class: big, middle

# ECE 7420 / ENGI 9823: Security

.title[
.lecture[Lecture 21:]
.title[Middleboxes]
]

---

# Today

### What stands between you and your request?

--

* hubs and switches

--

* routers and gateways

--

* proxies

--

* firewalls

--

* TLS interception equipment

---

# Hubs and switches

--

.floatright[
| # | Name | Example |
|---|------|-------------|
| 7 | Application | HTTP, DNS, NFS, SSH... |
| 6 | Presentation | TLS, SSH... |
| 5 | Session | SOCKS, SMB... |
| 4 | Transport | TCP, UDP, SCTP... |
| 3 | Network | IP |
| 2 | Data link | Ethernet MAC |
| 1 | Physical | Ethernet PHY |
]

### OSI layer?

--

### Purpose?

--

### Difference?

???

Historically, Ethernet hubs broadcast whatever they received on one port to all other ports, leading to quite a bit of contention, whereas switches could learn over time which MAC addresses were attached to which ports and thus be more selective in how they transmit traffic.

These days, "managed" switches can do a lot more, too.

--

### _Monitor_ port

???

Since a switch doesn't repeat all traffic everywhere, many managed switches will allow you to configure a _monitor_ port that **receives a copy of every Ethernet frame sent over the switch**. This is very useful for network admins when they need to troubleshoot issues, but of course it could allow anyone plugged into it to become a very effective eavesdropper!

---

# Routers

.floatright[
| # | Name | Example |
|---|------|-------------|
| 7 | Application | HTTP, DNS, NFS, SSH... |
| 6 | Presentation | TLS, SSH... |
| 5 | Session | SOCKS, SMB... |
| 4 | Transport | TCP, UDP, SCTP... |
| 3 | Network | IP |
| 2 | Data link | Ethernet MAC |
| 1 | Physical | Ethernet PHY |
]

--

### Purpose?

???

Local area network (LAN) names are only meaningful within the same LAN. So, my wireless Ethernet MAC address (`48:45:20:d3:16:f7`) isn't much good to you when you're trying to communicate with me from another network (on campus, at home, etc.).
A router helps with this problem by routing packets from one local network (e.g., a wired Ethernet LAN) to another (e.g., a wireless Ethernet LAN). This is why you'll sometimes see a router labeled with LAN ports and a "WAN port": WAN stands for **wide area network**.

--

### OSI layer?

???

A router that routes between local networks exists at Layer 3: the Network layer. Your home "router" that you got from Bell, Rogers (hopefully not?), etc., may also contain things that aren't strictly a router, like a wired **switch** (layer 2), a wireless **access point** (layer 2) or a **firewall** (layer 2/3).

---

layout: true

# The Internet

---

### What is the Internet?

---

.floatright[
<img src="http://live.staticflickr.com/6052/6218137120_38aae946d0_z.jpg" width="400"/>
.caption[
Source: [Stefan Funke](https://www.flickr.com/people/92734975@N00),
[CC BY-SA 2.0](https://creativecommons.org/licenses/by-sa/2.0)
]
]

### What is the Internet?

* "a network of networks"

---

.floatright[
<img src="https://i.ytimg.com/vi/2NbYUks0AjI/maxresdefault.jpg" width="400"/>
.caption[
Source: [Juniper Networks](https://www.youtube.com/watch?v=2NbYUks0AjI)
]
]

### What is the Internet?

* "a network of networks"
* connected at _Internet Exchanges_

---

.floatright[
<img src="https://image.slidesharecdn.com/ixpmaarit020316-160309133619/95/role-of-internet-exchange-points-ixp-3-638.jpg?cb=1457530780" width="400"/>
]

### What is the Internet?

* "a network of networks"
* connected at _Internet Exchanges_
* ... all over the world

---

.floatright[
<img src="http://drpeering.org/HTML_IPP/chapters/ch10-3-Evolution-3/img/10-5-LSNSCP-Peer.png" width="400"/>
.caption[
Source: [Dr Peering](https://drpeering.org)
]
]

### What is the Internet?

* "a network of networks"
* connected at _Internet Exchanges_
* ... all over the world
* ...
with _internet service providers_ (ISPs) of varying "tiers"

---

layout: false

# BGP: Border Gateway Protocol

--

.floatright[
<img src="https://www.juniper.net/documentation/images/g040727.gif" alt="Autonomous Systems connected via BGP" height="350"/>
.caption[
Source: [Juniper Networks](https://www.juniper.net/documentation/en_US/junos/topics/topic-map/bgp-peering-sessions.html)
]
]

### _Autonomous systems_

* co-located in IXPs

--

* _peering_ agreements reflected in _routing tables_

???

Peering agreements can be considered confidential because they may contain **commercially sensitive information**. This can include **prices** and **conditions under which options may be exercised**, which could be valuable information for a competitor AS!

--

* routes advertised by BGP

--

### Remember Dijkstra?

???

Internet routing is the quintessential application of Dijkstra's algorithm, as it's about finding short paths from A to B.

---

# BGP weaknesses

* "I, AS 1234, can route traffic to 134.153.0.0/16 in 1 hop"

--

* routers prefer short paths and long prefixes

--

#### BGP _hijacking_

--

* 2008 YouTube Hijack*

.footnote[
* RIPE NCC, <a href="https://www.ripe.net/publications/news/industry-developments/youtube-hijacking-a-ripe-ncc-ris-case-study">"YouTube Hijacking: A RIPE NCC RIS case study"</a>, _RIPE NCC News: Industry Developments_, 2008.
]

???

In 2008, the government of Pakistan decided to block its citizens from being able to access YouTube. However, the mechanism by which they chose to block YouTube caused some unintended side effects: their BGP hijacking of YouTube's address space caused the _entire world's YouTube traffic_ to be directed through servers of Pakistan Telecom.
---

# BGP weaknesses

* "I, AS 1234, can route traffic to 134.153.0.0/16 in 1 hop"
* routers prefer short paths and long prefixes

#### BGP _hijacking_

* 2008 YouTube Hijack*
* post-Obama/Xi BGP advertisements by China Telecom†

.footnote[
* RIPE NCC, <a href="https://www.ripe.net/publications/news/industry-developments/youtube-hijacking-a-ripe-ncc-ris-case-study">"YouTube Hijacking: A RIPE NCC RIS case study"</a>, _RIPE NCC News: Industry Developments_, 2008.

† Demchak and Shavitt, "China's Maxim – Leave No Access Point Unexploited: The Hidden Story of China Telecom's BGP Hijacking," _Military Cyber Affairs_ 3(1), 2018. DOI: [10.5038/2378-0789.3.1.1050](https://doi.org/10.5038/2378-0789.3.1.1050)
]

???

In 2008, the government of Pakistan decided to block its citizens from being able to access YouTube. However, the mechanism by which they chose to block YouTube caused some unintended side effects: their BGP hijacking of YouTube's address space caused the _entire world's YouTube traffic_ to be directed through servers of Pakistan Telecom. YouTube fixed the issue within 80 minutes of the problem starting via a BGP announcement of their own, but for those 80 minutes the world stood still...

In 2015, right after the Presidents of the US and China agreed that they really shouldn't hack each other's companies, China Telecom started advertising some Internet traffic routes that were... surprising. Apparently the new accord didn't cover Internet routing, because suddenly all of the traffic between Canada and South Korea, or between the US and Italy, or a bunch of other funny combinations, started to flow through China Telecom. Accident? Deliberate hijacking? I wouldn't care to speculate (in writing).
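---

# BGP hijacking: a worked example

Added example, not part of the original lecture: a toy route-selection function that applies the two preferences from the previous slide (longest prefix, then shortest AS path) to constructed announcements, and then repeats the selection with RPKI route origin validation (the subject of the next slide) discarding announcements that no ROA authorizes. The 134.153.0.0/16 prefix and AS 1234 come from the slide; the ROA, the other AS numbers and the function names are constructed.

```python
import ipaddress

# Constructed announcements as one router sees them: (prefix, AS path),
# origin AS last. 134.153.0.0/16 and AS 1234 come from the slide; the
# other ASNs are documentation-range values (RFC 5398), not real networks.
ANNOUNCEMENTS = [
    ("134.153.0.0/16", [64500, 64501, 64502]),   # legitimate origin, 3 hops
    ("134.153.0.0/17", [64503, 1234]),            # more specific, fewer hops
    ("134.153.128.0/17", [64503, 1234]),          # ...and the other half
]

# Constructed RPKI ROA: (prefix, maxLength, authorized origin AS).
ROAS = [("134.153.0.0/16", 16, 64502)]


def roa_state(prefix, as_path):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, origin in ROAS:
        if net.subnet_of(ipaddress.ip_network(roa_prefix)):
            covered = True   # some ROA speaks for this address space
            if net.prefixlen <= max_len and as_path[-1] == origin:
                return "valid"
    return "invalid" if covered else "not-found"


def best_route(dst, announcements, drop_invalid=False):
    """Select a route as the slide describes: longest prefix first, then
    shortest AS path. With drop_invalid=True, RPKI-invalid announcements
    are discarded before selection (what an ROV-enforcing router does)."""
    ip = ipaddress.ip_address(dst)
    candidates = []
    for prefix, path in announcements:
        net = ipaddress.ip_network(prefix)
        if ip not in net:
            continue
        if drop_invalid and roa_state(prefix, path) == "invalid":
            continue
        candidates.append((net.prefixlen, -len(path), prefix, path))
    if not candidates:
        return None
    _, _, prefix, path = max(candidates)
    return prefix, path[-1]   # winning prefix and the origin AS traffic reaches


if __name__ == "__main__":
    print(best_route("134.153.10.1", ANNOUNCEMENTS))                      # hijacked
    print(best_route("134.153.10.1", ANNOUNCEMENTS, drop_invalid=True))   # legitimate
```

Without validation the more-specific /17 wins for every address in the /16, which is exactly the YouTube outcome; a ROA with maxLength 16 makes both /17s invalid and the legitimate route is restored.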
---

# Securing routing

### RPKI (Route PKI)

### BGPsec*

### Difficult to get everyone to move together!†

.footnote[
* Lychev, Goldberg and Schapira, "BGP Security in Partial Deployment: Is the Juice Worth the Squeeze?", in _SIGCOMM '13: Proceedings of the ACM SIGCOMM 2013 Conference on SIGCOMM_, 2013. DOI: [10.1145/2534169.2486010](https://doi.org/10.1145/2534169.2486010)

† Goldberg, "Why is it taking so long to secure Internet routing?", _ACM Queue_ 12(8), 2014. DOI: [10.1145/2668152.2668966](https://dx.doi.org/10.1145/2668152.2668966)
]

???

RPKI and BGPsec work differently, with RPKI allowing signature-based validation of prefix announcements ("do you really own this prefix?") and BGPsec providing validation of entire routing paths. There are serious pros and cons to both, and as is often the case, the "right" answer (BGPsec) doesn't work well unless everybody starts using it. Collective action problems are hard.

---

# Gateways

--

### Boundaries between networks

???

The term "gateway" is a bit looser than some of our other terms:

* routers typically act as gateways
* "gateway" can also be used to refer to a modem (a point-to-point device) + a router

--

### Places for control, policy enforcement

--

```sh
sysctl net.inet.ip.forwarding=1   # FreeBSD
sysctl net.ipv4.ip_forward=1      # Linux
```

---

# Firewalls

--

.floatright[
<img src="http://cliffave.com/media/library/pages/gallery/gallery187/1970_Chevelle_firewall.jpg" alt="Automotive firewall" width="400"/>
.center.caption[An automotive firewall]
]

### In cars: a physical object

--

### In computing?

--

* logical "wall" between networks

--

* can be a physical device!
<img src="https://encrypted-tbn3.gstatic.com/shopping?q=tbn:ANd9GcSiqwl7dxPSbvR9tdmX6JaP8E5fO8KHFfE6FQbd0S-hg65A7kZLZEfeqj_WUfyZRMmu7lV-BqemOEvjANUcV55q1bT0iPzhNA&usqp=CAY" alt="Firewall appliance" width="500"/>

---

# Software firewalls

### Implemented in OS kernels

--

* sequence of _rules_ that can be _matched_:

--

```pf
# Default rules: block incoming, allow outgoing
block in on em0
pass out all keep state

# Allow SSH
pass inet proto tcp from any to any port ssh

# TODO: disable this again AS SOON as the 8894/9875 lab is done!
#pass inet proto tcp from any to any port telnet
```

---

# Linux firewalls

--

```sh
iptables -A OUTPUT -p tcp -d 31.0.0.0/8 -j DROP
iptables -A INPUT -p icmp -i eth0 -j DROP
iptables -L -n -v
```

--

```sh
Chain INPUT (policy DROP 544 packets, 87564 bytes)
 pkts bytes target     prot opt in     out     source               destination
  101  8362 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   46  5733 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain OUTPUT (policy ACCEPT 535 packets, 46301 bytes)
 pkts bytes target     prot opt in     out     source               destination
  203  174K DROP       tcp  --  *      *       0.0.0.0/0            31.0.0.0/8
```

--

... and now nftables

---

# BSD firewalls

### IPFW

### PF (packet filter)

---

# PF example

```pf
# Redirect jailed DNS requests to local (caching) resolver.
rdr log (all) inet proto udp to $jail_ifs port domain -> lo0

# NAT jails and machines on the internal network.
nat pass log (all) on $ext_if from $jail_ifs to any -> $ext_if
nat pass on $ext_if from $internal_net to any -> $ext_if

# Default rules: block incoming traffic, allow outgoing and internal network.
block in on $ext_if
pass in log (all) on $jail_ifs
pass in on $internal_if
pass out all keep state

pass proto udp from $local port domain
pass inet proto tcp from any to any port ssh
pass in on $ext_if proto tcp from any to any port {http,https}
```

---

# NAT

--

### _Network address translation_

???

In most networks you connect to, you'll see that your computer has an address like 192.168.1.1 or 10.0.0.1.
These are examples of **private IP ranges** that have been designated by [IANA](https://www.iana.org) as only usable on local networks, _not_ for routing over the Internet (see [RFC 1918](https://datatracker.ietf.org/doc/html/rfc1918)). So what's the good of an IP address that you can't route to?

--

```pf
nat pass on $ext_if from $internal_net to any -> $ext_if
```

```sh
iptables -t nat -A POSTROUTING -o $external -j MASQUERADE
```

--

### Helps with IP scarcity

--

### Hides internal IPs

--

... does that help security?

???

Answer: **yes and no**. For one thing, nothing says that a NAT has to restrict incoming traffic. NAT shouldn't be thought of primarily as a security mechanism, but then again, nobody said that you _have_ to give your network topology information to your adversaries!

---

# Proxies

--

### Can be pure data caching

--

* Squid, vagrant

--

* Netflix!

--

### Integrity questions

???

How can we know whether the content that we received from a proxy is the same as the original content? For some content, we may not be able to. For things like software packages and software updates, we should rely on techniques like **digital signatures** rather than trusting the proxy.

--

```html
<script src="...min.js"
        integrity="sha384-vtXRMe3mGCbOeY7l30aIg8H9p3GdeSe4IFlP6G8JMa7o7lXvnz3GFKzPxzJdPfGK"
        crossorigin="anonymous"></script>
```

???

For things like proxied JavaScript libraries, we have the ability to specify in an HTML `script` tag that a fetched JS file ought to hash to a specific value.

---

# DMZ

.floatright[
<img src="https://upload.wikimedia.org/wikipedia/commons/thumb/b/bd/Korea_DMZ.svg/681px-Korea_DMZ.svg.png" width="400">
.caption[Source: <a href="https://en.wikipedia.org/wiki/File:Korea_DMZ.svg">Rishabh Tatiraju via Wikipedia</a>]
]

### For _demilitarized zone_

--

* not really in, not really out

--

* computers reachable from both inside and outside your network

--

* mail servers, Web servers, SSH jump hosts, VPN concentrators...
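---

# Stateful NAT + filter: a worked example

Added example, not code from the lecture: a small Python model of the gateway behaviour the PF rules on the earlier slides describe (`nat pass ... -> $ext_if`, `block in on $ext_if`, `pass out all keep state`, and the explicit `pass in` for http/https). It shows why the NAT slide's answer is "yes and no": replies to tracked outbound flows are un-NATed and passed, but an unsolicited inbound packet is dropped because of the `block in` rule, not because of the address translation itself. The interface name, addresses, port range and class names are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed topology mirroring the PF rules on the slides:
#   nat pass on $ext_if from $internal_net to any -> $ext_if
#   block in on $ext_if
#   pass out all keep state
#   pass in on $ext_if proto tcp from any to any port {http,https}
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # RFC 1918 space
EXT_IF, EXT_IP = "em0", "203.0.113.7"                   # TEST-NET-3 address
INBOUND_ALLOW = {80, 443}                               # http, https


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str      # "in" or "out", relative to the gateway
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Gateway:
    def __init__(self):
        # state table: (proto, external-side port) -> original 4-tuple of the flow
        self.state = {}
        self.next_port = 50000

    def handle(self, p):
        """Return ("pass", packet as forwarded) or ("block", p)."""
        if p.direction == "out" and p.iface == EXT_IF:
            out = p
            if ipaddress.ip_address(p.src) in INTERNAL_NET:    # nat ... -> $ext_if
                out = replace(p, src=EXT_IP, sport=self.next_port)
                self.next_port += 1
            self.state[(out.proto, out.sport)] = (p.src, p.sport, p.dst, p.dport)
            return "pass", out                                 # pass out all keep state
        if p.direction == "in" and p.iface == EXT_IF:
            flow = self.state.get((p.proto, p.dport))
            if p.dst == EXT_IP and flow and (p.src, p.sport) == flow[2:]:
                return "pass", replace(p, dst=flow[0], dport=flow[1])  # reply: un-NAT
            if p.proto == "tcp" and p.dport in INBOUND_ALLOW:
                return "pass", p                               # explicit pass in
            return "block", p                                  # block in on $ext_if
        return "pass", p                   # internal interfaces: pass in on $internal_if
```

Removing the final `block` (returning `pass` instead) leaves the translation logic untouched but forwards every unsolicited packet that reaches the external address, which is the point the slide makes about NAT not being a security mechanism on its own.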
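---

# Subresource integrity: a worked example

Added example, not from the lecture: computing an `integrity` value of the form shown in the `<script>` tag on the Proxies slide, and checking fetched bytes against it the way a browser does, including attributes that list several tokens and the rule that only the strongest recognised algorithm counts. The JavaScript snippets and function names are constructed.

```python
import base64
import hashlib

SRI_ALGOS = ("sha256", "sha384", "sha512")   # the only algorithms SRI permits


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Build an integrity value like the slide's: '<algo>-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_verify(content: bytes, integrity: str) -> bool:
    """Check fetched bytes against an integrity attribute as a browser would:
    the attribute may carry several tokens; only those using the strongest
    recognised algorithm count, and any one of them matching is enough."""
    by_algo = {}
    for token in integrity.split():
        algo, _, rest = token.partition("-")
        if algo in SRI_ALGOS:
            by_algo.setdefault(algo, set()).add(rest.split("?", 1)[0])  # drop options
    if not by_algo:
        # Per the SRI spec, metadata with no usable token means no check at all:
        # the resource loads. Treat such a tag as a misconfiguration, not protection.
        return True
    strongest = max(by_algo, key=lambda a: int(a[3:]))
    actual = sri_hash(content, strongest).partition("-")[2]
    return actual in by_algo[strongest]


# Constructed sample: the file the origin serves, and a version a tampering
# proxy might hand back instead.
ORIGINAL_JS = b"window.greet = function () { return 'hello'; };\n"
TAMPERED_JS = ORIGINAL_JS + b"console.log('modified in transit');\n"


if __name__ == "__main__":
    tag = sri_hash(ORIGINAL_JS)
    print(tag)
    print(sri_verify(ORIGINAL_JS, tag), sri_verify(TAMPERED_JS, tag))
```

The `crossorigin="anonymous"` attribute on the slide matters too: without a CORS-readable response the browser cannot hash the bytes and the check cannot pass.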
---

# DPI: _deep packet inspection_

--

* what URL are you visiting?

--

* what keywords are you using?

--

#### Dual-use technology:

--

* protecting corporate network from known malware vectors

--

* surveilling a population for unapproved/"unpatriotic" sentiment

--

* "Great Firewall" may employ as many as 50,000 people*

.footnote[
* <a href="https://www.bloomberg.com/quicktake/great-firewall-of-china">"The Great Firewall of China"</a>, _Bloomberg News_, 5 Nov 2018.
]

---

# "Going dark"

--

### Who talks on the phone any more?

--

* Harder to do lawful interception / exceptional access

--

* "Going dark" phrase popularized in US discourse*

.footnote[
* Savage, <a href="https://www.nytimes.com/2010/09/27/us/27wiretap.html">"U.S. Tries to Make It Easier to Wiretap the Internet"</a>, _The New York Times_, 27 Sep 2010.
]

---

# "Going dark"

### Who talks on the phone any more?

* Harder to do lawful interception / exceptional access
* "Going dark" phrase popularized in US discourse*
* Continuing debate†

.footnote[
* Savage, <a href="https://www.nytimes.com/2010/09/27/us/27wiretap.html">"U.S. Tries to Make It Easier to Wiretap the Internet"</a>, _The New York Times_, 27 Sep 2010.

† Schneier, <a href="https://www.lawfareblog.com/attorney-general-william-barr-encryption-policy">"Attorney General William Barr on Encryption Policy"</a>, in _Lawfare_, 23 Jul 2019.
]

---

# "Going dark"

### Who talks on the phone any more?

* Harder to do lawful interception / exceptional access
* "Going dark" phrase popularized in US discourse*
* Continuing debate†‡

.footnote[
* Savage, <a href="https://www.nytimes.com/2010/09/27/us/27wiretap.html">"U.S. Tries to Make It Easier to Wiretap the Internet"</a>, _The New York Times_, 27 Sep 2010.

† Schneier, <a href="https://www.lawfareblog.com/attorney-general-william-barr-encryption-policy">"Attorney General William Barr on Encryption Policy"</a>, in _Lawfare_, 23 Jul 2019.
‡ Marks and Schaffer, <a href="https://www.washingtonpost.com/politics/2021/06/16/cybersecurity-202-justice-department-is-racking-up-wins-despite-encryption-concerns">"The Cybersecurity 202: The Justice Department is racking up wins despite encryption concerns"</a>, _The Washington Post_, 16 Jun 2021.
]

---

# Quietly into that goodnight?

> Rage, rage against the dying of the light

--

### TLS interception

--

* Proxy with "trusted" certificate(s)

--

* Recent-ish estimate: 5‒10% of all Web requests!*

.footnote[
* Durumeric, Ma, Springall et al., "The Security Impact of HTTPS Interception", in _NDSS 2017: Proceedings of the 2017 Network and Distributed System Security Symposium_, 2017. DOI: <a href="http://dx.doi.org/10.14722/ndss.2017.23456">10.14722/ndss.2017.23456</a>.
]

---

# More TLS workarounds

--

### Compelled backdoors

--

* deliberate insertion of backdoors

--

  (e.g., [SP800-90 Dual EC PRNG](https://www.wired.com/2013/09/nsa-backdoor/))

--

* extra protocol participants (e.g., Ghost Protocol)

--

### Compelled key disclosure

--

* this kind of thing has happened _at least_ once*

.footnote[
* Poulsen, <a href="https://www.wired.com/2013/10/lavabit_unsealed">"Edward Snowden's E-Mail Provider Defied FBI Demands to Turn Over Crypto Keys, Documents Show"</a>, _Wired_, 2 Oct 2013.
]

---

# Finding balance

--

### Privacy _and_ security

### Protecting individuals _and_ communities

--

## No definitive answers here, just questions!

---

# Summary

### What stands between you and your request?

* hubs and switches
* routers and gateways
* proxies
* firewalls
* TLS interception equipment

---

class: big, middle

The End.