Patterns in network security: an analysis of architectural complexity in securing recursive inter-network architecture networks

Recursive Inter-Network Architecture (RINA) networks have a shorter protocol stack than the current architecture (the Internet) and rely instead upon separation of mech- anism from policy and recursive deployment to achieve large scale networks. Due to this smaller protocol stack, fewer networking mechanisms, security or otherwise, should be needed to secure RINA networks. This thesis examines the security proto- cols included in the Internet Protocol Suite that are commonly deployed on existing networks and shows that because of the design principles of the current architecture, these protocols are forced to include many redundant non-security mechanisms and that as a consequence, RINA networks can deliver the same security services with substantially less complexity

Network Access Control : single computer viewpoint

The purpose of the thesis was to develop an entirely new ideology and technique which is called a client’s NAC (Client’s Network Access Control). The objectives of the thesis were to discover methods how a single computer could make conclusions about the connected network and validate if the network is trusted or not. This is an entirely new ideology, which has not been published on the commercial markets or in academic research. In a nutshell, the philosophy of the Network Access Control is that all devices requesting access to network’s resources are untrusted until they are otherwise proved. The objective was to discover if it is possible to conduct same kind of philosophy to a single computer. A computer does not trust the network before it has done specific validations from the network and depending on the outcome of the validations; network traffic to network is allowed or denied. The discovery in the thesis was that almost every LAN protocol has different kinds of security issues. Usually these threats are blocked in the network’s outer perimeter with firewalls in such a way that the outside of the network cannot exploit these threats. This does not prevent from exploiting these security threats from inside the network. These findings supported the idea of client’s NAC implementation, because if the network is trusted, the devices in the network are also trusted. The goal was to develop methods and techniques how a single computer could execute the conclusion about the connected network. This included developing the basic architecture of the client’s NAC solution and discovering different authentication methods for authenticating the network. These authentication methods were analyzed with security and implementation analysis and based on these analyzes the thesis recommends certain authentication methods for client to authenticate the connected network.Työn tavoitteena oli kehittää uutta ideologiaa ja tekniikoita (client’s NAC), jossa perinteinen verkkolähtöinen näkökulma pääsynhallinnassa suunnataan yksittäiselle tietokoneelle. Tämän kaltaista tutkimusta tai konseptia ei ollut olemassa, joten kyseessä oli aivan uusi tutkimuksen aihe. Kehittämisessä lähtökohtana oli löytää malli, jonka mukaan yksittäinen tietokone pystyy päättelemään, onko verkko, johon se on kytketty, luotettu vai ei. Työssä sovellettiin ja analysointiin eri autentikointivaihtoehtoja, joiden perusteella esitettiin tiettyjä autentikointitekniikoita client’s NAC -sovelluksen toteuttamiseen. Työ osoitti, että yleisimmissä LAN-protokollissa on merkittäviä uhkia ja haavoittuvuuksia. Jos yksittäinen tietokone kykenee päättelemään verkon luottavuuden, näiden uhkien toteutumista voidaan lieventää, sillä luotettava verkko sisältää vain luotettuja laitteita. Tämä vahvisti, että client’s NAC -konseptin avulla voidaan suojautua epäluotettavien laitteiden haitalliselta tietoliikenteeltä. Eri autentikointimallit jaettiin työssä kahteen eri kategoriaan tulevan kohdeympäristön perusteella. Korkean tietoturvallisuuden ympäristöissä tietoturva ja osapuolten luottavuus on tärkein tekijä suunniteltaessa autentikointimalleja, kun taas matalamman tietoturvaluokan ympäristöihin toteutuksen helppous ja käytettävyys ratkaisee valinnassa. Analysointi eri autentikointimallien välillä suoritettiin tietoturva-analyysillä, joka perustui tietoturvaprotokollissa oleviin yleisimpiin haavoittuvuuksiin, ja toteutusanalyysillä, jossa pyrittiin tekemään päätelmiä toteutuksen toimivuudesta ja vaikeudesta. Näiden analyysien perusteella työ esittää eri vaihtoehtoja eri ympäristöihin toteutettavaksi autentikointitavaksi client’s NAC -sovellukseen

