Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chap 7: Security in Networks.  Threats against networked applications, including denial of service, web site defacements, malicious mobile code, and.

Published byColin Carter Modified over 9 years ago

Similar presentations

Presentation on theme: "Chap 7: Security in Networks.  Threats against networked applications, including denial of service, web site defacements, malicious mobile code, and."— Presentation transcript:

1 Chap 7: Security in Networks

2  Threats against networked applications, including denial of service, web site defacements, malicious mobile code, and protocol attacks  Controls against network attacks: physical security, policies, procedures, and other technical controls SE571 Security in Computing Dr. Ogara 2

3  Firewalls: design, capabilities, limitations  Intrusion detection systems  Private e-mail: PGP and S/MIME SE571 Security in Computing Dr. Ogara 3

4  Users Managed users  Employees/staff  Managed and unmanaged devices – Laptops, Smartphone Unmanaged users  Guests  Contractors  Consultants  Business partners  (Source: Bradford Network, 2011) SE571 Security in Computing Dr. Ogara 4

5  Mobile device proliferation Smartphone – different models/different companies Tablets/iPads EBook  IP everything – exponential growth in IP devices Surveillance camera Card readers (Source: Bradford Network, 2011) SE571 Security in Computing Dr. Ogara 5

6  Consumerization of IT Consumer markets driving IT Personal devices growing rapidly and must be supported by IT  Virtualization Server applications in private cloud Virtual desktop in virtual environment (Source: Bradford Network, 2011) SE571 Security in Computing Dr. Ogara 6

7  Study sponsored by Dell KACE  741 IT professionals participated  Employees using personal devices (87%) Email Calendar CRM/ERP  Employees using Smartphone (80%)  Employees using personal PCs (69%) https://www.kace.com/resources/Consumerization-of-IT-Survey-2011 SE571 Security in Computing Dr. Ogara 7

8  What are we protecting?  Why are we protecting ?  What are assets?  What are threats?  What are the controls? SE571 Security in Computing Dr. Ogara 8

9  Network infrastructure  Applications programs  Data SE571 Security in Computing Dr. Ogara 9

10  Interception Eavesdropping Passive wiretapping  Modification Active wiretapping Falsification Compromise of authenticity  Denial of service SE571 Security in Computing Dr. Ogara 10

11  Firewalls  Intrusion detection systems  Secure email SE571 Security in Computing Dr. Ogara 11

12  Network – a collection of communicating hosts  Node – single computing system in a network  Link – connection between two hosts  Host – single computer in a network  A workstation - an end-user computing device, usually designed for a single user at a time SE571 Security in Computing Dr. Ogara 12

13  Topology - the way a network is configured, in terms of nodes and connections  Protocol – standard method for transmitting data and/or establishing communications between different devices  Protocol stack – is a layered architecture for communications SE571 Security in Computing Dr. Ogara 13

14 SE571 Security in Computing Dr. Ogara 14

15  Two popular protocol stacks for implementing networks I. Open Systems Interconnection (OSI) II. Transmission Control Protocol and Internet Protocol (TCP/IP) SE571 Security in Computing Dr. Ogara 15

16  Contains 7 layers  Layers represent the different activities that must be performed for actual transmission of a message SE571 Security in Computing Dr. Ogara 16

17 SE571 Security in Computing Dr. Ogara 17

18 SE571 Security in Computing Dr. Ogara 18

19 SE571 Security in Computing Dr. Ogara 19  What happens when you send message to yourfriend@somewhere.net?  Physical Layer  Data link  Network layer Router sends message to destination router Adds 2 headers (source and destination IP address)

20 SE571 Security in Computing Dr. Ogara 20  Data link Network Interface Card (NIC) provides physical address called MAC (Media Access Control) address Two more headers added (source computer and router NIC address) Structure is called frame and contains destination MAC, source MAC and data

21 SE571 Security in Computing Dr. Ogara 21  Data link

22 SE571 Security in Computing Dr. Ogara 22  Network layer Router sends message to destination router Adds 2 headers (source and destination IP address) to data These are called packets

23  Common in most wide area network communications  Defined by protocols not layers although it is seen as 4 layers 1. Application 2. Transport 3. Internet 4. Physical SE571 Security in Computing Dr. Ogara 23

24  It denotes two models although used as a single acronym  TCP implements a connected communications session on top of the more basic IP transport protocol SE571 Security in Computing Dr. Ogara 24

25 SE571 Security in Computing Dr. Ogara 25

26  Records and checks correct sequencing of packets  Retransmits missing or faulty packets  Provides a stream of correct data in proper order to the invoking application  Problem - retransmissions of faulty or missing packets take time and induce overhead SE571 Security in Computing Dr. Ogara 26

