11 - Network Security Flashcards
Why do we need network security?
Attacks:
- Routing (BGP)
- Naming (DNS)
Reasons Internet’s Design is Insecure
- Designed for simplicity
- “On by default”
- Hosts are insecure
- Attacks can look like “normal” traffic
- Federated design
Packet-switched networks are vulnerable to
resource exhaustion attacks
Components of Security
- Availability: ability to use a resource
- Confidentiality: concealing information
- Authenticity: assures origin of information
- Integrity: prevent unauthorized changes
- Threat: potential violation
- Attack: action that violates
Denial of Service Attack? (Component)
Availability
Control plane authentication (Routing Security)
- Session: point-to-point b/w routers
- Path: protects AS path
- Origin: ensures that AS advertising prefix is the owner
A route hijack is an attack on the following form of authentication:
Origin, because in a route hijack, the AS that is advertising the prefix is actually not the rightful owner of that prefix.
How? (Attacks on Routing)
- Config error
- Routers compromised
- Unscrupulous ISPs
Types of Attack
- Config/Management software
- Tamper w/ software
- Tamper w/ routing data
Most common: “Hijack”
DNS masquerading
Attack whereby an attacker can use the BGP infrastructure to hijack a DNS query and masquerade as a legitimate service
AS-path poisoning
Make sure hijacked route is not accepted
Session Authentication
Ensure that BGP routing messages sent between routers in different ASes are authentic.
Guaranteeing Origin & Path Authentication
“Secure BGP” (BGPSEC)
Origin Attestation (Address Attestation): Certificate binding prefix to owner (signed by trusted party)
Path Attestation: Signatures along AS path
Path Attestation protects against:
Hijacks
Shortening
Modification
Path Attestation cannot protect against:
Suppression
Replay