Network Security 2016-2017
EDA491 / DIT071
News
2017-06-22 Ph.D. position in vehicular security at KTH in Stockholm now open for applications.
2017-06-20 Inspection of exams can be done Wednesday June 28 at 11:30-12:00 in room EDIT 5128.
If you cannot make it this time, the exam is stored in the department's "expedition" where you can
review it during their opening hours. If there are any questions, please just send me an email.
Have a nice summer :-)
2017-05-23 The last page on the exam will look like this and contain information which may be useful.
2017-05-18 Final catch-up session in the lab: Tuesday, May 23, 17:15 - 21:00
2017-05-16 Lectures will continue as scheduled. There is some slack in the remaining lectures and it should be
possible to catch up with the missing material without scheduling another lecture.
2017-05-11 Due to a cold and lost voice, today's lecture has to be cancelled. Sorry for that!
2017-03-23 Slide #6 (Rainbow tables) was missing in lecture 2 - if you downloaded slides before lecture, please update.
2017-02-07 Change: no lecture Friday week 1 (spare lecture used instead)
Teachers
Tomas Olovsson - tomas.olovsson@... (teacher, course responsible)
Aljoscha Lautenbach - aljoscha@... (teaching assistant, main contact for lab-related issues)
Boel Nelson - boeln@... (teaching assistant)
Thomas Rosenstatter - thomas.rosenstatter@... (teaching assistant)
Charalampos Stylianopoulos - chasty@... (teaching assistant)
Carlo Brunetta - brunetta@... (teaching assistant)
Nasser Nowdehi (teaching assistant)
Course information
This course is part of a security specialization offered by the department which consists of four courses: Computer security, Network security, Language-based security and Cryptography.
We begin the course by looking at weaknesses that have plagued networked systems for years. We then continue with countermeasures like firewalls and security protocols such as SSL/TLS, SSH and IPsec and investigate in detail what makes them secure. The course also gives a survey of cryptographic tools and explains how they can be utilized in protocols and applications, for example how to provide secure user authentication over a public network.
Knowledge about possible threats and countermeasures is important not only for the network security specialist but also for application programmers and everyone else who wants to understand what level of security a system and an application can offer. By knowing the problems, future systems can be designed to be much more secure and reliable than today.
This course covers the underlying principles and techniques for network and communication security. Practical examples of security problems and principles for countermeasures are given. The course also surveys cryptographic and other tools used to provide security and reviews how these tools are utilized in protocols and applications.
Prerequisites for this course are good knowledge of communication principles and protocols (TCP, IP, ICMP, ARP, etc.). You must have taken at least one communications course before this course. We also recommend that you have taken the course Computer Security which shows how to think regarding security and discusses security issues in a wider perspective. Other relevant courses are Computer Networks and Cryptography which will make some topics easier to understand.
The course consists of a series of lectures and laboratory exercises. The laboratory exercises focus on network scanning, building firewalls, configuration of an intrusion detection system (IDS) and practical work with analyzing the SSL/TLS protocol. The course ends with a written exam. To pass the course, the exam must be passed and all laboratory exercises must be completed.
Reading material
The course consists of the following material:
- Text book including web chapters (see lecture plan for details)
- Mandatory reading material listed below
- Material presented at lectures such as slides
- Reading related to the lab work
Text book

William Stallings: Cryptography and Network Security, seventh edition ISBN 978-1-292-15858-7 or sixth edition ISBN 978-0-273-79335-9. The main difference is that in the latest edition chapter 17.3 about TLS does not exist but has been integrated with the rest of the text in chapter 17.
This book is shared with the Cryptography course. The book is to a large extent followed during the lectures, but some topics are missing or not deep enough so additional material is used in some lectures, see reading list below.
The book has a companion web page with student resources and useful links if you want to know more about a subject. There is an errata sheet for the book that you may want to check, and the book also has online chapters that are used in the course. You need the code printed in your book to access them.
