Network and Internet Defences - Computer Security Lecture 12
Transcript of Network and Internet Defences - Computer Security Lecture 12
![Page 1: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/1.jpg)
Network and
Internet DefencesComputer Security Lecture 12
David Aspinall
School of InformaticsUniversity of Edinburgh
7th March 2013
![Page 2: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/2.jpg)
Outline
Firewalls
Attack detection
Attack attraction
Building in security
![Page 3: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/3.jpg)
Outline
Firewalls
Attack detection
Attack attraction
Building in security
![Page 4: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/4.jpg)
Firewall varietiesProtect vulnerable machines; compensate for
impossibility of securing internal networks.
1. Packet filters. Cheap, fast, stateless. Filter based
on source/dest addresses, port numbers. Built into
routers. Drawbacks: prevent some protocols (plain
FTP, maybe UDP), dynamic port assignment (RPC).
![Page 5: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/5.jpg)
Firewall varietiesProtect vulnerable machines; compensate for
impossibility of securing internal networks.
1. Packet filters. Cheap, fast, stateless. Filter based
on source/dest addresses, port numbers. Built into
routers. Drawbacks: prevent some protocols (plain
FTP, maybe UDP), dynamic port assignment (RPC).
2. Dynamic packet filters. Stateful filters; allow
more protocols by parsing command streams,
portmapper messages, UDP protocols, “port
knocking”. Drawback: complexity.
![Page 6: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/6.jpg)
Firewall varietiesProtect vulnerable machines; compensate for
impossibility of securing internal networks.
1. Packet filters. Cheap, fast, stateless. Filter based
on source/dest addresses, port numbers. Built into
routers. Drawbacks: prevent some protocols (plain
FTP, maybe UDP), dynamic port assignment (RPC).
2. Dynamic packet filters. Stateful filters; allow
more protocols by parsing command streams,
portmapper messages, UDP protocols, “port
knocking”. Drawback: complexity.
3. Application gateways. Each app has dedicated
program at firewall which acts as a relay/proxy.
SMTP and HTTP work well. Drawback: gateways for
each app; bottlenecks.
![Page 7: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/7.jpg)
Firewall varietiesProtect vulnerable machines; compensate for
impossibility of securing internal networks.
1. Packet filters. Cheap, fast, stateless. Filter based
on source/dest addresses, port numbers. Built into
routers. Drawbacks: prevent some protocols (plain
FTP, maybe UDP), dynamic port assignment (RPC).
2. Dynamic packet filters. Stateful filters; allow
more protocols by parsing command streams,
portmapper messages, UDP protocols, “port
knocking”. Drawback: complexity.
3. Application gateways. Each app has dedicated
program at firewall which acts as a relay/proxy.
SMTP and HTTP work well. Drawback: gateways for
each app; bottlenecks.
4. Circuit relays, e.g., SOCKS. Generic circuit-passing
for TCP connections. Middle ground between 1
and 3. Drawbacks: poor for outgoing traffic (can
even tunnel IP).
![Page 8: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/8.jpg)
Firewall issues◮ Outbound (egress) filtering blocks launch points in
DoS attacks and prevents spyware software which
“phones home” with user information.
![Page 9: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/9.jpg)
Firewall issues◮ Outbound (egress) filtering blocks launch points in
DoS attacks and prevents spyware software which
“phones home” with user information.◮ Complex architectures use multiple firewalls.
Outermost, a packet filter (choke), links to internal
demilitarized zone (DMZ) subnet, with further
app relays, filters, and isolated intranets.
![Page 10: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/10.jpg)
Firewall issues◮ Outbound (egress) filtering blocks launch points in
DoS attacks and prevents spyware software which
“phones home” with user information.◮ Complex architectures use multiple firewalls.
Outermost, a packet filter (choke), links to internal
demilitarized zone (DMZ) subnet, with further
app relays, filters, and isolated intranets.◮ Security cornerstone, yet serious limitations:
![Page 11: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/11.jpg)
Firewall issues◮ Outbound (egress) filtering blocks launch points in
DoS attacks and prevents spyware software which
“phones home” with user information.◮ Complex architectures use multiple firewalls.
Outermost, a packet filter (choke), links to internal
demilitarized zone (DMZ) subnet, with further
app relays, filters, and isolated intranets.◮ Security cornerstone, yet serious limitations:
◮ Hard to configure/maintain (tiger teams/automatedanalysis).
![Page 12: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/12.jpg)
Firewall issues◮ Outbound (egress) filtering blocks launch points in
DoS attacks and prevents spyware software which
“phones home” with user information.◮ Complex architectures use multiple firewalls.
Outermost, a packet filter (choke), links to internal
demilitarized zone (DMZ) subnet, with further
app relays, filters, and isolated intranets.◮ Security cornerstone, yet serious limitations:
◮ Hard to configure/maintain (tiger teams/automatedanalysis).
◮ May bypass(frag’d packets, FIN-scans, tunnels).
![Page 13: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/13.jpg)
Firewall issues◮ Outbound (egress) filtering blocks launch points in
DoS attacks and prevents spyware software which
“phones home” with user information.◮ Complex architectures use multiple firewalls.
Outermost, a packet filter (choke), links to internal
demilitarized zone (DMZ) subnet, with further
app relays, filters, and isolated intranets.◮ Security cornerstone, yet serious limitations:
◮ Hard to configure/maintain (tiger teams/automatedanalysis).
◮ May bypass(frag’d packets, FIN-scans, tunnels).◮ Don’t prevent attacks at higher level. Circuit relaywon’t prevent SMTP attacks. Application gatewaymay scan emails for viruses, but either accepts orrejects too much.
![Page 14: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/14.jpg)
Firewall issues◮ Outbound (egress) filtering blocks launch points in
DoS attacks and prevents spyware software which
“phones home” with user information.◮ Complex architectures use multiple firewalls.
Outermost, a packet filter (choke), links to internal
demilitarized zone (DMZ) subnet, with further
app relays, filters, and isolated intranets.◮ Security cornerstone, yet serious limitations:
◮ Hard to configure/maintain (tiger teams/automatedanalysis).
◮ May bypass(frag’d packets, FIN-scans, tunnels).◮ Don’t prevent attacks at higher level. Circuit relaywon’t prevent SMTP attacks. Application gatewaymay scan emails for viruses, but either accepts orrejects too much.
◮ Clearly can’t prevent inside attacks, or protect appsthat must be exposed (web servers). Growth ofweb-services: “Internet interprets censorship asdamage and routes around it.”
![Page 15: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/15.jpg)
Outline
Firewalls
Attack detection
Attack attraction
Building in security
![Page 16: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/16.jpg)
Logging, Auditing and Forensics◮ After break-in attempts or compromise, log files
may provide evidence and audit trails.
![Page 17: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/17.jpg)
Logging, Auditing and Forensics◮ After break-in attempts or compromise, log files
may provide evidence and audit trails.
◮ Common Unix logs (in /var/log): lastlog, utmpand wtmp, actt and psacct, messages, secure.Other programs have specific logs, e.g: maillog,httpd/access_log, xfer_log.
![Page 18: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/18.jpg)
Logging, Auditing and Forensics◮ After break-in attempts or compromise, log files
may provide evidence and audit trails.
◮ Common Unix logs (in /var/log): lastlog, utmpand wtmp, actt and psacct, messages, secure.Other programs have specific logs, e.g: maillog,httpd/access_log, xfer_log.
◮ Beware! If a system has been compromised, there
may be no guarantee of the integrity of the log files.
Countermeasures: use append only filesystem; log
to a dedicated secure server or even secure printer.
