On Network Security
Drafted by / Reviewed by / Reviewed by / Approved by: Ren Yuan, Wang Zhen, Chen Rui
Date: 2005-03-14, 2002-04-07, 2005-03-14
Huawei Confidential
Revision Record
Date: 2002-07-12    Revised Version: V1.0    Description: First draft finished    Author: Wang Zhen
Contents
Chapter 1 Overview (p. 1)
  1.1 Background (p. 1)
  1.2 Importance of Security (p. 1)
  1.3 Our Enemies (p. 2)
  1.4 Our Enemies' Tricks (p. 2)
Chapter 2 Hacker Strategies (p. 5)
  2.1 Denial Of Service (DOS) (p. 5)
    2.1.1 Cause Analysis (p. 5)
    2.1.2 Types of DOS (p. 6)
    2.1.3 Distributed Denial Of Service (DDOS) (p. 8)
    2.1.4 Defense Against and Exploration of DOS (p. 11)
  2.2 Sniff (p. 13)
    2.2.1 Principle (p. 13)
    2.2.2 How to Guard Against Sniff? (p. 14)
  2.3 Scanning (p. 14)
    2.3.1 Scanning Attack (p. 14)
    2.3.2 Security Scanning (p. 15)
  2.4 Security Problems of Routing Protocols (p. 16)
    2.4.1 Route Spoofing: Attack to the RIP Protocol (p. 16)
    2.4.2 Route Spoofing: Attack to the BGP Protocol (p. 16)
    2.4.3 Route Spoofing: Attack to the OSPF Protocol (p. 16)
  2.5 Buffer Overflow (p. 17)
    2.5.1 Loopholes of and Attacks to Buffer Overflow (p. 17)
    2.5.2 Protection Against Buffer Overflow (p. 19)
Chapter 3 Security Problems of Other Protocols (p. 20)
  3.1 Security at the Network Layer (p. 20)
    3.1.1 Source IP Address Spoofing (p. 20)
    3.1.2 The Attack of Over-long Reassembled IP Segmented Packet and the Solution to It (p. 22)
  3.2 Security at the Transport Layer (p. 23)
  3.3 Security at the Application Layer (p. 24)
Chapter 4 Security Strategies (p. 27)
  4.1 What Is Security? (p. 27)
  4.2 Security Service, Mechanism and Technology (p. 27)
  4.3 Network Security System (p. 27)
Chapter 5 Security Technologies (p. 29)
  5.1 CallBack (p. 29)
  5.2 AAA: Authentication, Authorization and Accounting (p. 29)
  5.3 Certification Authority (CA) (p. 30)
  5.4 Packet Filtering (p. 32)
  5.5 Address Translation (p. 33)
  5.6 Data Compression (p. 33)
    5.6.1 Description of IPComp (p. 33)
    5.6.2 IPComp Association (IPCA) (p. 34)
  5.7 Encryption and Key Exchange (p. 35)
    5.7.1 IP Security (IPSec) (p. 35)
    5.7.2 Internet Key Exchange (IKE) (p. 36)
  5.8 Application Specific Packet Filter (ASPF) (p. 37)
    5.8.1 ASPF Principle (p. 37)
    5.8.2 ASPF Working Process (p. 38)
    5.8.3 Detection of and Prevention Against DOS (p. 38)
  5.9 Firewall (p. 39)
    5.9.1 What Is Firewall? (p. 39)
    5.9.2 What Firewall Can Do? (p. 39)
    5.9.3 Types of Firewall (p. 41)
    5.9.4 Operating System of Firewall (p. 42)
    5.9.5 The Counter-attack Function of Firewall (p. 42)
    5.9.6 Limitation of Firewall (p. 42)
Key words: Denial Of Service (DOS), Distributed Denial Of Service (DDOS), Sniff, scanning, route spoofing, buffer overflow, address spoofing, network security system, security technology

Abstract: This document introduces some basic concepts of network security, common methods of network attack, and some network security technologies. Chapter 1 briefly describes the current network security situation and common network security problems. Chapter 2 analyzes the forms and causes of common network attacks, such as DOS, Sniff and scanning. Chapter 3 covers some security problems in the current protocols. Chapter 4 briefly deals with the concept of security and the security system. Chapter 5 introduces some security technologies currently in common use.

Acronyms and Abbreviations:
DOS: Denial Of Service
AAA: Authentication, Authorization and Accounting
ASPF: Application Specific Packet Filter

References: None
Chapter 1 Overview
1.1 Background
The Internet brings immense vitality to people all over the world and makes the borderless global village a reality. But we are still hindered by many undesirable factors: the shortage of IP addresses, heavy consumption of bandwidth, the limits of government regulation and deficiencies in programming practice. The numerous vulnerabilities that have accumulated on the network now confront us with even greater threats. Trouble-makers lurking on the network seek out these vulnerabilities to attack network systems, and our former negligence inevitably costs us far more effort now. Though most network products are labeled "secure", measured against the weak network protocols and defective technologies we have, danger still seems to be everywhere.
2007-03-22
Huawei Confidential
Page 1 of 47
ridiculous pop-up message. Some viruses are destructive: they delete files or slow the system down. A network may get infected through files copied from a floppy disk or downloaded from the Internet, and once one computer on the network is infected, the chances are that the other computers on the same network will be infected too.

Trojan Horse
A Trojan Horse is a program installed secretly on the target system, either directly by a hacker or by an unsuspecting user. Once the program is installed and has obtained administrator privileges, the attacker can control the target system directly and remotely. A Trojan Horse is a vehicle for other destructive code. It usually appears as a harmless or even useful program, such as a computer game, but that is only a disguise. A Trojan may delete files, replicate itself and mail itself to every address in the user's address book. It can also prepare the ground for other attacks. Malicious examples include NetBus, BackOrifice and BO2k; legitimate remote-access tools such as netcat, VNC and pcAnywhere can be abused to the same end.

Vandals
With the spread of application technologies such as ActiveX and Java Applets, websites are becoming more vivid: such code creates special effects that make websites more interactive and attractive. However, it also makes it easier to download and run these programs, and so provides new entry points for sabotage. A vandal is an application or applet (a small Java program) that causes damage of varying degrees; it can damage files or partitions of the system.

Network Attack
Since the TCP/IP protocol suite on which the Internet is built is weak in security, network security is a real issue that we must face. Many types of attack exist on the network, including:

Packet interception: The attacker uses a data-capturing device to intercept data from the traffic in transit, then analyzes it to obtain usernames/passwords or other sensitive information. Data on the Internet is delayed in transit, and given the geographical span it traverses, it is practically impossible to prevent interception.
IP address spoofing: The attacker changes his own IP address to pose as an intranet user or a trusted extranet user, and sends specific packets to disturb the normal transmission of network data. He can also forge routing-related packets that will be accepted (such as specific ICMP packets) to change routing information and then intercept traffic.
Source route attack: The sender of a packet specifies the route for the packet in the Options field of the IP header, so that the packet may be delivered into a protected network.
Port scanning: The attacker finds system vulnerabilities by probing the ports that the firewall is listening on. Or, knowing that a certain version of router software has a vulnerability, he queries the specific port to judge whether the vulnerability is present, then attacks the router through it so that the router comes under his control or stops working normally.
Denial Of Service (DOS): The attacker intends to stop legitimate users from accessing resources, for example by sending large quantities of packets to exhaust the network's bandwidth. The Melissa macro virus, whose mass mailing overloaded mail servers, is an example.
Many big websites suffer serious losses from Distributed Denial Of Service (DDOS) attacks.

Data Interception
Data transmitted over the network may be intercepted by unauthorized people, who can read and even modify its content. They can intercept data in many ways, for example by IP address theft.

Social Engineering
Social engineering is an increasingly common non-technical method of obtaining confidential security information. For example, a social engineer can pretend to be a technical-support representative and call an employee to get a password. Others achieve the same end by bribery.

Spam
Spam is email sent automatically, or advertising mailed automatically. Though harmless in itself, spam is a real nuisance: it consumes much of our time and mailbox storage.
misconfiguration causes DOS. Misconfiguration usually comes from inexperienced or careless staff, or from mistaken assumptions.

Resource Bottleneck
Finally, some unintentional DOS conditions are caused simply by overloaded bandwidth or resources. There is no fixed solution to this type of problem.
client, it must respond with a SYN-ACK packet and wait for the client to answer with an ACK; only then is the connection established. If the client sends only the initial SYN and never sends the ACK, the server is left waiting for it. TCP/IP stacks have only a limited memory buffer for connections being established, so the server can wait for only a limited number of ACKs. If the buffer is full of half-open connections for forged requests, the stack stops responding to further connection attempts until the entries in the buffer time out. Even where the number of pending connections is not limited, a SYN Flood still consumes a great deal of the victim's resources.

Slashdot Effect
The Slashdot Effect overloads a Web server (or a server of another type) through heavy network traffic generated for one particular webpage or link. It also occurs as a normal phenomenon on heavily visited websites, and we must distinguish this normal load from DOS. If your server suddenly becomes congested and even fails to respond to further requests, examine the resource shortage closely: check whether all 10,000 hits came from legitimate users, or 5,000 from legitimate users and 5,000 from an attacker.

UDP Flood
Various attacks use the simple TCP/IP services, such as Chargen and Echo, under a forged source to transmit useless data that fills the bandwidth completely. The attacker forges a UDP packet to the Chargen service of one host with the source address set to a host providing the Echo service, so that the two hosts generate an endless stream of useless data between them. A sufficient volume of such traffic denies the bandwidth to everyone else.

Land Attack
The attacker sets the victim's IP address as both the source and the destination address of a TCP SYN message. The victim therefore sends the SYN-ACK to its own address, answers it with an ACK and creates an empty connection. Each such connection stays until it times out. Different victims react differently to the Land attack: many UNIX hosts crash, and NT hosts become extremely slow (for about five minutes).

Teardrop
Teardrop exploits the trust that TCP/IP stack implementations place in the fragmentation information in the IP header. Each IP fragment carries the offset at which its data belongs in the original packet. When it receives forged fragments with overlapping offsets, some TCP/IP implementations (including Windows NT before Service Pack 4) crash. Defense: apply the latest service pack on the server, or configure the firewall to reassemble fragments itself instead of forwarding them.

Email Bomb
The email bomb is one of the most primitive anonymous attacks. The attacker configures a device to keep sending large numbers of emails to the same address, exhausting the bandwidth of the receiver's network.

Ping of Death
Early routers restricted the maximum packet length, and many operating systems' TCP/IP stacks assume that an ICMP packet cannot exceed the IP maximum of 65,535 bytes (64 KB). The system reads the packet header and allocates a buffer for the payload according to the information in the header. When the receiver gets a malformed packet whose fragments reassemble to more than the 64 KB limit, a memory allocation error occurs, the TCP/IP stack collapses and the receiver's system goes down.
II. Defense
Today all standard TCP/IP stacks can handle oversized packets, and most firewalls filter them automatically.
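The SYN Flood mechanism described above can be illustrated with a small model of the server's half-open connection queue. The following Python program is an added example and is not part of the original document; the backlog size, the 75-second timeout and the IP addresses in it are assumptions chosen for illustration, and real stacks use different values.

```python
"""Half-open (SYN) queue exhaustion, as described for SYN Flood above.

Added example, not part of the original document. The listener model and
all numbers (backlog of 8, 75 s timeout, IP addresses) are assumptions
chosen for illustration; real stacks differ in backlog size and timers.
"""
from dataclasses import dataclass, field


@dataclass
class Listener:
    backlog: int                # max half-open entries the stack will hold
    timeout: float              # seconds before a half-open entry is reaped
    half_open: dict = field(default_factory=dict)  # (src_ip, src_port) -> time SYN arrived
    refused: int = 0
    established: int = 0

    def _reap(self, now: float) -> None:
        """Drop half-open entries whose ACK never arrived before the timeout."""
        expired = [k for k, t in self.half_open.items() if now - t >= self.timeout]
        for k in expired:
            del self.half_open[k]

    def on_syn(self, src: tuple, now: float) -> bool:
        """Server receives a SYN: allocate an entry (and send SYN-ACK) or refuse if the queue is full."""
        self._reap(now)
        if src in self.half_open:
            return True                 # retransmitted SYN, entry already exists
        if len(self.half_open) >= self.backlog:
            self.refused += 1
            return False                # queue full: no SYN-ACK, the client sees no answer
        self.half_open[src] = now
        return True

    def on_ack(self, src: tuple, now: float) -> bool:
        """Third handshake step: the entry moves from half-open to established."""
        self._reap(now)
        if src not in self.half_open:
            return False
        del self.half_open[src]
        self.established += 1
        return True


def syn_flood_scenario(backlog: int = 8, timeout: float = 75.0) -> dict:
    """Spoofed-source SYNs fill the queue; a legitimate client is refused until entries time out."""
    srv = Listener(backlog=backlog, timeout=timeout)
    # Attacker: SYNs from addresses that will never send the ACK (constructed, spoofed sources).
    for i in range(backlog * 2):
        srv.on_syn((f"203.0.113.{i + 1}", 40000 + i), now=1.0)
    legit = ("192.0.2.10", 51515)
    first_try = srv.on_syn(legit, now=2.0)            # queue still full -> refused
    # After the half-open timeout the spoofed entries are reaped and the retry succeeds.
    retry = srv.on_syn(legit, now=2.0 + timeout)
    done = srv.on_ack(legit, now=3.0 + timeout)
    return {
        "refused_during_flood": srv.refused,
        "legit_first_try": first_try,
        "legit_after_timeout": retry,
        "legit_established": done,
        "half_open_left": len(srv.half_open),
    }


if __name__ == "__main__":
    print(syn_flood_scenario())
```

Running the script shows the legitimate client refused while the spoofed entries occupy the queue, and accepted once they have timed out. This is also why shortening the half-open timeout or enlarging the queue only raises the packet rate an attacker needs rather than stopping the attack.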
The figure shows that a DDOS network consists of three levels of participants: the attacker, the controlling terminal (handler), and the agent. The devices at the three levels play different roles in the attack.
2) TFN
TFN consists of a controlling-terminal program and an agent program. It can forge packets and usually uses the following attack methods: SYN Flood, Ping Flood and UDP Bomb.
3) TFN2K
TFN2K evolved from TFN and adds new features to it. In TFN2K the communication between the controlling terminal and the agent is encrypted and may be mixed with decoy packets, whereas in TFN the ICMP communication is not encrypted. TFN2K adds new attack methods, Mix and Targa3, and the port used by the agent process can be configured.
4) Stacheldraht
Stacheldraht also evolved from TFN and inherits its features. Communication between the controlling terminal and the agent is encrypted here too. In addition, it forges the source of its commands and can evade the RFC 2267 (ingress) filtering of some routers. Stacheldraht has a built-in agent-upgrade module that can automatically download and install the latest agent program.
administrator account). We can take the following measures to reduce the attacker's opportunities to exploit the system:
2) In network management, check the physical environment of the system regularly and disable unnecessary network services.
3) Impose restrictions at the network border so that outgoing packets are correctly restricted.
4) Check the system configuration regularly, and make sure the daily security log is reviewed.
5) Fortify the network with security tools such as firewalls, and configure the rules correctly to filter every possible forged packet.
6) Another good defense is to coordinate with the Internet Service Provider (ISP) and ask it to provide access control on its router and a limit on total bandwidth.
When you find your system under DDOS attack, start your counter-measures: trace the attacking packets as soon as possible, contact the ISP and the relevant emergency response organizations promptly, analyze the affected system, identify the other nodes involved, and stop the traffic from the nodes known to be involved. If you are a potential DDOS victim and find that your computer is being used by the attacker as a controlling terminal or agent, do not treat the matter lightly just because your system is not itself damaged yet: the attacker has already found a vulnerability in your system, which is a serious threat. Once you find DDOS software on the system, remove it as soon as possible to avoid further danger.
2.2 Sniff
Sniffing is an old topic; obtaining sensitive information from the network with a sniffer is nothing new, and there are many successful cases. So what is a sniffer? It is a listening or bugging device. It works quietly at the lowest network layer and records all of the victim's secrets while the victim is off guard. A sniffer can be software or hardware. Sniffer software exists for several platforms, such as Windows and UNIX; sniffer hardware is also called a network analyzer. They all aim at one thing: obtaining the information transmitted on the network.
2.2.1 Principle
On a shared Ethernet segment all communication is effectively broadcast: every network interface on the segment can see all data transmitted on the physical medium. (On a switched Ethernet, by contrast, the switch forwards unicast frames only to the port of their destination, so a sniffer on another port normally sees only broadcast and multicast traffic.) Each network interface has a unique hardware address, the MAC address of the network interface card (NIC). Most systems use a 48-bit address to identify a device on the network. MAC addresses on NICs are generally distinct: an address block is allocated to the NIC vendor, and each address in the block is assigned to one NIC that the vendor manufactures. The Address Resolution Protocol (ARP) and the Reverse Address Resolution Protocol (RARP) map between MAC addresses and IP addresses. Normally a network interface should accept only the following two kinds of frame:
1) Frames whose destination matches the NIC's MAC address
2) Broadcast frames sent to all devices
In an actual system the NIC receives and transmits the data. When the NIC receives a frame, its firmware reads the frame's destination MAC address and, according to the receive mode configured by the computer's NIC driver, decides whether to accept the frame. If so, the NIC accepts the frame and raises an interrupt to inform the CPU; if not, it discards the frame. The NIC thus drops the frames it is not meant to receive without the computer ever knowing. On the interrupt, the CPU suspends the current processing flow and the operating system calls the driver's receive routine at the interrupt handler address registered by the NIC driver. The driver receives the data and passes it to the protocol stack for processing by the system. A NIC receives frames in one of four modes:
Broadcast mode: the NIC accepts broadcast frames on the network.
Multicast mode: the NIC accepts multicast frames.
Direct mode: only the NIC addressed as destination accepts the frame.
Promiscuous mode: the NIC accepts all frames that pass through it, whether intended for it or not.
In short, data on an Ethernet segment is transmitted in a broadcast manner: every physical signal passes every attached device. When a NIC is set to promiscuous mode it accepts every frame that passes it, so the attacker can intercept, analyze and monitor the packets. This is the principle of sniffing: set the NIC to accept all data that it can receive.
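The receive-mode decision described above, written out as an added example in Python (not code from the original document). The MAC addresses and frames are constructed here; the four modes follow the list above, and the multicast test uses the group bit of the destination address (the least significant bit of the first octet).

```python
"""How a NIC decides whether to accept a frame in each receive mode (section 2.2.1).

Added example, not code from the original document. Frames and MAC addresses
are constructed for illustration; the four mode names follow the text above.
"""
import struct

BROADCAST = b"\xff" * 6


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet II frame into destination MAC, source MAC, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame: the Ethernet header is 14 bytes")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst, "src": src, "ethertype": ethertype, "payload": frame[14:]}


def mac(text: str) -> bytes:
    """'02:00:00:00:00:0a' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def is_multicast(addr: bytes) -> bool:
    """I/G bit: least significant bit of the first octet is 1 for group (multicast/broadcast) addresses."""
    return bool(addr[0] & 0x01)


def nic_accepts(frame: bytes, my_mac: bytes, mode: str, groups: set = frozenset()) -> bool:
    """Emulate the NIC's destination-address filter for the given receive mode.

    mode: "direct" (only my own MAC), "broadcast" (mine + ff:ff:ff:ff:ff:ff),
          "multicast" (mine + broadcast + subscribed group MACs), "promiscuous" (everything).
    """
    dst = parse_frame(frame)["dst"]
    if mode == "promiscuous":
        return True                       # sniffer: every frame on the wire is passed up
    if dst == my_mac:
        return True
    if mode in ("broadcast", "multicast") and dst == BROADCAST:
        return True
    if mode == "multicast" and is_multicast(dst) and dst in groups:
        return True
    return False


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def sniffer_demo() -> dict:
    """A frame for host B on a shared segment: host A's NIC drops it unless it is promiscuous."""
    a, b, c = mac("02:00:00:00:00:0a"), mac("02:00:00:00:00:0b"), mac("02:00:00:00:00:0c")
    unicast_to_b = build_frame(b, c, 0x0800, b"GET /login?user=alice&pw=hunter2")  # constructed
    bcast = build_frame(BROADCAST, c, 0x0806, b"who-has 192.0.2.1")                # constructed ARP
    return {
        "direct_sees_B_traffic": nic_accepts(unicast_to_b, a, "direct"),
        "broadcast_sees_arp": nic_accepts(bcast, a, "broadcast"),
        "direct_sees_arp": nic_accepts(bcast, a, "direct"),
        "promisc_sees_B_traffic": nic_accepts(unicast_to_b, a, "promiscuous"),
        "payload_captured": parse_frame(unicast_to_b)["payload"],
    }


if __name__ == "__main__":
    print(sniffer_demo())
```

The only difference between a normal host and a sniffer in this model is the mode argument: the frame addressed to B, with its cleartext credentials, is dropped by A's filter in direct mode and delivered unchanged in promiscuous mode. On a real system the same switch is made by putting the interface into promiscuous mode, which requires administrator rights.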
2.3 Scanning
Scanning means performing security probes against a computer system or other network device to discover the vulnerabilities and defects that a hacker could exploit. Scanning software is obviously a double-edged sword: the hacker uses it to break into a system, and the system administrator can use it to protect the system effectively against intrusion.
Network probing techniques are usually used for penetration tests and security audits. Software of this type can detect a range of platform vulnerabilities and is easy to install, but it may also affect network performance.
2) Sometimes the code the attacker needs already exists in the attacked program. The attacker then only has to supply suitable parameters and divert the program to an existing (legitimate) code segment. For example, suppose the attack needs the effect of exec("/bin/sh"). libc (the standard C library, present on the system as a file) already contains code that executes the command named by its string-pointer argument, "arg". The attacker only needs to supply a parameter pointer that points to the string "/bin/sh" and divert the program to the corresponding instruction sequence in libc.
"exec(something)". "something" is the parameter. The attacker then uses the buffer overflow to change the program parameter, and uses another buffer overflow to point the program pointer to the specified code segment in libc.
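The return-into-libc layout described above, as an added example in Python that is not part of the original document. It targets a fictitious 32-bit program: the buffer size, the libc addresses LIBC_SYSTEM and BINSH_ADDR, and the caller's frame layout are all hypothetical values, used only to show how one overflow supplies both the new return address and the argument pointer that the libc function will read.

```python
"""Stack layout of the return-into-libc technique described above (i386, cdecl).

Added example, not from the original document. The addresses below
(LIBC_SYSTEM, BINSH_ADDR), the buffer size and the caller's frame layout
are hypothetical values for a fictitious 32-bit program; they only serve to
show how one overflow supplies both the new return address and the
argument pointer that the libc function will read.
"""
import struct

BUFFER_SIZE = 64            # assumed size of the vulnerable stack buffer
SAVED_EBP_SIZE = 4          # saved frame pointer between the buffer and the return address
LIBC_SYSTEM = 0xB7E42310    # hypothetical address of system() in the loaded libc
BINSH_ADDR = 0xB7F63A24     # hypothetical address of the string "/bin/sh\0" inside libc
POST_RET = 0x41414141       # where system() will "return" to; arbitrary here


def build_ret2libc(buffer_size: int = BUFFER_SIZE,
                   func_addr: int = LIBC_SYSTEM,
                   arg_addr: int = BINSH_ADDR,
                   post_ret: int = POST_RET) -> bytes:
    """Overflow data: padding up to the saved return address, then the fake frame.

    When the vulnerable function executes 'ret', EIP := func_addr. The libc
    function then finds post_ret where a return address would be and arg_addr
    as its first (cdecl) argument, i.e. it runs as if called func(arg_addr).
    """
    padding = b"A" * (buffer_size + SAVED_EBP_SIZE)
    return padding + struct.pack("<III", func_addr, post_ret, arg_addr)


def decode_frame(payload: bytes, buffer_size: int = BUFFER_SIZE) -> dict:
    """Read the overwritten frame back the way the CPU will consume it."""
    off = buffer_size + SAVED_EBP_SIZE
    ret, post_ret, arg = struct.unpack("<III", payload[off:off + 12])
    return {"return_address": ret, "callee_return": post_ret, "first_argument": arg}


def contains_nul(payload: bytes) -> bool:
    """A strcpy-style overflow stops at the first NUL byte; check whether the payload survives."""
    return b"\x00" in payload


if __name__ == "__main__":
    p = build_ret2libc()
    print(decode_frame(p), "NUL in payload:", contains_nul(p))
```

The builder also checks for NUL bytes, because an overflow through a string-copy routine stops at the first NUL: an address containing 0x00 would have to be placed last in the payload or avoided altogether.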
To implement array bounds checking, every read and write of every array must be checked to ensure that the operation stays within the array. The direct method is to check every array operation, but optimization techniques can usually reduce the number of checks.
Take the TCP-SYN Flood attack as an example. The attacker sends a large number of TCP-SYN packets to the attacked host. The source address in these packets is not the attacking host's IP address but one forged by the attacker. On receiving each SYN, the attacked host allocates resources for a TCP connection, takes the (forged) source address as the destination, and sends a TCP-(SYN+ACK) response to it. Since the forged address is chosen carefully by the attacker and does not exist at all, the attacked host never receives a reply to its SYN+ACK, so its TCP state machine stays in the waiting state. If the state machine has a timeout, the resources allocated to the connection are not released until it expires. So if the attacker sends enough TCP-SYN packets fast enough, the victim's TCP module suffers DOS because it can no longer allocate resources for new connections. Moreover, even if the network administrator of the attacked host captures the attacker's packets, the source address in the IP header does not identify the attacker. The TCP-SYN Flood attacker is not the only one who forges the source IP address. Because the IP protocol does not verify the source address, any attacker can put a forged source address in the packet header so as not to be discovered.
2) Hijack Attack
The same weakness of the IP protocol brings another common hazard to TCP/IP networks: the hijack attack, in which the attacker gains privileges by attacking the victim host.
This attack only works against hosts that authenticate on the basis of the source address, that is, that use the IP address as the criterion for granting security privileges. Take the firewall as an example: some firewalls permit only IP packets that come from networks trusted by their own network. Yet since the IP protocol does not check whether the source address in a packet is the genuine address of the host that sent it, the attacker can still bypass the firewall by source IP address spoofing. Some network applications likewise use the IP address as the criterion for granting privileges; the attacker can obtain those privileges by source IP address spoofing and cause serious loss to the victim.
II. Solution
We cannot eliminate the hazards caused by this inherent defect of the IP protocol; we can only take remedial measures to minimize them. An ideal countermeasure is this: before the gateway or router connecting the LANs allows an IP packet from outside to enter the LAN, it checks the packet, and if the packet's source IP address is an address belonging to the LAN it is about to enter, the gateway or router rejects it. In principle this solves the problem.
But some Ethernet cards receive the packets they have sent themselves, and in practice some LANs need trust relationships with other networks to share resources, so this solution is not very practical on its own. Another countermeasure is to check the source IP address when a packet leaves the LAN: before the gateway or router permits a packet to be sent out of the LAN, it checks the source address, and if that address does not belong to the LAN the packet is leaving, the gateway or router rejects it. To pass the gateway or router, an attacker then needs at least an address belonging to the LAN he is on, and if he launches an attack it is easy to trace him by the source address of the packets he sent. It is recommended that the gateway and router of every ISP and LAN check and filter the source IP address of packets leaving the LAN. If every gateway and router did this, source IP address spoofing would never work. Currently not every gateway or router does, so the network administrator has to supervise the network under his management as closely as possible and always be on the look-out for attacks.
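The two border checks described above (reject inbound packets that claim an internal source, reject outbound packets whose source is not internal), as an added example in Python that is not code from the original document. The LAN prefix 192.0.2.0/24 and the sample packets are constructed for illustration; the rules are those of RFC 2267 and its successor RFC 2827 (ingress filtering).

```python
"""Ingress and egress source-address filtering at the LAN border (section 3.1.1 solution).

Added example, not code from the original document. The LAN prefix and the
sample packets are constructed; the two rules are the ones described in the
text (RFC 2267 / RFC 2827 style source-address filtering).
"""
import ipaddress

LAN = ipaddress.ip_network("192.0.2.0/24")   # assumed internal network behind the border router


def ingress_ok(src: str) -> bool:
    """Packet entering the LAN from outside: reject if it claims an internal source address."""
    return ipaddress.ip_address(src) not in LAN


def egress_ok(src: str) -> bool:
    """Packet leaving the LAN: reject if its source is not one of the LAN's own addresses."""
    return ipaddress.ip_address(src) in LAN


def filter_packets(packets, direction: str):
    """Apply the rule for one direction to (src, dst) pairs; return (passed, dropped) lists."""
    check = ingress_ok if direction == "in" else egress_ok
    passed, dropped = [], []
    for src, dst in packets:
        (passed if check(src) else dropped).append((src, dst))
    return passed, dropped


def demo() -> dict:
    # Constructed samples: 192.0.2.7 is an internal host, 203.0.113.9 an external one.
    arriving = [("203.0.113.9", "192.0.2.7"),     # normal external client
                ("192.0.2.5", "192.0.2.7")]       # spoofed: claims to be internal but arrives from outside
    leaving = [("192.0.2.7", "203.0.113.9"),      # normal internal host
               ("198.51.100.1", "203.0.113.9")]   # spoofed: a host inside the LAN faking a foreign source
    in_pass, in_drop = filter_packets(arriving, "in")
    out_pass, out_drop = filter_packets(leaving, "out")
    return {"in_pass": in_pass, "in_drop": in_drop, "out_pass": out_pass, "out_drop": out_drop}


if __name__ == "__main__":
    print(demo())
```

Note the limit the text already points out: egress filtering stops a host from forging an address outside its own LAN, but not from forging the address of a neighbour on the same LAN; that requires controls closer to the host than the border router.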
3.1.2 The Attack of Over-long Reassembled IP Segmented Packet and the Solution to It
The Internet is composed of numerous interconnected networks, which usually have different Maximum Transmission Units (MTUs). To carry IP packets across networks with different MTUs, the IP protocol provides fragmentation and reassembly: when a packet must be forwarded onto a network whose MTU is smaller than the packet, the IP layer splits it into fragments no larger than that MTU and sends the fragments on towards the destination host. When the fragments reach the IP layer of the destination host, it recognizes that they are not complete packets and buffers them; when all the related fragments have arrived it reassembles them into one packet and hands it to the upper-layer protocol. Four fields of the IP header identify all fragments belonging to one original packet: the Identification field, the Protocol field, the Source address field and the Destination address field. In the Flags field, the DF bit indicates whether the packet may be fragmented, and the MF bit indicates whether more fragments follow. The Fragment offset field gives the position of this fragment's data in the original packet. It is on these six fields that IP fragmentation and reassembly are based. On reassembly, the IP layer collects all fragments with the MF bit set to 1 that belong to the same original packet, until it receives the fragment with the MF bit set to 0, which is the last one.
The length of the reassembled IP packet is obtained by adding the data lengths of the IP segments. The length field in the IP header is only 16 bits, which means that the maximum length of an IP packet is 65535. If the lengths of the received IP segments add up to more than 65535, and the IP protocol has not checked this, the IP protocol will crash or enter a denial-of-service state because of the overflow. Normally this does not occur, but such a hazard usually becomes an opportunity for the attacker, and it exists in the operating systems of many networks. The infamous Ping attack is based exactly on this security hazard. Ping is a common program for diagnosing the network condition. Actually, it sends an ICMP packet of type "ECHO_REQUEST" to the destination host according to the Internet Control Message Protocol (ICMP). If the ICMP module of the destination host receives the packet, it responds to the source host with an ICMP packet of type "ECHO_RESPONSE". If no "ECHO_RESPONSE" packet arrives within the specified time, the ping times out and shows that the destination address is unreachable. The Ping attack also sends an "ECHO_REQUEST" packet to the attacked host. But in this case the packet is composed of a series of IP segments that are hand-crafted by the attacker, and the lengths of these segments add up to more than 65535. The attacker's aim is to make the IP protocol of the destination host reassemble these segments and so confront it with an IP packet whose length exceeds 65535. Solution: When reassembling IP segments, the IP protocol must carefully check for and handle an IP packet whose length would exceed 65535. On discovering IP segments whose lengths accumulate to more than 65535, the IP protocol must discard all the IP segments received so far and release the resources they occupied.
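The reassembly guard described in the solution above, as an added example that is not part of the original document: it parses constructed IPv4 segments, groups them by the four identifying fields, and discards the whole datagram as soon as any segment would push the reassembled length past 65535. The header layout follows the standard IPv4 header; the addresses, identification values and payloads are constructed sample input.

```python
import struct
from collections import defaultdict

IP_MAX_LEN = 65535      # largest value the 16-bit length field can hold
IHL_BYTES = 20          # minimal IPv4 header without options
MF = 0x2000             # More Fragments bit in the flags/offset word
FRAG_OFF_MASK = 0x1FFF  # 13-bit fragment offset, in 8-byte units


def build_fragment(ident, offset, more, payload, proto=1,
                   src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Constructed sample input: a minimal IPv4 fragment (checksum left at 0)."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_off = (MF if more else 0) | ((offset // 8) & FRAG_OFF_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IHL_BYTES + len(payload),
                      ident, flags_off, 64, proto, 0, src, dst)
    return hdr + payload


def parse_fragment(pkt):
    """Return ((id, proto, src, dst), offset_bytes, more_fragments, payload)."""
    if len(pkt) < IHL_BYTES:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:IHL_BYTES])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < IHL_BYTES or not ihl <= total_len <= len(pkt):
        raise ValueError("malformed IPv4 header")
    offset = (flags_off & FRAG_OFF_MASK) * 8
    return (ident, proto, src, dst), offset, bool(flags_off & MF), pkt[ihl:total_len]


class Reassembler:
    """Buffers fragments per datagram and refuses over-long reassemblies."""

    def __init__(self):
        self._frags = defaultdict(dict)  # key -> {offset: payload}
        self._total = {}                 # key -> data length once MF=0 is seen

    def pending(self):
        """Number of datagrams still holding buffered fragments."""
        return len(self._frags)

    def _drop(self, key):
        # Release everything the datagram occupied, as the text recommends.
        self._frags.pop(key, None)
        self._total.pop(key, None)

    def add(self, pkt):
        """Feed one fragment; return the reassembled payload when complete,
        None while fragments are still missing, or raise after dropping the
        datagram when it can never be a valid IP packet."""
        key, offset, more, payload = parse_fragment(pkt)
        end = offset + len(payload)
        # The guard: the reassembled datagram (header + data) must still fit
        # in the 16-bit length field.  Checked before any buffer grows.
        if IHL_BYTES + end > IP_MAX_LEN:
            self._drop(key)
            raise ValueError("over-long reassembly for id %d: fragments dropped" % key[0])
        frags = self._frags[key]
        if offset in frags:              # exact duplicate: keep the first copy
            return None
        frags[offset] = payload
        if not more:
            self._total[key] = end       # the last fragment fixes the total length
        return self._complete(key)

    def _complete(self, key):
        total = self._total.get(key)
        if total is None:
            return None
        pos, pieces = 0, []
        for off in sorted(self._frags[key]):
            if off > pos:                # gap: still waiting for a fragment
                return None
            if off < pos:                # overlapping fragments are not accepted
                self._drop(key)
                raise ValueError("overlapping fragments for id %d: dropped" % key[0])
            pieces.append(self._frags[key][off])
            pos += len(pieces[-1])
        if pos != total:                 # data lies beyond the last fragment
            self._drop(key)
            raise ValueError("fragment beyond last fragment for id %d" % key[0])
        self._drop(key)
        return b"".join(pieces)
```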
Netscape Communications has released to the public an SSL reference implementation (SSLref). Another free SSL implementation is called SSLeay. SSLref and SSLeay provide all TCP/IP applications with the SSL function. The Internet Assigned Numbers Authority (IANA) has assigned fixed port numbers to TCP/IP applications that use SSL. For example, port 443 is assigned to HTTP over SSL (https), port 465 to SMTP over SSL (ssmtp), and port 563 to NNTP over SSL (snntp). Microsoft launched an improved version of SSL2, the Personal Communication Technology (PCT). At least in terms of the record format used, SSL and PCT are highly similar. Their main difference is the value of the most significant bit in the version number field: for SSL the bit is 0, and for PCT it is 1. Thanks to this difference, the two protocols can be told apart and supported side by side. In April 1996, the Internet Engineering Task Force (IETF) authorized a Transport Layer Security (TLS) group to draft the Transport Layer Security Protocol (TLSP). The protocol will be formally submitted as a standards proposal to the Internet Engineering Steering Group (IESG). TLSP will resemble SSL in many respects. One advantage of a security mechanism at the network layer is its transparency: security service can be provided without any change at the application layer. This is impossible at the transport layer. In principle, every TCP/IP application that uses a transport-layer security protocol such as SSL, PCT or TLSP must be modified to add the corresponding new functions, and must use a (slightly) different IPC interface. Therefore, the disadvantage of a security mechanism at the transport layer is that both the IPC interface at the transport layer and the application program have to be modified.
However, compared with the security mechanism at the network layer and the application layer, the modification made here is rather small. Another disadvantage is that it is difficult to establish a security mechanism at the transport layer for UDP-based communication. Compared with the security mechanism at the network layer, the advantage of the security mechanism at the transport layer is that it provides process-to-process (instead of host-to-host) security service. Combining this advantage with the security service at the application layer, the security mechanism can take a great leap forward.
therefore the protocol does not know which part to sign. The application layer is the only layer that can provide this kind of security service. Generally, there are several ways to provide security service at the application layer. The first is to modify every application program (and application protocol) individually. Some major TCP/IP application programs already support this. In RFC 1421 to RFC 1424, IETF specifies Privacy Enhanced Mail (PEM) to provide security service for the SMTP-based e-mail system. For various reasons, the Internet industry has been slow in adopting PEM. One main reason is that PEM depends on an already existing and operational Public Key Infrastructure (PKI). The PEM PKI is structured in layers, consisting of the following three:
Top layer: the Internet Policy Registration Authority
Middle layer: the Policy Certification Authority (PCA)
Bottom layer: the Certification Authority (CA)
Establishing a PEM-standard PKI is also a political process, because it requires multiple parties to trust each other on a common point. Unfortunately, as history has shown, a political process always takes time. As an intermediate step, Phil Zimmermann developed a software package, Pretty Good Privacy (PGP). PGP meets most PEM standards, but does not require a PKI. Instead, PGP adopts a distributed trust model: every user decides for himself which users he will trust. Therefore, PGP does not propose a PKI for the entire network; instead, it lets each user build a trust network for himself. But one problem arises immediately: in the distributed trust model, what happens if a key is revoked? S-HTTP is the security-enhanced version of the Hyper Text Transport Protocol (HTTP) used on the Web. It is designed by IETF. S-HTTP provides a security mechanism on a per-file basis, so every file can be designated as private and/or signed.
The algorithms for encryption and signature can be negotiated by the sender and the receiver participating in the communication. S-HTTP supports many one-way hash functions, such as MD2, MD5 and SHA; it supports many single-key (symmetric) mechanisms, such as DES, triple DES, RC2, RC4 and the Commercial Data Masking Facility (CDMF). It also supports digital signature mechanisms, such as RSA and the Digital Signature Standard (DSS). Currently, there is not yet a public standard for Web security. Such a standard can only be enacted by the WWW Consortium, IETF or other related standardization organizations. The formal standardization process can take as long as several years, and it will only begin when all the standardization organizations thoroughly realize the significance of Web security. S-HTTP and SSL provide Web security from different perspectives. S-HTTP distinguishes between "private" and "signed" messages. SSL treats the data channels between the processes participating in the communication as "private" and "authenticated". The tool software package Secure Web, developed by the Terisa Company, provides security functions for any kind of Web application. It provides the encryption algorithm library of RSA Data Security, and fully supports SSL and S-HTTP. This package is also applied to e-business, especially credit card transactions. To make credit card transactions on the Internet safer, MasterCard, together with IBM, Netscape, GTE and Cybercash, enacted the Secure Encryption Payment Protocol (SEPP). Visa International and Microsoft, together with other companies, enacted the Secure Transaction Technology (STT) protocol. Meanwhile, MasterCard, Visa and Microsoft have coordinated to launch a secure credit card transaction service on the Internet. They release the corresponding
Secure Electronic Transaction (SET) protocol, which specifies how the cardholder pays by credit card on the Internet. This mechanism is backed by a certification infrastructure that supports X.509 certificates. In applying the security functions mentioned above, we are confronted with a primary problem: applying every single function needs a corresponding modification. Therefore it would be ideal to have a unified method of modification. One step in this direction is the Secure Shell (SSH) developed by Tatu Yloenen of Helsinki University. SSH enables the user to log in to a host securely, execute commands and transfer files. It implements a key exchange protocol and a protocol for authenticating the host and the client. SSH has many popular free versions that run on UNIX platforms, and also a commercial version packaged and marketed by the Data Fellows Company. Pushing the SSH idea one step further, we get the authenticated key distribution scheme. The authenticated key distribution scheme actually provides an Application Program Interface (API) that provides security service for all kinds of network application programs, for example authentication, data confidentiality and integrity, access control and non-repudiation services. Currently, some practical authenticated key distribution schemes have been developed, for example Kerberos (V4 and V5) by the Massachusetts Institute of Technology (MIT), CryptoKnight and Network Security Program by IBM, SPX by DEC and TESS by Karlsruhe University. These are widely applied instances. There are also modifications and extensions of the authenticated key distribution scheme. For example, SESAME and OSF DCE extend the service of Kerberos V5 by adding access control, and Yaksha extends the service of Kerberos V5 by adding a non-repudiation service.
A problem confronting the authenticated key distribution scheme is the unpopularity it meets with on Internet. One reason is that it still requires modifying the application program. Taking this into account, it is crucial for the authenticated key distribution scheme to provide a standardized and secure API. If this is realized, the R&D engineers no longer have to modify an entire application program for adding only a few security functions. Therefore, the most prominent progress in the field of authenticating system design is to develop the standardized and secure API, namely, Generic Security Services API (GSS-API). Obviously, GSS-API (V1 and V2) is too technical for a programmer who is not a security expert. However, the researchers of the Austin University, Texas, push API to a higher level than GSS-API by developing Security Network Program (SNP). SNP makes programming concerning network security easier.
Therefore, products concerning the security system focus on network security and information security. The center of focus is access control, security detection, user authentication and transmission security. The anti-virus function can be integrated with the products of other companies. Backup recovery, audit control, storage security and content audit are mainly management methods and measures in the operating process. Of course, security management is also vital. Huawei should provide a unified management platform and user interface for the security products, and facilitate the user's security management. The following figure shows the security technology system. Figure 4-1 Security technology system
[Figure 4-1 (not reproduced): the security system comprises security management, user authentication, backup recovery, environment security, audit monitoring, media security, equipment security, anti-virus, access control, security detection and transmission security]
It shows that, in the mode of callback directly to the caller number, the server rejects an illegal telephone number. In the mode of callback to the number contained in the PPP negotiation, even if an illegal user has obtained a legal username and password, the server only calls back on the line that has been configured, thus preventing access by the illegal user and ensuring the security of the server.
The user (including the Login user, PPP-access user and so on) must be authenticated before he is allowed to access the network resource. The user can be authenticated either by the user database maintained by the router, or by the user database maintained by the Remote Authentication Dial In User Service (RADIUS) server.
Authorization
A group of attributes is defined to describe the authority information of the user and to decide the actual access authority of the user. The information is stored in the database maintained by the RADIUS server. For the access user, the user's "filterID" attribute can be used to decide the type of rule for filtering user packets.
Accounting
With the accounting function, AAA can track and audit the user's activity, such as access to network resources. When the accounting function is enabled, the network access server sends the user activity information to the RADIUS server in a certain accounting format. The information is stored on the server for analyzing the network running condition, creating user bills, and so on.
The AAA network security service provides a main framework for identity authentication and access control. AAA can be implemented by one or multiple protocols, such as RADIUS, TACACS and Kerberos. The AAA and RADIUS implemented by Huawei devices support the following features:
1) Authenticating the user ID and authorizing the user, including the access user, Login user (such as the Telnet user) and so on; authenticating the caller number.
2) Charging on the basis of time; charging in real time.
3) Charging on the basis of byte; charging in real time.
4) Supporting the RADIUS server group: the RADIUS servers can work in the mode of redundancy backup.
5) Using different RADIUS server groups for different users: different users can use different authenticating servers and choose different accounting servers.
6) Configuring individual attributes for different users.
7) Supporting the accounting of heavy traffic: the maximum traffic is 2 G x 2 G.
Registering
A new user needs to register at the proper CA center.
Initializing
Before the user applies for the certificate, he needs to obtain information about the CA center first, including the identity information of the CA center and its public key, for the subsequent certificate operations. In actual application, the CA center's information can be initialized in the user's system by pre-installation.
Applying for the certificate
The user's application contains the user's public key information and demonstrates that the user holds the corresponding private key. The CA center receives the user's application, and issues the certificate if the user passes authentication.
Recovering the key pair
If the user forgets the certificate password or loses the certificate file for some reason, he can request the CA center on-line to recover his key pair. Of course, it is up to the user to decide whether he will trust the CA center with his key pair.
Updating the key pair
For security reasons, all key pairs must be updated regularly, and the CA center will issue new certificates.
Revoking the certificate
When the certificate holder discovers or suspects that his key has lost its confidentiality, he can send an application to the CA center to revoke the certificate, to ensure certificate security.
Cross-authentication
In actual application, CAs should form a tree structure with different levels. Two different CAs also need to establish a mutual trust mechanism, namely cross-authentication of certificates. When the user verifies a certificate issued by another CA, he needs to verify the identity level by level up the authentication tree using the cross-authentication information. Figure 5-1 shows the authentication process by which a router passes CA authentication. RCA is called the root CA center and is a CA of a higher level.
The security certificate can be public, so during authentication the two parties can send each other their own certificates together with a digital signature. After receiving the certificate, the authenticating party needs to verify the following:
Authenticity of the certificate
The receiver verifies the digital signature of the CA center; when a certificate belonging to a different CA is received, cross-authentication of the CA center is needed.
Identity of the sender
After the authenticity of the certificate is confirmed and the public key obtained, the digital signature of the sender is verified to confirm that the certificate was sent by the correct sender, not by an illegal one.
Validity of the certificate
The Certificate Revocation List (CRL) of the CA center is checked to confirm the validity of the certificate.
Figure 5-1 Security authentication of the CA center
On occasions with higher security demands, the user can query the status information of the certificate in real time by the Online Certificate Status Protocol (OCSP).
Support filtering based on the interface: in a given direction on an interface, we can prohibit or permit the forwarding of packets that came in through a certain interface. Create a log for the packets that meet the requirements: the device can record related information about the packet, and provides a mechanism to ensure that, when many identical trigger logs are generated, they do not consume too much resource.
It uses the bandwidth effectively: data compression reduces the packet length and uses the bandwidth effectively. Experience shows that compressing common packets at a ratio of 3:1 is equivalent to carrying more than three times as much data over the same link bandwidth.
It enhances security: IPComp shows its advantages especially when IP packets are encrypted. Firstly, IPComp shortens the packet, so encryption takes less time. Secondly, IPComp removes redundancy from the packet, and a compressed-then-encrypted packet is harder to decrypt. Thirdly, compressing already-encrypted data at the data link layer (for example, by the PPP Compression Control Protocol) is ineffective, and IPComp solves this problem well.
IPComp has the following disadvantage:
IPComp requires the participating nodes to have strong computing capability, because compression and decompression consume much CPU resource. For a device whose main job is forwarding packets quickly, data compression becomes a heavy burden.
64-255 is reserved for future use. 256-61439 is the range negotiated when establishing an IPCA between two nodes. The two nodes choose their CPIs independently of each other, but the IPComp header in a sent packet must use the CPI chosen by the decompressing node. The CPI together with the destination IP address uniquely identifies the compression algorithm and its parameters. An IPCA can be established in two ways: by manual configuration or by dynamic negotiation. When IPCA works with IPSec, it is recommended to establish the IPCA according to the Internet Key Exchange (IKE) standard. IKE provides the necessary mechanisms and guiding principles for establishing an IPCA. Using IKE, the IPComp negotiation can be completed as an independent process, or as a process coordinated with the other IPSec-related protocols.
The AH header ensures the integrity and authenticity of the packet, and guards against an attacker intercepting and modifying the packet or inserting fake packets into the network. Taking computational efficiency into account, AH does not use a digital signature; instead it uses the Secure Hash Algorithm (SHA) to protect the packets. AH does not encrypt the user data. Figure 5-2 shows the position of AH in the IP packet (in tunnel mode). Figure 5-2 AH processing
[Figure 5-2 (not reproduced): the original packet IP | TCP | Data becomes IP2 | AH | IP | TCP | Data after tunnel-mode AH processing]
ESP encrypts the user data that needs protection and then encapsulates it in the IP packet, ensuring the integrity, authenticity and privacy of the data. Figure 5-3 shows the position of the ESP header in the IP packet (in tunnel mode). Figure 5-3 ESP processing
[Figure 5-3 (not reproduced): the original packet IP | TCP | Data is encapsulated by ESP in tunnel mode]
AH and ESP can work either independently or together. By using IPSec, data can be transmitted over the public network without the danger of being monitored, modified or faked. IPSec provides data protection between two hosts, between two security gateways, or between a host and a security gateway. Multiple SAs can be established between two ends. Combined with ACLs, IPSec can implement different protection strategies for different data flows. An SA is directional (uni-directional). Usually, four SAs are established between two ends, each end having two SAs: one for transmitting data and the other for receiving data. The SAs of IPSec can be configured manually, but as the nodes on the network increase, manual configuration becomes difficult and cannot ensure security. So IKE is used for automatic SA establishment and key exchange.
1) The two parties each generate a random value, for example a and b.
2) By the modular exponentiation algorithm, the results c and d are generated.
3) Exchange the modular exponentiation results, c and d.
4) Calculate the DH common values, which are d^a mod p and c^b mod p in the figure. It is proved that the DH common value g^(ab) mod p = d^a mod p = c^b mod p.
Note that, in this calculation process, only the exchange of c and d takes place on the public network. If a third party intercepts c and d on the network, he still needs to calculate the DH common value g^(ab) mod p, and for that he needs a or b. Obtaining a or b from c and d requires computing a discrete logarithm. p is a prime number. As has been mathematically proved, when p is big enough (generally a binary number bigger than 768 bits), the calculation is highly complex and practically impossible. Therefore, DH ensures that the two communicating parties obtain the DH common value securely. Figure 5-4 DH exchange and calculation
[Figure 5-4 (not reproduced): Peer 1 holds a and sends c = g^a mod p; Peer 2 holds b and sends d = g^b mod p; g and p are shared by both peers; after the exchange, Peer 1 computes d^a mod p and Peer 2 computes c^b mod p]
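The four steps above, carried through as an added example that is not part of the original document. The functions use the text's notation (a, b, c = g^a mod p, d = g^b mod p, common value d^a mod p = c^b mod p); the toy prime used in the comments and the brute-force search are constructed to show why the size of p matters.

```python
import secrets


def dh_public(g, p, secret):
    """Step 2, modular exponentiation: Peer 1 computes c = g^a mod p,
    Peer 2 computes d = g^b mod p."""
    return pow(g, secret, p)


def dh_common(peer_value, secret, p):
    """Step 4: Peer 1 computes d^a mod p, Peer 2 computes c^b mod p."""
    return pow(peer_value, secret, p)


def dh_exchange(g, p, a=None, b=None):
    """Run the four steps from the text and return (c, d, common value).
    a and b default to fresh random exponents; fixed values may be passed
    for a reproducible demonstration (constructed toy values such as
    g=5, p=23, a=6, b=15 give c=8, d=19 and common value 2)."""
    if a is None:
        a = 2 + secrets.randbelow(p - 3)
    if b is None:
        b = 2 + secrets.randbelow(p - 3)
    c = dh_public(g, p, a)              # Peer 1's value
    d = dh_public(g, p, b)              # Peer 2's value
    # Step 3: only c and d cross the public network; a and b stay private.
    k1 = dh_common(d, a, p)             # Peer 1: d^a mod p
    k2 = dh_common(c, b, p)             # Peer 2: c^b mod p
    if not (k1 == k2 == pow(g, a * b, p)):
        raise AssertionError("DH common values disagree")
    return c, d, k1


def discrete_log_by_search(g, p, target):
    """What an eavesdropper holding g, p and c would have to do to recover a:
    step through g^x mod p for x = 0, 1, 2, ... until it equals c.  The loop
    takes on the order of p steps, which is why the text requires p to be
    larger than 768 bits; it only finishes for a toy prime like 23."""
    value = 1
    for x in range(p):
        if value == target:
            return x
        value = (value * g) % p
    return None


def modulus_is_large_enough(p, min_bits=768):
    """The size rule the text states for the prime modulus p."""
    return p.bit_length() >= min_bits
```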
For identity authentication, IKE provides methods such as Pre-shared Key, public key encryption authentication and digital signature authentication. The last two methods are implemented with CA support. IKE consists of two phases. In the first phase, the ISAKMP SA is established, in one of two modes: Main Mode and Aggressive Mode. In the second phase, which is protected by the ISAKMP SA, the IPSec SA is established; this is also called Quick Mode. The IPSec SA finally transmits the IP data securely. Besides, IKE contains the Informational Exchange for transmitting information and the DH Group Exchange for creating new DH groups.
Through ASPF, the Quidway series of security devices support protocols in which multiple data connections exist on one control connection. Many application protocols, such as Telnet and SMTP, use a standard or conventional port for communication. But most multimedia application protocols, such as H.323, FTP and RPC, use a conventional port to initiate a control connection and then choose ports dynamically for transmitting data. The chosen port is unpredictable, and some application protocols may need to use multiple ports at a time. A standard firewall has to prohibit such application protocols to protect the intranet from attack. Sometimes the firewall prohibits only some application protocols that use fixed ports, thus leaving many security hazards. ASPF monitors the port used by every connection of every application protocol, opens the proper channel for the data to pass through the firewall during the session, and closes the channel when the session ends. In this way, ASPF effectively controls the access of application protocols that use dynamic ports. ASPF also provides an enhanced tracking and auditing function: it can record the information of all connections, including the time, source address, destination address, ports used and bytes transmitted.
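The dynamic-port tracking described above, shown for FTP as an added example that is not part of the original document or of the Quidway implementation: the tracker reads the PORT command on the control connection, opens a pinhole only for the announced data connection, and closes it when the control session ends. The class and function names are hypothetical; the addresses and FTP lines are constructed sample input.

```python
import re

# "PORT h1,h2,h3,h4,p1,p2" as sent by an active-mode FTP client
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_port_command(line):
    """Return (ip, port) announced by a PORT command, or None if it is not one."""
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        raise ValueError("PORT field out of range")
    return ".".join(str(x) for x in fields[:4]), fields[4] * 256 + fields[5]


class AspfFtpTracker:
    """Follows the FTP control connection and opens a firewall pinhole only
    for the data connection it announces, closing it when the session ends."""

    def __init__(self):
        self.session_holes = {}   # control flow -> set of pinholes it opened
        self.pinholes = set()     # (server_ip, client_ip, client_data_port)
        self.log = []             # audit records for the tracking function

    def control_message(self, control_flow, line):
        """Inspect one client-to-server line on the control connection.
        control_flow is (client_ip, client_port, server_ip, server_port)."""
        client_ip, _, server_ip, _ = control_flow
        announced = parse_port_command(line)
        if announced is None:
            return None                       # not a PORT command: nothing to do
        ip, port = announced
        # Added check: the data address must belong to the client that issued
        # the command and use a non-privileged port, so a pinhole can never be
        # opened towards a third host.
        if ip != client_ip or not 1024 <= port <= 65535:
            self.log.append(("rejected PORT", control_flow, line.strip()))
            return None
        hole = (server_ip, client_ip, port)
        self.pinholes.add(hole)
        self.session_holes.setdefault(control_flow, set()).add(hole)
        self.log.append(("pinhole opened", hole))
        return hole

    def allow_data_syn(self, src_ip, dst_ip, dst_port):
        """Firewall decision for a SYN from the server to the client's data port."""
        return (src_ip, dst_ip, dst_port) in self.pinholes

    def session_closed(self, control_flow):
        """Control connection ended: every pinhole it opened is removed."""
        for hole in self.session_holes.pop(control_flow, set()):
            self.pinholes.discard(hole)
            self.log.append(("pinhole closed", hole))
```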
server with a packet to indicate that the connection has been established. To interrupt the flow, SYN Flood uses a fake source address; even if it does not use a fake source address, it does not respond to the server. In establishing a TCP connection, when the packet fails to reach the destination address, it is sent repeatedly. This greatly increases the network burden. In SYN Flood, the attacker fakes the source address and creates many SYN packets, exhausting the memory or other resources of the target within a short time. SYN Flood causes the HTTP or FTP server on the target network to keep a lot of session connections, so legitimate users cannot access the resource. ASPF detects SYN Flood by comparing the number of requests for establishing new connections, their rate, and the number of semi-connections (half-open connections) that have been enabled. If the router detects an abnormal rate of new connection requests, the router sends alarm information and takes action. ASPF guards against DOS with the following two methods:
1) Discarding timed-out TCP semi-connections in case the system resource is exhausted. It informs the corresponding host to clear timed-out connections in case the system is overloaded. The administrator can configure the maximum number of receivable semi-connections and the time-out of the semi-connection.
2) Temporarily prohibiting all SYN packets from entering the attacked host. The temporary prohibition does not affect existing connections. The administrator can configure the interval after which the host resumes receiving SYN packets.
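The two countermeasures above, as an added example that is not part of the original document or of the ASPF implementation: a monitor tracks semi-connections for one protected host, discards the ones that time out, and temporarily refuses new SYNs once the semi-connection count or the new-connection rate is abnormal. The thresholds, class and function names, and the replayed SYN events are constructed.

```python
from collections import deque


class HalfOpenMonitor:
    """Tracks TCP semi-connections (SYN seen, handshake not finished) for one
    protected host and applies the two countermeasures from the text."""

    def __init__(self, max_half_open=1000, half_open_timeout=30.0,
                 max_syn_per_window=500, window=1.0, block_interval=10.0):
        self.max_half_open = max_half_open          # configurable limit
        self.half_open_timeout = half_open_timeout  # configurable time-out
        self.max_syn_per_window = max_syn_per_window
        self.window = window                        # rate window in seconds
        self.block_interval = block_interval        # how long SYNs are refused
        self.half_open = {}        # flow (src, sport, dst, dport) -> time SYN seen
        self.syn_times = deque()   # arrival times of SYNs inside the rate window
        self.blocked_until = 0.0   # SYNs are refused while now < blocked_until
        self.alarms = []           # (time, reason) records for the administrator

    def expire(self, now):
        """Method 1: discard semi-connections older than the time-out.
        Returns how many were discarded."""
        stale = [f for f, t in self.half_open.items()
                 if now - t > self.half_open_timeout]
        for f in stale:
            del self.half_open[f]
        return len(stale)

    def _syn_rate_exceeded(self, now):
        while self.syn_times and now - self.syn_times[0] > self.window:
            self.syn_times.popleft()
        return len(self.syn_times) >= self.max_syn_per_window

    def on_syn(self, flow, now):
        """Decide 'accept' or 'drop' for one inbound SYN to the protected host."""
        self.expire(now)
        if now < self.blocked_until:
            return "drop"                       # inside a block interval
        reason = None
        if len(self.half_open) >= self.max_half_open:
            reason = "semi-connection limit reached"
        elif self._syn_rate_exceeded(now):
            reason = "new-connection rate abnormal"
        if reason:
            # Method 2: raise an alarm and refuse SYNs for a while; connections
            # already established or half-open are left untouched.
            self.alarms.append((now, reason))
            self.blocked_until = now + self.block_interval
            return "drop"
        self.syn_times.append(now)
        self.half_open[flow] = now
        return "accept"

    def on_established(self, flow):
        """Handshake completed (final ACK seen): no longer a semi-connection."""
        self.half_open.pop(flow, None)


def replay_flood(monitor, count, start=0.0, step=0.01, victim=("192.0.2.10", 80)):
    """Constructed event stream: `count` SYNs from distinct sources that never
    complete the handshake.  Returns the list of verdicts."""
    verdicts = []
    for i in range(count):
        flow = ("203.0.113.%d" % (i % 254 + 1), 40000 + i) + victim
        verdicts.append(monitor.on_syn(flow, start + i * step))
    return verdicts
```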
5.9 Firewall
5.9.1 What Is Firewall?
A firewall is the combination of a series of components configured between different networks (such as between a trusted enterprise intranet and the untrusted public network) or between different network security domains. The firewall is the only passage for information entering or leaving these networks or security domains. It controls (permits, rejects or monitors) the information flow between networks according to the enterprise's security policies. Moreover, a firewall can protect itself well against attack. It is the infrastructure for providing information security service and implementing network and information security. Logically, a firewall is a splitter, a limiter and an analyzer. It effectively controls all activity between the intranet and the Internet, and ensures the security of the intranet.
Meanwhile, the firewall can protect the network against route-based attacks, such as the source route attack using the IP option and the ICMP redirect packet attack. The firewall should reject packets of all these attack types and inform the firewall administrator.
1) Packet Filter
It works at the network layer and the transport layer. According to fields in the packet header, such as the Source address, Destination address, Port number and Protocol type, the packet filter decides whether the packet can pass. Only a packet that meets the filtering logic is forwarded to the egress toward its destination; other packets are discarded from the data flow.
2) Application Proxy
It is also called an application gateway and works at the application layer. It completely "obstructs" the network communication flow. By providing a special proxy program for each type of application service, it monitors and controls the communication flow at the application layer. In actual application, the functions of the application proxy are usually implemented by a special workstation.
Therefore, packet filter usually works with the application gateway to constitute the firewall system.