Chapter 9 Networking

1
Chapter 9Networking Distributed Security
(Part B)
2
Outline

• Overview of Networking
• Threats
• Wiretapping, impersonation, message
  interruption/modification, DoS
• Controls
• Encryption, authentication, distributed
  authentication, traffic control, integrity
  control
• Email privacy PEM, PGP
• Firewalls
• Multilevel networks

3
Network Security Controls Encryptions

• Host-level (link) encryption Fig. 9-16, p.406
• Link encryption occurs at layer 1 (physical) or
  layer 2 (data link) in the OSI model.
• Data is encrypted before the system places it on
  the physical communication link.
• Data is decrypted when entering the destination
  host.
• Encryption is performed by efficient and
  reliable hardware.
• Encryption is invisible to the OS and the
  application.
• Data are in the clear at the higher layers
  (layer 3 and above).
• Data need to be decrypted by the intermediate
  hosts.
• Q How many intermediate hosts are there?

4
Network Security Controls Encryptions

• Application-level (end-to-end) encryption Fig.
  9-18
• Encryption is performed between the sending
  application and the receiving application.
• The encryption can be done by hardware device
  (between the user and the host) or by software.
• A message is transmitted in encrypted form
  throughout the network. ? a secure virtual
  tunnel
• No cleartext exposure in any host. Is this
  true?
• No exposure in intermediate hosts.
• slower than link level encryption
• If symmetric keys are used, totally n (n-1) / 2
  keys are needed between every n applications.

5
Network Security Controls Encryptions

• Comparison of link and end-to-end encryption
• Table 9-2 p.409

• Any other encryption-based network controls?

6
VPN (Virtual Private Network)

• There are two common types of VPNs
• Remote-Access
• Also called a Virtual Private Dial-up Network
  (VPDN)
• a user-to-LAN connection used by a company that
  has employees who need to connect to the private
  network from various remote locations
• Typically, a corporation that wishes to set up a
  large remote-access VPN provides some form of
  Internet dial-up account to their users using an
  ISP.
• Site-to-Site
• Through the use of dedicated equipment and
  large-scale encryption, a company can connect
  multiple fixed sites over a public network such
  as the Internet.
• Use of VPN to secure wireless LAN

7
VPN Encryptions

• Most VPNs use one of the following protocols to
  provide encryption IPSec, PPTP/MPPE, and
  L2TP/IPSec.
• IPSec - Internet Protocol Security Protocol
  (IPSec).
• Tunnel mode encrypts the header and the payload
  of each packet while transport mode only encrypts
  the payload.
• All devices must use a common key or certificate
  and must have very similar security policies set
  up.
• IPSec supports either 56-bit (single DES) or
  168-bit (triple-DES) encryption.
• PPTP/MPPE Point-To-Point Tunneling Protocol
• PPTP supports multi-protocol VPNs, with 40-bit
  and 128-bit encryption using a protocol called
  Microsoft Point-to-Point Encryption (MPPE).
• PPTP by itself does not provide data encryption.

8
VPN Encryptions

• L2TP/IPSec - Commonly called L2TP over IPSec
• This provides the security of the IPSec protocol
  over the tunneling of Layer 2 Tunneling Protocol
  (L2TP).
• Primarily used for remote-access VPNs with
  Windows 2000 operating systems, since Windows
  2000 provides a native IPSec and L2TP client.
• Internet Service Providers can also provide L2TP
  connections for dial-in users, and then encrypt
  that traffic with IPSec between their
  access-point and the remote office network
  server.
• VPN References
• http//www.cisco.com/warp/public/471/how_vpn_works
  .shtmlintro
• http//pptpclient.sourceforge.net/

9
Network Security Controls Authentication /
Access Control

• Two goals of access control in a network
• To protect a single system from unauthorized
  users
• To prevent unauthorized users to access a
  computer by passing through another computer
  (distributed authentication)
• Protection of dial-in ports
• a special case of distributed user authentication
• Automatic call-back
• Differentiated access rights depending on access
  methods (local vs remote)
• Silent modem
• Q Any other methods for dial-in port protection?

10
Network Security Controls Distributed
authentication

• Two issues
• To protect a single system from unauthorized
  remote users ?distributed user authentication
• To protect a network node from unauthorized
  access coming from other nodes ?
  computer-to-computer authentication
• Several approaches
• Distributed Authentication (by Digital, DEC)
• Kerberos (by MIT)
• DCE - Distributed Computing Environment (by OSF)
• SESAME (a European RD project)
• CORBA Common Object Request Broker Architecture
  (by OMG)

11
Digital Distributed Authentication

• 1989, 1990
• Gasser, Morrie, and Ellen McDermot. An
  Architecture for Practical Delegation in a
  Distributed System. Proceedings of the 1990
  IEEE Symposium on Security and Privacy. 5/1990.
• Issues to be resolved
• Impersonation of a server by a rogue process
• Interception / modification of data exchanged
  btwn servers
• Replay of a previous authentication
• Approach
• Creation of a session key using public keys
• The session key is used to encrypt further
  communications between the servers.
• Implementation issues public key distribution
  certification

12
Kerberos

• Kerberos (Greek) a 3-headed dog that in Greek
  mythology guards the entrance to Hades
• Steiner, J., Neuman, C., and J. Schiller, 1988
  "Kerberos An Authentication Service for Open
  Network Systems", pp. 191-202 in Usenix
  Conference Proceedings, 2/1988.
• Kohl, J. and C. Neuman, 1993 The Kerberos
  Network Authentication Service (V5). RFC1510.
  9/1993.
• Purpose authentication in distributed systems
• Two types of servers
• A Kerberos server (KS) establish a session key
  btwn a user and the TGS
• A ticket granting server (TGS) grant a ticket
  to a user request access to a resource

