networksecurity (2)

Upload: sanroc990

Post on 06-Apr-2018


TRANSCRIPT

  • 8/3/2019 networksecurity (2)

    1/35

    Overview of Network Security

    2/35

    Presentation Content

    What is Internet?

    What do we need to protect?

    Threat Motivation

    Attack Types

    Security Objectives

    Security mechanisms

    References

    3/35

    What is Internet?

    The Internet is a worldwide IP network that links a collection of different networks from various sources: governmental, educational and commercial.

    4/35

    What do we need to protect

    Data

    Resources

    Reputation

    5/35

    Threat Motivation

    Spy

    Joyride

    Ignorance

    Score Keeper

    Revenge

    Greed

    Terrorist

    6/35

    Types of Attacks

    Passive (eavesdropping and traffic analysis; the data is observed, not modified)

    Active (modification, replay, masquerade)

    Denial of Service

    Social Engineering

    7/35

    TCP 3-way handshake

    Client                                  Server
      ---- SYN(X) ---------------------->   half open (state allocated, waiting for the final ACK)
      <--- SYN(Y), ACK(X+1) ------------
      ---- ACK(Y+1) -------------------->   full open

    X, Y are the initial sequence numbers chosen by client and server; each side acknowledges the other's sequence number plus one.
    Half open: the server has received the SYN and sent SYN/ACK but not yet received the ACK. It holds resources in this state, which is what a SYN flood exhausts.
    Full open: the connection is established once the final ACK arrives.

    8/35

    TCP Session Hijack (blind IP spoofing)

    Attacker                                           Server
      ---- SYN(X), source = 146.135.12.1 ---------->   half open
           SYN(Y), ACK(X+1) is sent to 146.135.12.1, the real client, not to the attacker
      ---- ACK(Y+1), source = 146.135.12.1 -------->   "valid" TCP connection, if the attacker guessed Y

    Client, 146.135.12.1: a host the server trusts by its address.
    Attacker: initiates TCP with 146.135.12.1 as the spoofed source, then completes the TCP connection as that client.
    The attacker never sees the SYN/ACK, so it has to predict Y. With predictable initial sequence numbers (a counter stepped by a constant) one sample taken from a normal connection is enough; with cryptographically random ISNs, as modern stacks use, the guess fails. The real client also has to be kept from answering, since it would reset a SYN/ACK it never asked for.
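The two slides above, modelled in Python as an added example (not code from the original deck). The server, its ISN policies, the addresses and the step size 64000 are assumptions for the model; the attacker's address 203.0.113.9 is a constructed value. The point the model makes is that the spoofing attack on slide 8 only works when the server's initial sequence number can be predicted.

```python
import secrets


class Server:
    """Toy model of a TCP listener: it keeps half-open entries (SYN received,
    SYN/ACK sent) and established entries, keyed by the *claimed* source
    address, exactly as a real stack does before the handshake completes."""

    def __init__(self, isn_policy):
        self.isn_policy = isn_policy   # callable returning the server's ISN (Y)
        self.half_open = {}            # claimed src -> Y sent in SYN/ACK
        self.established = set()

    def recv_syn(self, src, x):
        """Handshake step 1/2: SYN(X) arrives, state is allocated (half open)
        and SYN(Y), ACK(X+1) is sent to *src*, whoever really sent the SYN."""
        y = self.isn_policy()
        self.half_open[src] = y
        return ("SYN/ACK", y, x + 1)   # delivered to src, not to the sender

    def recv_ack(self, src, ack):
        """Handshake step 3: ACK(Y+1) completes the connection only if the
        acknowledgement number matches the Y we actually sent."""
        y = self.half_open.get(src)
        if y is None or ack != y + 1:
            return False               # wrong guess: connection stays half open
        del self.half_open[src]
        self.established.add(src)
        return True


def predictable_isn_policy(step=64000):
    """Weak policy (assumption: modelled on old BSD-style stacks): the ISN is
    a counter advanced by a fixed step on every new connection."""
    state = {"isn": 0}

    def next_isn():
        state["isn"] = (state["isn"] + step) % 2**32
        return state["isn"]

    return next_isn


def random_isn_policy():
    """Strong policy: ISN drawn from a CSPRNG, so it cannot be predicted."""
    return lambda: secrets.randbelow(2**32)


def honest_handshake(server, client="10.0.0.5", x=1000):
    """Normal client: it receives the SYN/ACK, so it knows Y."""
    _, y, _ = server.recv_syn(client, x)
    return server.recv_ack(client, y + 1)


def spoofed_handshake(server, trusted="146.135.12.1", step=64000):
    """Blind spoofing as on slide 8. The attacker first completes a normal
    handshake from its own address to sample the server's ISN, then sends
    SYN with the trusted client's address. The SYN/ACK goes to 146.135.12.1,
    so the attacker never sees Y and has to predict it from the sample."""
    _, y_sample, _ = server.recv_syn("203.0.113.9", 1)   # attacker's real address
    server.recv_ack("203.0.113.9", y_sample + 1)
    server.recv_syn(trusted, 5000)          # the reply goes to the real client
    guessed_y = (y_sample + step) % 2**32   # correct only under the weak policy
    return server.recv_ack(trusted, guessed_y + 1)
```

Run `spoofed_handshake(Server(predictable_isn_policy()))` and the trusted address ends up in `established`; against `Server(random_isn_policy())` the same attack leaves it stuck in `half_open`. The model ignores the real client's RST, which an attacker must separately suppress.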

    9/35

    Security Objectives

    Identification

    Authentication

    Authorization

    Access Control

    Data Integrity

    Confidentiality

    Non-repudiation

    10/35

    Identification

    Something which uniquely identifies a user and is called a UserID.

    Sometimes users can select their own ID, as long as it is not already given to another user.

    UserID can be one or a combination of the following:

    User Name

    User Student Number

    User SSN (a poor choice in practice: an SSN is sensitive data in its own right, and using it as an identifier exposes it on every login screen and in every log)

    11/35

    Authentication

    The process of verifying the identity of a user.

    Typically based on

    Something the user knows: password

    Something the user has: key, smart card, disk, or other device

    Something the user is: fingerprint, voice, or retinal scans

    12/35

    Authentication Cont.

    Authentication procedure

    Two-Party Authentication
      One-Way Authentication
      Two-Way Authentication

    Third-Party Authentication
      Kerberos
      X.509

    Single Sign-On

    User can access several network resources by logging on once to a security system.

    13/35

    Two-Party Authentications (diagram)

    One-way Authentication: Client sends UserID & Password to Server; Server replies Authenticated.

    Two-way Authentication: Client sends UserID & Password to Server, Server replies Authenticated; then Server sends ServerID & Password to Client, Client replies Authenticated.

    14/35

    Third-Party Authentications (diagram)

    Client sends ClientID, Password to the Security Server and is Authenticated; Server sends ServerID, Password to the Security Server and is Authenticated; Client and Server then Exchange Keys and Exchange Data.
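Slide 13 shows the password itself travelling in each direction. The added example below (my code, not from the deck) implements the same one-way and two-way exchanges as a challenge-response instead: each side proves it holds the shared secret by answering a fresh random challenge, so the password never crosses the network and a captured response cannot be replayed. The role labels, the PBKDF2 key derivation and the constructed salt are assumptions of this example.

```python
import hashlib
import hmac
import secrets


def derive_key(password: str, salt: bytes) -> bytes:
    """Both parties derive the shared authentication key from the password
    so the password itself never goes over the network."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def proof(key: bytes, role: str, nonce: bytes) -> bytes:
    """Response to a challenge: HMAC over the role label and the nonce. The
    label stops a reflection attack, where a peer answers our challenge by
    bouncing it back to us and reusing our own response."""
    return hmac.new(key, role.encode("ascii") + nonce, hashlib.sha256).digest()


class Party:
    def __init__(self, role: str, key: bytes):
        self.role = role
        self.key = key
        self.pending = None     # last nonce we issued, awaiting a response

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)   # fresh per run: defeats replay
        return self.pending

    def respond(self, nonce: bytes) -> bytes:
        return proof(self.key, self.role, nonce)

    def verify(self, peer_role: str, response: bytes) -> bool:
        expected = proof(self.key, peer_role, self.pending)
        self.pending = None
        return hmac.compare_digest(expected, response)


SALT = bytes.fromhex("5a17c0ffee5a17c0ffee5a17c0ffee00")   # constructed, may be public


def one_way_auth(client_pw: str, server_pw: str) -> bool:
    """Slide 13, one-way: only the server checks the client."""
    client = Party("client", derive_key(client_pw, SALT))
    server = Party("server", derive_key(server_pw, SALT))
    return server.verify("client", client.respond(server.challenge()))


def two_way_auth(client_pw: str, server_pw: str):
    """Slide 13, two-way: each side challenges the other in turn."""
    client = Party("client", derive_key(client_pw, SALT))
    server = Party("server", derive_key(server_pw, SALT))
    client_ok = server.verify("client", client.respond(server.challenge()))
    server_ok = client.verify("server", server.respond(client.challenge()))
    return client_ok, server_ok


def replay_attack(client_pw: str) -> bool:
    """An eavesdropper who captured one valid response replays it against a
    new challenge; the fresh nonce makes it fail."""
    key = derive_key(client_pw, SALT)
    client, server = Party("client", key), Party("server", key)
    captured = client.respond(server.challenge())
    server.verify("client", captured)        # the legitimate session
    server.challenge()                        # new session, new nonce
    return server.verify("client", captured)  # attacker replays the capture
```

Both directions succeed only when the two sides derive the same key; a mismatch fails both checks rather than leaking which side was wrong. This is still a two-party scheme: the third-party variant on slide 14 (Kerberos, X.509) exists so that N parties do not need N² shared secrets.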

    15/35

    Authorization

    The process of assigning access rights to a user.

    16/35

    Access Control

    The process of enforcing access rights, based on the following three entities:

    Subject: an entity that can access an object

    Object: an entity to which access can be controlled

    Access Right: defines the ways in which a subject can access an object.

    17/35

    Access Control

    Access Control is divided into two:

    Discretionary Access Control (DAC): the owner of the object is responsible for setting the access rights.

    Mandatory Access Control (MAC): the system defines access rights based on how the subject and object are classified; the owner cannot override them.
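The subject/object/access-right model of slide 16 and the DAC/MAC split of slide 17, as an added example in Python (my code, not the deck's). The level names, the Bell-LaPadula "no read up / no write down" rule used for MAC, and the alice/bob/eve scenario are assumptions made for the example; the deck only says that MAC compares classifications.

```python
from dataclasses import dataclass, field

# Ordered sensitivity levels used by the MAC policy (constructed labels).
LEVELS = {"public": 0, "confidential": 1, "secret": 2}


@dataclass
class Subject:
    name: str
    clearance: str


@dataclass
class Object:
    name: str
    owner: str
    classification: str
    acl: dict = field(default_factory=dict)   # DAC: subject name -> set of rights


def dac_grant(obj: Object, granter: str, subject: str, rights: set) -> None:
    """DAC: the object's owner, and only the owner, sets the access rights."""
    if granter != obj.owner:
        raise PermissionError(f"{granter} does not own {obj.name}")
    obj.acl.setdefault(subject, set()).update(rights)


def dac_check(subj: Subject, obj: Object, right: str) -> bool:
    return subj.name == obj.owner or right in obj.acl.get(subj.name, set())


def mac_check(subj: Subject, obj: Object, right: str) -> bool:
    """MAC, Bell-LaPadula style: the system compares the subject's clearance
    with the object's classification. Read needs clearance >= classification
    (no read up); write needs clearance <= classification (no write down).
    Ownership gives no exemption."""
    s, o = LEVELS[subj.clearance], LEVELS[obj.classification]
    if right == "read":
        return s >= o
    if right == "write":
        return s <= o
    return False


def is_allowed(subj: Subject, obj: Object, right: str) -> bool:
    """Access is granted only if the mandatory policy allows it AND the
    owner's discretionary ACL allows it: DAC can narrow MAC, never widen it."""
    return mac_check(subj, obj, right) and dac_check(subj, obj, right)


def demo():
    """Constructed scenario: Alice owns a secret report and grants Bob, who
    holds only a confidential clearance, read and write access."""
    alice = Subject("alice", "secret")
    bob = Subject("bob", "confidential")
    eve = Subject("eve", "public")
    report = Object("report", owner="alice", classification="secret")
    dac_grant(report, "alice", "bob", {"read", "write"})
    return {
        "alice_read": is_allowed(alice, report, "read"),   # owner and cleared
        "bob_read": is_allowed(bob, report, "read"),       # ACL says yes, MAC says no
        "bob_write": is_allowed(bob, report, "write"),     # writing up is permitted
        "eve_write": is_allowed(eve, report, "write"),     # MAC fine, no ACL entry
    }
```

The interesting case is `bob_read`: the owner explicitly granted it, and under pure DAC Bob would read the report, but the mandatory policy overrides the owner's decision.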

    18/35

    Data Integrity

    Assurance that the data that arrives is the same as when it was sent.

    19/35

    Confidentiality

    Assurance that sensitive information is not visible to an eavesdropper. This is usually achieved using encryption.

    20/35

    Non-repudiation

    Assurance that any transaction that takes place can subsequently be proved to have taken place: neither the sender nor the receiver can later deny that the exchange took place.

    A shared-key integrity check cannot provide this, since either party could have produced it; non-repudiation needs a digital signature made with a key that only the signer holds.

    21/35

    Security Mechanisms

    Web Security

    Cryptographic techniques

    Internet Firewalls

    22/35

    Web Security

    Basic Authentication

    Secure Socket Layer (SSL)

    23/35

    Basic Authentication

    A simple user ID and password-based authentication scheme, which provides the following:

    To identify which user is accessing the server

    To limit users to accessing specific pages (identified as Uniform Resource Locators, URLs)

    The browser sends the credentials base64-encoded, not encrypted, with every request, so Basic Authentication is only acceptable over an SSL/TLS connection.
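Both bullets of slide 23, identifying the user and limiting which URLs they may reach, implemented server-side in Python as an added example (my code, not from the deck). The credential store, the page ACL, the salt and the PBKDF2 parameters are constructed for the example; the header format follows RFC 7617.

```python
import base64
import binascii
import hashlib
import hmac


def hash_password(password: str, salt: bytes) -> bytes:
    """Store a salted PBKDF2 hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


# Constructed credential store: user -> (salt, hash). Only alice has an account.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}
_DUMMY = (_SALT, bytes(32))   # hashed for unknown users too, to keep timing uniform

# Which users may reach which URL prefixes (the "limit users to specific pages" part).
PAGE_ACL = {"/admin/": {"alice"}, "/docs/": {"alice", "bob"}}


def make_basic_header(user: str, password: str) -> str:
    """What a browser sends: base64 of 'user:password'. Base64 is an encoding,
    not encryption; without TLS anyone on the path reads the password."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None
    when the scheme, the base64 or the 'user:password' shape is wrong."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")   # password may itself contain ':'
    return (user, password) if sep else None        # RFC 7617 requires the colon


def authenticate(header):
    """Identify the user (slide 23, first bullet). Returns the user or None."""
    creds = parse_basic(header)
    if creds is None:
        return None
    user, password = creds
    salt, stored = USERS.get(user, _DUMMY)
    ok = hmac.compare_digest(hash_password(password, salt), stored)
    return user if ok and user in USERS else None


def authorize(user: str, path: str) -> bool:
    """Limit users to specific URLs (slide 23, second bullet)."""
    for prefix, allowed in PAGE_ACL.items():
        if path.startswith(prefix):
            return user in allowed
    return False   # default deny for any URL not listed


def handle_request(path: str, auth_header):
    """HTTP status the server answers with for this request."""
    user = authenticate(auth_header)
    if user is None:
        return 401   # sent with 'WWW-Authenticate: Basic realm="docs"' so the browser prompts
    return 200 if authorize(user, path) else 403
```

A wrong password and an unknown user both get 401 after the same PBKDF2 work, so response time does not reveal which usernames exist; a known user asking for a page outside their ACL gets 403.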

    24/35

    Secure Socket Layer (SSL)

    Netscape Inc. originally created the SSL protocol, but now it is implemented in World Wide Web browsers and servers from many vendors (today in the form of its successor, TLS; SSL 2.0 and 3.0 are deprecated and should be disabled). SSL provides the following:
    - Confidentiality through an encrypted connection based on symmetric keys
    - Authentication using public key identification and verification
    - Connection reliability through integrity checking

    There are two parts to the SSL standard, as follows:

    The SSL Handshake is a protocol for initial authentication and transfer of encryption keys.

    The SSL Record protocol is a protocol for transferring encrypted data.

    25/35

    The client sends a "hello" message to the Web server, and the server responds with a copy of its digital certificate.

    The client verifies the signature on that certificate using the well-known public key of the Certificate Authority, such as VeriSign, and takes the server's public key from the verified certificate. The certificate is signed, not encrypted, so nothing is decrypted at this step; the client must also check that the certificate names the server it intended to reach and is within its validity period, or the authentication proves nothing.

    26/35

    Cryptographic Techniques

    Secret Key Algorithm

    Public Key Algorithm

    Secure Hash Function

    Digital Signature

    Certificate Authority

    27/35

    Secret Key Algorithm (diagram)

    Bob: Clear Text, Encryption with the Secret Key, Cipher Text.
    Alice: Cipher Text, Decryption with the same Secret Key, Clear Text.

    28/35

    Public Key Algorithm (diagram)

    Bob: Clear Text, Encryption with Alice's Public Key, Cipher Text.
    Alice: Cipher Text, Decryption with Alice's Private Key, Clear Text.

    29/35

    Secure Hash Function (diagram)

    Bob: Clear Text and Key go into the Hash Function, producing the Message Digest.
    Original Clear Text and Original Message Digest cross the Non-Secure Network.
    Alice: Original Clear Text and Key go into the Hash Function, producing the Computed Message Digest; Compare it with the Original Message Digest.

    Because a Key is mixed in, this is a keyed hash, i.e. a message authentication code such as HMAC: an attacker who alters the clear text in transit cannot produce a matching digest without the key, whereas with an unkeyed hash the attacker simply recomputes it.
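The integrity check of slide 18 and the keyed-hash flow of slide 29, as an added example in Python (my code, not the deck's). HMAC-SHA256 is my choice of keyed hash; the key, the sample message and the in-transit modification are constructed for the example. It also runs the same flow with an unkeyed hash to show why the key matters.

```python
import hashlib
import hmac


def keyed_digest(key: bytes, message: bytes) -> str:
    """Bob's side of slide 29: Message Digest = Hash(Key, Clear Text), here HMAC-SHA256."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def send(key: bytes, message: bytes):
    """What crosses the non-secure network: the clear text and its digest."""
    return message, keyed_digest(key, message)


def verify(key: bytes, received_message: bytes, received_digest: str) -> bool:
    """Alice's side: recompute the digest over what arrived and compare.
    compare_digest is constant-time, so the comparison itself leaks nothing."""
    return hmac.compare_digest(keyed_digest(key, received_message), received_digest)


def unkeyed_digest(message: bytes) -> str:
    """A plain hash with no key: anyone, including the attacker, can compute it."""
    return hashlib.sha256(message).hexdigest()


def unkeyed_check(received_message: bytes, received_digest: str) -> bool:
    return hmac.compare_digest(unkeyed_digest(received_message), received_digest)


def tamper(message: bytes) -> bytes:
    """Constructed in-transit modification: change the transfer amount."""
    return message.replace(b"amount=100", b"amount=9000")


KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # constructed shared key
MESSAGE = b"transfer amount=100 to=bob"                   # constructed sample


def keyed_scenario():
    """Returns (intact_ok, tampered_ok, forged_ok) for the keyed digest."""
    msg, digest = send(KEY, MESSAGE)
    intact_ok = verify(KEY, msg, digest)                     # untouched: passes
    tampered_ok = verify(KEY, tamper(msg), digest)           # altered text: fails
    altered = tamper(msg)                                    # attacker also forges a digest
    forged_ok = verify(KEY, altered, unkeyed_digest(altered))  # but has no key: fails
    return intact_ok, tampered_ok, forged_ok


def attacker_forges_unkeyed():
    """Same channel, but the 'digest' is an unkeyed hash: the attacker rewrites
    the message and attaches a fresh hash, and the receiver's check passes."""
    altered = tamper(MESSAGE)
    return altered, unkeyed_digest(altered)
```

The unkeyed hash still catches accidental corruption, which is all a checksum promises; only the keyed digest gives the "same as when it was sent" assurance of slide 18 against an active attacker, and it still does not give non-repudiation, since both sides hold the key.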

    30/35

    Digital Signature (diagram)

    Alice: Clear Text, Encryption with Alice's Private Key, Cipher Text.
    Bob: Cipher Text, Decryption with Alice's Public Key, Clear Text and Authentication of Alice as the signer.

    In practice the private-key operation is applied to a hash of the message rather than to the whole message.

    31/35

    Certificate Authority (diagram)

    Bob: Publish Public Key to the Certificate Authority.
    Alice: Request Bob's Public Key from the Certificate Authority; receive Bob's Public Key (in a certificate signed by the Certificate Authority, so Alice can check it was not substituted); produce Cipher Text for Bob.
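Slides 28, 30 and 31 together, as an added example in Python (my code, not from the deck): public-key encryption, a digital signature over a hash, and a Certificate Authority that signs Bob's published key so Alice can verify it. Textbook RSA with toy-sized primes found by trial division is my choice so the block runs on the standard library alone; it is for illustration only, since real systems use 2048-bit or larger keys and padding (OAEP, PSS), without which textbook RSA is insecure. The certificate format and the name/seed values are assumptions.

```python
import hashlib
from math import gcd, isqrt

PUBLIC_EXPONENT = 65537


def next_prime(n: int) -> int:
    """Smallest prime >= n, by trial division. Fine for the toy sizes here."""
    while True:
        if n >= 2 and all(n % d for d in range(2, isqrt(n) + 1)):
            return n
        n += 1


def keygen(seed: int):
    """Textbook RSA key pair from two primes found near *seed*. Toy-sized
    (about 40-bit n); returns (public key, private key) as (n, e), (n, d)."""
    p = next_prime(seed)
    q = next_prime(p + 1)
    while gcd(PUBLIC_EXPONENT, (p - 1) * (q - 1)) != 1:
        q = next_prime(q + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(PUBLIC_EXPONENT, -1, phi)      # private exponent
    return (n, PUBLIC_EXPONENT), (n, d)


# Slide 28: Bob encrypts with Alice's public key; only Alice's private key decrypts.
def encrypt(public_key, m: int) -> int:
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)


# Slide 30: Alice signs with her private key; Bob verifies with her public key.
# The signature is over a hash of the data, reduced below the modulus.
def _hash_to_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data: bytes) -> int:
    n, d = private_key
    return pow(_hash_to_int(data, n), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _hash_to_int(data, n)


# Slide 31: the Certificate Authority signs (name, public key); anyone holding
# the CA's public key can check that a published key really belongs to Bob.
def issue_certificate(ca_private_key, subject: str, subject_public_key):
    body = f"{subject}|{subject_public_key[0]}|{subject_public_key[1]}".encode("ascii")
    return body, sign(ca_private_key, body)


def verify_certificate(ca_public_key, certificate):
    """Return (subject, public key) if the CA's signature checks, else None."""
    body, signature = certificate
    if not verify(ca_public_key, body, signature):
        return None
    subject, n, e = body.decode("ascii").split("|")
    return subject, (int(n), int(e))
```

Alice needs only the CA's public key in advance; everything else (Bob's key, the certificate) can arrive over the non-secure network, because any substitution breaks the CA's signature. That is exactly the trust the SSL handshake on slide 25 relies on.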

    32/35

    Internet Firewall

    A firewall controls traffic flow between networks.

    Firewalls use the following techniques:

    Packet Filters

    Application Proxy

    Socks servers

    Secure Tunnel

    Screened Subnet Architecture

    33/35

    Packet Filtering

    Most commonly used firewall technique

    Operates at the IP level (decisions use the IP header and, typically, the TCP/UDP port numbers)

    Checks each IP packet against the filter rules before passing (or not passing) it on to its destination.

    Faster than other firewall techniques

    Hard to configure: rules are evaluated in order, so a misplaced rule silently opens or closes traffic, and a stateless filter cannot tell a genuine reply to an inside connection from a crafted packet.

    34/35

    Packet Filter (diagram)

    Non-Secure Network --- Packet Filtering Server --- Secure Network
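A stateless packet filter of the kind slides 33 and 34 describe, as an added example in Python (my code, not the deck's): rules are checked in order against each packet's addresses, protocol, port and interface, with default deny. The ruleset, the 10.0.0.0/8 "secure network" and the sample packets are constructed; the last two functions show the two ways such a filter goes wrong that make it hard to configure.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp"
    dport: int
    ack: bool = False   # TCP ACK flag; a SYN without ACK opens a new connection


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    iface: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None
    ack_required: bool = False  # match only packets with ACK set (replies)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.iface in ("any", pkt.iface)
        and rule.proto in ("any", pkt.proto)
        and (rule.dport is None or rule.dport == pkt.dport)
        and (not rule.ack_required or pkt.ack)
        and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
    )


def filter_packet(rules, pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


INSIDE = "10.0.0.0/8"   # constructed: the secure network behind the filter

# Rule order is the whole policy. Constructed ruleset:
RULES = [
    # 1. anti-spoofing: inside addresses never legitimately arrive from outside
    Rule("deny", iface="outside", src=INSIDE),
    # 2. the one public service, a web server
    Rule("allow", iface="outside", dst="10.0.0.80/32", proto="tcp", dport=80),
    # 3. anything originating inside may go out
    Rule("allow", iface="inside", src=INSIDE),
    # 4. stateless "established" approximation: let TCP replies back in
    Rule("allow", iface="outside", dst=INSIDE, proto="tcp", ack_required=True),
]


def spoofed_inside_address():
    return filter_packet(RULES, Packet("outside", "10.0.0.7", "10.0.0.5", "tcp", 22))


def web_request():
    return filter_packet(RULES, Packet("outside", "198.51.100.4", "10.0.0.80", "tcp", 80))


def outbound_https():
    return filter_packet(RULES, Packet("inside", "10.0.0.5", "198.51.100.4", "tcp", 443))


def inbound_ssh_syn():
    return filter_packet(RULES, Packet("outside", "198.51.100.4", "10.0.0.5", "tcp", 22))


def inbound_ack_only_probe():
    """Rule 4 cannot tell a reply from a crafted ACK: the probe reaches the
    inside host. A stateful filter would drop it as belonging to no session."""
    return filter_packet(RULES, Packet("outside", "198.51.100.4", "10.0.0.5", "tcp", 22, ack=True))


def misordered_rules():
    """Moving rule 4 ahead of the anti-spoofing rule lets a spoofed ACK in."""
    reordered = [RULES[3], RULES[0], RULES[1], RULES[2]]
    return filter_packet(reordered, Packet("outside", "10.0.0.7", "10.0.0.5", "tcp", 22, ack=True))
```

The ACK-only probe is the classic limitation of packet filters: rule 4 is needed so that replies to outbound connections get back in, but it admits any packet with the ACK bit set (nmap's `-sA` scan is built on exactly this).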

    35/35

    Firewall Conclusion:

    Not the complete answer
      The fox is inside the henhouse: host security + user education

    Cannot control back door traffic
      any dial-in access; management problems

    Cannot fully protect against new viruses
      antivirus on each host machine

    Needs to be correctly configured
      the security policy must be enforced