CS 155 Spring 2014

Network Security Protocols and

Defensive Mechanisms  

John Mitchell
Plan for today
Network protocol security
 Wireless access– 802.11i/WPA2
 IPSEC
 BGP instability and S-BGP
 DNS rebinding and DNSSEC
Standard network defenses
 Firewall
 Packet filter (stateless, stateful), Application layer
proxies
 Intrusion detection
 Anomaly and misuse detection
Last lecture
Basic network protocols
 IP, TCP, UDP, BGP, DNS
Problems with them
 TCP/IP
 No SRC authentication: can’t tell where packet is from
 Packet sniffing
 Connection spoofing, sequence numbers
 BGP: advertise bad routes or close good ones
 DNS: cache poisoning, rebinding
 Web security mechanisms rely on DNS
Network Protocol Stack

Application protocol
Application Application
TCP protocol
Transport Transport

IP protocol IP protocol
Network IP Network

Data Network Data

Link Access
Link
Link Link
Key management

IKE subprotocol from IPSEC

m1

A, (ga mod p)
A , signB(m1,m2) B
B, (gb mod
m2 p)
signA(m1,m2)

Result: A and B share secret gab mod p

Link-layer connectivity
Link Layer
802.11i Protocol
Supplicant Authenticator Authentic
UnAuth/UnAssoc
Auth/Assoc UnAuth/UnAssoc
Auth/Assoc a-tion
802.1X UnBlocked
Blocked 802.1X UnBlocked
Blocked Server
No Key
MSK
PMK
New
PTK/GTK
GTK No Key
PMK
New
PTK/GTK
GTK (RADIUS)
MSKKey
No
802.11 Association

EAP/802.1X/RADIUS Authentication

MSK

4-Way Handshake

Group Key Handshake

Data Communication
TCP/IP connectivity
Transport layer security (from last lecture)

Basic Layer 2-3 Security Problems

Network packets pass by untrusted hosts
 Eavesdropping, packet sniffing
 Especially easy when attacker controls a
machine close to victim

TCP state can be easy to guess

 Enables spoofing and session hijacking
 Virtual Private Network (VPN)
Three different modes of use:
 Remote access client connections
 LAN-to-LAN internetworking
 Controlled access within an intranet
Several different protocols
 PPTP – Point-to-point tunneling protocol
Data layer
 L2TP – Layer-2 tunneling protocol
 IPsec (Layer-3: network layer)

0
 Credit: Checkpoint
1
 IPSEC
Security extensions for IPv4 and IPv6
IP Authentication Header (AH)
 Authentication and integrity of payload and
header
IP Encapsulating Security Protocol (ESP)
 Confidentiality of payload
ESP with optional ICV (integrity check value)
 Confidentiality, authentication and integrity of
payload

2
 Recall packet formats and layers

TCP Header
Application message - data
Application message

Transport (TCP, UDP) segment TCP data TCP data TCP data

Network (IP) packet

IP TCP data

Link Layer frame ETH IP TCP data ETF

IP Header Link (Ethernet) Link (Ethernet)

Header Trailer

3
 IPSec Transport Mode: IPSEC instead of IP header

4 [Link]
 IPSEC Tunnel Mode

5
 IPSec Tunnel Mode: IPSEC header + IP header

6
 Key management

IKE subprotocol from IPSEC

m1

A, (ga mod p)
A , signB(m1,m2) B
B, (gb mod
m2 p)
signA(m1,m2)

Result: A and B share secret gab mod p

7
 Mobility

Mobile IPv6 Architecture

Mobile Node (MN)

Direct connection via

IPv6
binding update

Corresponding Node (CN)

Authentication is a
requirement
Home Agent (HA)
Early proposals weak
8
 Filtering network traffic
(starting at IP, transport layer …)

9
 Perimeter
security
Basic Firewall Concept
Separate local area net from internet

Firewall
Local network Internet

Router

All packets between LAN and internet routed through firewall

0
 Screened Subnet Using Two Routers

1
 Alternate 1: Dual-Homed Host

2
 Alternate 2: Screened Host

3
 Basic Packet Filtering
Uses transport-layer information only
 IP Source Address, Destination Address
 Protocol (TCP, UDP, ICMP, etc)
 TCP or UDP source & destination ports
 TCP Flags (SYN, ACK, FIN, RST, PSH, etc)
 ICMP message type
Examples
 DNS uses port 53
 Block incoming port 53 packets except known trusted servers
Issues
 Stateful filtering
 Encapsulation: address translation, other complications
 Fragmentation

