e-business ppt ids.vpn.pki2.pptx

8/10/2019 E-Business PPT IDS.VPN.PKI2.pptx

1/38

IDS,VPNs & PKI


2/38

Intrusion detection

system (IDS)


3/38

Intrusion and Intrusion Detection Intrusion : Attempting to break into or misuse your

system.

Intruders may be from outside the network orlegitimate users of the network.

Intrusion can be a physical, system or remoteintrusion.


4/38

Different ways to intrude Buffer overflows:Almost all the security holes you read about in the press

are due to this problem. A typical example is a programmer who sets aside 256

characters to hold a login username. Surely, the programmer thinks, nobodywill ever have a name longer than that. But a hacker thinks, what happens if Ienter in a false username longer than that? Where do the additionalcharacters go? If they hackers do the job just right, they can send 300characters, including code that will be executed by the server, and voila,they've broken in. Hackers find these bugs in several ways. First of all, thesource code for a lot of services is available on the net. Hackers routinely lookthrough this code searching for programs that have buffer overflow problems.Secondly, hackers may look at the programs themselves to see if such aproblem exists, though reading assembly output is really difficult. Thirdly,hackers will examine every place the program has input and try to overflow itwith random data. If the program crashes, there is a good chance thatcarefully constructed input will allow the hacker to break in. Note that thisproblem is common in programs written in C/C++, but rare in programswritten in Java.

Unhandled input: Most programs are written to handle valid input. Mostprogrammers do not consider what happens when somebody enters inputthat doesn't match the specification.


5/38

Unexpected combinations: Programs are usually constructed using many layers ofcode, including the underlying operating system as the bottom most layer. Intruders canoften send input that is meaningless to one layer, but meaningful to another layer. Themost common language for processing user input on the web is PERL. Programs written inPERL will usually send this input to other programs for further evaluation. A common

hacking technique would be to enter something like "| mail < /etc/passwd". This getsexecuted because PERL asks the operating system to launch an additional program withthat input. However, the operating system intercepts the pipe '|' character and launches the'mail' program as well, which causes the password file to be emailed to the intruder.

Race conditions:Most systems today are "multitasking/multithreaded". This means

that they can execute more than one program at a time. There is a danger if two programsneed to access the same data at the same time. Imagine two programs, A and B, who needto modify the same file. In order to modify a file, each program must first read the file intomemory, change the contents in memory, then copy the memory back out into the file. Therace condition occurs when program A reads the file into memory, then makes the change.However, before A gets to write the file, program B steps in and does the fullread/modify/write on the file. Now program A writes its copy back out to the file. Since

program A started with a copy before B made its changes, all of B's changes will be lost.Since you need to get the sequence of events in just the right order, race conditions are veryrare. Intruders usually have to tries thousands of time before they get it right, and hackinto the system.


6/38

Intrusion Detection Systems (IDS) Intrusion Detection Systems look for attack

signatures, which are specific patterns that usuallyindicate malicious or suspicious intent.

Different ways of classifying an IDS

IDS based on

anomaly detection

signature based misuse host based

network based


7/38

1.Anomaly based IDS This IDS models the normal usage of the network as a

noise characterization.

Anything distinct from the noise is assumed to be anintrusion activity.

E.g flooding a host with lots of packet.

The primary strength is its ability to recognize novel

attacks.


8/38

Drawbacks of Anomaly detection

IDSAssumes that intrusions will be accompanied by

manifestations that are sufficiently unusual so as topermit detection.

These generate many false alarms and hencecompromise the effectiveness of the IDS.


9/38

2. Signature based IDS This IDS possess an attacked description that can be matched to

sensed attack manifestations. The question of what information is relevant to an IDS depends

upon what it is trying to detect. E.g DNS, FTP etc.

ID system is programmed to interpret a certain series of packets,or a certain piece of data contained in those packets,as an attack.For example, an IDS that watches web servers might beprogrammed to look for the string phf as an indicator of a CGIprogram attack.

Most signature analysis systems are based off of simple patternmatching algorithms. In most cases, the IDS simply looks for asub string within a stream of data carried by network packets.