![Page 19: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/19.jpg)
Logging, Auditing and Forensics◮ After break-in attempts or compromise, log files
may provide evidence and audit trails.
◮ Common Unix logs (in /var/log): lastlog, utmpand wtmp, actt and psacct, messages, secure.Other programs have specific logs, e.g: maillog,httpd/access_log, xfer_log.
◮ Beware! If a system has been compromised, there
may be no guarantee of the integrity of the log files.
Countermeasures: use append only filesystem; log
to a dedicated secure server or even secure printer.
◮ Certification may require logging, but log analysis
tools are limited (exceptions: swatch, logwatch).
![Page 20: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/20.jpg)
Logging, Auditing and Forensics◮ After break-in attempts or compromise, log files
may provide evidence and audit trails.
◮ Common Unix logs (in /var/log): lastlog, utmpand wtmp, actt and psacct, messages, secure.Other programs have specific logs, e.g: maillog,httpd/access_log, xfer_log.
◮ Beware! If a system has been compromised, there
may be no guarantee of the integrity of the log files.
Countermeasures: use append only filesystem; log
to a dedicated secure server or even secure printer.
◮ Certification may require logging, but log analysis
tools are limited (exceptions: swatch, logwatch).
◮ Forensics: the art of reading other less obvious,
incidental trails. E.g., shell, editor, application
history/lock files; secret key files; outgoing mail
drops, firewall and web cache logs; ultimately file
system block level or hard-drive data recovery.
![Page 21: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/21.jpg)
Intrusion Detection◮ Realization: log and audit info was hardly used.Idea: trigger an alarm when some conditionobserved; alarm may be log/email (risks slowresponse) or shutdown/recovery (risks DoS).
![Page 22: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/22.jpg)
Intrusion Detection◮ Realization: log and audit info was hardly used.Idea: trigger an alarm when some conditionobserved; alarm may be log/email (risks slowresponse) or shutdown/recovery (risks DoS).◮ boundary conditions: traditional simple tests ofnumber of failed logins, credit cardexpenditure/location movement.
![Page 23: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/23.jpg)
Intrusion Detection◮ Realization: log and audit info was hardly used.Idea: trigger an alarm when some conditionobserved; alarm may be log/email (risks slowresponse) or shutdown/recovery (risks DoS).◮ boundary conditions: traditional simple tests ofnumber of failed logins, credit cardexpenditure/location movement.
◮ misuse detection: model likely behaviour of anintruder. Scan for characteristic attack signatures,e.g., presence of virus, system file changes(Tripwire), execution of unusual commands, orfalling into honey trap.
![Page 24: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/24.jpg)
Intrusion Detection◮ Realization: log and audit info was hardly used.Idea: trigger an alarm when some conditionobserved; alarm may be log/email (risks slowresponse) or shutdown/recovery (risks DoS).◮ boundary conditions: traditional simple tests ofnumber of failed logins, credit cardexpenditure/location movement.
◮ misuse detection: model likely behaviour of anintruder. Scan for characteristic attack signatures,e.g., presence of virus, system file changes(Tripwire), execution of unusual commands, orfalling into honey trap.
◮ anomaly detection: use heuristics or neural netsto build model of normal behaviour, and then flagunusual events.
![Page 25: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/25.jpg)
Intrusion Detection◮ Realization: log and audit info was hardly used.Idea: trigger an alarm when some conditionobserved; alarm may be log/email (risks slowresponse) or shutdown/recovery (risks DoS).◮ boundary conditions: traditional simple tests ofnumber of failed logins, credit cardexpenditure/location movement.
◮ misuse detection: model likely behaviour of anintruder. Scan for characteristic attack signatures,e.g., presence of virus, system file changes(Tripwire), execution of unusual commands, orfalling into honey trap.
◮ anomaly detection: use heuristics or neural netsto build model of normal behaviour, and then flagunusual events.
◮ Issues: difficult problem; Internet is noisy medium;
too few attacks so more false alarms than real
ones; maintaining library of attack signatures;
encryption can conceal signatures.
![Page 26: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/26.jpg)
Outline
Firewalls
Attack detection
Attack attraction
Building in security
![Page 27: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/27.jpg)
Honeypots and Honeynets
◮ Honeypot/net: a system or network whose value
lies in being probed or attacked. Not necessarily
designed to attract attackers explicitly.
![Page 28: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/28.jpg)
Honeypots and Honeynets
◮ Honeypot/net: a system or network whose value
lies in being probed or attacked. Not necessarily
designed to attract attackers explicitly.
◮ Idea raised 1990/1: Clifford Stoll’s book The
Cuckoo’s Egg and Bill Cheswick’s paper An Evening
with Berferd. Products appeared 1997 on.
![Page 29: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/29.jpg)
Honeypots and Honeynets
◮ Honeypot/net: a system or network whose value
lies in being probed or attacked. Not necessarily
designed to attract attackers explicitly.
◮ Idea raised 1990/1: Clifford Stoll’s book The
Cuckoo’s Egg and Bill Cheswick’s paper An Evening
with Berferd. Products appeared 1997 on.
◮ Primary use: gathering data on attacks, maybe as
evidence. Easy since any activity is abnormal.
Standard technology: logging, packet scanning,
IDS. Log security critical!
![Page 30: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/30.jpg)
Honeypots and Honeynets
◮ Honeypot/net: a system or network whose value
lies in being probed or attacked. Not necessarily
designed to attract attackers explicitly.
◮ Idea raised 1990/1: Clifford Stoll’s book The
Cuckoo’s Egg and Bill Cheswick’s paper An Evening
with Berferd. Products appeared 1997 on.
◮ Primary use: gathering data on attacks, maybe as
evidence. Easy since any activity is abnormal.
Standard technology: logging, packet scanning,
IDS. Log security critical!
◮ Advantages: false positives and false negatives
reduced compared with IDS running on ordinary
production machines. But perhaps additional risk
associated in both IT and legal senses (ex: where?)
![Page 31: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/31.jpg)
Honeypots and Honeynets
◮ Honeypot/net: a system or network whose value
lies in being probed or attacked. Not necessarily
designed to attract attackers explicitly.
◮ Idea raised 1990/1: Clifford Stoll’s book The
Cuckoo’s Egg and Bill Cheswick’s paper An Evening
with Berferd. Products appeared 1997 on.
◮ Primary use: gathering data on attacks, maybe as
evidence. Easy since any activity is abnormal.
Standard technology: logging, packet scanning,
IDS. Log security critical!
◮ Advantages: false positives and false negatives
reduced compared with IDS running on ordinary
production machines. But perhaps additional risk
associated in both IT and legal senses (ex: where?)◮ Distinction:
![Page 32: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/32.jpg)
Honeypots and Honeynets
◮ Honeypot/net: a system or network whose value
lies in being probed or attacked. Not necessarily
designed to attract attackers explicitly.
◮ Idea raised 1990/1: Clifford Stoll’s book The
Cuckoo’s Egg and Bill Cheswick’s paper An Evening
with Berferd. Products appeared 1997 on.
◮ Primary use: gathering data on attacks, maybe as
evidence. Easy since any activity is abnormal.
Standard technology: logging, packet scanning,
IDS. Log security critical!
◮ Advantages: false positives and false negatives
reduced compared with IDS running on ordinary
production machines. But perhaps additional risk
associated in both IT and legal senses (ex: where?)◮ Distinction:
◮ production honeypots
![Page 33: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/33.jpg)
Honeypots and Honeynets
◮ Honeypot/net: a system or network whose value
lies in being probed or attacked. Not necessarily
designed to attract attackers explicitly.
