190 likes | 291 Views
Vulnerabilities and Safeguards in Networks with QoS Support. Dr. Sonia Fahmy CS Dept., Purdue University. Goals. Study, classify and rank vulnerabilities in a QoS enabled network. Model the various possible attacks and determine their effect on QoS experimentally.
E N D
Vulnerabilities and Safeguards in Networks with QoS Support Dr. Sonia Fahmy CS Dept., Purdue University
Goals • Study, classify and rank vulnerabilities in a QoS enabled network. • Model the various possible attacks and determine their effect on QoS experimentally. • Design usable, easily deployable and configurable, adaptive/reactive safeguards for such attacks, and study the tradeoffs involved.
Proposed Research • Study QoS, policy control and network security mechanisms in detail and formulate attacks possible in a QoS enabled network. • Study network simulation tools, model attacks and measure damage and performance loss • Implement the attacks on a QoS network test bed and evaluate damage and performance.
Proposed Research • Propose recommendations for safeguards against attacks. • Implement these safeguards both in simulated and actual networks. • measure their performance. • convert them to tools.
Possible Solutions • Using trustable entities. • Authentication mechanisms. • Securing policy control. • Constant monitoring of QoS provisioning. • Proposing design changes to make QoS networks inherently secure.
Components of QoS • Resource allocation • Admission and policy control • QoS based routing • Resource reservation • Resource usage and provisioning • Traffic shaping and policing • Buffer management and scheduling • Congestion Control • Traffic monitoring and Feedback
QoS Categories • Differentiated Services(DiffServ) • Classification at edges • Core only forwards • Potential points of attack • DSCP field and services based on it • QoS negotiations across edge routers • PHB, PHB groups, EF, AF
Components of QoS • Integrated Services • Best Effort Service • Controlled-Load Service: Performance as good as in an unloaded datagram network. No quantitative assurances • Guaranteed Service: • Firm bound on data throughput and delay. • Every element along the path must provide delay bound. • Is not always implementable, e.g., Shared Ethernet.
Policy Control • COPS protocol • PEPs and PDPs and their role
Network Security • Denial of service • Service overloading by flooding • Compromising routers by altering routing strategies • Exploit flaws in software implementation • Session Hijacking • Masquerading • Information Leakage • Unauthorized resource usage (Theft of service).
Security Issues • Attack Operations • Inject(I), Modify(M), Delay(Dl), Drop(Dr), Eavesdrop(E) • Points of Attack • Policy control mechanisms • Congestion control mechanisms • Resource configuration in routers • Resource usage in routers
Security Issues • Vulnerabilities Exploited • Design problems (eg. DSCP uncovered, SYN flooding) • Implementation issues (poor software, buffer overflow) • Interoperability issues • Complementary protocols
Types of Security Breaches • Theft of Service (Unauthorized use) • Modifying DSCP (M) • Injecting RSVP signaling messages (I) • Injecting malicious configuration (I) • Denial of Service • Compromising routers (Dr, Dl) • Re-marking packets (M) • Flooding (I)
Types of Security Breaches • Information Leakage • About QoS policies (E) • Data that goes through QoS enabled Network (E) • Session Hijacking / Masquerading • Seizing control of a session by injecting or maliciously modifying authentication packets (I and M)
Recommendations • Building good policy mechanisms • Securing PEPs like Edge routers and BBs (Authentication) • Encapsulation/Encryption important fields • Performing QoS measurements
Tools • Monitoring Resource Allocation • Monitoring signaling mechanisms • Monitoring QoS negotiations • Monitoring packet classifiers • Monitoring Resource Usage • Monitoring bandwidth utilization • Monitoring remarking of service levels • Monitoring routing strategies