13
Kerberos

• Using Kerberos
• The user obtains a session key (SG)and a ticket
  (TG)from the KS. The KS also sends the session
  key and the users id to the TGS. (Fig. 9-21,
  p.413)
• Q. What is the session key for?
• Q. What information are contained in the ticket?
• Q. To whom would the user present the ticket?
• Q. Does the user transmit his password to the KS?
• The user requests access to an object by
  obtaining from the TGS a ticket (TF) and a
  session key (SF). (Fig. 9-22)
• Q. What is the session key for?
• Q. What information are contained in the ticket?
  SF (p.414)
• Q. To whom would the user present the ticket?
  Fig. 9-23
• Q. Can the ticket be read, modified or forged?
  Why or why not?

14
Kerberos

• Strength
• No passwords are transmitted on the network.
• Cryptographic protection against spoofing
  Every access is checked by the TGS and the
  respective resource server.
• Limited period of validity Every ticket has a
  time stamp.
• Time stamps to prevent replay attack Use of a
  reliable universal clock is required.
• Mutual authentication A secure channel btwn a
  user and a server can be established, via the use
  of a ticket and a session key. Both the serve
  and the user can authenticate each other. How?

15
Kerberos

• Weakness
• A continuously available TGS is required. Both
  reliability and performance may be potential
  problems.
• Trust between the TGS and every server is
  required. Trust in a distributed environment is
  hard to establish.
• Timely transactions are required.
• A subverted workstation can save and later replay
  user passwords.
• Password guessing works.
• Kerberos does not scale well. Why? Fig. 9-23,
  p.415.
• To enable the use of Kerberos in a distributed
  system, it is required that all applications use
  Kerberos.
• Q. Can the Kerberos server and the TGS be
  combined? Yes (see DCE).
• Q. What are the trade-offs?

16
Distributed Computing Environment

• An OSF project, 1992 (now the Open Group,
  http//www.opengroup.org/dce/)
• OSF DCE provides a foundation on which other
  distributed services and applications may be
  built. Fig. 9-24, p.416.
• DCE is called "middleware" or "enabling
  technology. It is not intended to exist alone,
  but instead should be bundled into a vendor's
  operating system offering, or integrated in by a
  third-party vendor.
• DCE is not an application in itself, but is used
  to build custom applications or to support
  purchased applications.
• The security service in DCE is based on Kerberos,
  with the KS and the TGS combined into a Security
  Server.
• A cell is an administrative domain, consisting of
  the set of subjects and objects managed together.
• OSF Distributed Computing Environment FAQ
• DCE RFCs

17
SESAME

• A European Commissions RD project
• Similar to DCE
• It uses Kerberos extensively.
• It preceded both Kerberos and DCE in use of
  public key technology for secure authentication
  and distributing privilege attributes and tickets
  to users.
• Note Both Kerberos and DCE used symmetric keys
  initially, but have moved to support public keys.

18
CORBA

• Common Object Request Broker Architecture
• An OMG specification, http//www.omg.org/corba/
• An ORB is a traffic director that joins clients
  requests to appropriate servers.
• Cross-platform interoperability
• Using the standard protocol IIOP (Internet
  Inter-ORB Protocol), a CORBA-based program from
  any vendor, on almost any computer, operating
  system, programming language, and network, can
  interoperate with a CORBA-based program from the
  same or another vendor, on almost any other
  computer, operating system, programming language,
  and network. (http//www.omg.org/gettingstarted/c
  orbafaq.htmWhatIsIt)

19
CORBA

• The separation of interface from implementation,
  enabled by OMG IDL, is the essence of CORBA.

20
CORBA Security Services

• Viega McGraw p.54
• OMG standards define two levels of CORBA security
  services.
• Level 1 is intended for applications that may
  need to be secure, but where the code itself need
  not be aware of security issues.
• In such a case, all security operations should be
  handled by the underlying ORB.
• Level 2 supports other advanced security
  features, and the application is likely to be
  aware of these.
• Most CORBAs security features are built into the
  underlying IIOP protocol, which supports secure
  communication using cryptography.
• Mutual authentication is possible between the
  server and the user.

21
CORBA

• Strength of CORBA
• Flexibility of security policy Any security
  policy may be supported, at the level of the ORB.
• Independence of security technology security
  technology neutral
• Interoperability
• Drawback
• CORBA specifications describe the means by which
  security functionality can be linked to a CORBA
  object, but there is no requirement to do so.
• Implementations of the CORBA specification vary
  widely in terms of supported functionalities.
  (Example tunneling connections through a
  firewall. See VM, p.56.)

22
Network Security Controls Traffic control

• Traffic (flow) analysis
• an attack launched by an interceptor who examines
  the traffic of a network to gather and/or to
  infer information
• The mere existence of messages flowing from one
  point to another can be sensitive information.
• Examples p.418
• Control against traffic analysis
• Spurious messages between points of low traffic

23
Network Security Controls Data Integrity Control

• The goal To ensure that data is correctly
  stored, communicated, and modified in the network
• Types of controls
• Cryptographic checksums
• Parity bits
• Byte parity bit 1 if the sum of bits in a byte
  is even 0 otherwise
• Longitudinal parity bit byte parity bit p.421
• Other error checking codes hash value, message
  digest
• Digital signatures In a network, digital
  signatures are used to check authenticity of a
  message and also to enable auditability/traceabili
  ty of data change.
• Notarization a 3rd party authority (notary)
  between two users in a network

24
Summary

• Next
• Email privacy PEM, PGP
• Firewalls