Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Security IS250 Spring 2010 John Chuang. 2 Outline  What is Network Security? -Security properties -Cryptographic techniques  Availability (or.

Published byDebra West Modified over 9 years ago

Similar presentations

Presentation on theme: "Network Security IS250 Spring 2010 John Chuang. 2 Outline  What is Network Security? -Security properties -Cryptographic techniques  Availability (or."— Presentation transcript:

1 Network Security IS250 Spring 2010 John Chuang

2 2 Outline  What is Network Security? -Security properties -Cryptographic techniques  Availability (or lack thereof) -Denial of service (DoS) attacks -DDoS and botnets  Operational security -Firewalls -Intrusion detection systems -Virtual private networks

3 John Chuang3 Securing the Network Stack  Application (layer 7): various security protocols  Transport (layer 4): Transport Layer Security (TLS)  Network (layer 3): IPsec  Data Link (layer 2): Wired Equivalent Privacy (WEP); 802.11i  Physical (layer 1): control of access to cables; perimeter security; acoustic security; … IPsec TLS HTTPS, SSH, PGP, S-BGP, DNSSEC,… Physical layer security WEP; 802.11i; … Unfortunately, IP address spoofing (forging of source address) is still unsolved, and source of many network security problems.

4 John Chuang4 Attacks  Eavesdropping -passwords, credit card numbers, etc.  Data tampering  Impersonation -Replay attack -Man-in-the-middle attack (e.g., IP address spoofing) -Phishing attack  Unauthorized access -System vulnerabilities -Password guessing (e.g., dictionary attack) -Social engineering (e.g., bribe, black-mail)  Denial-of-Service attack  Spam  Malware: Trojan horses, viruses, worms  …  Wide ranging scope  Some common attacks:

5 John Chuang5 Security Properties “CIA” and “AAA”  Confidentiality -Prevents eavesdropping  Integrity -Prevents modification of data  Authentication -Proves your identity to a third party; prevents impersonation  Accountability (non-repudiation) -Enables failure analysis; serves as deterrent  Authorization -Prevents misuse  Availability -Safeguards against denial-of-service

6 John Chuang6 Cryptographic Techniques  Encryption -Symmetric-key (e.g., AES) -Asymmetric-key (e.g., RSA)  Cryptographic hash (message digest) -e.g., MD5, SHA-1  Digital signature  Confidentiality  Authentication  Integrity  Non-Repudiation

7 John Chuang7 Encryption  Encryption/decryption algorithms are published  Encryption/decryption keys are kept secret  Symmetric cryptography -e-key = d-key  Asymmetric (public-key) cryptography -e-key != d-key -One key made public; the other kept private encryptiondecryption plaintext e-keyd-key ciphertext

8 John Chuang8 Key Exchange  How do Alice and Bob securely exchange encryption/decryption keys?  Asymmetric (public-key) cryptography -Each principal has public key K and private key K -1 -K -1 is kept secret, and cannot be deduced from K -K is made available to all  To achieve confidentiality: -A  B: {message}K B  To achieve integrity/authentication: -A  B: {message}K A -1 Note: “message” can be session key Note: this is a simplified form of a digital signature

9 John Chuang9 Public Key Management  How does Bob know that K A is really the public key of Alice?

10 John Chuang10 Public Key Certificate  A binding of key to identity, signed by a certificate authority (CA) A, K A, {H(A, K A )}K CA -1  PKI (public key infrastructure) provides support for certificate hierarchy with root certificate at the top of the tree CA signature Alice’s certificate Crypto hash

11 John Chuang11 Outline  What is Network Security? -Security properties -Cryptographic techniques  Availability (or lack thereof) -Denial of service (DoS) attacks -DDoS and botnets  Operational security -Firewalls -Intrusion detection systems -Virtual private networks

12 John Chuang12 Availability  Denial-of-Service (DoS) Attack: -Make a computer resource or service unavailable to users by overwhelming the computational and/or communication resources of the victim system  DoS statistics (Moore et al., Usenix 2001): -Prevalence: 13,000 DoS attacks recorded in 3 weeks -Duration: an attack can last for hours -Intensity: 600,000 packets per second  2008 ISP Infrastructure Security Report (Arbor, 2008) -Largest DDoS attack peak traffic volume of 40Gbps

13 John Chuang13 TCP SYN Flood Attack  Recall TCP session establishment -A  B: SYN -B  A: SYN + ACK -A  B: ACK  B has to keep state for every half-open connection, and an idle connection is closed only after long timeout  An attacker sends many SYN messages (with spoofed source IP addresses) to victim B  Legitimate clients cannot establish TCP session with B

14 John Chuang14 Smurf Attack  ICMP Echo Request attack  Attacker sends ICMP Echo Request (ping) messages to IP broadcast addresses (e.g., 128.32.255.255)  These ping messages have spoofed IP source address of target victim  Hosts receiving the Echo Request messages will respond with Echo Response (pong) messages  Target is flooded with ICMP Echo Response (pong) messages  This is an example of a reflected attack http://bluebuddies.com/gallery/Smurf_Art_Showcase/gif/Impus_Art_Smurf_Attack.gif

15 John Chuang15 Distributed DoS (DDoS) Attack  Attacker takes over machines via viruses and launches DoS attacks from these “zombies” or “bots”  Largest botnets can have millions of bots  Defensive approaches: filtering, traceback  Misaligned incentives an important contributor -Many owners unaware that their machine is a zombie -Owners not motivated to diligently patch their machines to protect against malware in the absence of perceived harm

