Network Security: Network Endpoint Security PDF
Document Details
Uploaded by SmilingHibiscus5596
Universität Bern
2024
Prof. Dr. Torsten Braun
Summary
This document is a lecture outline for Network Security: Network Endpoint Security, covering firewalls (design goals, techniques, capabilities, limitations and types), intrusion detection systems, malicious software, denial-of-service attacks, onion routing, BGP security and the SCION architecture. The material is suitable for an undergraduate-level computer science course at the University of Bern.
Full Transcript
Network Security XII. Network Endpoint Security
Prof. Dr. Torsten Braun, Institut für Informatik Bern, 02.12.2024 – 09.12.2024

Table of Contents
1. Firewalls
2. Intrusion Detection Systems
3. Malicious Software
4. Denial of Service Attacks
5. The Onion Routing
6. Securing BGP Inter-Domain Routing
7. Scalability, Control, and Isolation on Next-Generation Networks
8. NIST Zero-Trust Architecture

1. Firewalls

1. Introduction
- important complement to host-based security services such as intrusion detection systems
- provides an additional layer of defense
- insulates internal systems from external networks or other parts of the internal network
- typically inserted between the premises network and the Internet to establish a controlled link and to build an outer security wall or perimeter

2. Design Goals
- All traffic in both directions must pass through the firewall. This is achieved by blocking all access to the local network except via the firewall.
- Only authorized traffic, as defined by the local security policy, will be allowed to pass.
- The firewall itself is immune to penetration. This implies the use of a hardened system with a secured operating system. Trusted computer systems are suitable for hosting a firewall.

3. Techniques
- Service control
  - determines the types of Internet services that can be accessed, inbound or outbound
  - The firewall may
    - filter traffic on the basis of IP address, protocol, or port number
    - provide proxy software that receives and interprets each service request
    - host the server software itself, such as a Web or mail service
- User control
  - controls access to a service according to which user is attempting to access it
  - typically applied to users inside the firewall perimeter (local users)
  - may also be applied to incoming traffic from external users; this requires some form of secure authentication, e.g., IPsec
- Behaviour control
  - controls how particular services are used, e.g., the firewall may filter email to eliminate spam, or it may enable external access to only a portion of the information on a local Web server
- Direction control
  - determines the direction in which particular service requests may be initiated and allowed to flow through the firewall

4. Capabilities
A firewall
- defines a single choke point that keeps unauthorized users out of the protected network
- prohibits potentially vulnerable services from entering or leaving the network
- provides protection from various kinds of IP spoofing and routing attacks
- simplifies security management because security capabilities are consolidated on a single system or set of systems
- provides a location for monitoring security-related events; audits and alarms can be implemented on the firewall
- is a convenient platform for several Internet functions that are not security related, e.g., a Network Address Translator, which maps local addresses to Internet addresses, and a network management function that audits or logs Internet usage
- can serve as the platform for implementing virtual private networks

5. Limitations
- A firewall cannot protect against attacks that bypass the firewall.
- It may not protect fully against internal threats, such as a misbehaving employee.
- An improperly secured wireless LAN may be accessed from outside the organization.
- Mobile devices may be used and infected outside the corporate network, and then connected and used internally.
6. General Model
[Figure (a), general model: Internal (protected) network (e.g. enterprise network) | Firewall | External (untrusted) network (e.g. Internet)]
Types
- Packet Filtering Firewall
- Stateful Inspection Firewall
- Application Proxy Firewall
- Circuit-level Proxy Firewall
[Figures (b) to (d): protocol-stack view of each firewall type (Application, Transport, Internet, Network access, Physical), showing where the end-to-end transport connection is relayed through the firewall and the state information it keeps]

7.1 Packet Filtering Firewall: Filtering Rules
- Source and destination IP address
- Source and destination transport-level address (port number)
- IP protocol field
- Interface
- List of rules based on matches to fields in the IP or TCP header; default: discard / forward

7.2 Packet Filtering Example
a) Inbound mail is allowed (port 25 is for SMTP incoming), but only to a gateway host. Packets from a particular external host, SPIGOT, are blocked.
b) Explicit statement of the default policy.
c) Any inside host can send mail to the outside. A TCP packet with a destination port of 25 is routed to the SMTP server on the destination machine. Problem: the use of port 25 for SMTP is only a default. An outside machine could be configured to have some other application linked to port 25.
d) Addresses the problem in c). Once a connection is set up, the ACK flag of a TCP segment is set to acknowledge segments sent from the other side. The rule set allows IP packets where the source IP address is one of a list of designated internal hosts and the destination TCP port number is 25, and it allows incoming packets with a source port number of 25 that include the ACK flag in the TCP segment.
e) Approach to handle FTP connections. FTP uses 2 TCP connections: a control and a data connection. The data connection uses a different, dynamically assigned port number. Most servers use low-numbered ports; most outgoing calls tend to use a higher-numbered port > 1023. Thus, this rule set allows
- Packets that originate internally
- Reply packets to a connection initiated by an internal machine
- Packets destined for a high-numbered port on

7.3 Weaknesses
- Because packet filter firewalls do not examine upper-layer data, they cannot prevent attacks that employ application-specific vulnerabilities or functions.
- Logging functionality in packet filter firewalls is limited. Packet filter logs normally contain the same information used to make access control decisions (source/destination address, traffic type).
- Most packet filter firewalls do not support advanced user authentication schemes, mostly due to the lack of upper-layer functionality in the firewall.
- Packet filter firewalls are generally vulnerable to attacks that take advantage of problems within the TCP/IP specification and protocol stack, such as network layer address spoofing. Many packet filter firewalls cannot detect a network packet in which IP addressing information has been altered.
- Due to the small number of variables used in access control decisions, packet filter firewalls are susceptible to security breaches caused by improper configurations.

7.4 Attacks and Countermeasures
- IP address spoofing
  → discard packets with an inside source address if the packet arrives on an external interface
- Source routing attacks
  - The source station specifies the route that a packet should take as it crosses the Internet, in the hope that this will bypass security measures that do not analyse source routing information.
  → discard all packets using this option
- Tiny fragment attacks
  - The attacker uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment. This circumvents filtering rules that depend on TCP header information.
  - The attacker hopes that the filtering firewall examines only the first fragment and that the remaining fragments are passed through.
  → enforce a rule that the first fragment of a packet must contain a predefined minimum amount of the transport header. If the first fragment is rejected, the filter can remember the packet and discard all subsequent fragments.

8.1 Stateful Inspection Firewall
- A traditional packet filter makes filtering decisions on an individual packet basis and does not consider any higher-layer context.
- Most applications that run on top of TCP follow a client/server model, e.g., SMTP. Typically, servers use lower-numbered well-known ports and clients use high-numbered ports.
- A simple packet filtering firewall must permit inbound network traffic on all high-numbered ports for TCP-based traffic to occur. This creates a vulnerability that can be exploited by unauthorized users.
- A stateful inspection packet firewall defines rules for TCP traffic by creating a directory of outbound TCP connections.
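The following is an added example, not code from the lecture: a small packet filter in Python that evaluates rule sets (c) and (d) from 7.2 and applies the three 7.4 countermeasures (anti-spoofing on the external interface, dropping source-routed packets, and the tiny-fragment rule with memory of rejected datagrams). The internal prefix 192.168.1.0/24, the 20-byte minimum for a first fragment, and all packets are constructed assumptions for illustration; the point it shows is that rule set (c) lets an outside host reach any inside port by binding source port 25, while rule set (d) does not.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed internal prefix
MIN_FIRST_FRAGMENT = 20   # assumed policy: fragment 0 must carry a full 20-byte TCP header


@dataclass
class Packet:
    iface: str                      # interface of arrival: "ext" (Internet side) or "int"
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0
    proto: str = "tcp"
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN"} or {"ACK"}
    ip_id: int = 0                  # IP identification, shared by all fragments of one datagram
    frag_offset: int = 0            # 0 for the first (or only) fragment
    more_fragments: bool = False
    payload_len: int = 40           # bytes of IP payload carried by this fragment
    source_route: bool = False      # IP source-routing option present


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def outbound(p):
    return is_internal(p.src_ip) and not is_internal(p.dst_ip)


def inbound(p):
    return is_internal(p.dst_ip) and not is_internal(p.src_ip)


# Rule set (c): inside hosts may open connections to port 25, and any packet
# coming back from source port 25 is let in.
RULESET_C = [
    ("permit", lambda p: outbound(p) and p.proto == "tcp" and p.dst_port == 25),
    ("permit", lambda p: inbound(p) and p.proto == "tcp" and p.src_port == 25),
]

# Rule set (d): the inbound rule additionally requires ACK, so an outside host
# cannot open a connection to an arbitrary inside port just by using source port 25.
RULESET_D = [
    ("permit", lambda p: outbound(p) and p.proto == "tcp" and p.dst_port == 25),
    ("permit", lambda p: inbound(p) and p.proto == "tcp" and p.src_port == 25
                         and "ACK" in p.flags),
]


class PacketFilter:
    """Rules are tried in order, first match wins; default policy is discard (rule b)."""

    def __init__(self, rules):
        self.rules = rules
        self.rejected = set()   # (src, dst, ip_id) of datagrams whose first fragment was rejected

    def _countermeasures(self, p):
        """7.4 checks, evaluated before the rule list. Returns a reason string or None."""
        if p.iface == "ext" and is_internal(p.src_ip):
            return "inside source address arriving on external interface"
        if p.source_route:
            return "source routing option present"
        key = (p.src_ip, p.dst_ip, p.ip_id)
        if p.frag_offset == 0:
            if p.more_fragments and p.payload_len < MIN_FIRST_FRAGMENT:
                self.rejected.add(key)          # remember, so later fragments are dropped too
                return "tiny first fragment"
        elif key in self.rejected:
            return "fragment of a rejected datagram"
        return None

    def decide(self, p):
        reason = self._countermeasures(p)
        if reason is not None:
            return "discard", reason
        for action, matches in self.rules:
            if matches(p):
                return action, "rule match"
        return "discard", "default policy"


def demo():
    """Send the same constructed traffic through rule sets (c) and (d)."""
    S = frozenset
    traffic = {
        "outbound_mail": Packet("int", "192.168.1.10", "203.0.113.5", 1045, 25, flags=S({"SYN"})),
        "mail_reply":    Packet("ext", "203.0.113.5", "192.168.1.10", 25, 1045, flags=S({"ACK"})),
        # outside host binds source port 25 and opens a connection to an inside telnet port
        "port25_attack": Packet("ext", "198.51.100.7", "192.168.1.10", 25, 23, flags=S({"SYN"})),
        # spoofed inside source address on the external interface
        "spoofed":       Packet("ext", "192.168.1.20", "192.168.1.10", 25, 1045, flags=S({"ACK"})),
        # tiny first fragment that cannot hold the TCP header, then its continuation
        "tiny_frag0":    Packet("ext", "203.0.113.5", "192.168.1.10", ip_id=7,
                                more_fragments=True, payload_len=8),
        "tiny_frag1":    Packet("ext", "203.0.113.5", "192.168.1.10", ip_id=7,
                                frag_offset=1, payload_len=32),
    }
    results = {}
    for name, rules in (("c", RULESET_C), ("d", RULESET_D)):
        fw = PacketFilter(rules)
        results[name] = {k: fw.decide(p)[0] for k, p in traffic.items()}
    return results


if __name__ == "__main__":
    for ruleset, decisions in demo().items():
        print(ruleset, decisions)
```

The countermeasures run before the rule list on purpose: a spoofed or source-routed packet must never reach a permit rule, and the rejected-datagram memory is what turns the tiny-fragment rule from a first-fragment check into a per-datagram decision.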
8.2 Example Stateful Firewall Connection State Table
Table 21.1 Example Stateful Firewall Connection State Table

Source Address   Source Port   Destination Address   Destination Port   Connection State
192.168.1.100    1030          210.9.88.29           80                 Established
192.168.1.102    1031          216.32.42.123         80                 Established
192.168.1.101    1033          173.66.32.122         25                 Established
192.168.1.106    1035          177.231.32.12         79                 Established
223.43.21.231    1990          192.168.1.6           80                 Established
219.22.123.32    2112          192.168.1.6           80                 Established
210.99.212.18    3321          192.168.1.6           80                 Established
24.102.32.23     1025          192.168.1.6           80                 Established
223.21.22.12     1046          192.168.1.6           80                 Established

- Table entries exist for each currently established connection.
- The packet filter will now allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory.
- A stateful packet inspection firewall reviews the same packet information as a packet filtering firewall, but also records information about TCP connections.
- Some stateful firewalls keep track of TCP sequence numbers to prevent attacks that depend on the sequence number, e.g., session hijacking.
- Some inspect limited amounts of application data for some well-known protocols like FTP in order to identify and track related connections.
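As an added example (not from the lecture), the stateful logic behind Table 21.1 in Python: an entry is created only by a SYN from an inside host, or from an outsider to a published service such as the web server 192.168.1.6:80 seen in the table; inbound segments to high-numbered ports are permitted only if they match an existing entry, the SYN/ACK must acknowledge the recorded SYN, and later segments must carry a plausible sequence number, which is the check that defeats blind injection into an established session. The internal prefix, the 65535-byte acceptance window and the traffic are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

SEQ_WINDOW = 65535   # assumed acceptance window for the sequence-number plausibility check


@dataclass
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset
    seq: int = 0
    ack: int = 0
    length: int = 0     # bytes of TCP payload

    @property
    def key(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    @property
    def reverse_key(self):
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class StatefulFirewall:
    def __init__(self, internal_net, inbound_services=()):
        self.internal = ipaddress.ip_network(internal_net)
        self.inbound_services = set(inbound_services)   # (ip, port) outsiders may connect to
        self.table = {}   # initiator 4-tuple -> {"state", "init_next", "resp_next"}

    def _is_internal(self, ip):
        return ipaddress.ip_address(ip) in self.internal

    @staticmethod
    def _in_window(seq, expected):
        return expected is None or abs(seq - expected) <= SEQ_WINDOW

    def process(self, seg):
        if seg.key in self.table:
            return self._from_initiator(self.table[seg.key], seg, seg.key)
        if seg.reverse_key in self.table:
            return self._from_responder(self.table[seg.reverse_key], seg, seg.reverse_key)
        # No entry yet: only a SYN may create one, from an inside host or to a published service.
        if seg.flags == frozenset({"SYN"}) and (
            self._is_internal(seg.src_ip) or (seg.dst_ip, seg.dst_port) in self.inbound_services
        ):
            self.table[seg.key] = {"state": "SYN_SENT", "init_next": seg.seq + 1, "resp_next": None}
            return "permit"
        return "discard"

    def _from_initiator(self, rec, seg, key):
        if not self._in_window(seg.seq, rec["init_next"]):
            return "discard"
        if "RST" in seg.flags:
            del self.table[key]
            return "permit"
        rec["init_next"] = max(rec["init_next"], seg.seq + seg.length)
        return "permit"

    def _from_responder(self, rec, seg, key):
        if rec["state"] == "SYN_SENT":
            # Only the SYN/ACK that acknowledges the recorded SYN completes the entry.
            if seg.flags == frozenset({"SYN", "ACK"}) and seg.ack == rec["init_next"]:
                rec["state"] = "Established"
                rec["resp_next"] = seg.seq + 1
                return "permit"
            return "discard"
        if not self._in_window(seg.seq, rec["resp_next"]):
            return "discard"          # out-of-window data: blind injection / hijack attempt
        if "RST" in seg.flags:
            del self.table[key]
            return "permit"
        rec["resp_next"] = max(rec["resp_next"], seg.seq + seg.length)
        return "permit"

    def state_table(self):
        """Rows in the layout of Table 21.1: (src, sport, dst, dport, state)."""
        return [(k[0], k[1], k[2], k[3], r["state"]) for k, r in self.table.items()]


def demo():
    fw = StatefulFirewall("192.168.1.0/24", inbound_services=[("192.168.1.6", 80)])
    S = frozenset
    steps = [
        ("client_syn",     Segment("192.168.1.100", 1030, "210.9.88.29", 80, S({"SYN"}), seq=1000)),
        ("server_synack",  Segment("210.9.88.29", 80, "192.168.1.100", 1030, S({"SYN", "ACK"}),
                                   seq=5000, ack=1001)),
        ("server_data",    Segment("210.9.88.29", 80, "192.168.1.100", 1030, S({"ACK"}),
                                   seq=5001, ack=1001, length=100)),
        # forged segment claiming to be the server, with a guessed (implausible) sequence number
        ("hijack_attempt", Segment("210.9.88.29", 80, "192.168.1.100", 1030, S({"ACK"}),
                                   seq=900000000, ack=1001, length=10)),
        # unsolicited inbound SYN to a high-numbered port: no entry, not a published service
        ("unsolicited",    Segment("203.0.113.9", 4444, "192.168.1.100", 1030, S({"SYN"}), seq=1)),
        # outsider opening a connection to the DMZ web server, as in Table 21.1
        ("web_client",     Segment("223.43.21.231", 1990, "192.168.1.6", 80, S({"SYN"}), seq=77)),
    ]
    decisions = {name: fw.process(seg) for name, seg in steps}
    return decisions, fw.state_table()


if __name__ == "__main__":
    decisions, table = demo()
    print(decisions)
    for row in table:
        print(*row)
```

The sequence-number check is deliberately a window rather than an exact match, since segments are reordered and retransmitted in practice; a real implementation also ages entries out and follows FIN exchanges, which are omitted here.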
9. Application Proxy Firewalls
- An application-level gateway, also called application proxy, acts as a relay of application-level traffic.
- The user contacts the gateway using an application, e.g., Telnet, FTP; the gateway asks the user for the name of the remote host to be accessed.
- When the user provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments with application data between the endpoints.
- If the gateway does not implement the proxy code for a specific application, the service is not supported.
- Advantages:
  - The approach tends to be more secure than packet filters.
  - The application-level gateway needs to check only a few applications.
- Disadvantages:
  - additional processing overhead on each connection
  - two spliced bi-directional connections

10. Circuit-level Proxy Firewall
- Stand-alone system or a specialized function performed by an application-level gateway for certain applications.
- As with an application gateway, a circuit-level gateway sets up two TCP connections. Once the two connections are established, the gateway relays TCP segments from one connection to the other without examining the contents. The security function consists of determining which connections will be allowed.
- Typical use is when the system administrator trusts internal users.
- The gateway can be configured to support application-level or proxy service on inbound connections and circuit-level functions for outbound connections.

11. Demilitarized Zone Networks
- An external firewall is placed at the edge of a local or enterprise network.
- One or more internal firewalls protect the enterprise network.
- Between the internal and external firewalls there are one or more networked devices in a region called the demilitarized zone (DMZ) network, e.g., for systems that are externally accessible but need some protection, like the corporate web server or email server.
[Figure: remote users and the Internet reach a boundary router; the external firewall fronts the internal DMZ network (Web server(s), email server, DNS server on a LAN switch); the internal firewall separates the internal protected network (application and database servers, workstations on a LAN switch)]

2. Intrusion Detection Systems

1. Terms
Intrusion
- Violations of security policy, usually characterized as attempts to affect the confidentiality, integrity, or availability of a computer or network by external attackers or by authorized users trying to overstep their legitimate authorization levels
Intrusion Detection
- The process of collecting information about events occurring in a computer system or network and analyzing them for signs of intrusions
Intrusion Detection System
- Hardware or software that gathers and analyzes information from various areas within a computer or a network for the purpose of finding, and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner

2. Classification
Host-based IDS
- monitors the characteristics of a single host and the events occurring within that host for suspicious activity
Network-based IDS
- monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity

3. Components
Sensors
- are responsible for collecting data.
- The input for a sensor may be any part of a system that could contain evidence of an intrusion, e.g., network packets, log files, and system call traces.
- collect and forward this information to the analyzer.
Analyzers
- receive input from one or more sensors or from other analyzers.
- are responsible for determining if an intrusion has occurred. The output of this component is an indication that an intrusion has occurred. The output may include evidence supporting the conclusion that an intrusion occurred.
- may provide guidance about what actions to take as a result of the intrusion.
User interface
- enables a user to view output from the system or control the behavior of the system.
- may equate to a manager, director, or console component.

4.1 Misuse and Anomaly Detection
Misuse detection
- is based on rules that specify system events, sequences of events, or observable properties of a system that are believed to be symptomatic of security incidents.
- uses various pattern-matching algorithms, operating on large databases of attack patterns, or signatures.
- Advantage: accurate and few false alarms.
- Disadvantage: difficult to detect novel or unknown attacks.
Anomaly detection
- searches for activity that is different from the normal behaviour of system entities and system resources.
- Advantage: able to detect previously unknown attacks based on an audit of activity.
- Disadvantage: significant trade-off between false positives and false negatives.

4.2 Behaviour of Intruders and Authorized Users
[Figure: probability density function over a measurable behaviour parameter; profile of authorized user behaviour and profile of intruder behaviour, each with its average, and the overlap region in observed or expected behaviour]
5. Host-Based IDS
- adds a specialized layer of security software to vulnerable or sensitive systems, e.g., a database server
- monitors activity on the system in a variety of ways to detect suspicious behavior
- can sometimes halt an attack before any damage is done
- primary purpose: to detect intrusions, log suspicious events, and send alerts
- can detect external and internal intrusions
- uses one or a combination of anomaly and misuse protection
- anomaly detection strategies:
  - Threshold detection
  - Profile based

6.1 Network IDS
- monitors the traffic on its network segment as a data source
- accomplished by placing the network interface card in promiscuous mode to capture all network traffic that crosses its network segment

6.2 Network IDS Function
A network IDS involves looking at the packets on the network as they pass by some sensor. Packets are considered to be of interest if they match a signature.
- String signatures: look for a text string that indicates a possible attack, e.g., cat "+ +" > /.rhosts
- Port signatures: watch for connection attempts to well-known, frequently attacked ports, e.g., ports 20, 21, 23, 143
- Header condition signatures: watch for dangerous or illogical combinations in packet headers, e.g., WinNuke destined for the NetBIOS port with the urgent pointer set, or a TCP segment with the SYN and FIN bits both set
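The three signature classes of 6.2 as a small sensor in Python, an added example rather than lecture code. Packets are constructed inline; the signature names, the choice of port 139 for the WinNuke condition and the regular expression for the .rhosts command are this example's own assumptions. The string rule is a byte regex over the payload, the port rule fires only on connection attempts (SYN without ACK), and the header rules look for flag combinations that no legitimate stack produces.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dst_port: int
    flags: frozenset          # TCP flags present, e.g. {"SYN"}
    urg_ptr: int = 0          # TCP urgent pointer (non-zero when URG data is present)
    payload: bytes = b""


# String signatures: byte patterns in the payload that indicate a possible attack.
STRING_SIGNATURES = {
    "rhosts-backdoor": re.compile(rb'cat\s+"\+\s*\+"\s*>\s*/\.rhosts'),
}

# Port signatures: connection attempts (SYN without ACK) to frequently attacked ports.
WATCHED_PORTS = {20: "ftp-data", 21: "ftp", 23: "telnet", 143: "imap"}

NETBIOS_PORT = 139   # assumed: NetBIOS session service, the WinNuke target


def header_condition_signatures(p):
    """Dangerous or illogical header combinations."""
    hits = []
    if {"SYN", "FIN"} <= p.flags:
        hits.append("syn-fin-set")                         # never legal in a real handshake
    if p.dst_port == NETBIOS_PORT and "URG" in p.flags and p.urg_ptr > 0:
        hits.append("winnuke-oob")                         # out-of-band data to the NetBIOS port
    return hits


def match(p):
    """All signature names this packet triggers, in the order string / port / header."""
    alerts = [name for name, rx in STRING_SIGNATURES.items() if rx.search(p.payload)]
    if "SYN" in p.flags and "ACK" not in p.flags and p.dst_port in WATCHED_PORTS:
        alerts.append("probe-" + WATCHED_PORTS[p.dst_port])
    alerts.extend(header_condition_signatures(p))
    return alerts


def scan(packets):
    """Run the sensor over a packet stream; one alert tuple per signature hit."""
    return [(p.src, p.dst, p.dst_port, a) for p in packets for a in match(p)]


def sample_traffic():
    """Constructed packets: one benign request, four attacks, one handshake reply."""
    S = frozenset
    return [
        Packet("192.0.2.10", "203.0.113.20", 80, S({"ACK", "PSH"}), payload=b"GET / HTTP/1.1\r\n"),
        Packet("198.51.100.7", "203.0.113.20", 23, S({"ACK", "PSH"}),
               payload=b'echo x; cat "+ +" > /.rhosts\r\n'),
        Packet("198.51.100.7", "203.0.113.20", 143, S({"SYN"})),
        Packet("198.51.100.8", "203.0.113.20", 80, S({"SYN", "FIN"})),
        Packet("198.51.100.9", "203.0.113.21", 139, S({"ACK", "URG"}), urg_ptr=3, payload=b"\x00\x00"),
        Packet("192.0.2.11", "203.0.113.20", 143, S({"SYN", "ACK"})),   # a reply, not an attempt
    ]


if __name__ == "__main__":
    for alert in scan(sample_traffic()):
        print(*alert)
```

Note what the port rule does not flag: the SYN/ACK to port 143 is a server reply, so matching on the bare presence of the port would produce a false alarm for every legitimate IMAP session.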
6.3 Network IDS Locations
1. Outside the main enterprise firewall: useful for establishing the level of threat for a given enterprise network.
2. In the network DMZ: to monitor for penetration attempts that target web and other services generally open to outsiders.
3. Behind internal firewalls: to monitor major backbone networks, such as those that support internal servers and database resources.
4. Behind internal firewalls: to monitor LANs that support user workstations and servers specific to a single department.
[Figure: Internet, external firewall, service network (Web, Mail, DNS, etc.), internal firewall, internal server and data resource networks, workstation networks, each segment with a NIDS sensor reporting to the NIDS manager]

3. Malicious Software

1. Definition and Types
- NIST SP 800-83 definition: "a program that is covertly inserted into another program with the intent to destroy data, run destructive or intrusive programs, or otherwise compromise the confidentiality, integrity, or availability of the victim's data, applications, or operating system"
- Malware can
  - pose a threat to application programs, to utility programs, and to kernel-level programs
  - be used on compromised or malicious Web sites and servers, or in especially crafted spam emails or other messages
- Malware types
  - Virus
  - Worm
  - Trojan Horse
  - Spyware
  - Rootkit
  - Backdoor
  - Mobile code
  - Bot

2. Malware Defense

4. Denial-of-Service Attacks

1. Overview
- Attempt to prevent legitimate users of a service from using that service
- When the attack comes from a single host or network node, it is simply referred to as a DoS attack
- A more serious threat is posed by a Distributed Denial-of-Service attack; in a typical DDoS attack, many compromised hosts send useless packets
- (D)DoS attacks make computer systems inaccessible by flooding servers, networks, or even end-user systems with useless traffic so that legitimate users can no longer gain access to those resources
2.1 DDoS Example: Distributed SYN Flood Attack
[Figure (a), distributed SYN flood attack: the attack machine triggers the slave servers, which send SYN packets across the Internet to the target Web server; the target answers each with a SYN/ACK packet]

2.2 DDoS Example: Distributed ICMP Attack
[Figure: distributed ICMP attack involving the attack machine, the reflector machines and the target router]

3.1 Direct DDoS Attack
- The attacker can implant zombie software on several sites distributed throughout the Internet.
- Often there are two levels of zombie machines: master zombies and slave zombies, both infected with malicious code.
- The attacker coordinates and triggers the master zombies, which in turn coordinate and trigger the slave zombies.
- The use of two levels of zombies makes it more difficult to trace the attack back to its source and provides for a more resilient network of attackers.
[Figure (a), direct DDoS attack: Attacker → Master zombies → Slave zombies → Victim]

3.2 Reflector DDoS Attack
- Slave zombies construct packets requiring a response that contain the target's IP address as the source IP address in the packet's IP header.
- These packets are sent to uninfected machines known as reflectors, which respond with packets directed at the target machine.
- A reflector DDoS attack can easily involve more machines and more traffic than a direct DDoS attack and hence be more damaging.
- Tracing back the attack or filtering out the attack packets is more difficult because the attack comes from widely dispersed uninfected machines.
[Figure (b), reflector DDoS attack: Attacker → Master zombies → Slave zombies → Reflectors → Victim]
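The distributed SYN flood of 2.1 leaves a characteristic trace at the victim: many embryonic (SYN received, SYN/ACK sent, final ACK never arrives) connections. The Python below is an added example, not from the lecture, of detection logic run over a constructed packet trace: it tracks half-open connections per service, expires them after a timeout, raises one alert when the count passes a threshold, and reports the sources holding the most half-open connections as candidates for filtering. The log format, the threshold of 100, the 3-second timeout and the addresses are all assumptions.

```python
import re
from collections import defaultdict

LINE = re.compile(r"t=(?P<t>[\d.]+) (?P<src>[\d.]+):(?P<sp>\d+) -> "
                  r"(?P<dst>[\d.]+):(?P<dp>\d+) (?P<flags>[A-Z/]+)")

HALF_OPEN_THRESHOLD = 100   # assumed: alert once a service holds more embryonic connections
HALF_OPEN_TIMEOUT = 3.0     # assumed: seconds after which an unanswered SYN is forgotten


class SynFloodDetector:
    def __init__(self):
        self.half_open = {}     # (src, sport, dst, dport) -> time the SYN was seen
        self.alerts = []        # (time, dst, dport, half-open count, top sources)
        self.alerted = set()    # services already reported, so each attack is reported once

    def _expire(self, now):
        for key, t0 in list(self.half_open.items()):
            if now - t0 > HALF_OPEN_TIMEOUT:
                del self.half_open[key]

    def pressure(self, dst, dport):
        """Half-open connections towards one service, and the sources holding them."""
        per_src = defaultdict(int)
        for src, _, d, p in self.half_open:
            if (d, p) == (dst, dport):
                per_src[src] += 1
        return sum(per_src.values()), sorted(per_src, key=per_src.get, reverse=True)

    def feed(self, line):
        m = LINE.match(line)
        if not m:
            return
        t = float(m["t"])
        key = (m["src"], int(m["sp"]), m["dst"], int(m["dp"]))
        self._expire(t)
        if m["flags"] == "SYN":
            self.half_open[key] = t
            count, sources = self.pressure(key[2], key[3])
            if count > HALF_OPEN_THRESHOLD and (key[2], key[3]) not in self.alerted:
                self.alerted.add((key[2], key[3]))
                self.alerts.append((t, key[2], key[3], count, sources[:3]))
        elif m["flags"] in ("ACK", "RST") and key in self.half_open:
            del self.half_open[key]   # handshake completed (or aborted) by the client


def sample_log():
    """Constructed trace: two real clients, then 150 unanswered SYNs from 30 slave machines."""
    lines, t = [], 0.0
    for i, src in enumerate(("192.0.2.10", "192.0.2.11")):
        sp = 50000 + i
        lines += [f"t={t:.3f} {src}:{sp} -> 203.0.113.10:80 SYN",
                  f"t={t + 0.01:.3f} 203.0.113.10:80 -> {src}:{sp} SYN/ACK",
                  f"t={t + 0.02:.3f} {src}:{sp} -> 203.0.113.10:80 ACK"]
        t += 0.05
    for i in range(150):
        src = f"198.51.100.{1 + i % 30}"
        lines += [f"t={t:.3f} {src}:{40000 + i} -> 203.0.113.10:80 SYN",
                  f"t={t + 0.001:.3f} 203.0.113.10:80 -> {src}:{40000 + i} SYN/ACK"]
        t += 0.01
    return lines


def run(lines):
    det = SynFloodDetector()
    for line in lines:
        det.feed(line)
    return det


if __name__ == "__main__":
    for alert in run(sample_log()).alerts:
        print(alert)
```

Two caveats a practitioner would add: the flood sources in a real SYN flood are usually spoofed, so the top-source list is only a starting point for filtering, not proof of origin; and the legitimate clients are invisible to the detector precisely because they complete the handshake, which is the behaviour the threshold relies on.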
4. DDoS Countermeasures
- Attack prevention and preemption (before the attack):
  - Mechanisms enable the victim to endure attack attempts without denying service to legitimate clients.
  - Techniques: enforcing policies for resource consumption and providing backup resources available on demand.
  - Prevention mechanisms modify systems and protocols on the Internet to reduce the possibility of DDoS attacks.
- Attack detection and filtering (during the attack):
  - Mechanisms attempt to detect the attack as it begins and respond immediately.
  - Detection involves looking for suspicious patterns of behavior.
  - Response involves filtering out packets likely to be part of the attack.
- Attack source traceback and identification (during and after the attack):
  - Attempt to identify the source of the attack as a first step in preventing future attacks.
  - Typically does not yield results fast enough, if at all, to mitigate an ongoing attack.

5. The Onion Routing

1. Overview
- most widely used anonymity network
- based on Onion Routing ideas
- first release in 2002
- integrated with a customized browser for a better user experience and to mitigate side channel attacks
- provides anonymity for users and servers

2. Tunneling

3. TLS Tunneling

4. Operation
1. The user installs a Tor proxy on his/her computer, which connects to the Tor network. The list of available Tor servers (relays) is downloaded from a directory server (signed list).
2. Selection of a random route via at least 3 Tor servers (trade-off between delay and anonymity).
3. Setup of consecutive connections; each server knows only its successor and predecessor.
4. Data transfer over these connections.
[Figure legend: entry node, exit node, directory server, encrypted connection, unencrypted connection]
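An added example (not lecture code) of the layering behind steps 2 to 4 in Python: the client wraps the request in one encryption layer per relay, innermost for the exit node, and each relay strips exactly one layer, learning only its successor. It assumes the client already shares a symmetric key with each relay (Tor negotiates these per hop while building the circuit; that handshake is not modelled) and uses SHA-256 in counter mode with an HMAC tag as a toy authenticated cipher in place of the TLS/AES layers of the real system. Relay names, the destination and the message are constructed.

```python
import hashlib
import hmac
import os

# Assumption: one pre-shared 256-bit key per relay (in Tor these come from the circuit handshake).
RELAY_KEYS = {name: os.urandom(32) for name in ("entry", "middle", "exit")}


def keystream(key, nonce, n):
    """SHA-256 in counter mode as a toy stream cipher (stand-in for the real AES/TLS layers)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key, plaintext):
    """Encrypt-then-MAC one onion layer: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("layer tampered with or wrong relay key")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def build_onion(path, destination, message):
    """Client: wrap the message from the innermost (exit) layer outward.
    Every layer holds only the name of the next hop and the still-encrypted remainder."""
    hops = path + [destination]
    blob = message
    for relay, next_hop in reversed(list(zip(path, hops[1:]))):
        blob = seal(RELAY_KEYS[relay], next_hop.encode() + b"\x00" + blob)
    return blob


def relay_forward(relay, blob):
    """Relay: strip exactly one layer; learn the next hop and nothing else."""
    plain = unseal(RELAY_KEYS[relay], blob)
    next_hop, _, rest = plain.partition(b"\x00")
    return next_hop.decode(), rest


def send_through_circuit(path, destination, message):
    """Simulate the path; record what each relay can see (its predecessor and successor)."""
    views, prev = {}, "client"
    blob = build_onion(path, destination, message)
    for relay in path:
        next_hop, blob = relay_forward(relay, blob)
        views[relay] = {"prev": prev, "next": next_hop}
        prev = relay
    # The exit relay forwards over the last, unencrypted connection: blob is now the clear message.
    return views, next_hop, blob


def tamper_is_detected(path, destination, message):
    blob = bytearray(build_onion(path, destination, message))
    blob[20] ^= 0x01            # flip one ciphertext bit of the outermost layer
    try:
        relay_forward(path[0], bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    views, dest, msg = send_through_circuit(["entry", "middle", "exit"],
                                            "www.example.org", b"GET / HTTP/1.1")
    print(views, dest, msg)
```

The recorded views make the anonymity property concrete: the entry node sees the client but not the destination, the exit node sees the destination and the cleartext request but not the client, and only the client knows the whole path. The per-layer MAC is what stops a relay from flipping bits in an inner layer and observing the effect downstream.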
5. Discussion
Advantages
- No single Tor node is aware of the complete plan of communication.
- The more Tor nodes, the more anonymity is added.
- Tor builds anonymous paths for the client based on a list of bridge nodes.
Disadvantages
- Quality-of-Service and performance
- Central directory server
- Dependence on DNS

6. Securing BGP Inter-Domain Routing

1. Border Gateway Protocol Messages
- OPEN to start a BGP session
- UPDATE to exchange reachability information
- NOTIFICATION to convey a reason code prior to BGP session termination
- KEEPALIVE to confirm continued availability of the BGP peer
- ROUTE-REFRESH to request resending of the routing information
[Figure: BGP Route Propagation]

2. Securing BGP Sessions
BGP is vulnerable to TCP threats:
- Eavesdropping
- Spurious session reset
- Session capture
- Message alteration
- Denial-of-Service
Other threats:
- Session hijacking
- Replay attacks
- Withholding traffic
- Saturation attack

3. BGP Issues
- Verifying BGP identities: often done via IP addresses
- Verifying BGP information: risk of prefix hijacking
- Verifying forwarding paths: route advertisements cannot be validated

4. BGP Security Requirements
- Data security
  - data that a BGP speaker receives can be cryptographically verified to have been sent by the BGP peer
  - data is not a replay of previously transmitted data
  - no data has been removed from the transmission
- Path validation: a BGP speaker should be able to validate that
  - the AS Path in an UPDATE represents a valid inter-AS transit path through the network
  - the prefix reachability information has been propagated along the reverse inter-AS Path

5. BGP Weaknesses
BGP does not have mechanisms to
- protect integrity, currency, and source authenticity of BGP messages
- verify the authenticity of an address prefix and the AS origination of this prefix in the routing system
- verify the authenticity of the attributes of a BGP UPDATE message
- verify that the local cache Routing Information Base information is consistent with the current state of the forwarding table

6. BGP Session Protection
- IPsec (not widely used due to the complicated rekeying of IKE sessions)
- TCP MD5 Signature Option
- TCP Authentication Option
- BGP over TLS: requires modifications of BGP implementations
- Resource Public Key Infrastructure (RPKI, RFC 6480)
  - digitally signed routing objects (X.509) to support routing security
  - distributed repository system to hold the PKI and signed routing objects

7. Secure BGP (sBGP)
- places digital signatures over the address and AS Path information contained in routing advertisements
- defines an associated PKI for validation of signatures
- Address attestation authorises a nominated AS to advertise itself as the origin AS for a particular address prefix.

8. Secure Origin BGP (soBGP)
- avoids a hierarchical PKI that mirrors the AS number distribution framework and nominates the use of a web of trust (or a reputation mechanism) as the means of validation of these certificates
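The RPKI of slide 6 is consumed by routers as route origin validation (RFC 6811): a Route Origin Authorization (ROA) states which AS may originate a prefix and down to which length. The Python below is an added example, not lecture or project code, computing the Valid / Invalid / NotFound state for a set of announcements and mapping it to a typical import policy. The ROAs, announcements and preference values are constructed from documentation prefixes and private-use AS numbers.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization as published in the RPKI: prefix, maxLength, origin AS."""
    prefix: str
    max_length: int
    origin_as: int


def origin_validation(prefix, origin_as, roas):
    """RFC 6811 route origin validation state for one (prefix, origin AS) announcement."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas
                if ipaddress.ip_network(r.prefix).version == net.version
                and net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "NotFound"          # no ROA says anything about this address space
    for r in covering:
        if r.origin_as == origin_as and net.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"               # covered by a ROA, but wrong origin or too specific


def route_policy(state):
    """Assumed operator policy: drop Invalid, keep NotFound, but prefer Valid routes."""
    return {"Valid": ("accept", 200), "NotFound": ("accept", 100), "Invalid": ("reject", 0)}[state]


ROAS = [
    ROA("203.0.113.0/24", 24, 64500),   # AS64500 may originate exactly the /24
    ROA("198.51.100.0/24", 26, 64501),  # AS64501 may originate the /24 and anything down to /26
]

ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),     # Valid
    ("203.0.113.0/25", 64500),     # Invalid: more specific than maxLength allows
    ("203.0.113.0/24", 64666),     # Invalid: origin hijack by an unauthorised AS
    ("198.51.100.128/26", 64501),  # Valid
    ("192.0.2.0/24", 64502),       # NotFound: no ROA covers it
]


def validate_all(announcements=ANNOUNCEMENTS, roas=ROAS):
    return {(p, asn): origin_validation(p, asn, roas) for p, asn in announcements}


if __name__ == "__main__":
    for (p, asn), state in validate_all().items():
        print(f"{p:20} AS{asn:<6} {state:9} -> {route_policy(state)}")
```

Note the limits that motivate the later slides: origin validation says nothing about the rest of the AS Path, so an attacker who prepends the legitimate origin AS to a hijacked route still produces a Valid announcement; that is the gap BGPSec's path signatures are meant to close.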
9. Inter-domain Route Validation (IRV)
- All previous approaches require changes to the operation of BGP itself.
- Inter-domain Route Validation does not modify the BGP protocol but defines a companion information-distribution protocol.
- In IRV, each AS must provide an IRV server capable of providing authoritative responses relating to prefixes originated by this AS.
- IRV provides routing policy information using the Routing Policy Specification Language.

10. BGPSec
- BGP AS Path attributes carry the digital signatures produced by each AS that propagates a BGP UPDATE message.
- These signatures, signed by the ASs, assure that
  - every AS listed in the AS Path attribute has handled the propagation of this prefix
  - the order in the AS Path is the exact order of propagation of the UPDATE message through the inter-domain routing space
  - each AS listed has explicitly authorised the propagation of the UPDATE message to its BGP peer

11. Discussion
Approaches often
- have high crypto processing overhead
- require BGP protocol changes or significant extensions, making incremental deployment difficult

7. Scalability, Control, and Isolation on Next-Generation Networks (SCION)

1.1 Motivation
- Internet: 99.9% availability (86 s/day unavailability)
- Plug-into-the-wall telephones: 99.999% availability
Reasons for outages [Katz-Bassett et al., ACM Sigcomm 2012]
- Numerous short-lived outages due to Border Gateway Protocol route changes and route convergence delays
- Misconfigurations
- Attacks, e.g., hijacking (redirecting) of paths

1.2 Network Availability
- is the most fundamental security issue.
- The main attack is preventing communication, e.g.,
  - disrupting the routing system
  - DDoS attack
  - address hijacking
- The current Internet offers limited control of paths.
- Paths can be hijacked and redirected.

1.3 BGP Limitations
- Frequent periods of unavailability when paths change
- Slow convergence during iterative route computation
- Susceptible to attacks and misconfigurations, sometimes resulting in global outages
- Lack of scalability
- Limited path control by end points
  → possible redirection
  → no multipath support
  → no optimization of paths
- Very few trust roots → single point of failure
- Path transparency: poor path predictability and reproducibility

1.4 Secure End-to-end Communication
Certificate issues
- Fake certificates for man-in-the-middle attacks
- Hacking of CAs that are issuing SSL/TLS certificates
- Issuing of fake certificates for popular domain names, e.g., Google, Facebook
Non-scalability of trust
- No single entity is trusted by everyone.

1.5 Problems to be Addressed
- High availability
- Path control
- Path and trust transparency
- Secure entity authentication
- Resilience to compromised trust roots: limit the global scope of CAs
- Scalability, efficiency, flexibility

1.6 Problems with the Current SSL/TLS PKI
- Weakest-link security with too many trusted entities, often > 1'000 keys
- Revocation system is insecure and inefficient
- Misconfigurations: SSLv2, weak crypto, NULL cipher suites
- Users ignore errors and visit web sites → domains should decide about error handling
- Transparency: CAs' actions are not transparent.
- Imbalance: CAs have almost unlimited power.
- Various schemes
- Some CAs are too big to fail
- Trust agility: domains cannot state which CAs are trusted → SCION PoliCERT for TLS certificate management

2.1 Architecture Overview
Control plane: how to find and disseminate paths
- Path exploration
- Path registration
Data plane: how to send packets
- Path lookup
- Path combination
- Path encoding in packets

2.2 Isolation Domain
- grouping of ASs
- ISD core: ASs that manage the ISD
- Core AS: AS that is part of the ISD core
- Authentication of entities inside an ISD
- Trusted Root Configuration (TRC): definition of trust roots in an ISD for the control-plane, end-identity and name-resolution PKI
- Hierarchical control plane
  - inter-ISD control plane
  - intra-ISD control plane

2.3 Sample TRC and TRC Cross Signatures

2.4 AS Certificates
- Each AS obtains a certificate signed by a core AS.
- A core AS certificate can be revoked through a TRC update.
- Any AS can certify any other AS through a chain of cross-signed TRCs and by verifying core AS signatures.

3.1 Control Plane: Intra-ISD Path Exploration (Beaconing)
- Core ASs K, L, M initiate Path-segment Construction Beacons (PCBs).
- PCBs traverse the ISD as a flood to reach downstream ASs.
- Each AS receives multiple PCBs representing path segments to a core AS.
  - Up-path segments, e.g., R → K
  - Down-path segments, e.g., M → S
- Securing PCBs
  - Each AS has a certificate {AS, K_AS, expiration} signed with K_coreAS.
  - Beacon servers know the relevant AS certificates.
  - Each PCB is signed by the core AS that issues it.
  - Each AS that resends a PCB signs the updated PCB.
7. SCION 3.2 Control Plane: Core Path Segments
- Core beaconing for inter-ISD path exploration
- Each AS operates path servers.
- Path servers offer a path lookup service.
- Registration of up-path segments at local path servers
- Down-path segments are uploaded to the core path server.

7. SCION 3.3 Control Plane: Path Lookup
- Host contacts a RAINS (Another Internet Naming Service) server with a name
  H → RAINS: www.scion-architecture.net
  RAINS → H: ISD X, AS Y, local address Z
- Host contacts the local path server to query path segments
  H → PS: ISD X, AS Y
  PS → H: up-path, core-path, down-path segments
- Host combines path segments to obtain end-to-end paths, which are added to packets.

7. SCION 3.4 Control Plane: SCION Control Message Protocol
SCMP is analogous to ICMP and provides:
- Network diagnostics: SCION equivalents of ping/traceroute
- Error messages to signal problems with packet processing or inform end hosts about network-layer problems
- Asymmetric (AS certificates) or symmetric authentication (DRKey) are supported.

7. SCION 3.5 Control Plane: Dynamically Recreatable Key
- Use of a per-AS secret value to derive keys with an efficient PRF
Example
- AS X creates a key for AS Y using secret value SV_X: K_{X→Y} = PRF_{SV_X}("Y")
- Any entity in AS X knowing secret value SV_X can derive K_{X→*}

7. SCION 4.1 Data Plane: Path Lookup
- Host contacts local path server requesting
- If path segments are not cached, the local path server will contact the core path server.
- If the core path server does not have the path segments cached, it will contact the remote core path server.
- Finally, the host receives up-, core-, and down-path segments.
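The DRKey derivation of 3.5 and its use for symmetric SCMP authentication (3.4), as an added Go example that is not part of the lecture or of the SCION code base: AS X derives K_{X→Y} from its secret value SV_X, AS Y tags its message with that key, and any router in X recreates the key on the fly to check the tag. Assumptions: HMAC-SHA256 stands in for the PRF, the message layout is constructed, and the channel by which Y receives K_{X→Y} from X is not shown.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
)

// DeriveKey computes K_{X→Y} = PRF_{SV_X}("Y"). HMAC-SHA256 stands in for the
// PRF (an assumption of this example, not SCION's choice of function).
// Only holders of SV_X can compute it, and they can do so for any Y, i.e.
// they hold K_{X→*} without storing a single per-peer key.
func DeriveKey(sv []byte, y string) []byte {
	m := hmac.New(sha256.New, sv)
	m.Write([]byte(y))
	return m.Sum(nil)
}

// Authenticate tags an SCMP-style message from AS Y addressed to AS X with
// K_{X→Y}; Y obtained this key from X beforehand (that exchange is not shown).
func Authenticate(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// CheckAtX is run by any router or server inside AS X on a message claiming
// to come from AS y: it recreates K_{X→y} from SV_X on the fly and compares
// the tag in constant time, so X keeps no per-peer key state at all.
func CheckAtX(sv []byte, y string, msg, tag []byte) bool {
	return hmac.Equal(Authenticate(DeriveKey(sv, y), msg), tag)
}
```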
7. SCION 4.2 Data Plane: Path Combination
Core-segment combination: up-path segment + core-path segment + down-path segment

7. SCION 4.3.1 Data Plane: Path Construction
Information Field
Hop Field

7. SCION 4.3.2 Data Plane: Path Encoding

7. SCION 4.4 Data Plane: Multipath Communication
- Often, two paths exist between continents with different characteristics regarding delay, bandwidth, etc.
- Application-dependent routing
- Multipath communication for redundancy and protection against DDoS attacks

7. SCION 5.1 Use Cases
- SCION for ETH Domain
- Secure Swiss Finance Network
- SWITCHlan SCION Access

7. SCION 5.2 Deployment
- CORE routers are set up at the borders of an ISP
  - to peer with other SCION-enabled networks
  - to collect customer accesses
- No change to the internal network infrastructure of an ISP is needed
- SCION IP Gateway enables seamless integration of SCION capabilities in end-domain networks
- No upgrades of end hosts or applications are needed

8. NIST Zero Trust Architecture 1. Motivation
- Zero Trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location or based on asset ownership (enterprise/person).
- Authentication and authorization are performed before a session to an enterprise resource is established.
- Zero Trust Architecture (ZTA) is an enterprise's cybersecurity plan, as a response to enterprise network trends such as remote users, Bring Your Own Device, and cloud-based assets.
- ZTA focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments.
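The core-segment combination of 4.2, using the segment directions from 3.1 (up-path R → K, down-path M → S), as an added Go example that is not from the lecture or the SCION code base: the up-path segment is walked in reverse, the core segment is dropped when both ends attach to the same core AS, and the segments must join at their core ASes without repeating an AS. Assumption: segments are plain lists of AS names rather than the hop fields of 4.3.1.

```go
package main

import "fmt"

// Segment is a path segment as learned from beaconing: ASes listed from the
// core AS outwards, so the up-path segment R → K is stored as [K, ..., R].
// Plain AS names are a constructed simplification; real segments carry hop
// fields with ingress/egress interfaces and MACs (see 4.3.1).
type Segment []string

// Combine builds the end-to-end AS path from up-path, core-path and
// down-path segments. The up-path segment is traversed in reverse (host to
// core), the core segment is omitted when both ends hang off the same core
// AS, and the segments must join at their core ASes without forming a loop.
func Combine(up, core, down Segment) ([]string, error) {
	if len(up) == 0 || len(down) == 0 {
		return nil, fmt.Errorf("up- and down-path segments are required")
	}
	path := make([]string, 0, len(up)+len(core)+len(down))
	for i := len(up) - 1; i >= 0; i-- { // R, ..., K
		path = append(path, up[i])
	}
	upCore, downCore := up[0], down[0]
	switch {
	case len(core) == 0 && upCore != downCore:
		return nil, fmt.Errorf("no core segment, but %s != %s", upCore, downCore)
	case len(core) > 0 && (core[0] != upCore || core[len(core)-1] != downCore):
		return nil, fmt.Errorf("core segment %v does not join %s and %s", core, upCore, downCore)
	case len(core) > 0:
		path = append(path, core[1:]...) // upCore is already the last hop
	}
	path = append(path, down[1:]...) // downCore is already the last hop
	seen := make(map[string]bool, len(path))
	for _, as := range path {
		if seen[as] {
			return nil, fmt.Errorf("AS %s appears twice: not a valid path", as)
		}
		seen[as] = true
	}
	return path, nil
}
```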
8. NIST Zero Trust Architecture 2. Zero Trust Access
- A subject needs access to an enterprise resource. Access is granted through a Policy Decision Point (PDP) and a corresponding Policy Enforcement Point (PEP).
- The system must ensure that the subject is authentic and the request is valid. The PDP/PEP passes proper judgment to allow the subject to access the resource.
- ZT applies to two basic areas: authentication and authorization.

8. NIST Zero Trust Architecture 3. Zero Trust Logical Components

8. NIST Zero Trust Architecture 4.1 ZTA Deployment: Device Agent/Gateway-Based Deployment

8. NIST Zero Trust Architecture 4.2 ZTA Deployment: Enclave Gateway Model

8. NIST Zero Trust Architecture 4.3 ZTA Deployment: Resource Portal Model

8. NIST Zero Trust Architecture 4.4 ZTA Deployment: Application Sandboxes

8. NIST Zero Trust Architecture 5. ZTA Threats
- Subversion of the ZTA decision process
- Denial of Service or network disruption
- Stolen credentials and insider threats
- Network visibility
- Storage of system and network information
- Reliance on proprietary data formats or solutions
- Use of non-person entities in ZTA administration

Thanks a lot for your Attention
Prof. Dr. Torsten Braun, Institut für Informatik Bern, 02.12.2024 – 09.12.2024