatic key exchange is done by IKE, which can reuse an existing security association or negotiate a new one

Virtual Private Networks

• Virtual Network Perimeter

• By using Internet instead of leased lines, VPN participants get many benefits of WAN, but at much lower cost (30-70%)

• In linking remote sites using VPN, extend network perimeter

• Only as secure as your weakest link!

• Deal with different remote clients differently

• Every client must use firewall

TLS VPN

• A lot of myths & misinformation from vendors

• Most vendors provide SSL gateways, providing access to corporate applications

• Most aren’t VPNs

• Four methods of connection:

• Proxy

• Application translation

• Port forwarding

• Network extension – only VPN solution

• Vendors who don’t require client only provide first two

Desktop Virtualisation

• Designed to provide remote display & input capabilities over network connections

• Tasks performed on the server and displayed on the (thin) client

• Benefits:

• Centralised deployment of Line-of-Business Applications

• Access to Remote Desktop

• Enhanced Administration and Support

• Virtual Desktop – central server hosting multiple sessions delivering the desktop remotely

• Remote Applications – similar to Virtual Desktop, but only the application is delivered

• Operating System Virtualisation – run a complete dedicated virtual machine for each user

• Application Virtualisation – stream the application to the machine and run it virtualised

Desktop Virtualisation