It is also possible to use the book Network Security Essentials, also by William Stallings. It contains the same chapters but the cryptography part is omitted. Although it is almost half the size, the price is almost the same as for the full book.
Mandatory reading
The course book lacks information about certain topics. The following papers are therefore an integral part of the course and will be part of the exam. Some links go to research papers published by IEEE and ACM and can only be downloaded from the Chalmers network. These papers describe interesting and important security aspects and will also introduce you to research papers in the area, and reading such papers will be important for you in your future career. Please note that the list will be updated during the course. Information about future, upcoming, lectures is preliminary and may change.
- Lecture 1: The Secret Life of SIM cards. A video of how smart cards and SIM cards work and how to program them.
- Lecture 2: Authentication: Joshua Hill, Bugtraq mailing list, 12 November 2001: An Analysis of the RADIUS Authentication Protocol (ignore 4.2 about protocol improvements). Read it to see how a protocol is analyzed - the methodology is what we can learn from! RADIUS is also an important protocol and is widely used.
- Lecture 4: Security assessment of the IP protocol, RFC 6274, which is created from a paper published by Centre of Protection of National Infrastructure CPNI in the U.K. (a slightly older original with nicer formatting is available here). It is the general understanding that is important and what types of vulnerabilities there are, not the exact details about number of bytes, etc. You can skip chapter 3.13 (options), 3.14 (DiffServ) and 3.15 (ECN) - the last two are only available in the CPNI PDF document.
- Lecture 5: Security assessment of the TCP Protocol from CPNI and now an Internet draft (work in progress). The original with nicer formatting can be downloaded from here (read only chapter 5 to 8, 12 and 14).
- Lecture 8: NAT router security solutions, tips and tricks. A nice page explaining what security we can expect to get from using a NAT router/gateway as a firewall.
- Lecture 10: WLAN: Bittau, Handley, Lackey: The final nail in WEP's coffin (good overview of WEP insecurity and how to analyze a protocol). Copyrighted, only accessible from Chalmers network.
- Lecture 14: Kiravuo et al.: A Survey of Ethernet LAN Security, IEEE Communication Surveys & Tutorials, Vol 15, No. 3, 2013.
- And finally, an interesting report from Symantec summarizing many of the security problems we have seen in this course: A security analysis of Windows Vista's network implementation. Read pages 1-11, 16-22, 24-25 and 28. This paper is a good test that you have understood many of the topics discussed in the course.
Voluntary reading - if you want to know more about a topic
The reading list below provides more information about some topics for the interested. You don't need to study it for the exam. Some papers may explain things presented at lectures in a different way, something that may be useful for your understanding. And some other topics are just additional reading for the interested. Square bullets are used for published research articles in the field:
Authentication:
Cryptography:
- Assured, a Gothenburg-based company, has a very good security blog worth reading - although most info is in Swedish. They frequently summarize findings in ciphers and related issues.
- From Stanford magazine Nov 7, 2014: About the politics surrounding cryptography research. Describes the problems Stanford researchers Diffie and Hellman had when releasing their original work.
- Nigel Smart at University of Bristol has published a free book about cryptography and the latest edition can be downloaded freely. It covers everything from historical to current ciphers (PostScript format).
Tools:
Weaknesses:
Firewalls:
SSL/TLS, SSH:
Link-level security, DNSsec, etc.:
Remote access:
Security, general:
News announcements and security magazines. These resources can be useful for you in the future:
Claudia Castillo MPALG clacas@student...
Oscar Aspestrand MPCOM asoscar@student...
Artur Niederfahrenhorst Erasmus arturn@student...
Joel Andersson MPCSN joeland@student...
Examination
The examination will be in English and, as always, you have to register for the exam. The grades are 3, 4, and 5 (for GU G, VG) and based on the exam. In addition, all laboratory work including the written report must also be passed. No material is allowed at the exam except for an English dictionary in paper form (no electronic aids).
Examination dates are:
- May 29, 2017 08:30-12:30
- Aug 25, 2017 14:00-18:00
- Oct 06, 2017 14:00-18:00 M building