16 John Chuang16 Botnets  (Application layer overlay) network of bots (Trojan horses) under the command & control of botnet operator  Botnet operators may control millions of machines and use them to launch DDoS attacks, send spam, perform keylogging, commit click fraud,… -Estimate: 70-90% of spam come from botnets  Underground market for botnet service -e.g., $500 for a DDoS attack using 10K bots -e.g., sites asked to pay $10-50k in extortion Source: Cisco

17 John Chuang17 Outline  What is Network Security? -Security properties -Cryptographic techniques  Availability (or lack thereof) -Denial of service (DoS) attacks -DDoS and botnets  Operational security -Firewalls -Intrusion detection systems -Virtual private networks

18 John Chuang18 Firewall  A firewall isolates an organization’s internal network from the public Internet -All traffic must pass through firewall -Only authorized traffic, as defined by local security policy, can pass  Two basic types: packet filter, application gateway http://www.randommart.com/images/firewall_1_images/firewall.diagram2.gif

19 John Chuang19 Firewall Policy Examples PolicyFirewall Setting No outside web accessDrop all outgoing packets to any IP address, destination port 80 No incoming TCP connections, except to public web server at IP address 1.2.3.4 Drop all incoming TCP SYN packets to any IP except 1.2.3.4, port 80 Allow DNS packets to leave network Allow outgoing UDP packets to any IP address, destination port 53 Prevent your network from being tracerouted Drop all outgoing ICMP TTL expired traffic Prevent your network from being used for a Smurf attack Drop all ICMP ping packets going to a broadcast address

20 John Chuang20 Application Gateway  Filters packets on application data as well as on IP/TCP/UDP fields host-to-gateway telnet session gateway-to-remote host telnet session application gateway router and filter Source: Kurose and Ross, Computer Networking, 5th Edition  Example: allow select internal users to telnet outside 1.require all telnet users to telnet through gateway 2.for authorized users, gateway sets up telnet connection to destination host. Gateway relays data between 2 connections 3.router filter blocks all telnet connections not originating from gateway

21 John Chuang21 Web server FTP server DNS server application gateway Internet demilitarized zone (DMZ) internal network firewall IDS sensors Intrusion Detection System  Monitors and reports suspicious traffic by performing deep packet inspection -Signature-based or Anomaly-based Source: Kurose and Ross, Computer Networking, 5th Edition

22 John Chuang22 Virtual Private Networks  Problem: -build a corporate intranet for an organization with multiple sites  Solutions: -Public internet connections (low cost) -Private (dedicated) network connections (confidential) -Virtual Private Network (both confidentiality and low cost) -Implemented in software

23 John Chuang23 VPN  VPN software in router at each site gives appearance of a private network  Implementation: -Obtain internet connection for each site -Choose router at each site to run VPN software -Configure VPN software in each router to know about the VPN routers at other sites -VPN software acts as a packet filter; next hop for outgoing datagram is another VPN router -Outgoing datagrams encrypted using IPsec Source: Doug Comer

24 John Chuang24 IPSec (RFC 2402, 2406)  Transport mode: payload encrypted; not header  Tunneling mode: entire packet encrypted; then encapsulated in separate packet (to keep source/destination addresses confidential)  Example: -Datagram from host x at site 1 to host y at site 2 -Router R 1 on site 1 encrypts, encapsulates in new datagram for transmission to router R 2 on site 2 Source: Doug Comer

Download ppt "Network Security IS250 Spring 2010 John Chuang. 2 Outline  What is Network Security? -Security properties -Cryptographic techniques  Availability (or."

Similar presentations

Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Security in Networks (Part 2) CPSC 363 Computer Networks Ellen Walker Hiram College (Includes figures from Computer Networking by Kurose & Ross, © Addison.

Security in Networks (Part 2) CPSC 363 Computer Networks Ellen Walker Hiram College (Includes figures from Computer Networking by Kurose & Ross, © Addison.
1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.

1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.
Network Security. Reasons to attack Steal information Modify information Deny service (DoS)

Network Security. Reasons to attack Steal information Modify information Deny service (DoS)
McGraw-Hill © ©The McGraw-Hill Companies, Inc., 2004 Chapter 31 Security Protocols in the Internet.

McGraw-Hill © ©The McGraw-Hill Companies, Inc., 2004 Chapter 31 Security Protocols in the Internet.
Chapters 8 Network Security Professor Rick Han University of Colorado at Boulder

Chapters 8 Network Security Professor Rick Han University of Colorado at Boulder
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Part 5:Security Network Security (Access Control, Encryption, Firewalls)

Part 5:Security Network Security (Access Control, Encryption, Firewalls)
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.

Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Chapter 8 Network Security Computer Networking: A Top Down Approach, 5 th edition. Jim Kurose, Keith Ross Addison-Wesley, April 2009.

Chapter 8 Network Security Computer Networking: A Top Down Approach, 5 th edition. Jim Kurose, Keith Ross Addison-Wesley, April 2009.
8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.

8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Security i206 Fall 2010 John Chuang Some slides adapted from Coulouris, Dollimore and Kindberg; Dave Messerschmidt; Adrian Perrig.

Security i206 Fall 2010 John Chuang Some slides adapted from Coulouris, Dollimore and Kindberg; Dave Messerschmidt; Adrian Perrig.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.

TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.

Similar presentations

Ads by Google