Presentation is loading. Please wait.

Presentation is loading. Please wait.

G53SEC 1 Network Security Hijacking, flooding, spoofing and some honey.

Published byBarnaby Carpenter Modified over 9 years ago

Similar presentations

Presentation on theme: "G53SEC 1 Network Security Hijacking, flooding, spoofing and some honey."— Presentation transcript:

1 G53SEC 1 Network Security Hijacking, flooding, spoofing and some honey

2 G53SEC Overview of Today’s Lecture: Threat Models Communication Models Protocol Design Principles IPSec SSL/TLS DNS Firewalls IDS Honeypots 2

3 G53SEC Introduction: Networks Data sent from one node to another Network protocols - transmission and its problems OSI security architecture Security Services, implemented by Security Mechanisms (mostly cryptography) Access Control – Firewalls Intrusion Detection Systems 3

4 G53SEC Threat Models: Passive attackers - eavesdropping / wiretapping / sniffing - Traffic Analysis (e.g. linkability) Active attackers - Spoofing attacks (MiM, Phishing, e-mail) - Squatting attacks (Phishing) 4

5 G53SEC Communication Models: In formal models protocol analysis - internet – cloud - messages can be seen/modified by anyone Not best model for all security issues In security analysis - Adversary can only read messages directly addressed to him/her - can spoof addresses 5

6 G53SEC Examples of Security Analysis: TCP session hijacking - Due to address based authentication - 3 way handshake protocol - Attacker can't see output of this session -Attacker able to execute commands with another users privileges 6

7 G53SEC Examples of Security Analysis: TCP SYN flooding - victim stores number sent by user - attacker never finished 3 way handshake - attacker initiates large number of SYN requests - victim reaches its half-open connection limit - Denial of service - Prevention – modification to handshake protocol to be stateless 7

8 G53SEC Protocol Design Principles: Open Systems Interconnection model Framework for layering network protocols 7 layers 8 OSI model Application Presentation Session Transport Network Link Physical

9 G53SEC IP Security: IP connectionless and stateless provides a best-effort service no guaranteed delivery of packets no mechanism for maintaining order NO security protection (IPv4) In IPv6 – security architecture - IPsec 9

10 G53SEC IP Security: Optional in IPv4 and mandatory for IPv6 2 major security mechanisms - IP Authentication Header - IP Encapsulation Security Payload Does not contain mechanism to prevent traffic analysis 10

11 G53SEC IP Security – Authentication Header: Protects the integrity and authentication of IP packets Does not protect confidentiality Originally developed due to export restrictions of encryption mechanisms Restrictions lifted, thus Encapsulating Security Payloads now preferred to simplify IPsec implementation 11

12 G53SEC IP Security – Encapsulating Security Payloads: Provides: - confidentiality - data origin authentication - some replay protection - limited traffic flow confidentiality Achieved by encryption of payload Encapsulated within original IP packet 12

13 G53SEC IP Security – Encapsulating Security Payloads: transport mode - a protocol frame is encapsulated - and encrypted - provides end-to-end protection of packets - end hosts need to be IPsec aware 13

14 G53SEC IP Security – Encapsulating Security Payloads: tunnel mode - entire datagram treated as new payload - can be thought of as IP within IP - can be performed at security gateways - host need not be IPsec aware - provides traffic flow confidentiality 14

15 G53SEC IP Security: IPsec services use encryption But are not tied to one particular key management protocol Considers possibility of future flaws Summary IPsec provides transparent security for everyone using IP, without changing interface of IP Provides host-to-host security but with an overhead 15

16 G53SEC Secure Socket Layer/ Transport Layer Security: TCP – a stateful connection oriented protocol Performs address based entity authentication Vulnerable to attacks – hijacking, flooding Lacks strong cryptographic mechanisms These were introduced in SSL by Netscape TLS identical to SSL v.3 16

17 G53SEC Secure Socket Layer/ Transport Layer Security: SSL Sits between application layer and TCP Relies on properties guaranteed by TCP Stateful and connection oriented Contains handshake protocol where client and server agree on cipher suite This is then used for secure transmisison Most widely used Internet security protocol 17

18 G53SEC Domain Name System: www.nottingham.ac.uk – Domain namewww.nottingham.ac.uk 128.243.40.30 – IP address Translation of domain name to IP address – DNS Information maintained by DNS servers DNS lookup – name -> IP address DNS reverse lookup – IP address -> name 18

19 G53SEC Domain Name System: Attacker can corrupt DNS information thus can redirect users to fake sites or make sites seem unavailable – DoS attack This gets even worse when corruption is propagated between DNS servers Work on secure DNS service (DNSEC) underway 19

20 G53SEC Firewalls: Cryptographic mechanisms – confidentiality and integrity Authentication protocols – verify sources of data Access control at network level – firewalls Firewall “A network device controlling traffic between two parts of a network” 20

