Download presentation
Presentation is loading. Please wait.
Published byLetitia Parsons Modified over 9 years ago
1
Security Chapter 9 (October 2002) Copyright 2003 Prentice-Hall Panko’s Business Data Networking and Telecommunications, 4 th edition.
2
2 Figure 9.1: Types of Attackers Wizard Internet Hackers Highly capable attackers Amateurs (Script Kiddies) Light skills, but numerous and armed with automated attack programs (kiddie scripts) of increasing potency
3
3 Figure 9.1: Types of Attackers Criminals Theft of credit card numbers, trade secrets, and other sensitive information Sell the information or attempt extortion to prevent the release of the information Individual criminals and organized crime Industrial and government espionage spies
4
4 Figure 9.1: Types of Attackers Employees Dangerous because of internal knowledge and access Often, large losses per incident due to theft, fraud, or sabotage
5
5 Figure 9.1: Types of Attackers Information Warfare and Cyberterrorism Massive attack by a government or terrorist group against a country’s IT infrastructure Attacks by amateur cyberterrorists are already starting to approach this level of threat
6
6 Figure 9.3: Attacks Requiring Protection Hacking Servers Access without permission or in excess of permission Attractive because of the data they store Hacking Clients Attractive because of their data or as a way to attack other systems by using the hacked client as an attack platform Soft targets compared to servers; most users are security novices
7
7 Figure 9.3: Attacks Requiring Protection Denial-of-Service (DoS) Attacks Make the system unavailable (crash it or make it run very slowly) by sending one message or a stream of messages. Loss of availability Single Message DOS Attack (Crashes the Victim) ServerAttacker
8
8 Figure 9.3: Attacks Requiring Protection Denial-of-Service (DoS) Attacks Make the system unusable (crash it or make it run very slowly) by sending one message or a stream of messages. Loss of availability. Message Stream DOS Attack (Overloads the Victim) ServerAttacker
9
9 Figure 9.4: Denial-of-Service Attacks Distributed DOS (DDoS) Attack: Messages Come from Many Sources Server DoS Attack Packets Computer with Zombie Computer with Zombie Attacker Attack Command Attack Command
10
10 Figure 9.3: Attacks Requiring Protection Scanning Attacks To identify victims and ways of attacking them Attacker sends messages to select victims and attack methods Examines data that responses reveal IP addresses of potential victims What services victims are running; different services have different weaknesses Host’s operating system, version number, etc.
11
11 Figure 9.3: Attacks Requiring Protection Malicious Content Viruses Infect files; propagate by executing infected program Payloads may be destructive Worms; propagate by themselves Trojan horses (appear to be one thing, such as a game, but actually are malicious) Snakes: combine worm with virus, Trojan horses, and other attacks
12
12 Figure 9.3: Attacks Requiring Protection Malicious Content Illegal content: pornography, sexual or racial harassment Spam (unsolicited commercial e-mail) Security group is often called upon to address pornography, harassment, and spam
13
13 Figure 9.2: Types of Security Systems Attacker Taps into the Conversation: Tries to Read Messages, Alter Messages, Add New Messages Client PC Server Message Exchange Secure Communication System
14
14 Figure 9.2: Types of Security Systems Attack Prevention System Corporate Network Hardened Client PC Hardened Server With Permissions Internet Attacker Attack Message Attack Message Firewall
15
15 Figure 9.5: Packet Filter Firewall Packet Filter Firewall IP-H TCP-H UDP-HApplication Message IP-HICMP Message Arriving Packets Permit Deny Corporate NetworkThe Internet Examines Packets in Isolation Fast but Misses Some Attacks
16
16 For Packets Containing TCP Segments: Rule 1 IF Interface = Internal AND (Source Port Number = 7056 OR Source Port Number = 8002 through 8007) THEN DENY Remark: Used by a well-known Trojan horse program. Figure 9.6: Access Control List Fragment
17
17 Figure 9.6: Access Control List Fragment Rule 2: IF Interface = External AND Destination Port Number = 80 AND Destination IP address = 60.16.210.22 THEN PERMIT Remark: Going to a known webserver.
18
18 Figure 9.6: Access Control List Fragment Rule 3: IF Interface = External AND Destination Port Number = 80 AND Destination IP Address = NOT 60.16.210.22 THEN DENY Remark: Going to an unknown webserver.
19
19 Figure 9.6: Access Control List Fragment Rule 4: IF Interface = External AND (SYN = AND FIN = Set) THEN DENY REMARK: Used in host scanning attacks and not in real transactions. 60.14.27.9 1. To: 60.14.27.9; SYN FIN 2. From: 60.14.27.9; RST
20
20 Figure 9.6: Access Control List Fragment Order Rules are executed in order If passed or denied by one rule, will not reach subsequent rules Misconfiguration is easy, opening the network to attack Always test a firewall by hitting it with attack messages to see if they are handled properly
21
21 Stateful Firewall Does not examine packets in isolation Examines each packet to see if it is part of an ongoing conversation Catches attacks that packet filter firewalls cannot Refuses a TCP acknowledgement if an internal host has not opened a connection to that host Usually does not examine a packet in detail if the packet is part of an ongoing conversation This can miss attack packets Beyond what is In the book
22
22 Figure 9.7: Application (Proxy) Firewall SMTP (E-Mail) Proxy FTP Proxy Application Firewall HTTP Proxy Browser Webserver Application 1. HTTP Request Client PC Webserver 2. Inspect Request Message
23
23 Figure 9.7: Application (Proxy) Firewall SMTP (E-Mail) Proxy FTP Proxy Application Firewall 3. Examined HTTP Request HTTP Proxy Browser Webserver Application Client PC Webserver
24
24 Figure 9.7: Application (Proxy) Firewall SMTP (E-Mail) Proxy FTP Proxy Application Firewall HTTP Proxy Browser Webserver Application 4. HTTP Response Client PC Webserver 5. Inspect Response Message
25
25 Figure 9.7: Application (Proxy) Firewall SMTP (E-Mail) Proxy FTP Proxy Application Firewall HTTP Proxy Browser Webserver Application 6. Examined HTTP Response Client PC Webserver
26
26 Figure 9.7: Application (Proxy) Firewall Can examine the application message to filter packets by application content If hacker takes over the proxy firewall, has not taken over the internal clients, with which it only has indirect contact Internal client’s IP address is hidden. All packets sent back by the server have the address of the application proxy server.
27
27 Figure 9.7: Application (Proxy) Firewall SMTP (E-Mail) Proxy FTP Proxy Application Firewall HTTP Proxy Browser Webserver Application Client PC Webserver There must be a proxy for each application
28
28 Figure 9.8: Network Address Translation (NAT) 12 NAT Firewall Client From 172.47.9.6, Port 59789 From 60.168.34.2, Port 63472 Internet Server Host IP Addr 172.47.9.6 … Port 59789 … IP Addr 60.168.34.2 … Port 63472 … InternalExternal Translation Table
29
29 Figure 9.8: Network Address Translation (NAT) 43 NAT Firewall Client Internet Server Host To 172.47.9.6, Port 59789 To 60.168.34.2, Port 63472 Translation Table IP Addr 172.47.9.6 … Port 59789 … IP Addr 60.168.34.2 … Port 63472 … InternalExternal
30
30 Figure 9.9: Intrusion Detection Dump Intrusion Detection System 4. Analysis of Dump Internal Host Network Administrator Attacker Legitimate Host 1. Attack Packet 2. All Packets 3. Notification of Possible Attack 1. Legitimate Packet
31
31 Firewalls versus Intrusion Detection Firewalls permit or deny traffic based on filtering rules Intrusion detection systems (IDSs) only save and mark certain packets as suspicious; do not take action IDSs identify all suspicious packets, many of which turn out to be acceptable; firewall drop rules are more specific Some firewalls issue alerts when packets are dropped and most firewalls log all drops New Not in the book
32
32 Figure 9.10: Hardening Clients and Servers Known Weaknesses Known security weaknesses in operating systems and application programs Most download vendor patches to fix these known weaknesses Firms often fail to do so (vendors issue 30-50 patches per week); must be installed on each server Host Firewalls Server firewalls and personal (client) firewalls
33
33 Figure 9.10: Hardening Clients and Servers Server Authentication Passwords Cracking with exhaustive search and dictionary attacks Strong passwords Super accounts Root in UNIX Administrator in Windows
34
34 Figure 9.10: Hardening Clients and Servers Server Authentication Rules for Strong Passwords At least 8 characters long At least one change of case At least one digit (0-9) not at the end At least one non-alphanumeric character (#@%^&*!) not at the end
35
35 Figure 9.11: Kerberos Authentication (Simplified) Kerberos Server Verifier Applicant 4. Ticket 1. Initial Sign On 2. Request Ticket 3. Ticket
36
36 Figure 9.10: Hardening Clients and Servers Server Authentication Biometric authentication Fingerprint: least expensive Iris: most accurate Face recognition: controversial in public places for mass identification Other forms of biometric identification Smart cards (ID card with microprocessor and data)
37
37 Figure 9.10: Hardening Clients and Servers Limiting Permissions on Servers (Ch. 10) Only permit access to some directories Limit permissions (what the user can do) there Like controlling access to a high-security building; not allowed to go anywhere and remove items, etc.
38
38 Figure 9.2: Types of Security Systems Attacker Taps into the Conversation: Tries to Read Messages, Alter Messages, Add New Messages Client PC Server Message Exchange Secure Communication System
39
39 Figure 9.12: Secure Communication System Client PC Server 1. Initial Negotiation of Security Parameters 2. Mutual Authentication 3. Key Exchange or Key Agreement 4. Subsequent Communication with Message-by-Message Confidentiality, Authentication, and Message Integrity
40
40 Figure 9.13: Symmetric Key Encryption for Confidentiality Plaintext “Hello” Encryption Method & Key Ciphertext “11011101” Symmetric Key Interceptor Network Same Symmetric Key Party A Party B
41
41 Figure 9.13: Symmetric Key Encryption for Confidentiality Ciphertext “11011101” Symmetric Key Interceptor Network Ciphertext “11011101” Same Symmetric Key Party A Party B ???
42
42 Figure 9.13: Symmetric Key Encryption for Confidentiality Symmetric Key Interceptor Network Ciphertext “11011101” Decryption Method & Key Plaintext “Hello” Same Symmetric Key Party A Party B
43
43 Figure 9.14: Symmetric Key Encryption for Confidentiality Shared Symmetric Key Party A Party B Shared Symmetric Key In Symmetric Key Encryption, Both sides Encrypt and Decrypt with The Same Symmetric Key
44
44 Figure 9.14: Public Key Encryption for Confidentiality Encrypt with Party B’s Public Key Party A Party B Decrypt with Party B’s Private Key
45
45 Figure 9.14: Public Key Encryption for Confidentiality Decrypt with Party A’s Private Key Party A Encrypt with Party A’s Public Key Party B
46
46 Quiz 1. In two-way conversations encrypted with symmetric key encryption, how many keys are used? 2. In two-way conversations encrypted with Public key encryption, how many keys are used?
47
47 Quiz 3. In public key encryption for confidentiality, the sender always encrypts with the _____ key of the _____. 4. In public key encryption for confidentiality, the receiver always decrypts with the ___ key of the _____.
48
48 Symmetric Versus Public Key Encryption Symmetric key encryption is very fast, so it can be used to encrypt long messages for confidentiality, including e-mail messages, website communication, database transactions, and almost all other user applications. However, public key encryption can provide confidentiality for very short messages. We will see how this helps in transferring symmetric keys and in digital signatures.
49
49 Figure 9.15: Public Key Distribution for Symmetric Keys Party A Party B 1.Create Symmetric Session Key 2. Encrypt Session Key with Party B’s Public Key 4. Decrypt Session Key with Party B’s Private Key 3. Send the Symmetric Session Key Encrypted With Party B’s Public Key
50
50 Figure 9.15: Public Key Distribution for Symmetric Keys Party A Party B 5. Subsequent Bulk Encryption For Confidentiality with Symmetric Session Key For All Messages
51
51 Figure 9.16: MS-CHAP Challenge-Response Authentication Protocol Client Applicant Server Verifier Challenge 1. Creates Challenge Message 2. Sends Challenge Message Note: Both the Client and the Server Know the Client’s Password
52
52 Figure 9.16: MS-CHAP Challenge-Response Authentication Protocol 3. Applicant Creates the Response Message: a)Adds Password to Challenge Message b)Hashes the Resultant Bit String c) This Gives the Response Message PasswordChallenge Response Hashing
53
53 Figure 9.16: MS-CHAP Challenge-Response Authentication Protocol PasswordChallenge Expected Response Hashing Transmitted Response 4. Applicant Sends Response Message 5. Verifier Adds password to the challenge message it sent. Hashes the combination. This should be the expected response message.