◮ Idea raised 1990/1: Clifford Stoll’s book The
Cuckoo’s Egg and Bill Cheswick’s paper An Evening
with Berferd. Products appeared 1997 on.
◮ Primary use: gathering data on attacks, maybe as
evidence. Easy since any activity is abnormal.
Standard technology: logging, packet scanning,
IDS. Log security critical!
◮ Advantages: false positives and false negatives
reduced compared with IDS running on ordinary
production machines. But perhaps additional risk
associated in both IT and legal senses (ex: where?)◮ Distinction:
◮ production honeypots◮ research honeypots
![Page 34: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/34.jpg)
Production Honeypot Deployment
◮ Production honeypots configured identically to
corresponding machines. No DNS entries.
![Page 35: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/35.jpg)
Research Honeypots and Honeynets◮ More sophisticated than production systems.
![Page 36: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/36.jpg)
Research Honeypots and Honeynets◮ More sophisticated than production systems.
◮ Often a high-level of virtualization. Single machine
may simulate entire heterogeneous network,
including routers, workstations, printers.
![Page 37: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/37.jpg)
Research Honeypots and Honeynets◮ More sophisticated than production systems.
◮ Often a high-level of virtualization. Single machine
may simulate entire heterogeneous network,
including routers, workstations, printers.
◮ Containment important: we can use jailed
environments. For example, Unix chroot with
customized suite of programs. Risks: attacker
recognizes this, or breaks out.
![Page 38: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/38.jpg)
Research Honeypots and Honeynets◮ More sophisticated than production systems.
◮ Often a high-level of virtualization. Single machine
may simulate entire heterogeneous network,
including routers, workstations, printers.
◮ Containment important: we can use jailed
environments. For example, Unix chroot with
customized suite of programs. Risks: attacker
recognizes this, or breaks out.
◮ Limiting external connectivity also important: don’t
want to become the launch point for attacks on
external networks.
![Page 39: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/39.jpg)
Research Honeypots and Honeynets◮ More sophisticated than production systems.
◮ Often a high-level of virtualization. Single machine
may simulate entire heterogeneous network,
including routers, workstations, printers.
◮ Containment important: we can use jailed
environments. For example, Unix chroot with
customized suite of programs. Risks: attacker
recognizes this, or breaks out.
◮ Limiting external connectivity also important: don’t
want to become the launch point for attacks on
external networks.
◮ Nonetheless want to offer a high level of interaction
to attackers as possible, and appear convincing
(e.g. assign a domain name, fabricate a list of
users, simulate network activity).
![Page 40: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/40.jpg)
Research Honeypots and Honeynets◮ More sophisticated than production systems.
◮ Often a high-level of virtualization. Single machine
may simulate entire heterogeneous network,
including routers, workstations, printers.
◮ Containment important: we can use jailed
environments. For example, Unix chroot with
customized suite of programs. Risks: attacker
recognizes this, or breaks out.
◮ Limiting external connectivity also important: don’t
want to become the launch point for attacks on
external networks.
◮ Nonetheless want to offer a high level of interaction
to attackers as possible, and appear convincing
(e.g. assign a domain name, fabricate a list of
users, simulate network activity).
◮ Advanced attackers (as opposed to script kiddies)
may still be difficult to detect/attract.
![Page 41: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/41.jpg)
The Honeynet Project (www.honeynet.org)
◮ “A non-profit research organization of security
professionals dedicated to learning the tools,
tactics, and motives of the blackhat community and
sharing the lessons learned.”
![Page 42: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/42.jpg)
The Honeynet Project (www.honeynet.org)
◮ “A non-profit research organization of security
professionals dedicated to learning the tools,
tactics, and motives of the blackhat community and
sharing the lessons learned.”
◮ Fanciful analogy to scouts in military. Produced
revealing series of Know Your Enemy papers.
![Page 43: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/43.jpg)
The Honeynet Project (www.honeynet.org)
◮ “A non-profit research organization of security
professionals dedicated to learning the tools,
tactics, and motives of the blackhat community and
sharing the lessons learned.”
◮ Fanciful analogy to scouts in military. Produced
revealing series of Know Your Enemy papers.
◮ Started in 1999 by building (real) honeynets fromstandard installs of production systems. Results:
![Page 44: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/44.jpg)
The Honeynet Project (www.honeynet.org)
◮ “A non-profit research organization of security
professionals dedicated to learning the tools,
tactics, and motives of the blackhat community and
sharing the lessons learned.”
◮ Fanciful analogy to scouts in military. Produced
revealing series of Know Your Enemy papers.
◮ Started in 1999 by building (real) honeynets fromstandard installs of production systems. Results:◮ End 2000: average life expectancy of standardRedHat 6.2 install was <72hrs
![Page 45: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/45.jpg)
The Honeynet Project (www.honeynet.org)
◮ “A non-profit research organization of security
professionals dedicated to learning the tools,
tactics, and motives of the blackhat community and
sharing the lessons learned.”
◮ Fanciful analogy to scouts in military. Produced
revealing series of Know Your Enemy papers.
◮ Started in 1999 by building (real) honeynets fromstandard installs of production systems. Results:◮ End 2000: average life expectancy of standardRedHat 6.2 install was <72hrs
◮ Records: system compromise 15mins, worm: 90secs
![Page 46: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/46.jpg)
The Honeynet Project (www.honeynet.org)
◮ “A non-profit research organization of security
professionals dedicated to learning the tools,
tactics, and motives of the blackhat community and
sharing the lessons learned.”
◮ Fanciful analogy to scouts in military. Produced
revealing series of Know Your Enemy papers.
◮ Started in 1999 by building (real) honeynets fromstandard installs of production systems. Results:◮ End 2000: average life expectancy of standardRedHat 6.2 install was <72hrs
◮ Records: system compromise 15mins, worm: 90secs◮ 2001: 100% increase in incidents
![Page 47: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/47.jpg)
The Honeynet Project (www.honeynet.org)
◮ “A non-profit research organization of security
professionals dedicated to learning the tools,
tactics, and motives of the blackhat community and
sharing the lessons learned.”
◮ Fanciful analogy to scouts in military. Produced
revealing series of Know Your Enemy papers.
◮ Started in 1999 by building (real) honeynets fromstandard installs of production systems. Results:◮ End 2000: average life expectancy of standardRedHat 6.2 install was <72hrs
◮ Records: system compromise 15mins, worm: 90secs◮ 2001: 100% increase in incidents
◮ CDROM Roo, boots into a Linux-based Honeynet
gateway, or “Honeywall”. Target systems placed
behind the gateway; the gateway performs all Data
Capture (i.e., logging) and Data Control (i.e.,
containment; firewalling).
![Page 48: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/48.jpg)
Client Honeypots (2004-)
◮ Realisation: honeypots mainly passive and
watching servers, while many exploits attack
clients to install malware.
![Page 49: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/49.jpg)
Client Honeypots (2004-)
◮ Realisation: honeypots mainly passive and
watching servers, while many exploits attack
clients to install malware.
◮ Basic idea:
![Page 50: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/50.jpg)
Client Honeypots (2004-)
◮ Realisation: honeypots mainly passive and
watching servers, while many exploits attack
clients to install malware.
◮ Basic idea:
1. design a honeyclient that emulates or is built-on astandard client or suite (e.g., IE 6 in WinXP)
![Page 51: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/51.jpg)
Client Honeypots (2004-)
◮ Realisation: honeypots mainly passive and
watching servers, while many exploits attack
clients to install malware.
◮ Basic idea:
1. design a honeyclient that emulates or is built-on astandard client or suite (e.g., IE 6 in WinXP)
2. use Tripwire-like methods to monitor client, systemfiles, registry, etc
![Page 52: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/52.jpg)
Client Honeypots (2004-)
◮ Realisation: honeypots mainly passive and
watching servers, while many exploits attack
clients to install malware.
◮ Basic idea:
1. design a honeyclient that emulates or is built-on astandard client or suite (e.g., IE 6 in WinXP)
2. use Tripwire-like methods to monitor client, systemfiles, registry, etc
3. crawl suspicious web sites or URLs in emails
![Page 53: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/53.jpg)
Client Honeypots (2004-)
◮ Realisation: honeypots mainly passive and
watching servers, while many exploits attack
clients to install malware.
◮ Basic idea:
1. design a honeyclient that emulates or is built-on astandard client or suite (e.g., IE 6 in WinXP)
2. use Tripwire-like methods to monitor client, systemfiles, registry, etc
3. crawl suspicious web sites or URLs in emails4. build database of malicious file alterations
![Page 54: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/54.jpg)
Client Honeypots (2004-)
◮ Realisation: honeypots mainly passive and
watching servers, while many exploits attack
clients to install malware.
◮ Basic idea:
1. design a honeyclient that emulates or is built-on astandard client or suite (e.g., IE 6 in WinXP)
2. use Tripwire-like methods to monitor client, systemfiles, registry, etc
3. crawl suspicious web sites or URLs in emails4. build database of malicious file alterations5. filter whitelist of innocuous changes
![Page 55: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/55.jpg)
Client Honeypots (2004-)
◮ Realisation: honeypots mainly passive and
watching servers, while many exploits attack
clients to install malware.
◮ Basic idea:
1. design a honeyclient that emulates or is built-on astandard client or suite (e.g., IE 6 in WinXP)
2. use Tripwire-like methods to monitor client, systemfiles, registry, etc
3. crawl suspicious web sites or URLs in emails4. build database of malicious file alterations5. filter whitelist of innocuous changes6. learn about exploits, build blacklist of URLs
![Page 56: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/56.jpg)
Client Honeypots (2004-)
◮ Realisation: honeypots mainly passive and
watching servers, while many exploits attack
clients to install malware.
◮ Basic idea:
1. design a honeyclient that emulates or is built-on astandard client or suite (e.g., IE 6 in WinXP)
2. use Tripwire-like methods to monitor client, systemfiles, registry, etc
3. crawl suspicious web sites or URLs in emails4. build database of malicious file alterations5. filter whitelist of innocuous changes6. learn about exploits, build blacklist of URLs
◮ Implementations:
![Page 57: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/57.jpg)
Client Honeypots (2004-)
◮ Realisation: honeypots mainly passive and
watching servers, while many exploits attack
clients to install malware.
◮ Basic idea:
1. design a honeyclient that emulates or is built-on astandard client or suite (e.g., IE 6 in WinXP)
2. use Tripwire-like methods to monitor client, systemfiles, registry, etc
3. crawl suspicious web sites or URLs in emails4. build database of malicious file alterations5. filter whitelist of innocuous changes6. learn about exploits, build blacklist of URLs
◮ Implementations:◮ MITRE Honeyclient (2004)
![Page 58: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/58.jpg)
Client Honeypots (2004-)
◮ Realisation: honeypots mainly passive and
watching servers, while many exploits attack
clients to install malware.
◮ Basic idea:
1. design a honeyclient that emulates or is built-on astandard client or suite (e.g., IE 6 in WinXP)
2. use Tripwire-like methods to monitor client, systemfiles, registry, etc
3. crawl suspicious web sites or URLs in emails4. build database of malicious file alterations5. filter whitelist of innocuous changes6. learn about exploits, build blacklist of URLs
◮ Implementations:◮ MITRE Honeyclient (2004)◮ Microsoft’s HoneyMonkey (2005)
![Page 59: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/59.jpg)
Client Honeypots (2004-)
◮ Realisation: honeypots mainly passive and
watching servers, while many exploits attack
clients to install malware.
◮ Basic idea:
1. design a honeyclient that emulates or is built-on astandard client or suite (e.g., IE 6 in WinXP)
2. use Tripwire-like methods to monitor client, systemfiles, registry, etc
3. crawl suspicious web sites or URLs in emails4. build database of malicious file alterations5. filter whitelist of innocuous changes6. learn about exploits, build blacklist of URLs
◮ Implementations:◮ MITRE Honeyclient (2004)◮ Microsoft’s HoneyMonkey (2005)◮ Google Safe Browsing API (2008)
![Page 60: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/60.jpg)
Client Honeypots (2004-)
◮ Realisation: honeypots mainly passive and
watching servers, while many exploits attack
clients to install malware.
◮ Basic idea:
1. design a honeyclient that emulates or is built-on astandard client or suite (e.g., IE 6 in WinXP)
2. use Tripwire-like methods to monitor client, systemfiles, registry, etc
3. crawl suspicious web sites or URLs in emails4. build database of malicious file alterations5. filter whitelist of innocuous changes6. learn about exploits, build blacklist of URLs
◮ Implementations:◮ MITRE Honeyclient (2004)◮ Microsoft’s HoneyMonkey (2005)◮ Google Safe Browsing API (2008)
◮ Again, needs carefully designed resilient
architecture.
![Page 61: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/61.jpg)
Outline
Firewalls
Attack detection
Attack attraction
Building in security
![Page 62: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/62.jpg)
Securing Unsecured Networks
◮ Link-level security. Confidentiality andauthentication ensured on individual links.
![Page 63: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/63.jpg)
Securing Unsecured Networks
◮ Link-level security. Confidentiality andauthentication ensured on individual links.◮ Most transparent; implemented by low-levelhardware.
![Page 64: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/64.jpg)
Securing Unsecured Networks
◮ Link-level security. Confidentiality andauthentication ensured on individual links.◮ Most transparent; implemented by low-levelhardware.
◮ Appropriate only for local traffic, or small number ofvulnerable lines.
![Page 65: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/65.jpg)
Securing Unsecured Networks
◮ Link-level security. Confidentiality andauthentication ensured on individual links.◮ Most transparent; implemented by low-levelhardware.
◮ Appropriate only for local traffic, or small number ofvulnerable lines.
◮ Examples: satellite circuits, transatlantic cables,and Wi-Fi Protected Access (WPA).
![Page 66: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/66.jpg)
Securing Unsecured Networks
◮ Link-level security. Confidentiality andauthentication ensured on individual links.◮ Most transparent; implemented by low-levelhardware.
◮ Appropriate only for local traffic, or small number ofvulnerable lines.
◮ Examples: satellite circuits, transatlantic cables,and Wi-Fi Protected Access (WPA).
◮ Network/transport-level secruity.Conversations secured in the networking protocol.
![Page 67: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/67.jpg)
Securing Unsecured Networks
◮ Link-level security. Confidentiality andauthentication ensured on individual links.◮ Most transparent; implemented by low-levelhardware.
◮ Appropriate only for local traffic, or small number ofvulnerable lines.
◮ Examples: satellite circuits, transatlantic cables,and Wi-Fi Protected Access (WPA).
◮ Network/transport-level secruity.Conversations secured in the networking protocol.◮ Transparent to applications, but can set securityneeds by need and negotiation.
![Page 68: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/68.jpg)
Securing Unsecured Networks
◮ Link-level security. Confidentiality andauthentication ensured on individual links.◮ Most transparent; implemented by low-levelhardware.
◮ Appropriate only for local traffic, or small number ofvulnerable lines.
◮ Examples: satellite circuits, transatlantic cables,and Wi-Fi Protected Access (WPA).