When it finds this sub string (for example, the `phf'' in ``GET/cgi-bin/phf?''), it identifies those network packets as vehicles ofan attack.


10/38

Drawbacks of Signature based IDS They are unable to detect novel attacks.

Suffer from false alarms

Have to programmed again for every new pattern to bedetected.


11/38

3. Host/Applications based IDS The host operating system or the application logs in

the audit information.

These audit information includes events like the use of

identification and authentication mechanisms (loginsetc.) , file opens and program executions, adminactivities etc.

This audit is then analyzed to detect trails of intrusion.


12/38

Drawbacks of the host based IDS The kind of information needed to be logged inis a matter of experience.

Unselective logging of messages may greatly

increase the audit and analysis burdens. Selective logging runs the risk that attack

manifestations could be missed.


13/38

Strengths of the host based IDSAttack verification

System specific activity

Encrypted and switch environments Monitoring key components

Near Real-Time detection and response.

No additional hardware


14/38

Stack based IDS They are integrated closely with the TCP/IP stack,

allowing packets to be watched as they traverse theirway up the OSI layers.

This allows the IDS to pull the packets from the stackbefore the OS or the application have a chance toprocess the packets.


15/38

4. Network based IDS This IDS looks for attack signatures in network traffic

via a promiscuous interface.

A filter is usually applied to determine which trafficwill be discarded or passed on to an attack recognitionmodule. This helps to filter out known un-malicioustraffic.


16/38

Strengths of Network based IDS Cost of ownership reduced

Packet analysis

Evidence removal Real time detection and response

Malicious intent detection

Complement and verification

Operating system independence


17/38

Future of IDS To integrate the network and host based IDS for better

detection.

Developing IDS schemes for detecting novel attacksrather than individual instantiations.


18/38

Virtual private network(VPN)


19/38

Traditional Connectivity


20/38

What is VPN?Virtual Private Network is a type of private network

that uses public telecommunication, such as theInternet, instead of leased lines to communicate.

Became popular as more employees worked in remotelocations.


21/38

What Makes a VPN?A well-designed VPN can greatly benefit a company. For example,it can:

Extend geographic connectivity

Improve security Reduce operational costs versus traditional VAN

Reduce transit time and transportation costs for remote users

Improve productivity

Simplify network topology

Provide global networking opportunities

Provide telecommuter support

Provide broadband networking compatibility

Provide faster ROI (return on investment) than traditional WAN


22/38

Private Networks v/s.

Virtual Private NetworksEmployees can access the network (Intranet) from

remote locations.

Secured networks.

The Internet is used as the backbone for VPNs

Saves cost tremendously from reduction of equipmentand maintenance costs.

Scalability


23/38

Three types of VPN:

(From Gartner Consulting)


24/38

Brief Overview of How it WorksTwo connections one is made to the Internet and the

second is made to the VPN.

Datagrams contains data, destination and source

information.Firewalls VPNs allow authorized users to pass

through the firewalls.

Protocols protocols create the VPN tunnels.


25/38

Four Critical FunctionsAuthentication validates that the data was sent from

the sender.

Access control limiting unauthorized users from

accessing the network.Confidentiality preventing the data to be read or

copied as the data is being transported.

Data Integrity ensuring that the data has not been

altered


26/38

Four Protocols used in VPNPPTP -- Point-to-Point Tunneling Protocol

L2TP -- Layer 2 Tunneling Protocol

IPsec -- Internet Protocol Security

SOCKS is not used as much as the ones above


27/38

VPN Encapsulation of Packets


28/38

Virtual Private Networks (VPN)Basic Architecture


29/38

Advantages: Cost Savings Eliminating the need for expensive long-distance

leased lines

Reducing the long-distance telephone charges forremote access.

Transferring the support burden to the serviceproviders

Operational costs


30/38

Advantages: ScalabilityFlexibility of growth

Efficiency with broadband technology


31/38

DisadvantagesVPNs require an in-depth understanding of publicnetwork security issues and proper deployment ofprecautions

Availability and performance depends on factorslargely outside of their control

Immature standards

VPNs need to accommodate protocols other than IPand existing internal network technology


32/38

Applications: Site-to-Site VPNsLarge-scale encryptionbetween multiple fixedsites such as remoteoffices and central offices

Network traffic is sentover the branch officeInternet connection

This saves the companyhardware andmanagement expenses


33/38


34/38

PKI A PKI (public key infrastructure) enables users of abasically unsecure public network such as the Internet tosecurely and privately exchange data and money throughthe use of a public and a private cryptographic key pair that

is obtained and shared through a trusted authority. The public keyinfrastructure provides for a digital

certificatethat can identify an individual or anorganization and directory services that can store and,

when necessary, revoke the certificates. Although the

components of a PKI are generally understood, a number ofdifferent vendor approaches and services are emerging.Meanwhile, an Internet standard for PKI is being workedon.
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211947,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211947,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci212845,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211947,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211947,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211947,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211947,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci212845,00.html


35/38

A public key infrastructure consists of: A certificate authority (CA) that issues and verifies digital

certificate. A certificate includes the public key or informationabout the public key

A registration authority (RA) that acts as the verifier for thecertificate authority before a digital certificate is issued to arequestor

One or more directories where the certificates (with their publickeys) are held

A certificate management system

ow u c an r va e ey
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213831,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211947,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211947,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci214245,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci214245,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211947,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211947,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213831,00.html


36/38

ow u c an r va e eyCryptography Works In public key cryptography, a public and private key are

created simultaneously usingthe same algorithm(a

popular one is known as RSA) by a certificate authority(CA). The private key is given only to the requesting partyand the public key is made publicly available (as part of adigital certificate) in a directory that all parties can access.The private key is never shared with anyone or sent acrossthe Internet. You use the private key to decrypt text that

has been encrypted with your public key by someone else(who can find out what your public key is from a publicdirectory). Thus, if I send you a message, I can find out

your public key (but not your private key) from a centraladministrator and encrypt a message to you using yourpublic key. When you receive it, you decrypt it with your

private key. In addition to encrypting messages (whichensures privacy), you can authenticate yourself to me (so Iknow that it is really you whosent the message) by using

your private key to encrypt a digital certificate. When Ireceive it, I can use your public key to decrypt it.
http://whatis.techtarget.com/definition/0,,sid9_gci211545,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci214273,00.htmlhttp://whatis.techtarget.com/definition/0,,sid9_gci211545,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci214273,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211947,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211947,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211947,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci214273,00.htmlhttp://whatis.techtarget.com/definition/0,,sid9_gci211545,00.html


37/38

Who Provides the Infrastructure A number of products are offered that enable a company or group of

companies to implement a PKI. The acceleration of e-commerceand

business-to-business commerce over the Internet has increased thedemand for PKI solutions. Related ideas are the virtual private network(VPN) and the IP Security (IPsec) standard. Among PKI leaders are:

RSA, which has developed the main algorithms used by PKI vendors Verisign, which acts as a certificate authority and sells software that

allows a company to create its own certificate authorities GTE CyberTrust, which provides a PKI implementation methodology

and consultation service that it plans to vend to other companies for afixed price Xcert, whose Web Sentry product that checks the revocation status of

certificates on a server, using the Online Certificate Status Protocol(OCSP)

Netscape, whose Directory Server product is said to support 50 millionobjects and process 5,000 queries a second; Secure E-Commerce, which

allows a company or extranetmanager to manage digital certificates;and Meta-Directory, which can connect all corporate directories into asingle directory for security management
http://searchcio.techtarget.com/sDefinition/0,,sid19_gci212029,00.htmlhttp://searchcio.techtarget.com/sDefinition/0,,sid19_gci212029,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213324,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci214037,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213324,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci214037,00.htmlhttp://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci212089,00.htmlhttp://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci212089,00.htmlhttp://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci212089,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci214037,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213324,00.htmlhttp://searchcio.techtarget.com/sDefinition/0,,sid19_gci212029,00.htmlhttp://searchcio.techtarget.com/sDefinition/0,,sid19_gci212029,00.htmlhttp://searchcio.techtarget.com/sDefinition/0,,sid19_gci212029,00.html


38/38

e-business ppt ids.vpn.pki2.pptx

Documents