27  Data structure Includes a sequence number, an acknowledgment number for connecting the packets of a communication session, flags, and source and destination port numbers Port - unique channel number by which computers can route their respective packets to each of them SE571 Security in Computing Dr. Ogara 27

28 SE571 Security in Computing Dr. Ogara 28

29  Covers a small distance typically within a single building  Connects several small computers, such as personal computers, as well as printers and perhaps some dedicated file storage devices SE571 Security in Computing Dr. Ogara 29

30 SE571 Security in Computing Dr. Ogara 30

31  Single control – usually controlled by one organization  Covers a significant distance  Physically exposed Examples, campus area networks, metropolitan area networks SE571 Security in Computing Dr. Ogara 31

32  Anonymity Anonymous attackers  Many points of attack—both targets and origins Less rigorous security  Sharing  Complexity of system  Unknown perimeter - untrusted hosts in networks SE571 Security in Computing Dr. Ogara 32

33  Fame or recognition  Money and espionage  Organized crime  Advance an ideology SE571 Security in Computing Dr. Ogara 33

34  What are the targets?  What are the vulnerabilities?  What are the controls? SE571 Security in Computing Dr. Ogara 34

35  Port scan Gives external picture – open doors Standard ports or services running?  Social engineering Use of social skills and personal interaction to get someone to reveal security-relevant information  Reconnaissance  OS and application fingerprinting SE571 Security in Computing Dr. Ogara 35

36  Firewall  “Hardened” (self-defensive) applications  Programs that reply with only what is necessary  Intrusion detection system  Run few services as possible SE571 Security in Computing Dr. Ogara 36

37  Education, user awareness  Policies and procedures  Systems in which two people must agree to perform certain security-critical functions SE571 Security in Computing Dr. Ogara 37

38  Impersonation  Guessing  Eavesdropping  Session hijacking  Spoofing  Man-in-the-middle attack SE571 Security in Computing Dr. Ogara 38

39  Strong, one-time authentication  Virtual private network  Encrypted authentication channel  Education, user awareness  Virtual private network  Protocol analysis SE571 Security in Computing Dr. Ogara 39

40  Buffer overflow  Addressing errors  Parameter modification, time-of-check to time-of-use errors  Server-side include Cookies Malicious active code: Java, ActiveX Malicious code: virus, worm, Trojan horse SE571 Security in Computing Dr. Ogara 40

41  Programming controls  Intrusion detection system  Personal firewall  Two-way authentication  Controlled execution environment  Signed code SE571 Security in Computing Dr. Ogara 41

42  Protocol flaw  Malicious code: virus, worm, Trojan horse  Eavesdropping  Passive wiretap  Misdelivery  Exposure within network  Traffic flow analysis  Cookie SE571 Security in Computing Dr. Ogara 42

43  Firewall  Encryption  Intrusion detection system  Controlled execution environment  Programming controls SE571 Security in Computing Dr. Ogara 43

44  Protocol flaw  Impersonation  Active wiretap  Falsification of message  Noise  Website defacement  DNS attack SE571 Security in Computing Dr. Ogara 44

45  Firewall  Encryption  Intrusion detection system  Controlled execution environment  Audit  Protocol analysis  Strong authentication  Error detection code  Honey pot SE571 Security in Computing Dr. Ogara 45

46  Protocol flaw  Transmission of component failure  DNS attack  Traffic redirection  Distributed denial of service  Connection flooding SE571 Security in Computing Dr. Ogara 46

47  Encryption  Firewall  Intrusion detection system  Honey pot SE571 Security in Computing Dr. Ogara 47

48  Most important and versatile tool for network security expert  Important Privacy Authenticity Integrity Limited access to data  Not a silver bullet  Protects encrypted data only SE571 Security in Computing Dr. Ogara 48

49  Can be applied in two ways Link encryption End-to-end encryption SE571 Security in Computing Dr. Ogara 49

50  Data is encrypted before the system places them on the physical communications link  Encryption takes place in layer 1 or 2 of the OSI model  Encryption protects message during transit  Message is plaintext inside the hosts SE571 Security in Computing Dr. Ogara 50

51  Data exposed in sending host  Data exposed in intermediate nodes  Applied by sending host  Invisible to user  Host maintains encryption  Encryption done in hardware  Provides node authentication  All or no data encrypted SE571 Security in Computing Dr. Ogara 51

52 SE571 Security in Computing Dr. Ogara 52

53 SE571 Security in Computing Dr. Ogara 53

54 SE571 Security in Computing Dr. Ogara 54  Security available from one end of transmission to the other  Encryption can be applied by either hardware or software running on the computer  Encryption takes place at the highest level of OSI model – application and presentation