◮ Network/transport-level secruity.Conversations secured in the networking protocol.◮ Transparent to applications, but can set securityneeds by need and negotiation.
◮ E.g., for the Internet, IPsec.
![Page 69: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/69.jpg)
Securing Unsecured Networks
◮ Application-level security. Confidentiality andauthentication secured by the application.
![Page 70: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/70.jpg)
Securing Unsecured Networks
◮ Application-level security. Confidentiality andauthentication secured by the application.◮ Least convenient (each app must be modified)
![Page 71: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/71.jpg)
Securing Unsecured Networks
◮ Application-level security. Confidentiality andauthentication secured by the application.◮ Least convenient (each app must be modified)◮ . . . but most flexible: can be customized forapplication concerned
![Page 72: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/72.jpg)
Securing Unsecured Networks
◮ Application-level security. Confidentiality andauthentication secured by the application.◮ Least convenient (each app must be modified)◮ . . . but most flexible: can be customized forapplication concerned
◮ Examples include ssh for remote login, SSL/TLSdesigned for secure web transactions, and S/MIMEor PGP for secured email.
![Page 73: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/73.jpg)
IPsec and IPv6
◮ IPv6 adds strong crypto security services to IP.
IPsec is the retrofit to IPv4. Three mechanisms:
![Page 74: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/74.jpg)
IPsec and IPv6
◮ IPv6 adds strong crypto security services to IP.
IPsec is the retrofit to IPv4. Three mechanisms:
◮ Authentication Header (AH) [RFC2402]
![Page 75: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/75.jpg)
IPsec and IPv6
◮ IPv6 adds strong crypto security services to IP.
IPsec is the retrofit to IPv4. Three mechanisms:
◮ Authentication Header (AH) [RFC2402]◮ New header after the IP header used forauthentication.
![Page 76: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/76.jpg)
IPsec and IPv6
◮ IPv6 adds strong crypto security services to IP.
IPsec is the retrofit to IPv4. Three mechanisms:
◮ Authentication Header (AH) [RFC2402]◮ New header after the IP header used forauthentication.
◮ Includes SPI; sequence no; integrity check hash.
![Page 77: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/77.jpg)
IPsec and IPv6
◮ IPv6 adds strong crypto security services to IP.
IPsec is the retrofit to IPv4. Three mechanisms:
◮ Authentication Header (AH) [RFC2402]◮ New header after the IP header used forauthentication.
◮ Includes SPI; sequence no; integrity check hash.
◮ Encapsulating Security Payload (ESP)[RFC2406]
![Page 78: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/78.jpg)
IPsec and IPv6
◮ IPv6 adds strong crypto security services to IP.
IPsec is the retrofit to IPv4. Three mechanisms:
◮ Authentication Header (AH) [RFC2402]◮ New header after the IP header used forauthentication.
◮ Includes SPI; sequence no; integrity check hash.
◮ Encapsulating Security Payload (ESP)[RFC2406]◮ Encryption mechanism providing confidentialityand/or authentication. (Originally purelyconfidentiality, but then attacks were discovered).
![Page 79: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/79.jpg)
IPsec and IPv6
◮ IPv6 adds strong crypto security services to IP.
IPsec is the retrofit to IPv4. Three mechanisms:
◮ Authentication Header (AH) [RFC2402]◮ New header after the IP header used forauthentication.
◮ Includes SPI; sequence no; integrity check hash.
◮ Encapsulating Security Payload (ESP)[RFC2406]◮ Encryption mechanism providing confidentialityand/or authentication. (Originally purelyconfidentiality, but then attacks were discovered).
◮ Internet Key Exchange protocol (IKE)[RFC2409]
![Page 80: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/80.jpg)
IPsec and IPv6
◮ IPv6 adds strong crypto security services to IP.
IPsec is the retrofit to IPv4. Three mechanisms:
◮ Authentication Header (AH) [RFC2402]◮ New header after the IP header used forauthentication.
◮ Includes SPI; sequence no; integrity check hash.
◮ Encapsulating Security Payload (ESP)[RFC2406]◮ Encryption mechanism providing confidentialityand/or authentication. (Originally purelyconfidentiality, but then attacks were discovered).
◮ Internet Key Exchange protocol (IKE)[RFC2409]◮ Protocol for negotiating security andauthentication/encryption keys
![Page 81: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/81.jpg)
IPsec and IPv6
◮ IPv6 adds strong crypto security services to IP.
IPsec is the retrofit to IPv4. Three mechanisms:
◮ Authentication Header (AH) [RFC2402]◮ New header after the IP header used forauthentication.
◮ Includes SPI; sequence no; integrity check hash.
◮ Encapsulating Security Payload (ESP)[RFC2406]◮ Encryption mechanism providing confidentialityand/or authentication. (Originally purelyconfidentiality, but then attacks were discovered).
◮ Internet Key Exchange protocol (IKE)[RFC2409]◮ Protocol for negotiating security andauthentication/encryption keys
◮ Uses Diffie-Hellman (i.e., key agreement of freshshared key without authentication).
![Page 82: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/82.jpg)
IPsec: Security Associations
◮ The Internet Security Association and KeyManagement Protocol (ISAKMP) [RFC2408],describes negotiating a security association (SA),which defines:
![Page 83: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/83.jpg)
IPsec: Security Associations
◮ The Internet Security Association and KeyManagement Protocol (ISAKMP) [RFC2408],describes negotiating a security association (SA),which defines:
1. a destination IP,
![Page 84: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/84.jpg)
IPsec: Security Associations
◮ The Internet Security Association and KeyManagement Protocol (ISAKMP) [RFC2408],describes negotiating a security association (SA),which defines:
1. a destination IP,2. a protocol ID,
![Page 85: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/85.jpg)
IPsec: Security Associations
◮ The Internet Security Association and KeyManagement Protocol (ISAKMP) [RFC2408],describes negotiating a security association (SA),which defines:
1. a destination IP,2. a protocol ID,3. an SPI (security parameter index), an identifier to
track SAs.
![Page 86: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/86.jpg)
IPsec: Security Associations
◮ The Internet Security Association and KeyManagement Protocol (ISAKMP) [RFC2408],describes negotiating a security association (SA),which defines:
1. a destination IP,2. a protocol ID,3. an SPI (security parameter index), an identifier to
track SAs.
◮ Security association meaningful for destination end
only: peer-to-peer security requires two SAs.
![Page 87: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/87.jpg)
IPsec: Security Associations
◮ The Internet Security Association and KeyManagement Protocol (ISAKMP) [RFC2408],describes negotiating a security association (SA),which defines:
1. a destination IP,2. a protocol ID,3. an SPI (security parameter index), an identifier to
track SAs.
◮ Security association meaningful for destination end
only: peer-to-peer security requires two SAs.
◮ SAs are usually negotiated dynamically using IKE,
although other protocols possible.
![Page 88: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/88.jpg)
IPsec: Security Associations
◮ The Internet Security Association and KeyManagement Protocol (ISAKMP) [RFC2408],describes negotiating a security association (SA),which defines:
1. a destination IP,2. a protocol ID,3. an SPI (security parameter index), an identifier to
track SAs.
◮ Security association meaningful for destination end
only: peer-to-peer security requires two SAs.
◮ SAs are usually negotiated dynamically using IKE,
although other protocols possible.
◮ IKE is rather complicated (allows for extending SAs,
deleting SAs, detecting dead peers), which has
raised interoperability problems. A Kerberos-based
protocol and simplified version, IKEv2 (2005), may
replace it.