The Impact of DNSSEC on the Internet Landscape

In this dissertation we investigate the security deficiencies of the Domain Name System (DNS) and assess the impact of the DNSSEC security extensions. DNS spoofing attacks divert an application to the wrong server, but are also used routinely for blocking access to websites. We provide evidence for systematic DNS spoofing in China and Iran with measurement-based analyses, which allow us to examine the DNS spoofing filters from vantage points outside of the affected networks. Third-parties in other countries can be affected inadvertently by spoofing-based domain filtering, which could be averted with DNSSEC. The security goals of DNSSEC are data integrity and authenticity. A point solution called NSEC3 adds a privacy assertion to DNSSEC, which is supposed to prevent disclosure of the domain namespace as a whole. We present GPU-based attacks on the NSEC3 privacy assertion, which allow efficient recovery of the namespace contents. We demonstrate with active measurements that DNSSEC has found wide adoption after initial hesitation. At server-side, there are more than five million domains signed with DNSSEC. A portion of them is insecure due to insufficient cryptographic key lengths or broken due to maintenance failures. At client-side, we have observed a worldwide increase of DNSSEC validation over the last three years, though not necessarily on the last mile. Deployment of DNSSEC validation on end hosts is impaired by intermediate caching components, which degrade the availability of DNSSEC. However, intermediate caches contribute to the performance and scalability of the Domain Name System, as we show with trace-driven simulations. We suggest that validating end hosts utilize intermediate caches by default but fall back to autonomous name resolution in case of DNSSEC failures.In dieser Dissertation werden die Sicherheitsdefizite des Domain Name Systems (DNS) untersucht und die Auswirkungen der DNSSEC-Sicherheitserweiterungen bewertet. DNS-Spoofing hat den Zweck eine Anwendung zum falschen Server umzuleiten, wird aber auch regelmäßig eingesetzt, um den Zugang zu Websites zu sperren. Durch messbasierte Analysen wird in dieser Arbeit die systematische Durchführung von DNS-Spoofing-Angriffen in China und im Iran belegt, wobei sich die Messpunkte außerhalb der von den Sperrfiltern betroffenen Netzwerke befinden. Es wird gezeigt, dass Dritte in anderen Ländern durch die Spoofing-basierten Sperrfilter unbeabsichtigt beeinträchtigt werden können, was mit DNSSEC verhindert werden kann. Die Sicherheitsziele von DNSSEC sind Datenintegrität und Authentizität. Die NSEC3-Erweiterung sichert zudem die Privatheit des Domainnamensraums, damit die Inhalte eines DNSSEC-Servers nicht in Gänze ausgelesen werden können. In dieser Arbeit werden GPU-basierte Angriffsmethoden auf die von NSEC3 zugesicherte Privatheit vorgestellt, die eine effiziente Wiederherstellung des Domainnamensraums ermöglichen. Ferner wird mit aktiven Messmethoden die Verbreitung von DNSSEC untersucht, die nach anfänglicher Zurückhaltung deutlich zugenommen hat. Auf der Serverseite gibt es mehr als fünf Millionen mit DNSSEC signierte Domainnamen. Ein Teil davon ist aufgrund von unzureichenden kryptographischen Schlüssellängen unsicher, ein weiterer Teil zudem aufgrund von Wartungsfehlern nicht mit DNSSEC erreichbar. Auf der Clientseite ist der Anteil der DNSSEC-Validierung in den letzten drei Jahren weltweit gestiegen. Allerdings ist hierbei offen, ob die Validierung nahe bei den Endgeräten stattfindet, um unvertraute Kommunikationspfade vollständig abzusichern. Der Einsatz von DNSSEC-Validierung auf Endgeräten wird durch zwischengeschaltete DNS-Cache-Komponenten erschwert, da hierdurch die Verfügbarkeit von DNSSEC beeinträchtigt wird. Allerdings tragen zwischengeschaltete Caches zur Performance und Skalierbarkeit des Domain Name Systems bei, wie in dieser Arbeit mit messbasierten Simulationen gezeigt wird. Daher sollten Endgeräte standardmäßig die vorhandene DNS-Infrastruktur nutzen, bei Validierungsfehlern jedoch selbständig die DNSSEC-Zielserver anfragen, um im Cache gespeicherte, fehlerhafte DNS-Antworten zu umgehen

ROVER: a DNS-based method to detect and prevent IP hijacks

2013 Fall.Includes bibliographical references.The Border Gateway Protocol (BGP) is critical to the global internet infrastructure. Unfortunately BGP routing was designed with limited regard for security. As a result, IP route hijacking has been observed for more than 16 years. Well known incidents include a 2008 hijack of YouTube, loss of connectivity for Australia in February 2012, and an event that partially crippled Google in November 2012. Concern has been escalating as critical national infrastructure is reliant on a secure foundation for the Internet. Disruptions to military, banking, utilities, industry, and commerce can be catastrophic. In this dissertation we propose ROVER (Route Origin VERification System), a novel and practical solution for detecting and preventing origin and sub-prefix hijacks. ROVER exploits the reverse DNS for storing route origin data and provides a fail-safe, best effort approach to authentication. This approach can be used with a variety of operational models including fully dynamic in-line BGP filtering, periodically updated authenticated route filters, and real-time notifications for network operators. Our thesis is that ROVER systems can be deployed by a small number of institutions in an incremental fashion and still effectively thwart origin and sub-prefix IP hijacking despite non-participation by the majority of Autonomous System owners. We then present research results supporting this statement. We evaluate the effectiveness of ROVER using simulations on an Internet scale topology as well as with tests on real operational systems. Analyses include a study of IP hijack propagation patterns, effectiveness of various deployment models, critical mass requirements, and an examination of ROVER resilience and scalability

IPv4 to IPv6 transition : security challenges

Tese de mestrado integrado. Engenharia Informática e Computação. Faculdade de Engenharia. Universidade do Porto. 201

