Security Chapter 9 (October 2002) Copyright 2003 Prentice-Hall Panko’s Business Data Networking and Telecommunications, 4th edition.


2 Figure 9.1: Types of Attackers Wizard Internet Hackers Highly capable attackers Amateurs (Script Kiddies) Light skills, but numerous and armed with automated attack programs (kiddie scripts) of increasing potency

3 Figure 9.1: Types of Attackers Criminals Theft of credit card numbers, trade secrets, and other sensitive information Sell the information or attempt extortion to prevent the release of the information Individual criminals and organized crime Industrial and government espionage spies

4 Figure 9.1: Types of Attackers Employees Dangerous because of internal knowledge and access Often, large losses per incident due to theft, fraud, or sabotage

5 Figure 9.1: Types of Attackers Information Warfare and Cyberterrorism Massive attack by a government or terrorist group against a country’s IT infrastructure Attacks by amateur cyberterrorists are already starting to approach this level of threat

6 Figure 9.3: Attacks Requiring Protection Hacking Servers Access without permission or in excess of permission Attractive because of the data they store Hacking Clients Attractive because of their data or as a way to attack other systems by using the hacked client as an attack platform Soft targets compared to servers; most users are security novices

7 Figure 9.3: Attacks Requiring Protection Denial-of-Service (DoS) Attacks Make the system unavailable (crash it or make it run very slowly) by sending one message or a stream of messages. Loss of availability. Single Message DoS Attack (Crashes the Victim) Server Attacker

8 Figure 9.3: Attacks Requiring Protection Denial-of-Service (DoS) Attacks Make the system unusable (crash it or make it run very slowly) by sending one message or a stream of messages. Loss of availability. Message Stream DoS Attack (Overloads the Victim) Server Attacker

9 Figure 9.4: Denial-of-Service Attacks Distributed DoS (DDoS) Attack: Messages Come from Many Sources Server DoS Attack Packets Computer with Zombie Computer with Zombie Attacker Attack Command Attack Command

10 Figure 9.3: Attacks Requiring Protection Scanning Attacks To identify victims and ways of attacking them Attacker sends messages to select victims and attack methods Examines data that responses reveal IP addresses of potential victims What services victims are running; different services have different weaknesses Host’s operating system, version number, etc.

11 Figure 9.3: Attacks Requiring Protection Malicious Content Viruses Infect files; propagate by executing infected program Payloads may be destructive Worms; propagate by themselves Trojan horses (appear to be one thing, such as a game, but actually are malicious) Snakes: combine worm with virus, Trojan horses, and other attacks

12 Figure 9.3: Attacks Requiring Protection Malicious Content Illegal content: pornography, sexual or racial harassment Spam (unsolicited commercial e-mail) Security group is often called upon to address pornography, harassment, and spam

13 Figure 9.2: Types of Security Systems Attacker Taps into the Conversation: Tries to Read Messages, Alter Messages, Add New Messages Client PC Server Message Exchange Secure Communication System

14 Figure 9.2: Types of Security Systems Attack Prevention System Corporate Network Hardened Client PC Hardened Server With Permissions Internet Attacker Attack Message Attack Message Firewall

15 Figure 9.5: Packet Filter Firewall Packet Filter Firewall IP-H TCP-H UDP-H Application Message IP-H ICMP Message Arriving Packets Permit Deny Corporate Network The Internet Examines Packets in Isolation Fast but Misses Some Attacks

16 Figure 9.6: Access Control List Fragment For Packets Containing TCP Segments: Rule 1: IF Interface = Internal AND (Source Port Number = 7056 OR Source Port Number = 8002 through 8007) THEN DENY Remark: Used by a well-known Trojan horse program.

17 Figure 9.6: Access Control List Fragment Rule 2: IF Interface = External AND Destination Port Number = 80 AND Destination IP address = THEN PERMIT Remark: Going to a known webserver.

18 Figure 9.6: Access Control List Fragment Rule 3: IF Interface = External AND Destination Port Number = 80 AND Destination IP Address = NOT THEN DENY Remark: Going to an unknown webserver.

19 Figure 9.6: Access Control List Fragment Rule 4: IF Interface = External AND (SYN = AND FIN = Set) THEN DENY Remark: Used in host scanning attacks and not in real transactions. 1. To: ; SYN FIN 2. From: ; RST

20 Figure 9.6: Access Control List Fragment Order Rules are executed in order If passed or denied by one rule, will not reach subsequent rules Misconfiguration is easy, opening the network to attack Always test a firewall by hitting it with attack messages to see if they are handled properly
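The rule-ordering point on slides 16 through 20 is easiest to see by running the fragment as code. The block below is an added example, not part of the Panko slides: it models Rules 1 to 4 as first-match rules over constructed packet summaries, and then "hits the firewall with attack messages" as the slide recommends. The known webserver address (10.0.0.80), the sample packets, and the deny-by-default behaviour are assumptions, since the slides elide the addresses. It also shows a misconfiguration the slide's order allows: because Rule 2 permits any port-80 packet to the known webserver before Rule 4 is reached, a SYN/FIN probe aimed at that server is never denied, and moving Rule 4 to the top fixes it.

```python
"""First-match packet filter modelled on the ACL fragment of Figure 9.6.

Added example, not from the Panko slides. Assumptions (not on the slides):
packets are plain dicts, the known webserver address is the constructed
10.0.0.80, and a packet matching no rule is denied.
"""
from dataclasses import dataclass
from typing import Callable

KNOWN_WEBSERVER = "10.0.0.80"   # constructed stand-in for the slide's elided address


@dataclass
class Rule:
    name: str
    match: Callable[[dict], bool]
    action: str                  # "PERMIT" or "DENY"
    remark: str


def tcp(p):
    return p["proto"] == "tcp"


# The four rules, in the order the slides give them.
RULES = [
    Rule("Rule 1",
         lambda p: tcp(p) and p["iface"] == "internal"
         and (p["sport"] == 7056 or 8002 <= p["sport"] <= 8007),
         "DENY", "Source ports used by a well-known Trojan horse program"),
    Rule("Rule 2",
         lambda p: tcp(p) and p["iface"] == "external"
         and p["dport"] == 80 and p["dst"] == KNOWN_WEBSERVER,
         "PERMIT", "Going to a known webserver"),
    Rule("Rule 3",
         lambda p: tcp(p) and p["iface"] == "external"
         and p["dport"] == 80 and p["dst"] != KNOWN_WEBSERVER,
         "DENY", "Going to an unknown webserver"),
    Rule("Rule 4",
         lambda p: tcp(p) and p["iface"] == "external"
         and "SYN" in p["flags"] and "FIN" in p["flags"],
         "DENY", "SYN and FIN set together: host scanning, not a real transaction"),
]

# Same rules with the SYN/FIN check moved to the top so that no PERMIT rule
# can shadow it.
HARDENED_RULES = [RULES[3]] + RULES[:3]


def filter_packet(packet, rules=RULES, default="DENY"):
    """Evaluate rules in order; the first match decides and later rules are never reached."""
    for rule in rules:
        if rule.match(packet):
            return rule.action, rule.name
    return default, "default"


def pkt(**fields):
    """Constructed packet header summary with defaults for the fields not given."""
    base = dict(proto="tcp", iface="external", src="192.0.2.10", sport=40000,
                dst=KNOWN_WEBSERVER, dport=80, flags=("SYN",))
    base.update(fields)
    return base


# Constructed test traffic: the slide says to hit the firewall with attack
# messages and see whether they are handled properly.
SAMPLE_PACKETS = {
    "trojan_source_port":     pkt(iface="internal", src="10.0.0.5", sport=8004, dst="192.0.2.10"),
    "web_to_known_server":    pkt(),
    "web_to_unknown_server":  pkt(dst="10.0.0.99"),
    "synfin_to_mail_port":    pkt(dport=25, flags=("SYN", "FIN")),
    "synfin_to_known_server": pkt(flags=("SYN", "FIN")),
    "udp_dns_inbound":        pkt(proto="udp", dport=53, flags=()),
}


def test_firewall(rules=RULES):
    """Run every sample packet through the rule set and report the decisions."""
    return {name: filter_packet(p, rules) for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, decision in test_firewall().items():
        print(f"{name:24s} -> {decision}")
    print("SYN/FIN to known server, hardened order:",
          filter_packet(SAMPLE_PACKETS["synfin_to_known_server"], HARDENED_RULES))
```

With the slide's order, `synfin_to_known_server` comes back `("PERMIT", "Rule 2")`; with `HARDENED_RULES` it is `("DENY", "Rule 4")`. That is the "misconfiguration is easy" warning made concrete: a permit rule placed ahead of a deny rule silently disables the deny for everything the permit covers.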

21 Stateful Firewall Does not examine packets in isolation Examines each packet to see if it is part of an ongoing conversation Catches attacks that packet filter firewalls cannot Refuses a TCP acknowledgement if an internal host has not opened a connection to that host Usually does not examine a packet in detail if the packet is part of an ongoing conversation This can miss attack packets Beyond what is in the book
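The behaviour slide 21 describes, a connection table filled by inside-initiated SYNs and consulted for every packet arriving from outside, is small enough to model directly. The following is an added example, not from the Panko slides; the table layout, packet format and sample flow are constructed, and a real stateful firewall additionally tracks sequence numbers, timeouts and UDP/ICMP pseudo-state. The sample flow shows both halves of the slide: an unsolicited SYN/ACK from the Internet is refused, while anything carried inside an established conversation is let through without detailed inspection.

```python
"""Toy stateful TCP filter: an external packet is accepted only if an internal
host opened the connection it claims to belong to.

Added example, not from the Panko slides. The connection table, packet format
and sample flow are constructed.
"""


class StatefulFilter:
    def __init__(self):
        # Each entry: (internal_ip, internal_port, external_ip, external_port)
        self.connections = set()

    def inspect(self, p):
        """Return "PERMIT" or "DENY" for one packet and update the table."""
        flags = set(p["flags"])
        if p["iface"] == "internal":
            conn = (p["src"], p["sport"], p["dst"], p["dport"])
            if flags == {"SYN"}:
                self.connections.add(conn)          # internal host opens a connection
                return "PERMIT"
            if conn in self.connections:
                if flags & {"FIN", "RST"}:
                    self.connections.discard(conn)  # conversation is over
                return "PERMIT"
            return "DENY"
        # External interface: mirror the tuple so it matches the entry the
        # inside host created when it sent its SYN.
        conn = (p["dst"], p["dport"], p["src"], p["sport"])
        if conn not in self.connections:
            return "DENY"   # an ACK or SYN/ACK nobody inside asked for
        # Part of an ongoing conversation: accepted without looking at the
        # payload, which is exactly how attack data inside an established
        # flow can slip past a stateful filter.
        if flags & {"FIN", "RST"}:
            self.connections.discard(conn)
        return "PERMIT"


def run_flow(packets):
    """Feed a packet sequence through one fresh filter; return the decisions."""
    fw = StatefulFilter()
    return [fw.inspect(p) for p in packets]


INSIDE, OUTSIDE = "10.0.0.5", "198.51.100.7"   # constructed addresses


def tcp_pkt(iface, src, sport, dst, dport, *flags):
    return dict(iface=iface, src=src, sport=sport, dst=dst, dport=dport, flags=flags)


# Constructed sample: an unsolicited SYN/ACK, then a normal handshake, data,
# a FIN that closes the table entry, and a stale ACK after the close.
SAMPLE_FLOW = [
    tcp_pkt("external", OUTSIDE, 80, INSIDE, 5555, "SYN", "ACK"),   # no open: DENY
    tcp_pkt("internal", INSIDE, 5555, OUTSIDE, 80, "SYN"),          # inside opens: PERMIT
    tcp_pkt("external", OUTSIDE, 80, INSIDE, 5555, "SYN", "ACK"),   # expected now: PERMIT
    tcp_pkt("internal", INSIDE, 5555, OUTSIDE, 80, "ACK"),          # PERMIT
    tcp_pkt("external", OUTSIDE, 80, INSIDE, 5555, "ACK", "PSH"),   # data: PERMIT
    tcp_pkt("external", OUTSIDE, 80, INSIDE, 5555, "FIN", "ACK"),   # closes entry: PERMIT
    tcp_pkt("external", OUTSIDE, 80, INSIDE, 5555, "ACK"),          # stale: DENY
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_FLOW, run_flow(SAMPLE_FLOW)):
        print(p["iface"], "/".join(p["flags"]), "->", verdict)
```

Compare the first packet with the packet filter of Figure 9.5: a stateless filter that permits inbound port-80 replies has no way to know that no inside host ever asked for this one, while the stateful filter refuses it simply because the table has no row for it.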

22 Figure 9.7: Application (Proxy) Firewall SMTP (E-Mail) Proxy FTP Proxy Application Firewall HTTP Proxy Browser Webserver Application 1. HTTP Request Client PC Webserver 2. Inspect Request Message

23 Figure 9.7: Application (Proxy) Firewall SMTP (E-Mail) Proxy FTP Proxy Application Firewall 3. Examined HTTP Request HTTP Proxy Browser Webserver Application Client PC Webserver

24 Figure 9.7: Application (Proxy) Firewall SMTP (E-Mail) Proxy FTP Proxy Application Firewall HTTP Proxy Browser Webserver Application 4. HTTP Response Client PC Webserver 5. Inspect Response Message

25 Figure 9.7: Application (Proxy) Firewall SMTP (E-Mail) Proxy FTP Proxy Application Firewall HTTP Proxy Browser Webserver Application 6. Examined HTTP Response Client PC Webserver

26 Figure 9.7: Application (Proxy) Firewall Can examine the application message to filter packets by application content If a hacker takes over the proxy firewall, the hacker has not taken over the internal clients, with which the proxy only has indirect contact Internal client’s IP address is hidden. All packets sent back by the server have the address of the application proxy server.

27 Figure 9.7: Application (Proxy) Firewall SMTP (E-Mail) Proxy FTP Proxy Application Firewall HTTP Proxy Browser Webserver Application Client PC Webserver There must be a proxy for each application

28 Figure 9.8: Network Address Translation (NAT) 12 NAT Firewall Client From , Port From , Port Internet Server Host IP Addr … Port … IP Addr … Port … Internal External Translation Table

29 Figure 9.8: Network Address Translation (NAT) 43 NAT Firewall Client Internet Server Host To , Port To , Port Translation Table IP Addr … Port … IP Addr … Port … Internal External
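Slides 28 and 29 show the translation table with internal and external address/port columns but elide the addresses themselves. The block below is an added example, not from the Panko slides, that fills a table of that shape with constructed addresses: an outgoing packet gets a row and a rewritten source, and a reply is mapped back only if a row exists, which is what hides the internal client's address and drops unsolicited packets. Real NAT devices also age rows out and usually check the external source address on the return path; this toy keeps only the two lookups the figure shows.

```python
"""Toy NAT translation table for Figure 9.8.

Added example, not from the Panko slides. Addresses, the external port range
and the packet tuples are constructed.
"""
import itertools


class NatTable:
    def __init__(self, external_ip, first_port=60000):
        self.external_ip = external_ip
        self._next_port = itertools.count(first_port)
        self.by_internal = {}   # (internal_ip, internal_port) -> external_port
        self.by_external = {}   # external_port -> (internal_ip, internal_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Steps 1-2: rewrite an internal client's source address and port."""
        key = (src_ip, src_port)
        if key not in self.by_internal:
            ext_port = next(self._next_port)     # new row for a new internal flow
            self.by_internal[key] = ext_port
            self.by_external[ext_port] = key
        return (self.external_ip, self.by_internal[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Steps 3-4: map a reply back to the internal host, or None if no row matches."""
        if dst_ip != self.external_ip or dst_port not in self.by_external:
            return None    # nothing inside asked for this packet: drop it
        int_ip, int_port = self.by_external[dst_port]
        return (src_ip, src_port, int_ip, int_port)

    def rows(self):
        """The table as the slide draws it: (internal IP, port, external IP, port)."""
        return [(ip, port, self.external_ip, ext)
                for (ip, port), ext in self.by_internal.items()]


def demo():
    """One request/reply round trip through a constructed NAT firewall."""
    nat = NatTable("203.0.113.1")
    request = nat.outbound("192.168.0.5", 1234, "198.51.100.7", 80)
    reply = nat.inbound("198.51.100.7", 80, "203.0.113.1", request[1])
    return nat, request, reply


if __name__ == "__main__":
    nat, request, reply = demo()
    print("outbound as seen on the Internet:", request)
    print("reply delivered inside as:", reply)
    print("table:", nat.rows())
```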

30 Figure 9.9: Intrusion Detection Dump Intrusion Detection System 4. Analysis of Dump Internal Host Network Administrator Attacker Legitimate Host 1. Attack Packet 2. All Packets 3. Notification of Possible Attack 1. Legitimate Packet

31 Firewalls versus Intrusion Detection Firewalls permit or deny traffic based on filtering rules Intrusion detection systems (IDSs) only save and mark certain packets as suspicious; do not take action IDSs identify all suspicious packets, many of which turn out to be acceptable; firewall drop rules are more specific Some firewalls issue alerts when packets are dropped and most firewalls log all drops New Not in the book

32 Figure 9.10: Hardening Clients and Servers Known Weaknesses Known security weaknesses in operating systems and application programs Must download vendor patches to fix these known weaknesses Firms often fail to do so (vendors issue patches per week); patches must be installed on each server Host Firewalls Server firewalls and personal (client) firewalls

33 Figure 9.10: Hardening Clients and Servers Server Authentication Passwords Cracking with exhaustive search and dictionary attacks Strong passwords Super accounts Root in UNIX Administrator in Windows

34 Figure 9.10: Hardening Clients and Servers Server Authentication Rules for Strong Passwords At least 8 characters long At least one change of case At least one digit (0-9) not at the end At least one non-alphanumeric character not at the end
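The four rules on slide 34 can be checked mechanically, and doing so shows why "not at the end" is there. The block below is an added example, not from the Panko slides. It interprets "change of case" as both upper- and lower-case letters being present and "not at the end" as the digit or symbol appearing before the final character; those readings are assumptions. Because slide 33 names dictionary attacks as the cracking method, the example goes one step beyond the slide and also rejects a password that becomes a dictionary word once common digit-for-letter substitutions are undone; the word list and substitution map are constructed.

```python
"""Checker for the strong-password rules of Figure 9.10, plus a dictionary check.

Added example, not from the Panko slides. The word list and the substitution
map are constructed; a real cracking list has millions of entries.
"""

DICTIONARY = {"password", "letmein", "welcome", "qwerty", "monkey"}

# Substitutions a dictionary attack undoes before comparing against its list.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "$": "s", "@": "a", "!": "i"})


def normalize(pw):
    return pw.lower().translate(LEET)


def password_problems(pw):
    """Return the list of rules a password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("no change of case")
    body = pw[:-1]   # everything except the final character ("not at the end")
    if not any(c.isdigit() for c in body):
        problems.append("no digit before the last character")
    if not any(not c.isalnum() for c in body):
        problems.append("no non-alphanumeric character before the last character")
    if normalize(pw) in DICTIONARY:
        problems.append("is a dictionary word with substitutions")
    return problems


def is_strong(pw):
    return not password_problems(pw)


if __name__ == "__main__":
    for candidate in ["abc", "Password1!", "Pa$$w0rd", "Tr0ub4dor&3"]:
        print(f"{candidate!r}: {password_problems(candidate) or 'passes'}")
```

`Password1!` satisfies three of the four rules but fails the last: its only symbol is the final character, the spot the slide excludes because users put the mandatory symbol there so predictably that crackers try it first. `Pa$$w0rd` passes all four rules and is still weak, which is why a dictionary check belongs next to the structural rules.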

35 Figure 9.11: Kerberos Authentication (Simplified) Kerberos Server Verifier Applicant 4. Ticket 1. Initial Sign On 2. Request Ticket 3. Ticket

36 Figure 9.10: Hardening Clients and Servers Server Authentication Biometric authentication Fingerprint: least expensive Iris: most accurate Face recognition: controversial in public places for mass identification Other forms of biometric identification Smart cards (ID card with microprocessor and data)

37 Figure 9.10: Hardening Clients and Servers Limiting Permissions on Servers (Ch. 10) Only permit access to some directories Limit permissions (what the user can do) there Like controlling access to a high-security building; not allowed to go anywhere and remove items, etc.

38 Figure 9.2: Types of Security Systems Attacker Taps into the Conversation: Tries to Read Messages, Alter Messages, Add New Messages Client PC Server Message Exchange Secure Communication System

39 Figure 9.12: Secure Communication System Client PC Server 1. Initial Negotiation of Security Parameters 2. Mutual Authentication 3. Key Exchange or Key Agreement 4. Subsequent Communication with Message-by-Message Confidentiality, Authentication, and Message Integrity

40 Figure 9.13: Symmetric Key Encryption for Confidentiality Plaintext “Hello” Encryption Method & Key Ciphertext “ ” Symmetric Key Interceptor Network Same Symmetric Key Party A Party B

41 Figure 9.13: Symmetric Key Encryption for Confidentiality Ciphertext “ ” Symmetric Key Interceptor Network Ciphertext “ ” Same Symmetric Key Party A Party B ???

42 Figure 9.13: Symmetric Key Encryption for Confidentiality Symmetric Key Interceptor Network Ciphertext “ ” Decryption Method & Key Plaintext “Hello” Same Symmetric Key Party A Party B

43 Figure 9.14: Symmetric Key Encryption for Confidentiality Shared Symmetric Key Party A Party B Shared Symmetric Key In Symmetric Key Encryption, Both sides Encrypt and Decrypt with The Same Symmetric Key

44 Figure 9.14: Public Key Encryption for Confidentiality Encrypt with Party B’s Public Key Party A Party B Decrypt with Party B’s Private Key

45 Figure 9.14: Public Key Encryption for Confidentiality Decrypt with Party A’s Private Key Party A Encrypt with Party A’s Public Key Party B

46 Quiz 1. In two-way conversations encrypted with symmetric key encryption, how many keys are used? 2. In two-way conversations encrypted with Public key encryption, how many keys are used?

47 Quiz 3. In public key encryption for confidentiality, the sender always encrypts with the _____ key of the _____. 4. In public key encryption for confidentiality, the receiver always decrypts with the ___ key of the _____.

48 Symmetric Versus Public Key Encryption Symmetric key encryption is very fast, so it can be used to encrypt long messages for confidentiality, including e-mail messages, website communication, database transactions, and almost all other user applications. However, public key encryption can provide confidentiality for very short messages. We will see how this helps in transferring symmetric keys and in digital signatures.

49 Figure 9.15: Public Key Distribution for Symmetric Keys Party A Party B 1. Create Symmetric Session Key 2. Encrypt Session Key with Party B’s Public Key 4. Decrypt Session Key with Party B’s Private Key 3. Send the Symmetric Session Key Encrypted With Party B’s Public Key

50 Figure 9.15: Public Key Distribution for Symmetric Keys Party A Party B 5. Subsequent Bulk Encryption For Confidentiality with Symmetric Session Key For All Messages

51 Figure 9.16: MS-CHAP Challenge-Response Authentication Protocol Client Applicant Server Verifier Challenge 1. Creates Challenge Message 2. Sends Challenge Message Note: Both the Client and the Server Know the Client’s Password

52 Figure 9.16: MS-CHAP Challenge-Response Authentication Protocol 3. Applicant Creates the Response Message: a) Adds Password to Challenge Message b) Hashes the Resultant Bit String c) This Gives the Response Message Password Challenge Response Hashing

53 Figure 9.16: MS-CHAP Challenge-Response Authentication Protocol Password Challenge Expected Response Hashing Transmitted Response 4. Applicant Sends Response Message 5. Verifier Adds password to the challenge message it sent. Hashes the combination. This should be the expected response message.

54 Figure 9.16: MS-CHAP Challenge-Response Authentication Protocol Expected Response Transmitted Response = ? 6. If the Two are Equal, The Client Knows the Password and is Authenticated
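Slides 51 through 54 describe the exchange one step at a time; here it is as running code with both sides present. This is an added example, not from the Panko slides: SHA-256 over challenge + password stands in for the unspecified hash on the slide (the real MS-CHAP derives its response differently), and the user names and passwords are constructed. Two details a verifier needs that the slides leave implicit are included: each challenge is used once, so a recorded response cannot be replayed, and the comparison in step 6 is done in constant time.

```python
"""Challenge-response authentication in the shape of Figure 9.16.

Added example, not from the Panko slides. SHA-256 over challenge + password is
a stand-in for the slide's unspecified hash; credentials are constructed.
"""
import hashlib
import hmac
import secrets


def make_response(password: bytes, challenge: bytes) -> bytes:
    """Step 3: add the password to the challenge and hash the combined bit string."""
    return hashlib.sha256(challenge + password).digest()


class Verifier:
    """Server side. As on the slide, the verifier knows each client's password."""

    def __init__(self, password_db):
        self.password_db = password_db
        self.outstanding = {}   # user -> challenge sent but not yet checked

    def challenge(self, user) -> bytes:
        """Steps 1-2: create a fresh random challenge and remember it for this user."""
        c = secrets.token_bytes(16)
        self.outstanding[user] = c
        return c

    def check(self, user, transmitted_response: bytes) -> bool:
        """Steps 5-6: recompute the expected response and compare."""
        c = self.outstanding.pop(user, None)   # a challenge is good for one answer only
        if c is None or user not in self.password_db:
            return False        # unknown user, or a replayed/late response
        expected = make_response(self.password_db[user], c)
        # Constant-time compare: timing must not reveal how many bytes matched.
        return hmac.compare_digest(expected, transmitted_response)


class Applicant:
    """Client side: knows only its own password."""

    def __init__(self, user, password: bytes):
        self.user, self.password = user, password

    def respond(self, challenge: bytes) -> bytes:
        return make_response(self.password, challenge)


def authenticate(applicant, verifier) -> bool:
    """Run the whole exchange: challenge out, response back, verdict."""
    c = verifier.challenge(applicant.user)                 # steps 1-2
    transmitted = applicant.respond(c)                     # steps 3-4
    return verifier.check(applicant.user, transmitted)     # steps 5-6


if __name__ == "__main__":
    v = Verifier({"alice": b"correct horse battery"})      # constructed credential
    print("right password:", authenticate(Applicant("alice", b"correct horse battery"), v))
    print("wrong password:", authenticate(Applicant("alice", b"guess"), v))
```

Note that the password itself never crosses the network; only the challenge and the hash do. Anyone tapping the line learns one (challenge, response) pair, which is useless for the next login because the verifier will issue a different challenge.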

55 Figure 9.17: Digital Signature Sender Receiver DS Plaintext Add Digital Signature to Each Message Provides Message-by-Message Authentication Encrypted for Confidentiality

56 Figure 9.17: Digital Signature: Sender DS Plaintext MD Hash Sign (Encrypt) MD with Sender’s Private Key To Create the Digital Signature: 1. Hash the plaintext to create a brief message digest; This is NOT the digital signature 2. Sign (encrypt) the message digest with the sender’s private key to create the digital signature

57 Figure 9.17: Digital Signature Sender Encrypts Receiver Decrypts Send Plaintext plus Digital Signature Encrypted with Symmetric Session Key DS Plaintext Transmission

58 Figure 9.17: Digital Signature: Receiver DS Received Plaintext MD 1. Hash 2. Decrypt with True Party’s Public Key 3. Are they Equal? 1. Hash the received plaintext with the same hashing algorithm the sender used. This gives the message digest 2. Decrypt the digital signature with the sender’s public key. This also should give the message digest. 3. If the two match, the message is authenticated; The sender has the true Party’s private key
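Slides 49 and 50 (session key sent under Party B's public key) and slides 56 through 58 (hash, then sign the digest with the private key; receiver hashes, decrypts with the public key, compares) both come down to two modular exponentiations, so one block can carry both figures. This is an added example, not from the Panko slides, using textbook RSA with deliberately small, constructed keys: six-digit primes, a digest reduced modulo n, no padding. Keys that small can be factored in seconds and real systems use 2048-bit keys with padded signature schemes, but the steps are the same ones the figures number. Party A and Party B are the slides' names; the primes, message and session key are constructed.

```python
"""Public-key distribution of a session key (Figure 9.15) and digital
signatures (Figure 9.17) with textbook RSA on deliberately small keys.

Added example, not from the Panko slides. Toy parameters (six-digit primes,
digest reduced modulo n, no padding) are constructed for readability.
"""
import hashlib
import secrets


def toy_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)) for primes p, q. Assumes gcd(e, (p-1)(q-1)) == 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def message_digest(plaintext: bytes, n: int) -> int:
    """Signing step 1: hash the plaintext. Reduced mod n only so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(plaintext).digest(), "big") % n


def sign(plaintext: bytes, private_key) -> int:
    """Signing step 2: 'encrypt' the digest with the sender's private key."""
    n, d = private_key
    return pow(message_digest(plaintext, n), d, n)


def verify(plaintext: bytes, signature: int, public_key) -> bool:
    """Receiver steps 1-3: hash the received plaintext, decrypt the signature
    with the sender's public key, compare the two digests."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(plaintext, n)


def wrap_session_key(session_key: int, recipient_public) -> int:
    """Figure 9.15 step 2: encrypt the symmetric session key with Party B's public key."""
    n, e = recipient_public
    if not 0 < session_key < n:
        raise ValueError("session key must be smaller than the modulus")
    return pow(session_key, e, n)


def unwrap_session_key(wrapped: int, recipient_private) -> int:
    """Figure 9.15 step 4: Party B decrypts with its private key."""
    n, d = recipient_private
    return pow(wrapped, d, n)


def key_exchange(party_b_public, party_b_private, session_key=None):
    """Steps 1-4 end to end; returns (key Party A chose, key Party B recovered)."""
    n = party_b_public[0]
    if session_key is None:
        session_key = secrets.randbelow(n - 1) + 1             # step 1: A creates the key
    wrapped = wrap_session_key(session_key, party_b_public)    # steps 2-3
    return session_key, unwrap_session_key(wrapped, party_b_private)   # step 4


# Constructed toy keys: Party A signs, Party B receives the session key.
PARTY_A_PUBLIC, PARTY_A_PRIVATE = toy_keypair(1000003, 1000033)
PARTY_B_PUBLIC, PARTY_B_PRIVATE = toy_keypair(999983, 999979)

if __name__ == "__main__":
    msg = b"Transfer 100 to account 42"     # constructed message
    sig = sign(msg, PARTY_A_PRIVATE)
    print("signature verifies:", verify(msg, sig, PARTY_A_PUBLIC))
    print("altered message verifies:", verify(msg.replace(b"100", b"900"), sig, PARTY_A_PUBLIC))
    print("checked with the wrong public key:", verify(msg, sig, PARTY_B_PUBLIC))
    chosen, recovered = key_exchange(PARTY_B_PUBLIC, PARTY_B_PRIVATE)
    print("session key survived the trip:", chosen == recovered)
```

The last print line of the demo is the hinge for slides 59 and 60: `verify` answers only "was this signed with the private key matching the public key I was handed?" If an impostor hands the verifier the impostor's own public key, the check passes for the impostor's signatures, which is why the public key has to arrive inside a digital certificate rather than from the applicant.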

59 Figure 9.18: Public Key Deception Impostor “I am the True Person.” “Here is TP’s public key.” (Sends Impostor’s public key) “Here is authentication based on TP’s private key.” (Really Impostor’s private key) Decryption of message from Verifier encrypted with Impostor’s public key, so Impostor can decrypt it Verifier Must authenticate True Person. Believes now has TP’s public key Believes True Person is authenticated based on Impostor’s public key “True Person, here is a message encrypted with your public key.” Critical Deception

60 Digital Certificates Digital certificates are electronic documents that give the true party’s name and public key Applicants claiming to be the true party have their authentication methods tested by this public key If they are not the true party, they cannot use the true party’s private key and so will not be authenticated

61 Digital Signatures and Digital Certificates Public key authentication requires both a digital signature and a digital certificate to give the public key needed to test the digital signature DS Plaintext Applicant Verifier Certificate Authority Digital Certificate: True Party’s Public Key

62 Figure 9.19: Public Key Infrastructure (PKI) Verifier (Brown) Certificate Authority PKI Server Create & Distribute (1) Private Key and (2) Digital Certificate Applicant (Lee) Verifier (Cheng)

63 Figure 9.19: Public Key Infrastructure (PKI) Verifier (Brown) Certificate Authority PKI Server 4. Certificate for Brown Applicant (Lee) Verifier (Cheng) 3. Request Certificate for Brown

64 Figure 9.19: Public Key Infrastructure (PKI) Verifier (Brown) Certificate Authority PKI Server 6. Check Certificate Revocation List (CRL) For Lee’s Digital Certificate Applicant (Lee) 5. Certificate for Lee Verifier (Cheng) 7. Revoked or OK

65 Figure 9.20: Security at Multiple Layers
Layer        Example
Application  Application-specific (for instance, passwords for a database program); Application (Proxy) Firewalls
Transport    SSL (TLS), Packet Filter Firewalls
Internet     IPsec, Packet Filter Firewalls
Data Link    Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP)
Physical     Physical locks on computers, Notebook Encryption

66 Figure 9.20: Security at Multiple Layers Having security at multiple layers provides protection if one layer’s security fails Having security at multiple layers also slows processing on the device So provide protection in at least two layers but not in all layers

67 Figure 9.21: Creating Appropriate Security Understanding Needs Need to make security proportional to risks Organizations face different risks Policies and Enforcement Policies bring consistency Must be enforced. Training in the importance of security and in protection techniques Social engineering prevention training

68 Figure 9.21: Creating Appropriate Security Policies and Enforcement Security audits: attack your system proactively You must really be able to trust your testers Incident handling Stopping the attack Restoring the system Prosecution Planning and practicing before the incident Privacy Need to protect employee & customer privacy