Network Security (NetSec)netsec.net.in.tum.de/slides/01_Intro.pdf · Network Security (NetSec)...

transcript

Chair of Network Architectures and ServicesDepartment of InformaticsTechnical University of Munich

Network Security (NetSec)

IN2101 – WS 19/20

Prof. Dr.-Ing. Georg Carle

Dr. Holger KinkelinJonas Jelten

Richard von SeckJohannes Schleger

Chair of Network Architectures and ServicesDepartment of Informatics

Technical University of Munich

Chapter 1: Introduction

Network InSecurity

Do not Trust a Network Connection

Do not Trust the Network

Attacker Models

Capabilities of Attackers

Attacker Model

The Attacker’s Position in the Network determines her Capabilities

Security Goals

Security Goals Technically Defined

Threats

Threats Technically Defined

Literature

Chapter 1: Introduction 1-1

Network InSecurity

Attacker Models

Security Goals

Threats

Literature

• Example: An Ethernet cable

• How secure is it?

Alice Bob

Chapter 1: Introduction — Network InSecurity 1-3

• Step 1: Obtain a knife

• Step 2: Add RJ45 adapters

Alice Bob

• Step 3: Get yourself a computer with two network interfaces

• Step 4: Configure transparent Ethernet bridging

• You are now in full control of the traffic• read• modify

• Technical term for this attacker: Man in the Middle (MitM)

• Note: Cryptography can mitigate this situation, which is why we later focus on crypto and secure chan-nels!

Alice BobChapter 1: Introduction — Network InSecurity 1-5

Alice the Internet Bob

• Note: of cause, not only secret services are "the bad guys" in the Internet

• Also criminals, corporations, etc. monitor internet traffic to gain your data or interfere with the traffic to achieveeven worse goals

• Note 2: of cause, not only the internet is problematic but every other type of (switched) network: networksin companies, universities, internet cafes, airports, dorms, residential communities, ...

• In this case, you are not even required to be a physical "man in the middle": an ARP spoofing attack can logicallyplace the attacker between e.g. Alice and Bob. With tampered ARP tables, packets flow fromAlice↔ Attacker↔ Bob!

• Result: There are endless opportunities for any kind of attacker to monitor/interfere with your traffic!

Alice NSA, GCHQ, ... Bob

• Note: of cause, not only secret services are "the bad guys" in the Internet

• Also criminals, corporations, etc. monitor internet traffic to gain your data or interfere with the traffic to achieveeven worse goals

Alice NSA, GCHQ, bad ISP/AS, criminals, ... Bob

• Note: of cause, not only secret services are "the bad guys" in the Internet• Also criminals, corporations, etc. monitor internet traffic to gain your data or interfere with the traffic to achieve

even worse goals

Alice NSA, GCHQ, bad ISP/AS, criminals, employer, ... Bob

even worse goals

• Note 2: of cause, not only the internet is problematic but every other type of (switched) network: networksin companies, universities, internet cafes, airports, dorms, residential communities, ...• In this case, you are not even required to be a physical "man in the middle": an ARP spoofing attack can logically

place the attacker between e.g. Alice and Bob. With tampered ARP tables, packets flow fromAlice↔ Attacker↔ Bob!

Alice NSA, GCHQ, bad ISP/AS, criminals, employer, ... Bob

even worse goals

• Note 2: of cause, not only the internet is problematic but every other type of (switched) network: networksin companies, universities, internet cafes, airports, dorms, residential communities, ...• In this case, you are not even required to be a physical "man in the middle": an ARP spoofing attack can logically

place the attacker between e.g. Alice and Bob. With tampered ARP tables, packets flow fromAlice↔ Attacker↔ Bob!

Network InSecurity

Attacker Models

Attacker Model

Security Goals

Threats

Literature

What could an attacker possibly do?

