Presentation is loading. Please wait.

Presentation is loading. Please wait.

7.3 Network Security Controls 1Network Security / G.Steffen.

Published byDustin Doyle Modified over 9 years ago

Similar presentations

Presentation on theme: "7.3 Network Security Controls 1Network Security / G.Steffen."— Presentation transcript:

1 7.3 Network Security Controls 1Network Security / G.Steffen

2 In This Section Defense techniques to the network security engineer Major controls: Firewalls Intrusion detection systems Encrypted e-mail 2Network Security / G.Steffen

3 Security Threat Analysis 3 steps in analyzing a security threat: Scrutinize all the parts of the systems Consider the possible damage to confidentiality, integrity, & availability Hypothesize the kinds of attacks that could cause the specific kind of damage Similar approach can be taken to analyze threats in a network. 3Network Security / G.Steffen

4 What an Attacker Might Do? Read communication Modify communication Forge communication Inhibit communication Inhibit all communication passing through a point Read data at some machine C between two people Modify or destroy data at C 4Network Security / G.Steffen

5 Kinds of Threats Intercepting data in traffic Accessing programs or data at remote hosts Modifying programs or data at remote hosts Modifying data in transit Inserting communications Impersonating a user Inserting a repeat of a previous communication Blocking selected traffic Blocking all traffic Running a program at a remote host Network Security / G.Steffen5

6 Architectural Security Control 1 Segmentation It reduces the number of threats It limits the amount of damage a single vulnerability can allow Network Security / G.Steffen6 Segmented Architecture

7 Architectural Security Control 2 Redundancy It allows a function to be performed on more than one node Failure over mode- The server communicates with each other periodically, each determining if the other is still active. Single points of failure Eliminating a single point in the network which if failed, could deny access to all or a significant part of the network Mobile agents Network Security / G.Steffen7

8 Encryption Encryption is the most important & versatile tool for a network security expert. Encryption is used for providing: Privacy Authenticity Integrity Limited access to data Note: Encryption protects only what is encrypted Network Security / G.Steffen8

9 Kinds of Encryption 1 Link Encryption Data are encrypted just before the system places them on the physical communication link Encryption occurs at layer 1 or 2 in the OSI model Encryption protects the message in transit between two computers This kind of encryption is invisible to user It is most appropriate when the transmission line is the point of greatest vulnerability Network Security / G.Steffen9

10 Kinds of Encryption 2 End-to-End Encryption It provides security from one end of a transmission to the other The message is transmitted in encrypted form through the network It addresses potential flaws in lower layers in the transfer model When used, messages sent through several hosts are protected Network Security / G.Steffen10

11 Virtual Private Networks (VPN) VPN allows users to access their internal networks and computers over the Internet or other public network, using encrypted tunnels (communication passes through encrypted tunnel). VPN are created when the firewall interacts with an authentication service inside the parameter. Firewall It is an access control device that sits between two networks or two network segments. It filters all traffic between the protected or “inside” network and a less trustworthy or “outside” network or segment. Network Security / G.Steffen11

12 Public Key Infrastructure (PKI) PKI It is a set of policies, products, & procedures leaving some room for interpretation. It is a process created to enable users to implement public key cryptography, usually in large settings. It offers each user a set of services related to identification & access control. It sets up entitles called certificate authorities that implement the PKI policy on certificates. It is not yet a mature process. Network Security / G.Steffen12

13 Encryption SSH (Secure Shell) encryption A pair of protocols, originally defined for UNIX It provides authenticated and encrypted path to the shell or operating system command interpreter. SSL (Secure Sockets layer) encryption It is also known as TLS (Transport Layer Security) It was originally designed by Netscape It interfaces between applications and the TCP/IP protocols to provide server authentication, optional client authentication, & an encrypted communication channel between client & server. Network Security / G.Steffen13

14 IP Security Protocol Suite (IPSec) IPSec It is designed to address fundamental shortcomings such as being subject to spoofing, eavesdropping, & session hijacking. It is implemented at the IP layer It is somewhat similar to SSL (supports authentication & confidentiality in a way that does not necessitate significant change either above or below it) Security association The basis of IPSec It is roughly compared to an SSL session Network Security / G.Steffen14

15 Related Terms Security Parameter Index (SPI) A data element that is essentially a pointer into a table of security associations. Encapsulated Security Payload (ESP) It replaces (includes) the conventional TCP header and data portion of a packet. It contains both an authenticated header (AH) and an encrypted portion. Internet Security Association Key Management Protocol (ISAKMP) It requires that a distinct key be generated for each security association. It is implemented through IKE or ISAKMP key exchange Network Security / G.Steffen15

16 Content Integrity Three potential threats: Malicious modification that changes content in a meaningful way Malicious or non-malicious modification that changes content in a way that is not necessarily meaningful Non-malicious modification that changes content in a way that will not be detected Network Security / G.Steffen16

