Slide 1-1: Network Security MET CS-625 Unit 6
Published by Anastasia Barnett (SlidePlayer upload, modified over 9 years ago)

Slide 1-2: Objectives
- Discuss security tradeoffs
- Examine specific threats in an enterprise network
- Discuss development of a site security policy

Slide 1-3: Changes in security requirements
- It used to be that computers were kept in locked rooms
- Often users did not even have an account on the computer
- Now everyone has a computer that attaches to a network of secure and insecure devices
- When attached to the Internet the machine is potentially open to anyone in the world

Slide 1-4: The Orange Book
- Government publication describing security of computing systems
- Uses a gradation of security from D (insecure, i.e. DOS) to A1 (super secure)
- Security is not black and white... it is a continuum

Slide 1-5: Tradeoffs in security design
- Services offered versus level of security
- Ease of use versus security
- Cost of security versus cost of loss

Slide 1-6: Extending the definition of security
- Security doesn't only mean theft or compromise of data
- Can also mean complete loss of data or assets
  – Example: A fire destroys your disk farm
- For our discussion we'll assume that the earthquake won't hit

Slide 1-7: Why have a security policy?
- Inform users of the requirements for protecting information and assets
- Spell out the procedures and mechanisms used to meet the requirements
- Provides a baseline to audit the site for compliance
- May also include an appropriate use policy

Slide 1-8: Physical threats
- Orange Book A1 security requires a machine in a vault with no external connections... including power
- It points out that if someone can touch your machine, it can be compromised
- This extends to all components of the network... switches, phone lines, etc.

Slide 1-9: Social engineering
- Kevin Mitnick testified before Congress that most of his hacker work was accomplished without the use of technology
- Users are surprisingly naive when confronted by technology
- Humans tend to fall into easily discernible patterns
- Part of the security policy must acknowledge and plan for this

Slide 1-10: Network threats
- Any time a computer is connected to a network it is open to a variety of threats
- We'll look at three broad categories
  – Unauthorized access
  – Impersonation
  – Denial of service

Slide 1-11: Unauthorized access
- Intruder gains access to information
- Hardest to protect against
- Many avenues
  – Social engineering
  – Packet snooping
  – Eavesdropping

Slide 1-12: Impersonation
- Related to unauthorized access
- Means the ability to present credentials to make it seem you are someone or something you are not
- Spoofing
- Replay

Slide 1-13: Sequence number attack
- TCP packets use a sequence number that increments in a known, non-random way for identification of a connection
- By making valid connections to a machine it may be possible to deduce the next sequence number
- Attacker then starts sending packets to the server with valid sequence numbers (possibly using a DoS attack on some other machine)

Slide 1-14: Session hijacking
- Intruder monitors traffic between two machines
- Captures packets
- Starts to send packets with the authorized machine's credentials
- Somewhat easier than a sequence number attack

Slide 1-15: Denial of service (DoS)
- Purpose: prevent use of a network resource
- Many scenarios
- Most rely on incapacitating a server with an overload of traffic
- Often very difficult to trace
  – SYN
  – Ping of Death
  – SMURF

Slide 1-16: SYN attack (LAND.C)
- Not used much anymore due to updates in server code
- Send forged packets to the server with the server's address in the destination field
- Standard SYN flood generates multiple SYN requests to a server using bogus destination addresses
  – Server must allocate buffers for each connection
  – Eventually memory is exhausted

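The buffer exhaustion the slide describes is visible on the server side as connections stuck after the SYN. The following is an added defender-side illustration, not code from the slides: it counts half-open handshakes per service in a constructed, simplified log of client-to-server packets ("<seconds> <client_ip> <server_ip>:<port> <flags>", flags S for SYN or A for the handshake's final ACK; this log format and the threshold are assumptions) and flags services whose half-open count exceeds a threshold.

```python
"""Half-open connection counter for spotting a SYN flood (added example)."""
from collections import defaultdict

# Constructed sample: one legitimate client completes its handshake, eight
# SYNs from distinct (presumably spoofed) addresses never do, and a second
# legitimate client on port 443 completes as well.
SAMPLE_LOG = """\
0.00 10.0.0.5 192.0.2.10:80 S
0.02 10.0.0.5 192.0.2.10:80 A
0.10 198.51.100.1 192.0.2.10:80 S
0.11 198.51.100.2 192.0.2.10:80 S
0.12 198.51.100.3 192.0.2.10:80 S
0.13 198.51.100.4 192.0.2.10:80 S
0.14 198.51.100.5 192.0.2.10:80 S
0.15 198.51.100.6 192.0.2.10:80 S
0.16 198.51.100.7 192.0.2.10:80 S
0.17 198.51.100.8 192.0.2.10:80 S
0.20 10.0.0.6 192.0.2.10:443 S
0.21 10.0.0.6 192.0.2.10:443 A
"""


def half_open_per_service(log_text):
    """Return {server_ip:port -> number of SYNs never completed by an ACK}."""
    pending = defaultdict(set)          # service -> clients still mid-handshake
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, service, flags = line.split()
        if flags == "S":
            pending[service].add(client)        # buffer allocated for this client
        elif flags == "A":
            pending[service].discard(client)    # handshake completed, buffer freed
    return {svc: len(clients) for svc, clients in pending.items()}


def flood_suspects(log_text, threshold=5):
    """Services whose half-open count exceeds the threshold (assumed value)."""
    counts = half_open_per_service(log_text)
    return sorted(svc for svc, n in counts.items() if n > threshold)


if __name__ == "__main__":
    print(half_open_per_service(SAMPLE_LOG))
    print("suspect services:", flood_suspects(SAMPLE_LOG))
```

Legitimate clients drop out of the count as soon as their ACK arrives, so the figure reported per service is exactly the number of buffers the slide says the server is forced to hold.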
Slide 1-17: Ping of death
- Max size of an IP packet is 64k
- However packets may be fragmented
- Fragments rely on sequence numbers and offsets
- Using an offset with multiple large IP packets can result in buffer overflows and server crashes
- This one is extremely difficult to trace

Slide 1-18: SMURF
- Smurfing also uses ICMP Echo packets (pings)
- In this attack the destination and source addresses are forged to be broadcast addresses
- In a poorly protected network this may generate a cascade of thousands of echo responses for each individual smurf packet

Slide 1-19: teardrop.c
- Teardrop attacks use IP fragment vulnerabilities
- Ping of Death simply sends an extremely large IP packet
- Teardrop sends fragments that overlap
- Result: Server crash

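Both of the fragment attacks on slides 1-17 and 1-19 are caught by the same reassembly-time sanity checks: reject a datagram whose fragments would reassemble past the 65535-byte IP limit, and reject fragments that start inside data an earlier fragment already covered. The following is an added example, not code from the slides; it models a fragment as (offset, length, more-fragments) with byte offsets (real IP headers carry the offset in 8-byte units) and uses constructed fragment sets.

```python
"""Fragment sanity checks for the ping-of-death and teardrop patterns (added example)."""
from typing import List, NamedTuple

MAX_IP_DATAGRAM = 65535      # largest total length an IP datagram may have


class Fragment(NamedTuple):
    offset: int       # byte offset of this fragment's payload within the datagram
    length: int       # payload bytes carried by this fragment
    more: bool        # "more fragments" flag


def check_fragments(frags: List[Fragment]) -> List[str]:
    """Return the problems found, sorted:
    'oversized' - some fragment ends beyond 65535 bytes (ping-of-death pattern)
    'overlap'   - a fragment starts inside an earlier one (teardrop pattern)"""
    findings = set()
    covered_to = 0                                   # highest byte seen so far
    for f in sorted(frags, key=lambda f: f.offset):
        end = f.offset + f.length
        if end > MAX_IP_DATAGRAM:
            findings.add("oversized")
        if f.offset < covered_to:
            findings.add("overlap")
        covered_to = max(covered_to, end)
    return sorted(findings)


def should_drop(frags: List[Fragment]) -> bool:
    """A reassembler should discard the whole datagram on any finding."""
    return bool(check_fragments(frags))


# Constructed inputs: a normal 3060-byte datagram split over Ethernet-sized
# fragments, one whose last fragment ends past the limit, and one whose
# second fragment begins 12 bytes inside the first.
NORMAL = [Fragment(0, 1480, True), Fragment(1480, 1480, True), Fragment(2960, 100, False)]
OVERSIZED = [Fragment(0, 1480, True), Fragment(65528, 64, False)]
OVERLAPPING = [Fragment(0, 36, True), Fragment(24, 36, False)]

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("oversized", OVERSIZED), ("overlapping", OVERLAPPING)):
        print(name, check_fragments(frags), "drop" if should_drop(frags) else "accept")
```

Sorting by offset first means the overlap test does not depend on the order fragments arrive in, which is exactly the case a reassembler has to cope with.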
Slide 1-20: SMTP/Email attacks
- Bombing
  – Multiple identical messages to a single recipient
- Spamming
  – Multiple messages to multiple recipients
- Filters are useful in preventing an attack, however spam continues to be used as a marketing tool

Slide 1-21: Session replay
- Record an entire TCP/IP stream
- Modify the stream
- Replay it

Slide 1-22: Cookie Poisoning
- Analyze the format of data stored in a cookie
  – Not all sites encrypt data
- Modify cookie
- Log back on to site
- Ex: LastPageVisited%2Fkidpub%2Fschools%2Fkidpub-schools-directory.phpwww.kidpub.com/1024249897292829604757327755579229604673*AuthorIDP3c2236b9bc029www.kidpub.com/102462152012829604682327735579229604673*

Slide 1-23: Parameter tampering
- Change parameters in URL request strings
  – Ex: http://www.com/order?price=9.99&item=1234
- Can also examine hidden fields in forms
- Simple to avoid by using POST instead of GET in HTTP sources

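Slides 1-22 and 1-23 describe the same underlying problem: state that the server handed to the client (a cookie, a price in a URL, a hidden field) comes back modified. The following is an added example, not code from the slides, showing two server-side defences: cookie contents are authenticated with an HMAC under a server-only secret, so an edited cookie fails verification, and the order handler takes only the item id from the request and looks the price up itself. The secret, catalog, and URLs are constructed.

```python
"""Server-side defences against cookie poisoning and parameter tampering (added example)."""
import base64
import hashlib
import hmac
from decimal import Decimal
from typing import Optional
from urllib.parse import parse_qs, urlsplit

SERVER_SECRET = b"constructed-server-side-secret"             # constructed; never sent to clients
CATALOG = {"1234": Decimal("9.99"), "5678": Decimal("249.00")}   # constructed price list


def _mac(payload: str) -> str:
    """URL-safe base64 of HMAC-SHA256(secret, payload)."""
    digest = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def sign_cookie(payload: str) -> str:
    """Cookie value = payload + '.' + tag. The client can read it but not alter it."""
    return f"{payload}.{_mac(payload)}"


def verify_cookie(cookie: str) -> Optional[str]:
    """Return the payload if the tag matches; None if tampered or malformed."""
    payload, sep, tag = cookie.rpartition(".")   # tag never contains '.', so rpartition is safe
    if not sep:
        return None
    if not hmac.compare_digest(tag, _mac(payload)):   # constant-time comparison
        return None
    return payload


def order_trusting_client(url: str) -> Optional[Decimal]:
    """The tamperable pattern from slide 1-23: the price is taken from the query string."""
    q = parse_qs(urlsplit(url).query)
    return Decimal(q["price"][0]) if "price" in q else None


def order_server_priced(url: str) -> Optional[Decimal]:
    """Hardened: only the item id comes from the client; any price parameter is ignored."""
    q = parse_qs(urlsplit(url).query)
    item = q.get("item", [None])[0]
    return CATALOG.get(item)           # None for an unknown item


if __name__ == "__main__":
    c = sign_cookie("AuthorID=42")
    print("signed cookie:", c, "->", verify_cookie(c))
    print("edited cookie ->", verify_cookie("AuthorID=43." + c.rpartition(".")[2]))
    tampered = "http://www.com/order?price=0.01&item=1234"   # constructed tampered URL
    print("trusting handler:", order_trusting_client(tampered))
    print("server-priced handler:", order_server_priced(tampered))
```

Switching a form from GET to POST only moves the parameter out of the address bar; it is still client-supplied, which is why the hardened handler ignores it entirely rather than hiding it.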
Slide 1-24: Buffer overflows
- Attacker crafts code that overwrites a portion of the stack
- Code replaces the return address on the stack with one the attacker chooses
- The return address points either to the attacking code or somewhere else malicious
- Results can be a crash or control

Slide 1-25: Cross-site scripts
- Insert script code (such as JavaScript) into form fields
- Script is executed on the browser
- Social engineering attack
- To avoid, use server-side parsing of inputs (data validation)

Slide 1-26: Code injection
- Pass extra SQL commands on the HTTP request string
- Ex: http://my.com/getCart?SQL='select creditCard from master where ID=12345'
- Mod: http://my.com/getCart?SQL='select creditCard from master where ID=12345' + ' OR ID=*'

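The slide's example works because the request parameter becomes part of the SQL text. The following is an added example, not code from the slides: an in-memory SQLite table with constructed rows (the card column holds masked placeholders, not real numbers), the concatenating query beside a version that validates the id and binds it as a parameter, so the input can never change the statement's structure. The `OR 1=1` input is a constructed stand-in for the slide's `OR ID=*`.

```python
"""SQL injection: concatenated query beside a parameterized one (added example)."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed table mirroring the slide's 'master' with masked card values."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE master (ID INTEGER PRIMARY KEY, creditCard TEXT)")
    conn.executemany(
        "INSERT INTO master VALUES (?, ?)",
        [(12345, "****1111"), (12346, "****2222"), (12347, "****3333")],
    )
    return conn


def get_card_vulnerable(conn: sqlite3.Connection, user_id: str):
    """The slide's pattern: the request parameter is pasted into the SQL text."""
    sql = "SELECT ID, creditCard FROM master WHERE ID=" + user_id
    return conn.execute(sql).fetchall()


def get_card_safe(conn: sqlite3.Connection, user_id: str):
    """Hardened: reject anything that is not an integer, then bind it as a parameter."""
    if not user_id.isdigit():
        raise ValueError("ID must be numeric")
    return conn.execute(
        "SELECT ID, creditCard FROM master WHERE ID=?", (int(user_id),)
    ).fetchall()


if __name__ == "__main__":
    db = setup_db()
    print("normal   :", get_card_vulnerable(db, "12345"))
    print("injected :", get_card_vulnerable(db, "12345 OR 1=1"))   # every row comes back
    print("bound    :", get_card_safe(db, "12345"))
    try:
        get_card_safe(db, "12345 OR 1=1")
    except ValueError as exc:
        print("rejected :", exc)
```

Even without the `isdigit` check, the bound version would return nothing for the injected string, because the driver sends it as a value to compare against `ID`, not as SQL; the validation simply turns a silent empty result into a logged rejection.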
Slide 1-27: File enumeration
- Examine source code and site to find file names, directories, etc.
- Use files to determine if site is vulnerable to other attack modes

Slide 1-28: Forceful browsing
- Access site pages out of order
- May be able to bypass security checks
- Data validation may also be weak on pages deep in site
- Can be used with other attacks such as parameter tampering

Slide 1-29: Other vulnerabilities
- Weak encryption
- Open access to admin pages
- Information leakage
- Access to logs

Slide 1-30: Ways to avoid problems
- Practice least privilege
  – Users get no more access than what they need to do their job
- Secure defaults
- Validate all data from external sources
  – Data are called 'tainted' if from outside
- Prevent information leakage
- Defense in depth

Slide 1-31: Application layer options
- SHTML
- PGP
- Block encryption
  – 3DES
  – Blowfish
  – IDEA
  – RC5
- Message digests (MD5 etc.)

Slide 1-32: Hashing
- Used to provide evidence that a message has not been tampered with
- No key involved
- Algorithms are collision resistant
- Hash algorithm is one-way
  – SHA1 and MD5 are in common use
- Typically will hash an encrypted message twice
  – Original + encrypted

Slide 1-33: SHTML
- Uses encryption of the data stream between client and server
- Only recently has strong encryption become available in the US
- Still vulnerable to certain attacks because key exchange must happen in the clear

Slide 1-34: Symmetric vs asymmetric cryptography
- Symmetric
  – Algorithm uses the same key on both sides of the transaction
  – Keys must be exchanged in a trusted manner
  – Rotation keys often used
- Asymmetric
  – Only one key is available to the public
  – No need to exchange keys
  – PGP/PKI is an example

Slide 1-35: PGP
- Pretty Good Privacy
- Uses private/public key encryption
- Extremely strong encryption
- Used both for encryption and digital signatures
- Until recently PGP was a controlled technology

Slide 1-37: Public-Key Encryption Components
- Plaintext
- Encryption algorithm
- Public and private key
- Ciphertext
- Decryption algorithm

Slide 1-38: Public-Key Encryption Operation (figure only)

Slide 1-39: Public-Key Signature Operation (figure only)

Slide 1-40: Characteristics of Public-Key
- Computationally infeasible to determine the decryption key given knowledge of the cryptographic algorithm and the encryption key
- Either of the two related keys can be used for encryption, with the other used for decryption

Slide 1-41: Steps in Public Key Encryption
- Each user generates a pair of keys to be used for the encryption and decryption of messages.
- Each user places one of the two keys in a public register or other accessible file. This is the public key. The companion key is kept private.
- If Bob wishes to send a private message to Alice, Bob encrypts the message using Alice's public key.
- When Alice receives the message, she decrypts it using her private key. No other recipient can decrypt the message because only Alice knows Alice's private key.

Slide 1-42: Digital Signature Process (figure only)

Slide 1-43: RSA Encryption Algorithm
- Developed in 1977, first published in 1978
- Widely accepted and implemented approach to public-key encryption
- For plaintext block M and ciphertext block C
  – C = M^e mod n
  – M = C^d mod n = (M^e)^d mod n = M^(ed) mod n
- Both sender and receiver must know the values of n and e; only the receiver knows the value of d
- Public key KU = {e, n}
- Private key KR = {d, n}

Slide 1-44: RSA Requirements
- It is possible to find values of e, d, n such that M^(ed) = M mod n for all M < n.
- It is relatively easy to calculate M^e and C^d for all values of M < n.
- It is infeasible to determine d given e and n.
  – This requirement can be met with large values of e and n

Slide 1-45: Approaches to Defeating RSA
- Brute force approach: try all possible private keys.
  – The larger the number of bits in e and d, the more secure the algorithm.
  – However, the larger the size of the key, the slower the system will run.
- Cryptanalysis: factoring n into its two prime factors
  – A hard problem, but not as hard as it used to be
  – Currently, a 1024-bit key size is considered strong enough for virtually all applications

Slide 1-46: Key Management
- Symmetric encryption requires both parties to share a secret key
- Secure distribution of keys is the most difficult problem for symmetric encryption
- Public key encryption solves this problem, but adds the issue of authenticity
- Public key certificates address this issue

Slide 1-47: Public Key Certificates (figure only)

Slide 1-48: Public Key Certificate Process
1. A public key is generated by the user and submitted to Agency X for certification.
2. X determines by some procedure, such as a face-to-face meeting, that this is authentically the user's public key.
3. X appends a timestamp to the public key, generates the hash code of the result, and encrypts that result with X's private key, forming the signature.
4. The signature is attached to the public key.

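The RSA formulas of slides 1-43 and 1-44, the one-way hash of slide 1-32, and the four-step certificate procedure of slide 1-48 fit together in one worked program. The following is an added example, not code from the slides or any library: it generates a key pair with 256-bit Miller-Rabin primes and e = 65537 (the slides fix no e or size; these are assumptions), encrypts and decrypts a block, signs SHA-256 hashes, and then plays Agency X: the timestamp (a constructed value) is appended to the user's public key, the result hashed, and the hash raised to X's private exponent. Textbook RSA without padding is used because that is what the slides present; deployed RSA needs OAEP for encryption and PSS or PKCS#1 v1.5 for signatures, which this code does not implement.

```python
"""Textbook RSA, hash-then-sign, and the slide 1-48 certificate procedure (added example)."""
import hashlib
import random

_rng = random.SystemRandom()


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin: trial division by small primes, then `rounds` random witnesses."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:                      # write n-1 as d * 2^r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                   # witness found: n is composite
    return True


def gen_prime(bits: int) -> int:
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # exact size, odd
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512):
    """Return (public (e, n), private (d, n)) with e*d = 1 mod (p-1)(q-1)."""
    e = 65537                              # assumed public exponent
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    d = pow(e, -1, phi)                    # modular inverse (Python 3.8+)
    return (e, p * q), (d, p * q)


def encrypt(m: int, public) -> int:
    e, n = public
    if not 0 <= m < n:
        raise ValueError("block M must satisfy 0 <= M < n")
    return pow(m, e, n)                    # C = M^e mod n


def decrypt(c: int, private) -> int:
    d, n = private
    return pow(c, d, n)                    # M = C^d mod n = M^(ed) mod n


def _hash_int(data: bytes) -> int:
    """SHA-256 as an integer; n is 512 bits, so the hash is always below n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, private) -> int:
    """Signature = hash(data)^d mod n: only the holder of d can produce it."""
    d, n = private
    return pow(_hash_int(data), d, n)


def verify(data: bytes, sig: int, public) -> bool:
    e, n = public
    return pow(sig, e, n) == _hash_int(data)


def certify(user_public, timestamp: int, agency_private) -> dict:
    """Steps 3 and 4 of slide 1-48: key || timestamp, hashed, signed by Agency X."""
    record = f"{user_public[0]}:{user_public[1]}:{timestamp}".encode()
    return {"public": user_public, "timestamp": timestamp,
            "signature": sign(record, agency_private)}


def verify_certificate(cert: dict, agency_public) -> bool:
    """Anyone holding X's public key can check the binding; any edit breaks it."""
    record = f"{cert['public'][0]}:{cert['public'][1]}:{cert['timestamp']}".encode()
    return verify(record, cert["signature"], agency_public)


if __name__ == "__main__":
    alice_pub, alice_priv = generate_keypair()
    agency_pub, agency_priv = generate_keypair()
    print("round trip ok:", decrypt(encrypt(12345, alice_pub), alice_priv) == 12345)
    cert = certify(alice_pub, 1700000000, agency_priv)         # constructed timestamp
    print("certificate valid:", verify_certificate(cert, agency_pub))
    forged = dict(cert, public=(alice_pub[0], alice_pub[1] + 2))   # someone else's "key"
    print("forged certificate valid:", verify_certificate(forged, agency_pub))
```

The certificate check is what slide 1-46 means by authenticity: a relying party who already trusts X's public key learns that this particular key was bound to this user at this time, and a substituted key or altered timestamp changes the hash and so fails verification.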
Slide 1-49: Virtual Private Networks (VPNs)
- Internet connectivity provides easier access for telecommuters and off-site employees
- Use of a public network exposes corporate traffic to eavesdropping and provides an entry point for unauthorized users
- A variety of encryption and authentication packages and products are available to secure and authenticate remote access
- Need for a standard that allows a variety of platforms to interconnect securely

Slide 1-50: Applications of IPSec
- Secures communications across a LAN, WANs, and/or the Internet
- Can encrypt and/or authenticate all traffic at the IP level
- Examples of use:
  – Secure branch office connectivity over the Internet
  – Secure remote access over the Internet
  – Establishing extranet and intranet connectivity with partners
  – Enhancing electronic commerce security

Slide 1-51: Benefits of IPSec
- When implemented in a firewall or router, provides strong security for all traffic crossing the perimeter
- IPSec in a firewall is resistant to bypass
- Runs below the transport layer (TCP, UDP) and so is transparent to applications
- Can be transparent to end users
- Can provide security for individual users if needed

Slide 1-52: IPSec Functions
- IPSec provides three main facilities
  – authentication-only function referred to as Authentication Header (AH)
  – combined authentication/encryption function called Encapsulating Security Payload (ESP)
  – a key exchange function
- For VPNs, both authentication and encryption are generally desired

Slide 1-53: ESP Transport and Tunneling
- Transport Mode
  – provides protection primarily for upper-layer protocols
  – typically used for end-to-end communication between two hosts
  – encrypts and optionally authenticates the IP payload but not the IP header
  – useful for relatively small networks; for a full-blown VPN, tunnel mode is far more efficient
- Tunnel Mode
  – provides protection to the entire packet
  – original packet is encapsulated in ESP fields, protecting contents from examination
  – used when one or both ends is a security gateway
  – multiple hosts on networks behind firewalls may engage in secure communications without implementing IPSec

Slide 1-54: IPSec Key Management
- Manual
  – System administrator manually configures each system with its own keys and with the keys of other communicating systems
  – Practical for small, relatively static environments
- Automated
  – Enables the on-demand creation of keys for SAs and facilitates the use of keys in a large distributed system
  – Most flexible but requires more effort to configure and requires more software

Slide 1-55: IPSec and VPNs
- Organizations need to isolate their networks and at the same time send and receive traffic over the Internet
- Authentication and privacy mechanisms of secure IP allow for a security strategy
- IPSec can be implemented in routers or firewalls owned and operated by the organization, allowing the network manager complete control over security aspects of the VPN

Slide 1-56: Transport layer
- Secure socket layer (SSL)
- Secure shell (SSH)
- Socket security (SOCKS)

Slide 1-57: Network layer / Link layer
- IPSec (IP Security suite)
- Cisco layer 2 forwarding protocol for VPN
- Point to point tunneling

Slide 1-58: Creating security policies
- What are you trying to protect?
- What are you protecting it from?
- How likely are the threats?
- Implement measures to protect your assets
- Continuously review and revise your policy

Slide 1-59: Resources
- www.rootshell.com
- www.cert.org