4
 Source/Destination Address Forgery

5
 More about networking: port numbering

TCP connection
 Server port uses number less than 1024
 Client port uses number between 1024 and 16383
Permanent assignment
 Ports <1024 assigned permanently
 20,21 for FTP 23 for Telnet
 25 for server SMTP 80 for HTTP
Variable use
 Ports >1024 must be available for client to make connection
 Limitation for stateless packet filtering
 If client wants port 2048, firewall must allow incoming traffic
 Better: stateful filtering knows outgoing requests
 Only allow incoming traffic on high port to a machine that has
initiated an outgoing request on low port

6
 Filtering Example: Inbound SMTP

Can block external request to internal server based on port number

7
 Filtering Example: Outbound SMTP

Known low port out, arbitrary high port in

If firewall blocks incoming port 1357 traffic then connection fails
8
 Stateful or Dynamic Packet Filtering

9
 Telnet
Telnet Server Telnet Client

23 1234

 Client opens channel to

server; tells server its port 
O RT 1234”
number. The ACK bit is “P
not set while establishing
the connection but will be
set on the remaining

“ACK”
packets

 Server acknowledges

Stateful filtering can use this pattern to identify legitimate sessions

0
 FTP
FTP Server FTP Client

20 21
 Client opens Data Command 5150 5151
command channel to
server; tells server
5151”

second port number “ PO RT

 Server
acknowledges 
 “OK”
 Server opens data
channel to client’s DATA C
HANNE
second port L

 Client
acknowledges

TCP ACK
1
 Complication for firewalls

Normal IP Fragmentation

Flags and offset inside IP header indicate packet fragmentation

2
 Abnormal Fragmentation

Low offset allows second packet to

overwrite TCP header at receiving host

3
 Packet Fragmentation Attack
Firewall configuration
 TCP port 23 is blocked but SMTP port 25 is allowed
First packet
 Fragmentation Offset = 0.
 DF bit = 0 : "May Fragment"
 MF bit = 1 : "More Fragments"
 Destination Port = 25. TCP port 25 is allowed, so firewall allows packet
Second packet
 Fragmentation Offset = 1: second packet overwrites all but first 8 bits of
the first packet
 DF bit = 0 : "May Fragment"
 MF bit = 0 : "Last Fragment."
 Destination Port = 23. Normally be blocked, but sneaks by!
What happens
 Firewall ignores second packet “TCP header” because it is fragment of first
 At host, packet reassembled and received at port 23

4
 TCP Protocol Stack

Application protocol
Application Application
TCP protocol
Transport Transport

IP protocol IP protocol
Network IP Network

Data Network Data

Link Access
Link
Link Link

5
 Remember SSL/TLS
Version, Crypto choice, nonce

Version, Choice, nonce,

Signed certificate
containing server’s
public key Ks

C
Secret key K
encrypted with
server’s key Ks
S
switch to negotiated cipher

Hash of sequence of messages

Hash of sequence of messages

data transmission
6
 Beyond packet filtering

Proxying Firewall
Application-level proxies
 Tailored to http, ftp, smtp, etc.
 Some protocols easier to proxy than others
Policy embedded in proxy programs
 Proxies filter incoming, outgoing packets
 Reconstruct application-layer messages
 Can filter specific application-layer commands, etc.
 Example: only allow specific ftp commands
 Other examples: ?
Several network locations – see next slides

7
 Firewall with application proxies

FTP
Telnet proxy SMTP
proxy proxy

Telnet FTP SMTP

daemon daemon daemon
Network Connection

Daemon spawns proxy when communication detected …

8
 Application-level proxies
Enforce policy for specific protocols
 E.g., Virus scanning for SMTP
 Need to understand MIME, encoding, Zip archives
 Flexible approach, but may introduce network delays
“Batch” protocols are natural to proxy
 SMTP (E-Mail) NNTP (Net news)
 DNS (Domain Name System) NTP (Network Time Protocol
Must protect host running protocol stack
 Disable all non-required services; keep it simple
 Install/modify services you want
 Run security audit to establish baseline
 Be prepared for the system to be compromised

9
 Web traffic scanning
Intercept and proxy web traffic
 Can be host-based
 Usually at enterprise gateway
Block known bad sites
Block pages with known attacks
Scan attachments
 Usually traditional virus scanning methods

0
 Firewall references

Elizabeth D. Zwicky William R Cheswick

Simon Cooper Steven M Bellovin
D. Brent Chapman Aviel D Rubin
1
 TCP Protocol Stack
Application protocol
Application Application
TCP protocol
Transport Transport

