Chapter 4: Security of the architecture, and lower layer security
Outline
● Security of the architecture
● Access control
● Lower layer security
  – Data link layer
  – VPN access
  – Wireless access
1. Security of the architecture
● Security of the architectures
● Firewall

Security of the architectures
● Security of the architectures
  – specific to each architecture
  – few standards
  – often insufficient
● Several levels
● Security of the building / computer rooms
  – often neglected
  – access control required
● Network security
● Communication security
  – higher layers
  – often easy and fast to deploy
Classification of solutions
● Classification of solutions
  – extension solutions
  – transparent solutions
  – signaling solutions
● Extension solutions
  – add new features to existing protocols
  – interoperability problems
  – example: DNSSec
● Transparent solutions
  – inserted between two protocols
● Signaling solutions
  – operate within a layer
  – encapsulation by protocols of the same layer (rather than encapsulation by protocols of lower layers)
  – example: IPSec
● Local processing solutions
  – most deployed solutions
  – no interoperability problems
Firewall
● Firewall
  – packet filtering device
  – filtering rules are predefined
● Security policies
● Default rule
  – allowing packets implicitly: low security
  – rejecting packets implicitly: too restrictive
● Rule processing
  – sequential processing
Firewall: advantages
● Transparent
● Filtering at different levels
  – MAC, IP
  – application data
  – by user groups
● Able to deal with complex networks (NAT, DMZ,

Firewall: drawbacks
● Target of attacks
● Control required for each protocol (MAC, IP, HTTP, HTTPS, SQL, ...)
● Requires understanding filtering rules and their
Firewall
● Operation modes
  – stateless: packets are processed independently
  – stateful: the firewall stores a state for each protocol
● Stateless firewalls
  – simple filtering
● Stateful firewalls
Firewall and ACL
● Firewall operation
  – analyzes packets (or their headers) exchanged between two entities, located on each side of the firewall
  – uses ACL
● ACL = Access Control List
  – source IP, source port, destination IP, destination port
  – TCP (opening), TCP (communication) or UDP
● Source IP and destination IP: mask
● Source and destination ports: n, >n, list
● Action
  – authorization
  – rejection
Frequent ports
● Frequent ports
  – DNS (53)
  – HTTP (80, 8000, 8080) and HTTPS (443)
  – FTP (20 and 21) and TFTP (69)
  – SMTP (25), POP3 (110) and IMAP (143)
  – X (6000 to 6063), RIP (520), NFS (2049), LPD (Line
Firewall examples
● Example of specification
  – r1 - accept from 192.168.1.3:* to 193.49.118.1:25
  – r2 - accept from 192.168.1.0/24:* to *:80
● Example Cisco (simplified)
  – deny ip 192.168.1.0 0.0.0.255
  – permit tcp any any established
  – permit tcp any host 192.168.1.3 eq smtp
  – permit tcp any host 192.168.1.3 eq dns
  – permit udp any host 192.168.1.3 eq dns
  – deny tcp any any range 6000 6063
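The sequential, first-match ACL evaluation described on the Firewall and ACL slides, as an added Python example (not part of the original slides): rules r1 and r2 are the two rules of the specification above, r0 and r3 are constructed to show rule ordering and the ">n" port form, and the default rule is an implicit reject. 203.0.113.10 is a documentation-range placeholder for a public server.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    action: str    # "accept" or "reject"
    src: str       # IPv4 address, address/mask block, or "*" for any
    sport: str     # "*", "n", ">n" or "n,m,..." (the n, >n, list forms)
    dst: str
    dport: str

def ip_matches(spec: str, ip: str) -> bool:
    # A bare address acts as a /32 mask; "*" matches any address.
    return spec == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if spec.startswith(">"):                      # ">n": every port above n
        return port > int(spec[1:])
    return port in {int(p) for p in spec.split(",")}  # "n" or a list "n,m,..."

def evaluate(rules, packet, default="reject"):
    """Sequential processing: rules are tried in order and the first match
    decides; the default rule (implicit reject here) covers everything else."""
    src, sport, dst, dport = packet
    for r in rules:
        if (ip_matches(r.src, src) and port_matches(r.sport, sport)
                and ip_matches(r.dst, dst) and port_matches(r.dport, dport)):
            return r.action, r.name
    return default, "default"

# r1 and r2 are the rules of the example specification; r0 and r3 are
# constructed (r0 shows that an earlier rule wins, r3 shows the ">n" form).
RULES = [
    Rule("r0", "reject", "192.168.1.9", "*", "*", "*"),
    Rule("r1", "accept", "192.168.1.3", "*", "193.49.118.1", "25"),
    Rule("r2", "accept", "192.168.1.0/24", "*", "*", "80"),
    Rule("r3", "accept", "192.168.1.0/24", ">1023", "*", "443"),
]

if __name__ == "__main__":
    for pkt in [("192.168.1.3", 40000, "193.49.118.1", 25),
                ("192.168.1.9", 40000, "203.0.113.10", 80),   # r0 wins over r2
                ("192.168.1.7", 40000, "203.0.113.10", 80),
                ("192.168.1.7", 80, "203.0.113.10", 443)]:    # source port too low for r3
        print(pkt, "->", evaluate(RULES, pkt))
```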
Firewall: problems
● Problems
  – no authentication
  – no confidentiality
  – external connections are not taken into account
    ● network access that bypasses the firewall
    ● external storage / communication devices (USB sticks)
Proxy
● Proxy = intermediate device
  – device on the client side, relaying (and modifying) communications between a client and a server
  – use: filtering, caching, logging, anonymizing
● Types of proxies
  – transparent proxy ≠ anonymizing proxy
  – tunnel (or gateway) = does not modify communications

Reverse proxy
● Reverse proxy
  – device on the server side, relaying (and modifying) communications between a client and a server
  – use: in front of the main server, caching,

Proxy
● Generally concerns the following protocols
  – HTTP
  – FTP
  – SSH
● Security aspects
  – can provide anonymity
  – eases / centralizes the application of security policies (access control)
  – logs usage
  – processes entering content (antivirus, anti-spam) and leaving content (information leaking)
NAT
● Definition: network address translation
  – operation: principle, translation table
● Advantages
  – private addressing is independent from the public addressing (provides flexibility + hides the private architecture)
● Drawbacks
NAT + PAT
● Definition: network address and port translation
  – IPv4 address space is (nearly) exhausted
  – operation: principle, address and port translation table
  – example: private client accessing a public server
  – masquerading: the public address is the address of
● Problem: public client accessing a private server
● Solution: manual configuration
● Private addresses
  – 10.0.0.0 / 8
● Advantages
  – no need to have several public addresses
● Drawbacks
  – initiated by the client (only)
  – client does not know its own IP address (problems with protocols such as FTP)
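The address and port translation table of masquerading NAT+PAT, as an added Python example that is not part of the original slides: private clients in 10.0.0.0/8 share one public address, replies are mapped back through the table, a public client reaching a private server fails unless a manual (static) entry exists. The public address 203.0.113.5 and all other addresses are constructed placeholders.

```python
import ipaddress
import itertools
from dataclasses import dataclass

PRIVATE = ipaddress.ip_network("10.0.0.0/8")   # private range from the slide
PUBLIC_IP = "203.0.113.5"    # constructed public address (documentation range)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatPat:
    """Masquerading NAT+PAT: every flow leaving the private network is rewritten
    to the single public address and a fresh public port; the translation table
    remembers the mapping so replies reach the right private host."""
    def __init__(self, first_port=40000):
        self.table = {}          # public port -> (private ip, private port)
        self.reverse = {}        # (private ip, private port) -> public port
        self._ports = itertools.count(first_port)

    def outbound(self, pkt):
        if ipaddress.ip_address(pkt.src_ip) not in PRIVATE:
            raise ValueError("only private sources are translated")
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.reverse:            # new flow: allocate a public port
            port = next(self._ports)
            self.table[port] = key
            self.reverse[key] = port
        return Packet(PUBLIC_IP, self.reverse[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Packet from the public side: translated back only if its destination
        port is in the table. A public client contacting a private server gets
        None, because no private host initiated that flow."""
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])

    def forward_port(self, public_port, private_ip, private_port):
        """Manual configuration: a static entry makes a private server reachable."""
        self.table[public_port] = (private_ip, private_port)
        self.reverse[(private_ip, private_port)] = public_port
```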
DMZ
● Description of a DMZ
● Objectives
  – network partitioning
  – the security of the internal part of the network is independent from the security of the external part

Netfilter
● Netfilter
  – Linux software firewall
  – manages filtering and NAT
IDS
● IDS = Intrusion Detection System
  – passive component
  – used in addition to a firewall
● Objective: to detect suspicious behaviors, intrusions and attacks

NIDS
● Mechanism
  – traffic monitoring
● NIDS placement
  – key location of the architecture: central location,

HIDS
● Mechanism
  – monitoring of error logs, audit logs, file access rights, used resources
● Placement
Detection methods
● Signature-based detection
  – detection of known attack schemes
  – example: attack of "large ICMP packets" against "BlackIce Defender" firewalls
● Suspicious behavior detection
  – comparison between usual behavior and current behavior
● Integrity check based detection
  – verification of file integrity
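Signature-based and suspicious-behavior detection side by side, as an added Python example that is not part of the original slides: the "large ICMP packet" signature is a predicate over constructed sample traffic (the 1024-byte threshold is a constructed value), and the behavior detector compares a host's current activity with its usual profile. The sample hosts and counts are constructed.

```python
from statistics import mean, pstdev

# Constructed sample traffic: (source host, protocol, size in bytes, destination port)
PACKETS = [
    ("10.0.0.5", "tcp", 120, 80), ("10.0.0.5", "tcp", 300, 443),
    ("10.0.0.9", "icmp", 64, None), ("10.0.0.9", "icmp", 65000, None),
    ("10.0.0.7", "udp", 90, 53), ("10.0.0.7", "icmp", 1500, None),
]

# Signature-based detection: each known attack scheme is a predicate on a
# packet. The size threshold (1024) is a constructed value for this example.
SIGNATURES = {
    "large ICMP packet": lambda p: p[1] == "icmp" and p[2] > 1024,
}

def signature_alerts(packets):
    """Returns (signature name, source host) for every packet matching a known
    scheme. Unknown schemes are never reported: that is a false negative."""
    return [(name, p[0]) for p in packets
            for name, matches in SIGNATURES.items() if matches(p)]

def behavior_alerts(history, current, k=3.0):
    """Suspicious-behavior detection: 'history' maps a host to the per-window
    activity counts seen during normal operation, 'current' to the count in the
    window under examination. A host is flagged when it exceeds
    mean + k * standard deviation (deviation floored at 1). A legitimate burst
    crosses the same threshold: that is the false-positive drawback."""
    alerts = []
    for host, count in current.items():
        past = history.get(host, [])
        if len(past) < 2:
            continue            # no usable profile yet: a new host is never flagged
        threshold = mean(past) + k * max(pstdev(past), 1.0)
        if count > threshold:
            alerts.append(("unusual activity", host))
    return alerts

if __name__ == "__main__":
    print(signature_alerts(PACKETS))
    history = {"10.0.0.5": [3, 4, 3, 5, 4], "10.0.0.9": [2, 2, 3]}   # constructed profiles
    print(behavior_alerts(history, {"10.0.0.5": 40, "10.0.0.9": 3, "10.0.0.7": 100}))
```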
Drawbacks of IDSs
● Produces false positives
  – alarm generated for a legitimate behavior
● Produces false negatives
  – no alarm generated for an illegitimate behavior
● Not all attacks are detected
● Does not block intrusions

Software IDS
● Example: SNORT
  – open-source free software
  – signature-based IDS
2. Access control
● AAA = Authentication, Authorization,

AAA
● Often used by internet access providers (or by a company for its private network)
● NAS = Network Access Server
  – network access point
  – several NASs
● RAS = Remote Access Server
  – centralized access policy
RADIUS
● RADIUS = Remote Authentication Dial-In User Service
  – authentication via a shared database
  – example: Internet access, POP, apache
  – client/server protocol based on requests/responses
  – data is encrypted using a (pre-)shared key
● RADIUS server
  – communicates with an external database (LDAP, SQL, user accounts)
● Operation
  – NAS acts as an intermediate between users and the RAS
  – the user requests the NAS (using a login and a password)
  – access-request and access-challenge sequence
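How the (pre-)shared key protects the password inside an Access-Request and authenticates the server's reply, as an added Python example that is not part of the original slides; it follows the User-Password hiding of RFC 2865 section 5.2 and the Response Authenticator of section 3, leaving out the attribute TLV framing. The secret, Request Authenticator and password below are constructed values.

```python
import hashlib
import struct

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: the User-Password attribute of an Access-Request is
    not sent in clear. The password is padded with NULs to a multiple of 16
    bytes and XORed block by block with MD5(secret + previous block), the first
    'previous block' being the 16-byte random Request Authenticator."""
    nblocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * nblocks, b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], stream))
        hidden += block
        prev = block
    return hidden

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: regenerate the same stream from the shared secret, XOR again
    and strip the padding. Without the secret the result is garbage."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        clear += bytes(x ^ y for x, y in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: Access-Accept/Reject/Challenge replies carry
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), which lets the
    NAS check that the reply came from a server that knows the shared secret."""
    length = 20 + len(attrs)                # 20-byte RADIUS header + attributes
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attrs + secret).digest()
```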
RADIUS
● Accounting
  – objective: logging and billing
● Mechanism
  – START packet when access starts
  – STOP packet when disconnected, or after a timeout expires
● Drawbacks
  – UDP protocol
3. Lower layer security
● Data link layer
  – PAP
  – CHAP
  – PPP
  – EAP

Data link layer
● Security at the lowest level
  – critical
● Multipoint type
  – internal network
  – Ethernet
● Point to point type
  – external connection
PAP and CHAP
● PAP = Password Authentication Protocol
  – sends a pair (login, password) as plaintext
  – verification of the pair
● CHAP = Challenge Handshake Protocol
  – client sends an identification
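PAP's plaintext comparison next to the CHAP challenge/response, as an added Python example that is not part of the original slides: the response is computed in the MD5 form of RFC 1994, MD5(Identifier || secret || Challenge), and the server consumes each challenge once so that a captured response cannot be reused. The credential store, login name and secret are constructed.

```python
import hashlib
import hmac
import os

# Constructed credential store. CHAP needs the plaintext secret on the server
# (the expected response cannot be computed from a stored password hash).
SECRETS = {"alice": b"s3cret"}

def pap_authenticate(login: str, password: bytes) -> bool:
    """PAP: the (login, password) pair travels in plaintext and is compared as is;
    anyone observing the link learns the password and can replay it."""
    secret = SECRETS.get(login)
    return secret is not None and hmac.compare_digest(secret, password)

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side (RFC 1994, MD5 algorithm): MD5(Identifier || secret || Challenge).
    Only this 16-byte digest crosses the link, never the secret itself."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class ChapServer:
    def __init__(self, secrets):
        self.secrets = secrets
        self.pending = {}            # identifier -> challenge awaiting a response

    def challenge(self):
        """Issue a fresh 1-byte identifier and 16-byte random challenge value."""
        ident, value = os.urandom(1)[0], os.urandom(16)
        self.pending[ident] = value
        return ident, value

    def verify(self, login: str, ident: int, response: bytes) -> bool:
        """Each challenge is consumed on first use, so a captured response is
        useless later: the next challenge yields a different expected digest."""
        value = self.pending.pop(ident, None)
        secret = self.secrets.get(login)
        if value is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, value), response)
```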
PPP
● PPP = Point to Point Protocol
  – transmission protocol operating at layer 2, between two hosts
  – supports PAP and CHAP
● Mechanism
  – encapsulation of packets
  – link control (LCP = Link Control Protocol): manages frame size and authorizes the communication
  – network control (NCP = Network Control Protocol):

EAP
● EAP = Extensible Authentication Protocol
  – universal authentication mechanism
  – used in point-to-point or in wireless
● Defines frames having a specific format (request, response, success, EAP-failure)
VPN
● VPN = Virtual Private Networks
● Objective
  – interconnect distant computers via an existing (insecure) network
  – form a private network between those computers
● Example

VPN
● Interconnection
  – layer 2: via a PPP link
  – layer 3: via an IP link
● Mechanism: tunnelling (through encapsulation)
● Examples
  – layer 2: PPTP, L2F, L2TP
VPN - PPTP
● PPTP = Point-to-Point Tunnelling Protocol
  – RFC 2637, developed by Microsoft
  – client/server protocol (does not work for network/network or client/network modes)
● Mechanism
  – signalling on TCP port 1723 (opening, closing, authentication)
  – layer 2 protocol that encapsulates PPP frames in IP

VPN - PPTP
[Figure: PPTP encapsulation stack: IP (proto = GRE) | GRE (proto = PPP) | PPP (proto = IP) | IP | Payload]
● Advantages
  – supports MPPE (Microsoft Point-to-Point Encryption)
  – supports MPPC (Microsoft Point-to-Point
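The GRE | PPP | IP | Payload part of the PPTP stack built and parsed back, as an added Python example that is not part of the original slides; it uses the enhanced GRE header of RFC 2637 section 4 (K and S bits set, version 1, protocol type 0x880B, key = payload length and call id, optional acknowledgment). The outer IP header is left to the IP layer, and the inner IP packet is a constructed placeholder.

```python
import struct

GRE_PROTO_PPP = 0x880B   # GRE Protocol Type for PPP (RFC 2637 section 4)
PPP_PROTO_IP = 0x0021    # PPP protocol number for an IPv4 packet
# First 16 bits of the enhanced GRE header: K (key present) and S (sequence
# number present) set, Version = 1; the A bit is added when an ack is carried.
GRE_FLAGS_KS_V1 = 0x3001
GRE_FLAG_ACK = 0x0080

def pptp_encapsulate(call_id: int, seq: int, ip_packet: bytes, ack=None) -> bytes:
    """Wrap an IP packet in a PPP frame, then behind an enhanced GRE header:
    GRE | PPP | IP | Payload. The outer IP header (proto = GRE) is added by
    the IP layer and is not built here."""
    ppp_frame = struct.pack("!H", PPP_PROTO_IP) + ip_packet
    flags = GRE_FLAGS_KS_V1 | (GRE_FLAG_ACK if ack is not None else 0)
    # Key field = payload length (high 16 bits) and call id (low 16 bits),
    # followed by the sequence number and, if A is set, the ack number.
    hdr = struct.pack("!HHHHI", flags, GRE_PROTO_PPP, len(ppp_frame), call_id, seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + ppp_frame

def pptp_decapsulate(packet: bytes) -> dict:
    """Parse the GRE header, check that it is PPTP's enhanced GRE and that the
    advertised payload length matches, and return the inner fields."""
    flags, proto, length, call_id, seq = struct.unpack_from("!HHHHI", packet)
    if proto != GRE_PROTO_PPP or (flags & 0x0007) != 1 or not (flags & 0x2000):
        raise ValueError("not an enhanced GRE / PPP packet")
    offset, ack = 12, None
    if flags & GRE_FLAG_ACK:
        (ack,) = struct.unpack_from("!I", packet, offset)
        offset += 4
    ppp_frame = packet[offset:]
    if len(ppp_frame) != length:
        raise ValueError("payload length mismatch")
    (ppp_proto,) = struct.unpack_from("!H", ppp_frame)
    return {"call_id": call_id, "seq": seq, "ack": ack,
            "ppp_proto": ppp_proto, "ip_packet": ppp_frame[2:]}
```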
VPN - L2F
● L2F = Layer Two Forwarding
  – RFC 2341, developed by Cisco
● Mechanism
  – client/server protocol
  – PPP connection between the client and the network access point, and L2F tunnel between the network access point and the server

VPN - L2TP
● L2TP = Layer Two Tunnelling Protocol
  – RFC 2661 and RFC 3931, developed by Cisco and Microsoft
  – based on PPTP and L2F
● Mechanism
  – uses UDP to encapsulate PPP
  – provides robustness for control packets, but not for
VPN - L2TP
● Prior to the communication: tunnel establishment, session establishment (one session for each communication)
● Architectures
  – client => LAC (L2TP Access Concentrator) => LNS (L2TP Network Server) => network
  – client LAC => LNS => network
[Figure: L2TP encapsulation stack: IP | L2TP | PPP | IP | Payload]

VPN - L2TP
● Drawback
  – no confidentiality
● Solution: L2TP/IPSec
  – IPSec creates a secure channel
VPN - GRE
● GRE = Generic Routing Encapsulation
  – RFC 2784, developed by Cisco
● Simple protocol

VPN - GRE
● Detects broken links
  – if there is no route towards the destination
  – if the interface that leads to the dest. is shut down
  – if the route to the dest. passes through a tunnel
● Keepalive messages
  – the broken link detection does not take into account

4. Appendices