Network/Information Security - PowerPoint PPT Presentation

About This Presentation
Title:

Network/Information Security

Description:

Access Control Mechanisms: Internet firewall ... Security perimeter involves installing a firewall at each external connection. ... – PowerPoint PPT presentation

Slides: 21
Provided by: KAI873

Transcript and Presenter's Notes

1
Network/Information Security
  • The terms network security and information
    security refer in a broad sense to confidence
    that information and services available on a
    network cannot be accessed by unauthorized
    users. (Comer 1995)
  • Need to protect
    • Physical resources (disks, computers, cables,
      bridges, routers, etc.)
    • Abstract resources (information)

2
Security Requirements
  • Data integrity - protecting information from
    unauthorized change.
  • Data availability - guaranteeing that outsiders
    cannot prevent legitimate data access.
  • Confidentiality/Privacy - preventing unauthorized
    listening.

3
Security Requirements (contd.)
  • Authentication - ensuring that a message indeed
    originated from its apparent source.
  • Non-repudiation - ensuring that a party to a
    transaction cannot subsequently deny that this
    transaction took place.

4
Internet Security Mechanisms
  • Authentication mechanisms: IP source
    authentication, public key encryption
  • Privacy mechanism: encryption
  • Access control mechanism: Internet firewall
  • Authentication and privacy mechanisms can be
    added to application programs. Access control
    requires basic changes to Internet infrastructure.

5
IP Source Authentication
  • Server maintains a list of valid IP source
    addresses.
  • Weak because it can be broken easily.
  • An imposter can gain control of an intermediate
    router and impersonate an authorized client.
  • An imposter can also impersonate a server.

6
Public Key Encryption System
  • Each end-entity has a cryptographic key pair:
    • a private key that is kept secret at that
      end-entity, and
    • a public key which is distributed.
  • Keys, which are large integers, are used to
    encode and decode messages.
  • A message encoded using one key can be decoded
    using the other.

7
Public Key Encryption System (contd.)
  • Message encrypted by a public key can only be
    decrypted by the holder of the corresponding
    private key.
  • Private key can be used to generate a digital
    signature and anyone knowing the public key can
    authenticate it.
  • Guessing or calculating the secret private key is
    an extremely difficult task.

8
Public Key Encryption System (contd.)
  • A public key encryption scheme can also handle the
    problem of privacy.
  • The sender uses the receiver's public key to encode
    the message. The receiver uses its private key to
    decode the message.
  • Messages can be encoded twice to authenticate the
    sender and to enforce privacy: first with the
    sender's private key and then with the receiver's
    public key.

9
Certificates and Certification Authorities
  • To ensure authenticity, public keys are generally
    distributed in the form of certificates.
  • A certificate contains:
    • a public key value
    • the identity of the holder of the corresponding
      private key
    • the digital signature of the certification
      authority (CA)

10
Certificates and Certification Authorities (contd.)
  • A CA is a trusted party whose public key is
    known, e.g., VeriSign, Inc.
  • The recipient uses the public key of the CA to
    decrypt the sender's public key in the
    certificate.
  • The most vulnerable part of this method is the
    CA's private key, which is used to digitally sign
    the certificate.
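The two ideas from slides 6 to 10 (one key of the pair undoes the other, the double encoding of slide 8, and a certificate checked against a known CA key) in working code. This is an added example, not the presentation's own material; it uses textbook RSA over small hand-picked primes purely for illustration, and the key values, identities and the 56-bit fingerprint are constructed for the demo.

```python
import hashlib

# Textbook (unpadded) RSA over hand-picked primes: a teaching toy for the slides'
# claims, not a usable cryptosystem. Real systems use large random primes and
# padding (OAEP for encryption, PSS or PKCS#1 v1.5 for signatures).
E = 65537  # public exponent; key pairs below are constructed for the demo

def make_keypair(p, q):
    """Return (public, private) as (E, n) and (d, n) for two primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

def apply_key(key, x):
    """Slide 6: what one key of the pair encodes, the other decodes."""
    exp, n = key
    return pow(x, exp, n)

def sign_then_encrypt(m, sender_priv, receiver_pub):
    """Slide 8: encode with the sender's private key, then the receiver's public key.
    The inner value must be below the receiver's modulus, so the sender's modulus
    is chosen smaller than the receiver's in the demo keys below."""
    return apply_key(receiver_pub, apply_key(sender_priv, m))

def decrypt_then_verify(c, receiver_priv, sender_pub):
    """Undo the two layers in reverse: receiver's private key, then sender's public key."""
    return apply_key(sender_pub, apply_key(receiver_priv, c))

def fingerprint(pub, identity):
    """56-bit hash of (public key, holder identity); small enough to sit below n."""
    data = f"{pub[0]}:{pub[1]}:{identity}".encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:7], "big")

def issue_certificate(pub, identity, ca_priv):
    """Slide 9: public key value, holder identity, and the CA's digital signature."""
    return {"pub": pub, "id": identity, "sig": apply_key(ca_priv, fingerprint(pub, identity))}

def verify_certificate(cert, ca_pub):
    """Slide 10: a recipient who knows the CA's public key checks the CA signature
    before trusting the public key inside the certificate."""
    return apply_key(ca_pub, cert["sig"]) == fingerprint(cert["pub"], cert["id"])

# Constructed demo keys (primes chosen by hand; far too small for real use).
SENDER_PUB, SENDER_PRIV = make_keypair(1000000007, 998244353)
RECEIVER_PUB, RECEIVER_PRIV = make_keypair(1000000009, 999999937)
CA_PUB, CA_PRIV = make_keypair(1000000021, 1000000033)
```

Without padding a decoded value carries no redundancy, so a real verifier compares a signed hash against the expected one, which is what `verify_certificate` does here.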

11
SSL Handshake

12
Secure Sockets Layer (SSL)
  • The leading security protocol on the Internet.
    Developed by Netscape.
  • At the start of an SSL session, the browser sends
    its public key to the server.
  • The server uses the browser's public key to encrypt a
    secret key and sends it to the browser.
  • During the session, the server and browser
    exchange data via secret key encryption.

13
SSL (contd.)
  • SSL has merged with other protocols and
    authentication methods to create a new protocol
    known as Transport Layer Security (TLS).
  • Typically only server authentication is done.
    Authentication of the browser's (user's) identity
    requires certificates to be issued to users.

14
Internet Firewalls
  • A firewall protects an organization's internal
    networks, routers, computers, and data against
    unauthorized access.
  • A security perimeter involves installing a firewall
    at each external connection.
  • For effective control, all firewalls must use
    exactly the same access restrictions.

15
Internet Firewall Implementation
  • A firewall must handle datagrams at the same
    speed as the connection to the outside world.
  • To operate at network speeds, routers include a
    high-speed filtering mechanism.
  • Filters form the basic building blocks of a
    firewall.

16
Packet Filters
  • Packet filters provide a basic level of network
    security at the IP level.
  • Filtering is based on any combination of source
    IP address, destination IP address, protocol,
    source protocol port number, and destination
    protocol port number.
  • Packet filters do not maintain context or
    understand the application they are dealing with.

17
Packet Filters
  • Specifying the datagrams that should be filtered
    out is not very effective.
  • Instead we specify which datagrams to admit.
  • Security concerns:
    • IP spoofing (mimicking the IP addresses of trusted
      machines)
    • IP tunneling (one datagram is temporarily
      encapsulated in another)

18
Packet Filters
  • If an organization's firewall restricts incoming
    datagrams except for ports that correspond to
    services the organization makes available
    externally, an arbitrary application inside the
    organization cannot become a client of a server
    outside the organization. (Comer, 1995)
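A small stateless packet filter written as an added example for slides 16 to 18 (not code from the presentation): it matches on the five-tuple, admits only what is listed (default deny), drops outside datagrams that claim an inside source address as a mitigation for the spoofing concern on slide 17, and, because it keeps no connection context, also drops the reply to an internal client's outbound connection, which is exactly the limitation slide 18 describes. Interface names, the 10.0.0.0/8 internal prefix, the server addresses and the sample datagrams are all constructed for the demo.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL = ip_network("10.0.0.0/8")  # constructed internal address space for the demo

@dataclass(frozen=True)
class Datagram:
    iface: str              # "ext": arrived from outside, "int": arrived from inside
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    sport: Optional[int]
    dport: Optional[int]

@dataclass(frozen=True)
class AdmitRule:
    """One entry of the admit list (slide 17); a None field means 'any'."""
    iface: str
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, d: Datagram) -> bool:
        return (self.iface == d.iface
                and (self.src_net is None or ip_address(d.src) in ip_network(self.src_net))
                and (self.dst_net is None or ip_address(d.dst) in ip_network(self.dst_net))
                and (self.proto is None or self.proto == d.proto)
                and (self.dport is None or self.dport == d.dport))

# Only the services the organization offers externally are admitted inbound;
# everything originating inside may leave. Nothing else is listed.
ADMIT = [
    AdmitRule("ext", dst_net="10.0.0.80/32", proto="tcp", dport=80),  # public web server
    AdmitRule("ext", dst_net="10.0.0.25/32", proto="tcp", dport=25),  # public mail server
    AdmitRule("int", src_net="10.0.0.0/8"),                           # outbound traffic
]

def decide(d: Datagram) -> str:
    """Stateless decision on one datagram: no memory of earlier packets (slide 16)."""
    # Spoofing check: a datagram from the outside must not carry an inside source.
    if d.iface == "ext" and ip_address(d.src) in INTERNAL:
        return "drop: spoofed internal source"
    for rule in ADMIT:
        if rule.matches(d):
            return "admit"
    return "drop: no admit rule"  # default deny
```

The dropped reply in the last case is what a stateful filter or a proxy (slides 19 and 20) exists to handle: both remember the outbound request and admit only the matching response.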

19
Proxy Firewalls
  • Most secure form of firewall
  • All incoming traffic is tunneled to the
    appropriate proxy gateway for mail, HTTP, FTP,
    etc.
  • Proxies then direct the information to the
    internal network.
  • Proxies are applications that make decisions
    based on context and on authorization and
    authentication rules instead of IP addresses.

20
Proxy Firewalls (contd.)
  • A proxy firewall operates at the highest level of
    the protocol stack.
  • Proxies are relays between the Internet and the
    organization's private network.
  • The proxy firewall's address is the only one
    available to the outside world.
  • Some firewalls combine router and proxy
    techniques to provide more security.