• Attacking communication on the message level

• Passive attacks• Eavesdropping of messages

• Traffic Analysis

• Active attacks• All passive attacks

• Delay

• Replay

• Deletion

• Modification

• Insertion

Chapter 1: Introduction — Attacker Models 1-8

Attacker Model

• Attacker model = definition what an attacker can do and cannot do

• The attacker is the network

• And can perform any active attack

• But cannot break cryptographic primitives (encryption, signing, hashing, etc.)

• Attacker has no control over end systems

• This is called the Dolev-Yao attacker model

Alice Bob• Important: If not stated otherwise, we will always assume this attacker model in the lectures, the exer-

cises, and also the exam.Chapter 1: Introduction — Attacker Models 1-9

End system(Initiator)

End system(Responder)

Network

• Attackers typically do not control the entire Internet.

• Their position in the network is crucial and defines what the attacker can do /which messages can be seen

Network

• Assume the attacker is close to your end system (initiator/client)

• Example: You sit in a cyber cafe and accidentally connected to the attacker’s hot spot• The attacker can perform any active attacks on you

• But you can defend against this attacker: Establish a secure tunnel to a server in the Internet

• Route all your packets over the secure tunnel

• The attacker can now perform only DOS (Denial Of Service) attacks against you, collect meta data, etc.

Network

• Assume the attacker is somewhere in the Internet

• Internet: Best effort packet switching

• End-user has no control on how packets are routed

• Are all AS/ISP trustworthy?

• Does you ISP alter your packets?• “Value added service 1”: your ISP places advertisement on the websites you are visiting (seen in aircraft WiFi

networks)• “Value added service 2” your ISP reduces quality of images to save bandwidth (seen in mobile networks)• “Value added service 3” your ISP redirects requests to non-existent or mis-typed websites to their own portal

which has advertisements

• NSA/GCHQ/ ... black boxes can be basically everywhereChapter 1: Introduction — Attacker Models 1-12

Network

• Assume the attacker is close to your end system (responder/server)

• Example: She rented a VM on the same host machine where your virtual server is running• The attacker could try to perform timing attacks against your server

• Work by measuring how long certain operations (operation successfully completed, operation failed) take at yourserver

• Result: the attacker might be able to break a security service, deduce a secret key, etc.

• Only works if the service is vulnerable to side channel attacks; we will come back to these attacks in a couple ofweeks

• Such measurements are usually not possible/difficult over the Internet, as latencies/delays make it difficult to getgood measurements

Network InSecurity

Attacker Models

Security Goals

Threats

Literature

• Data Integrity• German: “Datenintegrität”

• No improper or unauthorized change of data

• Confidentiality• German: “Vertraulichkeit”

• Concealment of information

• Availability• German: “Verfügbarkeit”

• Services should be available and function correctly

• Authenticity• German: “Echtheit”

• An entity is who it claims to be

• Accountability• German: “Zurechenbarkeit”

• Identify the entity responsible for any communication event

• Controlled Access• German: “Zugriffskontrolle”

• Only authorized entities can access certain services or information

Chapter 1: Introduction — Security Goals 1-15

• What is needed to support non-repudiation? („Nicht-Abstreitbarkeit“)• I.e. you cannot claim not to have done something, like changed a file or sent an email

• Accountability

• What is needed to support non-repudiation? („Nicht-Abstreitbarkeit“)• I.e. you cannot claim not to have done something, like changed a file or sent an email

• Accountability

• What is necessary to support accountability?

• Authenticity

• What is necessary to support accountability?• Authenticity

• What do you want to support deterrence („Abschreckung“)• I.e. we want to prevent that something undesired happens, e.g. a malicious user destroys a document

• Accountability

• What do you want to support deterrence („Abschreckung“)• I.e. we want to prevent that something undesired happens, e.g. a malicious user destroys a document

• Accountability

• What is another word for data origin integrity?

• Authenticity

• What is another word for data origin integrity?• Authenticity

What is the difference?

• Authentication

• Proves who you are

• Associated security goal: Authenticity

• E.g. checking your passport

• Authorization

• Defines what you are allowed to do

• Associated security goal: Controlled Access

• E.g. “are you on the VIP list?”

• Authentication• Proves who you are

• Authorization• Defines what you are allowed to do

• Authentication• Proves who you are

• Authorization• Defines what you are allowed to do

Mixing Authentication and Authorization

My best attempt was registering to Black Hat with firstname: “Staff” and last name: “Access All Areas”

https://twitter.com/mikko/status/587973545797492738

Network InSecurity

Attacker Models

Security Goals

Threats

Literature

Threats

• Abstract Definition• A threat in a communication network is any possible event or sequence of actions that might exploit a vulnerability,

leading to a violation of one or more security goals

• The actual realization of a threat is called an attack

Chapter 1: Introduction — Threats 1-23

• Masquerade• An entity claims to be another entity (also called “impersonation”)

• Eavesdropping• An entity reads information it is not intended to read

• Loss or modification of (transmitted) information• Data is being altered or destroyed

• Denial of communication acts (repudiation)• An entity falsely denies its participation in a communication act

• Forgery of information• An entity creates new information in the name of another entity

• Sabotage/Denial of Service• Any action that aims to reduce the availability and / or correct functioning of services or systems

• Authorization Violation:• An entity uses a service or resources it is not intended to use

Example 1

• Eavesdropping + Authorization Violation

• Example• Alice@Box$ ./rootremoteshell $ROUTER

root@router# tcpdump | grep password

• If Alice does not start modifying the traffic, she is a passive attacker

• Note: If not stated otherwise, we assume that attackers don’t have remote code execution on our boxes

Example 2

• Masquerade + Forgery of Information

• Example• Alice pretends to be Bob

• Alice@Box$ hping3 –count 1 –spoof $BOB –icmp –icmptype 8 $CARL

• CARL gets an ICMP Echo Request which appears to be sent from BOB

• BOB gets an ICMP Echo Reply which he never requested

• Alice is an active attacker

• IP source addresses are not secured

Example 2: IP Spoofing cont.

Alice Bob Carl

src:Bob dst:Carl ping

src:Carl dst:Bob pong

Example 2: IP Spoofing cont.

• Alice: 192.168.1.170

• Bob 192.168.1.227

• Carl: 192.168.1.1

• Alice sends the spoofed packet• Internet Protocol Version 4, Src: 192.168.1.227, Dst: 192.168.1.1; ICMP Echo Request

• Carl replies to the source address specified

• Bob receives a lonely echo reply• Internet Protocol Version 4, Src: 192.168.1.1, Dst: 192.168.1.227; ICMP Echo Reply

Example 3

• Denial of communication acts

• Example• Bob runs a web server (http, tcp port 80) with very limited memory

• Alice floods Bob with TCP SYN packets

• Alice@Box$ hping3 –fast –count 42 –syn –destport 80 $BOB

• Bob allocates memory to store the 42 connections in the SYN-RECEIVED state

• Now Alice starts to deny that she is responsible for the attack

• Denial of Communication Acts + Masquerade + Forgery of Information

• Example• Alice@Box$ hping3 –fast –count 42 –rand-source –syn –destport 80 $BOB

• –rand-source: random spoofed source IP address

Example 3

• Why does the attack succeed?

• This is a good opportunity to refresh your knowledge about the TCP 3-way handshake

Network InSecurity

Attacker Models

Security Goals

Threats

Literature

• Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2004

• Claudia Eckert, IT-Sicherheit: Konzepte – Verfahren – Protokolle, Oldenbourg, 2014

• Charlie Kaufman, Radia Perlman, and Mike Speciner, Network Security: Private Communication in aPublic World (2nd Edition), Prentice Hall, 2002

• Matt Bishop, Computer Security: Art and Science, Addison-Wesley, 2002

• Günter Schäfer, Security in Fixed and Wireless Networks: An Introduction to Securing Data Communi-cations, Wiley, 2004

• Günter Schäfer, Netzsicherheit, dpunkt, 2003

Chapter 1: Introduction — Literature 1-32

Network Security (NetSec)netsec.net.in.tum.de/slides/01_Intro.pdf · Network Security (NetSec)...

Documents