Chap 7: Security in Networks.  Threats against networked applications, including denial of service, web site defacements, malicious mobile code, and.

Slides:



Advertisements
Similar presentations
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Advertisements

CCNA – Network Fundamentals
Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
7.3 Network Security Controls 1Network Security / G.Steffen.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security Awareness: Applying Practical Security in Your World
Wireless Encryption By: Kara Dolansky Network Management Spring 2009.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
OSI Model.
Securing TCP/IP Chapter 6. Introduction to Transmission Control Protocol/Internet Protocol (TCP/IP) TCP/IP comprises a suite of four protocols The protocols.
Chapter 20: Network Security Business Data Communications, 4e.
Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.
COMPUTER NETWORKS.
Chapter Threats in Networks Network Security / G. Steffen.
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.
What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.
Css security in Networks-css-ps2 1 Computer Systems Security Security in Networks (Security Controls) Topic 2 Pirooz Saeidi Source: Pfleeger, Chapter 7.
8: Network Security8-1 Security in the layers. 8: Network Security8-2 Secure sockets layer (SSL) r Transport layer security to any TCP- based app using.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
Web Server Administration Chapter 10 Securing the Web Environment.
1 Chapter 9 E- Security. Main security risks 2 (a) Transaction or credit card details stolen in transit. (b) Customer’s credit card details stolen from.
Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
FIREWALLS Vivek Srinivasan. Contents Introduction Need for firewalls Different types of firewalls Conclusion.
11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Security Issues in Control, Management and Routing Protocols M.Baltatu, A.Lioy, F.Maino, D.Mazzocchi Computer and Network Security Group Politecnico di.
Network Security David Lazăr.
Chapter 9 Networking & Distributed Security. csci5233 computer security & integrity (Chap. 9) 2 Outline Overview of Networking Threats Wiretapping, impersonation,
11 SECURING NETWORK COMMUNICATION Chapter 9. Chapter 9: SECURING NETWORK COMMUNICATION2 OVERVIEW  List the major threats to network communications. 
7.5 Intrusion Detection Systems Network Security / G.Steffen1.
Securing the Network Infrastructure. Firewalls Typically used to filter packets Designed to prevent malicious packets from entering the network or its.
First, by sending smaller individual pieces from source to destination, many different conversations can be interleaved on the network. The process.
Security in Computing Security in Networks. I.Threats in networks A. Vulnerabilities 1.Anonymity 2.Shared resources 3.Size (many points of attack) 4.Complexity.
Switch Features Most enterprise-capable switches have a number of features that make the switch attractive for large organizations. The following is a.
TCP/IP Protocol Suite 1 Chapter 30 Security Credit: most slides from Forouzan, TCP/IP protocol suit.
Security in Networks Single point of failure Resillence or fault tolerance CS model.
IP security Ge Zhang Packet-switched network is not Secure! The protocols were designed in the late 70s to early 80s –Very small network.
INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.
CSCE Farkas1 CSCE 522 Network Security. Reading Pfleeger and Pfleeger: Chapter 6 CSCE Farkas2.
Security in network Outline Threats in network Network security controls Firewalls Intrusion detection system Secure Networks and Cryptography Example.
Role Of Network IDS in Network Perimeter Defense.
IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.
1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.
Lect 8 Tahani al jehain. Types of attack Remote code execution: occurs when an attacker exploits a software and runs a program that the user does not.
INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.
SYSTEM ADMINISTRATION Chapter 10 Public vs. Private Networks.
TCP/IP Protocol Suite Suresh Kr Sharma 1 The OSI Model and the TCP/IP Protocol Suite Established in 1947, the International Standards Organization (ISO)
Securing Access to Data Using IPsec Josh Jones Cosc352.
IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.
Unit 2 Personal Cyber Security and Social Engineering Part 2.
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
1 Network Security. 2 Security Services Confidentiality: protection of any information from being exposed to unintended entities. –Information content.
Secure Sockets Layer (SSL)
Domain 4 – Communication and Network Security
Presentation transcript:

Chap 7: Security in Networks

SE571 Security in Computing, Dr. Ogara

- Threats against networked applications, including denial of service, web site defacements, malicious mobile code, and protocol attacks
- Controls against network attacks: physical security, policies, procedures, and other technical controls

- Firewalls: design, capabilities, limitations
- Intrusion detection systems
- Private PGP and S/MIME

- Users
  - Managed users
    - Employees/staff
    - Managed and unmanaged devices: laptops, smartphones
  - Unmanaged users
    - Guests
    - Contractors
    - Consultants
    - Business partners
  (Source: Bradford Network, 2011)

- Mobile device proliferation
  - Smartphones: different models from different companies
  - Tablets/iPads
  - EBook
- IP everything: exponential growth in IP devices
  - Surveillance cameras
  - Card readers
  (Source: Bradford Network, 2011)

- Consumerization of IT
  - Consumer markets driving IT
  - Personal devices growing rapidly and must be supported by IT
- Virtualization
  - Server applications in a private cloud
  - Virtual desktops in a virtual environment

- Study sponsored by Dell KACE
- 741 IT professionals participated
- Employees using personal devices (87%)
  - Calendar
  - CRM/ERP
- Employees using smartphones (80%)
- Employees using personal PCs (69%)

- What are we protecting?
- Why are we protecting it?
- What are the assets?
- What are the threats?
- What are the controls?

- Network infrastructure
- Application programs
- Data

- Interception
  - Eavesdropping
  - Passive wiretapping
- Modification
  - Active wiretapping
  - Falsification
  - Compromise of authenticity
- Denial of service

- Firewalls
- Intrusion detection systems
- Secure

- Network: a collection of communicating hosts
- Node: a single computing system in a network
- Link: a connection between two hosts
- Host: a single computer in a network
- Workstation: an end-user computing device, usually designed for a single user at a time

- Topology: the way a network is configured, in terms of nodes and connections
- Protocol: a standard method for transmitting data and/or establishing communications between different devices
- Protocol stack: a layered architecture for communications

- Two popular protocol stacks for implementing networks
  I. Open Systems Interconnection (OSI)
  II. Transmission Control Protocol and Internet Protocol (TCP/IP)

- Contains 7 layers
- Layers represent the different activities that must be performed for actual transmission of a message

- What happens when you send a message to
- Physical layer
- Data link
- Network layer
  - Router sends the message to the destination router
  - Adds 2 headers (source and destination IP address)

- Data link
  - The Network Interface Card (NIC) provides a physical address called the MAC (Media Access Control) address
  - Two more headers are added (source computer and router NIC addresses)
  - The resulting structure is called a frame and contains the destination MAC, source MAC and data

- Data link

- Network layer
  - Router sends the message to the destination router
  - Adds 2 headers (source and destination IP address) to the data
  - These are called packets

- Common in most wide area network communications
- Defined by protocols, not layers, although it is seen as 4 layers
  1. Application
  2. Transport
  3. Internet
  4. Physical

- It denotes two models although used as a single acronym
- TCP implements a connected communications session on top of the more basic IP transport protocol

- Records and checks correct sequencing of packets
- Retransmits missing or faulty packets
- Provides a stream of correct data in proper order to the invoking application
- Problem: retransmissions of faulty or missing packets take time and induce overhead

- Data structure
  - Includes a sequence number, an acknowledgment number for connecting the packets of a communication session, flags, and source and destination port numbers
  - Port: a unique channel number by which computers route their respective packets to the right application

- Covers a small distance, typically within a single building
- Connects several small computers, such as personal computers, as well as printers and perhaps some dedicated file storage devices

- Single control: usually controlled by one organization
- Covers a significant distance
- Physically exposed
- Examples: campus area networks, metropolitan area networks

- Anonymity: anonymous attackers
- Many points of attack, both targets and origins: less rigorous security
- Sharing
- Complexity of system
- Unknown perimeter: untrusted hosts in networks

- Fame or recognition
- Money and espionage
- Organized crime
- Advance an ideology

- What are the targets?
- What are the vulnerabilities?
- What are the controls?

- Port scan
  - Gives an external picture: open doors
  - Standard ports or services running?
- Social engineering
  - Use of social skills and personal interaction to get someone to reveal security-relevant information
- Reconnaissance
- OS and application fingerprinting

- Firewall
- "Hardened" (self-defensive) applications
- Programs that reply with only what is necessary
- Intrusion detection system
- Run as few services as possible

- Education, user awareness
- Policies and procedures
- Systems in which two people must agree to perform certain security-critical functions

- Impersonation
- Guessing
- Eavesdropping
- Session hijacking
- Spoofing
- Man-in-the-middle attack

- Strong, one-time authentication
- Virtual private network
- Encrypted authentication channel
- Education, user awareness
- Virtual private network
- Protocol analysis

- Buffer overflow
- Addressing errors
- Parameter modification, time-of-check to time-of-use errors
- Server-side include
- Cookies
- Malicious active code: Java, ActiveX
- Malicious code: virus, worm, Trojan horse

- Programming controls
- Intrusion detection system
- Personal firewall
- Two-way authentication
- Controlled execution environment
- Signed code

- Protocol flaw
- Malicious code: virus, worm, Trojan horse
- Eavesdropping
- Passive wiretap
- Misdelivery
- Exposure within network
- Traffic flow analysis
- Cookie

- Firewall
- Encryption
- Intrusion detection system
- Controlled execution environment
- Programming controls

- Protocol flaw
- Impersonation
- Active wiretap
- Falsification of message
- Noise
- Website defacement
- DNS attack

- Firewall
- Encryption
- Intrusion detection system
- Controlled execution environment
- Audit
- Protocol analysis
- Strong authentication
- Error detection code
- Honey pot

- Protocol flaw
- Transmission or component failure
- DNS attack
- Traffic redirection
- Distributed denial of service
- Connection flooding

- Encryption
- Firewall
- Intrusion detection system
- Honey pot

- Most important and versatile tool for the network security expert
- Important for
  - Privacy
  - Authenticity
  - Integrity
  - Limited access to data
- Not a silver bullet
- Protects encrypted data only

- Can be applied in two ways
  - Link encryption
  - End-to-end encryption

- Data is encrypted before the system places it on the physical communications link
- Encryption takes place in layer 1 or 2 of the OSI model
- Encryption protects the message during transit
- Message is plaintext inside the hosts

- Data exposed in sending host
- Data exposed in intermediate nodes
- Applied by sending host
- Invisible to user
- Host maintains encryption
- Encryption done in hardware
- Provides node authentication
- All or no data encrypted

- Security available from one end of the transmission to the other
- Encryption can be applied by either hardware or software running on the computer
- Encryption takes place at the highest levels of the OSI model: application and presentation

- Data encrypted in sending host
- Data encrypted in intermediate nodes
- User applies encryption
- User selects encryption
- Either software or hardware implementation
- User chooses to encrypt or not
- Provides user authentication

- Communication passes through an encrypted tunnel
- User's client establishes communication with the network firewall
- User and firewall negotiate a session encryption key

- Firewall and user encrypt all traffic between them
- Firewall authenticates the user through an authentication server
- Firewall implements access control (provides appropriate security privileges)

- PKI is a process created to enable users to implement public key cryptography
- Provides identification and access control information to users
  - Create certificates associating a user's identity with a cryptographic key
  - Give out certificates from its database
  - Sign certificates, thus adding credibility to the authenticity of certificates
  - Confirm or deny that a certificate is valid
  - Invalidate certificates for users who are no longer allowed access or whose private key has been exposed

- PKI sets up entities called certificate authorities that implement PKI policy
- Assumption is that certificate authorities are trusted
- Functions of certificate authorities
  - Manage public key certificates for their whole life cycle
  - Issue certificates by binding a user's or system's identity to a public key with a digital signature
  - Schedule expiry dates for certificates
  - Ensure that certificates are revoked by publishing a certificate revocation list

- SSH stands for secure shell; it is a pair of protocols (V1 and V2)
- Provides an authenticated and encrypted path to a shell or operating system command interpreter
- Protects against spoofing attacks and modification of data in communications
- Protocol involves negotiation between local and remote sites for encryption algorithm (e.g. DES, IDEA, AES) and authentication

- SSL stands for Secure Socket Layer
- Also known as TLS (Transport Layer Security)
- Protocol was originally designed by Netscape to protect communication between web browser and server
- It interfaces between applications (e.g. a browser) and the TCP/IP protocols to provide server authentication, client authentication and an encrypted communication channel between client and server

- SSL protocol is the most widely used secure communication protocol on the Internet
- Only protects data between the client's browser and the server

- Stands for IP Security Protocol
- Similar to SSL, i.e. supports authentication and confidentiality
- Defines a standard means for handling encrypted data
- Designed to handle shortcomings of IPv6 such as:
  - Spoofing
  - Eavesdropping
  - Session hijacking

- Fundamental data structures are
  - AH: Authentication Header
  - ESP: Encapsulating Security Payload
- Contains both an authenticated and an encrypted portion
- Packets: (a) conventional packet; (b) IPsec packet

- SSID: Service Set Identifier
  - Authenticates the remote computer
- WEP: Wired Equivalent Privacy
  - Uses encryption to prevent eavesdropping and impersonation
  - Uses an encryption key for authentication
  - IEEE standard
  - Uses 64- and 128-bit encryption
  - Not effective against brute force attack

- WPA and WPA2: WiFi Protected Access
  - Addresses known security deficiencies in WEP
  - IEEE standard i
  - Unlike WEP's encryption key, which is unchanged until the user enters a new key at the client and access point, the encryption key is changed automatically at each packet (Temporal Key Integrity Protocol)

- Computer system open to attackers
- Goal
  - Watch what attackers do
  - Lure attackers in order to study their habits
  - Divert attackers' attention so as to leave your system alone

- Device that filters traffic between a protected/inside network and a less trustworthy/outside network
- Purpose
  - Keep bad things outside the protected environment
  - Use security policies to limit access from outside

- Packet filtering gateways or screening routers
- Stateful inspection firewalls
- Application proxies
- Guards
- Personal firewalls

- Most effective
- Control access based on packet address or transport protocol such as HTTP

- Maintains state information from one packet to another in the input stream

- Packet filters look only at the headers of packets, not at the data inside the packets
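The difference between the screening router and the stateful inspection firewall described above, as an added Python model (not from the slides or from Pfleeger's text): both enforce the same policy, but only the stateful filter can tell a genuine reply from an unsolicited inbound packet that merely has ACK set. The 10.0.0.0/8 inside network and all addresses are constructed.

```python
"""Screening router (stateless) vs. stateful inspection firewall, toy model.

Policy for both: hosts inside 10.0.0.0/8 (constructed) may open TCP
connections to the outside; the outside may never open a connection inward.
"""
from dataclasses import dataclass
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/8")  # constructed protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


def is_inside(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INSIDE


def stateless_allow(pkt: Packet) -> bool:
    """Decides from this packet's headers alone, like a screening router.
    Inbound packets are admitted only if ACK is set, on the assumption that
    they are replies to a connection opened from inside; a lone SYN (a new
    inbound connection attempt) is dropped. The router cannot check that
    assumption, so any inbound packet that sets ACK gets through."""
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return True
    if not is_inside(pkt.src) and is_inside(pkt.dst):
        return "ACK" in pkt.flags
    return False


class StatefulFirewall:
    """Remembers connections opened from inside and admits only inbound
    packets that belong to one of them."""

    def __init__(self) -> None:
        self.connections = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == frozenset({"SYN"}):
                self.connections.add(key)       # new outbound connection
            elif pkt.flags & {"FIN", "RST"}:
                self.connections.discard(key)   # connection torn down
            return True
        if not is_inside(pkt.src) and is_inside(pkt.dst):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.connections:
                if pkt.flags & {"FIN", "RST"}:
                    self.connections.discard(key)
                return True
            return False                        # unsolicited inbound packet
        return False


def run_both(packets):
    """Returns, per packet, (stateless decision, stateful decision)."""
    fw = StatefulFirewall()
    return [(stateless_allow(p), fw.allow(p)) for p in packets]


# Constructed traffic: one legitimate outbound web connection, then an
# unsolicited inbound packet that sets ACK so it looks like a reply, then a
# plain inbound connection attempt (SYN only).
SAMPLE = [
    Packet("10.1.2.3", 40000, "203.0.113.9", 443, frozenset({"SYN"})),
    Packet("203.0.113.9", 443, "10.1.2.3", 40000, frozenset({"SYN", "ACK"})),
    Packet("10.1.2.3", 40000, "203.0.113.9", 443, frozenset({"ACK"})),
    Packet("198.51.100.7", 12345, "10.1.2.3", 22, frozenset({"ACK"})),
    Packet("198.51.100.7", 12345, "10.1.2.3", 22, frozenset({"SYN"})),
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(SAMPLE, run_both(SAMPLE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {sorted(pkt.flags)}"
              f"  stateless={'pass' if stateless else 'drop'}"
              f"  stateful={'pass' if stateful else 'drop'}")
```

The fourth packet is the one that separates the two designs: the screening router passes it, the stateful firewall drops it because no inside host ever opened that connection.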

- Receives protocol data units, interprets them, and passes through the same or different protocol data units that achieve either the same result or a modified result

- Application program that runs on a workstation to block unwanted traffic, usually from the network
- A conventional firewall protects a (sub)network of multiple hosts
- May complement the work of a conventional firewall by screening the kind of data a single host will accept

- Connection flooding
  - Echo-Chargen
    - Chargen is a protocol used to generate packets
    - Attacker makes host A generate echo packets to host B, and host B replies to the echoes
    - Hosts A and B generate an endless loop
  - Ping of Death
    - Attacker sends a flood of pings to the intended host
    - Pings saturate the victim's bandwidth

- Connection flooding
  - Smurf: attacker sends broadcast echo requests to the network with the victim's return address
  - SYN flood: attacker sends many SYN requests and never responds with ACKs, thereby filling the victim's SYN_RECV queue
  - Teardrop: attacker sends a series of datagrams that cannot be reassembled properly
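To tie the TCP header fields listed earlier (sequence and acknowledgment numbers, flags, source and destination ports) to what a SYN flood does to the SYN_RECV queue, here is an added Python example that is not part of the slides: it packs and parses the fixed 20-byte TCP header and keeps a server-side count of half-open connections over constructed traffic. The addresses, ports and the per-source limit are assumptions.

```python
"""TCP header fields and a half-open connection counter for spotting SYN floods.
All traffic below is constructed for the example."""
import struct
from collections import defaultdict

# 20-byte TCP header without options: ports, seq, ack, data offset/reserved,
# flags, window, checksum, urgent pointer (network byte order).
TCP_HEADER = struct.Struct("!HHIIBBHHH")
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Packs a header with the named flags set (checksum left zero)."""
    flag_byte = 0
    for name in flags:
        flag_byte |= FLAG_BITS[name]
    return TCP_HEADER.pack(sport, dport, seq, ack, 5 << 4, flag_byte, window, 0, 0)


def parse_tcp_header(data):
    """Unpacks the fixed header; the data offset field counts 32-bit words."""
    if len(data) < TCP_HEADER.size:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flag_byte, window, _csum, _urg = TCP_HEADER.unpack_from(data)
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "header_len": (off_res >> 4) * 4,
        "flags": frozenset(n for n, bit in FLAG_BITS.items() if flag_byte & bit),
        "window": window,
    }


class HalfOpenTracker:
    """Mirrors what a server's SYN_RECV queue holds: connections that sent a
    SYN but never completed the handshake with an ACK (or aborted with RST)."""

    def __init__(self, per_source_limit):
        self.per_source_limit = per_source_limit
        self.pending = defaultdict(set)  # client ip -> client ports still half-open

    def observe(self, client_ip, hdr):
        flags = hdr["flags"]
        if flags == {"SYN"}:
            self.pending[client_ip].add(hdr["sport"])
        elif "RST" in flags or ("ACK" in flags and "SYN" not in flags):
            self.pending[client_ip].discard(hdr["sport"])

    def total_half_open(self):
        # A flood with forged source addresses is spread over many "clients",
        # so the queue-wide total matters as much as any per-source count.
        return sum(len(ports) for ports in self.pending.values())

    def noisy_sources(self):
        return {ip for ip, ports in self.pending.items()
                if len(ports) >= self.per_source_limit}


def sample_traffic():
    """Constructed: one client completes the handshake; another sends 30 SYNs
    from different ports and never answers the server's SYN-ACK."""
    pkts = [("192.0.2.10", build_tcp_header(51000, 80, 1000, 0, ["SYN"])),
            ("192.0.2.10", build_tcp_header(51000, 80, 1001, 5001, ["ACK"]))]
    for i in range(30):
        pkts.append(("198.51.100.7", build_tcp_header(40000 + i, 80, i, 0, ["SYN"])))
    return pkts


def detect_syn_flood(packets, per_source_limit=20):
    """Returns (half-open connections in the queue, sources over the limit)."""
    tracker = HalfOpenTracker(per_source_limit)
    for client_ip, raw in packets:
        tracker.observe(client_ip, parse_tcp_header(raw))
    return tracker.total_half_open(), tracker.noisy_sources()


if __name__ == "__main__":
    total, sources = detect_syn_flood(sample_traffic())
    print(f"half-open connections: {total}; sources over limit: {sorted(sources)}")
```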

- Traffic redirection
  - Attackers disrupt routers to redirect traffic
- DNS attacks
  - Attackers redirect routing of traffic by taking over a domain server or causing it to cache spurious entries (DNS cache poisoning)
  - E.g. an attack in 2005 used a flaw in a Symantec firewall to allow a change in DNS records used by Windows machines; the poisoned DNS cache redirected users to advertising sites

- Also called DDoS
- Attacker discreetly plants a Trojan horse into a machine, e.g. through an attachment
- Attacker repeats the process using many targets (zombies)
- Attacker sends a signal to all zombies to launch an attack against a victim (n attacks from n zombies)

- Also called IDS
- Device that monitors activities to identify malicious and suspicious events
- Functions
  - Monitor users and system activity
  - Audit system configuration for vulnerabilities and misconfigurations
  - Assess the integrity of critical system and data files
  - Recognize known attack patterns in system activity
  - Identify abnormal activity through statistical analysis
  - Manage audit trails and highlight user violations of policy or normal activity
  - Correct system configuration errors

- Signature based: performs simple pattern-matching and reports situations that match a pattern corresponding to a known attack type
- Heuristic/anomaly based: builds a model of acceptable behavior and flags exceptions to that model
- A network-based IDS is a stand-alone device attached to the network to monitor traffic throughout that network, while a host-based IDS runs on a single workstation or client to protect that one host
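The two IDS approaches above, as an added Python example that is not part of the slides: a signature detector that pattern-matches request paths against known attack shapes, and an anomaly detector that learns a per-client request-rate baseline from benign traffic and flags statistical outliers. The log format, the addresses and the two signatures are constructed for the example.

```python
"""Signature-based vs. anomaly-based detection over web access log lines.
Log format, addresses and signatures are constructed for this example."""
import re
import statistics
from collections import Counter

# Constructed format: "<minute> <client-ip> <method> <path> <status>"
TRAINING_LOG = """\
00 192.0.2.10 GET /index.html 200
00 192.0.2.10 GET /css/site.css 200
00 192.0.2.11 GET /about.html 200
01 192.0.2.10 GET /products 200
01 192.0.2.10 GET /products/1 200
01 192.0.2.10 GET /img/p1.png 200
01 192.0.2.12 POST /login 302
02 192.0.2.11 GET /index.html 200
02 192.0.2.11 GET /contact.html 200
02 192.0.2.10 GET /index.html 200
"""

# Live window: normal browsing, one request matching the traversal signature,
# and one client hammering the search endpoint far above the learned rate.
LIVE_LOG = ("10 192.0.2.10 GET /index.html 200\n"
            "10 198.51.100.7 GET /static/../../../../private/config 404\n"
            + "".join(f"10 203.0.113.5 GET /search?q={i} 200\n" for i in range(40)))

SIGNATURES = {
    "path-traversal": re.compile(r"(\.\./){2,}"),  # repeated "../" in the request path
    "oversized-path": re.compile(r".{512,}"),       # path far longer than any real one here
}


def parse(log):
    """Yields one record per log line."""
    for line in log.splitlines():
        minute, ip, method, path, status = line.split(" ", 4)
        yield {"minute": minute, "ip": ip, "method": method, "path": path, "status": int(status)}


def signature_alerts(log):
    """Pattern matching against known attack shapes: precise, but only for
    attacks that already have a signature."""
    return [(rec["ip"], name) for rec in parse(log)
            for name, rx in SIGNATURES.items() if rx.search(rec["path"])]


class RateBaseline:
    """Anomaly detection: learn requests-per-minute per client from benign
    traffic, then flag clients exceeding mean + k standard deviations. Novel
    attacks can be caught, at the price of false positives for unusual but
    legitimate behaviour."""

    def fit(self, training_log):
        counts = Counter((r["minute"], r["ip"]) for r in parse(training_log))
        values = list(counts.values())
        self.mean = statistics.mean(values)
        self.stdev = statistics.stdev(values) if len(values) > 1 else 0.0
        return self

    def anomalies(self, live_log, k=3.0):
        threshold = self.mean + k * self.stdev
        counts = Counter((r["minute"], r["ip"]) for r in parse(live_log))
        return {ip for (_, ip), n in counts.items() if n > threshold}


if __name__ == "__main__":
    print("signature hits:", signature_alerts(LIVE_LOG))
    print("rate anomalies:", RateBaseline().fit(TRAINING_LOG).anomalies(LIVE_LOG))
```

Note that neither detector sees the other's case: the traversal request is a single, normal-rate request, and the hammering client's requests are individually well-formed.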

- Filter on packet headers
- Filter on packet content
- Maintain connection state
- Use complex, multipacket signatures
- Use a minimal number of signatures with maximum effect

- Filter in real time, online
- Hide its presence
- Use an optimal sliding time window size to match signatures

- IDSs detect an ever-growing number of serious problems
- Adding their signatures to the IDS model helps them improve over time
- Easier and cheaper to manage

- Similar IDSs may have identical vulnerabilities
- Difficult to measure and adjust its sensitivity
- Must be monitored and alarms responded to, otherwise it is useless

- Is important in e-commerce
- Is a medium of communications

- Message confidentiality (the message is not exposed en route to the receiver)
- Message integrity (what the receiver sees is what was sent)
- Sender authenticity (the receiver is confident who the sender was)
- Nonrepudiation (the sender cannot deny having sent the message)

- Message interception (confidentiality)
- Message interception (blocked delivery)
- Message interception and subsequent replay
- Message content modification
- Message origin modification
- Message content forgery by outsider
- Message origin forgery by outsider
- Message content forgery by recipient
- Message origin forgery by recipient
- Denial of message transmission

- Developed by the Internet Society
- Allows for security-enhanced messages
- Works for both asymmetric and symmetric encryption
- Standard supports multiple encryption algorithms
  - DES, 3DES and AES for confidentiality
  - RSA and Diffie-Hellman for key exchange