css security in Networks-css-ps2
Computer Systems Security: Security in Networks (Security Controls), Topic 2
Pirooz Saeidi
Source: Pfleeger, Chapter 7

Network Security Controls
Agenda:
– Security Threat Analysis
– Design, Implementation and Architecture
– Control types
– Firewalls
– Intrusion Detection Systems
– Secure
– Summary and Conclusion

Network Security Controls
– We introduce a number of defence strategies available to the network security engineer, with details of three important controls:
1. Firewalls,
2. Intrusion Detection Systems, and
3. Encrypted

Security Threat Analysis
– The three steps of security threat analysis are:
1. Scrutinise all parts of the system.
2. Consider the possible damage to confidentiality, integrity and availability.
3. Speculate on the kind of attack.

Security Threat Analysis
– The individual parts of a network:
  – local nodes, connected through
  – local communication links to a
  – LAN, which also contains
  – local processes, storage and devices.
– The LAN is also connected to a gateway that provides access, through network communication links, to network control resources, routers, databases, etc.

Security Threat Analysis
– Possible threats and damage:
  – Intercepting data in traffic
  – Accessing or modifying data/programmes in remote hosts
  – Modifying data in transit
  – Blocking traffic
  – Impersonating a user
  – and more…
– The network security engineer anticipates these threats and uses the defences available.
– Such defences range from design and architecture to different types of controls.
– We will have a close look at these defences.

Design, Implementation and Architecture
– In previous lectures we elaborated on design and implementation issues.
– Similarly, a network's architecture and design can have a considerable effect on its security.
– In this context we will consider:
  – Segmentation
  – Redundancy
  – Single Points of Failure

Segmented Architecture
– Reduces the number of threats and limits damage.
– Consider an e-commerce application with the following parts:
  – A web server
  – Application code
  – Database of products
  – Database of orders
– We don't want to compromise the entire application by putting all of these activities on one machine. Instead we can use multiple segments.
(Diagram: Pfleeger & Pfleeger)

Other Architectural Controls
– Redundancy. Example: provide more than one server and use failover mode:
  – The servers communicate periodically with each other.
  – If one fails, the other takes over processing for both.
– Avoid Single Points of Failure. Example: distribute parts of a database in different segments.
Controls: Encryption
– Two forms:
  – Link Encryption: between hosts
  – End-to-end Encryption: between applications

Link Encryption
– Data is encrypted just before it is placed on the physical link.
– Takes place in layers 1 & 2 of the OSI model.
– Appropriate when the transmission line is vulnerable.
(Diagram: Pfleeger & Pfleeger)
– Example of a typical link-encrypted message.
– Some of the header/trailer information may be applied before encryption takes place.

End-to-end Encryption
– Encryption can be applied by hardware as well as software at the highest layers.
(Diagram: Pfleeger & Pfleeger)
– Example: an encrypted message.
(Diagram: Pfleeger & Pfleeger)
– Messages sent to several hosts are protected, and the data content is still encrypted while in transit even if it passes through potentially insecure nodes.
Virtual Private Networks (VPN)
– With link encryption the users may think they are on a private network; hence the term VPN.
– The greatest exposure for a user is between his/her machine and the perimeter of the host network.
– A VPN can deploy firewalls to implement an encrypted connection between a user's distributed sites over a public network.
– Communication passes through an encrypted tunnel.
– The VPN is created when the firewall interacts with an authentication service inside the perimeter.
– Any communication is done through the encrypted tunnel.
(Diagram: Pfleeger & Pfleeger)
– The firewall implements access control on the basis of the VPN.
– Example of a VPN with privileged access: the firewall passes to the internal server the privileged identity of User2.
(Diagram: Pfleeger & Pfleeger)
Public Key Infrastructure (PKI) and Certificates
– PKI is used to implement public key cryptography.
– Offers each user a set of services for access control and identification.
– Integrates digital certificates, public-key cryptography, and certificate authorities into a total, enterprise-wide network security architecture.
– Involves a registration authority that acts as an interface between the user and the certificate authority.
– More information from:

Secure Shell (SSH) Encryption
– SSH is a pair of protocols originally for Unix but now available in Windows 2000.
– Provides an authenticated and encrypted path to a shell or command line interpreter.
– Replaces utilities such as Telnet, rlogin and rsh for remote access.
– Protects against spoofing attacks and modification of data in communication.

Secure Socket Layer (SSL) Encryption
– SSL is designed to protect communication between a web browser and a server.
– Interfaces between applications and the TCP/IP protocols to provide server authentication.
– Client and server negotiate a mutually supported set of algorithms for session encryption and hashing.
– To use SSL:
  1. The client requests an SSL session.
  2. The server responds with its public key certificate, with which the client authenticates the server.
  3. The client returns part of a symmetric session key, encrypted under the server's public key.
  4. Client and server both compute the session key and switch to encrypted communication using the shared session key.
IP Security Protocol (IPSec)
– Adopted by IPv6; addresses many shortcomings of conventional IP such as spoofing, session hijacking, …
– Implemented at the IP layer, so it affects all layers above it, including TCP and UDP.
– Works similarly to SSL in terms of authentication and confidentiality, and is independent of the cryptographic protocols used.
– IPSec is based on the security association, a set of security parameters for a secured communication channel.
– The main data structures of IPSec are AH (Authentication Header) and ESP (Encapsulated Security Payload).
– ESP replaces the TCP header and data portion of a packet.
Packets: (a) Conventional Packet; (b) IPSec Packet.
(Diagram: Pfleeger & Pfleeger)
– ESP replaces the conventional TCP header and data portion of a packet and contains both an authenticated portion and an encrypted portion.
The Encapsulated Security Packet
(Diagram: Pfleeger & Pfleeger)
Content Integrity Controls
– Guarding against modification in transmission. We can use methods such as:
  – Error Correcting Codes
  – Cryptographic checksums

Error Correcting Codes
– Error Detection Codes:
  – Parity checking (odd or even parity bit). Usually used to detect non-malicious changes (e.g. noise).
  – Hash code: a unique signed number returned by a hash function.
  – Huffman code: a data compression method that changes the length of the encoded token in proportion to its information content; that is, the more frequently a token is used, the shorter the binary string used to represent it in the compressed stream.
– Error Correction: correct without retransmission.

Cryptographic Checksum
– Also called a message digest: a cryptographic function that produces a checksum.
– The checksum is assigned to a file and used to "test" the file at a later stage, to verify that the data contained in the file has not been maliciously changed.
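Added example (not from the slides or from Pfleeger) contrasting the two integrity controls above on a constructed message: a parity bit catches a single noise-flipped bit but is blind to an even number of deliberate flips, while a keyed cryptographic checksum (HMAC-SHA256, an assumed choice of function) cannot be recomputed by someone who can alter the file but lacks the key.

```python
import hashlib
import hmac

# Constructed sample "file" contents for the demonstration.
ORIGINAL = b"PAY 100.00 TO ACCOUNT 12345"


def parity_bit(data: bytes) -> int:
    """Even parity over every bit of the data: 0 if the number of 1 bits is even."""
    ones = sum(bin(b).count("1") for b in data)
    return ones % 2


def parity_ok(data: bytes, stored_parity: int) -> bool:
    return parity_bit(data) == stored_parity


def flip_bits(data: bytes, positions) -> bytes:
    """Flip the given bit positions (bit 0 = least significant bit of byte 0)."""
    out = bytearray(data)
    for pos in positions:
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


def message_digest(data: bytes) -> str:
    """Unkeyed cryptographic checksum (message digest)."""
    return hashlib.sha256(data).hexdigest()


def keyed_checksum(key: bytes, data: bytes) -> str:
    """Keyed cryptographic checksum: only a holder of the key can produce it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def keyed_checksum_ok(key: bytes, data: bytes, tag: str) -> bool:
    # Constant-time comparison, so the check does not leak how much of the tag matched.
    return hmac.compare_digest(keyed_checksum(key, data), tag)


def noise_is_detected_by_parity() -> bool:
    """Line noise that flips one bit changes the parity, so the check fails as intended."""
    p = parity_bit(ORIGINAL)
    noisy = flip_bits(ORIGINAL, [3])
    return not parity_ok(noisy, p)


def two_bit_change_evades_parity() -> bool:
    """An even number of flipped bits leaves the parity unchanged: parity is a
    defence against random noise, not against deliberate modification."""
    p = parity_bit(ORIGINAL)
    tampered = flip_bits(ORIGINAL, [3, 11])
    return tampered != ORIGINAL and parity_ok(tampered, p)


def keyed_checksum_detects_tampering(key: bytes) -> bool:
    """The checksum assigned to the file earlier no longer matches the altered file,
    and a checksum recomputed without the real key does not verify either."""
    tag = keyed_checksum(key, ORIGINAL)              # assigned when the file was stored
    tampered = ORIGINAL.replace(b"100.00", b"900.00")
    forged_tag = keyed_checksum(b"guessed-key", tampered)
    return (not keyed_checksum_ok(key, tampered, tag)
            and not keyed_checksum_ok(key, tampered, forged_tag))
```

An unkeyed digest gives the same protection only while the stored digest itself is kept where the modifier cannot reach it; the keyed form removes that dependency.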
Strong Authentication Controls
– Networked environments, as well as both ends of a communication, need authentication.
– We will consider the following methods:
  – One-Time Password
  – Challenge-Response Systems
  – Digital Distributed Authentication
  – Kerberos

One-Time Password
– Guards against wiretapping and spoofing.
– A password is effective only once.
– Uses a secretly maintained password list, or
– each user can use a device to generate a new password every minute (the computation is based on the value of the current "time" interval).
– Within the same "minute" the receiving computer must be able to compute the same password to match.

Challenge-Response Systems
– The user authenticates to a simple device by means of, say, a PIN.
– The system prompts the user with a new challenge for each use:
  – The remote system sends a random number (the "challenge"), which the user enters into the device.
  – The device responds to that number with another number, which the user transmits to the system, and so on.
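Added example (not from the slides) covering both the time-based one-time password and the challenge-response device described above. It assumes a shared secret provisioned into the user's device and known to the server, derives each password with HMAC-SHA256 over the current minute counter (an assumed construction), and shows the two server-side checks that make the password usable only once: a replayed minute is refused, and an answered challenge is discarded.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed shared secret: provisioned into the user's device and stored by the server.
SECRET = b"constructed-demo-secret"


def time_interval(now: float, step: int = 60) -> int:
    """The one-minute "time" interval that both sides compute the password from."""
    return int(now // step)


def time_password(secret: bytes, interval: int, digits: int = 6) -> str:
    """Password for one interval: an HMAC of the interval counter, truncated to digits."""
    mac = hmac.new(secret, struct.pack(">Q", interval), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                     # pick 4 bytes at a MAC-dependent offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Receiving computer: recompute the password for the current minute (and the
    neighbouring ones, to tolerate clock drift) and refuse any minute already used."""

    def __init__(self, secret: bytes, drift: int = 1):
        self.secret, self.drift = secret, drift
        self.used = set()

    def verify(self, password: str, now: float) -> bool:
        current = time_interval(now)
        for interval in range(current - self.drift, current + self.drift + 1):
            if interval in self.used:
                continue                        # already consumed: a wiretapped replay
            if hmac.compare_digest(time_password(self.secret, interval), password):
                self.used.add(interval)
                return True
        return False


def device_response(secret: bytes, pin: str, challenge: bytes) -> str:
    """What the hand-held device computes once the user has unlocked it with the PIN.
    The key mixes in the PIN, so a stolen device without the PIN gives wrong answers."""
    key = hashlib.sha256(secret + pin.encode()).digest()
    return hmac.new(key, challenge, hashlib.sha256).hexdigest()[:16]


class ChallengeResponseServer:
    """Remote system: issues a fresh random challenge per use and accepts one answer to it."""

    def __init__(self, secret: bytes, pin: str):
        self.key = hashlib.sha256(secret + pin.encode()).digest()
        self.pending = {}                       # user -> challenge not yet answered

    def challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(16)
        self.pending[user] = c
        return c

    def check(self, user: str, response: str) -> bool:
        c = self.pending.pop(user, None)        # each challenge may be answered once
        if c is None:
            return False
        expected = hmac.new(self.key, c, hashlib.sha256).hexdigest()[:16]
        return hmac.compare_digest(expected, response)
```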
Authentication in Distributed Systems – Kerberos
– Designed at MIT.
– Used for authentication between clients and servers.
– Based on the idea that a central server provides authenticated tokens, called tickets, to requesting applications.
– A ticket is non-forgeable and non-replayable.

Authentication in Distributed Systems – Kerberos
– Kerberos's design goal was to enable systems to withstand attacks in distributed systems. The main characteristics are:
1. No passwords are communicated on the network.
  – The user's password is stored only at the Kerberos server.
  – It is not sent from the user's workstation when it initiates a session.
2. Provides cryptographic protection against spoofing.
  – Each access is mediated by a ticket-granting server,
  – which knows the identity of the user based on the authentication performed initially by the server.
3. Limited period of validity (of tickets).
  – Tickets contain timestamps with which the server determines the ticket's validity.
  – The attacker therefore will not have time to complete a long-term attack.
  – Timestamps prevent replay attacks. In a replay attack a valid data transmission is maliciously or fraudulently repeated or delayed.
  – The server compares the timestamps of requests with the current time, and accepts requests only if they are reasonably close to the current time.
  – This time-checking prevents most replay attacks, since the attacker's presentation of tickets will be delayed.
4. Mutual authentication.
  – The user of a service can be assured of any server's authenticity by requesting an authenticating response from the server.

Authentication in Distributed Systems – Kerberos
– Uses public key technology for key exchange.
– A central server provides authenticated tokens, called tickets, to requesting applications.
– A ticket is an encrypted data structure naming a user and a service the user has permission to access.

Kerberos
– The user first establishes a session with the Kerberos server as follows:
  – The user's workstation sends the user's identity to the Kerberos server.
  – The Kerberos server verifies that the user is authorised by sending two messages: one to the user and the other to the ticket-granting server.
– The user's message contains:
  – a session key S_G to communicate with the ticket-granting server G, and a ticket T_G.
  – S_G is encrypted under the user's password: E(S_G + T_G, PW)
– The ticket-granting server's message contains:
  – a copy of the session key S_G and the encrypted identity of the user.
– If the workstation can decrypt E(S_G + T_G, PW) using PW, then the user has been successful in authentication.
Diagram shows how a Kerberos session is initiated.
(Diagram: Pfleeger & Pfleeger)

Kerberos
– Now the user (U) wants to access the services of the distributed system (say, access file F).
– Using key S_G, the user requests a ticket from the ticket-granting server to access file F.
– The ticket-granting server verifies U's access permission and returns a ticket and a session key.
– The ticket contains the following:
  – U's authenticated identity
  – An identification of F
  – Access rights
  – A session key S_F (with the file server)
  – Ticket expiry date
Diagram shows how a ticket can be obtained to access a file.
(Diagram: Pfleeger & Pfleeger)
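Added example (not from the slides or from Pfleeger) that walks the whole exchange above in code: login yielding E(S_G + T_G, PW), a ticket request to G under S_G, and presentation of T_F to the file server, with the four characteristics enforced (no password on the wire, tickets that only the named server can open, timestamp and expiry checks that reject replayed or delayed presentations, and a mutual-authentication reply). It assumes, as in real Kerberos, that G's copy of S_G travels inside T_G encrypted under G's own key K_G rather than as a separate message, and E/D are a toy authenticated cipher written for the illustration, not a cipher to reuse.

```python
import hashlib
import hmac
import json
import os
# Toy authenticated encryption standing in for the slides' E(message, key). Illustration only:
# keystream = SHA-256(key || nonce || counter), tag = HMAC-SHA256 over nonce || ciphertext.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def E(obj, key: bytes) -> bytes:
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def D(blob: bytes, key: bytes):
    """Inverse of E; raises ValueError if the tag fails (wrong key, or tampering)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("message does not verify")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def key_from_password(pw: str) -> bytes:
    return hashlib.sha256(pw.encode()).digest()
LIFETIME = 8 * 3600   # ticket validity in seconds (constructed policy values)
SKEW = 300            # an authenticator's timestamp must be this close to the server's clock

class KerberosServer:
    """Holds user passwords and the ticket-granting server's key K_G."""
    def __init__(self, users: dict, k_g: bytes):
        self.users, self.k_g = users, k_g
    def login(self, user: str, now: float) -> bytes:
        s_g = os.urandom(32)
        t_g = E({"user": user, "key": s_g.hex(), "expires": now + LIFETIME}, self.k_g)
        # The password never crosses the network: only E(S_G + T_G, PW) does.
        return E({"S_G": s_g.hex(), "T_G": t_g.hex()}, key_from_password(self.users[user]))

class TicketServer:
    """Checks shared by the ticket-granting server G and the file server F."""
    def __init__(self, key: bytes):
        self.key, self.seen = key, set()
    def open_ticket(self, ticket: bytes, authenticator: bytes, now: float):
        t = D(ticket, self.key)                        # a forged ticket fails here
        if now > t["expires"]:
            raise ValueError("ticket expired")
        a = D(authenticator, bytes.fromhex(t["key"]))  # proves the sender holds the session key
        if a["user"] != t["user"] or abs(now - a["time"]) > SKEW:
            raise ValueError("authenticator stale or for another user")
        if (a["user"], a["time"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((a["user"], a["time"]))
        return t, a

class TicketGrantingServer(TicketServer):
    def __init__(self, k_g: bytes, service_keys: dict):
        super().__init__(k_g)
        self.service_keys = service_keys
    def grant(self, t_g: bytes, auth: bytes, target: str, now: float) -> bytes:
        t, _ = self.open_ticket(t_g, auth, now)
        s_f = os.urandom(32)
        t_f = E({"user": t["user"], "file": target, "rights": "read",
                 "key": s_f.hex(), "expires": now + LIFETIME}, self.service_keys[target])
        return E({"S_F": s_f.hex(), "T_F": t_f.hex()}, bytes.fromhex(t["key"]))

class FileServer(TicketServer):
    def serve(self, t_f: bytes, auth: bytes, now: float):
        t, a = self.open_ticket(t_f, auth, now)
        # Mutual authentication: only a server holding K_F could recover S_F to answer.
        return t["rights"], E({"time": a["time"] + 1}, bytes.fromhex(t["key"]))

def workstation_session(kdc, tgs, fs, user: str, pw: str, now: float):
    """The user's side of the whole exchange; returns (rights, T_F, authenticator)."""
    m = D(kdc.login(user, now), key_from_password(pw))   # fails if PW is wrong
    s_g, t_g = bytes.fromhex(m["S_G"]), bytes.fromhex(m["T_G"])
    r = D(tgs.grant(t_g, E({"user": user, "time": now}, s_g), "F", now), s_g)
    s_f, t_f = bytes.fromhex(r["S_F"]), bytes.fromhex(r["T_F"])
    auth_f = E({"user": user, "time": now + 1}, s_f)
    rights, proof = fs.serve(t_f, auth_f, now + 1)
    if D(proof, s_f)["time"] != now + 2:
        raise ValueError("file server failed mutual authentication")
    return rights, t_f, auth_f

def attempt(fn, *args) -> str:
    """Run one protocol step and report the outcome instead of raising."""
    try:
        fn(*args)
        return "accepted"
    except ValueError as e:
        return f"rejected: {e}"
```

Presenting a captured T_F and authenticator again, or after a delay longer than SKEW, is refused by open_ticket before any file access happens.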
Access Control
– Access control enforces the "what" and "how" of security control policies.
– Mechanisms such as:
  – ACLs on routers
  – Firewalls
– We will look at them later.

ACLs on Routers
– Routers can be configured with ACLs to deny access to particular hosts from particular hosts.
– This is very expensive and brings a large load to routers.
– Routers inspect the source and destination addresses. But with UDP datagrams, attackers can forge the source address so that their attack cannot be blocked by the router's ACL.
– Limited and restricted use of ACLs is a more viable option.

Honeypot Controls
– Like catching a mouse, we can set a trap with an attractive bait!
– A honeypot is a computer system or a network segment left open to attackers in order to:
  – see what the attackers do;
  – tempt the attacker to a place where you can learn his/her habits and stop future attacks;
  – make a playground to divert him/her from the real system.

Firewalls
– A firewall is a device, software, or a combination of both, designed to prevent unauthorised users from accessing a network and/or a single workstation.
– Networks usually use hardware firewalls, which are implemented at the router level. These firewalls are expensive and difficult to configure.
– Software firewalls are used on single workstations; they are usually less expensive and easier to configure.
– Firewalls inspect each individual inbound or outbound packet of data to or from the system and check whether it should be allowed to enter or otherwise be blocked.

Types of firewalls
– Packet filtering gateways or screening routers
– Stateful inspection firewalls
– Application proxies
– Guards
– Personal firewalls

Packet filtering gateways
– Control is based on the packet address or a specific transport protocol (e.g. HTTP).
– Example: a packet filter can block traffic using the Telnet protocol but allow HTTP traffic.

Stateful inspection firewalls
– Keep a history of previously seen packets to make better decisions about current and future packets.
– Useful to counter attacks which force very short packets into, say, a TCP packet stream.
– Remember that TCP packets may arrive in a different order, and a packet filter will not be able to detect the signature of an attack split across two or more packets.
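Added example (not from the slides) contrasting the two firewall types above on constructed traffic: a rule list in the style of the packet filter (block Telnet, allow HTTP, default deny) decides on headers only, while a stateful inspector keeps per-connection history, reassembles segments by sequence number and so finds an attack signature that was split across three short, out-of-order TCP packets. The rule set, the signature string and the addresses are all constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    seq: int = 0
    payload: bytes = b""


# Packet filter rules as on the slides: first matching rule decides; keys absent from a
# rule are wildcards. (Constructed rule set.)
RULES = [
    {"proto": "tcp", "dport": 23, "action": "deny"},    # block Telnet
    {"proto": "tcp", "dport": 80, "action": "allow"},   # allow HTTP
    {"action": "deny"},                                  # default deny
]


def filter_packet(pkt: Packet, rules=RULES) -> str:
    """Header-only decision of a packet filtering gateway."""
    for rule in rules:
        if all(getattr(pkt, k) == v for k, v in rule.items() if k != "action"):
            return rule["action"]
    return "deny"


ATTACK_SIGNATURE = b"EVIL-COMMAND"   # constructed signature for the demonstration


def stateless_signature_check(pkt: Packet) -> bool:
    """Looks at one packet in isolation, so it misses a signature split across packets."""
    return ATTACK_SIGNATURE in pkt.payload


class StatefulInspector:
    """Keeps the history of each connection, reorders segments by sequence number and
    scans the reassembled byte stream, not the individual packets."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.streams = {}   # (src, dst, dport) -> {seq: payload}

    def inspect(self, pkt: Packet) -> str:
        if filter_packet(pkt, self.rules) == "deny":
            return "deny (rule)"
        segs = self.streams.setdefault((pkt.src, pkt.dst, pkt.dport), {})
        segs[pkt.seq] = pkt.payload
        # Reassemble the contiguous run of bytes starting at the lowest sequence seen;
        # a gap (a segment still in flight) simply stops the run for now.
        stream, expect = b"", min(segs)
        while expect in segs:
            stream += segs[expect]
            expect += len(segs[expect])
        if ATTACK_SIGNATURE in stream:
            return "deny (signature in reassembled stream)"
        return "allow"


def demo() -> dict:
    """Constructed attack: the signature is split over three short segments sent out of order."""
    pieces = ((0, b"GET /?q="), (8, b"EVIL-"), (13, b"COMMAND HTTP/1.0"))
    segs = [Packet("10.0.0.5", "192.0.2.10", "tcp", 80, seq=1000 + off, payload=p)
            for off, p in pieces]
    out_of_order = [segs[2], segs[0], segs[1]]
    insp = StatefulInspector()
    return {"stateless": [stateless_signature_check(p) for p in out_of_order],
            "stateful": [insp.inspect(p) for p in out_of_order]}
```

The stateless check never fires because no single packet carries the whole signature; the stateful inspector allows the first two segments and denies as soon as the third completes the stream.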
Application Proxies
– Packet filters deal with header information but not the data inside the message. So the SMTP example we saw in the tutorial last week leaves a back door open to anything inbound on port 25.
– Also, a flawed application that acts on behalf of the user (e.g. an agent), with all the user's privileges, can cause damage.
– Application proxies have access to the entire range of information in the network stack. They can also filter harmful or disqualified commands in the data stream.
– The proxy controls actions through the firewall on the basis of the data visible inside the protocol, and not just on external header information.

Next lecture
– Will conclude network security by looking at two more controls:
  – and
  – Intrusion Detection Systems