Network Security
Shivkumar Kalyanaraman, Rensselaer Polytechnic Institute



Slide 2: Overview
- Common Network Attacks
- Security techniques: passwords, hash functions, one-time passwords, digital signatures, symmetric/asymmetric key cryptography
- IPSec, SSL, Kerberos, S/Key (+ mention of PAP, CHAP, RADIUS, TACACS)
- Firewalls

Slide 3: Common Network Attacks
- Sniffing/Snooping - monitoring the network for sensitive data and passwords
- Message Replays - sending a captured message repeatedly to a receiver ("replay attack")
- Message Alteration - modifying a message and sending it on
- Message Delay and Denial - lowering or removing quality of service in a network (AKA denial of service)
- Spoofing - making a packet appear to come from a location other than the one from which it was sent

Slide 4: Common Network Attacks
- SYN flooding:
    1  Z(x) ---SYN---> A
    ...
    2  X <---SYN/ACK--- A
    ...
    3  X <---RST--- A
- 1) The attacking host Z (using the spoofed source address X) sends a multitude of SYN requests to fill the target's backlog queue with pending connections.
- 2) The target A responds with SYN/ACKs to what it believes is the source of the incoming SYNs. All further requests to this TCP port will be ignored. The target port is flooded.

Slide 5: Common Network Attacks
- Avarice - a SYN/RST generator designed to disallow any TCP traffic on an Ethernet segment
  1) Listen for a 3-way handshake procedure to begin
  2) When one is detected, immediately generate a forged RST packet and send it back to the client
- The result is that no TCP-based connections can be negotiated, and therefore no TCP traffic can flow.

Slide 6: Common Network Attacks
- Sloth - a zero TCP window generator
  1) Detect a connection
  2) Transmit a spoofed TCP zero-size window advertisement
  3) The host stops sending data and starts sending window probes
  4) Constantly return zero-size windows

Slide 7: Common Network Attacks
- Land Attack - sends a spoofed packet with the SYN flag set whose source IP address and port number are the same as the destination's
- La Tierra - sends the same packet used in a Land attack, but to more than one port; on some systems (esp. NT) it doesn't matter whether the port is open or closed
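The attacks on slides 4 through 7 share two observable signatures a defender can look for in traffic: a growing number of half-open connections toward one port (SYN flood) and packets whose source endpoint equals their destination endpoint (Land). The following detector is an added example, not part of the lecture; the packet records, addresses and the alert threshold are constructed for illustration.

```python
"""Defender-side detector for two patterns from slides 4 and 7: SYN floods
(many half-open connections toward one port) and Land-style packets (source
address:port identical to destination address:port). Added example, not part
of the lecture; the traffic records and the threshold are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # subset of "SAR": SYN, ACK, RST (client -> server direction only)


def is_land_packet(p: Packet) -> bool:
    # A genuine connection never has identical endpoints on both sides.
    return "S" in p.flags and p.src == p.dst and p.sport == p.dport


def half_open_counts(packets):
    """Count SYNs per (dst, dport) that were never completed by the client's
    ACK (or torn down by its RST). Spoofed SYNs never complete, so the count
    grows with the flood, while a real client's entry disappears quickly."""
    pending = defaultdict(set)  # (dst, dport) -> {(src, sport), ...}
    for p in packets:
        key, peer = (p.dst, p.dport), (p.src, p.sport)
        if p.flags == "S":
            pending[key].add(peer)
        elif "A" in p.flags or "R" in p.flags:
            pending[key].discard(peer)
    return {k: len(v) for k, v in pending.items()}


def detect(packets, syn_threshold: int = 10):
    """Return human-readable alerts; the threshold is an illustrative assumption."""
    alerts = [f"land-style packet to {p.dst}:{p.dport}" for p in packets if is_land_packet(p)]
    for (dst, dport), n in half_open_counts(packets).items():
        if n >= syn_threshold:
            alerts.append(f"possible SYN flood: {n} half-open connections toward {dst}:{dport}")
    return alerts


# Constructed sample traffic: 12 spoofed SYNs, one completed handshake, one Land packet.
SAMPLE = (
    [Packet(f"10.0.0.{i}", 40000 + i, "192.0.2.10", 80, "S") for i in range(1, 13)]
    + [
        Packet("198.51.100.5", 51000, "192.0.2.10", 80, "S"),
        Packet("198.51.100.5", 51000, "192.0.2.10", 80, "A"),
        Packet("192.0.2.10", 139, "192.0.2.10", 139, "S"),
    ]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Only the client-to-server direction is modelled, which is what a filter in front of the server sees; a production detector would also age out stale half-open entries so that a slow trickle of abandoned SYNs does not accumulate into a false alarm.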

Slide 8: Security Requirements
- Authentication - establishing proof of identity
- Access Control - regulating access to some object (also called "authorization")
- Integrity - detecting that the data has not been tampered with
- Confidentiality - maintaining the privacy of sensitive data
- Non-repudiation - ability to prove that the sender actually sent the data

Slide 9: Authentication techniques
- Weak: clear-text password
- Strong: don't send secrets on the wire
  - One-time password (e.g. S/Key, RFC 2289):
    - User remembers a secret pass-phrase
    - Server issues a challenge (random #)
    - User applies a hash function to it multiple times to generate a new password
  - Simple challenge-response (e.g. CHAP):
    - Server encrypts a random number based upon the user's password ("challenge")
    - User decrypts & returns the result ("response")
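Both "strong" techniques on this slide keep the secret off the wire, and the code below shows why a captured value is useless to an eavesdropper. It is an added example, not code from the lecture: the S/Key part follows the hash-chain idea of RFC 2289 but uses SHA-256 in place of the RFC's MD4/MD5 with 64-bit folding, and the CHAP part uses the MD5(Identifier || secret || Challenge) response defined in RFC 1994. The pass-phrase, seed and secret values are constructed.

```python
"""One-time passwords (S/Key-style hash chain) and CHAP challenge-response.
Added example, not from the lecture. S/Key here uses SHA-256 rather than
RFC 2289's MD4/MD5 with 64-bit folding; CHAP follows RFC 1994 (CHAP-MD5)."""
import hashlib
import hmac
import os


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def skey_init(passphrase: str, seed: str, n: int) -> dict:
    """Server-side setup: store only the n-th hash of the secret, never the secret."""
    x = h((seed + passphrase).encode())
    for _ in range(n):
        x = h(x)
    return {"seed": seed, "count": n, "last": x}


def skey_client_response(passphrase: str, seed: str, count: int) -> bytes:
    """Client side: recompute the chain from the pass-phrase, stopping one step
    short of what the server holds. That value is this login's one-time password."""
    x = h((seed + passphrase).encode())
    for _ in range(count - 1):
        x = h(x)
    return x


def skey_verify(state: dict, otp: bytes) -> bool:
    """Server side: accept if h(otp) equals the stored value, then move the
    stored value back one step. A replayed otp no longer satisfies the check."""
    if state["count"] <= 0 or not hmac.compare_digest(h(otp), state["last"]):
        return False
    state["last"] = otp
    state["count"] -= 1
    return True


def chap_challenge():
    """Server picks a one-byte identifier and a random challenge value."""
    return os.urandom(1)[0], os.urandom(16)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994 CHAP-MD5: MD5 over Identifier, then the shared secret, then the challenge.
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server recomputes the expected response from its copy of the secret."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


if __name__ == "__main__":
    # Constructed values; a real deployment would start the chain much higher than 3.
    state = skey_init("correct horse battery", "rpi1", 3)
    print("first login ok:", skey_verify(state, skey_client_response("correct horse battery", "rpi1", 3)))
    ident, chal = chap_challenge()
    print("chap ok:", chap_verify(ident, b"s3cret", chal, chap_response(ident, b"s3cret", chal)))
```

The S/Key server stores a value from which the secret cannot be recovered (the hash is one-way) and each accepted password is a preimage of the previous one, so a sniffer who captures a login sees only values that are already spent; with CHAP the challenge changes per login, so a captured response does not match the next challenge.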

Slide 10: Authentication & authorization
- CHAP also allows server-controlled "re-authentication"
- Kerberos: single sign-on to multiple servers
- Alternative: digital signatures (discussed later) authenticate every message
- Authorization:
  - Which resources can this user access?
  - Achieved using "access control lists" (ACLs) stored in a database or directory
  - Client-server rather than peer-to-peer for better manageability (e.g. RADIUS vs CHAP/PAP)

Slide 11: Encryption techniques
- Symmetric encryption (e.g. DES, RC-4):
  - Share a secret ("key")
  - Encrypt text based upon the shared secret
  - Longer key (e.g. 128 bits) => more secure
- Advantages:
  - Less CPU intensive
  - Provides integrity verification and privacy
- Disadvantages:
  - Keys have to somehow reach receivers
  - Need one key for every receiver
  - Need a separate authentication infrastructure

Slide 12: Public Key Encryption (PKE)
- Asymmetric ("public-key encryption"); e.g. RSA, Diffie-Hellman
- Public key; private key
- Data -> public key -> private key -> Data
- Use the receiver's public key to encrypt and send data to the receiver ("body")
- Authentication => verify ownership of the private key: encrypt the message with the sender's private key ("signature")
- Problems:
  - Extremely CPU intensive, and slow
  - Need to secure private keys

Slide 13: Hash Functions, Message Digests, Digital Signatures
- Problem: the private-key based "signature" is too slow to generate and is a lot of overhead
- Solution:
  1. Convert the message into a smaller-sized, tough-to-guess numeric value using a "one-way hash function" (e.g. MD5, SHA)
  2. This numeric value (16-32 bytes) is called a "message digest" or a Message Authentication Code (MAC)
  3. Encrypt the MAC with the private key to create a "digital signature"
  4. The receiver generates the MAC, decrypts the digital signature and compares the two to authenticate

Slide 14: PKE (contd)
- PKE is slow => the text of the message is encrypted using symmetric encryption (e.g. DES): integrity and confidentiality
- Append a digital signature for authentication & non-repudiation
- Another problem with PKE:
  - Anyone can create a new public key and advertise it as belonging to a third party
  - Need to authenticate the advertiser of a public key, and later verify that the sender indeed has the corresponding private key

Slide 15: X.509 and Certificate Authorities (CAs)
- Solution:
  - Have a trusted third party (a "certificate authority", CA) authenticate the advertisement of a public key. E.g. Verisign
  - The CA digitally signs the public key advertisement: this creates an "X.509 certificate"
- Issues ("Public Key Infrastructure", PKI):
  - The CA should guard its private key closely
  - The CA does background checks on customers
  - The CA can provide several "grades" of certificates
  - Certificate registration (distribution of the CA's public key) must itself be secure
  - Scalability: need multiple, distributed CAs!

Slide 16: Putting it all together...
- Server:
  - Securely register with a CA
  - Distribute X.509 certificates, i.e. the public key
  - To send to a receiver, use the public key of the receiver
  - For the body: use symmetric encryption with a shared secret (aka "cookie"), which is itself exchanged using PKE
  - Append a signature: apply a hash function to the text to generate a MAC, and apply my private key

Slide 17: Putting it all together (contd)...
- Client:
  - Verify the X.509 certificate (public key) for the CA signature and certification; store it if ok
  - Use the private key to decrypt the remote's password, and use this to decode the text portion. This may involve matching a result with a crypto-checksum
  - If ok, then integrity and confidentiality are guaranteed
  - Use the standard hash function on the text to get a MAC
  - Apply the sender's public key to the digital signature to get a MAC value
  - Compare the two MACs. If equal, the message is authenticated and non-repudiable

Slide 18: SSL
- Session oriented, stateful. Integrated with HTTPS
- Client may optionally have an X.509 certificate
- Server is required to have an X.509 certificate
- Client verifies the server certificate; server performs optional client authentication
- Server private key verified with a "challenge"
- Agree on a shared secret for symmetric encryption
- A session ID is agreed upon and stored in the server cache => not necessary to re-authenticate
- Data transfer using 128-bit keys

Slide 19: SSL (contd)
- IETF standard = TLS: Transport Layer Security
- LDAP combined with X.509 certificates, presented through SSL, can achieve single "sign-on" access like Kerberos
- Problem: firewalls can't peek in (no "escrow")
  - Need a proxy server that terminates SSL sessions at the firewall, and no SSL within the enterprise
  - => client authentication cannot be done (the proxy server can't have the client's private key)

Slide 20: Kerberos
- Single sign-on authentication/authorization for the enterprise
- Kerberos V5 in Microsoft Win 2000
- Avoids the hassles of CAs and PKI, securing private keys, and private key portability
- Concepts:
  - Realms: each realm has a master Key Distribution Center (KDC), a trusted third party
  - 3 components:
    - Authentication server (AS): responsible for authenticating the user

Slide 21: Kerberos (contd)
    - Ticket granting server (TGS): gives access to specific servers to authenticated users
    - Secret key database
- Strong authentication:
  - User sends login name; AS sends a TGT (encrypted with a secret key based upon the user's password)
  - User enters password; the workstation attempts to decrypt the TGT using this password. After decryption, the user also gets a session key
  - Send an "authenticator" to the TGS, encrypted with the session key (a shared secret with the TGS), plus the name of the server, the TGT, and timestamps

Slide 22: Kerberos (contd)
- TGS decrypts the authenticator and gives a "service ticket"
- Gets a new session key to be shared between user and server
- Need to access more servers => connect to the TGS to get a service ticket, as long as the TGT has not expired
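Slides 20 to 22 describe the exchange in words; the toy below runs it end to end so the role of each key can be followed: the user's password-derived key unlocks only the session key, the TGS key seals the TGT, and each service has its own key for its tickets. This is an added example and not real Kerberos: the "encryption" is a SHA-256 keystream XOR with an HMAC tag standing in for Kerberos encryption types, the message fields are simplified, and the user, password and service names are constructed.

```python
"""Toy walk-through of the Kerberos exchange on slides 20-22: AS issues a TGT,
the client builds an authenticator for the TGS, the TGS issues a service
ticket with a fresh session key. Added example, not real Kerberos: the cipher
is a SHA-256 keystream XOR plus HMAC tag, standing in for Kerberos enctypes."""
import hashlib
import hmac
import json
import os
import time


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def derive_key(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()


# KDC state: the secret key database of slide 21 (constructed entries)
TGS_KEY = os.urandom(32)
USER_DB = {"alice": derive_key("alice-password")}
SERVICE_DB = {"fileserver": os.urandom(32)}
LIFETIME = 3600


def as_exchange(username: str):
    """AS: returns a TGT sealed under the TGS key and the session key sealed
    under the user's password-derived key. The password never goes on the wire."""
    session = os.urandom(32)
    tgt = seal(TGS_KEY, {"user": username, "key": session.hex(), "exp": time.time() + LIFETIME})
    return tgt, seal(USER_DB[username], {"tgs_key": session.hex()})


def client_unlock(password: str, for_user: bytes) -> bytes:
    """Workstation derives the key from the typed password and recovers the session key."""
    return bytes.fromhex(open_sealed(derive_key(password), for_user)["tgs_key"])


def make_authenticator(session_key: bytes, username: str) -> bytes:
    return seal(session_key, {"user": username, "ts": time.time()})


def tgs_exchange(tgt: bytes, authenticator: bytes, service: str, now=None):
    """TGS: opens the TGT with its own key, checks the authenticator with the
    session key found inside, then issues a service ticket and a new key."""
    now = time.time() if now is None else now
    t = open_sealed(TGS_KEY, tgt)
    if t["exp"] < now:
        raise PermissionError("TGT expired")
    session = bytes.fromhex(t["key"])
    a = open_sealed(session, authenticator)
    if a["user"] != t["user"] or abs(now - a["ts"]) > 300:  # 5-minute skew window
        raise PermissionError("authenticator rejected")
    svc_key = os.urandom(32)
    ticket = seal(SERVICE_DB[service], {"user": t["user"], "key": svc_key.hex(), "exp": now + LIFETIME})
    return ticket, seal(session, {"svc_key": svc_key.hex()})


def service_accepts(service: str, ticket: bytes) -> str:
    """The server opens the ticket with its own key and learns the authenticated user."""
    return open_sealed(SERVICE_DB[service], ticket)["user"]


def run_demo() -> dict:
    """Full login plus two failure cases; returns the outcomes."""
    tgt, for_user = as_exchange("alice")
    auth = make_authenticator(client_unlock("alice-password", for_user), "alice")
    ticket, _ = tgs_exchange(tgt, auth, "fileserver")
    out = {"service_user": service_accepts("fileserver", ticket)}
    try:
        client_unlock("wrong-password", for_user)
        out["wrong_password_rejected"] = False
    except ValueError:
        out["wrong_password_rejected"] = True
    try:
        tgs_exchange(tgt, auth, "fileserver", now=10**10)  # far in the future
        out["expired_tgt_rejected"] = False
    except PermissionError:
        out["expired_tgt_rejected"] = True
    return out
```

Note what each party can and cannot read: the workstation never sees the TGS key, so it cannot forge a TGT; the TGS never sees the password; and the file server only needs its own key to trust a ticket, which is why a single sign-on at the AS reaches every server in the realm without a CA.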

Slide 23: IPSec
- IPSEC: IP-level Security Protocol
- Encryption takes place between the transport and internet layers
- Designed to provide privacy, forgery detection, or both for IP packets
- Uses a security parameter index (SPI) to negotiate cryptographic and authentication algorithms
- Authentication header (AH) and encapsulating security payload (ESP)
- RFC 1825, 1826, 1827 and work in IPSec working group Internet drafts

Slide 24: Methods: Firewalls
- Security objectives:
  - Ensure controlled access to Internet services
  - Protect a distributed enterprise network from outsiders
  - Protect the whole range of Internet protocols currently in use
  - Public Internet access is available and cost is very important

Slide 25: Methods: Firewalls

Slide 26: Methods: Firewalls
- Firewall control mechanisms:
  - Packet filtering - based on the contents of individual packets
  - Circuit filtering - controls data by controlling the flow of data and blocking it if not permitted
  - Application gateway - processes and forwards messages specific to particular TCP/IP application protocols (AKA proxy)
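The first mechanism, packet filtering, decides on each packet alone from its interface, protocol, addresses and port. The rule evaluator below is an added example, not code from the lecture: rules are tried in order, the first match wins, and anything unmatched is denied. The network, rule set and sample packets are constructed; the anti-spoofing rule is the filter-level counterpart of the spoofing attack on slide 3.

```python
"""Stateless packet filter (slide 26): first matching rule wins, default deny.
Added example, not from the lecture; addresses, ports and rules are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str   # "outside" (Internet-facing) or "inside"
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    iface: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"              # CIDR
    dst: str = "0.0.0.0/0"              # CIDR
    dports: Optional[frozenset] = None  # None = any destination port
    comment: str = ""


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field of the rule must match; 'any' and None are wildcards."""
    return (
        rule.iface in ("any", pkt.iface)
        and rule.proto in ("any", pkt.proto)
        and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
        and (rule.dports is None or pkt.dport in rule.dports)
    )


def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason) from the first matching rule, else default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "deny", "default deny"


INTERNAL = "192.0.2.0/24"  # constructed enterprise prefix

# Order matters: the anti-spoofing deny must come before any allow.
RULES = [
    Rule("deny", iface="outside", src=INTERNAL,
         comment="anti-spoofing: internal source address arriving from outside"),
    Rule("allow", iface="outside", proto="tcp", dst="192.0.2.10/32",
         dports=frozenset({80, 443}), comment="public web server"),
    Rule("allow", iface="inside", src=INTERNAL, comment="outbound from internal hosts"),
]

if __name__ == "__main__":
    for pkt in [
        Packet("outside", "tcp", "203.0.113.7", "192.0.2.10", 80),
        Packet("outside", "tcp", "203.0.113.7", "192.0.2.10", 22),
        Packet("outside", "tcp", "192.0.2.55", "192.0.2.10", 80),
        Packet("inside", "udp", "192.0.2.55", "198.51.100.53", 53),
    ]:
        print(pkt, "->", decide(RULES, pkt))
```

Because each decision looks at one packet in isolation, this filter cannot tell a reply belonging to an established connection from an unsolicited packet; that is the gap the slide's circuit filtering (connection state) and application gateways (protocol awareness) fill.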

Slide 27: Methods: Firewalls
- Simple firewall router:

Slide 28: Methods: Firewalls
- Proxy:

Slide 29: Methods: Firewalls
- Perimeter network with bastion hosts

Slide 30: Summary
- Common Network Attacks
- Security techniques: passwords, hash functions, one-time passwords, digital signatures, symmetric/asymmetric key cryptography
- IPSec, SSL, Kerberos, S/Key (+ mention of PAP, CHAP, RADIUS, TACACS)
- Firewalls