54
54 Figure 9.16: MS-CHAP Challenge-Response Authentication Protocol Expected ResponseTransmitted Response = ? 6. If the Two are Equal, The Client Knows the Password and is Authenticated
55
55 Figure 9.17: Digital Signature Sender Receiver DSPlaintext Add Digital Signature to Each Message Provides Message-by-Message Authentication Encrypted for Confidentiality
56
56 Figure 9.17: Digital Signature: Sender DS Plaintext MD Hash Sign (Encrypt) MD with Sender’s Private Key To Create the Digital Signature: 1.Hash the plaintext to create a brief message digest; This is NOT the digital signature 2. Sign (encrypt) the message digest with the sender’s private key to create the digital Signature
57
57 Figure 9.17: Digital Signature Sender Encrypts Receiver Decrypts Send Plaintext plus Digital Signature Encrypted with Symmetric Session Key DSPlaintext Transmission
58
58 Figure 9.17: Digital Signature: Receiver DSReceived Plaintext MD 1. Hash 2. Decrypt with True Party’s Public Key 3. Are they Equal? 1. Hash the received plaintext with the same hashing algorithm the sender used. This gives the message digest 2. Decrypt the digital signature with the sender’s public key. This also should give the message digest. 3. If the two match, the message is authenticated; The sender has the true Party’s private key
59
59 Figure 9.18: Public Key Deception Impostor “I am the True Person.” “Here is TP’s public key.” (Sends Impostor’s public key) “Here is authentication based on TP’s private key.” (Really Impostor’s private key) Decryption of message from Verifier encrypted with Impostor’s public key, so Impostor can decrypt it Verifier Must authenticate True Person. Believes now has TP’s public key Believes True Person is authenticated based on Impostor’s public key “True Person, here is a message encrypted with your public key.” Critical Deception
60
60 Digital Certificates Digital certificates are electronic documents that give the true party’s name and public key Applicants claiming to be the true party have their authentication methods tested by this public key If they are not the true party, they cannot use the true party’s private key and so will not be authenticated
61
61 Digital Signatures and Digital Certificates Public key authentication requires both a digital signature and a digital certificate to give the public key needed to test the digital signature DSPlaintext Applicant Verifier Certificate Authority Digital Certificate: True Party’s Public Key
62
62 Figure 9.19: Public Key Infrastructure (PKI) Verifier (Brown) Certificate Authority PKI Server Create & Distribute (1)Private Key and (2) Digital Certificate Applicant (Lee) Verifier (Cheng)
63
63 Figure 9.19: Public Key Infrastructure (PKI) Verifier (Brown) Certificate Authority PKI Server 4. Certificate for Brown Applicant (Lee) Verifier (Cheng) 3. Request Certificate for Brown
64
64 Figure 9.19: Public Key Infrastructure (PKI) Verifier (Brown) Certificate Authority PKI Server 6. Check Certificate Revocation List (CRL) For Lee’s Digital Certificate Applicant (Lee) 5. Certificate for Lee Verifier (Cheng) 7. Revoked or OK
65
65 Figure 9.20: Security at Multiple Layers LayerExample Application Application-specific (for instance, passwords for a database program); Application (Proxy) Firewalls TransportSSL (TLS), Packet Filter Firewalls InternetIPsec, Packet Filter Firewalls Data Link Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) PhysicalPhysical locks on computers, Notebook Encryption
66
66 Figure 9.20: Security at Multiple Layers Having security at multiple layers provides protection if one layer’s security fails Having security at multiple layers also slows processing on the device So provide protection in at least two layers but not in all layers
67
67 Figure 9.21: Creating Appropriate Security Understanding Needs Need to make security proportional to risks Organizations face different risks Policies and Enforcement Policies bring consistency Must be enforced. Training in the importance of security and in protection techniques Social engineering prevention training
68
68 Figure 9.21: Creating Appropriate Security Policies and Enforcement Security audits: attack your system proactively You must really be able to trust your testers Incident handling Stopping the attack Restoring the system Prosecution Planning and practicing before the incident Privacy Need to protect employee & customer privacy
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.