Chapter 7 Security in Networks. Figure 7-1 Simple View of Network.


Terminology Node: single computing system in a network. Link: connection between two hosts. Workstation: end user computing device for a single user. System: collection of processors and a mixture of workstations.

More Complex Network

Media Cable: ◦ UTP unshielded twisted pair  Cat 5 uses pins 1, 2, 3 & 6.  Cat 6 uses all 4 pairs of wires. Optical: fiber, gigabit, 2.5 mile limit. Microwave: line of sight. Infrared: up to 9 miles. ◦ Portable devices.

Wireless Media Wireless: interference at the 2.4 GHz range. Table: Wireless Type / Top Speed (Mbps) / Frequency (GHz), one row each for 802.11 a, b, g, and n (n: 2.4 or 5 GHz); the speed and frequency values did not survive in the transcript.

Figure 7-3 Microwave Transmission. Line-of-sight About 30 miles

Figure 7-4 Satellite Communication. Geosynchronous orbit.

OSI Model Physical Data Link Network Transport Session Presentation Application

OSI Layers Application – access to the OSI environment and distributed IS. Presentation – hides implementation details of the data. Session – controls communication between applications; sets up/connects/terminates connections. Source: Stallings, W. (2007). Data and computer communications (8th ed.). Upper Saddle River, NJ: Pearson Prentice Hall.

OSI Layers (Cont’d) Transport – reliable communications, end-to-end recovery and flow control Network – isolates upper layers from connectivity details Data Link – controls block transmission (error, flow, synchronization) Physical – unstructured data transmission Source: Stallings, W. (2007). Data and computer communications (8th ed.). Upper Saddle River, NJ: Pearson Prentice Hall.

Sample Flow (figure): data passes down the seven layers (Application, Presentation, Session, Transport, Network, Data Link, Physical) on the sending host, crosses the link, and passes up the same seven layers on the server.

Internet Protocol Stack: Physical, Data Link Control, Network/Internet, Transport, Application.

OSI vs. IP. OSI: Physical, Data Link, Network, Transport, Session, Presentation, Application. IP: Physical, Data Link Control, Network/Internet, Transport, Application.

Internet Protocols

Protocols at OSI Layers

Figure 7-6 Transformation.

Figure 7-7 Network Layer Transformation.

Figure 7-8 Data Link Layer Transformation.

Figure 7-9 Message Prepared for Transmission.

Local Area Network LAN Covers a small distance: less than 2 miles, fewer than 100 users. Locally controlled: owned and managed by on site personnel. Physically protected: at the business location. Limited scope: single group, department or activity.

Figure 7-10 Typical LAN.

Wide Area Network Larger than a LAN in size and distance. Can cover cities, states or countries. Physically exposed: uses publicly available communications media, which is exposed.

Wide Area Network

Network Vulnerabilities Anonymity: unknown users on the Internet. Many points of attack. Sharing: access to many systems. Complexity: connections between many different types of systems and operating systems. Unknown Perimeter: bridging issues. Participation on the Internet.

Figure 7-11 Unclear Network Boundaries.

Figure 7-12 Uncertain Message Routing in a Network. Cannot predict path packets will take.

Figure 7-13 Path of Microwave Signals.

Why Attack Networks Challenge: prove your skills. Money and espionage: steal trade secrets. Organized Crime: botnets, bank thefts. Cyberterrorism: local and remote. Hacktivism: politically motivated.

How to Attack Networks Reconnaissance ◦ Port scans: NMAP, fingerprint hosts, apps. ◦ Social Engineering: trash, phone, phishing.  Maltego: track a person's connections.  Impersonation: gain physical access. ◦ Intelligence: media, employee lists.  Wayback Machine: old web postings. ◦ Online documentation or postings.  Default usernames in applications, etc.

Wiretapping / Man in the Middle TEMPEST ◦ all electromagnetic transmissions have emanations. Packet Sniffing: Wireshark ◦ Encrypt transmissions. Microwave/Satellite: easily accessible. Fiber: quantum cryptography. Wireless: Firesheep, wardriving.

Figure 7-14 Wiretap Vulnerabilities. Exposure points.

Figure 7-15 Key Interception by a Man-in-the-Middle Attack. Attacker acts as a proxy. Intercept and change messages. Defense: encryption and endpoint authentication.

Figure 7-16 Smurf Attack. Directed broadcast IP addresses. Forged source address. Response traffic larger than query traffic. 1 request = 1 reply per host on a network. Forged source will reply with a reset packet, if the remote IP address exists.

Figure 7-17 Three-Way Connection Handshake. Normal connection setup.

Figure 7-18 Distributed Denial-of-Service Attack. Multiple (thousands) remote IP addresses attacking a site. Overwhelm servers and networks. Usually the source is a bot network.

Figure 7-19 Segmented Architecture. Reduce number of threats and single points of failure. Isolate business functions.

Figure 7-20 Link Encryption. Encrypt as you go on the wire.

Figure 7-21 Message Under Link Encryption.

Figure 7-22 End-to-End Encryption. Encryption performed at highest level.

Figure 7-23 End-to-End Encrypted Message.

Figure 7-24 Encrypted Message Passing Through a Host. Message protected from disclosure.

Figure 7-25 Establishing a Virtual Private Network. Secure authentication, cryptographic hashes for integrity and ciphers for confidentiality.

Figure 7-26 VPN to Allow Privileged Access. Virtual dedicated link between entities on a public network.

Figure 7-27 Packets: (a) Conventional Packet; (b) IPSec Packet. Encapsulated security payload (ESP) provides authentication, integrity & confidentiality.

Figure 7-28 Encapsulated Security Packet.

Kerberos Authentication Authentication, Authorization, Accountability (AAA). Uses secret key encryption. Provides mutual authentication of clients and servers. Protects against network sniffing and replay attacks.

Kerberos Operational Steps 1. Kerberos principal (user's client) contacts the Key Distribution Center (KDC) to authenticate. 2. KDC sends a session key to the user, encrypted with the user's secret key. ◦ KDC also sends a Ticket Granting Ticket (TGT), encrypted with the Ticket Granting Service's (TGS) secret key. 3. User's client decrypts the session key and uses it to request permission to print from the TGS. 4. The TGS verifies the user's session key and sends the user a Client/Server (C/S) session key to use to print. The TGS also sends a service ticket, encrypted with the printer's private key. 5. Client connects to the printer. The printer sees a valid C/S session key and knows the user has permission to print and is an authentic user.
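The five steps above, run end to end as an added example (not code from the slides or from any Kerberos implementation). The principals, keys and the `seal`/`unseal` helper are constructed for the example: real Kerberos uses standardized encryption profiles and adds timestamps and lifetimes, which are omitted here; what the toy shows is that the client never sees the TGS or printer keys, so a client holding the wrong user key, or a tampered ticket, is rejected.

```python
import hmac, hashlib, os, json

# Toy authenticated encryption (HMAC-SHA256 keystream + HMAC tag) so the example
# runs on the standard library alone. Constructed for this example, not Kerberos' real ciphers.
def _keystream(key, nonce, n):
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]

def seal(key, obj):
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Long-term secret keys (constructed). In a real realm only the KDC and each principal hold these.
KEYS = {"alice": os.urandom(32), "tgs": os.urandom(32), "printer": os.urandom(32)}

def kdc_authenticate(user):
    """Steps 1-2: session key sealed under the user's key, TGT sealed under the TGS key."""
    sk = os.urandom(32).hex()
    return seal(KEYS[user], {"sk": sk}), seal(KEYS["tgs"], {"user": user, "sk": sk})

def tgs_grant(tgt, authenticator, service):
    """Step 4: TGS opens the TGT, checks the authenticator was made with the session key,
    then issues a C/S key (to the client) and a service ticket (sealed under the printer's key)."""
    t = unseal(KEYS["tgs"], tgt)
    if unseal(bytes.fromhex(t["sk"]), authenticator)["user"] != t["user"]:
        raise ValueError("authenticator does not match TGT")
    cs = os.urandom(32).hex()
    return seal(bytes.fromhex(t["sk"]), {"cs": cs}), seal(KEYS[service], {"user": t["user"], "cs": cs})

def service_accepts(service, ticket, authenticator):
    """Step 5: the printer opens the ticket with its own key and checks the client knows the C/S key."""
    t = unseal(KEYS[service], ticket)
    return unseal(bytes.fromhex(t["cs"]), authenticator)["user"] == t["user"]

def client_prints(user, user_key):
    """Client side of steps 1-5; raises ValueError unless user_key is the user's real key."""
    enc_sk, tgt = kdc_authenticate(user)
    sk = bytes.fromhex(unseal(user_key, enc_sk)["sk"])                # step 3
    enc_cs, ticket = tgs_grant(tgt, seal(sk, {"user": user}), "printer")
    cs = bytes.fromhex(unseal(sk, enc_cs)["cs"])
    return service_accepts("printer", ticket, seal(cs, {"user": user}))
```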

Figure 7-29 Initiating a Kerberos Session.

Figure 7-30 Obtaining a Ticket to Access a File.

Figure 7-31 Access to Services and Servers in Kerberos.

Firewalls Firewall: permits or denies transmissions between networks based upon a set of rules. Packet Filter Firewall: rule based, stateless, fast. ◦ Each packet must be investigated on its own. Stateful Firewall: tracks active sessions. ◦ Maintains a state table of sessions. ◦ Slower than packet filtering but more secure. Application Firewall: works at the application layer (L7). ◦ Inspects all packets for improper content; can restrict or prevent outright the spread of networked computer worms and trojans. Proxy: intercepts service requests and makes the request on the internal network for the external client.

Figure 7-32 Layered Network Protection.

Figure 7-33 Onion Routing. A has a message for B. Wrap message for B in a package to D. Wrap message for D in a package to C. “Disguise traffic flows”. A sends package to C.

Figure 7-34 Packet Filter Blocking Addresses and Protocols. Use a screening router (packet filtering gateway) to block traffic. Simple and sometimes most effective type of firewall.

Figure 7-35 Three Connected LANs. One inside network, two outside. Create screening router to only allow traffic between networks.

Figure 7-36 Filter Screening Outside Addresses. Packet filter firewall screens out fake network traffic: a packet arriving from outside is trying to appear as if it came from the internal network.
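The packet filter and stateful firewall contrast from the Firewalls slide, together with the screening-router ACL and the anti-spoofing rule of Figures 7-34 to 7-36, as an added example (not code from the slides). The internal prefix, rule set and packet dictionaries are constructed; the ACL uses first-match semantics with an implicit deny, and the stateful class shows why return traffic that a stateless filter would drop is admitted once the session is in the table.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("192.0.2.0/24")   # constructed sample LAN (documentation range)

# Screening-router ACL: first matching rule wins, implicit deny if nothing matches.
ACL = [
    # Figure 7-36: a packet on the OUTSIDE interface must never claim an inside source address.
    {"iface": "outside", "src": INTERNAL, "action": "deny"},
    {"iface": "outside", "dst": INTERNAL, "proto": "tcp", "dport": 80, "action": "permit"},
    {"iface": "outside", "dst": INTERNAL, "proto": "tcp", "dport": 25, "action": "permit"},
    {"iface": "inside", "src": INTERNAL, "action": "permit"},
]

def _matches(rule, pkt):
    """Every field named in the rule must match the packet; address fields match by prefix."""
    for field, want in rule.items():
        if field == "action":
            continue
        if field in ("src", "dst"):
            if ipaddress.ip_address(pkt[field]) not in want:
                return False
        elif pkt.get(field) != want:
            return False
    return True

def packet_filter(pkt):
    """Stateless packet filter: each packet is judged only on its own header fields."""
    for rule in ACL:
        if _matches(rule, pkt):
            return rule["action"]
    return "deny"

class StatefulFirewall:
    """Stateful firewall: remembers permitted flows so their replies are admitted
    even though no ACL rule would allow the reply on its own."""
    def __init__(self):
        self.sessions = set()

    def decide(self, pkt):
        flow = (pkt["proto"], pkt["src"], pkt.get("sport"), pkt["dst"], pkt.get("dport"))
        reverse = (pkt["proto"], pkt["dst"], pkt.get("dport"), pkt["src"], pkt.get("sport"))
        if reverse in self.sessions:          # reply belonging to a tracked session
            return "permit"
        if packet_filter(pkt) == "permit":    # new flow: fall back to the ACL, then track it
            self.sessions.add(flow)
            return "permit"
        return "deny"
```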

Figure 7-37 Actions of Firewall Proxies. Intercepts service requests and then makes requests internal on behalf of external clients.

Figure 7-38 Firewall with Screening Router. Use ACLs to limit traffic.

Figure 7-39 Firewall on Separate LAN. Proxy firewall example.

Figure 7-40 Firewall with Proxy and Screening Router. Router: ACL. Firewall: rules. Internal network: IDS, host-based IDS, honeypot.

Figure 7-41 Common Components of an Intrusion Detection Framework.

SNORT & Honey Pot IDS Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire, combining the benefits of signature, protocol, and anomaly-based inspection. Honey Pot ◦ Watch for suspicious traffic. ◦ Learn what attackers are trying to do. ◦ Acts as a diversion and can lure attackers.

Figure 7-42 Stealth Mode IDS Connected to Two Networks. Uses two network interfaces: one to watch the network, the other for sending alerts. Avoids being knocked off the network by DoS attacks.

Intrusion Prevention (IPS) Identify malicious activity, log information about the activity, attempt to block/stop the activity, and report it. Intrusion prevention systems can be classified into four different types: ◦ Network-based Intrusion Prevention (NIPS): monitors the entire network for suspicious traffic by analyzing protocol activity. ◦ Wireless Intrusion Prevention Systems (WIPS): monitor a wireless network for suspicious traffic by analyzing wireless networking protocols. ◦ Network Behavior Analysis (NBA): examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware, and policy violations. ◦ Host-based Intrusion Prevention (HIPS): an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.

Security Pretty Good Privacy ◦ Asymmetric encryption ◦ Confidentiality ◦ Integrity ◦ Authentication ◦ Nonrepudiation ◦ Web of Trust  You trust all the digital certificates that I trust.

Figure 7-43 Overview of Encrypted Processing.

Figure 7-44 Encrypted-Secured Message.

Figure 7-45 Encrypted Processing in Message Transmission.