![Page 89: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/89.jpg)
IPsec: AH and ESP
◮ To use AH with an IPv6/IPsec datagram, the sender:
![Page 90: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/90.jpg)
IPsec: AH and ESP
◮ To use AH with an IPv6/IPsec datagram, the sender:◮ locates a SA to determine the mechanism
![Page 91: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/91.jpg)
IPsec: AH and ESP
◮ To use AH with an IPv6/IPsec datagram, the sender:◮ locates a SA to determine the mechanism◮ calculates the authentication data based on theready part of the packet (uninitialized fields, e.g.,authentication data, are zeroed).
![Page 92: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/92.jpg)
IPsec: AH and ESP
◮ To use AH with an IPv6/IPsec datagram, the sender:◮ locates a SA to determine the mechanism◮ calculates the authentication data based on theready part of the packet (uninitialized fields, e.g.,authentication data, are zeroed).
![Page 93: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/93.jpg)
IPsec: AH and ESP
◮ To use AH with an IPv6/IPsec datagram, the sender:◮ locates a SA to determine the mechanism◮ calculates the authentication data based on theready part of the packet (uninitialized fields, e.g.,authentication data, are zeroed).
A MAC such as HMAC with MD5, SHA-1 is used.
◮ Similarly, to use ESP with an IPv6/IPsec datagram,the sender:
![Page 94: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/94.jpg)
IPsec: AH and ESP
◮ To use AH with an IPv6/IPsec datagram, the sender:◮ locates a SA to determine the mechanism◮ calculates the authentication data based on theready part of the packet (uninitialized fields, e.g.,authentication data, are zeroed).
A MAC such as HMAC with MD5, SHA-1 is used.
◮ Similarly, to use ESP with an IPv6/IPsec datagram,the sender:◮ locates a SA to determine the mechanism
![Page 95: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/95.jpg)
IPsec: AH and ESP
◮ To use AH with an IPv6/IPsec datagram, the sender:◮ locates a SA to determine the mechanism◮ calculates the authentication data based on theready part of the packet (uninitialized fields, e.g.,authentication data, are zeroed).
A MAC such as HMAC with MD5, SHA-1 is used.
◮ Similarly, to use ESP with an IPv6/IPsec datagram,the sender:◮ locates a SA to determine the mechanism◮ calculates the encryption and/or authentication
![Page 96: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/96.jpg)
IPsec: AH and ESP
◮ To use AH with an IPv6/IPsec datagram, the sender:◮ locates a SA to determine the mechanism◮ calculates the authentication data based on theready part of the packet (uninitialized fields, e.g.,authentication data, are zeroed).
A MAC such as HMAC with MD5, SHA-1 is used.
◮ Similarly, to use ESP with an IPv6/IPsec datagram,the sender:◮ locates a SA to determine the mechanism◮ calculates the encryption and/or authentication
◮ There is much flexibility over where IPsec is placed:
encryption may occur at hosts or routers; packets
may be sent in a transport or tunneled mode.
![Page 97: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/97.jpg)
IPsec in Transport mode◮ In transport mode, the AH is inserted after the IP
header and before an upper layer protocol (e.g.,
TCP, UDP, ICMP).
![Page 98: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/98.jpg)
IPsec in Transport mode◮ In transport mode, the AH is inserted after the IP
header and before an upper layer protocol (e.g.,
TCP, UDP, ICMP).◮ Original IPv4 packet:
![Page 99: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/99.jpg)
IPsec in Transport mode◮ In transport mode, the AH is inserted after the IP
header and before an upper layer protocol (e.g.,
TCP, UDP, ICMP).◮ Original IPv4 packet:
IP hdr TCP hdr User Data
![Page 100: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/100.jpg)
IPsec in Transport mode◮ In transport mode, the AH is inserted after the IP
header and before an upper layer protocol (e.g.,
TCP, UDP, ICMP).◮ Original IPv4 packet:
IP hdr TCP hdr User Data
![Page 101: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/101.jpg)
IPsec in Transport mode◮ In transport mode, the AH is inserted after the IP
header and before an upper layer protocol (e.g.,
TCP, UDP, ICMP).◮ Original IPv4 packet:
IP hdr TCP hdr User Data
becomes:
IP hdr AH hdr TCP hdr User Data
|←− authenticated −→|
![Page 102: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/102.jpg)
IPsec in Transport mode◮ In transport mode, the AH is inserted after the IP
header and before an upper layer protocol (e.g.,
TCP, UDP, ICMP).◮ Original IPv4 packet:
IP hdr TCP hdr User Data
becomes:
IP hdr AH hdr TCP hdr User Data
|←− authenticated −→|
◮ Authentication doesn’t apply to mutable fields of IP
header.
![Page 103: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/103.jpg)
IPsec in Transport mode◮ In transport mode, the AH is inserted after the IP
header and before an upper layer protocol (e.g.,
TCP, UDP, ICMP).◮ Original IPv4 packet:
IP hdr TCP hdr User Data
becomes:
IP hdr AH hdr TCP hdr User Data
|←− authenticated −→|
◮ Authentication doesn’t apply to mutable fields of IP
header.◮ ESP in transport mode similar, except a trailer is
added to user data (including encryption padding)
before encrypting. Encryption applies to TCP
header, user data, and trailer. Authentication field
is added at the end. Minor difference: no
authentication of IP header.
![Page 104: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/104.jpg)
IPsec in Tunnel mode◮ In tunnel mode, the “inner” IP header carries the
ultimate source and destination addresses,
whereas an “outer” IP header may contain other
addresses, e.g., addresses of security gateways.
![Page 105: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/105.jpg)
IPsec in Tunnel mode◮ In tunnel mode, the “inner” IP header carries the
ultimate source and destination addresses,
whereas an “outer” IP header may contain other
addresses, e.g., addresses of security gateways.◮ An IPv4 packet before:
![Page 106: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/106.jpg)
IPsec in Tunnel mode◮ In tunnel mode, the “inner” IP header carries the
ultimate source and destination addresses,
whereas an “outer” IP header may contain other
addresses, e.g., addresses of security gateways.◮ An IPv4 packet before:
IP hdr TCP hdr User Data
![Page 107: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/107.jpg)
IPsec in Tunnel mode◮ In tunnel mode, the “inner” IP header carries the
ultimate source and destination addresses,
whereas an “outer” IP header may contain other
addresses, e.g., addresses of security gateways.◮ An IPv4 packet before:
IP hdr TCP hdr User Data
![Page 108: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/108.jpg)
IPsec in Tunnel mode◮ In tunnel mode, the “inner” IP header carries the
ultimate source and destination addresses,
whereas an “outer” IP header may contain other
addresses, e.g., addresses of security gateways.◮ An IPv4 packet before:
IP hdr TCP hdr User Data
and after:
new IP hdr AH hdr old IP hdr TCP hdr User Data
|←− authenticated −→|
![Page 109: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/109.jpg)
IPsec in Tunnel mode◮ In tunnel mode, the “inner” IP header carries the
ultimate source and destination addresses,
whereas an “outer” IP header may contain other
addresses, e.g., addresses of security gateways.◮ An IPv4 packet before:
IP hdr TCP hdr User Data
and after:
new IP hdr AH hdr old IP hdr TCP hdr User Data
|←− authenticated −→|
◮ Authentication doesn’t apply to mutable fields of
new IP header.
![Page 110: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/110.jpg)
IPsec in Tunnel mode◮ In tunnel mode, the “inner” IP header carries the
ultimate source and destination addresses,
whereas an “outer” IP header may contain other
addresses, e.g., addresses of security gateways.◮ An IPv4 packet before:
IP hdr TCP hdr User Data
and after:
new IP hdr AH hdr old IP hdr TCP hdr User Data
|←− authenticated −→|
◮ Authentication doesn’t apply to mutable fields of
new IP header.◮ ESP in tunnel mode encrypts the original IP header,
TCP header, user data, and the ESP trailer
(padding). An extra authentication field is
appended. Again, authentication of the new IP
header is omitted with ESP.
