CS 285 Network Security: Placement of Security Function and Security Service (Yuan Xue, Fall 2013)


Slide 1: CS 285 Network Security
Placement of Security Function and Security Service
Yuan Xue (yuan.xue@vanderbilt.edu), Fall 2013

Slide 2: Outline
- Review of network architecture: weaknesses at different layers
- Placement of security function (security function = encryption + message authentication)
- Security service and mechanism

Slide 3: In a Nutshell (diagram; only the labels are recoverable)
- Message encryption and message authentication, built on session keys and public keys
- Secret key distribution (session keys): KDC-based; decentralized; public-key-based (RSA, Diffie-Hellman)
- Public-key management (public keys): announcement; directory; certificate; decentralized (web of trust)

Slide 4: Where Should We Implement the Security Functions?
Let's first review the computer network architecture...

Slide 5: Our Goal
Suppose you are building a computer network.
- What technologies would serve as the underlying building blocks?
- What kind of software architecture would you design to integrate these building blocks into an effective communication service?
- What would be the weaknesses in the design that may be exploited by attackers?

Slide 6: Direct Link Network
- Point-to-point network
- Encoding
- Framing
- Error detection

Slide 7: Multiple Access Network
- Media access control protocol: when the link is shared by multiple hosts, their accesses to the link need mediation.
- Ethernet: CSMA/CD (Carrier Sense Multiple Access / Collision Detection)

Slide 8: Where Are the Functions Implemented?
- Network adaptor: encoding, framing, error detection, and media access control.
- MAC address: in Ethernet, each adaptor has a unique Ethernet address, which is also the MAC address of the corresponding host.

Slide 9: Where Are the Functions Implemented? (continued)
- Packet reception: each frame transmitted on an Ethernet is received by every adaptor connected to that Ethernet.
- Each adaptor recognizes the frames addressed to its own address and passes only those frames to the host.
- An adaptor can also be programmed to run in promiscuous mode, in which case it delivers all received frames to the host.

Slide 10: Where Does the Security Issue Come From?
- Frequency jamming
- Eavesdropping (e.g., packet sniffing)
- MAC address spoofing
- Etc.

Slide 11: From Direct Link Network to Internetworking

Slide 12: Internetworking
- Issues: heterogeneity; scale
- Solution: the Internet Protocol (IP) is the key tool to build scalable, heterogeneous internetworks.
- Functions: fragmentation and reassembly; addressing; routing and forwarding

Slide 13: Addressing
- Providing suitable identifiers for all the hosts in an internetwork.
- Hierarchical addresses: a network part + a host part.
- Address classes: flexibility, allowing networks of vastly different sizes to be accommodated fairly efficiently.

Slide 14: Routing and Forwarding: Forwarding (figure not recoverable)

Slide 15: Routing and Forwarding: Routing
- Distance vector
- Link state

Slide 16: Internet Routing
- The Internet is organized into autonomous systems, which provide hierarchically aggregated routing information in a large internetwork to improve scalability.
- Intra-domain routing: within a single autonomous system. RIP and OSPF are used for intra-domain routing.
- Inter-domain routing: between autonomous systems. BGP (Border Gateway Protocol) is the routing protocol used in the Internet for inter-domain routing.

Slide 17: More Security Issues
- IP spoofing
- Authentication of routing messages
- Etc.

Slide 18: End-to-End Protocols
- Problem: turn the host-to-host packet delivery service into a communication channel between application processes.
- End-to-end protocols of the Internet: UDP and TCP (connectionless vs. connection-oriented protocol)
- More on TCP: connection establishment; reliable transmission; congestion control

Slide 19: Security Issues
- Port scanning
- TCP SYN flooding
- TCP sequence number prediction
- Etc.

Slide 20: Network Architecture (figure not recoverable)

Slide 21: Placement of Security Function
- What to encrypt/protect: message format
- Where should the security function be located? Network stack; link vs. end-to-end; where each layer is located and how it may get attacked
- Aspects to consider: message security (which fields in the packet are protected); number of keys required; number of encryptions/decryptions; transparency to users/end hosts

Slide 22: Link vs. End-to-End Encryption (figure not recoverable)

Slide 23: Message Format (figure not recoverable)
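As an added example (not from the slides or the course), the following Python models the two placements compared on slides 21 and 22 over a constructed four-node path H1, R1, R2, H2. It encrypts the same packet once per link and once end to end, and records the three aspects the slide asks about: which fields are protected on the wire and where the body is plaintext, how many keys are needed, and how many encrypt/decrypt operations happen. The host names, the key labels and the toy SHA-256 keystream cipher are assumptions made for the illustration; the cipher stands in for any symmetric cipher and is not usable as one.

```python
"""Link encryption vs end-to-end encryption on a four-node path.

Added example, not part of the lecture. It models the two placements
with a toy cipher so that the exposed fields, the key count and the
number of encrypt/decrypt operations can be observed directly.
"""
import hashlib
from typing import Dict, List, Tuple

NONCE = b"constructed-nonce"  # constructed; a real cipher needs a fresh nonce per message


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream.
    Illustrative stand-in for any block or stream cipher; not for real use."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))  # XOR is its own inverse


def derive_key(label: str) -> bytes:
    """Constructed key for one link or one host pair. In practice this is
    where KDC-based or public-key-based key distribution would come in."""
    return hashlib.sha256(label.encode()).digest()


def link_encryption(path: List[str], header: bytes, body: bytes) -> Tuple[bytes, Dict]:
    """Encrypt the whole frame (header + body) separately on every link.
    Each intermediate node must decrypt to read the header for forwarding,
    so it holds the body in the clear, then re-encrypts for the next link."""
    links = list(zip(path, path[1:]))
    keys = {(a, b): derive_key(f"link:{a}-{b}") for a, b in links}
    stats = {"keys": len(keys), "encryptions": 0, "decryptions": 0,
             "body_plaintext_at": [], "header_readable_on_wire": False}
    frame = header + body                                     # plaintext at the sender
    for a, b in links:
        on_wire = keystream_xor(keys[(a, b)], NONCE, frame)   # node a encrypts for link a-b
        stats["encryptions"] += 1
        frame = keystream_xor(keys[(a, b)], NONCE, on_wire)   # node b decrypts on arrival
        stats["decryptions"] += 1
        stats["body_plaintext_at"].append(b)                  # b sees header and body in clear
    return frame[len(header):], stats


def end_to_end_encryption(path: List[str], header: bytes, body: bytes) -> Tuple[bytes, Dict]:
    """Encrypt only the body, once, with a key shared by source and
    destination. Headers stay in the clear so routers can forward without
    any key, and the body is never plaintext at an intermediate node."""
    src, dst = path[0], path[-1]
    key = derive_key(f"pair:{src}-{dst}")
    stats = {"keys": 1, "encryptions": 1, "decryptions": 0,
             "body_plaintext_at": [], "header_readable_on_wire": True}
    packet = (header, keystream_xor(key, NONCE, body))       # src encrypts once
    for _router in path[1:-1]:
        hdr, ciphertext = packet                              # router reads the cleartext header
        packet = (hdr, ciphertext)                            # body passes through untouched
    body_out = keystream_xor(key, NONCE, packet[1])           # dst decrypts once
    stats["decryptions"] += 1
    stats["body_plaintext_at"].append(dst)
    return body_out, stats


def compare(path: List[str]) -> Dict[str, Dict]:
    """Run both placements over the same constructed packet and return the
    bookkeeping each produced, plus a check that the body arrived intact."""
    header = b"src=" + path[0].encode() + b";dst=" + path[-1].encode() + b";"
    body = b"constructed application payload"
    results = {}
    for name, placement in (("link", link_encryption), ("end_to_end", end_to_end_encryption)):
        delivered, stats = placement(path, header, body)
        stats["delivered_intact"] = delivered == body
        results[name] = stats
    return results


if __name__ == "__main__":
    for placement, stats in compare(["H1", "R1", "R2", "H2"]).items():
        print(placement, stats)
```

On the constructed path, link encryption needs one key per link (3), performs 3 encryptions and 3 decryptions, hides the headers from anyone on the wire, but exposes the body at both routers; end-to-end encryption needs one key per communicating pair, performs one encryption and one decryption, never exposes the body at a router, but leaves the headers readable on every link. Using both together is the usual way to get traffic-flow confidentiality on the links and body confidentiality across the untrusted routers.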

Slide 24: Security Architecture, Service and Mechanism

Slide 25: OSI Security Architecture
- ITU-T X.800, "Security Architecture for OSI"
- Defines a systematic way of defining and providing security requirements
- Provides a useful abstract overview of the security concepts

Slide 26: Security Services (X.800)
- Authentication: assurance that the communicating entity is the one claimed (peer authentication; data origin authentication)
- Access control: prevention of the unauthorized use of a resource
- Data confidentiality: protection of data from unauthorized disclosure (connection / connectionless / selective field / traffic flow)
- Data integrity: assurance that data received is as sent by an authorized entity (connection / connectionless / selective field / with or without recovery)
- Non-repudiation: protection against denial by one of the parties in a communication (source / destination)
- Refer to Table 1.2 in [WS]

Slide 27: Security Mechanisms (X.800)
- Specific security mechanisms: encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization
- Pervasive security mechanisms: trusted functionality, security labels, event detection, security audit trails, security recovery
- Refer to Table 1.3 in [WS]

Slide 28: Relationship Between Security Services and Security Mechanisms (table not recoverable)