Network IP protocol IP IP protocol Network

Network
Link Data Data Link
Access
Link Link

Intrusion detection
Infrastructure protocols
 BGP
 DNS
2
 Intrusion detection
Many intrusion detection systems
 Close to 100 systems with current web pages
 Network-based, host-based, or combination
Two basic models
 Misuse detection model
 Maintain data on known attacks
 Look for activity with corresponding signatures
 Anomaly detection model
 Try to figure out what is “normal”
 Report anomalous behavior

Fundamental problem: too many false alarms

3
 Example: Snort [Link]

From: Rafeeq Ur Rehman, Intrusion Detection Systems with Snort: Advanced IDS
4 Techniques with Snort, Apache, MySQL, PHP, and ACID.
 Snort components
Packet Decoder
 input from Ethernet, SLIP, PPP…
Preprocessor:
 detect anomalies in packet headers
 packet defragmentation
 decode HTTP URI
 reassemble TCP streams
Detection Engine: applies rules to packets
Logging and Alerting System
Output Modules: alerts, log, other output
5
 Snort detection rules

rule header rule options

6
 Additional examples
destination ip address
Apply to all ip packets
Destination port
Source ip address

Source port #
Rule options
Alert will be generated if criteria met

7
 Snort challenges
Misuse detection – avoid known intrusions
 Database size continues to grow
 Snort version 2.3.2 had 2,600 rules
 Snort spends 80% of time doing string match

Anomaly detection – identify new attacks

 Probability of detection is low

8
 Difficulties in anomaly detection
Lack of training data
 Lots of “normal” network, system call data
 Little data containing realistic attacks, anomalies
Data drift
 Statistical methods detect changes in behavior
 Attacker can attack gradually and incrementally
Main characteristics not well understood
 By many measures, attack may be within bounds
of “normal” range of activities
False identifications are very costly
 Sys Admin spend many hours examining evidence
9
 INFRASTRUCTURE
PROTOCOLS: BGP, DNS

0
 BGP example

327
1 27 3 4
265 265 3265 5
27
8 2 65
7265 7 27
7 627
265 5
6
7
5

Transit: 2 provides transit for 7

Algorithm seems to work OK in practice
 BGP is does not respond well to frequent node outages

Figure: D. Wetherall
1
 BGP Security Issues
BGP is used for all inter-ISP routing
Benign configuration errors affect about 1% of all
routing table entries at any time
Highly vulnerable to human errors, malicious attacks
 Actual routing policies can be very complicated
MD5 MAC is rarely used, perhaps due to lack of
automated key management, addresses only one
class of attacks

2
 S-BGP Design Overview
IPsec: secure point-to-point router communication
Public Key Infrastructure: authorization for all S-BGP
entities
Attestations: digitally-signed authorizations
 Address: authorization to advertise specified address blocks
 Route: Validation of UPDATEs based on a new path
attribute, using PKI certificates and attestations
Repositories for distribution of certificates, CRLs, and
address attestations
Tools for ISPs to manage address attestations,
process certificates & CRLs, etc.

3 Slide: Steve Kent

 BGP example

1 27 3 4

27
8 2
7 27
7
6 5
7
AS

Host1
Host2
… Address blocks
Hostn

4
 Address Attestation
Indicates that the final AS listed in the UPDATE is
authorized by the owner of those address blocks to
advertise the address blocks in the UPDATE
Includes identification of:
 owner’s certificate
 AS to be advertising the address blocks
 address blocks
 expiration date
Digitally signed by owner of the address blocks
Used to protect BGP from erroneous UPDATEs
(authenticated but misbehaving or misconfigured BGP speakers)

5
 Route Attestation
Indicates that the speaker or its AS authorizes the
listener’s AS to use the route in the UPDATE
Includes identification of:
 AS’s or BGP speaker’s certificate issued by owner of the AS
 the address blocks and the list of ASes in the UPDATE
 the neighbor
 expiration date
Digitally signed by owner of the AS (or BGP speaker)
distributing the UPDATE, traceable to the IANA ...
Used to protect BGP from erroneous UPDATEs
(authenticated but misbehaving or misconfigured BGP speakers)

6
 Validating a Route
To validate a route from ASn, ASn+1 needs:
 address attestation from each organization owning an
address block(s) in the NLRI
 address allocation certificate from each organization owning
address blocks in the NLRI
 route attestation from every AS along the path (AS1 to ASn),
where the route attestation for ASk specifies the NLRI and
the path up to that point (AS1 through ASk+1)
 certificate for each AS or router along path (AS1 to ASn) to
check signatures on the route attestations
 and, of course, all the relevant CRLs must have been
checked

Slide: Kent et al.

7
 INFRASTRUCTURE
PROTOCOLS: BGP, DNS

8
 Recall: DNS Lookup
Query: "[Link] A?"
Reply Resource Records in Reply

"com. NS [Link]"
3
"[Link] A [Link]"

"[Link]. NS [Link]"
5
"[Link] A [Link]"

7 "[Link] A [Link]"

8 "[Link] A [Link]"

Local recursive resolver caches these for TTL specified by RR

9
 DNS is Insecure
Packets sent over UDP, < 512 bytes
16-bit TXID, UDP Src port are only “security”
Resolver accepts packet if above match
Packet from whom? Was it manipulated?

Cache poisoning
 Attacker forges record at resolver
 Forged record cached, attacks future lookups
 Kaminsky (BH USA08)
 Attacks delegations with “birthday problem”

0
 DNSSEC Goal
“The Domain Name System (DNS) security extensions
provide origin authentication and integrity assurance
services for DNS data, including mechanisms for
authenticated denial of existence of DNS data.”

-RFC 4033

1
 DNSSEC
Basically no change to packet format 
 Goal is security of DNS data, not channel security
New Resource Records (RRs)
 RRSIG : signature of RR by private zone key
 DNSKEY : public zone key
 DS : crypto digest of child zone key
 NSEC / NSEC3 authenticated denial of existence
Lookup referral chain (unsigned) 
Origin attestation chain (PKI) (signed)
 Start at pre-configured trust anchors
 DS/DNSKEY of zone (should include root)
 DS → DNSKEY → DS forms a link

2
 DNSSEC Lookup
Query: "[Link] A?"

Reply RRs in DNS Reply Added by DNSSEC

"com. NS [Link]" "com. DS"
3
"[Link] A [Link]" "RRSIG(DS) by ."
"com. DNSKEY"
"[Link]. NS [Link]" "RRSIG(DNSKEY) by com."
5
"[Link] A [Link]" "[Link]. DS"
"RRSIG(DS) by com."
"[Link] DNSKEY"
7 "[Link] A [Link]" "RRSIG(DNSKEY) by [Link]."
"RRSIG(A) by [Link]."
8 "[Link] A [Link]" Last Hop?
3
 Authenticated Denial-of-Existence
Most DNS lookups result in denial-of-existence
NSEC (Next SECure)
 Lists all extant RRs associated with an owner name
 Points to next owner name with extant RR
 Easy zone enumeration
NSEC3
 Hashes owner names
 Public salt to prevent pre-computed dictionaries
 NSEC3 chain in hashed order
 Opt-out bit for TLDs to support incremental adoption
 For TLD type zones to support incremental adoption
 Non-DNSSEC children not in NSEC3 chain

4
 Insecure Sub-Namespace
NSEC3 Opt-out
 "Does not assert the existence or non-existence of
the insecure delegations that it may cover" (RFC
5155)
 Only thing asserting this is insecure glue records
Property: Possible to insert bogus pre-pended
name into otherwise secure zone.  (RFC 5155)
Insecure delegation from secure zone
 Spoofs possible for resultant lookup results
  Acceptable for TLD, bad for enterprises

5
 [DWF’96, R’01]

DNS Rebinding Attack

<iframe src="[Link] DNSSEC cannot
stop this attack
[Link]?
[Link]
[Link] TTL = 0
DNS server
[Link]
Firewall

[Link]
corporate web server
web server [Link]

[Link]
Read permitted: it’s the “same origin”

6
 DNS Rebinding Defenses
Browser mitigation: DNS Pinning
 Refuse to switch to a new IP
 Interacts poorly with proxies, VPN, dynamic DNS, …
 Not consistently implemented in any browser
Server-side defenses
 Check Host header for unrecognized domains
 Authenticate users with something other than IP
Firewall defenses
 External names can’t resolve to internal addresses
 Protects browsers inside the organization

7
 Summary
Network protocol security
 Wireless security – 802.11i/WPA2
 IPSEC
 BGP instability and S-BGP
 DNSSEC, DNS rebinding
Standard network perimeter defenses
 Firewall
 Packet filter (stateless, stateful), Application layer
proxies
 Traffic shaping
 Intrusion detection
 Anomaly and misuse detection
8
9