Final Exam Review IT443 – Network Security Administration 1.

1 Final Exam Review IT443 – Network Security Administration

2 Fundamental Tenet of Cryptography
What is it? If lots of smart people have failed to solve a problem, then it probably won't be solved (soon). The practical consequence: rely on algorithms that have survived years of public scrutiny rather than on a home-made cipher.

3 Network Basics
Network layers
–Application layer
–Transport layer
–IP layer
–Data link layer
Protocols: TCP, UDP, IP, SSH, HTTP
Addresses: IP address, MAC address, "TCP address"? (there is no such thing: TCP identifies an endpoint by IP address plus port number)
Port number

4 Layer Encapsulation
[Figure: User A's application data ("Get index.html") is wrapped by the transport layer (connection ID, i.e., port numbers), then by the IP layer (source/destination IP address), then by the data link layer (link address), and unwrapped in reverse order at User B.]

5 Network Basics
Headers
–[Ethernet header [IP header [TCP header [Payload]]]]
TCP / UDP
–TCP is reliable: acknowledgement, retransmission, discarding of duplicates, …
–TCP 3-way handshake: SYN, SYN-ACK, ACK (FIN closes a connection; it is not part of the handshake)

6 Establishing a TCP Connection
Three-way handshake to establish a connection
–Host A sends a SYN (open) to host B
–Host B returns a SYN acknowledgment (SYN ACK)
–Host A sends an ACK to acknowledge the SYN ACK; data can then flow
Each host tells its initial sequence number (ISN) to the other host.

7 Unreliable Message Delivery Service
User Datagram Protocol (UDP)
–IP plus port numbers
–Optional error checking on the packet contents (the UDP checksum is optional in IPv4)
Lightweight communication between processes
–Avoids the overhead and delays of ordered, reliable delivery
–For example: VoIP, video conferencing, gaming
UDP header (8 bytes): source port, destination port, length, checksum; then data

8 TCP Header
Fields: source port, destination port, sequence number, acknowledgment number, header length (HdrLen), flags, advertised window, checksum, urgent pointer, options (variable), data
Flags: SYN FIN RST PSH URG ACK

9 Network Basics
IP layer
–Routing (packets may take different paths)
–IP prefix, e.g., 12.34.158.0/24
–Classful addressing (Class A, B, C)
–Classless Inter-Domain Routing (CIDR)
–Private networks (RFC 1918; not routed on the public Internet)
10.0.0.0/8 (255.0.0.0)
172.16.0.0/12 (255.240.0.0)
192.168.0.0/16 (255.255.0.0)

10 IP Packet
20-byte header (without options):
–4-bit version, 4-bit header length, 8-bit type of service (TOS), 16-bit total length (bytes)
–16-bit identification, 3-bit flags, 13-bit fragment offset
–8-bit time to live (TTL), 8-bit protocol, 16-bit header checksum
–32-bit source IP address
–32-bit destination IP address
Options (if any), then payload
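Added example (Python, not from the slides): a parser that peels the three headers of slides 5, 8 and 10 off one frame. The frame is a constructed byte string, not a real capture; its IP and TCP checksums were computed by hand for exactly these bytes, so the parser's RFC 1071 verification is a genuine check. It also answers the slide-12 question about where destination information lives: the Ethernet header carries the destination MAC, the IP header the destination IP address, and the TCP header the destination port.

```python
import struct

# Constructed sample frame (not a real capture): Ethernet / IPv4 / TCP / HTTP.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"                              # Ethernet: dst MAC, src MAC, type=IPv4
    "4500" "0044" "1234" "4000" "4006" "2ac8" "c0a8010a" "cb007105"   # IPv4: 192.168.1.10 -> 203.0.113.5, TTL 64, proto 6
    "c350" "0050" "00000001" "00000065" "5018" "ffff" "2c36" "0000"   # TCP: 50000 -> 80, seq 1, ack 101, PSH|ACK
    "474554202f696e6465782e68746d6c20485454502f312e300d0a0d0a"        # "GET /index.html HTTP/1.0\r\n\r\n"
)

TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over data whose checksum field is filled in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_ethernet(frame: bytes):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src), "type": ethertype}, frame[14:]


def parse_ipv4(data: bytes):
    (vihl, tos, total_len, ident, flags_frag,
     ttl, proto, cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (vihl & 0x0F) * 4                 # header length in bytes (options included)
    hdr = {
        "version": vihl >> 4, "ihl": ihl, "total_length": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "src": ip_str(src), "dst": ip_str(dst),
        "checksum_ok": internet_checksum(data[:ihl]) == 0,   # header-only checksum
    }
    return hdr, data[ihl:total_len], src, dst


def parse_tcp(segment: bytes, src_ip: bytes, dst_ip: bytes):
    sport, dport, seq, ack, off_flags, window, cksum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    hlen = (off_flags >> 12) * 4
    flags = off_flags & 0x3F
    # TCP checksum covers a pseudo-header (addresses, protocol, length) plus the whole segment.
    pseudo = struct.pack("!4s4sBBH", src_ip, dst_ip, 0, 6, len(segment))
    hdr = {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "hdr_len": hlen,
        "flags": {name for bit, name in TCP_FLAG_NAMES.items() if flags & bit},
        "window": window, "checksum_ok": internet_checksum(pseudo + segment) == 0,
    }
    return hdr, segment[hlen:]


def parse_frame(frame: bytes) -> dict:
    """Unwrap [Ethernet [IP [TCP [payload]]]] layer by layer, stopping at the first unknown protocol."""
    eth, rest = parse_ethernet(frame)
    if eth["type"] != 0x0800:
        return {"ethernet": eth, "payload": rest}
    ip, rest, src_ip, dst_ip = parse_ipv4(rest)
    if ip["protocol"] != 6:
        return {"ethernet": eth, "ip": ip, "payload": rest}
    tcp, payload = parse_tcp(rest, src_ip, dst_ip)
    return {"ethernet": eth, "ip": ip, "tcp": tcp, "payload": payload}


if __name__ == "__main__":
    for layer, fields in parse_frame(SAMPLE_FRAME).items():
        print(layer, fields)
```

Feed the parser a frame captured with tcpdump -w and it will reject a tampered IP or TCP header through the checksum fields, which is the same check a host performs before accepting the packet.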

11 Network Basics
DNS
–Hierarchical name space
–Local DNS server / caching
–dig / dig -x (reverse lookup)
Data link layer
–MAC address
–ARP messages / ARP table

12 Network Basics Potential Question Topics
Is 192.168.x.x globally accessible?
Which of the following headers contain destination information: A. TCP header B. IP header C. Ethernet header
Compare and contrast TCP and UDP and briefly describe their similarities and differences.
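Added example (Python, not from the slides) for the prefix material of slide 9: CIDR prefixes, netmasks, classful address classes and longest-prefix-match routing done with plain integer arithmetic so the bit operations are visible, plus an RFC 1918 check that answers the first question above. The routing table is a constructed example; in production code the stdlib ipaddress module does the same parsing.

```python
def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % ip)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def parse_prefix(cidr: str):
    """'172.16.0.0/12' -> (network as int, prefix length, mask as int)."""
    net, _, plen = cidr.partition("/")
    plen = int(plen) if plen else 32
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF      # /12 -> 255.240.0.0
    return ip_to_int(net) & mask, plen, mask


def mask_to_dotted(mask: int) -> str:
    return ".".join(str((mask >> s) & 0xFF) for s in (24, 16, 8, 0))


def in_prefix(ip: str, cidr: str) -> bool:
    net, _, mask = parse_prefix(cidr)
    return ip_to_int(ip) & mask == net


def classful_class(ip: str) -> str:
    """Pre-CIDR classes are decided by the leading bits: 0 -> A, 10 -> B, 110 -> C."""
    first = ip_to_int(ip) >> 24
    if first & 0x80 == 0:
        return "A"
    if first & 0xC0 == 0x80:
        return "B"
    if first & 0xE0 == 0xC0:
        return "C"
    return "D/E"


RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def is_private(ip: str) -> bool:
    """True for RFC 1918 space, which ISPs do not route: 192.168.x.x is never globally accessible."""
    return any(in_prefix(ip, p) for p in RFC1918)


def longest_prefix_match(ip: str, table):
    """CIDR routing: of all entries covering ip, the one with the longest prefix wins."""
    best = None
    for cidr, next_hop in table:
        net, plen, mask = parse_prefix(cidr)
        if ip_to_int(ip) & mask == net and (best is None or plen > best[0]):
            best = (plen, next_hop)
    return best[1] if best else None


# Constructed routing table: a default route, a public /24 and two overlapping private prefixes.
ROUTES = [
    ("0.0.0.0/0", "isp-uplink"),
    ("12.34.158.0/24", "dmz"),
    ("192.168.0.0/16", "lan"),
    ("192.168.10.0/24", "lab"),
]

if __name__ == "__main__":
    for ip in ("192.168.10.5", "192.168.20.5", "12.34.158.77", "8.8.8.8"):
        print(ip, "private" if is_private(ip) else "public", "->", longest_prefix_match(ip, ROUTES))
```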

13 Recon & Info Gathering
Social Engineering: "the weakest link"
–Physical or automated (e.g., phishing)
–Defenses: user awareness
Physical Security
–Physical access, theft, dumpster diving
–Defenses: locks, policies (access, screen savers, etc.), encrypted file systems, paper shredders
–http://www.guardian.co.uk/politics/2008/sep/30/terrorism.ebay
Web Searching and Online Recon
–Check the company website, get contact names, look for comments in HTML, etc.
–Use search engines: Google!, Usenet to discover technologies in use, employee names, etc.
–Defenses: "Security Through Obscurity", policies

14 Crypto Basics
Encryption/Decryption
–Plaintext, ciphertext, key
–Secret key/symmetric key crypto: what are some of the symmetric key encryption algorithms?
–Public key/asymmetric key crypto: what are some of the asymmetric key encryption algorithms?
–Hash function: what are some of the hash algorithms?

15 Secret Key Cryptography
Stream cipher
Block cipher
–Converts one input plaintext block of fixed size k bits to an output ciphertext block of k bits
–DES, IDEA, AES, …
–AES: selected from an open competition organized by NIST; designed by Joan Daemen and Vincent Rijmen (Belgium); block size = 128 bits, key size = 128/192/256 bits

16 Electronic Code Book (ECB)
[Figure: the plaintext is split into 128-bit blocks M1 … M4 (the last, short block, 46 + padding, is padded to 128 bits); each block is encrypted independently under the same key, Ci = E(K, Mi), giving ciphertext blocks C1 … C4. Identical plaintext blocks produce identical ciphertext blocks.]

17 Cipher Block Chaining (CBC)
[Figure: the same blocks M1 … M4 and key; each plaintext block is XORed with the previous ciphertext block before encryption, Ci = E(K, Mi ⊕ Ci−1), with an initialization vector (IV) in place of C0 for the first block.]
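Added example (Python, not from the slides) for slides 16 and 17: ECB and CBC implemented over a small Feistel block cipher with a 128-bit block, so the mode logic is the only thing under study. The block cipher is a toy built from SHA-256 (an assumption of this example; it is not AES and must not be used for real data), the key and IV are constructed test values, and padding is PKCS#7. The point it shows is the one the ECB figure hides: repeated plaintext blocks give repeated ciphertext blocks in ECB and do not in CBC, while both modes decrypt back to the original.

```python
import hashlib
import os

BLOCK = 16      # 128-bit block, as in the slides
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _F(key: bytes, half: bytes, i: int) -> bytes:
    """Toy round function: keyed SHA-256 truncated to the 8-byte half block."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Feistel network: invertible even though the round function is a hash."""
    assert len(block) == BLOCK
    L, R = block[:8], block[8:]
    for i in range(ROUNDS):
        L, R = R, _xor(L, _F(key, R, i))
    return L + R


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    L, R = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        L, R = _xor(R, _F(key, L, i)), L
    return L + R


def pad(data: bytes) -> bytes:           # PKCS#7: always adds 1..16 bytes
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """ECB: every block encrypted on its own; equal inputs give equal outputs."""
    return b"".join(toy_block_encrypt(key, m) for m in blocks(pad(pt)))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return unpad(b"".join(toy_block_decrypt(key, c) for c in blocks(ct)))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """CBC: C_i = E(K, M_i xor C_{i-1}), with C_0 = IV."""
    out, prev = [], iv
    for m in blocks(pad(pt)):
        prev = toy_block_encrypt(key, _xor(m, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ct):
        out.append(_xor(toy_block_decrypt(key, c), prev))
        prev = c
    return unpad(b"".join(out))


def repeated_blocks(ct: bytes) -> int:
    """How many ciphertext blocks duplicate an earlier one (the ECB leak)."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))


if __name__ == "__main__":
    key, iv = b"constructed-key!", os.urandom(BLOCK)      # fresh random IV per message in practice
    msg = b"ATTACK AT DAWN!!" * 3                         # three identical 16-byte blocks
    print("ECB repeats:", repeated_blocks(ecb_encrypt(key, msg)))
    print("CBC repeats:", repeated_blocks(cbc_encrypt(key, iv, msg)))
```

This is also the answer to the slide-22 question on sizes: with a block cipher and padding the ciphertext is never shorter than the plaintext; 46 bytes pad up to 48.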

18 Public Key Cryptography
Public key crypto
–Public/private key pair
–Encryption/decryption (different keys)
–Sign/verify (digital signature)
–Much slower than secret key operations
Algorithms
–DSA (signatures only), RSA (encryption and signatures)

19 Diffie-Hellman
Predates RSA
Does neither encryption nor signatures
What is it good for then?
How does it work?

20 Crypto Basics
Hash function
–One-way transformation
–Collision resistance
–Applications: message digest/checksum, file integrity, password storage, …

21 Modern Hash Functions
MD5 (128 bits)
–Previous versions (i.e., MD2, MD4) have weaknesses.
–Broken; collisions published in August 2004
–Too weak to be used for serious applications
SHA (Secure Hash Algorithm; the original, now called SHA-0)
–Weaknesses were found
SHA-1 (160 bits)
–Broken in theory at the time, but no actual collision had yet been produced
–Collisions in 2^69 hash operations, much less than the generic birthday attack of 2^80 operations
–Results were circulated in February 2005 and published at CRYPTO '05 in August 2005
–(A practical SHA-1 collision was demonstrated in 2017; do not use SHA-1 for signatures or certificates.)
SHA-256, SHA-384, … (the SHA-2 family)

22 Crypto Basics Potential Question Topics
In secret key encryption, can the encrypted file's size be smaller than the original file's?
Are the following desired properties of hash functions?
a. One-way property, that is, it's easy to reverse the hash computation, but computationally infeasible to compute the hash function itself.
b. Collision free, that is, it's computationally infeasible to find two messages that have the same hash value.
c. Only authorized parties can perform hash functions.

23 Authentication
What's authentication?
–User authentication: allow a user to prove his/her identity to another entity (e.g., a system, a device).
–Message authentication: verify that a message has not been altered without proper authorization.

24 Authentication
Threats
–Eavesdropping
–Password guessing
–Server database reading (compromised server)

25 Authentication
Challenge/response
[Figure, shared-secret version: Alice → Bob: "I'm Alice"; Bob → Alice: a challenge R; Alice → Bob: H(K_Alice-Bob, R).]
[Figure, public-key version: Alice → Bob: "I'm Alice"; Bob → Alice: R; Alice → Bob: Sig_Alice{R}.]

26 Eavesdropping & Server Database Reading
If public key crypto is not available, protection against both eavesdropping and server database reading is difficult:
–Hash => subject to eavesdropping
–Challenge requires Bob to store Alice's secret in a database
[Figure, challenge/response: Alice → Bob: "I'm Alice"; Bob → Alice: a challenge R; Alice → Bob: H(K_Alice-Bob, R).]
[Figure, hash only: Alice → Bob: "I'm Alice, H(K_Alice-Bob)".]

27 Mutual Authentication Reflection Attack
[Figure: Trudy opens a first connection to Bob: "I'm Alice, R2"; Bob replies "R1, f(K_Alice-Bob, R2)". Instead of answering R1, Trudy opens a second connection: "I'm Alice, R1"; Bob replies "R3, f(K_Alice-Bob, R1)". Trudy sends that f(K_Alice-Bob, R1) on the first connection and is accepted as Alice without knowing the key.]

28 Mutual Authentication Reflection Attack: Countermeasure
[Figure, vulnerable protocol: Alice → Bob: "I'm Alice, R2"; Bob → Alice: "R1, f(K_Alice-Bob, R2)"; Alice → Bob: f(K_Alice-Bob, R1).]
[Figure, countermeasure: Alice → Bob: "I'm Alice"; Bob → Alice: R1; Alice → Bob: "f(K_Alice-Bob, R1), R2"; Bob → Alice: f(K_Alice-Bob, R2). The initiator must answer Bob's challenge before Bob answers any challenge, so Bob can no longer be used as an oracle.]
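Added example (Python, not from the slides) for slides 27 and 28: a simulated Bob that serves several connections at once, run against the vulnerable protocol and against the countermeasure. f is taken to be HMAC-SHA256 over the shared key (an assumption; the slides leave f abstract), the key is a constructed value, and Trudy's code never touches it. The vulnerable Bob answers any challenge he is handed, so Trudy reflects his own R1 back at him on a second connection; the fixed Bob computes f(K, R2) only after the initiator has answered R1.

```python
import hashlib
import hmac
import os

KEY = b"constructed-alice-bob-shared-key"


def f(key: bytes, r: bytes) -> bytes:
    """The keyed function of the slides, instantiated as HMAC-SHA256."""
    return hmac.new(key, r, hashlib.sha256).digest()


class VulnerableBob:
    """Slide 27 protocol: 'I'm Alice, R2' -> (R1, f(K,R2)); Bob answers before the peer proves anything."""

    def __init__(self, key):
        self.key, self.conns = key, {}

    def open(self, name, r2):
        cid, r1 = len(self.conns), os.urandom(16)
        self.conns[cid] = r1
        return cid, r1, f(self.key, r2)          # Bob acts as an oracle for any R2

    def finish(self, cid, response):
        return hmac.compare_digest(response, f(self.key, self.conns.pop(cid)))


class FixedBob:
    """Slide 28 countermeasure: Bob issues R1 first and only answers R2 once R1 was answered correctly."""

    def __init__(self, key):
        self.key, self.conns = key, {}

    def open(self, name):
        cid, r1 = len(self.conns), os.urandom(16)
        self.conns[cid] = r1
        return cid, r1

    def finish(self, cid, response, r2):
        if not hmac.compare_digest(response, f(self.key, self.conns.pop(cid))):
            return None                          # initiator failed: f(K, R2) is never computed
        return f(self.key, r2)


def reflection_attack_vulnerable(bob: VulnerableBob) -> bool:
    """Trudy, without the key, uses a second connection to make Bob answer his own challenge."""
    c1, r1, _ = bob.open("Alice", os.urandom(16))      # connection 1: Bob challenges with R1
    c2, r3, answer_r1 = bob.open("Alice", r1)           # connection 2: reflect R1 as "Alice's" challenge
    return bob.finish(c1, answer_r1)                    # connection 1 completes with Bob's own answer


def reflection_attack_fixed(bob: FixedBob) -> bool:
    c1, r1 = bob.open("Alice")
    c2, r3 = bob.open("Alice")
    guess = os.urandom(32)                              # Trudy has nothing better than a guess
    return bob.finish(c2, guess, r1) is not None or bob.finish(c1, guess, r3) is not None


def honest_alice_fixed(bob: FixedBob, key: bytes) -> bool:
    """The legitimate exchange still works and authenticates both sides."""
    cid, r1 = bob.open("Alice")
    r2 = os.urandom(16)
    bob_proof = bob.finish(cid, f(key, r1), r2)
    return bob_proof is not None and hmac.compare_digest(bob_proof, f(key, r2))


if __name__ == "__main__":
    print("reflection on vulnerable protocol succeeds:", reflection_attack_vulnerable(VulnerableBob(KEY)))
    print("reflection on fixed protocol succeeds:", reflection_attack_fixed(FixedBob(KEY)))
    print("honest Alice on fixed protocol:", honest_alice_fixed(FixedBob(KEY), KEY))
```

Other standard countermeasures have the same effect: use different keys for each direction, or include the responder's name in the function, f(K, "Bob", R), so an answer Bob produces is never one Alice would be asked for.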

29 Authentication
Key Distribution Center
–If node A wants to communicate with node B: A sends a request to the KDC; the KDC securely sends to A: E_KA(R_AB) and E_KB(R_AB, A)
Certificate
–How do you know the public key of a node?
–Certification Authorities (CA)
–Everybody needs to know the CA public key
–The CA generates certificates: Signed(A, public-key, validity information)
[Figure, certificate chain: Ted signs "[Carol's public key is 676554]"; Carol signs "[Alice's public key is 876234]". To trust Alice's key you verify Carol's signature with Carol's key, which you trust because Ted certified it.]

30 Authentication
Password guessing
–Online vs. offline
–Dictionary attack
–Password salt

31 Authentication Potential Question Topics
Assume Alice and Bob share a secret K_Alice-Bob. What is the security flaw when they use the following protocol for Bob to authenticate Alice?
[Figure: Alice → Bob: "I'm Alice, H(K_Alice-Bob)".]
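Added example (Python, not from the slides) for slide 26 and the question above: both protocols simulated with an eavesdropper. H(K) is instantiated as SHA-256 and H(K, R) as HMAC-SHA256 (assumptions; the slides leave H abstract), and the key is a constructed value. The flaw shows directly: H(K) is a fixed string, so whoever sniffs it once can replay it forever, while a response to a fresh random challenge is useless against the next challenge. Neither variant helps against server database reading, since Bob must store K (or H(K), which in the weak protocol is as good as K).

```python
import hashlib
import hmac
import os

SHARED_KEY = b"constructed-alice-bob-secret"


# --- Flawed protocol from the slide: Alice sends "I'm Alice, H(K)" ----------------------
def weak_proof(key: bytes) -> bytes:
    return hashlib.sha256(key).digest()           # same bytes on every login


class WeakBob:
    def __init__(self, key):
        self.expected = weak_proof(key)           # what Bob's database holds

    def verify(self, name, proof) -> bool:
        return name == "Alice" and hmac.compare_digest(proof, self.expected)


# --- Challenge/response: Bob sends a random R, Alice returns H(K, R) --------------------
def respond(key: bytes, r: bytes) -> bytes:
    return hmac.new(key, r, hashlib.sha256).digest()


class Bob:
    def __init__(self, key):
        self.key, self.pending = key, set()

    def challenge(self) -> bytes:
        r = os.urandom(16)                        # fresh, unpredictable per attempt
        self.pending.add(r)
        return r

    def verify(self, name, r, response) -> bool:
        if name != "Alice" or r not in self.pending:
            return False
        self.pending.discard(r)                   # a challenge can be answered only once
        return hmac.compare_digest(response, respond(self.key, r))


def replay_against_weak() -> bool:
    """Trudy records Alice's single message and sends it again."""
    bob = WeakBob(SHARED_KEY)
    captured = ("Alice", weak_proof(SHARED_KEY))  # sniffed from the wire
    assert bob.verify(*captured)                  # Alice's genuine login
    return bob.verify(*captured)                  # Trudy's replay


def replay_against_challenge_response() -> bool:
    """Trudy records one full exchange and reuses the response on a new challenge."""
    bob = Bob(SHARED_KEY)
    r1 = bob.challenge()
    captured = ("Alice", r1, respond(SHARED_KEY, r1))
    assert bob.verify(*captured)                  # Alice's genuine login
    r2 = bob.challenge()
    return bob.verify("Alice", r2, captured[2])   # old response, new challenge


def replay_same_challenge() -> bool:
    """Even replaying the exact (R, response) pair fails once Bob has consumed R."""
    bob = Bob(SHARED_KEY)
    r1 = bob.challenge()
    resp = respond(SHARED_KEY, r1)
    assert bob.verify("Alice", r1, resp)
    return bob.verify("Alice", r1, resp)


if __name__ == "__main__":
    print("replay works against H(K):", replay_against_weak())
    print("replay works against H(K, R):", replay_against_challenge_response())
```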

32 Some Issues for Password Systems
A password should be easy to remember but hard to guess
–That's difficult to achieve!
Some questions
–What makes a good password?
–Where is the password stored, and in what form?
–How is knowledge of the password verified?
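Added example (Python, not from the slides) for slide 30 and the storage questions above: two ways of storing passwords and an offline dictionary attack against each. The user records and the wordlist are constructed. Unsalted SHA-256 lets the attacker hash the wordlist once and crack every user with one table lookup, and also reveals which users share a password; a per-user random salt with PBKDF2 (hashlib.pbkdf2_hmac from the stdlib) forces the whole wordlist to be recomputed for every user and makes equal passwords look different.

```python
import hashlib
import hmac
import os

DICTIONARY = ["letmein", "password123", "qwerty", "hunter2", "Summer2020"]  # constructed wordlist
ITERATIONS = 100_000                                                         # slows each guess down


def store_unsalted(pw: str) -> str:
    """Bad: H(password) alone; identical passwords give identical records."""
    return hashlib.sha256(pw.encode()).hexdigest()


def verify_unsalted(pw: str, record: str) -> bool:
    return hmac.compare_digest(store_unsalted(pw), record)


def store_salted(pw: str, salt: bytes = None) -> dict:
    """Good: random per-user salt plus an iterated hash (PBKDF2-HMAC-SHA256)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": dk.hex(), "iter": ITERATIONS}


def verify_salted(pw: str, record: dict) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def crack_unsalted(db: dict, wordlist) -> dict:
    """Offline attack on a stolen unsalted table: one precomputed table breaks all users at once."""
    table = {store_unsalted(w): w for w in wordlist}          # built once, reused for every user
    return {user: table[h] for user, h in db.items() if h in table}


def crack_salted(db: dict, wordlist):
    """With salts the wordlist must be rerun per user; returns (cracked, number of guesses hashed)."""
    cracked, work = {}, 0
    for user, record in db.items():
        for w in wordlist:
            work += 1
            if verify_salted(w, record):
                cracked[user] = w
                break
    return cracked, work


if __name__ == "__main__":
    users = {"alice": "password123", "bob": "password123", "carol": "Tr0ub4dor&3"}
    unsalted = {u: store_unsalted(p) for u, p in users.items()}
    salted = {u: store_salted(p) for u, p in users.items()}
    print("unsalted cracked:", crack_unsalted(unsalted, DICTIONARY))
    print("salted cracked, guesses:", crack_salted(salted, DICTIONARY))
```

Salt does not rescue a password that is in the wordlist (alice and bob are still cracked); it only removes the attacker's ability to amortize the work across users and across databases, which is why the iteration count matters as much as the salt.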

33 IPsec
Which layer?
Why we need it
–IP spoofing
–Payload modification
–Eavesdropping

34 SSL
Which layer?
Why we need it
–Think about https
Main processes
–Negotiate cipher suites
–Authenticate servers
–Verify certificates

35 Firewall / IDS
What are their roles?
–Prevent vs. detect
Firewall
–Packet filtering (stateless) vs. session filtering (stateful)
–iptables

36 Internet Security Mechanisms
Goal: prevent if possible; detect quickly otherwise; and confine the damage
–Prevent: firewall, IPsec, SSL
–Detect: intrusion detection
–Survive/respond: recovery, forensics

37 Firewall / IDS
IDS
–Accuracy, e.g., false alarms
–Misuse detection (signatures)
–Anomaly detection
–Host-based (e.g., aide)
–Network-based (e.g., snort)

38 Firewall Potential Question Topics
A stateless firewall on a server cannot limit the number of TCP connections per client.
Describe the goal of the following firewall rule: iptables -A INPUT -p icmp -j DROP
Compose a firewall rule to block access to an SSL connection.
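Added example (Python, not from the slides) for slide 35 and the questions above: a minimal iptables-like rule engine with the two rules the questions ask about (drop ICMP; drop TCP to port 443, the SSL/HTTPS port), run first as a stateless filter and then wrapped in a connection tracker. The packets are constructed. A stateless filter sees only the header in front of it, so it accepts the fifth SYN from a client exactly like the first; the stateful version remembers open connections per source and can enforce a limit (in real iptables that is what the connlimit match, -m connlimit, does on top of conntrack).

```python
from collections import defaultdict

# Constructed iptables-like INPUT chain: first matching rule wins, default policy ACCEPT.
RULES = [
    {"proto": "icmp", "target": "DROP"},                # iptables -A INPUT -p icmp -j DROP
    {"proto": "tcp", "dport": 443, "target": "DROP"},   # iptables -A INPUT -p tcp --dport 443 -j DROP
]


def match(rule: dict, pkt: dict) -> bool:
    return all(pkt.get(k) == v for k, v in rule.items() if k != "target")


def stateless_filter(rules, pkt: dict, policy: str = "ACCEPT") -> str:
    """Each packet is judged on its own header fields; nothing is remembered between packets."""
    for rule in rules:
        if match(rule, pkt):
            return rule["target"]
    return policy


class StatefulFilter:
    """Same rules, plus a per-client table of open TCP connections (a tiny conntrack)."""

    def __init__(self, rules, max_conns_per_client: int):
        self.rules, self.limit = rules, max_conns_per_client
        self.conns = defaultdict(set)            # src IP -> {(sport, dport)}

    def filter(self, pkt: dict) -> str:
        verdict = stateless_filter(self.rules, pkt)
        if verdict != "ACCEPT" or pkt.get("proto") != "tcp":
            return verdict
        src, key, flags = pkt["src"], (pkt["sport"], pkt["dport"]), pkt.get("flags", set())
        if "SYN" in flags and key not in self.conns[src]:
            if len(self.conns[src]) >= self.limit:
                return "DROP"                    # too many open connections from this client
            self.conns[src].add(key)
        elif key not in self.conns[src]:
            return "DROP"                        # mid-stream packet for a connection we never saw open
        if flags & {"FIN", "RST"}:
            self.conns[src].discard(key)         # connection closing: free the slot
        return "ACCEPT"


def tcp(src: str, sport: int, dport: int = 80, flags=("SYN",)) -> dict:
    return {"proto": "tcp", "src": src, "sport": sport, "dport": dport, "flags": set(flags)}


def verdicts(filter_fn, pkts) -> list:
    return [filter_fn(p) for p in pkts]


if __name__ == "__main__":
    syns = [tcp("10.0.0.5", 40000 + i) for i in range(5)]
    print("stateless:", verdicts(lambda p: stateless_filter(RULES, p), syns))
    print("stateful :", verdicts(StatefulFilter(RULES, 3).filter, syns))
```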

39 IDS Questions
–Explain the following snort rule and describe how to trigger the alert:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"Test attack"; content:"test_attack"; … …)
–Compare host-based and network-based IDS, and briefly describe the difference.
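Added example (Python, not from the slides): a small parser and matcher for the rule header and the two options shown in the question, applied to constructed packets. The variable definitions (HOME_NET, HTTP_SERVERS) are assumptions standing in for what snort.conf would set, and EXTERNAL_NET is taken as !$HOME_NET; the rule is simplified to the options shown on the slide, and only the -> direction is supported. Running it shows what triggers the alert: a TCP packet from outside HOME_NET, from any source port, to one of the HTTP servers on port 80 whose payload contains the bytes test_attack, and why near misses (an inside source, port 8080, a different payload) stay silent.

```python
import ipaddress
import re

# Constructed stand-ins for the variables snort.conf would define.
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]
HTTP_SERVERS = {"192.168.1.10", "192.168.1.11"}
VARS = {
    "$HOME_NET": lambda ip: any(ipaddress.ip_address(ip) in n for n in HOME_NET),
    "$EXTERNAL_NET": lambda ip: not any(ipaddress.ip_address(ip) in n for n in HOME_NET),  # !$HOME_NET
    "$HTTP_SERVERS": lambda ip: ip in HTTP_SERVERS,
}

RULE = 'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"Test attack"; content:"test_attack";)'

HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$')


def parse_rule(text: str) -> dict:
    """Split 'action proto src sport -> dst dport (options)' into its parts."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable rule")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    opts = {}
    for opt in filter(None, (o.strip() for o in body.split(";"))):
        k, _, v = opt.partition(":")
        opts[k.strip()] = v.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "opts": opts}


def addr_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("$"):
        return VARS[spec](ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def rule_fires(rule: dict, pkt: dict) -> bool:
    """Header first (cheap), then the content option, as a signature IDS does."""
    if pkt["proto"] != rule["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    content = rule["opts"].get("content")
    return content is None or content.encode() in pkt["payload"]


def alerts(rule: dict, pkts) -> list:
    return [rule["opts"]["msg"] for p in pkts if rule_fires(rule, p)]


# Constructed traffic: only the first packet satisfies every condition of the rule.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51000, "dst": "192.168.1.10", "dport": 80,
     "payload": b"GET /?q=test_attack HTTP/1.0\r\n\r\n"},                    # fires
    {"proto": "tcp", "src": "192.168.1.50", "sport": 51000, "dst": "192.168.1.10", "dport": 80,
     "payload": b"GET /?q=test_attack HTTP/1.0\r\n\r\n"},                    # source is inside HOME_NET
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51000, "dst": "192.168.1.10", "dport": 8080,
     "payload": b"GET /?q=test_attack HTTP/1.0\r\n\r\n"},                    # wrong port
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51000, "dst": "192.168.1.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\n\r\n"},                        # content absent
    {"proto": "udp", "src": "203.0.113.7", "sport": 51000, "dst": "192.168.1.10", "dport": 80,
     "payload": b"test_attack"},                                             # wrong protocol
]

if __name__ == "__main__":
    print(alerts(parse_rule(RULE), SAMPLE_PACKETS))
```

Two caveats a practitioner would add: a network IDS only sees what crosses the tap, so the "test_attack" string inside an HTTPS request never matches, and a plain content match is trivially evaded by encoding, which is why real rulesets pair content with normalization and pcre options.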