55 SE571 Security in Computing Dr. Ogara 55  Data encrypted in sending host  Data encrypted in intermediate nodes  User applies encryption  User selects encryption  Either software or hardware implementation  User chooses to encrypt or not  Provides user authentication

56 SE571 Security in Computing Dr. Ogara 56

57 SE571 Security in Computing Dr. Ogara 57

58  Communication passes through an encrypted tunnel  User’s client establishes communication with network firewall  User and firewall negotiate a session encryption key SE571 Security in Computing Dr. Ogara 58

59  Firewall and user encrypt all traffic between them  Firewall authenticates user through authentication server  Firewall implements access control (provide appropriate security privileges) SE571 Security in Computing Dr. Ogara 59

60 SE571 Security in Computing Dr. Ogara 60

61 SE571 Security in Computing Dr. Ogara 61  PKI is a process created to enable users to implement public key cryptography  Provides identification and access control information to users Create certificates associating user’s identity with cryptographic key Give out certificates from its database Sign certificates thus adding credibility to authenticity of certificates Confirm or deny that certificate is valid Invalidate certificates for users who are no longer allowed to access or whose private key has been exposed

62 SE571 Security in Computing Dr. Ogara 62  PKI sets up entities called certificate authorities that implement PKI policy  Assumption is certificate authorities are trusted  Functions of certificate authorities Manage public key certificates for their whole life cycle Issue certificates by binding a user’s or system identity to a public key with a digital signature Schedule expiry dates for certificates Ensure that certificates are revoked by publishing certificate revocation list

63 SE571 Security in Computing Dr. Ogara 63  SSH stands for secure shell is a pair of protocols (V1 and V2)  Provides an authenticated and encrypted path to a shell or operating system command interpreter  Protects against spoofing attacks and modification of data in communications  Protocol involves negotiation between local and remote sites for encryption algorithm (e.g. DES, IDEA, AES) and authentication

64 SE571 Security in Computing Dr. Ogara 64  SSL stands for Secure Socket Layer  Also known as TLS – Transport Layer Security  Protocol was originally designed by Netscape to protect communication between web browser and server  It interfaces between apps(e.g. browser) and TCP/IP protocols to provide server authentication, client authentication and encrypted communication channel between client and server

65 SE571 Security in Computing Dr. Ogara 65  SSL protocol is the most widely used secure communication protocol in the Internet  Only protects data between client’s browser and server

66 SE571 Security in Computing Dr. Ogara 66  Stands for IP Security Protocol  Similar to SSL i.e. supports authentication and confidentiality  Defines standard means for handling encrypted data  Designed to handle shortcomings of IPv6 such as: Spoofing Eavesdropping Session hijacking

67 SE571 Security in Computing Dr. Ogara 67  Fundamental data structures are AH – authenticated header ESP – Encapsulated Security Payload  Contains both authenticated and encrypted portion Packets: (a) Conventional Packet; (b) IPSec Packet

68  SSID – Service Set Identifier Authenticate remote computer  WEP – Wired Equivalent Privacy Uses encryption to prevent eavesdropping and impersonation Uses encryption key for authentication IEEE standard 802.11 Uses 64 and 128 bit encryption Not effective against brute force attack SE571 Security in Computing Dr. Ogara 68

69  WPA and WPA2– WIFI Protected Access Addresses known security deficiencies in WEP IEEE standard 802.11i Uses encryption key that is unchanged until user enters new key at the client and access point Encryption key is changed automatically at each packet (Temporal Key Integrity Program) SE571 Security in Computing Dr. Ogara 69

70  Computer system open to attackers  Goal Watch what attackers do Lure attackers in order to study their habits Divert attackers attention so as to leave your system alone SE571 Security in Computing Dr. Ogara 70

71  Device that filters traffic between protected/inside network and less trustworthy/outside network  Purpose Keep bad things outside the protected environment Use security policies to limit access from outside SE571 Security in Computing Dr. Ogara 71

72  Packet filtering gateways or screening routers  Stateful inspection firewalls  Application proxies  Guards  Personal firewalls SE571 Security in Computing Dr. Ogara 72

73  Most effective  Control access based on packet address or transport protocol such as HTTP SE571 Security in Computing Dr. Ogara 73

74  Maintains state information from one packet to another in the input stream SE571 Security in Computing Dr. Ogara 74

75  Packet filters look only at the headers of packets, not at the data inside the packets SE571 Security in Computing Dr. Ogara 75

76  Receives protocol data units, interprets them, and passes through the same or different protocol data units that achieve either the same result or a modified result SE571 Security in Computing Dr. Ogara 76

77  Application program that runs on a workstation to block unwanted traffic, usually from the network  Protect a (sub)network of multiple hosts result  May complement the work of a conventional firewall by screening the kind of data a single host will accept SE571 Security in Computing Dr. Ogara 77

