Security in Networks
• Single point of failure
• Resilience or fault tolerance
• CS model
Computer Security Objectives
Confidentiality
• Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals
• Privacy: Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed
Integrity
• Data integrity: Assures that information and programs are changed only in a specified and authorized manner
• System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system
Availability
• Assures that systems work promptly and service is not denied to authorized users
CIA Triad
Securing data
Possible additional concepts:
• Authenticity: Verifying that users are who they say they are and that each input arriving at the system came from a trusted source
• Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity
Security in Networks: Characteristics
• Environment of use
• Shape and size
• Mode of communication
• Media
• Protocols
• Type of networks
• Topologies
Security in Networks: Characteristics
• Environment of use
  • Anonymity
  • Automation
  • Distance
  • Opaqueness
  • Routing diversity
Security in Networks: Characteristics
• Shape and size
  • Boundary
  • Ownership
  • Control
Security in Networks: Characteristics
• Mode of communication
  • Digital
  • Analog
Security in Networks: Characteristics
• Media
  • Cable
  • Optical fiber
  • Wireless
  • Microwave
  • Infrared
  • Satellite
Security in Networks: Characteristics
• Protocols
  • ISO OSI
  • TCP/IP
  • Addressing scheme
  • Routing concept
Security in Networks: Characteristics
• Type of network
  • LAN
  • MAN
  • WAN
  • Internetworks (internets)
Security in Networks: Characteristics
• Topologies
  • Common bus
  • Star or hub
  • Ring
  • Tree structure
• Distributed system
  • APIs
Security in Networks: Characteristics
• Advantages of computer networks
  • Resource sharing
  • Distribution of the workload
  • Increased reliability
  • Expandability
Security in Networks: Threats
• What makes a network vulnerable
  • Anonymity
  • Many points of attack, both targets and origins
  • Sharing
  • Complexity of system
  • Unknown perimeter
  • Unknown path
Security in Networks: Threats
• Who attacks networks
  • Challenge
  • Fame
  • Money and espionage
  • Ideology
  • Hacktivism
  • Cyberterrorism
Security in Networks: Threats
• Areas
  • Precursors
  • Authentication failure
  • Programming flaws
  • Confidentiality
  • Integrity
  • Availability
Security in Networks: Controls
• Areas
  • Security threat analysis
  • Design and implementation
  • Architecture
  • Encryption
  • Content integrity
  • Strong authentication
  • Access controls
  • Alarms and alerts
  • Traffic flow
  • Control review
Security in Networks: Controls
• Security threat analysis
  • Read communication
  • Modify communication
  • Forge communication
  • Inhibit communication
  • Read data
  • Modify or destroy data at C
Security in Networks: Controls
• Architecture
  • Segmentation
  • Redundancy
  • Single point of failure
Security in Networks: Controls
• Encryption
  • Link encryption
  • End-to-end encryption
  • Comparison of encryption methods
  • Virtual Private Networks (VPN)
  • Public Key Infrastructure (PKI) and certificates
  • SSH encryption
  • SSL encryption
  • IPSec
  • Signed code
  • Encrypted e-mail
Security in Networks: Controls
• Content integrity
  • Error correction codes
  • Cryptographic checksum
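The two content-integrity controls listed above differ in what they protect against, which is also why Table 7-7 later pairs "Noise" with an error detection code alone but pairs "Active wiretap" and "Falsification of message" with encryption or strong authentication as well. The following Python example is added here to show that difference; it is not part of the slides. It uses a CRC-32 as the error detection code and an HMAC-SHA256 as the cryptographic checksum, with a constructed message and a placeholder shared key.

```python
import hashlib
import hmac
import zlib

# Constructed sample message and placeholder shared secret for this example only.
MESSAGE = b"TRANSFER 100.00 TO ACCOUNT 12345"
SHARED_KEY = b"example-shared-key-not-a-real-secret"


def error_detection_code(data: bytes) -> int:
    """Error detection code: CRC-32 over the data. Detects accidental
    corruption (noise), but anyone can recompute it, so it cannot tell a
    deliberate modification from the original."""
    return zlib.crc32(data) & 0xFFFFFFFF


def cryptographic_checksum(data: bytes, key: bytes) -> bytes:
    """Cryptographic checksum: HMAC-SHA256 keyed with a secret shared by
    sender and receiver. Without the key nobody can produce a valid tag
    for a modified message."""
    return hmac.new(key, data, hashlib.sha256).digest()


def crc_verifies(data: bytes, crc: int) -> bool:
    return error_detection_code(data) == crc


def hmac_verifies(data: bytes, tag: bytes, key: bytes) -> bool:
    # compare_digest keeps the comparison time independent of where a mismatch occurs
    return hmac.compare_digest(cryptographic_checksum(data, key), tag)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate line noise by flipping one bit of the message."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def simulate_noise() -> dict:
    """Sender transmits message, CRC and HMAC; one bit flips in transit.
    Both checks fail, so either code detects noise."""
    crc = error_detection_code(MESSAGE)
    tag = cryptographic_checksum(MESSAGE, SHARED_KEY)
    received = flip_bit(MESSAGE, 13)
    return {
        "crc_ok": crc_verifies(received, crc),
        "hmac_ok": hmac_verifies(received, tag, SHARED_KEY),
    }


def simulate_falsification() -> dict:
    """An active wiretap rewrites the message and recomputes the CRC.
    The CRC still verifies because it involves no secret; the HMAC fails
    because the original tag no longer matches and a new one cannot be
    produced without SHARED_KEY."""
    tag = cryptographic_checksum(MESSAGE, SHARED_KEY)
    forged = MESSAGE.replace(b"12345", b"99999")
    forged_crc = error_detection_code(forged)  # trivially recomputed by the modifier
    return {
        "crc_ok": crc_verifies(forged, forged_crc),
        "hmac_ok": hmac_verifies(forged, tag, SHARED_KEY),
    }


if __name__ == "__main__":
    print("noise:", simulate_noise())              # both checks fail
    print("falsification:", simulate_falsification())  # CRC passes, HMAC fails
```

The design point: an error detection code is a control against accidental change only; protecting integrity against a deliberate modifier requires a keyed checksum (or encryption with authentication) so that the check itself cannot be recomputed by the party who altered the data.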
Security in Networks: Controls
• Strong authentication
  • One-time password
  • Challenge-response systems
  • Digital distributed authentication
  • Kerberos
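Challenge-response is what makes the "strong, one-time authentication" control in Table 7-7 effective against eavesdropping and session replay: the secret never crosses the wire, and each response is bound to a fresh challenge that the verifier accepts only once. The Python example below is added here to illustrate that exchange; it is not from the slides. It assumes an HMAC-SHA256 response over a random 16-byte challenge and a placeholder shared key provisioned out of band.

```python
import hashlib
import hmac
import secrets

# Placeholder shared secret; in practice provisioned per user or device, never sent on the wire.
SHARED_KEY = b"example-shared-key-not-a-real-secret"


class ChallengeResponseServer:
    """Verifier side. Every login attempt gets a fresh random challenge.
    A response is accepted only if it equals HMAC(key, challenge) and the
    challenge is still outstanding (issued, not yet answered)."""

    def __init__(self, key: bytes):
        self._key = key
        self._outstanding = set()  # challenges issued but not yet consumed

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)  # unpredictable, so it cannot be precomputed
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:
            return False  # unknown or already-consumed challenge: treat as a replay
        self._outstanding.discard(challenge)  # one use only, even if the response is wrong
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(key: bytes, challenge: bytes) -> bytes:
    """Claimant side: proves knowledge of the key without revealing it."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def login(server: ChallengeResponseServer, key: bytes) -> bool:
    """One complete exchange: challenge out, response back, verdict."""
    challenge = server.issue_challenge()
    return server.verify(challenge, client_respond(key, challenge))


def replay_outcome(server: ChallengeResponseServer, key: bytes) -> tuple:
    """A passive eavesdropper records one legitimate exchange and later
    presents the captured response again. Returns (first login accepted,
    same pair replayed, captured response against a fresh challenge)."""
    challenge = server.issue_challenge()
    response = client_respond(key, challenge)
    first = server.verify(challenge, response)
    replayed = server.verify(challenge, response)        # challenge already consumed
    fresh = server.issue_challenge()
    stale_response = server.verify(fresh, response)      # response bound to the old challenge
    return first, replayed, stale_response


if __name__ == "__main__":
    srv = ChallengeResponseServer(SHARED_KEY)
    print("legitimate login:", login(srv, SHARED_KEY))          # True
    print("wrong key:", login(srv, b"guessed-key"))              # False
    print("replay (first, replayed, stale):", replay_outcome(srv, SHARED_KEY))  # (True, False, False)
```

Contrast this with a reusable password: a captured password is valid on every later attempt, whereas here a captured (challenge, response) pair is worthless once the challenge has been consumed, and it is equally useless against any other challenge. Combining this with an encrypted authentication channel, as the table recommends, additionally hides which account is logging in.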
Security in Networks: Controls
• Access controls
  • ACLs on routers
  • Firewall
Security in Networks: Controls
• Alarms and alerts
  • Intrusion detection systems (IDS)
  • Intrusion prevention systems (IPS)
  • Honeypots
Table 7-7. Network Vulnerabilities and Controls.
Columns: Target / Vulnerability / Controls. Each line below gives a vulnerability followed by its controls.

Target: Precursors to attack
• Port scan: Firewall; Intrusion detection system; Running as few services as possible; Services that reply with only what is necessary
• Social engineering: Education, user awareness; Policies and procedures; Systems in which two people must agree to perform certain security-critical functions
• Reconnaissance: Firewall; "Hardened" (self-defensive) operating system and applications; Intrusion detection system
• OS and application fingerprinting: Firewall; "Hardened" (self-defensive) applications; Programs that reply with only what is necessary; Intrusion detection system

Target: Authentication failures
• Impersonation: Strong, one-time authentication
• Guessing: Strong, one-time authentication; Education, user awareness
• Eavesdropping: Strong, one-time authentication; Encrypted authentication channel
• Spoofing: Strong, one-time authentication
• Session hijacking: Strong, one-time authentication; Encrypted authentication channel; Virtual private network
• Man-in-the-middle attack: Strong, one-time authentication; Virtual private network; Protocol analysis

Target: Programming flaws
• Buffer overflow: Programming controls; Intrusion detection system; Controlled execution environment; Personal firewall
• Addressing errors: Programming controls; Intrusion detection system; Controlled execution environment; Personal firewall; Two-way authentication
• Parameter modification, time-of-check to time-of-use errors: Programming controls; Intrusion detection system; Controlled execution environment; Personal firewall
• Server-side include: Programming controls; Personal firewall; Controlled execution environment; Intrusion detection system
• Cookie: Firewall; Intrusion detection system; Controlled execution environment; Personal firewall
• Malicious active code (Java, ActiveX): Intrusion detection system; Programming controls; Signed code
• Malicious code (virus, worm, Trojan horse): Intrusion detection system; Signed code; Controlled execution environment
• Malicious typed code: Signed code; Intrusion detection system; Controlled execution environment

Target: Confidentiality
• Protocol flaw: Programming controls; Controlled execution environment
• Eavesdropping: Encryption
• Passive wiretap: Encryption
• Misdelivery: Encryption
• Exposure within the network: End-to-end encryption
• Traffic flow analysis: Encryption; Traffic padding; Onion routing
• Cookie: Firewall; Intrusion detection system; Controlled execution environment

Target: Integrity
• Protocol flaw: Firewall; Controlled execution environment; Intrusion detection system; Protocol analysis; Audit
• Active wiretap: Encryption; Error detection code; Audit
• Impersonation: Firewall; Strong, one-time authentication; Encryption; Error detection code; Audit
• Falsification of message: Firewall; Encryption; Strong authentication; Error detection code; Audit
• Noise: Error detection code
• Web site defacement: Error detection code; Intrusion detection system; Controlled execution environment; Hardened host; Honeypot; Audit
• DNS attack: Firewall; Intrusion detection system; Strong authentication for DNS changes; Audit

Target: Availability
• Protocol flaw: Firewall; Redundant architecture
• Transmission or component failure: Architecture
• Connection flooding (e.g., echo-chargen, ping of death, smurf, SYN flood): Firewall; Intrusion detection system; ACL on border router; Honeypot
• DNS attack: Firewall; Intrusion detection system; ACL on border router; Honeypot
• Traffic redirection: Encryption; Audit
• Distributed denial of service: Firewall; Intrusion detection system; ACL on border router; Honeypot