Chapter 2 roadmap - PowerPoint PPT Presentation

Provided by: dont225
Slides: 46

Transcript and Presenter's Notes
1
Chapter 2 roadmap
  • 2.1 What is network security?
  • 2.2 Principles of cryptography
  • 2.3 Authentication
  • 2.4 Integrity
  • 2.5 Key Distribution and certification
  • 2.6 Access control: firewalls
  • 2.7 Attacks and counter measures
  • 2.8 Security in many layers

2
Firewalls
A firewall isolates an organization's internal network from a larger external network, allowing some packets to pass and blocking others.

[Diagram: firewall between the internal and external network]


3
Firewalls: Why?
  • Prevent denial of service attacks.
    • SYN flooding: attacker establishes many bogus TCP connections, leaving no resources for real connections.
  • Prevent illegal modification/access of internal data.
    • e.g., attacker replaces the CIA's homepage with something else.
  • Allow only authorized access to inside network (set of authenticated users/hosts).
  • Prevent insider attacks on critical systems.
    • Critical systems (human resources, payroll, etc.) can be hidden behind their own firewalls to prevent attacks from the inside.

4
Firewalls: Policies
  • There are two main approaches to setting firewall policies regulating information flow.
  • Default Permit
    • Conditions are specified that will result in data being blocked; any host or protocol not covered by these conditions will pass through by default.
    • Simpler to use, easy to configure, and more dangerous.
  • Default Deny
    • The particular protocols allowed through, and the hosts that may pass data or be contacted, are specified; all others are denied.
    • Tends to be more secure.

5
Firewall Components: Chokes/Packet Filters
Should arriving packet be allowed in? Departing packet let out?

  • Computers or devices (such as routers) that restrict the flow of packets between the internal and external networks.
  • These filter packet-by-packet, making the decision to forward/drop packets based on:
    • source IP address, destination IP address
    • TCP/UDP source and destination port numbers
    • ICMP message type
    • TCP SYN and ACK bits

6
Firewall Components: Chokes/Packet Filters
  • Example 1: Block incoming and outgoing datagrams with IP protocol field = 17 or with either source or destination port = 23.
    • All incoming and outgoing UDP flows and telnet connections are blocked.
  • Example 2: Block inbound TCP segments with ACK = 0.
    • Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
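The two rules above as a stateless choke, written here as an added example (not part of the slides): packets are constructed Python objects rather than captured traffic, and the field names are this example's own.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    """One IP packet as seen by a stateless choke (constructed, not captured)."""
    direction: str       # "in" = arriving from outside, "out" = departing
    proto: int           # IP protocol field: 6 = TCP, 17 = UDP, 1 = ICMP
    src_port: int = 0
    dst_port: int = 0
    syn: bool = False
    ack: bool = False

def rule_block_udp_and_telnet(p: Packet) -> bool:
    """Example 1: protocol 17 (UDP) or port 23 (telnet), in either direction."""
    return p.proto == 17 or 23 in (p.src_port, p.dst_port)

def rule_block_inbound_new_tcp(p: Packet) -> bool:
    """Example 2: inbound TCP with ACK = 0, i.e. the first segment of a connection
    opened from outside.  Replies to connections opened from inside carry ACK = 1."""
    return p.direction == "in" and p.proto == 6 and not p.ack

RULES = [rule_block_udp_and_telnet, rule_block_inbound_new_tcp]

def filter_packet(p: Packet) -> str:
    """Default-permit choke: forward unless one of the block rules matches."""
    for rule in RULES:
        if rule(p):
            return "drop"
    return "forward"

# Constructed sample traffic (addresses omitted; the rules only look at proto, ports, flags).
SAMPLES = {
    "inbound_syn_to_web":   Packet("in", 6, src_port=40000, dst_port=80, syn=True),
    "inbound_synack_reply": Packet("in", 6, src_port=443, dst_port=51000, syn=True, ack=True),
    "inbound_ack_only":     Packet("in", 6, src_port=40001, dst_port=8080, ack=True),
    "outbound_telnet":      Packet("out", 6, src_port=51001, dst_port=23, syn=True),
    "outbound_dns_query":   Packet("out", 17, src_port=51002, dst_port=53),
    "outbound_https_syn":   Packet("out", 6, src_port=51003, dst_port=443, syn=True),
}

def decisions() -> dict:
    """Run every sample through the choke and return {name: decision}."""
    return {name: filter_packet(p) for name, p in SAMPLES.items()}
```

The `inbound_ack_only` sample is forwarded although no internal host opened that connection: a stateless ACK-bit check cannot tell a reply from an unsolicited segment with ACK set, which is the gap a stateful filter closes.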

7
Firewall Components: Gates/Gateways
  • Specifically designated programs, devices, or computers within the firewall's perimeter that receive and handle connections to and from the external network.
  • For security and reliability, users should not have accounts on a gateway computer.
  • Several kinds of programs can run on gateways:
    • Network client software such as telnet, ftp and netscape. Users get external access by logging on to the gateway and using this software. (Again, not recommended!)
    • Proxy servers that forward requests through the firewall from the internal network to the external one.
    • Network servers for receiving e-mail, serving web pages, and so on.

8
Firewall Components: Gates/Gateways
  • Example: allow select internal users to telnet outside.

[Diagram: host-to-gateway telnet session, then gateway-to-remote-host telnet session; the application gateway sits behind the router and filter]
  1. Require all telnet users to telnet through gateway.
  2. For authorized users, gateway sets up telnet connection to destination host. Gateway relays data between the 2 connections.
  3. Router packet filter blocks all telnet connections not originating from gateway.
9
Dual-ported Host Firewalls
  • The first Internet firewalls were Unix hosts with two network ports: one for the internal network, and one for the external network.
  • In this firewall, the dual-ported host functions as both a choke and a gate.
  • Service is provided to internal users by either network clients or proxy servers.
  • Packet forwarding between network ports is disabled to protect the internal network.

[Diagram: external network | firewall (dual-ported host) | internal network]
10
Packet Filtering Firewalls
  • A simple firewall can be built by a single choke, using the packet filtering options on a router to block packets as needed between the external and internal networks.
  • These firewalls are cheap and simple.
  • Most firewalls built into cable/DSL routers are of this variety.
  • How powerful are they though?

[Diagram: external network | firewall (packet-filtering router) | internal network]
11
Screened Host Firewalls
  • This is a more secure firewall built using a choke and a gateway computer.
  • The gate is a specially chosen computer running network servers and proxy servers.
  • Only external packets destined for the gateway are allowed through the choke.
  • All internal packets destined for the external network must first pass through a proxy server on the gateway, or they are filtered by the choke.

[Diagram: external network | choke | gateway and internal network; the firewall is the choke plus the gateway]
12
Screened Subnet Firewalls
  • For even higher security, two chokes and a gateway can be used to build a firewall.
  • The external choke and gateway are configured as in a screened host firewall.
  • The second choke is a failsafe: if an attacker gains access to the gate, the internal choke prevents further attacks against the internal network.
  • Additional gateways can be added to the perimeter network between the chokes for other services.

[Diagram: external network | external choke | perimeter network with gateway | internal choke | internal network]
13
Limitations of Firewalls
  • IP spoofing: a firewall can't know if data really comes from the claimed source, so intruders may still be let in.
  • If multiple applications need special treatment, each has its own gateway.
  • Client software must know how to contact the gateway.
    • For example, users must set the IP address of a proxy in their web browsers.
  • Filters often use an all or nothing policy for UDP.
  • Tradeoff: degree of communication with outside world vs. level of security.
  • The more exceptions and specializations needed for a firewall, the harder it is to configure and get to work properly: big troubles!
  • Many highly protected sites still suffer from attacks, so are firewalls really the solution?

14
Chapter 2 roadmap
  • 2.1 What is network security?
  • 2.2 Principles of cryptography
  • 2.3 Authentication
  • 2.4 Integrity
  • 2.5 Key Distribution and certification
  • 2.6 Access control: firewalls
  • 2.7 Attacks and counter measures
  • 2.8 Security in many layers

15
Internet Security Threats
  • Mapping
    • Before attacking, you "case the joint": find out what services are implemented on the network.
    • Use ping to determine what hosts have addresses on the network.
    • Port-scanning: try to establish a TCP connection to each port in sequence (see what happens).
    • nmap (http://www.insecure.org/nmap/): "mapper" for network exploration and security auditing.
  • Countermeasures?

16
Internet Security Threats
  • Mapping countermeasures
    • Record and log traffic entering the network.
    • Look for suspicious activity (IP addresses, ports being scanned sequentially). A lot of network equipment can do this automatically now.
    • Have firewalls block ICMP packets, and ping no longer works.
    • Put a default deny policy in place on all firewalls. If port numbers are blocked there, the network cannot be mapped from the outside.
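The "look for ports being scanned sequentially" countermeasure as detection logic over a firewall drop log, added here as an example that is not from the slides; the log lines are constructed and their key=value layout is this example's own, not any vendor's format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed drop-log lines in an assumed key=value format (no real vendor's).
LOG = """\
2001-03-02T10:00:01 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=21
2001-03-02T10:00:01 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=22
2001-03-02T10:00:02 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=23
2001-03-02T10:00:02 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=24
2001-03-02T10:00:03 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=25
2001-03-02T10:00:03 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=26
2001-03-02T10:00:09 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=80
2001-03-02T10:05:00 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=443
2001-03-02T10:00:10 DROP src=203.0.113.9 dst=192.0.2.10 proto=ICMP type=8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP src=(?P<src>\S+) dst=\S+ proto=TCP dport=(?P<dport>\d+)$")

def parse(log: str):
    """Yield (timestamp, src, dport) for TCP drop lines; other lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"])

def detect_scans(log: str, window=timedelta(seconds=10), min_ports=5):
    """Return {src: sorted distinct ports} for each source that touched at least
    min_ports distinct destination ports within any window of the given length."""
    events = defaultdict(list)
    for ts, src, port in parse(log):
        events[src].append((ts, port))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged

def is_sequential(ports) -> bool:
    """True when the ports form a run of consecutive numbers (a sequential scan)."""
    return len(ports) > 1 and all(b - a == 1 for a, b in zip(ports, ports[1:]))
```

Two dropped connections five minutes apart (the second source) stay below the threshold, so a default-deny log on its own does not flag every refused packet, only the burst pattern.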

17
Internet Security Threats
  • Packet sniffing
    • A problem for broadcast media.
    • Promiscuous NIC reads all packets passing by.
    • Can read all unencrypted data (e.g. passwords).
    • e.g. C sniffs B's packets.

[Diagram: hosts A, B and C on a shared broadcast segment]
Countermeasures?
18
Internet Security Threats
  • Packet sniffing countermeasures
    • All hosts in organization run software that checks periodically if host interface is in promiscuous mode.
    • Ensure all hosts in network require super-user privileges to put an interface in promiscuous mode.
    • Place one host per segment of broadcast media (switched Ethernet at hub).
    • Encrypt all sensitive data (use ssh for remote logins).

[Diagram: hosts A, B and C]
19
Internet Security Threats
  • Traffic analysis
    • An attacker acquires sensitive information without learning message content or sniffing whole packets.
    • Bad things can come from innocent-looking information.
    • e.g. C can learn what B's work patterns are, that B is carrying out transactions with A, and so on.

[Diagram: hosts A, B and C]
Countermeasures?
20
Internet Security Threats
  • Traffic analysis countermeasures
    • Use some form of traffic padding. Fake traffic is inserted into the network to mask the real traffic.
    • If you have spare network capacity, why not use it?
    • Traffic padding can make other attacks harder too: how can you tell which data to attack and attempt to compromise when it is not all real?

[Diagram: hosts A, B and C]
21
Internet Security Threats
  • IP Spoofing
    • Can generate raw IP packets directly from an application, putting any value into an IP packet's source address field.
    • Receiver can't tell if source is spoofed.
    • e.g. C pretends to be B.

[Diagram: hosts A, B and C]
Countermeasures?
22
Internet Security Threats
  • IP Spoofing: ingress filtering
    • Routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router's network).
    • Great, but ingress filtering cannot be mandated for all networks.

[Diagram: hosts A, B and C]
23
Internet Security Threats
  • Denial of service (DOS)
    • A flood of maliciously generated packets swamps receiver.
    • Distributed DOS (DDOS): multiple coordinated sources swamp receiver.
    • e.g., C and remote host SYN-attack A.

[Diagram: hosts A, B and C]
Countermeasures?
24
Internet Security Threats
  • Denial of service (DOS) countermeasures
    • Filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad.
    • Traceback to source of floods (most likely an innocent, compromised machine).
    • Use a dedicated hardware appliance to filter excessive packets or process connection attempts.

[Diagram: hosts A, B and C]
25
Other Good Ideas
  • Backups and Comparison Copies
    • Making copies of data being transmitted or stored can be very useful for security purposes.
    • If data is damaged or destroyed, it can be restored.
    • If data is modified, a comparison copy can detect when and how it was changed, and restore it as well.
    • Backups can be to disk, tape, CD, DVD, or even paper.
    • Backups can be either full or incremental.
    • The backup copies themselves must be secured!
      • Protect them from overwriting.
      • Store them safely off-site under lock and key to prevent theft and possible damage.
      • Encrypt them to protect the contents.
    • Verify that the backups actually work properly!

26
Other Good Ideas
  • Auditing and Logging
    • Auditing refers to the process of monitoring to ensure that security mechanisms in place work and that any indications of misbehaviour are recorded.
    • Logging is used to record what is happening:
      • User activity (logging in, logging out, unsuccessful login attempts, commands executed, and so on).
      • Use of administrator or super-user privileges (e.g. su).
      • Network traffic of various protocols at different periods.
    • Logging can be used to produce audit trails tracing the history of the network or individuals using it.
    • Logs are susceptible to modification attacks (to cover up attacks, falsely implicate others, and so on).
      • Record logs to different physically secure machines or possibly even printers.
      • Encrypt logs as they are written.

27
Chapter 2 roadmap
  • 2.1 What is network security?
  • 2.2 Principles of cryptography
  • 2.3 Authentication
  • 2.4 Integrity
  • 2.5 Key Distribution and certification
  • 2.6 Access control: firewalls
  • 2.7 Attacks and counter measures
  • 2.8 Security in many layers
    • 2.8.1. Secure email
    • 2.8.2. Secure sockets
    • 2.8.3. IPsec
    • 2.8.4. 802.11 WEP

28
Secure E-Mail
  • Alice wants to send confidential e-mail, m, to Bob.
  • Alice:
    • Generates random symmetric private key, KS.
    • Encrypts message with KS (for efficiency, as discussed before).
    • Also encrypts KS with Bob's public key.
    • Sends both KS(m) and KB(KS) to Bob.

29
Secure E-Mail
  • Alice wants to send confidential e-mail, m, to Bob.
  • Bob:
    • Uses his private key to decrypt and recover KS.
    • Uses KS to decrypt KS(m) to recover his message m.

30
Secure E-Mail (Continued)
  • Alice wants to provide sender authentication and message integrity.
    • Alice digitally signs a digest of the message.
    • Sends both message (in the clear) and the digitally signed digest.

31
Secure E-Mail (Continued)
  • Alice wants to provide secrecy, sender authentication, and message integrity.

Alice uses three keys: her private key, Bob's public key, and the newly created symmetric key.
32
Pretty Good Privacy (PGP)
  • Internet e-mail encryption scheme, de-facto standard.
  • Uses symmetric key cryptography, public key cryptography, hash function, and digital signature as described.
  • Provides secrecy, sender authentication, integrity.
  • Inventor Phil Zimmermann was the target of a 3-year federal investigation for violating U.S. export restrictions on cryptographic software.

A PGP signed message:

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Bob: My husband is out of town tonight. Passionately yours, Alice

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 5.0
    Charset: noconv

    yhHJRHhGJGhgg/12EpJlo8gE4vB3mqJhFEvZP9t6n7G6m5Gw2
    -----END PGP SIGNATURE-----

33
Secure Sockets Layer (SSL)
  • Transport layer security to any TCP-based application using SSL services.
  • Used between Web browsers, servers for e-commerce (shttp).
  • Security services:
    • Server authentication.
    • Data encryption.
    • Client authentication (optional).
  • Server authentication:
    • SSL-enabled browser includes public keys for trusted CAs.
    • Browser requests server certificate, issued by trusted CA.
    • Browser uses CA's public key to extract server's public key from certificate.
    • Check your browser's security menu to see its trusted CAs.

34
SSL (Continued)
  • Encrypted SSL session
    • Browser generates symmetric session key, encrypts it with server's public key, sends encrypted key to server.
    • Using private key, server decrypts session key.
    • Only the browser and server know session key.
    • All data sent into TCP socket (by client or server) encrypted with session key.
  • SSL is the basis of IETF Transport Layer Security (TLS).
  • SSL can be used for non-Web applications, e.g., IMAP.
  • Client authentication can be done with client certificates which have also been issued by CAs.

35
IPsec: Network Layer Security
  • Network-layer secrecy
    • Sending host encrypts the data in IP datagram.
    • TCP and UDP segments; ICMP and SNMP messages.
  • Network-layer authentication
    • Destination host can authenticate source IP addresses.
  • Two principal protocols
    • Authentication header (AH) protocol
    • Encapsulation security payload (ESP) protocol
  • For both AH and ESP protocols, the source and destination handshake:
    • Create network-layer logical channel called a security association (SA).
    • Each SA unidirectional.
    • Uniquely determined by:
      • Security protocol (AH or ESP).
      • Source IP address.
      • 32-bit connection ID.

36
Authentication Header (AH) Protocol
  • AH header includes:
    • Connection identifier.
    • Authentication data: source-signed message digest calculated over original IP datagram.
    • Next header field: specifies type of data (e.g., TCP, UDP, ICMP).
    • Sequence number to prevent playback attacks.
  • Provides source authentication, data integrity, but not confidentiality.
  • AH header inserted between IP header, data field.
  • IP protocol field: 51.
  • Intermediate routers process datagrams as usual.

37
Encapsulation Security Payload (ESP) Protocol
  • Provides secrecy, host authentication, and data integrity.
  • Packet data and the ESP trailer are encrypted.
  • Next header field is in the ESP trailer.
  • Sequence number and connection identifier are in the ESP header.
  • ESP authentication field is similar to AH authentication field.
  • IP protocol field: 50.

[Diagram: IP header | ESP header | TCP/UDP segment ...; the encrypted span and the authenticated span are marked]
38
IPsec SA and Key Management
  • To successfully deploy IPsec, a scalable and automated SA and key management scheme is needed.
  • Several protocols have been defined.
    • The Internet Key Exchange (IKE) algorithm, which is the default key management protocol for IPsec.
    • The Internet Security Association and Key Management Protocol (ISAKMP) defines procedures for setting up and tearing down SAs and working with keys.

39
IEEE 802.11 Security
  • War-driving: drive around the community and see what 802.11 wireless networks are available.
    • In 2001, in the San Francisco Bay area alone, more than 9000 were accessible from public roadways.
    • 85% used no encryption/authentication!
    • Packet-sniffing and various attacks would be easy!
    • Recent studies have shown similar results, only with way more access points!
  • Wired Equivalent Privacy (WEP) authentication as in protocol ap4.0:
    • Host requests authentication from access point.
    • Access point sends 128 bit nonce.
    • Host encrypts nonce using shared symmetric key.
    • Access point decrypts nonce, authenticates host.

40
IEEE 802.11 Security
  • Wired Equivalent Privacy (WEP) data encryption
    • Host and access point share 40 bit symmetric key (semi-permanent).
    • Host appends 24-bit initialization vector (IV) to create 64-bit key.
    • 64 bit key used to generate stream of keys, k_i^IV.
    • k_i^IV used to encrypt ith byte, d_i, in frame: c_i = d_i XOR k_i^IV.
    • IV and encrypted bytes, c_i, sent in frame.

41
802.11 WEP Encryption
Sender-side WEP encryption
42
Breaking 802.11 WEP Encryption
  • Security Hole
    • 24-bit IV, one IV per frame -> IVs eventually reused.
    • IV transmitted in plaintext -> IV reuse detected.
  • Attack
    • Trudy causes Alice to encrypt known plaintext d_1 d_2 d_3 d_4
    • Trudy sees c_i = d_i XOR k_i^IV.
    • Trudy knows c_i and d_i, so can compute k_i^IV.
    • Trudy knows encrypting key sequence k_1^IV k_2^IV k_3^IV
    • Next time IV is used, Trudy can decrypt!
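A toy model of the WEP encryption from slide 40 and the IV-reuse hole above, added here as an example (not from the slides): it seeds RC4 with IV || key as WEP does, but omits the ICV and frame format, and every key, IV and plaintext is a constructed value. The `reused_ivs` check is the defender's half of the slide: IVs are in the clear, so a monitor can count repeats and know which frames are exposed.

```python
def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling, then n bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < n:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(key40: bytes, iv: bytes, data: bytes):
    """c_i = d_i XOR k_i^IV with the keystream from RC4(IV || key).
    Returns (iv, ciphertext); the IV goes out in the clear, as on the slide."""
    assert len(key40) == 5 and len(iv) == 3
    ks = rc4_keystream(iv + key40, len(data))
    return iv, bytes(d ^ k for d, k in zip(data, ks))

def recover_keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Knowing d_i and c_i gives k_i^IV = c_i XOR d_i for this IV."""
    return bytes(c ^ d for c, d in zip(ciphertext, known_plaintext))

def decrypt_with_keystream(keystream: bytes, ciphertext: bytes) -> bytes:
    """Apply a recovered keystream to another frame that reused the same IV."""
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))

def reused_ivs(frames):
    """Defender's check over captured (iv, ciphertext) frames: IVs seen more than once."""
    counts = {}
    for iv, _ in frames:
        counts[iv] = counts.get(iv, 0) + 1
    return sorted(iv for iv, n in counts.items() if n > 1)

def iv_reuse_demo():
    """Frame 1 with known plaintext leaks the keystream for its IV; frame 2, sent
    later under the same IV, is then readable without the 40-bit key."""
    key = b"\x01\x02\x03\x04\x05"            # constructed shared 40-bit key
    iv = b"\xaa\xbb\xcc"                     # constructed 24-bit IV
    known = b"GET / HTTP/1.0\r\n"            # plaintext the observer can predict
    frame1 = wep_encrypt(key, iv, known)
    frame2 = wep_encrypt(key, iv, b"PASS hunter2\r\n")          # same IV reused
    frame3 = wep_encrypt(key, b"\x00\x00\x01", b"other frame")  # fresh IV
    frames = [frame1, frame2, frame3]
    ks = recover_keystream(known, frame1[1])
    return reused_ivs(frames), decrypt_with_keystream(ks, frame2[1])
```

Only as many bytes as were known in frame 1 can be read from frame 2; the frame with a fresh IV is untouched, which is why the 24-bit IV space, not RC4 itself, is the point of this slide.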

43
802.11b Security At Western
  • Wireless users at Western are forced to
    authenticate themselves securely before accessing
    the network.
  • This prevents outsiders from easily getting
    inside access to the campus network.
  • Once a wireless device contacts an access point,
    access is restricted until a web browser is
    opened and redirected to a secure login page.
  • You can then provide your UWO user id and
    password to authenticate with the network.
  • Once authenticated, access is opened up and you
    are allowed fuller access to network services.

44
802.11b Security At Western
  • Western does not currently use traditional
    WEP-based encryption, and does not plan to.
  • How could you safely share a secret WEP key
    between 20,000-30,000 users? You can't!
  • Besides, as we just saw, WEP might not be very
    safe.
  • Western is continuing to look at more advanced
    wireless encryption protocols as they continue to
    develop.
  • Just to be safe, use higher-level security
    protocols as much as possible (such as SSL, SSH,
    and so on).
  • Many insecure unencrypted protocols are blocked,
    so you cannot use them anyway!

45
Network Security Summary
  • Basic techniques...
    • cryptography (symmetric and public)
    • authentication
    • message integrity
    • key distribution
  • ... used in many different security scenarios
    • secure email
    • secure transport (SSL)
    • IPsec
    • 802.11 WEP