Computer Systems Security

1
Computer Systems Security

• Security in Networks
• Topic Three
• Pirooz Saeidi

2
Agenda

• More on Firewalls
• Intrusion Detection Systems
• Secure E-mail
• Concluding Network Security

3
More on Firewalls

• Effective means of protecting local and networked
  systems from network-based security threats
• While maintaining access to outside world via
  WANs and the Internet.

4
Firewall Characteristics

• All traffic (in or out) must pass through
  firewall.
• Only authorised traffic will be allowed to pass.
• The firewall itself must be immune to
  penetration. i.e. use a trusted system with a
  secure operating system.

5
Four general techniques used by firewalls

• Service control
• Type of service inbound or outbound
• Filter traffic on the basis of IP address and TCP
  port number
• Provide proxy software to receive or interpret
  service request before passing it on.
• May also host the server software (e.g. Web or
  mail service).
• User Control
• control access to service using ACLs
• Behaviour Control
• e.g. filter e-mail for spam

6
Three Common types of Firewalls

• Packet Filtering Routers
• Application-level Gateways
• Circuit-level Gateways

7
Packet Filtering Routers

• Have filtering rules to forward or discard
  incoming IP packets

8
Application-level Gateways

• Also called a proxy server
• Acts as relay of application-level traffic.e.g.
  user contacts the gateway using Telnet,
• The gateway then asks the user for the name of
  the remote host. The user then responds and
  provides user id, etc.

9
Circuit-level Gateways

• Does not allow end-to-end TCP connection.
• It sets up 2 TCP connections, one between itself
  and a TCP user on an inner host and one between
  itself and a TCP user on an outside host.
• The security function determines which
  connections will be allowed.
• Typical use is when system administrator trusts
  the internal users but may configure the the
  gateway to support (say a) proxy service on
  inbound connections, and circuit level
  connections for outbound connections

10
Circuit-level Gateways
11
Intrusion Detection Systems (IDS)

• An IDS attempts to detect an intruder breaking
  into a system or a legitimate user misusing
  system resources.
• The IDS runs constantly in the background, and
  only notifies the user when it detects something
  suspicious.
• There are two types of potential intruders
  Outside Intruders and Inside Intruders.
• There are two main types of IDS
• Host based
• checking system logs for evidence of malicious
  or suspicious application activity in real time
• and Network based
• a form of a packet monitor.

12
Host-Based IDS (HIDS)

• Collects and analyzes data that was created on a
  computer that hosts a service, such as a Web
  server.
• Once data is collected for a given computer, it
  can either be analyzed locally or sent to a
  separate host for analysis.
• An example of an HIDS is a set of programs that
  receive application or operating system audit
  logs.
• Very effective for detecting insider abuses.
• Among host-based IDS implementations are Windows
  NT/2000 Security Event Logs, and UNIX Syslog in
  their raw forms or in their secure forms such as
  Solaris' BSM

13
Network-Based IDS (NIDS)

• Examins data packets that travel over the actual
  network.
• Implementation tends to be more distributed than
  host-based IDS.
• Instead of analysing information that originates
  and stays on a computer, NIDS uses methods such
  as packet-sniffing to pull data from TCP/IP or
  other protocol packets moving across the network.
  
• This inspection of the links between computers
  makes NIDS very useful for detecting the
  intrusions from outside the network

14
Network-Based IDS (NIDS)

• NIDS are best at detecting the following
  activities
• Unauthorised outsider access
• Tracking unauthorised access before a log on
  attempt.    
• Bandwidth theft or denial of service
• Packets that initiate or carry these attacks can
  best be noticed with NIDS.

15
Network-Based IDS (NIDS)

• two approaches to build intrusion detection
  systems
• Anomaly detection
• an alarm for strange system behaviour.
• Misuse Detection or Signature-Based
• Characterise attacks in terms of a pattern or a
  signature so that even similar attacks may be
  detected.

16
Secure Email

• Current message contents are not secure
• Can be inspected either in transit or by
  privileged users on destination.
• Desired Email Privacy Enhancement Services
• confidentiality (protection from disclosure)
• authentication (of originator)
• message integrity (protection from modification)
• protection from denial by sender (non-repudiation
  of origin)

17
Secure Email Implementation

• Use public key algorithms and certificates to
  exchange session keys and authenticate contents
• Also private key encryption for performance

18
PEM Privacy Enhanced E-mail

• original Internet standard for secure email
• confidentiality - DES encryption
• integrity - DES encrypted hash (MD2/MD5)
• authentication - either DES or RSA encrypted hash
  
• non-repudiation - RSA encrypted hash

19
PEM

• key management uses
• A central on-line, private-key server
• public-key certificates, using X.509 strong
  authentication signed by a Certification
  Authority (CA) hierarchy.
• X.509 Federal Public Key Infrastructure

20
S/MIME

• S/MIME is revised version with wider usage
• uses DES, Triple-DES, RC2 private key ciphers
• RC2 is a variable key-size block cipher designed
  by Ronald Rivest for RSA Security
• X.509 certificates, central or "web of trust"
  certification
• Web of trust
• A method of key certification but different from
  PKI
• i.e.. It does not use a hierarchy of CAs
• each user signs a key and decisions will be
  made on what keys are to be certified.

21
Pretty Good Privacy (PGP)

• Widely used de facto secure email standard
• developed by Phil Zimmermann
• available on most operating systems
• originally free. Commercial versions available
• Confidentiality IDEA (International Data
  Encryption Algorithm) encryption
• integrity - RSA encrypted MIC (Message Integrity
  Check, MD5)
• authentication non-repudiation - RSA encrypted
  MIC (Message Integrity Code )
• uses common key distribution
• trusted introducers used to validate keys
• no certification authority hierarchy needed

22
PGP in practice

• The application must be integrated into existing
  email
• each user has a keyring of known keys
• containing their own public and private keys
  (protected by a password)
• public keys given to you directly by a person
• public keys signed by trusted introducers
• Keys used for signing or encrypting messages to
  be sent and validate messages received

23
Summary of Network Security

• We made an analysis of security threats followed
  by design and implementation issues.
• Then we elaborated on different types of network
  security controls and
• Secure network applications.
• Most materials in these lecture are base on
  PfleegerPfleeger book. The full sample chapter
  can be accessed via
• ftp//ftp.prenhall.com/pub/esm/web_marketing/ptr/p
  fleeger/ch07.pdf