Communication systems – 17th lecture (last)
Chair of Communication Systems, Department of Applied Sciences, University of Freiburg, 2006

Post on 18-Dec-2015



Communication systems – administrational stuff

● Last lecture for this semester
● Friday is the written exam, starting at 11am sharp, Room 03-026 in this building (attic, end of stairs)
  – We gave some hints in the last practical course on Tuesday
  – Please bring a fountain/ballpoint pen with you (seats, tables and writing paper are provided by us)
● Grades from oral or written exams will be sent to the examinations office (and will be available there at the beginning of the winter term)
  – If you need a special printed paper, please tell us / send an email so we can prepare it; it will be available at the secretaries of the computing department

Communication systems – administrational stuff – seminar next semester

● The professorship will hold a block seminar on “Security, trust and law in the Internet” next winter in cooperation with MPICC (dept. of Prof. Sieber)
  – Unfortunately the faculty was not able to hold the central information block on available seminars soon enough
  – We expect written seminar papers by the end of October; the three seminar dates are on Friday/Saturday at the end of November / beginning of December
  – The seminar can be taken for the field of specialization #6
  – Topics like SPAM, cracking, phishing, etc. will be covered
  – The seminar is in German only!
  – More information on the individual topics can be found on the homepage


Freiburg Embedded Systems Talks – Academia meets Industry

Talks: 16–18 October 2006
Workshops: 19–20 October 2006
Festive event with live music: 16 October 2006, from 18:00
Venue: 11th Faculty, Building 101
Further information: http://festami.informatik.uni-freiburg.de

Speakers (excerpt):
  – Prof. Dr.-Ing. Dr. h.c. Rolf Isermann
  – Prof. Dr. Leonhard Michael Reindl
  – Prof. Dr. Wilhelm Schäfer
  – Prof. Dr.-Ing. Peter Woias
  – Prof. Dr. Hans-Joachim Wunderlich

Topics:
  – Software engineering
  – Reconfigurability / fault tolerance
  – Wireless / low-power
  – Sensor networks

Participation is free of charge for students and staff!

Communication systems – last lecture – SIP and H.323

● We talked about and demonstrated (in the practical course) SIP (session initiation protocol) and H.323 (both might be part of the written exam questions)
  – Telephony over IP networks
  – Only session setup
  – Compression and packet transport are left to other services like RTP and RTCP
  – The latter define container and control protocols for multimedia data streams
  – H.323: standard developed by telcos (ITU)
  – SIP: Internet standard, thus the two differ definitely in their designs

Communication systems – this lecture – security in computer networks

● We leave the area of telephony and talk of a completely different field again
● The topic of this lecture will NOT be asked in exam questions :-)
● After some overview on the several network layers
  – IP v4 and v6 on the third OSI layer (network)
  – TCP, UDP on the fourth OSI layer (transport)
  – and several protocols for the underlying first and second layer (physical and data link layer)
● “security” is a very broad topic, connected not only to networks but to many other aspects of computers

Communication systems – this lecture – security in computer networks

● This lecture: a short introduction into the problems of open networks, types and points of possible attacks
  – more than an introduction is not possible
  – whole lectures may be held on that topic
● Security measures do not focus on a single network layer
● Different measures try to solve different problems that might occur
● There is no single measure which will solve all security issues at once
● New types of attacks will evolve, and with them new types of counter measures

Communication systems – network insecurity – simple packet snapshot (pract. course)

Communication systems – network insecurity

● IP packets are easily readable (if provided with the proper tools)
● e.g. Ethereal can provide the user/network administrator
  – with a graphical user interface for interpreting packets
  – can grab all packets visible to a machine (promiscuous mode in LANs like Ethernet)
  – can sort out TCP streams (check which packets are part of a certain communication)
  – can interpret most protocol packets
● You should be familiar with this tool (and others like tcpdump) from the several practical courses

Communication systems – network insecurity

● Why are packets so easily readable?
● All communication has to follow standards, otherwise no communication would be possible (think of people talking in different languages with each other)
● Even non-open protocols, like certain implementations of Windows network services, are interpretable: the Samba service was developed through trial-and-error and reverse engineering
● Thus: no security by obscurity!!
● In the beginning of "The Internet”
  – very few participants in networks
  – very few computers connected to each other
  – very few people with deep understanding of networking
  – not many network analysis tools available (for free)

Communication systems – network insecurity

● restricted computing power of connected machines
  – protocols should be very simple and should not impose high loads on the machine
  – encryption technologies were not common knowledge / restricted for export ("strategic technology”)
● and: the simplicity of the TCP/IP protocol suite helped the rapid growth of the Internet and its fast adoption by the different operating systems
● by now: the Internet is one of the base technologies for information exchange and communication
● a wide range of businesses directly depend on this network (online shops, auctions, b2b, games, advertisements, porn sites, ... :-))

Communication systems – network insecurity

● inner and intra-firm communication moves from the classic communication media telephone and fax over to mail and similar technologies
  – sending and reception of a wide range of digital objects
  – e.g. with the “Melissa” virus you could observe employees entering their offices at eight and leaving them at half past nine (no mail and online communication was available – most MS operated networks)
  – production and development heavily depend on networks – most information between firms is directly interchanged between databases over the net
  – in the future: move of telecommunications into IP networks to avoid duplicated infrastructure and cut communication costs

Communication systems – network insecurity

● networks could be attacked on all layers
● layer 1 and 2
  – e.g. ARP spoofing in broadcast networks for man-in-the-middle attacks, redirection of default gateway traffic over the attacker's host (fifth lecture)
  – “dialer” programs – redirection of Internet traffic over costly dial-in lines (the attack is of course induced via web applications, trojan horses, ...)
● layer 3
  – IP spoofing – forging of IP addresses for good or malicious reasons (explained later) as motivation for IPsec
  – attacking routing protocols, e.g. RIP (II), for redirecting traffic in LANs

Communication systems – network insecurity

● networks could be attacked on all layers
● layer 1 and 2
  – rather simple within WLANs (unguided media with no distinct boundaries):
    ● spamming with corrupt packets or simply noise (microwave oven) – the frequency band is rendered unusable
    ● breaking the weak WEP algorithm
  – e.g. ARP spoofing in broadcast networks for man-in-the-middle attacks, redirection of default gateway traffic over the attacker's host (earlier lecture)
  – “dialer” programs – redirection of Internet traffic over costly dial-in lines (the attack is often initiated via web applications, trojan horses, ...)

Communication systems – network insecurity

● layer 4
  – very simple to send unsolicited UDP packets – connectionless service (thus spoofing of protocols like SNMP, DHCP, DNS, ...)
  – take over open TCP connections – grab an open telnet, mail, http session to use an authenticated session to a remote host
  – TCP SYN attacks (open as many TCP connections as possible from different hosts and leave them in open state without further communication – a type of distributed denial of service, DDoS)
  – dynamic routing protocols (drop-in replacement for TCP or UDP) have their weaknesses too ...

Communication systems – network insecurity

● application layers (layer 5 – 7)
  – SPAM: an attack on productivity in every organization and network / overload of mail boxes to stop reception of further email
  – redirection of users/traffic through modification of DNS replies, DNS caches
  – cracking passwords to gain access to accounts, databases ...
  – by now: so called “bot-nets”
    ● groups of computers corrupted by some worm or system / service weakness
    ● waiting for special incoming packets for distributed denial of service (DDoS) attacks, SPAM relaying, file exchange, ...

Communication systems – network security measures

● different security measures for different network layers and protocols
  – application layers: e.g. PGP for mail – end-to-end mail encryption
  – advantages:
    ● PGP/GnuPG available for many OS / mail clients
    ● independent of admin permissions of the underlying OS
    ● the key ring can be put on a USB stick (or similar) and deployed on more than one machine
  – disadvantages:
    ● available for mail / filesystem encryption only
    ● the mail header (and all protocols below) stays visible to everyone along the route, even though the communication is end-to-end

Communication systems – network security measures

● Transport layer: an extension to service protocols, put between TCP and the higher-level protocol
  – Secure socket layer (SSL: initially developed by Netscape to secure http connections, to allow secure applications as a prerequisite for online shopping, home banking, ...)
  – Transport layer security (TLS, or SSL v3) – the modern version of SSL

Communication systems – network security measures

  – by now implemented for a wide range of TCP applications
    ● Web: https – port 443
    ● Mailboxes: imap4 – imaps, port 993
    ● Hierarchical database: ldap – ldaps, port 636
  – OpenSSL – open source implementation of the SSL library
  – SSL requires certificate authorities (CA) to really know who the communication partner is
    ● hierarchical structures of trust are rather costly
    ● information on the CA has to be put into the application, e.g. the Web browser
  – Rather strong requirement in the rather “unregulated” Internet

Communication systems – network security measures

  – Advantages of SSL/TLS:
    ● Library functions which can be relatively easily applied to every TCP application
    ● Freely available for all common OS
    ● Relatively widespread through use with HTTP communication
    ● Relatively mature (some security flaws were detected and fixed)
    ● For non-SSL-enabled / rather old applications or protocols, secure tunnels via SSH (secure shell) can be established
    ● Some certificate authorities are available

Communication systems – network security measures

  – Disadvantages of SSL/TLS:
    ● Not available for applications using UDP (or more difficult to apply), no SSH tunnels possible
    ● Incompatibilities with/of older versions of SSL
    ● CAs are rather expensive and not really compatible with each other
      – e.g. the University of Freiburg uses some CA but would pay extra money to enable every virtual web / mail host to use an authorized certificate (e.g. examine the certificate of the mail server ...)
      – Every CA has to be known to the web browsers and protocols using SSL

Communication systems – network security measures

  – By now many universities and scientific organizations use the services of the DFN CA
    ● This CA is available free of charge to the members of that network
    ● The root certificate is integrated into the popular open source browsers (of course not into IE – M$ will most probably charge for that :-))
  – There is a more “general” solution to link encryption and authentication than SSL/TLS

Communication systems – network security measures

  – Network layer: IPsec protocol
  – Mostly in parallel to the SSL development, the need for secured IP connections was stated
  – The IETF created a working group which should backport IP v6 security features to IP v4 networks
    ● Many participants in that working group
    ● Long processes
    ● Many incompatibilities between different vendors

Communication systems – network security measures

  – Data link layer: PPTP or L2TP
  – PPTP (point-to-point tunneling protocol) is a Microsoft development for security enhancements to PPP
  – PPP allows transporting more than one network layer protocol (e.g. IPX) beside IP
  – PPTP was cracked some years ago – some security issues not solved ...
  – PPTP is available for other operating systems too
  – L2TP (layer 2 tunneling protocol) is prepared for adding security features too – but some issues not solved
  – For layer 2 tunneling: OpenVPN (open source project, available for OS with a tun/tap network device)

Communication systems – network security measures

  – OpenVPN uses the SSL library to encrypt traffic; it can be used for securing layer 2 and IP connections
  – Uses UDP packets for easy crossing of masquerading routers
  – Can use TCP connections, and connections over HTTP proxies, too
  – Disadvantages: only point-to-point connections by now
    ● need to set up several connection endpoints on a server with the older 1.N versions
    ● multipoint connections to the same server port would be available with the 2.0 version
  – Not an officially standardized protocol, but in broad use in many setups

Communication systems – network security measures – summary

Communication systems – network insecurity – address spoofing

● We talked about ARP and ARP spoofing earlier in this lecture / practical course
  – Without authentication it is impossible to say which communication partner generated a certain packet
  – Same problem on higher layers too
● Same problems with WEP (lecture on Wireless LAN), layer 2 security measures ...
● IP spoofing is the creation of IP packets using some other IP address as source

Communication systems – IP insecurity – IP spoofing

● IP source and destination addresses can be easily modified (you only have to recompute the header checksum afterwards)
  – e.g. useful for IP masquerading (hide whole networks behind a masquerading router – common technique for home LANs)
● Tools to do so: iptables (Linux firewall package – an example was given in one of the practical courses), WinPcap, sendpacket, raw sockets, ...
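As an added example (Python, not part of the lecture slides), the following code builds a constructed IPv4 header, rewrites its source address the way a masquerading router does and recomputes the RFC 1071 header checksum. It shows the point made on this slide: the checksum only catches transmission errors, so after recomputation a receiver has no way to tell a rewritten source address from a genuine one, which is the gap IPsec authentication (later in the lecture) closes. The addresses are sample values from the documentation ranges, not from the slides.

```python
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
PROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum of all 16-bit words of the header.

    Computed over a header whose checksum field is zero it yields the value to
    store there; computed over a header that already carries a correct checksum
    it yields 0, which is how receivers verify it.
    """
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      proto: int = PROTO_TCP, ttl: int = 64,
                      ident: int = 0x1234) -> bytes:
    """Construct a minimal IPv4 header (IHL=5, no options) with a valid checksum."""
    ver_ihl = (4 << 4) | 5
    zero_csum = struct.pack(IPV4_FMT, ver_ihl, 0, 20 + payload_len, ident, 0,
                            ttl, proto, 0,
                            ipaddress.IPv4Address(src).packed,
                            ipaddress.IPv4Address(dst).packed)
    return zero_csum[:10] + struct.pack("!H", ipv4_checksum(zero_csum)) + zero_csum[12:]


def parse_ipv4_header(header: bytes) -> dict:
    """Decode the fields a router or packet filter actually looks at."""
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, csum,
     src, dst) = struct.unpack(IPV4_FMT, header[:20])
    return {
        "version": ver_ihl >> 4,
        "ihl": ver_ihl & 0x0F,
        "total_len": total_len,
        "ttl": ttl,
        "proto": proto,
        "checksum": csum,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }


def checksum_ok(header: bytes) -> bool:
    """A header with a correct checksum sums to zero under the RFC 1071 rule."""
    return ipv4_checksum(header[:20]) == 0


def rewrite_source(header: bytes, new_src: str, recompute: bool = True) -> bytes:
    """Replace the source address as a masquerading router does.

    With recompute=True the checksum is refreshed and the packet is
    indistinguishable from one that really originated at new_src.  With
    recompute=False the stale checksum stays and the next hop discards the
    packet as corrupt: the checksum protects against line errors, not against
    deliberate rewriting by anyone on the path.
    """
    new_hdr = header[:12] + ipaddress.IPv4Address(new_src).packed + header[16:20]
    if not recompute:
        return new_hdr + header[20:]
    zeroed = new_hdr[:10] + b"\x00\x00" + new_hdr[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:] + header[20:]


# Constructed sample: a host on a private home LAN sends a TCP segment to a
# server; the masquerading router rewrites the source to its public address.
LAN_HOST = "10.0.0.5"
SERVER = "203.0.113.5"
ROUTER_PUBLIC = "198.51.100.1"


def masquerade_demo() -> dict:
    original = build_ipv4_header(LAN_HOST, SERVER, payload_len=20)
    stale = rewrite_source(original, ROUTER_PUBLIC, recompute=False)
    masqueraded = rewrite_source(original, ROUTER_PUBLIC)
    return {
        "original_src": parse_ipv4_header(original)["src"],
        "original_ok": checksum_ok(original),
        "stale_ok": checksum_ok(stale),               # False: checksum no longer matches
        "masqueraded_src": parse_ipv4_header(masqueraded)["src"],
        "masqueraded_ok": checksum_ok(masqueraded),   # True: receiver cannot tell
    }


if __name__ == "__main__":
    for key, value in masquerade_demo().items():
        print(f"{key}: {value}")
```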

Communication systems – IP insecurity – IP spoofing

● forging the source IP address causes responses to be misdirected, meaning that no normal network connection can be created
● originates in the packet switched nature of IP networks
● IP routing is done on a hop-by-hop basis
● the delivery route is determined by the routers that participate in the delivery process
● routers use the “destination IP” address in order to forward packets through the Internet, but “ignore” the source address field – the point of attack for IP spoofing
● or asymmetric routing – a packet is sent out on one interface and received over another

Communication systems – IP insecurity – IP address spoofing in special scenarios

● prerequisite for some types of SAT connections (incoming via satellite, outgoing via modem / ISDN)
  ● the user makes the request using the return channel
  ● the ISP receives the data from the Internet and sends it out through the satellite
  ● the user receives the data through the satellite receiver (card)

Communication systems – IPsec – IP v4 insecurity

● IP v4 does not implement any security (easy IP spoofing, easy rewriting of packets, no encryption)
● As we will see, firewalls do not secure outgoing or inbound traffic but shield the internal LAN
● For secure communication over an insecure network (not because of lost packets or connections – but special agencies listening on routers and wires) encryption will be needed
● If hosts in a secured internetwork should interoperate as easily as in the classical Internet, a standard for secure communication is needed

Communication systems – IPsec – IP v4 insecurity

● IP and transport headers must be easily readable for routers and network engines
● But the packet payload is easily readable too, if the proper tools for analysis are applied (i.e. Ethereal)
● Example of an HTTP POST packet (login to a well-known free mail provider: ID and password could be identified without problem)

Communication systems – IPsec – overview

● IP level security -> IPsec
● IPSEC is Internet Protocol SECurity
● The level above the network layer is the place where IPsec was put – no alteration to IP was needed, simply the transport protocol was interchanged (or an additional security header introduced)
● It uses strong cryptography to provide both authentication and encryption services
  – Authentication ensures that packets are from the right sender and have not been altered in transit
  – Encryption prevents unauthorized reading of packet contents
● Topic covered in other lectures: Telematics/Internet-Working

Communication systems – IPsec – VPNs

● It allows multiple access for e.g. teleworkers to the company LAN
● Without VPN
  – a costly separate infrastructure would be needed
  – often inflexible
● Construction of a VPN
  – connection of all participating parties to the Internet
  – the VPN client asks for a secure connection from the server
  – authentication via username/password, shared secret, key cards ...
  – after validation the tunnel is set up with special IP routes

Communication systems – IPsec – VPN problems

● Problems with VPN gateways
  – gateway machines are reachable over the public Internet
  – could be attacked for break-in, denial of service
  – security could be increased through a combination of authentication methods
● Security at the tunnel end point
  – split tunnel – an unencrypted interface to the Internet is needed (transport medium for the encrypted traffic)
  – the user machine is not secured against attacks from the Internet
  – “hardened tunnel” – no connection/routing to the local LAN is allowed, the user end point machine obtains a private IP from the internal network

Communication systems – network security – other directions to look

● By now we discussed encryption and authentication measures put on different protocol layers to improve security
● We ensure this way that nobody can read/alter the packets of a communication during transit
● We do not secure a machine that way – vulnerability to attacks, DoS have to be abated some other way
● A completely different path of thought
  – not to protect own traffic from sniffing ...
  – but to allow or block traffic at the gateway, router, end system ...
● Traffic / packet filtering on different levels is another concept to increase security – parts of it will be discussed in the next part of the lecture ...

Communication systems – network security – “the magic device”: firewall

● Take a completely new track now ...
● Firewalls are traffic / packet filters that operate on different layers of our OSI protocol stack
● Try for a definition: “A firewall is a network security device designed to restrict access to resources (information or services) according to a security policy”
● An important remark is to be made here:
  – Firewalls are not a “magic solution” to network security problems, nor are they a complete solution for remote attacks or unauthorized access to data!!
  – Firewalls can be circumvented in several ways and may increase the complexity of the network and this way decrease the level of security!

Communication systems – network security – firewalls

● A firewall is often a network security device, but can be (or simply is) implemented directly in the end systems
● It serves to connect two parts of a network and control the traffic (data) which is allowed to flow between them
● Often installed between an entire organization's network and the Internet
● A firewall is always the single path of communication between protected and unprotected networks
  – Of course there are special cases of multiple firewalls, redundant connections, fault-tolerant failover etc.
  – A firewall can only filter traffic which passes through it
  – If traffic can get to a network by other means, the firewall cannot block it

Communication systems – network security – firewalls

● Types of firewalling concepts:
  – (MAC / ethernet frame filter)
  – Packet filter
  – Circuit-level proxy
  – Stateful packet filter
  – Application-level proxy
● Filtering on the data link layer
  – ethernet frames contain source and destination addresses: MAC
  – allow only frames to be delivered from known sources, block frames with unknown MACs

Communication systems – network security – firewalls

● Filtering on the network layer
  – Source & destination IP addresses
    ● Source address
    ● Destination address
  – Both are numerical – it is not easy for a firewall to deal with machine or domain names
  – e.g. www.hotmail.com
    ● Request: client = source, server = destination
    ● Response: server = source, client = destination

Communication systems – network security – firewalls

● Filtering on the transport level
  – This is where we deal with (mostly) TCP and UDP port numbers
    ● e.g.: 25 SMTP – sending email (TCP)
    ● 110 POP3 – collecting email (TCP)
    ● 143 IMAP – collecting email (TCP)
    ● 389 LDAP – directory service (TCP)
    ● 636 LDAPS – TLS secured directory service (TCP)
    ● 80 HTTP – web pages (TCP)
    ● 443 HTTPS – secure web pages (TCP)
    ● 53 DNS – name lookups (UDP)
    ● 68, 69 DHCP – dynamic end system IP config (UDP)

Communication systems – network security – firewalls

● Most firewalls and their administrators assume that the port number defines the service – not necessarily
  – who could stop me from sending or receiving mail over the HTTP port
  – who could stop users from tunneling all their IP traffic over an open port (AOL left UDP 53 completely open for DNS traffic some years ago :-))
● Here we get a major problem: if users are blocked from using a service and try to avoid the blocking firewall, they might find a way through – the admin still thinks all is fine with the network, but the situation might be even worse than without a firewall at all ...

Communication systems – network security – firewalls

● Layer 7 – Application
  – This is where we find all the 'interesting' stuff ...
    ● Web requests
    ● Images
    ● Executable files
    ● Viruses
    ● Email addresses
    ● Email contents
    ● Usernames
    ● Passwords

Communication systems – network security – firewalls

● Packet filter – a special router that has the ability to throw packets away independently of network congestion
● Examines the TCP/IP headers of every packet going through the firewall, in either direction
● Choice of whether to allow or block a packet based on:
  – (MAC source & destination)
  – IP source & destination addresses (layer 3)
  – TCP / UDP source & destination ports (layer 4)
● Stateful filter
  – Same as a packet filter, except initial packets in one direction are remembered, and replies are automatically allowed fo
  – Simpler rules than a simple port based packet filter

Communication systems – network security – firewalls

● Packet filters use rules specifying which packets are allowed through the firewall, and which are dropped
  – Rules must allow for packets in both directions
  – Rules may specify source / destination IP addresses, and source / destination TCP / UDP port numbers
  – Certain (common) protocols are very difficult to support securely (e.g. FTP, IRC, SIP, ...)
  – Low level of security
● Stateful packet filter
  – Packet filter which understands requests and replies (e.g. for TCP: SYN, SYN-ACK, ACK)

Communication systems – network security – firewalls

● Stateful packet filter
  – Rules need only specify packets in one direction (from client to server – the direction of the first packet in a connection)
  – Replies and further packets in the communication are automatically processed
  – Supports a wider range of protocols than a simple packet filter (e.g. FTP, IRC, H.323)
  – Medium-high level of security
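The difference between the simple packet filter and the stateful packet filter of the last three slides, as an added Python example (not part of the lecture): the policy is written for the client-to-server direction only, the TCP handshake SYN / SYN-ACK / ACK is tracked in a connection table, and replies pass without an inbound rule. Hosts, ports and the policy are constructed sample values; the example also shows the limit of this approach that the slides on address spoofing point at, namely that a known connection is matched by addresses and ports only.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Only the fields a layer-3/4 packet filter looks at (IPv4 + TCP)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src_net: str                  # CIDR notation
    dst_net: str
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and (self.dport is None or self.dport == p.dport))


def first_match(rules, p: Packet) -> str:
    """First matching rule wins; an unmatched packet is denied (default deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatelessFilter:
    """Simple packet filter: every packet is judged on its own headers, so the
    rule set would have to cover both directions of a connection explicitly."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        return first_match(self.rules, p)


class StatefulFilter:
    """Stateful packet filter: rules describe only the client->server direction.
    The first packet of a connection (a TCP SYN) is checked against the rules;
    if allowed, the 4-tuple is remembered and later packets of that connection,
    including replies from the server, pass without a rule of their own.
    Idle timeouts and FIN half-close tracking of real filters are left out."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.table = set()   # (client, cport, server, sport) of open connections

    def decide(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table or rev in self.table:
            if "RST" in p.flags:          # connection torn down: forget it
                self.table.discard(fwd)
                self.table.discard(rev)
            return "allow"                # known connection, either direction
        if p.flags == frozenset({"SYN"}) and first_match(self.rules, p) == "allow":
            self.table.add(fwd)           # new connection opened from the allowed side
            return "allow"
        return "deny"                     # unsolicited packet, no matching connection


# Constructed policy: internal hosts 10.0.0.0/24 may open HTTP (port 80) anywhere.
RULES = [Rule("allow", "10.0.0.0/24", "0.0.0.0/0", 80)]

CLIENT, SERVER = "10.0.0.5", "203.0.113.9"
HANDSHAKE = [
    Packet(CLIENT, 40000, SERVER, 80, frozenset({"SYN"})),          # client -> server
    Packet(SERVER, 80, CLIENT, 40000, frozenset({"SYN", "ACK"})),   # reply
    Packet(CLIENT, 40000, SERVER, 80, frozenset({"ACK"})),          # client -> server
]
# Inbound packet that matches no connection the client ever opened.
UNSOLICITED = Packet(SERVER, 80, CLIENT, 40001, frozenset({"SYN", "ACK"}))
# A packet carrying the server's address and an open connection's ports is
# indistinguishable from a real reply: the filter matches addresses and ports,
# it does not authenticate the sender.
SPOOFED_REPLY = Packet(SERVER, 80, CLIENT, 40000, frozenset({"ACK"}))


def run(fw, packets):
    return [fw.decide(p) for p in packets]


def compare() -> dict:
    stateless = StatelessFilter(RULES)
    stateful = StatefulFilter(RULES)
    return {
        "stateless": run(stateless, HANDSHAKE),    # SYN-ACK dropped: no inbound rule
        "stateful": run(stateful, HANDSHAKE),      # whole handshake passes
        "unsolicited": stateful.decide(UNSOLICITED),
        "spoofed_reply": stateful.decide(SPOOFED_REPLY),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```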


48 | 57

● Layer-7 proxy server – application level proxy

– Client and server in one box

– For every supported application protocol

● SMTP, POP3, HTTP, SSH, FTP, NNTP, Q3A, ...

– Packets are received and processed by the server part

– New packets are generated by the client part

● Prevents the need for a direct network connection of clients: no client packet is directly routed into the Internet, no packet from the Internet is directly handed to the client

● Special proxy protocol supported by many applications which offers authentication: SOCKS5

Communication systems network security – firewalls


49 | 57

● Complete server & client implementation in one box for every protocol which can be expected through it

● Client connects to Firewall

● Firewall validates request

● Firewall connects to server

● Response comes back through Firewall and is also processed through client/server

● Large amount of processing per connection

● High level of security

● And: lots of funny stuff could be tried with filtering (SPAM, ads, porn sites, ...)

Communication systems network security – firewalls
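The client-connects / validate / reconnect sequence of slides 48 and 49, reduced to one HTTP request in an added example that is not part of the lecture. The host allowlist, the method allowlist and the `echo_server` stand-in for the real server are constructed assumptions.

```python
import re

ALLOWED_HOSTS = {"www.example.com"}        # constructed policy for this example
REQUEST_LINE = re.compile(r"(GET|HEAD) (/[^ ]*) HTTP/1\.[01]")

def validate_request(raw: bytes):
    """Server side of the proxy: parse the client's request completely and
    return (method, host, path), or None if anything violates the policy."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    m = REQUEST_LINE.fullmatch(lines[0])
    if m is None:
        return None
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            return None
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    if headers.get("host") not in ALLOWED_HOSTS:
        return None
    return m.group(1), headers["host"], m.group(2)

def proxy(raw: bytes, connect) -> bytes:
    """Client side of the proxy: the original bytes are never forwarded; a
    fresh, minimal request is generated and sent through connect(host, req)."""
    parsed = validate_request(raw)
    if parsed is None:
        return b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n"
    method, host, path = parsed
    fresh = f"{method} {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    return connect(host, fresh.encode("ascii"))

def echo_server(host: str, req: bytes) -> bytes:
    """Constructed stand-in for the real server: returns the request it saw,
    so a caller can check what actually reached the outside."""
    return b"HTTP/1.1 200 OK\r\n\r\n" + req
```

Whatever extra headers or unexpected methods the client sends, only the regenerated request leaves the box; this is the "large amount of processing per connection" that buys the high security level.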


50 | 57

● Packet filters, circuit-level proxies and stateful packet filters are like telephone call-barring by number

– block or allow mobile calls

– block or allow international calls

– block or allow 0190/0900 calls

– from different internal extensions

● Application level proxy is like telephone call monitoring by listening to the conversations

– conversations may still be encoded, or in a foreign language!!

Communication systems network security – firewall taxonomy


51 | 57

● Applications which run on Windows machines

– commonest home PCs

– often insecure

– increasingly connected using ADSL etc.

● Packet filter (sometimes stateful)

● Learn which applications are permitted to make what type of connections outbound

● Block inbound access except replies

● But nobody knows exactly

– how personal firewalls are bound to the Windows network stack

– how firewalls could be disabled by malicious applications

Communication systems network security – “personal” firewalls


52 | 57

● Firewalls control network traffic to and from the protected network

● Can allow / block access to services (both internal and external)

● Can enforce authentication before allowing access to services

● Can monitor traffic in/out of the network

● Firewalls typically defend a protected network against an attacker who tries to access vulnerable services which should not be available from outside the network

Communication systems firewalls - conclusion


53 | 57

● Firewalls are also used to restrict internal access to external services, for many different reasons:

– security (don't want people downloading and installing unknown applications)

– productivity (don't want people wasting time on non-work related websites etc.)

– cost (many Internet connections, e.g. dial-up, are charged by data transferred – ensure this is all necessary)

● But firewalls could mislead into a false sense of total control and monitoring

– or distract admins from more important security issues ...

Communication systems firewalls - conclusion


54 | 57

● Gave a broad overview of network related issues with a focus on IP and digital telephony networks

● Defined a model for network protocol layering

– talked about the network layer: IP v4 / v6

– routing on this layer

– DNS as a helper application for the convenience of the Internet users

– physical and data link layer – several lower layer protocols and techniques for transportation of bitstreams

– encoding digital data into analog signals

Communication systems conclusion of the lecture


55 | 57

Communication systems conclusion of the lecture – OSI layers and examples


56 | 57

● Many topics were not covered, or only rather briefly

● Range of lectures which focus on

– network security

– network programming

– dynamic networks and routing protocols

– network applications

– ...

● Courses of the professorship next semester

– Interdisciplinary seminar as introduced at the beginning of the lecture ...

– Special practical course on the OpenSource PBX Asterisk (SIP, mobile telephony, ...) at Summercampus2006: 16th - 19th of August

Communication systems conclusion of the lecture


57 | 57

● Thanks to our hiwis

– Rui Zhou

– Ahmad Abdul Majeed and Christoph Hanke

● Helping with the preparation of practical courses

– Discussing and defining exercises

– Correcting exercises

– Preparing services and tools

– ...

● Have nice summer holidays!!

● See you tomorrow :-))

Communication systems end for today and this semester!!