17 Guard Modification Threats Error correcting codes Error detection & error correcting codes can be used to guard against modification in a transmission. Parity Check is the simplest error detection code technique. Even Parity – the parity bit is set so that the sum of all data bits plus the parity bit is even. Odd Parity – It is similar to the even parity bit except the sum is odd. Hash code or Huffman code are some other error detection codes Network Security / G.Steffen17

18 Cryptographic Checksum Cryptographic Checksum (Message Digest) It is a cryptographic function that produces a checksum. It prevents the attacker from changing the data block. Major uses of cryptographic checksum are code tamper protection & message integrity protection in transit. Network Security / G.Steffen18

19 Authentication Methods One-Time Password It is good for only one time use A password token can help in generating unpredictable passwords This technique is immune to spoofing as it works on a password generating algorithm Challenge-Response System It looks like a simple pocket calculator This device eliminates the small window of vulnerability in which a user could reuse a time-sensitive authenticator Digital Distributed Authentication Network Security / G.Steffen19

20 Access Controls ACLs on Routers Problems on adding ACLs to the routers Routers in a large network perform a lot of work Efficiency issues Nature of threat Firewalls Can examine an entire packet’s content, including the data portion. Network Security / G.Steffen 20 Access to Services & Servers in Kerberos

21 Wireless Security 1 Service Set Identifier (SSID) It is the identification of an access point It is a string of up to 32 characters Wired Equivalent Privacy (WEP) It uses an encryption key shared between the client and the access point. It uses either a 64bit or 128 bit encryption key. WiFI protected access (WPA) It is an alternate to WEP The encryption key is changed automatically on each pocket by a key change approach called Temporal Key Integrity Program (TKIP) Network Security / G.Steffen21

22 Wireless Security 2 Alarms & Alerts An intrusion detection system is a device that is placed inside a protected network to monitor what occurs within the network. Honey pots Loaded with servers, devices & data; it is a computer system or a network segment. A honeypot is put up for several reasons To watch what attackers do To lure an attacker to a place where you can identify and stop the attacker To provide an attractive but diversionary playground Network Security / G.Steffen22

23 Wireless Security 3 Traffic Flow Security Onion routing – messages are repeatedly encrypted and then sent through several network Network Security / G.Steffen23 Onion Routing

24 Summary 1 Network Security / G. Steffen24 TargetVulnerabilityControl Authentication Failures Impersonation Eavesdropping Spoofing Man-in-the Middle Attack Strong, One-Time Authentication Encrypted Authentication Channel Strong, One-Time Authentication VPN Protocol Analysis

25 Summary 2 Network Security / G. Steffen25 TargetVulnerabilityControl Programming Flaws Buffer Overflow Parameter Modifications Programming Controls Personal Firewall Intrusion Detection System Personal Firewall Confidentiality Protocol Flaw Eavesdropping, Passive Wiretap, Mis-delivery Cookie Programming Controls Controlled Execution Environment Encryption Firewall Intrusion Detection System

26 Summary 3 Network Security / G. Steffen26 TargetVulnerabilityControl Integrity Protocol Flaw Active Wiretap Noise DNS Attack Controlled Execution Environment Audit Encryption Error Detection Code Firewall Intrusion Detection System Strong Authentication for DNS Changes Audit

27 Summary 4 Network Security / G. Steffen27 TargetVulnerabilityControl Availability Protocol Flaw DNS Attack Traffic Redirection DDoS Firewall Redundant Architecture Firewall Intrusion Detection System ACL on Border Router Honeypot Encryption Audit ACL on Border Router Honeypot

Download ppt "7.3 Network Security Controls 1Network Security / G.Steffen."

Similar presentations

Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
IPSec.

IPSec.
Network Security.

Network Security.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.

IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.
Internet Protocol Security An Overview of IPSec. Outline:  What Security Problem?  Understanding TCP/IP.  Security at What Level?  IP Security. 

Internet Protocol Security An Overview of IPSec. Outline:  What Security Problem?  Understanding TCP/IP.  Security at What Level?  IP Security. 
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.

Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Wireless Encryption By: Kara Dolansky Network Management Spring 2009.

Wireless Encryption By: Kara Dolansky Network Management Spring 2009.
Securing TCP/IP Chapter 6. Introduction to Transmission Control Protocol/Internet Protocol (TCP/IP) TCP/IP comprises a suite of four protocols The protocols.

Securing TCP/IP Chapter 6. Introduction to Transmission Control Protocol/Internet Protocol (TCP/IP) TCP/IP comprises a suite of four protocols The protocols.
1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.

What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.
SSH Secure Login Connections over the Internet

SSH Secure Login Connections over the Internet

Similar presentations

Ads by Google