network and its hosts
Eavesdropping - read messages (confidentiality)
Spoofing - forge illegitimate messages (integrity)
DOS (Denial of Service) - disrupt the communications (availability)
➡ The attacker can target any layer in the network stack
SSL v3) provides
• integrity: authentication handshake
• confidentiality: end-to-end secure channel
✓ Prevents all kinds of eavesdropping and spoofing for application protocols, e.g. HTTP + TLS = HTTPS
๏ 2-10 times slower than an insecure TCP connection
๏ Not used in practice to secure DNS and BGP
HTTPS or HTTP
➡ The browser can automatically switch between HTTP and HTTPS
Sometimes within the same webpage (mixed content), e.g. the main page loads over HTTPS but images, scripts or CSS load over HTTP
An attacker can do a MitM attack and remove the SSL protection
➡ SSLStripping attack (lab 05)
on all ports
Switch: (smart hub) forwards messages on a specific port based on their MAC addresses
➡ isolates Ethernet traffic (no straightforward packet sniffing)
sending them over the air

Wireless Security
                 WEP         WPA           WPA2 Personal            WPA2 Enterprise
Authentication   Shared Key  Shared Key    Shared Key               RADIUS Server
Cryptography     RC4         TKIP and RC4  CCMP and AES             CCMP and AES
Security         Broken      Broken        External attackers only  Good
(and optionally encryption) of IP traffic
➡ Uses SHA2 and AES (previously SHA1 and 3DES)
✓ Usually used between routers (link and network layers only)
๏ However IPsec is rarely deployed in practice
[Figure: IPsec encapsulation - an IPsec header is added in front of each IP packet (IP header + m) sent over the IPsec secure channel between router 1 and router 2]
(a.k.a. BCP 38) Best Current Practice to limit the impact of DOS and DDOS
1. Deny access to network traffic with spoofed addresses
2. Ensure that traffic is traceable to its correct source network
➡ Implemented by ISPs (Internet Service Providers)
echo message
➡ ICMP can be disabled or reserved to hosts on the same network
Port Scanning uses TCP SYN messages
➡ TCP connections can be rejected if a source attempts to initiate multiple connections on multiple ports simultaneously
➡ Packet filtering can prevent these two scanning techniques
packet filtering on every host on the network?
1. Each host needs to have packet filtering capability across different hardware, OS and versions
2. The admin needs to have administrative privilege on every host to push the packet filtering policy
➡ Impossible in practice
and acts as an access control between two networks
➡ Packet filtering based on IP addresses (TCP filtering)
• inbound traffic from the Internet trying to get into the protected network
• outbound traffic going the other way
✓ For the most part, we trust the outbound but not the inbound
a firewall can prevent
• Most scanning attacks
• Some spoofing attacks
• Some flooding attacks (as long as it can handle the load)
• Anomalous messages, e.g. smurf attack
• and others
➡ But more generally, it can restrict access to protected hosts
Lists
action  protocol  IP src       port src  IP dst       port dst  state
allow   TCP       222.22/16    >1023     !222.22/16   80        any
allow   TCP       !222.22/16   80        222.22/16    >1023     ack
allow   UDP       222.22/16    >1023     !222.22/16   53        -
allow   UDP       !222.22/16   53        222.22/16    >1023     -
deny    all       all          all       all          all       all
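The access control list above evaluated as a first-match packet filter, written here as an added example (not code from the slides): the protected network 222.22/16, the rule fields and the "ack" state column come from the table; the Packet type, the helper names and the sample addresses are my own assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

INSIDE = ip_network("222.22.0.0/16")   # protected network from the table
ANY = "any"

class Packet(NamedTuple):
    proto: str          # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ack: bool = False   # TCP ACK flag set? (False for a bare SYN)

def ip_ok(spec, ip):
    # spec is ANY, a network, or ("not", network) for the '!' column
    if spec == ANY:
        return True
    neg, net = spec if isinstance(spec, tuple) else (False, spec)
    return (ip_address(ip) in net) != bool(neg)

def port_ok(spec, port):
    # spec is ANY, a port number, or ">1023" (ephemeral client ports)
    if spec == ANY:
        return True
    return port > 1023 if spec == ">1023" else port == spec

# (action, protocol, src IP, src port, dst IP, dst port, state)
ACL = [
    ("allow", "TCP", INSIDE, ">1023", ("not", INSIDE), 80, ANY),
    ("allow", "TCP", ("not", INSIDE), 80, INSIDE, ">1023", "ack"),
    ("allow", "UDP", INSIDE, ">1023", ("not", INSIDE), 53, "-"),
    ("allow", "UDP", ("not", INSIDE), 53, INSIDE, ">1023", "-"),
    ("deny", ANY, ANY, ANY, ANY, ANY, ANY),
]

def filter_packet(pkt: Packet) -> str:
    """Action of the first matching rule, top to bottom (final rule denies all)."""
    for action, proto, sip, sport, dip, dport, state in ACL:
        if proto != ANY and proto != pkt.proto:
            continue
        if not (ip_ok(sip, pkt.src_ip) and port_ok(sport, pkt.src_port)
                and ip_ok(dip, pkt.dst_ip) and port_ok(dport, pkt.dst_port)):
            continue
        if state == "ack" and not pkt.ack:   # only replies to inside-initiated TCP
            continue
        return action
    return "deny"
```

The "ack" rule is what stops an outside host from opening connections to inside clients by sending from port 80: without the ACK flag the packet falls through to the final deny.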
malicious message pattern
➡ Relies on a signature database
Heuristic-based: builds a model of acceptable message exchange patterns
➡ Relies on machine learning
the VPN server
2. The VPN server extracts this traffic and sends it to the destination
3. Same thing on the way back
➡ Provides anonymity (from the IP perspective at least)
[Figure: the original TCP segment (TCP header + m) is carried inside an outer TCP secure channel to the VPN server, which forwards the inner segment onwards]