Network Security - CSE, IIT Bombay (siva/talks/ace2003.pdf)


Page 1 of 85

Network Security

G. Sivakumar

Computer Science Department
Indian Institute of Technology, Bombay

Mumbai 400076, India
[email protected]

December 11, 2003

Outline of Talk

• Some Puzzles

– Key Exchange

– Mutual Authentication

• Internet Security Overview

– Threats, Vulnerabilities, Requirements

– Site Security Assurance

• Cryptography and Cryptographic Protocols

– Asymmetric (Public-Key Encryption), Signatures

– Session Keys (Diffie-Hellman)

• Network Security Mechanisms

– Firewalls, SSL, Proxies, ...

• IIT Bombay Network Case Study


Food for Thought

• Key Exchange Puzzle

How to exchange a secret over an insecure medium?

• Mutual Authentication Puzzle

• Zero-Knowledge Proofs

Prove that you know without revealing the knowledge.

– Rubik’s Cube

– Cave Puzzle


Internet’s Dream

• Why should a fridge be on Internet?

• Will security considerations make this a nightmare?


Internet’s Growth and Charter

Information AnyTime, AnyWhere, AnyForm, AnyDevice, ... WebTone like DialTone


Security Concerns

Match the following!

    Problems                        Attackers
    Highly contagious viruses       Unintended blunders
    Defacing web pages              Disgruntled employees or customers
    Credit card number theft        Organized crime
    On-line scams                   Foreign espionage agents
    Intellectual property theft     Hackers driven by technical challenge
    Wiping out data                 Petty criminals
    Denial of service               Organized terror groups
    Spam E-mails                    Information warfare
    Reading private files           ...
    Surveillance
    ...

• Crackers vs. Hackers

• Insiders vs. Outsiders

• Note how many resources are available to attackers.


RFC 2196 Site Security Handbook

Guidelines for any organization joining Internet

1. Risk Assessment (Assets/Threats)

2. Security Policies

3. Security Architecture and Services

• Firewalls, VPN, Encryption, ...

• Authentication

• Confidentiality, Integrity

• Authorization and Access Control

• Backups

4. Usage Monitoring and Auditing

5. Intrusion/Attack Detection

6. Security Incident Handling

No silver bullet or one-time fix! Eternal vigilance is the price of liberty.


Recent Top 10 Attacks

See www.securityfocus.com and www.sans.org for more details

1. Blaster (Aug 2003)

2. SQL Slammer (Jan 2003)

3. Nimda Worm (IIS/MIME bugs)

4. Code Red Worm (Buffer Overflow)

5. Code Red II Worm

6. Spam Mail (Open Relays/Formmail)

7. CGI Attacks

8. SubSeven Trojan

9. Microsoft FrontPage Attacks

10. DNS Attacks


Common Vulnerabilities and Exposures

See cve.mitre.org. A nomenclature (and database) for indexing vulnerabilities. Critical to evaluate various approaches/tools.


Vulnerabilities

• Application/Host Security

– Buggy code

– Buffer Overflows

• Protocol Security

– Cryptographic Protocols

– Client-Server Messages

• Transmission Security


Windows Top 10 Vulnerabilities

See http://www.sans.org for more info (CVE numbers, how to check/protect etc.)

1. Internet Information Services (IIS)

2. Microsoft Data Access Components (MDAC) (Remote Data Services)

3. Microsoft SQL Server

4. NETBIOS – Unprotected Windows Networking Shares

5. Anonymous Logon – Null Sessions

6. LAN Manager Authentication – Weak LM Hashing

7. General Windows Authentication – Accounts with No (or Weak) Passwords

8. Internet Explorer

9. Remote Registry Access

10. Windows Scripting Host


Unix Top 10 Vulnerabilities

See http://www.sans.org for more info (CVE numbers, how to check/protect etc.)

1. Remote Procedure Calls (RPC)

2. Apache Web Server

3. Secure Shell (SSH)

4. Simple Network Management Protocol (SNMP)

5. File Transfer Protocol (FTP)

6. R-Services (.rhosts) – Trust Relationships

7. Line Printer Daemon (LPD)

8. Sendmail

9. BIND/DNS

10. General Unix Authentication – Accounts with No or Weak Passwords


Denial of Service

Small shop-owner versus Supermarket

• What can the attacker do?

• What has he gained or compromised?

• What defence mechanisms are possible?

– Screening visitors using guards (who looks respectable?)

– VVIP security, but do you want to be isolated?

• What is the Internet equivalent?


Yahoo DDoS attack

• Caused traffic to Yahoo to zoom to 100s of Mbps

• Broke the capacity of machines at Yahoo and its ISPs

• Internet Control Message Protocol (ICMP) normally used for good purposes.

• Ping used to check “are you alive?”


Yahoo DDoS attack


Security Requirements

Informal statements (formal is much harder)

• Confidentiality: Protection from disclosure to unauthorized persons.

• Integrity: Assurance that information has not been modified without authorization.

• Authentication: Assurance of the identity of the originator of information.

• Non-Repudiation: Originator cannot deny sending the message.

• Availability: Not being able to use the system or communicate when desired.

• Anonymity/Pseudonymity: For applications like voting, instructor evaluation.

• Traffic Analysis: Should not even know who is communicating with whom. Why?

• Emerging Applications: Online Voting, Auctions (more later)

And all this with postcards (IP datagrams)!


Security Mechanisms

• System Security: “Nothing bad happens to my computers and equipment”

virus, trojan-horse, logic/time-bombs, ...

• Network Security:

– Authentication Mechanisms: “you are who you say you are”

– Access Control: Firewalls, Proxies, “who can do what”

• Data Security: “for your eyes only”

– Encryption, Digests, Signatures, ...


Cryptography and Data Security

• sine qua non [without this nothing :-]

• Historically who used first? (L & M)

• Code language in joint families!


Symmetric/Private-Key Algorithms


Asymmetric/Public-Key Algorithms

• Keys are duals (lock with one, unlock with other)

• Cannot infer one from other easily

• How to encrypt? How to sign?


Signing a Document

Digital Signature (like signing a cheque).


Verifying a Signature

• How to get the public key?

• Exam cancelled email with phone number!

• Need Key Management (models of trust).


One way Functions

Mathematical Equivalents

• Factoring large numbers (product of 2 large primes)

• Discrete Logarithms


One-way Functions

• Computing f(x) = y is easy.

• E.g. y = 4^x mod 13 (if x is 3, y is ...?)

    n     4^n mod 13    10^n mod 13
    1          4            10
    2          3             9
    3         12            12
    4          9             3
    5         10             4
    6          1             1
    7          4            10
    ...      ...           ...

• Note: need not work with numbers bigger than 13 at all!

• But given y = 11, finding a suitable x is not easy!

• Can do by brute force (try all possibilities!)

• No method that is much better is known yet!
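The table and the brute-force search described on this slide, as an added example that is not part of the talk. Each power is computed by multiply-and-reduce so intermediates stay small (never above 12 times the base), and the exhaustive search for x also shows a point the slide does not spell out: with these parameters 4 generates only the six residues in the table, so y = 11 has no preimage at all.

```python
def modexp_small(base, exp, mod):
    """base^exp mod mod by repeated multiply-and-reduce.
    Returns (result, largest product formed), to show that nothing bigger
    than (mod-1)*base is ever handled, however large the exponent."""
    result, largest = 1 % mod, 0
    for _ in range(exp):
        product = result * base
        largest = max(largest, product)
        result = product % mod          # reduce at once: result stays below mod
    return result, largest


def power_table(bases, mod, rows):
    """The slide's table: row n holds [n, b^n mod mod for each base b]."""
    return [[n] + [modexp_small(b, n, mod)[0] for b in bases]
            for n in range(1, rows + 1)]


def brute_force_log(base, y, mod):
    """Smallest x >= 1 with base^x mod mod == y, or None if no such x exists.
    Trying x up to mod-1 is exhaustive for prime mod, because the powers of
    base then repeat with a period dividing mod-1 (Fermat's little theorem)."""
    value = 1
    for x in range(1, mod):
        value = value * base % mod
        if value == y:
            return x
    return None


def slide_demo():
    """The values the slide asks about, plus the no-solution case for y = 11."""
    table = power_table([4, 10], 13, 7)
    y_for_x3 = modexp_small(4, 3, 13)[0]     # the "?" on the slide: 12
    x_for_9 = brute_force_log(4, 9, 13)      # a y that does occur: x = 4
    x_for_11 = brute_force_log(4, 11, 13)    # 4 has order 6 mod 13, so None
    return table, y_for_x3, x_for_9, x_for_11
```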


RSA Encryption Example

Pick 2 primes (p = 251, q = 269). Let n = p * q = 67519 and φ(n) = (p − 1) * (q − 1) = 67000. Pick e = 50253 (relatively prime to φ(n)). Compute d = e^(−1) mod φ(n) = 27917 (only one such d exists, with (e * d) mod φ(n) = 1). An interesting number-theoretic property for any m < n is the following:

((m^e) mod n)^d mod n = m = ((m^d) mod n)^e mod n

Therefore to encrypt a message m take it 2 chars at a time (16 bits, so less than 65536) and compute E(m) = m^e mod n. This is the public key (the numbers e, n). Decrypting is done by m = D(E(m)) = E(m)^d mod n and is easy only if d (private key) is known.


RSA Small Example

p = 47, q = 71, n = p * q = 3337

φ(n) = 3220, e = 79 (relatively prime to 3220), d = 1019 (79 * 1019 = 1 mod 3220)

m = 688 123 456 789
m1 = 688
c1 = 688^79 mod 3337 = 1570
d1 = 1570^1019 mod 3337 = 688

How difficult (how many multiplications and what size numbers) is it to compute the last two exponents?
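The arithmetic of this slide and the previous one worked through, as an added example that is not the talk's code: d is derived from e and φ(n), the 2-characters-per-block encryption of the previous slide round-trips under the 67519 key, and square-and-multiply answers this slide's question by counting modular multiplications (10 for 688^79 and 17 for 1570^1019, on numbers never larger than 3337^2).

```python
from math import gcd


def modpow_counted(base, exp, mod):
    """Left-to-right square-and-multiply.
    Returns (base^exp mod mod, number of modular multiplications done).
    Every product is of two residues below mod, so no number exceeds mod^2."""
    if exp == 0:
        return 1 % mod, 0
    bits = bin(exp)[2:]
    result, mults = base % mod, 0
    for bit in bits[1:]:
        result = result * result % mod      # one squaring per remaining bit
        mults += 1
        if bit == "1":
            result = result * base % mod    # one extra multiply per set bit
            mults += 1
    return result, mults


def rsa_keypair(p, q, e):
    """(n, phi(n), d) from the primes and public exponent, as the slides do."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    # Modular inverse (Python 3.8+): the only d in [1, phi) with e*d = 1 mod phi.
    d = pow(e, -1, phi)
    assert (e * d) % phi == 1
    return n, phi, d


def encrypt_text(text, e, n):
    """2 characters per block (16 bits, < 65536), so n must exceed 65535 as it
    does for the p = 251, q = 269 key. Odd-length text is space padded."""
    if n < 65536:
        raise ValueError("modulus too small for 2-character blocks")
    if len(text) % 2:
        text += " "
    blocks = [(ord(text[i]) << 8) | ord(text[i + 1]) for i in range(0, len(text), 2)]
    return [modpow_counted(m, e, n)[0] for m in blocks]


def decrypt_text(cipher, d, n):
    """Undo encrypt_text: needs the private exponent d."""
    out = []
    for c in cipher:
        m = modpow_counted(c, d, n)[0]
        out.append(chr(m >> 8) + chr(m & 0xFF))
    return "".join(out)


def slide_examples():
    """Both slides' numbers, and the multiplication counts the question asks for."""
    big = rsa_keypair(251, 269, 50253)                # (67519, 67000, 27917)
    small = rsa_keypair(47, 71, 79)                   # (3337, 3220, 1019)
    c1, enc_mults = modpow_counted(688, 79, 3337)     # (1570, 10)
    m1, dec_mults = modpow_counted(c1, 1019, 3337)    # (688, 17)
    return big, small, (c1, enc_mults), (m1, dec_mults)
```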


Network Security Mechanism Layers

Cryptographic protocols underlie all security mechanisms. The real challenge is to design good ones for key establishment, mutual authentication etc.


Motivation for Session Keys

Combine Symmetric (fast) and Asymmetric (very slow) methods using session (ephemeral) keys for the following additional reasons.

• Limit available cipher text (under a fixed key) for cryptanalytic attack;

• Limit exposure with respect to both time period and quantity of data, in the event of (session) key compromise;

• Avoid long-term storage of a large number of distinct secret keys (in the case where one terminal communicates with a large number of others), by creating keys only when actually required;

• Create independence across communications sessions or applications. No replay attacks.

How to establish session keys over an insecure medium where the adversary is listening to everything? Can be done even without any public key! Randomization to the rescue (like in CSMA/CD of Ethernet).


Diffie-Hellman Key Establishment Protocol
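The Diffie-Hellman exchange this slide shows, as an added example that is not from the talk, between Kasparov and Anand (the names the next slide uses): each side sends g^x mod p in the clear, both derive the same secret, and a fresh run gives a fresh session key, which is the point of the previous slide. The toy prime, the generator and the SHA-256 key derivation are assumptions; nothing in the exchange proves who sent A or B, which is exactly the gap the next slide exploits.

```python
import hashlib
import secrets

# Toy parameters (assumption, not from the talk): a Mersenne prime and a small
# generator. Production code uses a standardized group, e.g. the RFC 3526 MODP groups.
TOY_P = 2**61 - 1
TOY_G = 3


def dh_public(p, g, private):
    """The message each side sends in the clear: g^private mod p (a one-way function)."""
    return pow(g, private, p)


def dh_shared(p, peer_public, private):
    """(g^b)^a = (g^a)^b = g^(ab) mod p: both sides reach the same value."""
    return pow(peer_public, private, p)


def session_key(shared, transcript):
    """Turn the shared residue into a fixed-size key, mixing in the public
    messages so the key is tied to this run (assumed derivation: SHA-256)."""
    material = shared.to_bytes((shared.bit_length() + 7) // 8, "big")
    return hashlib.sha256(material + transcript.encode()).hexdigest()


def exchange(p, g, a=None, b=None):
    """One run between Kasparov (private a) and Anand (private b). Exponents are
    drawn fresh unless given. Returns (Kasparov's key, Anand's key, wire view)."""
    if a is None:
        a = secrets.randbelow(p - 2) + 1      # 1 <= a <= p-2, never reused
    if b is None:
        b = secrets.randbelow(p - 2) + 1
    A = dh_public(p, g, a)                    # Kasparov -> Anand
    B = dh_public(p, g, b)                    # Anand -> Kasparov
    transcript = f"{p}|{g}|{A}|{B}"
    kasparov_key = session_key(dh_shared(p, B, a), transcript)
    anand_key = session_key(dh_shared(p, A, b), transcript)
    # Everything the wire reveals. Recovering a from A is the discrete logarithm.
    # Note: nothing here binds A or B to a sender; that is the next slide's attack.
    wire_view = {"p": p, "g": g, "A": A, "B": B}
    return kasparov_key, anand_key, wire_view


def fresh_keys_differ(p=TOY_P, g=TOY_G):
    """Ephemeral exponents: two runs with the same p, g give unrelated session keys."""
    k1, _, _ = exchange(p, g)
    k2, _, _ = exchange(p, g)
    return k1 != k2
```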


Man-in-the-middle attack

• Authentication was missing!

• Can be solved if Kasparov and Anand know each other’s public key (Needham-Schroeder).

• Yes, but different attack possible.


Needham-Schroeder Protocol


Attack by Lowe (1995)


Why Are Security Protocols Often Wrong?

They are trivial programs built from simple primitives, BUT, they are complicated by

• concurrency

• a hostile environment

– a bad user controls the network

– Concern: active attacks masquerading, replay, man-in-middle, etc.

• vague specifications

– we have to guess what is wanted

• Ill-defined concepts

Protocol flaws rather than cryptosystem weaknesses. Formal Methods needed!


Online Voting Protocols

Are we ready for elections via Internet?

• George Bush (Nov 2000, dimpled chads)

• Pervez Musharraf (April 2002)

• Gujarat (Dec 12, 2002)

E-Voting Protocols Requirements

• No loss of votes already cast (reliability)

• No forging of votes (authentication)

• No modification of votes cast (integrity)

• No multiple voting

• No vote secrecy violation (privacy)

• No vulnerability to vote coercion

• No vulnerability to vote selling or trading protocols (voter is an adversary)

• No loss of ability to cast and accept more votes (availability, no denial of service)


Other Desirable Properties

Must not only be correct and secure, but also be seen to be so by skeptical (but educated and honest) outsiders.

• Auditability:

Failure or procedural error can be detected and corrected, especially the loss of votes.

• Verifiability: Should be able to prove

– My vote was counted

– All booths were counted

– The number of votes in each booth is the same as the number of people who voted

– No one I know who is ineligible to vote did so

– No one voted twice

– ...

without violating anonymity, privacy etc. Zero Knowledge Proofs


The Victim: An organization on Internet

• Assume company’s domain name is ushacomm.co.in

• Has legal IP addresses obtained from ISP.

• Has 20-30 machines and runs services email, www, ftp, ...

• Goal: Break-in on some machines


Map the Victim’s network

• Find the IP addresses of machines

• Several methods

    % nslookup
    Default Server: dns.iitb.ac.in
    Address: 202.54.44.116

    > set query=any
    > ushacomm.co.in.
    Server: dns.iitb.ac.in
    Address: 202.54.44.116

    Non-authoritative answer:
    ushacomm.co.in nameserver = hansel.ushacomm.co.in
    ushacomm.co.in nameserver = gretel.ushacomm.co.in
    ushacomm.co.in preference = 10, mail exchanger = hansel.ushacomm.co.in

    Authoritative answers can be found from:
    ushacomm.co.in nameserver = hansel.ushacomm.co.in
    ushacomm.co.in nameserver = gretel.ushacomm.co.in
    hansel.ushacomm.co.in internet address = 202.54.54.177
    gretel.ushacomm.co.in internet address = 202.54.54.188


Probe further

    > server 202.54.54.177
    Default Server: [202.54.54.177]
    Address: 202.54.54.177

    > ls ushacomm.co.in.
    [[202.54.54.177]]
    $ORIGIN ushacomm.co.in.
    ftpsrv    1H IN A 202.54.54.186
    hansel    1H IN A 202.54.54.177
    ubestftp  1H IN A 202.54.54.178
    gretel    1H IN A 202.54.54.188

• Now we know 4 machines’ addresses

• Can probe each of them using (ping, finger, telnet, ..)

• Super tools (e.g. nmap) make life easier

    finger [email protected]
    [202.54.54.177]
    Account Name: guest
    Email address: [email protected]

Can you guess the password?


Nmap: A Hacker’s Dream

    NMAP(1)                                                     NMAP(1)

    NAME
           nmap - Network exploration tool and security scanner

    SYNOPSIS
           nmap [Scan Type(s)] [Options] <host or net #1 ... [#N]>

    DESCRIPTION
           Nmap is designed to allow system administrators and curious
           individuals to scan large networks to determine which hosts
           are up and what services they are offering. nmap supports a
           large number of scanning techniques such as: UDP, TCP
           connect(), TCP SYN (half open), ftp proxy (bounce attack),
           Reverse-ident, ICMP (ping sweep), FIN, ACK sweep, Xmas Tree,
           SYN sweep, and Null scan. See the Scan Types section for more
           details. nmap also offers a number of advanced features such
           as remote OS detection via TCP/IP fingerprinting, stealth
           scanning, dynamic delay and retransmission calculations,
           parallel scanning, detection of down hosts via parallel pings,
           decoy scanning, port filtering detection, fragmentation
           scanning, and flexible...


Example of Nmap’s power

    Interesting ports on (202.54.54.187):
    Port    State   Protocol  Service
    21      open    tcp       ftp
    25      open    tcp       smtp
    53      open    tcp       domain
    80      open    tcp       http
    135     open    tcp       loc-srv
    139     open    tcp       netbios-ssn
    1032    open    tcp       iad3
    1352    open    tcp       lotusnote

    TCP Sequence Prediction: Class=trivial time dependency
                             Difficulty=15 (Easy)

    Sequence numbers: C061748 C061B90 C062018 C06247C C062918 C062D72
    Remote operating system guess: Windows NT4 / Win95 / Win98


What next?

• A chain is as strong as its weakest link.

• Known vulnerabilities for many OS, Applications.

• rootshell.com posts new exploits regularly.

• Break into one machine first, then it is easier to attack the rest.

• Try some UDP ports (used for snmp management)


Information using snmpwalk

    % snmpwalk 202.54.44.177 public
    system.sysDescr.0 = "Sun SNMP Agent, Ultra-5_10"
    system.sysObjectID.0 = OID: enterprises.42.2.1.1
    system.sysUpTime.0 = Timeticks: (17913559) 2 days, 1:45:35.59
    system.sysContact.0 = "System administrator"
    system.sysName.0 = "hansel"
    system.sysLocation.0 = "System administrators office"
    ...
    at.atTable.atEntry.atIfIndex.1.1.172.16.1.121 = 1
    at.atTable.atEntry.atIfIndex.1.1.172.18.1.2 = 1
    at.atTable.atEntry.atIfIndex.1.1.192.9.200.14 = 1
    at.atTable.atEntry.atIfIndex.1.1.192.9.200.15 = 1
    at.atTable.atEntry.atIfIndex.1.1.192.9.200.25 = 1
    ...
    ipRouteNextHop.192.67.184.64 = IpAddress: 202.54.54.185
    ipRouteNextHop.198.6.100.21 = IpAddress: 202.54.54.185
    ...
    ipNetToMediaPhysAddress.1.172.18.1.2 = 0:10:7b:3a:87:9f
    ipNetToMediaPhysAddress.1.192.9.200.4 = 0:8:c7:4c:24:8f

• How many subnets in use?

• How is ARP done for other networks? (ICMP redirect)

• Can we inject such messages (spoofing) into the network?


What is a firewall?

• Keeping every system secure is a good goal. But, ...

• Firewalls are systems that control the flow of traffic between the Internet and internal networks and systems.

• Like a guard post in the lobby of a building.

• Single “choke point” is easier to control/defend from outside hackers (and inside spies!).


Benefits of Firewall

1. Internet security can be monitored and alarms generated.

2. Network Address Translator (NAT) alleviates IP address shortage.

3. Audit and log Internet Usage. Useful for justifying expense, identifying bottlenecks.

4. Central point of contact (email, www and ftp). Converse: single point of failure?

5. Caching WWW proxy servers (squid). Ideal for low bandwidth WAN connections esp. in India!

Types of Firewalls

1. Packet-Filtering Firewalls

2. Circuit-level gateways

3. Application-level Gateways (proxies)


Packet Filtering Firewall


Filtering Rules

Service-Dependent Filtering

• Permit incoming Telnet sessions only to a specific list of internal hosts

• Permit incoming FTP sessions only to specific internal hosts

• Permit all outbound Telnet sessions

• Permit all outbound FTP sessions

• Deny all incoming traffic from specific external networks

Service-Independent Filtering

• Deny SNMP options like giving routing table

• Inspect for specific IP options

– Source Routing Attacks

– Tiny Fragment Attacks.

– Checking for a special fragment offset
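The filtering rules listed on this slide as a first-match packet filter, added here as an example that is not the talk's own material: the hosts, networks and packets are constructed sample values in documentation address ranges, the final default-deny rule is an assumed policy, and the fragment checks follow RFC 1858.

```python
import ipaddress
from dataclasses import dataclass

TELNET, FTP = 23, 21
IP_OPT_LSRR, IP_OPT_SSRR = 131, 137   # loose / strict source route option type codes


@dataclass
class Packet:
    direction: str          # "in" = Internet -> internal, "out" = internal -> Internet
    src: str
    dst: str
    dport: int = 0          # 0 for non-first fragments: no transport header is visible
    proto: str = "tcp"
    frag_offset: int = 0    # in 8-byte units, as carried in the IP header
    more_fragments: bool = False
    payload_len: int = 40   # bytes after the IP header in this fragment
    ip_options: tuple = ()  # IP option type codes present


# Assumed site policy (constructed sample values, RFC 5737 documentation ranges).
TELNET_HOSTS = {ipaddress.ip_address("192.0.2.10")}
FTP_HOSTS = {ipaddress.ip_address("192.0.2.20")}
BLOCKED_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def source_routed(p):
    """Service-independent: drop packets carrying a source-route option."""
    return IP_OPT_LSRR in p.ip_options or IP_OPT_SSRR in p.ip_options


def tiny_fragment(p):
    """RFC 1858 checks: a first fragment must hold the whole 20-byte TCP header,
    and a fragment with offset 1 can only exist to overwrite it; drop both."""
    if p.proto != "tcp":
        return False
    if p.frag_offset == 1:
        return True
    return p.frag_offset == 0 and p.more_fragments and p.payload_len < 20


def from_blocked_net(p):
    src = ipaddress.ip_address(p.src)
    return p.direction == "in" and any(src in net for net in BLOCKED_NETS)


def inbound_to(port, hosts):
    """Permit a service from outside only towards the listed internal hosts."""
    def match(p):
        return (p.direction == "in" and p.proto == "tcp" and p.dport == port
                and ipaddress.ip_address(p.dst) in hosts)
    return match


def outbound(port):
    return lambda p: p.direction == "out" and p.proto == "tcp" and p.dport == port


# Ordered rule table: (name, predicate, action). Denies come first so a packet
# from a blocked network never reaches a permit rule.
RULES = [
    ("deny source-routed packets", source_routed, "deny"),
    ("deny tiny or overlapping fragments", tiny_fragment, "deny"),
    ("deny traffic from blocked external networks", from_blocked_net, "deny"),
    ("permit inbound telnet to listed hosts", inbound_to(TELNET, TELNET_HOSTS), "permit"),
    ("permit inbound ftp to listed hosts", inbound_to(FTP, FTP_HOSTS), "permit"),
    ("permit all outbound telnet", outbound(TELNET), "permit"),
    ("permit all outbound ftp", outbound(FTP), "permit"),
]


def filter_packet(p, rules=RULES):
    """First matching rule wins; anything unmatched is dropped (assumed default).
    Only session-opening packets are modelled: return traffic of permitted
    outbound sessions needs the stateful filter of the next slide."""
    for name, match, action in rules:
        if match(p):
            return action, name
    return "deny", "default deny (assumed policy)"


def demo():
    """Constructed sample packets run through the table; returns [(label, action)]."""
    samples = [
        ("telnet in to listed host", Packet("in", "203.0.113.5", "192.0.2.10", TELNET)),
        ("telnet in to unlisted host", Packet("in", "203.0.113.5", "192.0.2.11", TELNET)),
        ("telnet in from blocked net", Packet("in", "198.51.100.7", "192.0.2.10", TELNET)),
        ("ftp out", Packet("out", "192.0.2.33", "203.0.113.9", FTP)),
        ("source-routed telnet in", Packet("in", "203.0.113.5", "192.0.2.10", TELNET,
                                            ip_options=(IP_OPT_LSRR,))),
        ("offset-1 fragment", Packet("in", "203.0.113.5", "192.0.2.10", frag_offset=1)),
        ("tiny first fragment", Packet("in", "203.0.113.5", "192.0.2.10", TELNET,
                                        more_fragments=True, payload_len=8)),
    ]
    return [(label, filter_packet(p)[0]) for label, p in samples]
```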


Circuit-Level Gateway

Variously known as Stateful Packet Filter, Network Address Translation and IP masquerading/IP Chains/iptables. http://iptables.org/

• Packet Filtering in the Kernel

• Rules to decide which ones to allow/deny.

• Allows set up of:

– Traditional Proxies (proxy-aware clients)

– Transparent Proxies (address rewriting/masquerading)

• Invaluable for an organization connected to Internet.

Note: More “efficient” than application level proxies.


Bastion Host Firewall

• Login to Bastion Host first

• Not very convenient

• Overloads a single host for multiple services


Screened Subnet Firewall


Firewall Limitations

1. Attacks that do not go through the firewall

• Unrestricted dial-out!

• Copying sensitive data onto floppy disks

• Virus-infected software or files

• Internal Network Sniffing, Password attacks

2. Some forms of denial of service attacks


Application Gateways (Proxies)

• fwtk for telnet, ftp

• qmail for e-mail (much more secure than sendmail)

• squid for www traffic

Applications should be proxy-aware. Example (in browsers: Edit, Preferences, Advanced, Proxy).


Features of Proxies

• Authentication (not all clients/users allowed)

– IP address

– User name and password

– Time windows

• Access Control (not all requests forwarded, even for authenticated users)

– Can access only certain sites

– Time windows

– Dynamic policies would be best, for example:

∗ Allow if the network is lightly loaded

∗ Allow only if the user's quota/bandwidth is not already exceeded

• Logging of Usage

– Allows monitoring/auditing of usage (examples at IIT)

– Can optimize policies and bring in accountability

– Not easy to do in packet-level gateways: a packet filter sees addresses and ports, not user names or URLs
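The usage logging on this slide is what makes per-user policy (quotas, accountability) possible. The following is an added example, not code from the talk or from squid: a few constructed lines in squid's native access.log format and three shell functions that total bytes per authenticated user, list the users over a quota, and find clients that fetched data without a user name. The field layout (client in column 3, result code in 4, bytes in 5, user in 8) is squid's default native format; the sample lines and the quota value are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the slides): usage accounting over squid's native
# access.log, the kind of per-user logging the slide says proxies make easy.
# Native format: time elapsed client code/status bytes method URL user hierarchy/peer type
# The log lines below are constructed; the quota is an assumed value.

SAMPLE_LOG=$(cat <<'EOF'
1071100800.101    212 10.1.2.3 TCP_MISS/200 48213 GET http://www.example.org/ alice DIRECT/192.0.2.10 text/html
1071100805.410   1890 10.1.2.3 TCP_MISS/200 5200000 GET http://dl.example.net/big.iso alice DIRECT/192.0.2.20 application/octet-stream
1071100811.020     95 10.2.0.7 TCP_HIT/200 12000 GET http://www.example.org/img.png bob NONE/- image/png
1071100820.330     40 10.2.0.7 TCP_DENIED/403 1700 GET http://blocked.example.com/ bob NONE/- text/html
1071100830.550   3000 10.3.0.9 TCP_MISS/200 900000 GET http://mirror.example.edu/x.tar.gz - DIRECT/192.0.2.30 application/x-gzip
EOF
)
QUOTA=${QUOTA:-1000000}   # bytes per user for this report (assumed)

# usage_by_user LOGTEXT : one line "user bytes requests" per authenticated user.
# Denied requests are skipped: they moved no data across the proxy.
usage_by_user() {
    printf '%s\n' "$1" | awk '
        $8 != "-" && $4 !~ /^TCP_DENIED/ { bytes[$8] += $5; reqs[$8]++ }
        END { for (u in bytes) printf "%s %d %d\n", u, bytes[u], reqs[u] }' | sort
}

# over_quota LOGTEXT QUOTA_BYTES : users whose total exceeds the quota
over_quota() {
    usage_by_user "$1" | awk -v q="$2" '$2 > q { print $1 }'
}

# unauthenticated_clients LOGTEXT : client addresses that fetched data with no user name,
# i.e. requests that slipped past the proxy's authentication requirement
unauthenticated_clients() {
    printf '%s\n' "$1" | awk '$8 == "-" && $4 !~ /^TCP_DENIED/ { print $3 }' | sort -u
}

echo "usage by user (bytes requests):"
usage_by_user "$SAMPLE_LOG"
echo "over quota ($QUOTA bytes):"
over_quota "$SAMPLE_LOG" "$QUOTA"
echo "clients fetching without a user name:"
unauthenticated_clients "$SAMPLE_LOG"
```

The list that over_quota produces is exactly what a dynamic policy of the kind the slide wants would feed back into the proxy (for instance by regenerating a deny list from it on a timer), and none of it can be computed in a packet filter that never sees the user name or the URL.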


How to Establish a Secure Session

• How many messages?

• Do we need to contact the authority every time?


Certificates

• College degrees (remember the fake-degree racket?)

• Character certificate

• Attested copy


X.509 Certificate

Issued by a Certification Authority (CA). Each certificate contains:

• version

• serial number (unique within the CA)

• algorithm identifier (the algorithm used to sign the certificate)

• issuer (the CA)

• period of validity (from - to dates)

• subject (name of the owner)

• public key (algorithm, parameters, key)

• signature (the CA's signature over a hash of all the preceding fields)

• any user with access to the CA can fetch any certificate from it: certificates are public, not secrets

• only the CA can issue or modify a certificate, because the signature covers every field

Hierarchy of CAs! Who will be at the top? (Verisign! Govt. of India!)


Public-Key Infrastructure

• Scalable (hierarchical: a root CA certifies subordinate CAs, which issue end-entity certificates)

• Cross certification (two hierarchies sign each other's CA certificates)

• Certificate revocation (withdrawing a certificate before its validity period ends)

• Shared signatures
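Added example, not from the talk: the certificate slide and the hierarchy slide above carried out with the openssl command line. It builds a self-signed CA, has it sign one server certificate, prints the fields the X.509 slide lists, and runs the check a client runs, openssl verify, which needs only the CA's certificate and no contact with the CA. A second CA with the same name but a different key shows that the signature, not the issuer name, is what is trusted. The names (Example Campus CA, www.example.invalid), the key size and the validity periods are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: a two-level hierarchy (CA -> server
# certificate) built with the openssl CLI, plus a "rogue" CA that copies the
# real CA's name. All names, key sizes and lifetimes are placeholders.

# pki_demo DIR : create ca.crt, leaf.crt and rogue.crt under DIR
pki_demo() {
    d=$1
    mkdir -p "$d" || return 1
    # Minimal req config so the CA carries an explicit CA:TRUE, independent
    # of whatever the system openssl.cnf defaults happen to be.
    cat > "$d/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Campus CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:www.example.invalid\n' > "$d/leaf.ext"

    # 1. Root of the hierarchy: a self-signed CA certificate.
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/ca.key" -out "$d/ca.crt" -days 365 2>/dev/null || return 1
    # 2. A server key and request; the CA signs it. The serial number is
    #    tracked in ca.srl so it stays unique within this CA.
    openssl req -new -config "$d/ca.cnf" -subj '/CN=www.example.invalid' \
        -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null || return 1
    # 3. Rogue CA: identical subject name, different key.
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/rogue.key" -out "$d/rogue.crt" -days 365 2>/dev/null || return 1
}

# cert_fields FILE : serial, issuer, subject and validity, as listed on the slide
cert_fields() {
    openssl x509 -in "$1" -noout -serial -issuer -subject -dates
}

# verify_chain CAFILE CERT : 0 if CERT's signature chains to CAFILE, nonzero otherwise.
# This is an offline check: only the CA's certificate is needed, not the CA itself.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

dir=$(mktemp -d)
pki_demo "$dir" && {
    cert_fields "$dir/leaf.crt"
    verify_chain "$dir/ca.crt" "$dir/leaf.crt" && echo "leaf.crt: signed by ca.crt, accepted"
    verify_chain "$dir/rogue.crt" "$dir/leaf.crt" || echo "leaf.crt: rejected by rogue.crt (same name, different key)"
}
rm -rf "$dir"
```

Revocation is the one thing this offline check cannot know: a certificate still verifies after its private key is compromised until the client consults a CRL (or OCSP), which is why the PKI slide lists revocation as a separate piece of the infrastructure.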


Case Study: IIT Bombay

• IIT Bombay’s Network Infrastructure

• Setup of Critical Services

• Bandwidth Management

– iptables

– Using multiple WAN links (zebra, ripd, iproute2)

– Shaping different traffic (tc)

– Clustering for reliability (Ultramonkey)


Overview

• Campus Network Infrastructure

– Academic Area

– Hostels

– Residential

– Hardware and Network (the easy part!)

∗ Gigabit L3 switches

∗ 10 Mbps Internet (4 links)

∗ 5000+ nodes

• Applications (complex enough)

– Mail

– Web Browsing/Hosting

• Users and Management (the nightmare begins)

– Misuse (mp3, movies, porn, hacking, fake mails, ...)

– CC Team

∗ We carry your bytes

∗ Our T-shirt (cows, dogs, leopards!)

∗ More about this at the end.


Physical View of LAN (figure only): Academic Area; A is CSE, B is CC, C is Aero


IIT-B’s WAN Links and Firewall (figure only)


Critical Network Services

• Firewall (the sine qua non of security)

• Domain Name Service (DNS): djbdns, http://cr.yp.to/djbdns/

• Directory Services (LDAP)

• Virus Scanning: ClamAV (clamav.elektrapro.com)

• E-mail: qmail (www.qmail.org)

• Newsgroups: INN

• Web Proxy: squid

• WWW Servers: Apache (httpd.apache.org)


Network Servers Rack

• All vanilla Intel boxes running GNU/Linux

• Most services load balanced. Hot swappable (at the machine level itself)


Firewall

• Inside IIT we have 50 IP subnets.

• Over 5000 nodes.

• All private addresses, 10.x.y.z

• 4 different WAN subnets

– only 128, 64, 32 and 32 public addresses respectively, so the campus sits behind NAT

• iptables (www.iptables.org) to the rescue.

• Selective services/machines opened up

– Incoming ssh to different dept. servers.

– Outgoing ssh, Yahoo/MSN chat

– Outgoing port for SciFinder

– Outgoing ftp from select machines

• Making a good policy is the hardest part!
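Added example, not the configuration of IIT Bombay's firewall: a default-deny iptables policy with the same shape as the slide (private 10.x.y.z inside, a few public addresses outside, only named services opened). Interface names, the public address 203.0.113.10 (from the TEST-NET-3 documentation range), the department server 10.1.0.5, the ftp hosts and the chat port numbers are assumptions. With DRY_RUN=1 the script prints the rules instead of loading them, which is how a policy like this should be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not from the slides: a campus-style iptables policy built
# from the points on this slide. Interfaces, the public address (TEST-NET-3),
# the department server, the ftp hosts and the chat ports are assumptions.

IPT=${IPT:-iptables}
WAN=${WAN:-eth0}                  # link to the ISP (assumed)
LAN=${LAN:-eth1}                  # link to the campus core (assumed)
INSIDE=10.0.0.0/8                 # every campus node is private (slide)
PUBLIC_SSH=203.0.113.10           # public address reserved for inbound ssh (assumed)
DEPT_SERVER=10.1.0.5              # department server that should receive it (assumed)
FTP_HOSTS="10.1.0.20 10.2.0.20"   # the "select machines" allowed to ftp out (assumed)
CHAT_PORTS="5050 1863"            # Yahoo Messenger and MSN Messenger (assumed ports)

# ipt ARGS... : run iptables, or just print the command when DRY_RUN is set
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

campus_firewall() {
    ipt -F
    ipt -t nat -F
    # Default deny for traffic to the firewall and through it; the box's own
    # outbound traffic stays open (it is the DNS/NTP/update client).
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Anti-spoofing first: a packet with an inside source must never arrive
    # from the WAN, whatever connection state conntrack thinks it has.
    ipt -A FORWARD -i "$WAN" -s "$INSIDE" -j DROP

    # Stateful core: replies to anything permitted below need no extra rules.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Outgoing ssh and chat from anywhere inside.
    for p in 22 $CHAT_PORTS; do
        ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$INSIDE" -p tcp --dport "$p" -j ACCEPT
    done
    # Outgoing ftp only from the listed machines (control channel; the data
    # channel is matched as RELATED once the ftp conntrack helper is loaded).
    for h in $FTP_HOSTS; do
        ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$h" -p tcp --dport 21 -j ACCEPT
    done

    # Incoming ssh: one public address is mapped onto one department server.
    ipt -t nat -A PREROUTING -i "$WAN" -d "$PUBLIC_SSH" -p tcp --dport 22 \
        -j DNAT --to-destination "$DEPT_SERVER"
    ipt -A FORWARD -i "$WAN" -o "$LAN" -d "$DEPT_SERVER" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Whatever is allowed out leaves with a public source address.
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$INSIDE" -j MASQUERADE

    # Log (rate limited) what the default-deny policy is about to drop.
    ipt -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "FW-DROP: "
}

# Load for real only when asked explicitly and running as root; otherwise print.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    campus_firewall
else
    DRY_RUN=1
    campus_firewall
fi
```

The LOG rule at the end of FORWARD is what turns the default drop into something that can be audited; the SciFinder port from the slide is left out because the slide does not say which port it is.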


Network, Services and User Management

Eternal vigilance is the price of liberty!

• How is the network doing?

• Are all services up?

• How much email in/out? How many viruses?

• Who’s using the Web proxy? For what?

• Are users happy? (problem tracking with GNATS, www.gnu.org/software/gnats)


MRTG (traffic graphs; figure only)


Nagios (service monitoring; figures only)



Virus Detection (figure only)


Mail Usage Statistics (figures only)



Web Proxy Usage (figure only)


Putting it all together

Using free tools, one can achieve all of the following.

• Security (firewall)

• Harnessing multiple WAN links seamlessly

• Shaping the traffic for each application reliably

• Achieving reliability using virtual services

Challenging, but exciting job.


Leopards at IIT: MIT vs IIT comparison! Now crocodiles too!


CCTeam@IITB