21 G53SEC Firewalls: Generally installed between LAN and Internet or between different LANs or on individual hosts Should control traffic to and from a protected network But ALL traffic has to go through it in order for it to be effective e.g. issue Dial-in lines and Wifi LANs 21

22 G53SEC Firewalls: Defend a protected network against parties accessing services that should only be available internally Can also restrict access from inside to outside services (e.g. IRC, P2P) Virtual Private Network - A secure connection between two gateways Network Address Translation - hides internal machines with private addresses 22

23 G53SEC Firewalls: Packet filters: - Specify which packets are allowed or dropped - Rules based on source and destination IP address - and TCP and UDP port numbers - possible for both inbound and outbound - Can be implemented in a router examining packet headers 23

24 G53SEC Firewalls: Packet filters - Issues: - Only crude rules enforced - Certain common protocols are difficult to handle - We can have blanket rules (e.g. block all port 21 traffic) - We cannot have dynamically defined rules 24

25 G53SEC Firewalls: Stateful Packet filters: - Understand requests and replies - Can support policies for a wider range of protocols than simple packet filters - Again can be done in routers (fast and cheap) - iptables – a Linux implementation 25

26 G53SEC Firewalls: Circuit-Level Proxies: - rules similar to packet filters - allowed connections generate new connections from firewall to destination - rarely used in practice these days - functionally similar to stateful packet filters but with lower performance 26

27 G53SEC Firewalls: Application-Level Proxies: - Client - > Server - Client -> Proxy -> Server-> Proxy -> Client - Another instance of controlled invocation e.g. Mail proxy – filters emails for spam, viruses, etc… - Proxy server – only entity seen by the outside world - Transparent to users 27

28 G53SEC Firewalls: Application-Level Proxies: - Typically run on a hardened PC - Provide close control over content - Offer high level of security Issues - Large overhead per connection - More expensive than packet filters - Configuration complex - A separate proxy server required for each service to be protected 28

29 G53SEC Firewalls: Policies: Permissive – allow everything except dangerous services - easy to make a mistake or forget something Restrictive – block everything except designated useful services - More secure but if blocked something that is needed – DoS 29

30 G53SEC Firewalls: Location of firewall important Demilitarised Zone (DMZ) – selective access to services from both inside and outside networks Firewall issues: No protection against insider threats May cause inconvenience Tunnelling Encrypted traffic cannot be examined 30

31 G53SEC Intrusion Detection Systems: Cryptographic mechanisms help, but… Impossible to prevent all attacks DoS attacks Insider Attacks Badly configured firewalls Already happening attacks not detectable -> Intrusion Detection Systems 31

32 G53SEC Intrusion Detection Systems: Consists of a number of sensors (network or host) Sensors collect various data Data is analysed Intrusion reported and possibly reactions triggered 32

33 G53SEC Intrusion Detection Systems: Misuse Detection - looks for attack signatures - signatures – patterns of network traffic - e.g. no. of failed login attempts - only as good as its database of attack signatures - new attacks -> signature needs to be created - IDS needs to update its database 33

34 G53SEC Intrusion Detection Systems: Anomaly Detection - Statistical / Behaviour-based detection - uses statistical techniques - first ‘normal’ behaviour is established as baseline - during operation if behaviour of monitored system deviates from baseline and exceeds a threshold -> -> alarm is issued 34

35 G53SEC Intrusion Detection Systems: Anomaly Detection - Possibility of detecting novel attacks - However only detects anomalies - Anomaly is not necessarily an attack - Attack is not necessarily anomalous - False positives (false alarm) - False negatives (attack detected as normal) 35

36 G53SEC Intrusion Detection Systems: Network based IDS - attack signatures of network traffic - e.g. SNORT, Firestorm Host Based IDS - attack signatures from system activity Most effective IDS systems to date combine the two. 36

37 G53SEC Vulnerability Assessment and Honeypots: Vulnerability Assessment - examines the security state of a network or a host - info on open ports, package version, etc.. Honeypots - a resource to track attackers and to learn and gather evidence about their activities - designed to mimic real systems - low and high interaction hneypots 37

38 G53SEC 38 Summary: Networking Protocols Firewalls Intrusion Detection

Download ppt "G53SEC 1 Network Security Hijacking, flooding, spoofing and some honey."

Similar presentations

IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Internet Protocol Security An Overview of IPSec. Outline:  What Security Problem?  Understanding TCP/IP.  Security at What Level?  IP Security. 

Internet Protocol Security An Overview of IPSec. Outline:  What Security Problem?  Understanding TCP/IP.  Security at What Level?  IP Security. 
Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.

Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.

Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.

Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.
1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

Similar presentations

Ads by Google