The Domain Name System (DNS): Security challenges and improvements

An analogy that is often used for the Domain Name System (DNS) is that it is the phonebook for the Internet. The DNS provides the mapping between the names that we use to identify applications, websites and e-mail recipients etc and the numerical addresses that are used by the components in networks. If an attacker can poison the DNS (i.e. make it return invalid information) then the user may unknowingly connect to the attacker’s service, rather than the correct one. The user may then be exposed to confidentiality, integrity and availability issues. In July 2008, security researcher Dan Kaminsky disclosed a significant issue in DNS that allowed an attacker to be able to poison the DNS with information of the attacker’s choosing. Whilst this had always been possible, it was believed there was a narrow window of opportunity to attack, and that during that narrow window the possibility of a successful attack was very low. Dan Kaminsky showed that this was not the case; this report includes an analysis that shows an attack of 259 seconds duration has a 75% chance of success against vulnerable servers. Weaknesses exist in client and server applications and operating systems, their configuration, procedures, people and the DNS protocol that allow a range of different factors that may cause confidentiality, integrity and availability issues to users and applications that rely on the DNS. This report provides an overview of related vulnerabilities and attacks, two of which are investigated in more detail; cache poisoning and amplification attacks (a type of denial of service attack). DNS poisoning attacks can easily be conducted against servers not patched against the Kaminsky vulnerability. A tactical solution has been provided that makes these attacks harder, but still possible. A strategic solution is needed that provides a cryptographic response to cache poisoning. This report looks at two possible solutions to cache poisoning attacks: DNSSEC and DNSCurve, although neither provides the perfect solution. The DNS is vulnerable to use in amplification attacks. The DNS can be abused to generate multigigabit attacks that can be used against any target to prevent legitimate use of resources at the target. Although DNSSEC provides protection against DNS poisoning attacks it does make amplification attacks easier

Attacking and securing Network Time Protocol

Network Time Protocol (NTP) is used to synchronize time between computer systems communicating over unreliable, variable-latency, and untrusted network paths. Time is critical for many applications; in particular it is heavily utilized by cryptographic protocols. Despite its importance, the community still lacks visibility into the robustness of the NTP ecosystem itself, the integrity of the timing information transmitted by NTP, and the impact that any error in NTP might have upon the security of other protocols that rely on timing information. In this thesis, we seek to accomplish the following broad goals: 1. Demonstrate that the current design presents a security risk, by showing that network attackers can exploit NTP and then use it to attack other core Internet protocols that rely on time. 2. Improve NTP to make it more robust, and rigorously analyze the security of the improved protocol. 3. Establish formal and precise security requirements that should be satisfied by a network time-synchronization protocol, and prove that these are sufficient for the security of other protocols that rely on time. We take the following approach to achieve our goals incrementally. 1. We begin by (a) scrutinizing NTP's core protocol (RFC 5905) and (b) statically analyzing code of its reference implementation to identify vulnerabilities in protocol design, ambiguities in specifications, and flaws in reference implementations. We then leverage these observations to show several off- and on-path denial-of-service and time-shifting attacks on NTP clients. We then show cache-flushing and cache-sticking attacks on DNS(SEC) that leverage NTP. We quantify the attack surface using Internet measurements, and suggest simple countermeasures that can improve the security of NTP and DNS(SEC). 2. Next we move beyond identifying attacks and leverage ideas from Universal Composability (UC) security framework to develop a cryptographic model for attacks on NTP's datagram protocol. We use this model to prove the security of a new backwards-compatible protocol that correctly synchronizes time in the face of both off- and on-path network attackers. 3. Next, we propose general security notions for network time-synchronization protocols within the UC framework and formulate ideal functionalities that capture a number of prevalent forms of time measurement within existing systems. We show how they can be realized by real-world protocols (including but not limited to NTP), and how they can be used to assert security of time-reliant applications-specifically, cryptographic certificates with revocation and expiration times. Our security framework allows for a clear and modular treatment of the use of time in security-sensitive systems. Our work makes the core NTP protocol and its implementations more robust and secure, thus improving the security of applications and protocols that rely on time

My Email Communications Security Assessment (MECSA): 2018 Results

This JRC technical report presents the results obtained by the My Email Communications Security Assessment (MECSA) tool. MECSA is an online1 tool developed by the Joint Research Centre to assess the security of email communications between email providers. Email communications continue to be one of the most widespread forms of digital communications with thousands of millions of emails exchanged on a daily basis. It is estimated that 72% of the European population use email either in mobile phones, tablets or computers. It is the means of digital communication used by most Europeans on a daily basis (Special Eurobarometer 462, 2017. Published July 2018.) MECSA is the outcome of our research on the security of email communications. It servers a triple purpose. Firstly, it allows us to monitor the adoption of modern email security standards in the current ecosystem of email providers, assessing their capability to protect the confidentiality, integrity and authenticity of the email exchange amongst them. Secondly, MECSA aims to become a one-stop shop for email users to receive an indication of the capability of their email providers to protect their email exchange in the communication with other providers of the ecosystem. Finally, MECSA aims to become a reference tool for professionals and a mean to promote the adoption of modern email security standards in Europe.JRC.E.3-Cyber and Digital Citizens' Securit