CS 5950/6030 Network Security Class 30 (W, 11/9/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.
CS 5950/6030 Network Security Class 30 (W, 11/9/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing. Third Edition by Pfleeger and Pfleeger. Using some slides (as indicated) courtesy of: Prof. Aaron Striegel — at U. of Notre Dame Prof. Barbara Endicott-Popovsky and Prof. Deborah Frincke — at U. Washington Prof. Jussipekka Leiwo — at Vrije Universiteit (Free U.), Amsterdam, The Netherlands Slides not created by the above authors are © by Leszek T. Lilien, 2005 Requests to use original slides for non-profit purposes will be gladly granted upon a written request.

7. Security in Networks (outline, Class 29)
Threats in Networks
  a) Introduction
  b) Network vulnerabilities
  c) Who attacks networks?
  d) Threat precursors
  e) Threats in transit: eavesdropping and wiretapping
  f) Protocol flaws
  g) Types of attacks
    1) Impersonation
    2) Spoofing
    3) Message confidentiality threats
    4) Message integrity threats
    5) Web site attacks
    6) Denial of service
    7) Distributed denial of service
    8) Threats to/by active or mobile code—PART 1
    8) Threats to/by active or mobile code—PART 2
    9) Scripted and complex attacks
  h) Summary of network vulnerabilities
7.3. Networks Security Controls
  a) Introduction
  b) Security threat analysis
  c) Impact of network architecture/design and implementation on security—PART 1

Threats to/by active or mobile code (6)
2) Script: resides on server S; when executed on S upon command of client C, it allows C to invoke services on S
  - Legitimate interaction of browser (run on C) with script (run by the script interpreter on S):
    - On C:
      - Browser organizes user input into script params
      - Browser sends string with script name + script params to S (e.g.,
    - On S:
      - Named script is executed by the script interpreter using the provided params, invoking the services called by the script
  - Attacker can intercept the interaction of browser with script
    - Attacker studies the interaction to learn about it
    - Once browser & script behavior is understood, attacker can handcraft the string sent from browser to script interpreter
      - Falsifies script names/parameters
      - Cf. incomplete mediation example with false price
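The "false price" case referred to above, worked through as an added example (this code is not from the slides or from Pfleeger): a server-side script that believes the price parameter the browser sends, beside a hardened version that re-derives the price from a server-side catalogue and rejects a client that supplies one. The catalogue, item names and query strings are constructed for the example.

```python
"""Added example (not from the original slides): incomplete mediation of a
script parameter, and the mediated version.  The catalogue, item names and
query strings below are constructed for the example."""
from urllib.parse import parse_qs

# Constructed server-side catalogue: the only authoritative source of prices.
CATALOGUE = {"book-101": 30.00, "pen-7": 1.50}


def parse_order(query_string):
    """Turn the string the browser sends (script name's params) into a dict."""
    params = parse_qs(query_string, strict_parsing=True)
    return {k: v[0] for k, v in params.items()}


def checkout_vulnerable(query_string):
    """Incomplete mediation: the script trusts whatever 'price' the client put
    in the request, so a handcrafted request buys a $30 book for $0.01."""
    p = parse_order(query_string)
    qty = int(p["qty"])
    price = float(p["price"])          # attacker-controlled value
    return round(qty * price, 2)


def checkout_hardened(query_string):
    """Complete mediation: the client may name only the item and quantity;
    the price comes from the server-side catalogue, the quantity is range
    checked, and a request that carries a price is refused outright."""
    p = parse_order(query_string)
    item = p.get("item")
    if item not in CATALOGUE:
        raise ValueError("unknown item")
    qty = int(p.get("qty", "0"))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    if "price" in p:
        # A client that sends a price is tampering; refuse rather than ignore.
        raise ValueError("client must not supply price")
    return round(qty * CATALOGUE[item], 2)


# What the browser legitimately sends vs. what an attacker handcrafts
# (both constructed for the example).
LEGIT = "item=book-101&qty=2&price=30.00"
FORGED = "item=book-101&qty=2&price=0.01"
```

The hardened version refuses rather than silently drops a client-supplied price: a request that carries a parameter the script never asked for is itself a signal that someone studied the browser/script exchange and is handcrafting requests.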

Threats to/by active or mobile code (10)
3) Active code (Recall: code pushed by S to C for execution on C)
  - As demand on server S's computing power grows, S uses client C's computing power
    - S downloads code to C (for execution on C), C executes it
  - Two main kinds of active code:
    (a) Java code (Sun Microsystems)
    (b) ActiveX controls (Microsoft)
  (a) Java code ...
  (b) ActiveX controls

Threats to/by active or mobile code (15)
4) Automatic execution by type = automatic invocation of the file-processing program implied by the file type
  - Two kinds of auto exec by type:
    (a) File type implied by file extension
      - E.g., MS Word automatically invoked for file.doc (happens also in other cases, e.g., for ActiveX controls)
    (b) File type implied by embedded type
      - File type is specified within the file
      - Example:
        - File named „class28” without extension has embedded info that its type is „pdf”
        - Double-clicking on class28 invokes Adobe Acrobat Reader
  - Both kinds of auto exec by type are BIG security risks!
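Kind (b) above is what a desktop does when it reads the type out of the file itself. As an added example (not from the slides), the check below recovers the embedded type from a file's leading bytes and flags the two cases auto-execution-by-type makes dangerous: a file with no extension that would still be opened by its embedded type (the „class28” case), and a file whose extension lies about its content. The signature table is a small constructed subset, and the sample files are constructed byte strings.

```python
"""Added example (not from the original slides): embedded-type detection by
file signature versus type-by-extension, with a verdict for the mismatches.
The signature table and the sample files are constructed for the example."""

# Leading bytes that identify a type regardless of the file name (constructed
# subset; real type handlers recognise many more).
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy .doc/.xls container
    (b"PK\x03\x04", "zip"),                          # also .docx/.jar/.apk
    (b"MZ", "exe"),                                  # Windows PE executable
]

EXTENSIONS = {"pdf": "pdf", "doc": "ole", "xls": "ole", "docx": "zip", "exe": "exe"}


def embedded_type(data):
    """Type implied by the file's own header, or None if not recognised."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return None


def extension_type(name):
    """Type implied by the file name only; None when there is no (known) extension."""
    if "." not in name:
        return None
    return EXTENSIONS.get(name.rsplit(".", 1)[1].lower())


def classify(name, data):
    """Return (extension_type, embedded_type, verdict).  The verdict names the
    two risky situations: no extension but an embedded type a desktop would
    act on, and an extension that disagrees with the embedded type."""
    by_ext, by_magic = extension_type(name), embedded_type(data)
    if by_ext is None and by_magic is not None:
        verdict = "no-extension-but-executable-by-embedded-type"
    elif by_ext is not None and by_magic is not None and by_ext != by_magic:
        verdict = "extension-mismatch"
    elif by_magic is None:
        verdict = "unrecognised"
    else:
        verdict = "consistent"
    return by_ext, by_magic, verdict


# Constructed sample files (only the leading bytes matter here).
SAMPLES = {
    "class28":     b"%PDF-1.4\n%...",                     # no extension, embedded pdf
    "notes.doc":   b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1...",
    "invoice.pdf": b"MZ\x90\x00...",                      # a PE executable named .pdf
    "readme.txt":  b"plain text",
}


def scan(samples=SAMPLES):
    """Verdict for every sample file, keyed by name."""
    return {name: classify(name, data)[2] for name, data in samples.items()}
```

A mail gateway or download handler that applies this check can quarantine the "extension-mismatch" and "no-extension-but-executable-by-embedded-type" cases before the desktop's auto-execution ever sees them.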

7.3. Networks Security Controls: Outline
  a) Introduction
  b) Security threat analysis
  c) Impact of network architecture/design and implementation on security—PART 1
  ...

c. Impact of network architecture/design & implementation on security (1)
  - Security principles for good analysis, design, implementation, and maintenance (as discussed in the sections on Pgm Security and OS Security) apply to networks
  - Architecture can improve security by:
    1) Segmentation
    2) Redundancy
    3) Eliminating single points of failure
    4) Other means

Class 29 Ended Here

7. Security in Networks (outline, Class 29 / Class 30)
Threats in Networks
  ...
  g) Types of attacks
    ...
    g-8) Threats to active or mobile code—PART 2
    g-9) Scripted and complex attacks
  h) Summary of network vulnerabilities
7.3. Networks Security Controls
  a) Introduction
  b) Security threat analysis
  c) Impact of network architecture/design and implementation on security—PART 1   [end of Class 29]
  c) Impact of network architecture/design and implementation on security—PART 2   [Class 30]
  d) Encryption
    i. Link encryption vs. end-to-end (e2e) encryption
    ii. Virtual private network (VPN)
    iii. PKI and certificates—PART 1

Impact of network architecture/design & implementation on security (5)
3) Single points of failure (SPF)
  - Architecture should eliminate SPFs, to prevent losing availability due to the exploit or failure of a single network entity
  - Using redundancy is a special case of avoiding SPFs
  - Network designers must analyze the network to eliminate all SPFs
  - Example of avoiding an SPF (without using redundancy):
    - Distribute 20 pieces of a database on 20 different hosts (so-called partitioned database)
    - Even if one host fails, 95% of the database contents (19/20 = 95%) are still available
  - Elimination of SPFs (whether using redundancy or not) adds cost

Impact of network architecture/design & implementation on security (6)
4) Other architectural means for improving security
  - Will be mentioned below as we discuss more network security controls

d. Encryption
  - Arguably the most important/versatile tool for network security
  - We have seen that it can be used for:
    - Confidentiality/Privacy
    - Authentication
    - Integrity
    - Limiting data access
  - Kinds of encryption in networks:
    i. Link encryption vs. end-to-end (e2e) encryption
    ii. Virtual private network (VPN)
    iii. PKI and certificates
    iv. SSH protocol
    v. SSL protocol (and its successor, the TLS protocol)
    vi. IPsec protocol suite
    vii. Signed code
    viii. Encrypted

(i) Link vs. end-to-end encryption (1)
1) Link encryption = between 2 hosts (S = sender's host, R = receiver's host)
  - Data encrypted just before they are placed on physical communication links
    - At OSI Layer 1 (or, perhaps, Layer 2)
  - Fig. 7-21, p. 431
  - Properties of link encryption (cf. Fig. 7-21):
    - Msgs/pkts unprotected inside S's/R's host
      - I.e., unprotected (in plaintext) at OSI layers 2-7 of S's/R's host
    - Packets protected in transit between all hosts
    - Pkts unprotected inside intermediate hosts
      - I.e., unprotected at OSI layers 2-3 of intermediate hosts => unprotected at the data link and network layers of intermediate hosts (if link encryption is at Layer 1)
      - Layers 2-3 provide addressing and routing, so each intermediate host must decrypt to read them

Link vs. end-to-end encryption (2)
  - Link encryption is transparent (invisible) to users, their applications, and their OSs
    - Encryption service provided by the physical (or data link) layer
    - Can use encryption h/w (link encryption device)
  - Message under link encryption: Fig. 7-22, p. 432
    - See which portions are encrypted, which exposed
    - Only the part of the data link header & trailer created after encryption is exposed
  - Link encryption is useful when the transmission line is the most vulnerable part of the network
    - I.e., when S's host, the intermediate hosts, and R's host are reasonably secure (so msgs/pkts at their Layers 2-7 can be exposed)

Link vs. end-to-end encryption (3)
2) End-to-end encryption = between 2 user applications
  - Data encrypted as „close” to the app as possible
    - At OSI Layer 7 (or, perhaps, Layer 6)
  - Fig. 7-23, p. 433
  - Properties of e2e encryption (cf. Fig. 7-23):
    - Msgs/pkts protected all the way, from the moment they „exit” S's app until they enter R's app
    - Msgs/pkts protected (in ciphertext) inside S's/R's host
    - Packets protected in transit between S's & R's hosts, including protection inside intermediate hosts
      - I.e., protected at OSI layers 1-3 of intermediate hosts
      - Layers 1-3 provide physical connectivity, addressing and routing for packets, and need only the (unencrypted) headers to do so

Link vs. end-to-end encryption (4)
  - E2e encryption is not transparent: it is visible to users or to their apps
    - Encryption service provided by the app or the OS
    - Possibly provided only upon the user's explicit request => visible to the user
    - Encryption by s/w
  - Message under e2e encryption: Fig. 7-24, p. 433
    - See which portions are encrypted, which exposed
    - Only the user's msg (user's data) is encrypted
    - All headers & trailers exposed (all created after encryption)
  - E2e encryption is useful when transmission lines and intermediate hosts are insecure

Link vs. end-to-end encryption (5)
  - Comparison of link vs. e2e encryption
    - Encryption of msgs/packets (whether link or e2e) is no silver bullet
      - No guarantees of msg/packet security
  1) Link encryption: encrypts all traffic over a physical link
    - Typically host H has one link into the network => link encryption encrypts all of H's traffic
    - Every H, including intermediate hosts, receiving traffic via link encryption must have decryption capabilities
      - Either (pairs of) hosts share a symmetric key, OR
      - Hosts use asymmetric keys
    - All hosts along a path from S to R must provide link encryption to prevent („partial”) packet exposure => usually link encryption is provided on all network links

Link vs. end-to-end encryption (6)
  2) End-to-end (e2e) encryption: encrypts traffic only between 2 apps („virtual crypto channel between 2 apps”)
    - Intermediate hosts don't need to decrypt and re-encrypt pkts => intermediate hosts don't need encryption facilities
      - All intermediate hosts save time/processing
    - Encrypts only some msgs between 2 apps
      - If there is no need to encrypt all msgs => even S's and R's hosts save time/processing
      - If needed, can encrypt all msgs
    - Using asymmetric keys requires fewer keys than using symmetric keys (n key pairs vs. n*(n-1)/2 pairwise keys for n communicating parties)

Link vs. end-to-end encryption (7)
  - Comparison conclusions
    - Link encryption:
      - Faster
      - Easier to use
      - Uses fewer keys (1 key pair per host pair vs. 1 key pair per app pair)
    - End-to-end (e2e) encryption:
      - More flexible
      - More selective (can select only some msgs for encryption)
      - User-level, can be integrated with the app
  - Decide whether link or e2e encryption is better for you
    - If needed for higher security, use link and e2e encryption together
      - E.g., a user who does not trust the network's link encryption can use an app with e2e encryption
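The two exposure patterns of slides (1) through (7) can be made concrete by tracing one packet across a path S, I1, I2, R and recording what each host holds below its application layer and what is on each wire. The simulation below is an added example, not code from the slides or from Pfleeger; the stream cipher is a toy built from SHA-256 (not for real use), and the path, keys, header and payload are constructed for the example. Under link encryption every host on the path decrypts the whole frame, so header and payload are in the clear inside every host; under e2e encryption only the payload is encrypted, once, so the header is readable on every wire but the payload is readable only at R.

```python
"""Added example (not from the original slides): what each host sees under
link encryption vs. end-to-end encryption.  The keystream cipher, hosts, keys
and message are toys constructed for the example."""
import hashlib


def keystream_xor(key, label, data):
    """Toy stream cipher (NOT for real use): XOR with a SHA-256 keystream
    derived from the key and a label.  XOR is its own inverse, so the same
    call both encrypts and decrypts."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


PATH = ["S", "I1", "I2", "R"]                       # sender, two routers, receiver
LINK_KEYS = {("S", "I1"): b"k-S-I1", ("I1", "I2"): b"k-I1-I2", ("I2", "R"): b"k-I2-R"}
E2E_KEY = b"k-app-S-R"                              # shared only by the two apps
HEADER = b"dst=R;src=S;"                            # layer-2/3 addressing info
PAYLOAD = b"transfer 100 to acct 42"                # application data


def link_encryption_trace(header=HEADER, payload=PAYLOAD):
    """Link encryption: the whole frame (header + payload) is encrypted per
    link and decrypted at every host so that host can route it.  Returns
    (what each host holds below the app layer, what is on each wire)."""
    seen, wire = {}, {}
    frame = header + payload
    for a, b in zip(PATH, PATH[1:]):
        seen[a] = frame                             # plaintext inside host a
        ct = keystream_xor(LINK_KEYS[(a, b)], b"link", frame)
        wire[(a, b)] = ct                           # nothing readable on the wire
        frame = keystream_xor(LINK_KEYS[(a, b)], b"link", ct)   # host b decrypts
    seen[PATH[-1]] = frame
    return seen, wire


def e2e_encryption_trace(header=HEADER, payload=PAYLOAD):
    """End-to-end encryption: S's app encrypts only the payload, once;
    intermediate hosts forward the frame using the cleartext header."""
    seen, wire = {}, {}
    ct_payload = keystream_xor(E2E_KEY, b"e2e", payload)
    frame = header + ct_payload
    for a, b in zip(PATH, PATH[1:]):
        seen[a] = frame                             # ciphertext payload inside host a
        wire[(a, b)] = frame                        # header in the clear on every wire
    seen[PATH[-1]] = header + keystream_xor(E2E_KEY, b"e2e", ct_payload)  # R's app decrypts
    return seen, wire


def exposure(trace, secret=PAYLOAD):
    """Hosts at which the application data sits in plaintext below the app layer."""
    seen, _ = trace
    return [h for h in PATH if secret in seen[h]]
```

Note what the trace does not show: link encryption hides the header on the wire (traffic analysis is harder) at the price of trusting every intermediate host, while e2e encryption leaks the addressing on every link but never hands the payload to a router. That is exactly the trade-off behind using both together.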

(ii) Virtual private network (VPN) (1)
  - Virtual private network (VPN) = connection over a public network giving its user the impression of being on a private network
    - It could be viewed as „logical link” encryption
    - It could also be viewed as e2e encryption between client & server
  - Protecting a remote user's connection with her network
    - Greatest risk for a remote connection via a public network: between the user's workstation (client) and the perimeter of the „home” network (with the server)
    - Firewall protects the network against external traffic (more later)
  [Figure: User's Workstation (Client), across the public network, to the Firewall at the Physically Protected Network Perimeter, behind which sits the Internal Server]

Virtual private network (VPN) (2)
  - Example VPN connection scenario
    - VPN restricts/filters access to the „home” server/network
      - Only „private” accesses allowed => access over the public network feels like private network access
    1 – C authenticates to the firewall (the firewall passes the user's authentication data to an authentication server [not shown], which decides whether authentication is OK)
    2 – Firewall replies with an encryption key (after negotiating a session encryption key with C)
    3 – C and S communicate via the encrypted tunnel
  [Figure: same topology as on the previous slide: User's Workstation (Client), Firewall at the Physically Protected Network Perimeter, Internal Server]

(iii) PKI and certificates (1)
  - Public key infrastructure (PKI) = enables use of public key cryptography (asymmetric cryptography)
    - Usually in a large & distributed environment
  - Elements of PKI:
    1) Policies (higher level than procedures)
      - Define rules of operation
      - E.g., how to handle keys and sensitive info
      - E.g., how to match control level to risk level
    2) Procedures (lower level than policies)
      - Dictate how keys should be generated, managed, used
    3) Products
      - Implement policies and procedures
      - Generate, store, manage keys

PKI and certificates (2)
  - PKI services:
    1) PKI creates certificates
      - A certificate binds an entity's identity to the entity's public key
      - Entity = user, or system, or application, or ...
    2) PKI gives out certificates from its database
    3) PKI signs certificates
      - Adding its credibility to the certificate's authenticity
    4) PKI confirms/denies the validity of a certificate
      - When queried about it
    5) PKI invalidates certificates
      - For entities that are no longer certified by the PKI, OR
      - For entities whose private key has been exposed
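The five services above, as an added example in code (not from the slides or from Pfleeger): a toy certificate authority that creates a certificate binding a name to a public key, signs it, hands it out from its repository, answers validity queries, and revokes it. Signatures use textbook RSA over fixed Mersenne primes so the run is deterministic; that is NOT a secure signature scheme (no padding, tiny moduli, fixed primes) and stands in for whatever signature algorithm a real PKI product uses. The CA name, subject name and keys are constructed for the example.

```python
"""Added example (not from the original slides): a toy PKI providing the
five services on the slide.  Textbook RSA with fixed primes is used only so
the example is self-contained and deterministic; it is insecure."""
import hashlib
import json


def rsa_keypair(p=2**31 - 1, q=2**61 - 1, e=65537):
    """Textbook RSA key pair from fixed primes (toy; insecure).
    Returns (public (n, e), private (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def digest_int(data, n):
    """Hash the data and reduce it into the RSA group (toy; no padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    n, d = priv
    return pow(digest_int(data, n), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest_int(data, n)


def encode(body):
    """Canonical bytes of a certificate body, so signer and verifier agree."""
    return json.dumps(body, sort_keys=True).encode()


class ToyPKI:
    """Certificate authority + certificate repository + revocation list."""

    def __init__(self, ca_pub, ca_priv):
        self.ca_pub, self.ca_priv = ca_pub, ca_priv
        self.repository = {}      # serial -> (certificate body, CA signature)
        self.revoked = set()      # serials that have been invalidated
        self._next_serial = 1

    def create(self, subject, subject_pub):
        """Services 1 and 3: bind identity to public key, then sign the binding."""
        body = {"serial": self._next_serial, "subject": subject,
                "public_key": list(subject_pub), "issuer": "ToyCA"}
        self._next_serial += 1
        cert = (body, sign(self.ca_priv, encode(body)))
        self.repository[body["serial"]] = cert
        return cert

    def give_out(self, serial):
        """Service 2: hand a stored certificate to whoever asks for it."""
        return self.repository.get(serial)

    def is_valid(self, cert):
        """Service 4: the CA signature must check out AND the serial must not
        be on the revocation list."""
        body, sig = cert
        return verify(self.ca_pub, encode(body), sig) and body["serial"] not in self.revoked

    def invalidate(self, serial):
        """Service 5: revoke, e.g. after the subject's private key is exposed."""
        self.revoked.add(serial)


if __name__ == "__main__":
    ca = ToyPKI(*rsa_keypair())
    alice_pub, alice_priv = rsa_keypair(p=2**89 - 1, q=2**107 - 1)   # distinct primes
    cert = ca.create("alice@example.test", alice_pub)
    print("valid before revocation:", ca.is_valid(cert))
    ca.invalidate(cert[0]["serial"])
    print("valid after revocation:", ca.is_valid(cert))
```

Two things the toy makes visible that the slide only states: validity is a two-part question (signature AND revocation status), so a verifier that checks only the signature will accept a certificate whose private key has already leaked; and the subject's key pair must not share primes with the CA's, since a common factor in two moduli lets anyone recover both private keys.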

End of Class 30