EECS 489 - Computer Networks, University of Michigan
Tuesday, December 7, 2004
Network Security


Page 1: Network Security - web.eecs.umich.eduweb.eecs.umich.edu/~zmao/eecs489/LectureSlides/eecs489-fall200… · – Similar to making corporate phone directory proprietary. Firewall functions


Page 2:

Hey, you're not Morley …

Michael [email protected]

Page 3:

Agenda

• Course Evaluations
• Security in Distributed Systems
• Examples of current mechanisms
  – Firewalls
  – IDS
  – VPNs

Page 4:

Readings and Bibliography

• William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin, “Firewalls and Internet Security: Repelling the Wily Hacker”, Addison-Wesley, Boston, MA, 2003, ISBN 0-201-63466-X

• Andrew S. Tanenbaum, and Maarten van Steen, “Distributed Systems Principles and Paradigms”, Prentice Hall, Upper Saddle River, NJ, 2002, ISBN 0-13-088893-1

• Bruce Schneier, “Secrets & Lies: Digital Security in a Networked World”, John Wiley & Sons, New York, 2000, ISBN 0-471-25311-1

• Props out to Paul Francis and Avi Rubin for several pages of content (esp. the VPN and firewall slides)

Page 5:

Security in Distributed Systems

Page 6:

Security

• “There is no such thing as absolute security” – Cheswick
• Security is all about managing risk.
• How much effort are you willing to go through to protect what from whom?

Page 7:

How do we think about security?

Goals + Adversaries + Threats + Economics = Policies

• These are separate from the mechanisms used to enforce the policy, and from the implementation of those mechanisms

Page 8:

Goals

• Confidentiality
  – Privacy
  – Anonymity
• Integrity
  – Non-repudiation
• Dependability
  – Availability
  – Reliability
  – Safety
  – Maintainability

… and loyal and trustworthy and brave and …

Page 9:

Adversaries

• Lone Criminals
• Malicious Insiders
• Industrial Espionage
• Organized crime
• Terrorists
• Police
• National Intelligence agencies

I am a L33t H4x0r D00d!


Page 10:

Threats

• Interception
• Interruption
• Modification
• Fabrication

Page 11:

Policies (source: http://www.darmstadt.gmd.de/ice-tel/)

• The Network Security Policy identifies the threats against which protection is required, and defines the required level of protection.
  – Least Privilege
  – Defense In Depth
  – Choke Point
  – Weakest Link
  – Fail Safe Stance
  – etc.
• Example:
  – Strategy 1: Everything is forbidden unless explicitly permitted.
  – Strategy 2: Everything is permitted unless explicitly forbidden.

Page 12:

Policy Questions

• What resources are we trying to protect?
• Which people do we need to protect the resources from?
• How likely are the threats?
• How important is the resource?
• What measures can be implemented to protect the resource?
• How cost-effectively and in what time frame can these be implemented?
• Who authorizes users?

Page 13:

Security Mechanisms

• Encryption
• Authentication
• Authorization
• Auditing

Page 14:

Mechanisms and Implementation

• Schneier encourages us to think of security needs as a system
  – Complex
  – Bug-ridden
  – Emergent
  – Interactive
• “A chain is only as strong as its weakest link” – Cheswick
• An attacker may not have to go through a specific mechanism; they can go around it.

Page 15:

Firewalls: Policy Enforcement

Page 16:

Site with no firewall

[Diagram: ISP Router, Link (T1 etc.), Site Router, Site Network]

Page 17:

Site with firewall

[Diagram: ISP Router, Site Router, Firewall, Site Network]

Page 18:

DMZ (“De-Militarized Zone”)

[Diagram: ISP Router, Firewall/NAT, DMZ]

DMZ: Network outside of the site security perimeter, used to deploy firewall(s) and publicly available services (Web, FTP, DNS, etc.)

Page 19:

History: Firewalls were rogue components

• Firewall/DMZ architecture was never part of the “official” Internet Architecture
  – Purely a commercial creation
  – Distrusted by the IAB (Internet Architecture Board)
• “Crunchy on the outside, soft on the inside”
  – “All security should be end-to-end”, etc.

Page 20:

Firewalls not just protection from attackers

• Bandwidth control
  – Block high-bandwidth applications
  – Pointcast, Napster
• Employee network usage control
  – Block games, pornography, non-business uses
• Privacy
  – Don’t let the outside see what you have, how big you are, etc.
  – Similar to making the corporate phone directory proprietary

Page 21:

Firewall functions

• Dropping packets
  – According to 5-tuple and direction of packet (incoming or outgoing)
    • Recall: 5-tuple = src/dst address, src/dst port, protocol
  – According to “conversation”
    • Multiple related flows, like FTP, SIP
  – According to higher-layer info (e.g. URL)
• Steering packets/messages
  – To other filters, like spam filter, virus checker, HTTP filter, etc.
• Logging flows and statistics

Page 22:

Simple firewall policy configuration

Source       Dest         App    Action
any-inside   dmz-mail     SMTP   allow
any-inside   any-outside  SMTP   drop
any-inside   any-outside  HTTP   allow
any-inside   any-outside  FTP    allow
any-inside   any-outside  any    drop
any-outside  any-inside   any    drop

Page 23:

Conversations

• FTP consists of two flows, control flow and data flow

• Firewall must be smart enough to read control flow, identify subsequent data flow

• True for SIP as well

Page 24:

Stateful and stateless firewalls

• Original firewalls were stateless
  – Maintain a static filter list, but no per-flow state
  – For TCP, only look at SYN
    • Means that non-SYN TCP packets are allowed even if they should be blocked
  – No concept of conversation
• Modern firewalls are typically stateful
  – Maintain a dynamic list of all allowed flows
  – Better capability, harder to scale
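A toy filter that evaluates the policy table from page 22 and contrasts the stateless SYN-only check with a stateful flow table. This is an added example, not the lecture's or any product's code; the zone map (10.0.0.0/8 inside, 192.0.2.25 as dmz-mail), the app-to-port mapping and the rule order (first match wins, specific rules first) are assumptions.

```python
from dataclasses import dataclass

APP_PORT = {"FTP": 21, "HTTP": 80, "SMTP": 25}   # assumed well-known ports
DMZ_MAIL = "192.0.2.25"                           # constructed DMZ mail host

# The slide's table, written in first-match order: specific rules before catch-alls.
RULES = [  # (source zone, destination zone, app, action)
    ("any-inside",  "dmz-mail",    "SMTP", "allow"),
    ("any-inside",  "any-outside", "SMTP", "drop"),
    ("any-inside",  "any-outside", "HTTP", "allow"),
    ("any-inside",  "any-outside", "FTP",  "allow"),
    ("any-inside",  "any-outside", "any",  "drop"),
    ("any-outside", "any-inside",  "any",  "drop"),
]

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False

def zone(ip: str) -> str:
    # Constructed zone map: 10.0.0.0/8 is the site, one host is the DMZ mailer.
    if ip == DMZ_MAIL:
        return "dmz-mail"
    return "any-inside" if ip.startswith("10.") else "any-outside"

def app_of(pkt: Packet) -> str:
    return next((a for a, p in APP_PORT.items() if p == pkt.dport), "other")

def policy(pkt: Packet) -> str:
    """Static 5-tuple rule lookup; unmatched traffic is dropped (fail-safe stance)."""
    for src, dst, app, action in RULES:
        if zone(pkt.src) == src and zone(pkt.dst) == dst and app in ("any", app_of(pkt)):
            return action
    return "drop"

class StatelessFirewall:
    """Original design: only TCP SYNs are checked, so a non-SYN packet toward a
    blocked port passes (the weakness noted on the slide)."""
    def filter(self, pkt: Packet) -> str:
        return "allow" if pkt.proto == "tcp" and not pkt.syn else policy(pkt)

class StatefulFirewall:
    """Modern design: an allowed SYN creates a flow entry; later packets pass
    only if they belong, in either direction, to an established flow."""
    def __init__(self):
        self.flows = set()
    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if pkt.proto == "tcp" and not pkt.syn:
            return "allow" if fwd in self.flows or rev in self.flows else "drop"
        verdict = policy(pkt)
        if verdict == "allow":
            self.flows.add(fwd)
        return verdict
```

Feeding the same stray non-SYN packet to both classes shows the difference: the stateless filter waves it through, the stateful one drops it because no SYN ever opened that flow.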

Page 25:

Problem for app developer

• Obviously, your application may be blocked by the firewall

• Two basic strategies:
  1. Hide the application inside HTTP
  2. Make it easy for the firewall administrator to allow your application
• Which strategy you use depends on why the app is being blocked

Page 26:

Intentional versus unintentional blocking

• Unintentional blocking:
  – Blocking is a side effect of a broader policy
    • e.g., all UDP blocked, even though in principle the admin has no problem with your application
• Intentional blocking:
  – The admin knows of your application, and really does want to block it
    • e.g. Napster

Page 27:

Strategy for intentional blocking

• Long term, this is a hard battle to win
  – Can try to hide everything in what looks like normal HTTP, but the administrator can fight this in various ways:
    • Block on specific URLs
    • Block on specific IP addresses
    • Disallow the application on the client computers
• Better to solve the network admin’s concerns
  – Allow a caching proxy in the DMZ
  – Although this didn’t work for Pointcast….

Page 28:

Strategy for unintentional blocking

• “Hide” the application in HTTP
• But also allow the application to run “natively” if you get performance benefits
  – Make firewall configuration for allowing the application as simple as possible
  – i.e. one or a small number of specific ports
  – Get the port blessed by IANA
    • Internet Assigned Numbers Authority

Page 29:

IDS: Intrusion Detection Systems

Page 30:

Intrusion detection

• “Building burglar alarms for the net”
• Idea: make systems sensitive to threatening actions, and make them capable of alerting authorities when they notice anomalies
• Necessarily post-hoc
• Broad types
  – Statistical analyzers (anomaly based)
  – Rules-based systems, attack-signature detectors (misuse)
  – Others

Page 31:

Know Your Attacker

• Most attackers run scripts to probe for vulnerabilities, then return later to exploit them

• Probes tend to come in waves as new holes are discovered

• Probes look very different than typical network use

• Actual attack may come long after probe

Page 32:

Paradigms in Intrusion Detection

• Misuse Detection Intrusion Detection Systems (MD)
  – define “what is abnormal” using attack signatures
  – traffic that matches an attack signature is treated as attack traffic
• Anomaly Detection Intrusion Detection Systems (AD)
  – define “what is normal” using profiles
  – traffic that does not match the profile is treated as abnormal

Page 33:

The world’s simplest ID system

    v = listen(frequently-exploited-unused-port);   /* nothing legitimate ever connects here */
    while (1) {
        s = accept(v, who, howbig);                  /* so any connection is suspicious */
        notify_the_authorities(s, who, howbig);
        close(s);
    }

• This won’t catch stealth scanners
• Doesn’t have a global view
• Can’t detect attacks on systems in use
• Surprisingly effective at catching scans nonetheless

Page 34:

Statistical analysis

• Constantly capture packets, watch logs, note typical flows
  – e.g. “95% of traffic flows from inside the firewall to outside web services”
  – Set off alarm bells when traffic not matching typical flows is seen
  – Can be a first alert against configuration problems
• Gains a global picture of the system
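Both paradigms from page 32 run over the kind of traffic profile this slide describes: a learned profile of "what is normal" next to a short list of signatures for "what is abnormal". Added example, not from the lecture; the flow records, the service map, the "inbound telnet" signature and the port-sweep threshold are constructed assumptions.

```python
from collections import Counter, defaultdict
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    direction: str   # "out": inside -> outside, "in": outside -> inside

SERVICES = {80: "web", 443: "web", 25: "smtp", 22: "ssh", 23: "telnet"}  # assumed

def category(f: Flow):
    return (f.direction, SERVICES.get(f.dport, "other"))

def build_profile(flows):
    """Anomaly detection: learn 'what is normal' as each category's share of traffic."""
    counts = Counter(category(f) for f in flows)
    total = sum(counts.values())
    return {cat: n / total for cat, n in counts.items()}

def anomaly_alerts(profile, window, slack=0.10):
    """Flag categories never seen in the profile, or whose share grew by more than slack."""
    observed = build_profile(window)
    return sorted(cat for cat, share in observed.items()
                  if cat not in profile or share > profile[cat] + slack)

# Misuse detection: 'what is abnormal' is written down as signatures (assumed rules).
SIGNATURES = [("inbound telnet", lambda f: f.direction == "in" and f.dport == 23)]

def misuse_alerts(window, sweep_ports=4):
    """Match per-flow signatures, plus one cross-flow rule: a single outside host
    touching many ports on one inside host (the probe pattern from page 31)."""
    alerts = [(name, f) for f in window for name, hit in SIGNATURES if hit(f)]
    ports = defaultdict(set)
    for f in window:
        if f.direction == "in":
            ports[(f.src, f.dst)].add(f.dport)
    alerts += [("port sweep", pair) for pair, p in ports.items() if len(p) >= sweep_ports]
    return alerts

# Constructed data: 19 of 20 training flows are inside -> outside web, matching the
# slide's "95% of traffic flows from inside the firewall to outside web services".
BASELINE = ([Flow("10.0.0.1", "203.0.113.7", 80, "out")] * 19
            + [Flow("10.0.0.2", "203.0.113.8", 25, "out")])
WINDOW = ([Flow("10.0.0.1", "203.0.113.7", 443, "out")] * 10
          + [Flow("198.51.100.4", "10.0.0.5", p, "in") for p in (21, 22, 23, 25)])

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    print("anomalies:", anomaly_alerts(profile, WINDOW))
    print("misuse:", misuse_alerts(WINDOW))
```

The anomaly detector fires on every inbound category simply because the profile never saw one, without knowing what the traffic is; the misuse detector names the behaviour but only for patterns someone wrote a rule for, which is why the slides recommend combining the two.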

Page 35:

Rule-based systems

• Monitor logs and network for behavior violating or matching static rules
• Require some knowledge of attack behaviors
• Less prone to false alarms
• Often combined with anomaly detectors

Page 36:

Using an IDS

• Plan your incident response process well before you install the system
• Know what you’re looking for
• Make the system comprehensive
• Don’t overreact to alarms
• If using a rules-based system, keep up with vulnerability reports

Page 37:

VPN: Virtual Private Networks

Page 38:

What is a VPN?

• Making a shared network look like a private network
• Why do this?
  – Private networks have all kinds of advantages
    • (we’ll get to that)
  – But building a private network is expensive
    • (cheaper to have shared resources rather than dedicated)

Page 39:

History of VPNs

• Originally a telephone network concept
  – Separated offices could have a phone system that looked like one internal phone system
• Benefits?
  – Fewer digits to dial
  – Could have different tariffs
    • Company didn’t have to pay for individual long distance calls
  – Came with own blocking probabilities, etc.
    • Service guarantees better (or worse) than public phone service

Page 40:

Original data VPNs

• Lots of different network technologies in those days
  – Decnet, Appletalk, SNA, XNS, IPX, …
  – None of these were meant to scale to global proportions
  – Virtually always used in corporate settings
• Providers offer virtual circuits between customer sites
  – Frame Relay or ATM
  – A lot cheaper than dedicated leased lines
• Customer runs whatever network technology over these
• These still exist (but are being replaced by IP VPNs)

Page 41:

Advantages of original data VPNs

• Repeat: a lot cheaper than dedicated leased lines
  – Corporate users had no other choice
  – This was the whole business behind frame-relay and ATM services
• Fine-grained bandwidth tariffs
• Bandwidth guarantees
  – Service Level Agreements (SLA)
• “Multi-protocol”

Page 42:

How has the world changed?

• Everything is IP now
  – Some old stuff still around, but most data networks are just IP
• So, why do we still care about VPNs???

Page 43:

IP VPN benefits

• IP not really global (private addresses)
  – VPN makes separated IP sites look like one private IP network
• Security
• Bandwidth guarantees across ISP
  – QoS, SLAs
• Simplified network operation
  – ISP can do the routing for you

Page 44:

End-to-end VPNs

• Solves the problem of how to connect remote hosts to a firewalled network
  – Security and private-address benefits only
  – Not simplicity or QoS benefits

Page 45:

End-to-end VPNs

• Solves the problem of how to connect remote hosts to a firewalled network

[Diagram: Remote Host, Remote Host – Internet – IPsec Tunnels – FW/VPN – Site (private network): Site Host, Site Host]

Page 46:

Customer-based Network VPNs

• Great for enterprises that have the resources and skills to do it
  – Large companies
• More control, better security model
  – Doesn’t require trust in ISP ability and intentions
  – Can use different ISPs at different sites
• But not all enterprises have this skill

Page 47:

Customer-based Network VPNs

[Diagram: four Sites, each with its own CE (customer edge) router, connected across the Internet]

Customer buys own equipment, configures IPsec tunnels over the global internet, manages addressing and routing. ISP plays no role.