![Page 111: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/111.jpg)
IPsec: summary
◮ Advantages:
![Page 112: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/112.jpg)
IPsec: summary
◮ Advantages:◮ provides security transparently for all applications;
![Page 113: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/113.jpg)
IPsec: summary
◮ Advantages:◮ provides security transparently for all applications;◮ adds to IP level end-to-end data reliability, securesequencing of datagrams, authentication andconfidentiality;
![Page 114: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/114.jpg)
IPsec: summary
◮ Advantages:◮ provides security transparently for all applications;◮ adds to IP level end-to-end data reliability, securesequencing of datagrams, authentication andconfidentiality;
◮ in long term, likely to improve overall Internetinfrastructure and security.
![Page 115: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/115.jpg)
IPsec: summary
◮ Advantages:◮ provides security transparently for all applications;◮ adds to IP level end-to-end data reliability, securesequencing of datagrams, authentication andconfidentiality;
◮ in long term, likely to improve overall Internetinfrastructure and security.
◮ Disadvantages
![Page 116: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/116.jpg)
IPsec: summary
◮ Advantages:◮ provides security transparently for all applications;◮ adds to IP level end-to-end data reliability, securesequencing of datagrams, authentication andconfidentiality;
◮ in long term, likely to improve overall Internetinfrastructure and security.
◮ Disadvantages◮ crypto operations impinge on throughput andlatency everywhere, irrespective of security needs;
![Page 117: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/117.jpg)
IPsec: summary
◮ Advantages:◮ provides security transparently for all applications;◮ adds to IP level end-to-end data reliability, securesequencing of datagrams, authentication andconfidentiality;
◮ in long term, likely to improve overall Internetinfrastructure and security.
◮ Disadvantages◮ crypto operations impinge on throughput andlatency everywhere, irrespective of security needs;
◮ security model is low-level and may bedisconnected from application level (e.g.,authentication is host-based, not user-based);
![Page 118: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/118.jpg)
IPsec: summary
◮ Advantages:◮ provides security transparently for all applications;◮ adds to IP level end-to-end data reliability, securesequencing of datagrams, authentication andconfidentiality;
◮ in long term, likely to improve overall Internetinfrastructure and security.
◮ Disadvantages◮ crypto operations impinge on throughput andlatency everywhere, irrespective of security needs;
◮ security model is low-level and may bedisconnected from application level (e.g.,authentication is host-based, not user-based);
◮ complex to implement, choice of configurations;
![Page 119: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/119.jpg)
IPsec: summary
◮ Advantages:◮ provides security transparently for all applications;◮ adds to IP level end-to-end data reliability, securesequencing of datagrams, authentication andconfidentiality;
◮ in long term, likely to improve overall Internetinfrastructure and security.
◮ Disadvantages◮ crypto operations impinge on throughput andlatency everywhere, irrespective of security needs;
◮ security model is low-level and may bedisconnected from application level (e.g.,authentication is host-based, not user-based);
◮ complex to implement, choice of configurations;◮ does not prevent traffic analysis or covert channels.
![Page 120: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/120.jpg)
DNS Security◮ DNS Security design dates back to 1993;
deployment increasing now. DNS data (RRsets,
Resource Record sets) is considered public, so no
confidentiality provision; security mechanisms add
authentication and integrity by digital signatures.
![Page 121: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/121.jpg)
DNS Security◮ DNS Security design dates back to 1993;
deployment increasing now. DNS data (RRsets,
Resource Record sets) is considered public, so no
confidentiality provision; security mechanisms add
authentication and integrity by digital signatures.◮ The DNSSEC extensions provide three services:
![Page 122: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/122.jpg)
DNS Security◮ DNS Security design dates back to 1993;
deployment increasing now. DNS data (RRsets,
Resource Record sets) is considered public, so no
confidentiality provision; security mechanisms add
authentication and integrity by digital signatures.◮ The DNSSEC extensions provide three services:
1. data origin authentication and integrity, usingpublic zone keys. Security-aware resolvers build achain of trust.
![Page 123: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/123.jpg)
DNS Security◮ DNS Security design dates back to 1993;
deployment increasing now. DNS data (RRsets,
Resource Record sets) is considered public, so no
confidentiality provision; security mechanisms add
authentication and integrity by digital signatures.◮ The DNSSEC extensions provide three services:
1. data origin authentication and integrity, usingpublic zone keys. Security-aware resolvers build achain of trust.
2. key distribution, so servers transmit keys
![Page 124: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/124.jpg)
DNS Security◮ DNS Security design dates back to 1993;
deployment increasing now. DNS data (RRsets,
Resource Record sets) is considered public, so no
confidentiality provision; security mechanisms add
authentication and integrity by digital signatures.◮ The DNSSEC extensions provide three services:
1. data origin authentication and integrity, usingpublic zone keys. Security-aware resolvers build achain of trust.
2. key distribution, so servers transmit keys3. transaction and request authentication for
DNS.
![Page 125: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/125.jpg)
DNS Security◮ DNS Security design dates back to 1993;
deployment increasing now. DNS data (RRsets,
Resource Record sets) is considered public, so no
confidentiality provision; security mechanisms add
authentication and integrity by digital signatures.◮ The DNSSEC extensions provide three services:
1. data origin authentication and integrity, usingpublic zone keys. Security-aware resolvers build achain of trust.
2. key distribution, so servers transmit keys3. transaction and request authentication for
DNS.◮ New security-related RRs are added:
![Page 126: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/126.jpg)
DNS Security◮ DNS Security design dates back to 1993;
deployment increasing now. DNS data (RRsets,
Resource Record sets) is considered public, so no
confidentiality provision; security mechanisms add
authentication and integrity by digital signatures.◮ The DNSSEC extensions provide three services:
1. data origin authentication and integrity, usingpublic zone keys. Security-aware resolvers build achain of trust.
2. key distribution, so servers transmit keys3. transaction and request authentication for
DNS.◮ New security-related RRs are added:
◮ KEY record, for public keys (specifying algorithm)
![Page 127: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/127.jpg)
DNS Security◮ DNS Security design dates back to 1993;
deployment increasing now. DNS data (RRsets,
Resource Record sets) is considered public, so no
confidentiality provision; security mechanisms add
authentication and integrity by digital signatures.◮ The DNSSEC extensions provide three services:
1. data origin authentication and integrity, usingpublic zone keys. Security-aware resolvers build achain of trust.
2. key distribution, so servers transmit keys3. transaction and request authentication for
DNS.◮ New security-related RRs are added:
◮ KEY record, for public keys (specifying algorithm)◮ SIG record, for attaching digital signatures
![Page 128: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/128.jpg)
DNS Security◮ DNS Security design dates back to 1993;
deployment increasing now. DNS data (RRsets,
Resource Record sets) is considered public, so no
confidentiality provision; security mechanisms add
authentication and integrity by digital signatures.◮ The DNSSEC extensions provide three services:
1. data origin authentication and integrity, usingpublic zone keys. Security-aware resolvers build achain of trust.
2. key distribution, so servers transmit keys3. transaction and request authentication for
DNS.◮ New security-related RRs are added:
◮ KEY record, for public keys (specifying algorithm)◮ SIG record, for attaching digital signatures◮ NXT record, for non existence. Secure negativeresponses.
![Page 129: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/129.jpg)
DNS Security◮ DNS Security design dates back to 1993;
deployment increasing now. DNS data (RRsets,
Resource Record sets) is considered public, so no
confidentiality provision; security mechanisms add
authentication and integrity by digital signatures.◮ The DNSSEC extensions provide three services:
1. data origin authentication and integrity, usingpublic zone keys. Security-aware resolvers build achain of trust.
2. key distribution, so servers transmit keys3. transaction and request authentication for
DNS.◮ New security-related RRs are added:
◮ KEY record, for public keys (specifying algorithm)◮ SIG record, for attaching digital signatures◮ NXT record, for non existence. Secure negativeresponses.
◮ Many further issues (caching, insecure
compatibility, etc).
![Page 130: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/130.jpg)
The Secure Shell
◮ SSH is a set of programs that offers secure TCP
communications between two systems, regardless
of untrusted systems between them (routers,
firewalls, sniffers, etc.). A powerful security tool.
![Page 131: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/131.jpg)
The Secure Shell
◮ SSH is a set of programs that offers secure TCP
communications between two systems, regardless
of untrusted systems between them (routers,
firewalls, sniffers, etc.). A powerful security tool.
◮ Provides secure replacements for telnet, rsh, rcp,rlogin, ftp. Can be a secure tunnel for any TCP
service; a cheap VPN-alike (e.g., ppp over ssh).
![Page 132: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/132.jpg)
The Secure Shell
◮ SSH is a set of programs that offers secure TCP
communications between two systems, regardless
of untrusted systems between them (routers,
firewalls, sniffers, etc.). A powerful security tool.
◮ Provides secure replacements for telnet, rsh, rcp,rlogin, ftp. Can be a secure tunnel for any TCP
service; a cheap VPN-alike (e.g., ppp over ssh).
◮ Offers encryption, authentication, integrity. Protects
against IP and DNS spoofing, fake routes, MITM,
replay.
![Page 133: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/133.jpg)
The Secure Shell
◮ SSH is a set of programs that offers secure TCP
communications between two systems, regardless
of untrusted systems between them (routers,
firewalls, sniffers, etc.). A powerful security tool.
◮ Provides secure replacements for telnet, rsh, rcp,rlogin, ftp. Can be a secure tunnel for any TCP
service; a cheap VPN-alike (e.g., ppp over ssh).
◮ Offers encryption, authentication, integrity. Protects
against IP and DNS spoofing, fake routes, MITM,
replay.
◮ Flexible choice of ciphers. Implementations for
various platforms, including free OpenSSH.
![Page 134: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/134.jpg)
The Secure Shell
◮ SSH is a set of programs that offers secure TCP
communications between two systems, regardless
of untrusted systems between them (routers,
firewalls, sniffers, etc.). A powerful security tool.
◮ Provides secure replacements for telnet, rsh, rcp,rlogin, ftp. Can be a secure tunnel for any TCP
service; a cheap VPN-alike (e.g., ppp over ssh).
◮ Offers encryption, authentication, integrity. Protects
against IP and DNS spoofing, fake routes, MITM,
replay.
◮ Flexible choice of ciphers. Implementations for
various platforms, including free OpenSSH.
◮ Disadvantages: need to carry private key around;
still vulnerable to DoS attacks (connection
terminations) by injected IP packets.
![Page 135: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/135.jpg)
Virtual Private Networks
◮ Extend the boundary of a protected domain, e.g.for:
![Page 136: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/136.jpg)
Virtual Private Networks
◮ Extend the boundary of a protected domain, e.g.for:◮ Remote branch offices or business collaborations.Shared file systems, logins, databases.
![Page 137: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/137.jpg)
Virtual Private Networks
◮ Extend the boundary of a protected domain, e.g.for:◮ Remote branch offices or business collaborations.Shared file systems, logins, databases.
◮ Telecommuting. Tricky issues over IP addresses,routing and DNS.
![Page 138: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/138.jpg)
Virtual Private Networks
◮ Extend the boundary of a protected domain, e.g.for:◮ Remote branch offices or business collaborations.Shared file systems, logins, databases.
◮ Telecommuting. Tricky issues over IP addresses,routing and DNS.
◮ Implementations in software or hardware
![Page 139: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/139.jpg)
Virtual Private Networks
◮ Extend the boundary of a protected domain, e.g.for:◮ Remote branch offices or business collaborations.Shared file systems, logins, databases.
◮ Telecommuting. Tricky issues over IP addresses,routing and DNS.
◮ Implementations in software or hardware◮ Software: pros: configurability; cons: complexity,compromises.
![Page 140: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/140.jpg)
Virtual Private Networks
◮ Extend the boundary of a protected domain, e.g.for:◮ Remote branch offices or business collaborations.Shared file systems, logins, databases.
◮ Telecommuting. Tricky issues over IP addresses,routing and DNS.
◮ Implementations in software or hardware◮ Software: pros: configurability; cons: complexity,compromises.
◮ Hardware: pros: simplicity
![Page 141: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/141.jpg)
Virtual Private Networks
◮ Extend the boundary of a protected domain, e.g.for:◮ Remote branch offices or business collaborations.Shared file systems, logins, databases.
◮ Telecommuting. Tricky issues over IP addresses,routing and DNS.
◮ Implementations in software or hardware◮ Software: pros: configurability; cons: complexity,compromises.
◮ Hardware: pros: simplicity
◮ Security by encapsulation in the network level,
using e.g. IPsec, L2TPv3+IPsec, SSL/TLS.
![Page 142: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/142.jpg)
Other defences, mechanisms and tools
◮ Kerberos: secure authentication system for
networks: tickets with short lifetimes, reduces
password traffic on network. Applications have to
be adapted to use Kerberos libraries. Improves
security inside network perimeters (compared with
host-based trust on network services).
![Page 143: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/143.jpg)
Other defences, mechanisms and tools
◮ Kerberos: secure authentication system for
networks: tickets with short lifetimes, reduces
password traffic on network. Applications have to
be adapted to use Kerberos libraries. Improves
security inside network perimeters (compared with
host-based trust on network services).
◮ SRP, Secure Remote Password is an authentication
protocol which avoids encryption algorithms, allows
short passwords, and stores sensitive information
on server so that it cannot be subjected to
dictionary attack.
![Page 144: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/144.jpg)
Other defences, mechanisms and tools
◮ Kerberos: secure authentication system for
networks: tickets with short lifetimes, reduces
password traffic on network. Applications have to
be adapted to use Kerberos libraries. Improves
security inside network perimeters (compared with
host-based trust on network services).
◮ SRP, Secure Remote Password is an authentication
protocol which avoids encryption algorithms, allows
short passwords, and stores sensitive information
on server so that it cannot be subjected to
dictionary attack.
◮ SSL/TLS-enhanced protocols e.g., SSLtelnet,
SSLftp, stunnel.
![Page 145: Network and Internet Defences - Computer Security Lecture 12](https://reader031.fdocuments.in/reader031/viewer/2022022001/6210258b5b95b9510e179854/html5/thumbnails/145.jpg)
References
Edward G. Amoroso. Intrusion Detection: An
Introduction to Internet Surveillance, Correlation,
Trace Back, Traps and Response.
Intrusion.Net, 1999.
Simson Garfinkel, Gene Spafford, and Alan
Schwartz. Practical UNIX and Internet Security.
O’Reilly, 3rd edition, 2003.
Lance Spitzner. Honeypots: tracking hackers.
Addison-Wesley, 2003.
William R Cheswick, Steven M Bellovin, and Aviel D
Rubin. Firewalls and Internet Security Second
Edition: Repelling the Wily Hacker.
Addison-Wesley, 2003.
Recommended Reading
Part II of Cheswick (1st edition available online).