Internet: an interconnected network of networks
Hierarchical networks:
▪ Internet backbone: connecting the ISPs’ backbones
▪ ISP backbone: connecting organizations’ backbones
▪ Organization backbone: connecting local area networks (LANs)
▪ LAN connects end systems
○ Public Internet versus private intranet
Internet standards
○ RFC: Request for comments
○ IETF: Internet Engineering Task Force
○ Free download of RFCs at rfc-editor.org
Network edge
○ Hosts: server, client, P2P
○ Applications: http, mail, Facebook, Twitter
Network core
○ Edge router: connecting an organization/ISP to the Internet
○ Interconnection of routers using fiber
○ Naming services
○ Routers and fiber links (shown in orange in the slide) form the Internet core
○ Routers work together to figure out the most efficient path for routing a packet from source to destination host
○ A distributed algorithm can adapt to changing Internet conditions
○ Great idea during the cold war
○ Routing tables are generated and maintained in real time
The core is provided by ISPs that interconnect multiple continents
▪ ISPs
▪ Global ISPs or Tier-1 ISPs
▪ Regional ISPs or Tier-2 ISPs
- Access networks: wired or wireless communication links
- The Internet is a network of networks
○ Internet backbone connects tier-1 ISPs: e.g., Verizon, Sprint, AT&T, Qwest, Level 3 Communications
○ The backbones of tier-1 ISPs are interconnected at various access points called Internet eXchange Points (IXP)
○ The number of IXPs around the world is continually growing → to date more than 1000
○ Interactive (probably not exhaustive) map: https://www.pch.net
Protocols specify rules about the desired service
○ Procedure rules
▪ Types and sequences of messages exchanged: syntax and semantics
▪ Actions to take with respect to messages and events
○ Message format: format, size and coding of messages
○ Timing: the time to wait between any event
▪ Access to medium
▪ Flow control
▪ Timeouts
Protocol specification examples
Modularization → Many protocols for each layer
▪ Hides implementation details
▪ Layers can change without disturbing other layers
□ Development (one company can tackle one module)
□ Maintenance
□ Updating the system
Packet switching
▪ Best effort delivery
▪ Better for resource sharing
○ Network congestion and flow control
- Internet uses a gateway (edge router) to connect a Local Area Network (LAN) or a subnet to the hierarchical network
Residential Internet access overview
○ Point to point protocol (PPP) for access to an ISP
○ Dialup via modem
○ DSL: digital subscriber line
○ Cable modem
○ Fiber in the loop
○ Broadband over a power line
○ Broadband wireless: such as WiMAX
Internet
Friday, 1 March 2024 11:
○ Satellite
Local area network connected to Internet
○ Organization/home local area network (LAN) or subnet connects hosts to edge router
○ Edge router connects LANs to Internet: Telco uses ATM over fiber
Ethernet LAN
▪ Hosts connect into Ethernet switch
▪ 10Mbps, 100Mbps, 1Gbps, 10Gbps Ethernet
○ ATM: asynchronous transfer mode
- Constituted by networks whose end-points are under the same local management
- Provides connectivity among stations on the same network
- Nodes in the same network can communicate directly with each other → protocol used: the Ethernet family
- Each host in an Ethernet network has a NIC (Network Interface Card) with a (generally) fixed address
- MAC addresses are 48 bits (6 bytes) long and UNIQUELY identify hosts in the network
- Each host only processes packets intended for it
- Each Ethernet packet (“frame”) has a fixed format
How to build an Ethernet network: all the hosts connected together through a shared “transmission system” based on Ethernet form a network, as if they were connected to the same medium
○ Two computers with a single Ethernet cable
○ Many computers connected with several Ethernet cables to a single device (generally a switch, but also a repeater, hub or bridge)
○ Many computers connected with several Ethernet cables to several devices (generally switches)
An Ethernet network constitutes a broadcast domain: for historical reasons there also exist collision domains, but full-duplex links and switches have made them obsolete
Ideally, frames sent in a broadcast domain are potentially received by all the hosts in the network: all the hosts receive all the frames and only read some of them
- Actually, switches segment the network to limit the explosion of packets in the network
- Only broadcast messages are “replicated”
How switches segment the network
○ Switches remember the source MAC addresses seen on their different ports
○ They only replicate a frame on the segment (port) where the destination MAC address has been seen → MAC address tables:
▪ ARP tables for hosts
▪ CAM tables for switches
Why is the Internet not one large Ethernet network?
○ Ethernet makes heavy use of broadcast packets: inefficient for large networks
○ Large networks are split in order to reduce the broadcast domain
○ There is the need for a logical division of the networks: Ethernet is the Access layer, but we need a Distribution layer
○ Hosts in a local network use a Default Gateway to go out and have access to the Distribution layer
○ The Distribution layer is based on IP, the Internet Protocol
- Interconnects local networks with each other
- The Distribution layer is at the level of Autonomous Systems (like big enterprises and ISPs)
- The Core layer is at the level of continents: Telia, Cogent, AT&T, Orange…
- Uses logical addressing: IP
- The connections between the networks are done by routers
Routers and switches
○ Routers are the Default Gateways
○ They give access to the Internet
Ethernet has physical addresses
○ You cannot change the MAC address of your NICs: it is like your name, it goes wherever you go
○ An Ethernet address tells WHO you are, but does not tell anything about WHERE you are
IP has logical addresses
○ You can change the IP address of your NIC → it is like your home address: it changes if you move somewhere else
○ IP addresses are used to identify and reach networks and hosts
Local addresses and remote addresses
Analogy: if you want to say something to somebody
▪ If both of you are in the same room, you can simply call his/her name and he/she will answer: directly connected → local address
▪ If you are NOT in the same room, you have to know where he/she is before sending the message, AND the message has to LEAVE the room through the door: remote address
○ How do you know whether an IP address is in the same network as you? The subnet mask
Two versions of IP addresses: IPv4 and IPv6.
○ IPv4 defines an IP address with 32 bits organized in four octets (8 bits each).
○ IPv6 (version 6) has 128 bits.
For human readability, an IPv4 address is written as four decimal octets separated by dots (IPv6 uses hexadecimal groups separated by colons):
○ E.g. 69.58.201.25 and fe80::250:56ff:fec0:
Certain bits from the left correspond to the network address (69.58.201) and the remaining bits identify the computer (host) on the
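As an added example (not part of the notes), the following Python decides with a subnet mask whether a destination is local ("same room") or remote (must leave through the door, i.e. the default gateway), and therefore where the frame is sent first. Only 69.58.201.25 comes from the notes; the /24 mask and the gateway address 69.58.201.1 are assumptions.

```python
# Added example (not from the notes): local vs. remote decision with a subnet mask.
# MY_MASK and DEFAULT_GATEWAY are constructed assumptions for a /24 LAN.

MY_ADDRESS = "69.58.201.25"      # the IPv4 address quoted in the notes
MY_MASK = "255.255.255.0"        # /24: the first 24 bits name the network
DEFAULT_GATEWAY = "69.58.201.1"  # assumed edge router on our LAN


def dotted_to_int(dotted: str) -> int:
    """Turn dotted-octet notation into the 32-bit integer it encodes."""
    octets = [int(part) for part in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_dotted(value: int) -> str:
    """Inverse of dotted_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def network_part(address: str, mask: str) -> str:
    """AND the address with the mask: the surviving bits are the network address."""
    return int_to_dotted(dotted_to_int(address) & dotted_to_int(mask))


def is_local(destination: str, my_address: str = MY_ADDRESS, mask: str = MY_MASK) -> bool:
    """Local when both addresses share the same network part under our subnet mask."""
    return network_part(destination, mask) == network_part(my_address, mask)


def next_hop(destination: str, my_address: str = MY_ADDRESS,
             mask: str = MY_MASK, gateway: str = DEFAULT_GATEWAY) -> str:
    """Where the frame goes at layer 2: straight to the host, or to the router."""
    return destination if is_local(destination, my_address, mask) else gateway


if __name__ == "__main__":
    for dst in ("69.58.201.200", "69.58.202.7", "8.8.8.8"):
        print(dst, "local" if is_local(dst) else "remote", "-> next hop", next_hop(dst))
```

Note that the same destination can be local or remote depending only on the mask: with 255.255.0.0 instead of 255.255.255.0, 69.58.202.7 is in our network and no gateway is needed.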
- Not a “new” protocol.
- Developed mid to late 1990s.
- Much learned from IPv4.
- 128-bit address space, written in hexadecimal → this gives us 340 undecillion addresses, which is 10 followed by 30 zeros
Internet is a much different place and will continue to evolve:
○ Mobile devices
○ Video on demand
○ Internet of Everything
○ A critical part in how we “live, work, play, and learn”.
○ 340 undecillion = 3.4 × 10^38 addresses
○ → “It isn’t remotely likely that we’ll run out of IPv6 addresses at any time in the future.”
IPv6 is not just about more addresses:
○ Stateless autoconfiguration: no one cares about the address a host picks → the DHCP server is not used
○ End-to-end reachability without private addresses and NAT: NAT and private addresses are replaced by public addresses
○ Better support for mobility
○ Peer-to-peer networking is easier to create and maintain, and services such as VoIP and Quality of Service (QoS) become more robust.
- 1993: IETF announced a call for white papers with RFC 1550, IP: Next Generation (IPng) White Paper Solicitation.
- IETF chose Simple Internet Protocol Plus (SIPP), written by Steve Deering, Paul Francis, and Bob Hinden, but changed the address size from 64 bits to 128 bits.
- 1995: IETF published RFC 1883, Internet Protocol, Version 6 (IPv6) Specification, later obsoleted by RFC 2460 in 1998.
What About IPv5?
In the late 1970s, a family of experimental protocols was developed, intended to provide quality of service (QoS) for real-time multimedia applications such as video and voice.
○ Known as Internet Stream Protocol (ST) and later ST2 (RFC 1190 and RFC 1819).
○ Although it was never known as IPv5, when encapsulated in IP, ST uses IP protocol version 5.
The Need for IPv6
○ We are running out of IPv4 address space.
○ On Monday, January 31, 2011, IANA allocated the last /8 IPv4 address blocks to the RIRs.
○ In November 2019, RIPE NCC made its final /22 IPv4 allocation from the last remaining addresses in its available pool.
○ RIPE NCC now allocates IPv4 addresses only from the pool of returned addresses, which by itself is not enough for the scalability of the Internet → the idea is to reuse addresses that are no longer used, assigning them to users in a queue
- The regions with the largest populations have the lowest percentages of people connected to the Internet
No More NAT as We Know It
○ NAT has been used to help “hide” customers and works for many client-initiated applications.
○ However, NAT also creates some issues, like peer-to-peer networking and accessing our “hidden” systems from other networks.
○ Using NAT to “hide” IPv6 networks has been the source of some debate.
○ IETF continues to state that NAT is not a security feature.
IPv6
Friday, 8 March 2024 11:
IPv6 addresses are 128-bit addresses represented in:
○ Hexadecimal: 1 hex digit = 4 bits
○ Eight 16-bit segments or “hextets” (not a formal term) between 0000 and FFFF
○ Separated by colons
○ Reading and subnetting IPv6 is easier than IPv4, almost always
Number of IPv6 Addresses
○ IPv4 addresses: 4.3 billion
○ IPv6 addresses: 340 undecillion
Two rules for reducing the size of written IPv6 addresses.
1. Leading zeroes in any 16-bit segment do not have to be written → only leading 0s can be excluded, trailing 0s must be included
2. Any single, contiguous string of one or more 16-bit segments consisting of all zeroes can be represented with a double colon (::) → if there are multiple possible reductions, RFC 5952 states that the longest string of zeroes must be replaced with the :: and, if they are equal, only the first string of 0’s should use the :: representation.
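An added example, not from the notes: both shortening rules implemented by hand (expand and compress), cross-checked against Python's ipaddress module. It follows RFC 5952, which additionally says that a single all-zero hextet must not be written as ::; the sample addresses are constructed.

```python
# Added example (not from the notes): RFC 5952 text representation of IPv6 addresses.
import ipaddress

HEX = set("0123456789abcdefABCDEF")


def expand_ipv6(addr: str) -> list:
    """Undo both shortening rules and return the eight 4-digit hextets."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear at most once")
    if "::" in addr:
        left, right = addr.split("::")
        left_h = left.split(":") if left else []
        right_h = right.split(":") if right else []
        missing = 8 - len(left_h) - len(right_h)
        if missing < 1:
            raise ValueError("'::' must stand for at least one hextet")
        hextets = left_h + ["0"] * missing + right_h
    else:
        hextets = addr.split(":")
    if len(hextets) != 8:
        raise ValueError(f"expected 8 hextets, got {len(hextets)}")
    for h in hextets:
        if not 1 <= len(h) <= 4 or not all(c in HEX for c in h):
            raise ValueError(f"bad hextet {h!r}")
    return [h.lower().zfill(4) for h in hextets]


def compress_ipv6(addr: str) -> str:
    """Apply rule 1 (drop leading zeros) and rule 2 (longest zero run -> ::, first wins ties)."""
    hextets = [h.lstrip("0") or "0" for h in expand_ipv6(addr)]   # rule 1
    best_start, best_len, i = -1, 0, 0
    while i < 8:                                                  # rule 2: scan the zero runs
        if hextets[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and hextets[j] == "0":
            j += 1
        if j - i > best_len:          # strictly longer only: an equal run later never wins
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                  # RFC 5952 4.2.2: never shorten a single zero hextet
        return ":".join(hextets)
    return ":".join(hextets[:best_start]) + "::" + ":".join(hextets[best_start + best_len:])


def agrees_with_stdlib(addr: str) -> bool:
    """Cross-check against the standard library, which also follows RFC 5952."""
    std = ipaddress.IPv6Address(addr)
    return compress_ipv6(addr) == std.compressed and ":".join(expand_ipv6(addr)) == std.exploded


if __name__ == "__main__":
    for sample in ("2001:0db8:0000:0000:0001:0000:0000:0001", "fe80:0000:0000:0000:0250:56ff:fec0:0001"):
        print(sample, "->", compress_ipv6(sample))
```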
- IPv6 does not have a “broadcast” address
- IPv6 Source: always a unicast (link-local or GUA)
- IPv6 Destination: unicast, multicast, or anycast.
- Many operating systems will use a random 64-bit Interface ID for GUA and link-local IPv6 addresses.
Link-local addresses play an important role in IPv6
○ Used as a source IPv6 address before a device gets one dynamically (SLAAC and DHCPv6).
○ The router’s link-local address is used by devices as the default gateway.
○ Routers exchange routing messages (using link-local addresses).
○ Routers use the link-local address as the next-hop address in the routing table: via link-local address.
○ The only part that matters for global routing is the prefix
ICMPv6 Neighbor Discovery defines 5 different packet types:
○ Router Solicitation Message + Router Advertisement Message: used with dynamic address allocation
○ Neighbor Solicitation Message + Neighbor Advertisement Message: used with address resolution (the equivalent of IPv4 ARP)
○ Redirect Message
▪ Similar to the ICMPv4 redirect message
▪ Router-to-device messaging
3 options (with Router(config)# ipv6 unicast-routing enabled):
1. SLAAC, no DHCPv6 (default on Cisco routers): “I’m everything you need (prefix, prefix length, default gateway)”
2. SLAAC + stateless DHCPv6 for DNS addresses: “Here is my information, but you need to get other information such as DNS addresses from a DHCPv6 server.” (DNS can also be in the RA)
3. All addressing except the default gateway via DHCPv6: “I can’t help you. Ask a DHCPv6 server for all your information.”
- Options 1 and 2: Stateless Address Autoconfiguration → the DHCPv6 server does not maintain the state of addresses
- Option 3: Stateful Address Configuration → address received from the DHCPv6 server
Verifying SLAAC on the PC using EUI-64 → a 64-bit Interface ID; the EUI-64 process accommodates:
○ The IEEE specification for a 64-bit MAC address
○ 64-bit boundary processing
- Verifying SLAAC on the PC using Privacy Extensions
Ensuring Unique Unicast Addresses
○ SLAAC is stateless: no entity (such as a DHCPv6 server) maintains the address-to-device mappings.
○ How can we guarantee the address is unique? Duplicate Address Detection (DAD)
▪ DAD is a protocol for detecting duplicate addresses in stateless address autoconfiguration, where hosts can choose random addresses
▪ Duplicate Address Detection (DAD) is used to guarantee that an IPv6 unicast address is unique on the link.
▪ A device will send a Neighbor Solicitation for its own unicast address (static or dynamic).
▪ After a period of time, if a Neighbor Advertisement is not received, the address is deemed unique.
▪ Once required for all unicast addresses (static or dynamic), the RFC was updated so that DAD is only recommended: /64 Interface IDs make duplicates unlikely
○ Problem with EUI-64: the process is tied to the MAC address, so you will always be recognisable wherever you go, since the only thing that changes is the prefix
○ Privacy extension: a balance between the need for privacy and traceability; in fact, if you join the same network you will always generate the same kind of random IP address
○ The router needs a network; its two sides are two different networks
○ Idea: provide additional addresses that have relatively short lifetimes and are used as the source address when originating connections
▪ Same prefix as a public address, randomized value for the Interface ID
▪ Short lifetime, usually hours or days
▪ It is common to have multiple temporary addresses, to make sure existing connections can continue while a new temporary address is created for new connections
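An added example (not from the notes) that builds the modified EUI-64 Interface ID from a MAC address, contrasts it with the random Interface ID used by the privacy extensions, and shows why the EUI-64 form makes a host recognisable across networks. The MAC 00:50:56:c0:00:08 and the /64 prefixes are constructed; the link-local address they produce has the same shape as the fe80::250:56ff:fec0:… address quoted earlier in the notes.

```python
# Added example (not from the notes): EUI-64 versus random (privacy) Interface IDs.
import ipaddress
import secrets


def eui64_interface_id(mac: str) -> str:
    """Modified EUI-64 Interface ID from a 48-bit MAC (RFC 4291, Appendix A):
    split the MAC in two, insert ff:fe in the middle and flip the
    universal/local bit (0x02) of the first octet."""
    octets = [int(part, 16) for part in mac.replace("-", ":").split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    octets[0] ^= 0x02
    eui = octets[:3] + [0xFF, 0xFE] + octets[3:]
    return ":".join(f"{(eui[i] << 8) | eui[i + 1]:04x}" for i in range(0, 8, 2))


def random_interface_id() -> str:
    """Privacy-extension style Interface ID: 64 fresh random bits, nothing from the MAC."""
    bits = secrets.randbits(64)
    return ":".join(f"{(bits >> shift) & 0xFFFF:04x}" for shift in (48, 32, 16, 0))


def interface_id_of(address: str) -> str:
    """Low 64 bits of any IPv6 address, as four hextets."""
    value = int(ipaddress.IPv6Address(address))
    return ":".join(f"{(value >> shift) & 0xFFFF:04x}" for shift in (48, 32, 16, 0))


def addresses_on_networks(prefixes, mac: str, privacy: bool = False) -> list:
    """The addresses one host would carry on several /64 networks.
    prefixes are four-hextet /64 prefixes such as 'fe80:0:0:0' or '2001:db8:1:2'."""
    out = []
    for prefix in prefixes:
        iid = random_interface_id() if privacy else eui64_interface_id(mac)
        out.append(str(ipaddress.IPv6Address(f"{prefix}:{iid}")))
    return out


def host_is_trackable(addresses) -> bool:
    """True when the same Interface ID shows up on every network the host visited."""
    return len({interface_id_of(a) for a in addresses}) == 1


# Constructed sample: a VMware-style MAC and three /64 prefixes (assumptions).
SAMPLE_MAC = "00:50:56:c0:00:08"
SAMPLE_PREFIXES = ["fe80:0:0:0", "2001:db8:1:2", "2001:db8:cafe:42"]

if __name__ == "__main__":
    print("EUI-64 :", addresses_on_networks(SAMPLE_PREFIXES, SAMPLE_MAC))
    print("privacy:", addresses_on_networks(SAMPLE_PREFIXES, SAMPLE_MAC, privacy=True))
```

With EUI-64 the last 64 bits are identical on every network, so anyone correlating logs can follow the host from prefix to prefix; a temporary address changes that half as well.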
- Used by a device to send a single packet to multiple destinations simultaneously (one-to-many).
- Equivalent to 224.0.0.0/4 in IPv4.
Two types of multicast addresses:
1. Assigned
2. Solicited-Node
- IPv6 Source: Always a unicast
- IPv6 Destination : Unicast, multicast, or anycast
IPv6 multicast addresses have the prefix FF00::/8
Scope is a 4-bit field used to define the range of the multicast packet.
Scope (partial list):
○ 0 Reserved
○ 1 Interface-Local scope
○ 2 Link-Local scope
○ 5 Site-Local scope
○ 8 Organization-Local scope
○ E Global scope
○ Well-known: permanent, well-known multicast address assigned by IANA. Includes both assigned and solicited-node multicast addresses.
○ Non-permanently-assigned: “dynamically” assigned multicast address. An example might be FF18::CAFE:1234, used for a multicast application with organizational scope.
RFC 2375, IPv6 Multicast Address Assignments, defines the initial assignment of IPv6 multicast addresses that have permanently assigned Global IDs.
Reference for assigned multicast addresses: (IANA) IPv6 Multicast Address Space Registry → http://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xhtml
Assigned Multicast Addresses with Link-local Scope
○ Flag = 0, assigned multicast
○ Scope = 2, link-local scope
Assigned Multicast Addresses with Site-local Scope
○ Flag = 0, assigned multicast
○ Scope = 5, site-local scope
○ Used to communicate within a “site”, possibly routed within the site.
○ Must have IPv6 multicast routing enabled: Router(config)# ipv6 multicast-routing
○ DHCPv6, relay agents and DHCPv6 multicast addresses are included
- DHCPv6 without and with relay agents
- FF02::1 → All IPv6 Devices
- All IPv6 devices, including the router, belong to this group.
- Every IPv6 device will listen to and process packets sent to this address.
- Isn’t this the same as a broadcast? No, because it maps to a Layer 2 multicast MAC address, which is more efficient
- FF02::2 → All IPv6 Routers
- All IPv6 routers belong to this group and process these packets
- Used by devices to communicate with an IPv6 router.
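An added example, not from the notes, that decodes the flag and scope nibbles of an FF00::/8 address, derives the solicited-node group a unicast address belongs to (FF02::1:FF00:0/104 plus the low 24 bits of the unicast address, as defined in RFC 4291; this is the group that Duplicate Address Detection and address resolution send Neighbor Solicitations to), and computes the 33:33:xx:xx:xx:xx Ethernet address a group maps to. FF02::1, FF02::2 and FF18::CAFE:1234 come from the notes; the other sample addresses are constructed.

```python
# Added example (not from the notes): IPv6 multicast address anatomy.
import ipaddress

# Scope values listed in the notes (partial list).
SCOPES = {0x0: "Reserved", 0x1: "Interface-Local", 0x2: "Link-Local",
          0x5: "Site-Local", 0x8: "Organization-Local", 0xE: "Global"}


def parse_multicast(address: str) -> dict:
    """Split an FF00::/8 address into its flags nibble, scope nibble and group ID."""
    value = int(ipaddress.IPv6Address(address))
    if value >> 120 != 0xFF:
        raise ValueError(f"{address} is not in FF00::/8")
    flags = (value >> 116) & 0xF
    scope = (value >> 112) & 0xF
    return {
        "flags": flags,
        "assigned": flags == 0,            # flag nibble 0: permanently assigned by IANA
        "scope": scope,
        "scope_name": SCOPES.get(scope, "unassigned/other"),
        "group_id": value & ((1 << 112) - 1),
    }


def solicited_node(unicast: str) -> str:
    """Solicited-node multicast group of a unicast address:
    FF02::1:FF00:0/104 with the low 24 bits of the unicast address appended."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return str(ipaddress.IPv6Address((0xFF02 << 112) | (0x1FF << 24) | low24))


def multicast_mac(address: str) -> str:
    """Layer-2 address a multicast group maps to: 33:33 followed by the low 32 bits,
    so a NIC can filter in hardware instead of every host processing a broadcast."""
    value = int(ipaddress.IPv6Address(address))
    if value >> 120 != 0xFF:
        raise ValueError("only multicast addresses map to 33:33:...")
    low32 = value & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> shift) & 0xFF:02x}" for shift in (24, 16, 8, 0))


if __name__ == "__main__":
    for group in ("FF02::1", "FF02::2", "FF18::CAFE:1234"):
        info = parse_multicast(group)
        print(group, info["scope_name"], "assigned" if info["assigned"] else "transient", multicast_mac(group))
    print(solicited_node("fe80::250:56ff:fec0:8"))
```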
- IPv4: Protocol field
- IPv6: Next Header field
- For both protocols, the field indicates the type of header following the IP header
Common values:
○ 6 = TCP
○ 17 = UDP
○ 58 = ICMPv6
○ 88 = EIGRP
○ 89 = OSPF
- The Next Header field manages the different options → after the main header there is either another header or the PDU (the transport-layer packet)
- In IPv4 there cannot be another header after the IP header: only the PDU can follow
- IPv4 TTL (Time to Live)
- IPv6 Hop Limit
- Renamed to more accurately reflect process.
- Set by source, every router in path decrements hop limit by 1.
- When 0, drop packet.
- IPv6 Source and Destination addresses have the same basic functionality as IPv4.
- IPv4 = 32-bit addresses.
- IPv6 = 128-bit addresses.
- Some significant changes in IPv6.
- IPv4 Header Checksum not used in IPv6.
- Upper-layer protocols generally have a checksum (UDP and TCP).
- In IPv4 the UDP checksum is optional.
- Because there is no header checksum in IPv6, the UDP checksum is mandatory there.
- IPv4 Options and Padding not used in IPv6.
- Variable length, optional.
- IPv4 Options are handled using extension headers in IPv6.
- Padding makes sure IPv4 options fall on a 32-bit boundary.
- IPv6 header is fixed at 40 bytes.
Next Header identifies:
○ The protocol carried in the data portion of the packet.
○ The presence of an extension header.
- Extension headers are optional and follow the main IPv6 header.
- They provide flexibility and features to the main IPv6 header for future enhancements without having to redesign the entire protocol.
- They allow the main IPv6 header to have a fixed size, for more efficient processing.
Properties of extension headers
○ Flexible (normally there are no EHs in IPv6 packets)
▪ The use of EHs is optional, providing a powerful and flexible mechanism for IPv6
▪ In the basic IPv6 header, the EHs and the upper-layer header (if used) are linked using the Next Header field. This is called the “IPv6 Header Chain”
○ Fixed (types and order): the number of Extension Header types is fixed and standardised.
○ Processed only at endpoints (except Hop-by-Hop and Routing): packet-processing complexity is moved from the core to the edge of the Internet for improved IPv6 performance.
(Figure: IPv6 header chain without encryption and with encryption)
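An added example (not from the notes): a minimal parser that walks the IPv6 header chain from the fixed 40-byte header through any extension headers to the upper-layer protocol, plus the Hop Limit decrement a router performs. The extension-header length rules (8-octet units, Fragment fixed at 8 octets, AH in 4-octet units) come from the IPv6 RFCs; the sample packets are constructed inline, not captured traffic. When the chain reaches ESP the walk stops, which is exactly why a firewall cannot see the transport ports of encrypted traffic.

```python
# Added example (not from the notes): walking the IPv6 header chain.
import struct
import ipaddress

UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6", 88: "EIGRP", 89: "OSPF"}
EXTENSION = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment",
             51: "Authentication Header", 60: "Destination Options"}
ESP, NO_NEXT_HEADER = 50, 59


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes, hop_limit: int = 64) -> bytes:
    """Fixed 40-byte header: version/traffic class/flow label, payload length,
    next header, hop limit, source, destination; then the payload."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def walk_header_chain(packet: bytes) -> dict:
    """Follow Next Header from the fixed header through the extension headers."""
    if len(packet) < 40:
        raise ValueError("shorter than the 40-byte IPv6 header")
    first, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if first >> 28 != 6:
        raise ValueError("not IPv6")
    if 40 + payload_len > len(packet):
        raise ValueError("payload length exceeds the captured bytes")
    chain, offset = [], 40
    while next_header in EXTENSION:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        if next_header == 44:                       # Fragment header: always 8 octets
            length = 8
        elif next_header == 51:                     # AH: length field in 4-octet units, minus 2
            length = (packet[offset + 1] + 2) * 4
        else:                                       # others: (Hdr Ext Len + 1) * 8 octets
            length = (packet[offset + 1] + 1) * 8
        if offset + length > len(packet):
            raise ValueError(f"truncated {EXTENSION[next_header]} header")
        chain.append(EXTENSION[next_header])
        next_header = packet[offset]                # every EH starts with its own Next Header
        offset += length
    if next_header == ESP:
        upper = "ESP (encrypted: chain cannot be walked further)"
    elif next_header == NO_NEXT_HEADER:
        upper = "no next header"
    else:
        upper = UPPER_LAYER.get(next_header, f"protocol {next_header}")
    return {"src": str(ipaddress.IPv6Address(packet[8:24])),
            "dst": str(ipaddress.IPv6Address(packet[24:40])),
            "hop_limit": hop_limit, "extension_headers": chain,
            "upper_layer": upper, "payload_offset": offset}


def forward(packet: bytes):
    """What a router does with Hop Limit: decrement by one, drop when it would reach 0."""
    hop_limit = packet[7]
    if hop_limit <= 1:
        return None                                 # dropped
    return packet[:7] + bytes([hop_limit - 1]) + packet[8:]


# Constructed sample packets (assumptions, not captured traffic).
UDP_HEADER = struct.pack("!HHHH", 5353, 5353, 8, 0)        # 8-byte UDP header, no data
HOP_BY_HOP = bytes([17, 0]) + bytes([1, 4, 0, 0, 0, 0])     # next=UDP, len=0 (8 octets), PadN option
PLAIN = build_ipv6("fe80::1", "ff02::1", 58, bytes(8))      # ICMPv6 directly after the fixed header
WITH_EH = build_ipv6("2001:db8::1", "2001:db8::2", 0, HOP_BY_HOP + UDP_HEADER, hop_limit=2)

if __name__ == "__main__":
    print(walk_header_chain(PLAIN))
    print(walk_header_chain(WITH_EH))
```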
- A router is a device that connects two networks
- A firewall is a device that, besides acting as a router, also contains (and implements) rules to determine whether packets are allowed to travel from one network to another → a router can also perform some form of screening (packet filter)
Why firewalls?
○ Restricts access from the outside: Internet = millions of people together → bad things happen
○ Prevents attackers from getting too close
○ Restricts people from leaving
To attain a certain level of network security, you can:
○ Regulate which traffic is allowed (sources, destinations, services, ...)
○ Protect the traffic by encryption
○ Monitor the traffic for “bad behaviour”
○ Monitor the hosts for “bad behaviour”
- The choice will depend on the security policy to be fulfilled (particularly the CIA targets).
Firewall Design & Architecture Issues
○ Least privilege: users can do only basic tasks
○ Defense in depth: different layers of protection
○ Choke point: all incoming connections go through one single point that you want to protect
○ Weakest links
○ Fail-safe stance: if something goes wrong, fail into a safe state
○ Universal participation: be sure that the security mechanism will be used by everyone
○ Diversity of defense
○ Simplicity
Host-based firewalls
- Kind of firewall that disciplines the traffic in/out of a single host
- It specifies the packets that can be received and sent → e.g. iptables, the Windows firewall and all the so-called “personal firewalls”
- Vendor products generally work per-app: each installed application has a known policy that it has to obey
Network Access Control Lists: list the rights for accessing/using networks → extensively used in switches, routers and firewalls
- They usually distinguish between incoming and outgoing traffic, per interface/port → e.g. lists of IP addresses that can send packets to an interface/port
- Stateless: every packet is treated independently, without any knowledge of what has come before
- The ACLs are rules that enforce the decision to filter the traffic based on IP address
- The internal network is basically a switch that sends the packets to the screening router
Firewalls
Friday, 5 April 2024 11:
- Use a firewall to filter ingoing and outgoing traffic between “your” network (or individual PC) and the Internet
Assumptions
- You have a security policy stating what is allowed and not allowed.
- You can identify the “good” and the “bad” traffic by its IP address, TCP port numbers, etc.
- The firewall itself is immune to penetration → a question of assurance: need for a trusted system, secure OS, etc.
Packet filters
- Drop packets based on their source or destination addresses, port numbers or flags
- No context, only contents
Can operate on
○ the incoming interface
○ the outgoing interface
○ both
- Packet filters access a very limited amount of information → only information from the network and transport layers
Check packets with fake IP addresses:
○ from outside → ingress filtering
○ from inside → egress filtering
(Figure: the layers at which packet filters operate)
Three-step process
1. Know your policy
2. Translate the policy into a formal language → e.g. a logical expression on packet fields
3. Rewrite the policy in terms of the firewall syntax
General mechanism:
○ Rules are checked from top to bottom
○ The first matching rule is applied
○ One implicit rule is assumed if no rule matches
▪ block everything or allow everything
Policy:
○ allow inbound email (SMTP, port 25) only to our gateway machine: Mailgw
○ refuse all traffic from a known spamming site: demon
- Possible rules:
- Add the policy: any inside host can send mail to the outside
- Very bad: we cannot control the type of traffic originating from port 25 and coming from the outside
- Then: rules have to specify the direction of the traffic
- Consider the TCP flags
- We distinguish the replies to our SMTP connection by considering the ACK flag
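An added example, not from the notes, of the stateless first-match mechanism applied to the SMTP policy above. The addresses (taken from documentation ranges) are constructed. The naive rule set contains the "very bad" reply rule that admits any inbound packet whose source port is 25; the fixed set adds the direction and the ACK flag, so only segments that are replies to an outbound connection get through.

```python
# Added example (not from the notes): a stateless first-match packet filter.
import ipaddress
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    direction: str          # "in": arriving from the Internet, "out": leaving our network
    src: str
    dst: str
    proto: str              # "tcp", "udp", "icmp"
    sport: int
    dport: int
    ack: bool = False       # TCP ACK flag; clear only on the first segment of a connection


class Rule(NamedTuple):
    action: str                      # "allow" or "block"
    direction: Optional[str] = None  # None in any field means "match anything"
    src: Optional[str] = None        # address or CIDR prefix
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: Optional[bool] = None


def _in_prefix(address: str, prefix: Optional[str]) -> bool:
    return prefix is None or ipaddress.ip_address(address) in ipaddress.ip_network(prefix)


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every field it specifies equals the packet's field."""
    return ((rule.direction is None or rule.direction == pkt.direction)
            and _in_prefix(pkt.src, rule.src)
            and _in_prefix(pkt.dst, rule.dst)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.sport is None or rule.sport == pkt.sport)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.ack is None or rule.ack == pkt.ack))


def filter_packet(rules, pkt: Packet, default: str = "block") -> str:
    """Top to bottom, first matching rule wins; the implicit rule applies otherwise."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# Constructed addresses (documentation ranges, not real hosts).
INSIDE = "192.0.2.0/24"
MAILGW = "192.0.2.25"
DEMON = "203.0.113.66"

NAIVE_RULES = [
    Rule("block", src=DEMON),                                            # spammer first
    Rule("allow", direction="in", dst=MAILGW, proto="tcp", dport=25),    # inbound SMTP only to Mailgw
    Rule("allow", direction="out", src=INSIDE, proto="tcp", dport=25),   # inside hosts may send mail
    Rule("allow", direction="in", dst=INSIDE, proto="tcp", sport=25),    # "replies": far too broad
]

FIXED_RULES = NAIVE_RULES[:3] + [
    Rule("allow", direction="in", dst=INSIDE, proto="tcp", sport=25, ack=True),  # reply segments only
]

if __name__ == "__main__":
    probe = Packet("in", "198.51.100.9", "192.0.2.10", "tcp", 25, 8080)
    print("naive:", filter_packet(NAIVE_RULES, probe), "fixed:", filter_packet(FIXED_RULES, probe))
```

The difference between the two rule sets is exactly one field: without the ACK check, anything sent from source port 25 reaches every inside host on every port; with it, only segments that could be part of a connection the inside opened are admitted, which is still a heuristic and is what stateful inspection replaces with real connection tracking.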
Policy:
○ Internal Net 1 is a DMZ and only hosts Mail GW
○ Very limited connections between Mail GW and Internet (only partner servers)
○ Limited connections allowed between Mail GW and net 2 and net 3
○ Anything can pass between net 2 and net 3
○ Outgoing requests only between net 2 or net 3 and the link to the Internet
Requirements
○ We cannot only consider where packets have to go (destination → egress filtering)
▪ Open access to net 2 is only allowed for traffic with a source address in net 3
▪ There is no way to avoid fake source addresses (address spoofing) from outside
○ We need to define rules based on where packets are arriving from (source → ingress filtering)
▪ Interface towards the Internet
▪ Interface on net 1
▪ Interface on net 2 → net 3 is similar
- Problems with Packet Filters
Incoming TCP connections with IP fragmentation
- The firewall blocks any incoming TCP connection
- ACK packets (replies to outgoing connections) are allowed
- The internal host reassembles a packet with the SYN bit set, because two fragment offsets are chosen in order to set the SYN bit
Attacks
○ SYN scan
○ Create TCP connection
○ SYN flood - DoS
Stateful packet inspection
○ Stateful Inspection Firewalls (or Dynamic Packet Filters) can keep track of established connections
○ Can drop packets based on their source or destination IP addresses, port numbers and possibly TCP flags: solves one major problem of simple packet filters, since they can check that incoming traffic for a high-numbered port is a genuine response to a previous outgoing request to set up a connection
○ Considered layers are Transport, Network and Data Link
○ Connection tracking → considered TCP states
▪ Setting up a connection:
□ client calls from a (high-numbered) port to the port of the application on the server
□ server replies to the (high-numbered) port on the client
□ the connection is considered established when the server gives the correct SYN/ACK response
▪ Closing a connection: both parties have to close the connection by sending a TCP packet with the FIN flag set before the connection is considered closed
- Stateful firewall example
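An added example, not from the notes, of connection tracking with the TCP states listed above: a table entry is created only by an outgoing SYN, marked established by the server's SYN/ACK, and removed once both sides have sent FIN. It is a deliberately simplified state machine (no sequence-number checks, no timeouts, no UDP pseudo-state); the addresses and ports are constructed.

```python
# Added example (not from the notes): a minimal stateful firewall for TCP.
from typing import NamedTuple


class Segment(NamedTuple):
    direction: str        # "out": from our network, "in": from the Internet
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # any of "SYN", "ACK", "FIN", "RST"


def seg(direction, src, sport, dst, dport, *flags) -> Segment:
    return Segment(direction, src, sport, dst, dport, frozenset(flags))


class StatefulFirewall:
    """Only connections opened from inside are admitted; an inbound segment
    must belong to a connection already in the table."""

    def __init__(self):
        self.table = {}   # (inside_ip, inside_port, outside_ip, outside_port) -> state
        self.fins = {}    # same key -> set of directions that have already sent FIN

    @staticmethod
    def _key(s: Segment):
        """Normalise both directions of a connection onto one key."""
        if s.direction == "out":
            return (s.src, s.sport, s.dst, s.dport)
        return (s.dst, s.dport, s.src, s.sport)

    def _forget(self, key):
        self.table.pop(key, None)
        self.fins.pop(key, None)

    def handle(self, s: Segment) -> str:
        key = self._key(s)
        state = self.table.get(key)
        if state is None:
            # Only an outgoing SYN may create state. Everything else unsolicited is dropped:
            # an inbound SYN (no incoming connections) and an inbound SYN/ACK aimed at a
            # high-numbered port that never sent a SYN, the hole a stateless filter leaves open.
            if s.direction == "out" and s.flags == {"SYN"}:
                self.table[key] = "SYN_SENT"
                return "allow"
            return "drop"
        if state == "SYN_SENT":
            if s.direction == "in" and s.flags == {"SYN", "ACK"}:
                self.table[key] = "ESTABLISHED"     # correct SYN/ACK response seen
                return "allow"
            if s.direction == "out" and "SYN" in s.flags:
                return "allow"                      # retransmitted SYN
            return "drop"
        # ESTABLISHED or HALF_CLOSED: the segment belongs to a tracked connection.
        if "RST" in s.flags:
            self._forget(key)
            return "allow"
        if "FIN" in s.flags:
            closed = self.fins.setdefault(key, set())
            closed.add(s.direction)
            if closed == {"in", "out"}:
                self._forget(key)                   # both sides sent FIN: connection closed
            else:
                self.table[key] = "HALF_CLOSED"
        return "allow"

    def state_of(self, s: Segment):
        return self.table.get(self._key(s))


if __name__ == "__main__":
    fw = StatefulFirewall()
    client, server = "192.0.2.10", "198.51.100.7"   # constructed addresses
    print(fw.handle(seg("in", server, 25, client, 40001, "SYN", "ACK")))   # drop: nobody asked
    print(fw.handle(seg("out", client, 40001, server, 25, "SYN")))         # allow: SYN_SENT
    print(fw.handle(seg("in", server, 25, client, 40001, "SYN", "ACK")))   # allow: ESTABLISHED
```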
Stateful Firewalls
Friday, 12 April 2024 11: