Technical Devices for Security Management Kathryn Hockman COSC 481

Outline Introduction Introduction Types of Devices Types of Devices Smart CardsSmart Cards Cryptographic tokensCryptographic tokens FirewallsFirewalls Biometric DevicesBiometric Devices Summery Summery

Introduction What kinds of technical devices are there for Security Management? What kinds of technical devices are there for Security Management? Smart CardsSmart Cards Cryptographic tokensCryptographic tokens Synchronous tokens Synchronous tokens Asynchronous tokens Asynchronous tokens FirewallsFirewalls Biometric DevicesBiometric Devices

Smart Cards A Smart Card is a card with embedded integrated circuits which can process information A Smart Card is a card with embedded integrated circuits which can process information A Smart Card can receive input which is processed and then gives output A Smart Card can receive input which is processed and then gives output In comparison to a “Dumb Card”, a Smart Card is secured so that only people with the enabling code (PIN) or using an authorized reader for the card can access the data stored on it. In comparison to a “Dumb Card”, a Smart Card is secured so that only people with the enabling code (PIN) or using an authorized reader for the card can access the data stored on it.

Cryptographic Tokens A Cryptographic Token is a device that is used to authenticate a user on a computer system. A Cryptographic Token is a device that is used to authenticate a user on a computer system. Two types: Two types: Synchronous tokensSynchronous tokens Asynchronous tokensAsynchronous tokens

Synchronous tokens Synchronous Token is a Cryptographic Token that is time-based and generates a value that is used in authentication Synchronous Token is a Cryptographic Token that is time-based and generates a value that is used in authentication The token’s value is valid for a set period of time before it changes, and is based on a secret key held by both the token and the server The token’s value is valid for a set period of time before it changes, and is based on a secret key held by both the token and the server Known Problem: Known Problem: Mistiming issuesMistiming issues

Asynchronous Token An Asynchronous Token is a device that uses a challenge-response mechanism to determine whether the user is valid. An Asynchronous Token is a device that uses a challenge-response mechanism to determine whether the user is valid. The server gives users a number, the user puts number into token to get response number for authentication The server gives users a number, the user puts number into token to get response number for authentication

Firewalls A Firewall is any device that prevents a specific type of information from the outside world to the inside world A Firewall is any device that prevents a specific type of information from the outside world to the inside world Types of Firewalls: Types of Firewalls: Packet filtering firewallsPacket filtering firewalls Application-level firewallsApplication-level firewalls Stateful inspection firewallsStateful inspection firewalls Dynamic packet filtering firewallsDynamic packet filtering firewalls

Application-level Firewalls An Application-level Firewall consists of dedicated computers kept separate from the first filtering router, used in conjunction with a separate or internal filtering router. An Application-level Firewall consists of dedicated computers kept separate from the first filtering router, used in conjunction with a separate or internal filtering router. It is also known as a proxy serverIt is also known as a proxy server

Stateful Inspection Firewalls Stateful Inspection Firewalls keeps track of each network connection established between internal and external system using a "state table“ Stateful Inspection Firewalls keeps track of each network connection established between internal and external system using a "state table“ Known Problem: Known Problem: Because of addition processing requirements of Stateful Inspection Firewalls, it makes DoS (Denial of Service) attacks easierBecause of addition processing requirements of Stateful Inspection Firewalls, it makes DoS (Denial of Service) attacks easier

Dynamic Packet Filtering Firewalls Dynamic Packet Filtering Firewalls allow only a particular packet with a specific source, destination, and port address to pass through the firewall Dynamic Packet Filtering Firewalls allow only a particular packet with a specific source, destination, and port address to pass through the firewall

Other Devices that involve Hybrid Firewall Systems Screened-host firewall system Screened-host firewall system Dual-homed host firewalls Dual-homed host firewalls Screened-subnet firewalls (with DMZ) Screened-subnet firewalls (with DMZ)

Screened-host Firewall System Screened-host Firewall System is a mix of a packet filtering router with a dedicated firewall like a proxy server Screened-host Firewall System is a mix of a packet filtering router with a dedicated firewall like a proxy server Can Include: Can Include: bastion hostbastion host A bastion host is a computer on a network that provides a single entrance and exit point to the Internet from the internal network and vice versa A bastion host is a computer on a network that provides a single entrance and exit point to the Internet from the internal network and vice versa sacrificial hostsacrificial host A computer server placed outside an organization's Internet Firewall to provide a service that might otherwise compromise the local net's security A computer server placed outside an organization's Internet Firewall to provide a service that might otherwise compromise the local net's security

Dual-homed Host Firewalls A Dual-homed Host Firewall uses two or more network interfaces. One connection is an internal network and the second connection is to the Internet. A Dual-homed Host Firewall uses two or more network interfaces. One connection is an internal network and the second connection is to the Internet. It works as a simple firewall provided there is no direct IP traffic between the Internet and the internal network. It works as a simple firewall provided there is no direct IP traffic between the Internet and the internal network.

Screened-subnet Firewalls (with DMZ) Screened-subnet Firewalls is made up of one or more screened internal bastion hosts behind a packet filtering firewall Screened-subnet Firewalls is made up of one or more screened internal bastion hosts behind a packet filtering firewall

Biometric Devices Certain Security Devices can use Biometrics to aide in Authentication Certain Security Devices can use Biometrics to aide in Authentication Biometrics are comprised of: Biometrics are comprised of: Something you areSomething you are Something you ProduceSomething you Produce

Biometrics Something you are: fingerprints fingerprints palm scan palm scan hand geometry hand geometry hand topography hand topography ID cards (face representation) ID cards (face representation) facial recognition facial recognition retina scan retina scan iris scan iris scan

Biometrics Something you produce: Something you produce: signature recognition signature recognition voice recognition voice recognition keystroke pattern recognition keystroke pattern recognition

Biometrics Problems with Biometrics: Problems with Biometrics: False Accept RateFalse Accept Rate Accepting Someone who should not have been Accepting Someone who should not have been False Reject RateFalse Reject Rate Rejecting someone who should not have been Rejecting someone who should not have been Crossover Rate Crossover Rate Place where the number of False Accepts and False Rejects is equalPlace where the number of False Accepts and False Rejects is equal

Summery Introduction Introduction Types of Devices Types of Devices Smart CardsSmart Cards Cryptographic tokensCryptographic tokens FirewallsFirewalls Hybrid Firewall SystemsHybrid Firewall Systems Biometric DevicesBiometric Devices