78  Connection flooding Echo-Chargen  Chargen is protocol used to generate packets  Attacker makes host A to generate echo packets to host B and host B replies to the echos  Host A and B generates endless loop Ping of Death  Attacker sends flood of pings to intended host  Pings saturate victim’s bandwidth SE571 Security in Computing Dr. Ogara 78

79  Connection flooding Smurf – Attacker sends broadcast echo requests to the network with victim’s return address Syn flood – Attacker sends many SYN requests and never responds with ACKs thereby filling the victim’s SYN_RECV queue Teardrop – Attacker sends series of data grams that can not be reassembled properly SE571 Security in Computing Dr. Ogara 79

80  Traffic redirection  Attackers disrupt routers traffic redirection  DNS attacks  Attackers redirect routing of traffic by overtaking domain server or causing it to cache spurious entries (DNS cache poisoning)  E.g. An attack in 2005 used a flaw in a Symantec firewall to allow a change in DNS records used by Windows machines. The poisoned DNS cache redirected users to advertising sites SE571 Security in Computing Dr. Ogara 80

81  Also called DDoS  Attacker discretely plants Trojan horse into machine e.g. through email attachment  Attacker repeats process using many targets (Zombie)  Attacker sends a signal to all Zombies to launch an attack against a victim (n attacks from n Zombies) SE571 Security in Computing Dr. Ogara 81

82 SE571 Security in Computing Dr. Ogara 82

83  Also called IDS  Device that monitors activities to identify malicious and suspicious events  Functions Monitor users and system activity auditing system configuration for vulnerabilities and misconfigurations assessing the integrity of critical system and data files recognizing known attack patterns in system activity identifying abnormal activity through statistical analysis managing audit trails and highlighting user violation of policy or normal activity correcting system configuration errors SE571 Security in Computing Dr. Ogara 83

84 SE571 Security in Computing Dr. Ogara 84

85  Signature based perform simple pattern-matching and report situations that match a pattern corresponding to a known attack type  Heuristic/Anomaly based build a model of acceptable behavior and flag exceptions to that model  A network-based IDS is a stand-alone device attached to the network to monitor traffic throughout that network while a host-based IDS runs on a single workstation or client to protect that one host SE571 Security in Computing Dr. Ogara 85

86  Filter on packet headers  Filter on packet content  Maintain connection state  Use complex, multipacket signatures  Use minimal number of signatures with maximum effect SE571 Security in Computing Dr. Ogara 86

87  Filter in real time, online  Hide its presence  Use optimal sliding time window size to match signatures SE571 Security in Computing Dr. Ogara 87

88  IDSs detect an ever-growing number of serious problems  Adding their signatures to the IDS model helps them to improve over time  Easier and cheaper to manage SE571 Security in Computing Dr. Ogara 88

89  Similar IDS may have identical vulnerabilities  Difficult to measure and adjust its sensitivity  Must be monitored and alarms responded to otherwise it is useless SE571 Security in Computing Dr. Ogara 89

90  Email is important in ecommerce  Email is a medium of communications SE571 Security in Computing Dr. Ogara 90

91  Message confidentiality (the message is not exposed en route to the receiver)  Message integrity (what the receiver sees is what was sent)  Sender authenticity (the receiver is confident who the sender was)  Nonrepudiation (the sender cannot deny having sent the message) SE571 Security in Computing Dr. Ogara 91

92  message interception (confidentiality)  message interception (blocked delivery)  message interception and subsequent replay  message content modification  message origin modification  message content forgery by outsider  message origin forgery by outsider  message content forgery by recipient  message origin forgery by recipient  denial of message transmission SE571 Security in Computing Dr. Ogara 92

93  Developed by Internet Society  Allows for security enhanced messages  Works for both asymmetric and symmetric encryptions  Standard supports multiple encryption algorithms DES, 3DES and AES for confidentiality RSA and Diffe-Hellman for key exchange SE571 Security in Computing Dr. Ogara 93

94 SE571 Security in Computing Dr. Ogara 94

95 SE571 Security in Computing Dr. Ogara 95

Download ppt "Chap 7: Security in Networks.  Threats against networked applications, including denial of service, web site defacements, malicious mobile code, and."

Similar presentations

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
CCNA – Network Fundamentals

CCNA – Network Fundamentals
Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.

Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.

1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.

Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.

Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
7.3 Network Security Controls 1Network Security / G.Steffen.

7.3 Network Security Controls 1Network Security / G.Steffen.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Wireless Encryption By: Kara Dolansky Network Management Spring 2009.

Wireless Encryption By: Kara Dolansky Network Management Spring 2009.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Similar presentations

Ads by Google