ns-unit1 (1)

Upload: kiran-mayie

Post on 02-Jun-2018


8/10/2019 NS-UNIT1 (1)

SUB: NETWORK SECURITY

UNIT-1

Information Security:

It can be defined as the measures adopted to prevent the unauthorized use, misuse, modification or denial of use of knowledge, facts and data.

Information security has been affected by two major developments over the last several decades:

Introduction of computers into organizations.

Introduction of distributed systems.

These two developments led to computer security and network security.

Computer security deals with a collection of tools designed to protect data.

Network security measures are needed to protect data during transmission.

OSI Security Architecture, or the three aspects of information security:

Security Attack: Any action that compromises the security of information.

Security Mechanism: A mechanism designed to detect, prevent, or recover from a security attack.

Security Service: A processing or communication service that enhances the security of data processing systems and information transfers.

Security Attacks

Interruption: This is an attack on availability.

Interception: This is an attack on confidentiality.

Modification: This is an attack on integrity.

Fabrication: This is an attack on authenticity.

Availability: Assures that systems work promptly and service is not denied to authorized users.

Integrity: Assures that information and programs are changed only in a specified and authorized manner.

Confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals.

Authenticity: Verifying that users are who they say they are and that each input arriving at the system came from a trusted source.

Different kinds of attacks are:

Interruption: An asset of the system is destroyed or becomes unavailable or unusable. It is an attack on availability. Examples:

Destruction of some hardware

Jamming wireless signals

Disabling file management systems

Interception: An unauthorized party gains access to an asset. It is an attack on confidentiality. Examples:

Wiretapping to capture data in a network

Illicitly copying data or programs

Eavesdropping

Modification: An unauthorized party gains access to an asset and tampers with it. It is an attack on integrity. Examples:

Changing a data file

Altering a program or the contents of a message

Fabrication: An unauthorized party inserts a counterfeit object into the system. It is an attack on authenticity, also called impersonation. Examples:

Hackers gaining access to a personal email account and sending messages

Insertion of records in data files

Insertion of spurious messages in a network

Security Attacks

Security attacks can be classified as passive attacks and active attacks.

A passive attack attempts to learn or make use of information from the system but does not affect system resources.

An active attack attempts to alter system resources or affect their operation.

Passive Attacks: Two types:

Release of message contents: It may be desirable to prevent the opponent from learning the contents (i.e. sensitive or confidential information) of the transmission.

Traffic analysis: A more subtle technique where the opponent could determine the location and identity of the communicating hosts and could observe the frequency and length of the encrypted messages being exchanged, thereby guessing the nature of the communication taking place.

Passive attacks:

Passive attacks are very difficult to detect because they do not involve any alteration of the data.

As the communications take place in a normal fashion, neither the sender nor the receiver is aware that a third party has read the messages or observed the traffic pattern.

So the emphasis in dealing with passive attacks is on prevention rather than detection.

Active Attacks: Four types:

Masquerade: Here, an entity pretends to be some other entity. It usually includes one of the other forms of active attack.

Replay: Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.

Modification of messages: Some portion of a legitimate message is altered, or messages are delayed, to produce an unauthorized effect.

Denial of service: This attack prevents or inhibits the normal use or management of communication facilities.

Active attacks:

It is quite difficult to prevent active attacks absolutely, because of the wide variety of potential physical, software and network vulnerabilities.

Instead, the goal is to detect active attacks and to recover from any disruption or delays caused by them.

Security Services:

A security service is a processing or communication service that is provided by a system to give a specific kind of protection to system resources.

Security services implement security policies and are implemented by security mechanisms.

Confidentiality

Confidentiality is the protection of transmitted data from passive attacks.

It is used to prevent the disclosure of information to unauthorized individuals or systems.

It has been defined as ensuring that information is accessible only to those authorized to have access.

It also covers protection of traffic flow from analysis. Example: a credit card number has to be secured during an online transaction.

Authentication

This service assures that a communication is authentic.

For a single message transmission, its function is to assure the recipient that the message is from the intended source.

For an ongoing interaction two aspects are involved:

First, during connection initiation the service assures the authenticity of both parties.

Second, it assures that the connection between the two hosts is not interfered with in a way that allows a third party to masquerade as one of the two parties.

Integrity

Integrity means that data cannot be modified without authorization.

Like confidentiality, it can be applied to a stream of messages, a single message or selected fields within a message.

Two types of integrity service are available:

Connection-Oriented Integrity Service: It assures that messages are received as sent, with no duplication, insertion, modification, reordering or replays. Destruction of data is also covered here. Hence it addresses both message stream modification and denial of service.

Connectionless Integrity Service: It deals with individual messages regardless of the larger context, providing protection against message modification only.

Non-repudiation

Non-repudiation prevents either the sender or the receiver from denying a transmitted message. This capability is crucial to e-commerce: without it an individual or entity can deny being responsible for a transaction and therefore avoid financial liability.

Access Control

It is the ability to limit and control access to host systems and applications via communication links. For this, each entity trying to gain access must first be identified or authenticated, so that access rights can be tailored to the individual.

Availability

It is defined as the property of a system or a system resource being accessible and usable upon demand by an authorized system entity.

Security Mechanisms:

Specific Security Mechanisms:

Encipherment: The process of applying mathematical algorithms to convert data into a form that is not intelligible. The transformation depends on the algorithm used and the encryption keys.

Digital Signature: Data appended to, or a cryptographic transformation applied to, a data unit that allows the recipient to prove the source and integrity of the data unit and protects against forgery.

Access Control: A variety of techniques used for enforcing access permissions to system resources.

Data Integrity: A variety of mechanisms used to assure the integrity of a data unit or stream of data units.

Authentication Exchange: A mechanism intended to ensure the identity of an entity by means of information exchange.

Traffic Padding: The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.

Routing Control: Enables selection of particular physically secure routes for certain data and allows routing changes once a breach of security is suspected.

Notarization: The use of a trusted third party to assure certain properties of a data exchange.

A Model of Internetwork Security

The general model shows that there are four basic tasks in designing a particular security service:

1. Design an algorithm for performing the security-related transformation. The algorithm should be such that an opponent cannot defeat its purpose.

2. Generate the secret information to be used with the algorithm.

3. Develop methods for the distribution and sharing of the secret information.

4. Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret information to achieve a particular security service.

Buffer Overflow & Format String Vulnerabilities

Vulnerability: A vulnerability is an inherent weakness in the design, configuration, implementation or management of a network or system that renders it susceptible to a threat. Every network and system has some kind of vulnerability.

Buffer Overflow: A buffer overflow occurs when a program or process tries to store more data in a buffer than it was intended to hold.

It happens when the attacker intentionally enters more data than the program was written to handle.

This allows the attacker to overwrite data that controls the program, and so to take over control of the program and execute the attacker's code instead of the programmer's code.

Exploiting an overflowable buffer involves the following tasks:

Finding a way of injecting data into the buffer.

Specifying a return address where the malicious code resides, so that the program executes that code.

Determining the payload/code to be executed.
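An added C example (not from the slides) of the buffer overflow pattern described above beside its hardened form: copy_unchecked() lets the input's length decide how much is written into a fixed 16-byte buffer, while copy_checked() and store_input() (hypothetical names) bound the copy by the destination and reject input that does not fit, which is also the point at which a defender would log the attempt.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16   /* hypothetical fixed-size buffer used by both variants */

/* The pattern the slides describe: the copy is bounded by the input's length,
 * not by the buffer receiving it, so any input of BUF_SIZE bytes or more
 * writes past buf into whatever the compiler placed after it (other locals,
 * the saved return address). Never call this with untrusted input. */
void copy_unchecked(const char *input)
{
    char buf[BUF_SIZE];
    strcpy(buf, input);            /* no bound: the length comes from input */
    printf("stored: %s\n", buf);
}

/* Hardened form: the bound comes from the destination, and input that does
 * not fit is rejected rather than silently truncated, so the caller can log
 * it as a possible overflow attempt. memchr() scans at most dst_size bytes,
 * so even an unterminated input cannot be over-read. Returns 1 on success,
 * 0 if the input plus its terminator does not fit. */
int copy_checked(char *dst, size_t dst_size, const char *input)
{
    const char *nul = memchr(input, '\0', dst_size);
    if (nul == NULL)
        return 0;                  /* no terminator within dst_size: too long */
    memcpy(dst, input, (size_t)(nul - input) + 1);   /* includes the NUL */
    return 1;
}

/* The same fixed buffer as copy_unchecked(), filled with the checked copy.
 * Returns 1 if the input was stored, 0 if it was rejected. */
int store_input(const char *input)
{
    char buf[BUF_SIZE];
    if (!copy_checked(buf, sizeof buf, input)) {
        fprintf(stderr, "rejected: input does not fit in %d bytes\n", BUF_SIZE);
        return 0;
    }
    printf("stored: %s\n", buf);
    return 1;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that would have overflowed. */
    store_input("hello");
    store_input("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    return 0;
}
```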

Format String Vulnerability: A format string vulnerability occurs when programmers pass externally supplied data to a printf function as, or as part of, the format string argument.

Format string attacks can be used to crash a program or to execute harmful code.

Format string bugs most commonly appear when a programmer wishes to print a string containing user-supplied data.

Format string vulnerability attacks fall into three categories: denial of service, reading and writing.

Denial of service attacks are characterized by using multiple instances of the %s format specifier to read data off the stack until the program attempts to read from an illegal address, which causes the program to crash.

Reading attacks typically use the %x format specifier to print sections of memory that are not normally accessible. This is a serious problem and can lead to disclosure of sensitive information.

Writing attacks use the %d, %u or %x format specifiers to overwrite the instruction pointer and force execution of user-supplied shellcode. This is exploited using the single-write method or the multiple-writes method.
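An added C example (not from the slides) of the format string bug and its fix, plus a small validation check: log_msg() is a hypothetical printf-style logging helper, log_user_safe() shows the constant-format call and names the vulnerable call it replaces, and count_conversions() counts the directives a format parser would act on, so that user data which should carry no formatting can be flagged before it reaches a logger.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical logging helper whose first argument is a printf format. */
void log_msg(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vprintf(fmt, ap);
    va_end(ap);
    putchar('\n');
}

/* Hardened form. The bug from the slides is the call log_msg(user_data):
 * user data becomes the format string, so every %x, %s or %n in it pulls an
 * argument that was never supplied, i.e. reads (or with %n writes) the
 * caller's stack. With a constant format and the data passed as a plain %s
 * argument, any '%' in the data is printed literally. */
void log_user_safe(const char *user_data)
{
    log_msg("%s", user_data);
}

/* Number of conversion directives printf would act on if s were used as a
 * format string ("%%" is an escaped literal and is not counted). A non-zero
 * count in data that should carry no formatting is a useful input-validation
 * check and log-review signal. */
int count_conversions(const char *s)
{
    int n = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%')      /* "%%" -> literal '%' */
            i++;
        else
            n++;
    }
    return n;
}

int main(void)
{
    /* Constructed samples: an ordinary name and a %x/%s probe string. */
    const char *name = "alice", *probe = "%x %x %x %s";
    printf("%s -> %d, %s -> %d\n", name, count_conversions(name),
           probe, count_conversions(probe));
    log_user_safe(probe);         /* printed literally, nothing is read */
    return 0;
}
```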

Session Hijacking:

Session hijacking is a security threat to which most systems are prone.

A session hijack is a process whereby the attacker inserts themselves into an existing communication session between two computers.

The three main protocols that manage the data flow on which session hijacking occurs are TCP, UDP and HTTP.

Session hijacking can be done at two levels:

1. Network Level Hijacking (involves TCP and UDP sessions): The interception and tampering of packets transmitted between client and server during a TCP or UDP session.

2. Application Level Hijacking (occurs with HTTP sessions): Obtaining session IDs to gain control of the HTTP user session as defined by the web application.

TCP Session Hijacking

Fig: The three-way handshake method for session establishment and sending data over TCP

The goal of the TCP session hijacker is to create a state where the client and server are unable to exchange data, so that he can forge acceptable packets for both ends which mimic the real packets.

The client and server drop the packets sent between them because the server's sequence number no longer matches the client's ACK number and, likewise, the client's sequence number no longer matches the server's ACK number.
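An added C model (not from the slides) of the desynchronisation described above: each endpoint keeps only its next send and expected receive sequence numbers, and desync_after_injection() (hypothetical name, constructed initial numbers) shows that once a third party's segment has advanced the server's expected number, the server's reply ACK is one the client cannot accept and the client's own next segment is dropped. In a real stack an ACK for bytes never sent is answered with another ACK, which is why a hijacked session shows up as a burst of ACKs carrying no data.

```c
#include <stdint.h>

/* One side of an established connection, reduced to the two counters the
 * slide's argument needs (no receive window, no sequence wrap-around). */
struct endpoint {
    uint32_t snd_nxt;  /* sequence number of the next byte this side sends */
    uint32_t rcv_nxt;  /* sequence number this side expects next from its peer */
};

/* In-order-only model: a data segment is accepted (rcv_nxt advances) only if
 * its sequence number is exactly what rx expects. Returns 1 if accepted, 0 if dropped. */
int deliver(struct endpoint *rx, uint32_t seq, uint32_t len)
{
    if (seq != rx->rcv_nxt)
        return 0;
    rx->rcv_nxt += len;
    return 1;
}

/* Genuine send: tx numbers the segment from its own snd_nxt. */
int send_data(struct endpoint *tx, struct endpoint *rx, uint32_t len)
{
    int accepted = deliver(rx, tx->snd_nxt, len);
    tx->snd_nxt += len;
    return accepted;
}

/* A sender accepts an ACK only for bytes it has actually sent. An ACK beyond
 * snd_nxt is invalid; a real stack answers it with an ACK of its own. */
int ack_acceptable(const struct endpoint *tx, uint32_t ack)
{
    return ack <= tx->snd_nxt;
}

/* The slide's scenario: after normal traffic a third party injects one segment
 * of forged_len bytes carrying the sequence number the server expects from the
 * client. *ack_rejected: the server's resulting ACK (its rcv_nxt) is one the
 * client cannot accept. *client_dropped: the client's next genuine segment is
 * discarded. With forged_len 0 (no injection) both stay 0. */
void desync_after_injection(uint32_t forged_len, int *ack_rejected,
                            int *client_dropped)
{
    struct endpoint client = { 1000, 5000 };   /* constructed initial numbers */
    struct endpoint server = { 5000, 1000 };
    send_data(&client, &server, 100);              /* normal traffic: accepted */
    deliver(&server, client.snd_nxt, forged_len);  /* injected segment */
    *ack_rejected = !ack_acceptable(&client, server.rcv_nxt);
    *client_dropped = !send_data(&client, &server, 50);
}
```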

To hijack a session in a TCP network the hijacker employs the following techniques:

IP Spoofing: IP spoofing is a technique used to gain unauthorized access to computers.

Blind Hijacking: If source routing is disabled, the session hijacker can also employ blind hijacking, where he injects his malicious data into intercepted communications in the TCP session. It is called blind because the hijacker can send data or commands but cannot see the response.

Man in the Middle attack (packet sniffing): This technique involves using a packet sniffer that intercepts the communication between the client and server.

Route Table Modification: An attacker would be able to put himself in a position to block packets by modifying routing tables.

ARP Attacks: Address Resolution Protocol (ARP) spoofing, also known as ARP poisoning or ARP Poison Routing (APR), is a technique used to attack an Ethernet wired or wireless network. It allows an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether.