Published by Randell Carter. Modified over 8 years ago.
1
Chapter 9 Networking & Distributed Security (Part C)
2
csci5233 computer security & integrity (Chap. 9)
Outline
3
Electronic Mails
Security Goals vs Threats

Goals              Threats
confidentiality    1. interception
integrity          2. interception and subsequent replay
                   3. content modification
                   4. content forgery by outsider
                   5. content forgery by recipient
                   6. origin forgery by recipient
authenticity       7. origin modification
                   8. origin forgery by outsider
nonrepudiation     Threats 2 through 8 above
reliable delivery  interception (blocked delivery)
                   denial of message transmission
4
Privacy-enhanced E-Mails (PEM)
Internet standards
1987: RFC989 (PEM version 1)
1989: RFC1113 (version 2)
1993: RFC1421, 1422, 1423, 1424 (Part I, II, III, IV), version 3
Protection of privacy-enhanced emails occurs in the body of the message. The header of the message is not changed, to ensure compatibility with the then-existing email systems.
Overview: Fig. 9-27, 9-28 (p.424)
1) The message header and body are encrypted under a symmetric key K: E(message, K)
2) K is encrypted with the recipient’s public key: Rpub(K)
3) A duplicate header is prepended to the message, which contains both Rpub(K) and E(message, K).
Q: In step 2, can a symmetric key, instead of the recipient’s public key, be used to encrypt the message key?
5
Privacy-enhanced E-Mails (PEM)
The answer: YES. See p.425.
Q: What would be the requirements if a symmetric key is used?
Proc-Type field: processing type
DEK-Info field: data exchange key field
Key-Info: key exchange
Message encryption: DES
Key exchange: DES or RSA
In principle, any encryption algorithm can be used.
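The three header fields named above, and the symmetric-or-public-key choice from the overview's step 2, can be read straight off a PEM message. The following is an added example, not from the slides or the textbook: it assumes the RFC 1421 header layout, and the sample message, addresses and key values are constructed placeholders.

```python
# Added example. SAMPLE is constructed: every address, IV, key and body value is a placeholder.
SAMPLE = """\
-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,0123456789ABCDEF
Recipient-ID-Symmetric: alice@example.org,example-kmc,1
Key-Info: DES-ECB,RSA-MD2,0011223344556677,
 8899AABBCCDDEEFF0011223344556677
Recipient-ID-Asymmetric: UExBQ0VIT0xERVI=,02
Key-Info: RSA,
 UExBQ0VIT0xERVI=

UExBQ0VIT0xERVI=
-----END PRIVACY-ENHANCED MESSAGE-----
"""

def parse_header(text):
    """Return the encapsulated header as ordered (name, value) pairs."""
    lines = text.splitlines()
    start = lines.index("-----BEGIN PRIVACY-ENHANCED MESSAGE-----") + 1
    fields = []
    for line in lines[start:]:
        if not line.strip():                 # blank line: header ends, body follows
            break
        if line[0] in " \t" and fields:      # folded continuation of the previous field
            name, value = fields[-1]
            fields[-1] = (name, value + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields

def summarize(text):
    """Report how the message is protected and flag an incomplete ENCRYPTED header."""
    info = {"proc_type": None, "dek_alg": None, "key_exchange": [], "problems": []}
    for name, value in parse_header(text):
        parts = [p.strip() for p in value.split(",")]
        if name == "Proc-Type" and len(parts) > 1:
            info["proc_type"] = parts[1]     # ENCRYPTED, MIC-ONLY, MIC-CLEAR or CRL
        elif name == "DEK-Info":
            info["dek_alg"] = parts[0]       # cipher that protects the message body
        elif name == "Key-Info":             # one per recipient: how K itself is wrapped
            kind = "asymmetric" if parts[0] == "RSA" else "symmetric"
            info["key_exchange"].append((kind, parts[0]))
    if info["proc_type"] == "ENCRYPTED":
        needed = (("DEK-Info", info["dek_alg"]), ("Key-Info", info["key_exchange"]))
        info["problems"] = ["ENCRYPTED but no " + f for f, v in needed if not v]
    return info
```

Calling `summarize(SAMPLE)` shows one recipient receiving K under a shared DES key and the other under an RSA public key, both in the same message.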
6
Privacy-enhanced E-Mails (PEM)
Security features:
Confidentiality - message encryption
Authenticity - ?
Nonrepudiability - ?
Integrity - ?
Answers: p.425
7
Privacy-enhanced E-Mails (PEM)
Advantages:
The user may choose whether or not to use PEM when sending an email.
PEM provides strong end-to-end security for emails.
Problems?
1. Key management
2. The end points may not be secure.
Yet another privacy-enhanced email protocol: PGP (p.426)
8
Firewalls
Q: Which is more important, protection of emails or protection of network-connected resources? (See the argument on p.427.)
A firewall works in a way similar to a filter, which lets through only desirable interactions while keeping all others out of the protected network.
Analogy: a gatekeeper, a security gateway
A firewall is a device or a process that filters all traffic between a protected (inside) network and a less trustworthy (outside) network.
Scenarios:
o Internal users sending company secrets outside
o Outside people breaking into systems inside
9
Firewalls
Alternative security policies:
To block all incoming traffic, but allow outgoing traffic to pass
To allow accesses only from certain places
To allow accesses only from certain users
To allow accesses for certain activities (such as specific port numbers)
o Port 79: finger; Port 23: telnet; Port 513: rlogin;
o Port 21: ftp; Port 177: X Windows
o ICMP messages: the PROTOCOL field of IP header = 1
o Each of these mechanisms is a potential back door into the system.
10
Types of Firewalls
Screening Routers
The simplest, but possibly the most effective, type of firewall.
A router plays the role of a ‘gateway’ between two networks. (Fig. 9-31, p.429)
A screening router takes advantage of a router’s ability to “screen” passing packets and forwards only packets that are desirable. Example: Fig. 9-32.
A router has a unique advantage because it sits between the outside and the inside network. (Fig. 9-33)
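A screening router's header-only decision, applied to the policies and port numbers from the "Alternative security policies" slide, can be sketched as a first-match rule list with a default deny. This is an added example, not from the slides or the textbook: the network ranges, the `screen` function and the packet list are assumptions constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Assumed addressing (documentation ranges), not taken from the slides.
INSIDE = ip_network("192.0.2.0/24")       # protected network
PARTNER = ip_network("198.51.100.0/24")   # the "certain places" allowed in
ICMP, TCP = 1, 6                          # values of the IP header PROTOCOL field

# Services the slide lists as potential back doors.
BACK_DOORS = {79: "finger", 23: "telnet", 513: "rlogin", 21: "ftp", 177: "X Windows"}

def screen(iface, src, dst, proto, dport=None):
    """Decide on one packet from its header alone; the first matching rule wins."""
    src, dst = ip_address(src), ip_address(dst)
    if iface == "inside":
        # Outgoing traffic passes, but only with a genuine inside source address.
        if src in INSIDE:
            return ("forward", "outgoing")
        return ("drop", "outgoing packet with a non-inside source")
    # Everything below arrived on the outside interface.
    if src in INSIDE:
        # Only a device sitting between the two networks can make this check.
        return ("drop", "inside source address on the outside interface")
    if dst not in INSIDE:
        return ("drop", "not addressed to the protected network")
    if proto == ICMP:
        return ("drop", "ICMP from outside")
    if dport in BACK_DOORS:
        return ("drop", "back-door service: " + BACK_DOORS[dport])
    if src in PARTNER and proto == TCP:
        return ("forward", "TCP from an allowed place")
    return ("drop", "default deny for incoming traffic")

# Constructed packets: (arrival interface, source, destination, protocol, dest port)
PACKETS = [
    ("inside",  "192.0.2.10",   "203.0.113.5", TCP, 80),
    ("outside", "198.51.100.7", "192.0.2.20",  TCP, 25),
    ("outside", "198.51.100.7", "192.0.2.20",  TCP, 23),
    ("outside", "192.0.2.99",   "192.0.2.20",  TCP, 25),
    ("outside", "203.0.113.5",  "192.0.2.20",  ICMP, None),
    ("outside", "203.0.113.5",  "192.0.2.20",  TCP, 25),
]

if __name__ == "__main__":
    for pkt in PACKETS:
        print(pkt, "->", screen(*pkt))
```

As written the filter keeps no state, so replies to outgoing connections fall under the incoming rules.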
11
Types of Firewalls
Proxy Gateways
“proxy”: authority or power to act for another
A firewall that simulates the effects of an application by running “pseudo-applications”.
To the inside it implements part of the application protocol to make itself look as if it is the outside connection.
To the outside it implements part of the application protocol to act just like the inside process would.
It examines the content, not just the header, of a packet.
Examples of using proxy firewalls: pp.431-432
12
Types of Firewalls
Guards
A “sophisticated” proxy firewall
A guard firewall examines and interprets the content of a packet.
A guard usually implements and enforces certain business policies.
Example: enforcing an email “quota” (p.433)
Other examples
Trade-offs?
Table 9-3 (p.434): Comparing the types of firewalls
13
Firewalls
Examples of Firewall Configurations
Screening router only: Fig. 9-35
Proxy firewall only: Fig. 9-36
A combined approach: Fig. 9-37
Q: Does it make sense to reverse the position of the screening router and the proxy firewall in Fig. 9-37?
14
DMZ (Demilitarized zone)
The segment in a network bounded by two firewalls.
15
Considerations about Firewalls
Firewalls provide perimeter protection of a network, if the network’s perimeter is clearly defined and can be controlled by the firewall.
A firewall is a prime target for attack.
A firewall does not solve all security problems. Why not?
A firewall may have a negative effect on software portability. (See VM: Ch. 16 – Through the firewall)
16
Summary
Network security is a rich area, in terms of the complexity of the problem and research opportunities.
Intrusion detection
Honeypots
Security versus performance
…
Next:
– Buffer overflow (VM: Ch 7)
– Applying cryptography (VM: Ch 11)