@Yuan Xue CS 285 Network Security Fall 2012 Yuan Xue.


Presentation on theme: "@Yuan Xue CS 285 Network Security Fall 2012 Yuan Xue."— Presentation transcript:

1 @Yuan Xue (yuan.xue@vanderbilt.edu) CS 285 Network Security Fall 2012 Yuan Xue

2 Outline
- Security Overview
- Cryptography
- Symmetric cipher

3 Security Overview – Quick Review
- Requirements: Security Triad
  - Confidentiality
  - Integrity
  - Availability

4 Where does the problem come from? Security Vulnerability, Threat and Attack
- Vulnerability: an aspect of the system that permits attackers to mount a successful attack, sometimes also called a "security hole".
- Weakness: a potential vulnerability whose risk is not clear. Sometimes several weaknesses might combine to yield a full-fledged vulnerability.
- Threat: a circumstance or scenario with the potential to exploit a vulnerability and cause harm to a system.
- Attack: a deliberate attempt to breach system security. Note that not all attacks are successful.
- An attack usually refers to a specific action. A threat refers to a broader class of ways that things could go wrong.
- Attacks are usually classified into two types:
  - A passive attack does not result in a change to the system and attempts to break the system based solely on observed data.
  - An active attack, on the other hand, involves modifying, replaying, inserting, deleting, or blocking data.

5 Network Threats
- Attacks against confidentiality
  - Eavesdropping
  - Traffic flow analysis

6 Network Threats
- Attacks against integrity

7 Network Threats
- Attacks against availability
  - Denial of service

8 What are the solutions? Security Mechanisms
- Network Security
  - Cryptographic Approach
    - Encryption
    - Data integrity protection & Digital Signature
    - Authentication
  - Network Approach
    - Traffic control
  - System Approach
    - Intrusion detection systems
    - Firewall
- System Security
  - Authentication
  - Access Control (Authorization)
  - Multi-level Security
- Program Security
  - Programming frameworks
  - Strong typing system

9 An Example
- Two models to protect files on your disk
  - Encryption
  - Access control

10 OSI Security Architecture
- X.800 "Security Architecture for OSI"
- Defines a systematic way of defining and providing security requirements
- Provides a useful abstract overview of the security concepts
  - Security Attacks
  - Security Mechanisms
  - Security Services

11 Security Mechanism and Service
- Security Mechanism: a mechanism that is designed to detect, prevent, or recover from a security attack.
  - More than a particular algorithm or protocol
  - Specific mechanism
    - Encryption
    - Integrity protection
    - Digital signature
    - Notarization
    - Authentication exchange
    - Access control
    - Traffic padding
    - Routing control
  - Pervasive mechanism: trusted functionality, security labels, event detection, security audit trails, security recovery
- Security Service (X.800): a service that is provided by a protocol layer that ensures adequate security of the systems or data transfers.
  - Authentication
  - Access Control
  - Data Confidentiality
    - Connection / connectionless / selective field / traffic flow
  - Data Integrity
    - Connection / connectionless / selective field / with or without recovery
  - Non-Repudiation
    - Source / destination
- Implementation / Placement
  - Physical / logical

12 Relationship Between Security Service and Security Mechanisms

13 Challenges of Computer Security
- Requirements are straightforward
- Mechanisms used to meet these requirements can be quite complex
- Principle of Easiest Penetration
  - An intruder is expected to use any available means of penetration.
  - Computer security specialists must consider all possible means of penetration.
- Integration of security design with system design
- Tension between usability/utility and security/privacy

14 Why do many solutions fail?
- Protect the wrong things
- Protect the right things in the wrong way

15 Issues that will be addressed in this class

16 Network Security Issues
- From a Computer to Internet
  - Single computer
  - Networking environment
    - Secure communication in a public environment
    - Computer system security with remote access
  - Internet
[Figure: protocol stacks (Link, IP, TCP/UDP, Application) and intermediate Link/IP nodes, labelled "Network Security"]

17 [Figure: security protocols across the protocol stack. Layers: Application, Transport, Network, Link. Labels: HTTP, HTTPS, SMTP, FTP, PGP (User ID/Email/Key ID); SSL (SSL_CTX, SSL, SSL_SESSION); TCP, UDP (multiplex/demultiplex, port, congestion window); IP, IPSec (SADB, transport mode), routing table, forwarding table, fragment/reassemble; WPA/WPA2 with 802.11, MAC. Data units: stream, frame, packet, with TCP, SSL, IPSec and IP headers around the payload.]

18 Web Security In A Picture
[Figure: Web browser (client-side script, HTTP, SSL, TCP) and Web server (server-side script, database, password file, HTTPS, SSL, TCP). SSL authentication via X.509 certificate; HTTP authentication with user + password in an HTML form.]

19 How to study network security?
- Learning methodology
  - Examine all possible vulnerabilities of the system
  - Consider available countermeasures

20 Readings
- Required Reading
  - [WS] Chapter 1
- Additional Reading
  - [MB] 1.1-1.2
  - http://en.wikipedia.org/wiki/Information_security

