Internet Security

1
Internet Security

• Chapter 12

2
You Will Learn

• About the ways that computers and networks can be
  attacked
• How to safeguard network resources from
  unauthorized access
• What virtual private networks are and how they
  ensure a secure connection so that data can be
  transmitted over the Internet

3
Types of Intrusion

• Flooding
• Data theft
• Computer infestations
• Cookies

4
Flooding

• A type of Denial of Service (DoS) attack, which
  overloads the server with false requests,
  therefore preventing it from processing
  legitimate requests
• Halts resources
• Types of flooding attacks
• SYN flooding
• Ping flooding
• Mail flooding

5
SYN Flooding

• Uses an invalid return address so synchronization
  feature of TCP cannot complete, thereby disabling
  the system

6
A Normal SYN Operation

• TCP on the client sends a SYN (synchronize start)
  packet to TCP on the server
• TCP on the server responds with a SYN ACK
  (synchronize acknowledge)
• TCP on the client completes the handshake by
  sending an ACK (acknowledge) packet to the
  destination server

7
A Normal SYN Operation
8
A SYN Flood
9
DoS Attacks
10
Ping Flooding

• A type of DoS attack in which a host is flooded
  with Ping requests to the point that the server
  cannot function
• Also known as ICMP flooding
• Ping of Death attack
• Occurs when a hacker uses the Ping protocol to
  send a packet that is larger than the standard 64
  bytes

11
Mail Flooding

• A type of DoS attack in which an SMTP host is
  sent a large number of huge e-mails, thus
  overloading the system
• Spam
• Unsolicited e-mail messages that are usually
  trying to sell a product, and are sent in bulk

12
Data Theft

• Monitor network until an opening is found
  install programs that allow future access to the
  files
• Man in the middle attack
• Attackers intercept data that is being
  transmitted across a network

13
Computer Infestations

• Viruses (most common)
• Worms
• Trojan horses

14
Virus

• Has an incubation period
• Can replicate by attaching itself to other
  programs
• Is destructive
• Usually spreads through infected e-mail messages
  that arrive with a virus in an attachment

15
Example of a Virus
16
Worm

• Spreads copies of itself throughout the network
  without needing a host program
• Overloads network resources making the network
  unusable

17
Trojan Horse

• Substitutes itself for a legitimate program, but
  damages the system
• Does not need a host program

18
Cookies

• Data stored on the clients system by a web site
  for later retrieval
• Many people feel that cookies allow companies to
  intrude on privacy rights

19
Protection Strategies

• All areas of a network need to be protected
• Entities you can protect
• Private network or intranet (client-to-gateway
  security)
• Extranet
• Transactions between individuals and a web site
• Transactions between individuals across the
  Internet (client-to-client security)
• Virtual private network

20
(No Transcript)
21
Goals of a Security System

• Privacy
• Authentication
• Data integrity
• Non-repudiation
• Ease of use

22
Protection Strategies

• Authentication
• Encryption
• Firewalls
• Intrusion detection software
• Electronic transaction protocols
• Protecting privacy
• Protection against viruses

23
Authentication

• Process of ensuring that a person or computer is
  who or what it says it is before being allowed
  access to a secured network or secured data

24
Levels of Authentication

• None
• Connect
• Call
• Packet
• Packet integrity
• Packet privacy (includes encryption)

25
User IDs and Passwords

• Most common method of authentication
• Can be set at many levels
• User ID is a code used to indicate who the user
  is only that user knows the password
• Passwords on the PC can be setup passwords,
  operating system passwords, and passwords on
  files, folders, and applications

26
User IDs and Passwords Required by the Network
Operating System

• Each ID can be assigned certain rights that apply
  to only that ID
• Network administrator defines user permissions
  (read, write, no access)

27
Setting a Windows Password
28
Securing User IDs and Passwords

• Passwords are encrypted at the entry point and
  decrypted just before they are validated
• Several encryption services (authentication
  protocols)
• Most popular
• CHAP (Challenge Handshake Authentication
  Protocol)
• Kerberos

29
User IDs and Passwords Used by Internet
Applications
30
Problems with Passwords

• Many people do not keep them secret
• People write down their passwords
• A good password is a mixture of letters, numbers,
  and symbols, and has no logical meaning

31
Smart Cards

• Can hold data about the card holder and then be
  used to provide access to a single computer or
  network
• Disadvantage
• A reader device must be installed on each
  computer or network device where the user must
  gain access

32
Example of a Smart Card
33
Digital Certificates

• Digital signatures that verify the senders
  identity
• Assist in non-repudiation of origin and
  non-repudiation of delivery
• Issued only by certification authorities (eg,
  VeriSign)
• Sometimes used to help create a virtual private
  network (VPN)

34
Types of Digital Certificates

• Client SSL certificate
• Server SSL certificate
• S/MIME certificate
• Object-signing certificate
• CA certificate

35
What Is in a Digital Certificate?

• Most conform to the X.509 certificate
  specification
• Certificates can be read by a computer only
  cannot be read by humans
• Parts of a digital certificate
• Data section
• Signature section

36
Data Section of a Digital Certificate

• Version number of the X.509 that the certificate
  supports
• Serial number
• Name of the authority that issued the certificate
• Dates and times when certificate is valid
• Person/company to whom it was issued
• Algorithm used to encode the certificate
• Additional information (eg, type of certificate)

37
Signature Section of a Digital Certificate

• Algorithm that was used by the certification
  authority to create the digital certificate
• Certification authoritys digital signature

38
How Digital Certificates Work

• Involves three parties
• Person needing the certificate
• Authority issuing it
• Company with whom the person wants to use the
  certificate

39
How Digital Certificates Work

• Individual applies to a certification authority
  for a certificate
• CA validates identity of individual and issues a
  digital certificate
• CA informs the corporate intranet that a digital
  certificate has been issued to the vendor, and
  monitors the life cycle of the certificate
• At logon, the individuals browser presents the
  certificate to the secure gateway, which
  validates it and allows the individual access

40
How Digital Certificates Work
41
How to Protect Your Digital Certificate

• Require a password
• Store the certificate away from your computer
  (such as a PCMCIA card or smart card)

42
Using a Digital Certificate (VeriSign)
43
Using a Digital Certificate
44
Using a Digital Certificate
45
Using a Digital Certificate
46
Using a Digital Certificate
47
Using a Digital Certificate
48
Using a Digital Certificate
49
Encryption

• Process of coding data to prevent unauthorized
  parties from being able to change or view it
• Methods vary, but the most secure method uses
  three keys others use one or two keys

50
Symmetric Encryption (Private Key)

• Uses one key (session key or secret key) for both
  encryption and decryption
• Ciphertext (the unreadable data)

51
Effectiveness of Encryption is Determined by

• The algorithm or set of rules used to encrypt the
  data
• The complexity or length of the session key used
  to do the encryption
• The longer the session key, the more secure the
  data

52
Symmetric Encryption (Private Key)
53
Algorithms Used for Encryption

• DES (Data Encryption Standard)
• Triple DES
• Skipjack
• Blowfish

54
DES (Data Encryption Standard)

• Uses a 64-bit key to encrypt and decrypt data
• Runs the main algorithm 16 times to produce the
  encrypted data
• Can be used in one of four modes
• Electronic Code Book (ECB)
• Cipher Block Chaining (CBC)
• Cipher Feedback (CFB)
• Output Feedback (OFB)

55
Triple DES

• Uses three 64-bit keys
• Repeats the process three times, once with each
  64-bit key

56
Triple DES
57
Skipjack and Blowfish

• Skipjack
• Uses 80-bit keys and is repeated 32 times to
  produce ciphertext
• Can run using all four modes DES uses
• Blowfish
• Uses either fixed-length keys or variable length
  keys, from 32-bits to 448-bits
• Can be downloaded for free

58
Asymmetric or Public Key Encryption

• Requires two keys (a public key for encryption
  and a private key for decryption)
• Public key is available to anyone
• Private key is kept on the users computer and
  should be secure it is the only key that can
  decrypt the message
• Asymmetric algorithms RC2, RC4, and RC5
• Slower then using session keys

59
How Public Key Encryption Works
60
Pretty Good Privacy (PGP) Encryption

• Encrypts and decrypts messages that are sent over
  the Internet
• Sends digital signatures to ensure identity of
  sender
• Verifies that the message was not altered during
  transmission
• Uses three keys
• Receivers public key
• Receivers private key
• A short key generated by the encryption software

61
How PGP Works
62
Secure Multi-Purpose Internet Mail Extensions

• A secure version of MIME
• Works like public key encryption
• A message is sent with receivers public key and
  can be opened only with receivers private key

63
Hashing

• Validates that data sent over a network has not
  been altered while in transit by sending a
  calculated, fixed-length value (a hash) that is
  compared to another hash calculated by the
  receiver of the data
• Also called one-way encryption
• Algorithms used
• SHA-1 (Secure Hash Algorithm 1)
• MD5 (Message Digest 5)

64
Hashing
65
Firewalls

• Control information that is sent and received
  from outside the network
• Can be installed on several different types of
  gateways (router, server, or PC)
• Can filter data packets, ports, applications, and
  information (eg, inappropriate Web content)

66
Personal Firewalls

• Filter information
• Block open ports
• Stop suspicious programs
• Allow users to set the level of security

67
Setting the Level of Security on a Firewall
68
Personal Firewalls
69
A Proxy Server Used as a Firewall

• Can filter traffic in both directions

70
A Proxy Server Used as a Firewall
71
Firewalls that Filter Ports and Packets

• Prevent software on the outside from using
  certain ports on the network
• Screening router can use stateful inspection

72
Firewalls that Filter Ports and Packets
73
DMZ (Demilitarized Zone) Configurations

• Area between a private network and the Internet,
  but not a direct part of either network
• Protect the private network while still offering
  services to the Internet community

74
Ways to Set up a DMZ

• Screened host
• Bastion host
• Three-homed firewall
• Back-to-back firewall
• Dead zone

75
Screened Host

• A router is used to filter all traffic to the
  private intranet but allow full access to the
  computer in the DMZ

76
Screened Host
77
Screened Host
78
Bastion Host

• A computer that stands outside the protected
  network and is exposed to an attack by using two
  network cards, one for the DMZ and one for the
  intranet
• Also called dual-homed host or dual-homed firewall

79
Bastion Host
80
Three-Homed Firewall

• Uses three network cards for the entry point to
  the DMZ
• One connects to the Internet
• One connects to the DMZ network
• One connects to the intranet

81
Three-Homed Firewall
82
Back-to-Back Firewall

• Uses two firewalls, one between the Internet and
  the DMZ and one between the DMZ and the intranet
• Offers exceptional protection
• Expensive and complicated to implement

83
Back-to-Back Firewall
84
Dead Zone

• A network between two routers that uses another
  network protocol other than TCP/IP
• Most secure of all DMZ configurations
• Routers at each entry point into the dead zone
  must use protocol switching for communication

85
Intrusion Detection Software

• Monitors if and when an unauthorized person tries
  to gain access to a computer or network
• Provides alarms that go off when suspicious
  activity is detected
• Keeps logs that can be used as evidence
• Notes multiple log-in failures

86
Electronic Transaction Protocols

• Make sure that transactions over the Internet are
  secure
• Two most popular
• Secure sockets layer (SSL)
• Secure electronic transaction (SET)

87
Secure Sockets Layer

• Provides security between application protocols
  (such as FTP, HTTP, or Telnet) and TCP/IP
• Provides data encryption and server
  authentication and can provide client
  authentication for a TCP/IP connection
• Uses both the senders and receivers public and
  private keys to ensure a secure transaction

88
One Way SSL Can Work
89
Secure Electronic Transaction

• Offers a secure medium for credit card
  transactions using digital signatures
• Protects information in the transaction from
  being stolen or altered
• Provides a mechanism for credit card numbers to
  be transferred directly to the credit issuer for
  verification and billing without the merchant
  being able to see the number

90
Using SET
91
Protecting Privacy

• Control cookies
• Eliminate span
• Protect against viruses

92
Controlling Cookies

• Both Netscape Navigator and Internet Explorer
  have options to reject cookies
• Many web sites rely heavily on cookies some will
  not let you in unless you enable cookies

93
Controlling Cookies with Netscape Navigator
94
Controlling Cookies with Internet Explorer
95
Eliminating Spam

• Limit how much information you volunteer to
  people
• Create a separate e-mail account just for junk
  mail
• Many ISPs offer spam rejection services
• Complain to the ISP that the spam originator
  subscribes to

96
Protecting Against Viruses

• Use antivirus software, which works by
  inoculation (process of calculating and recording
  checksums)
• Update antivirus software regularly
• Stay informed about new viruses and virus hoaxes
• Be suspicious of e-mail from unknown senders (55
  of viruses are acquired through e-mail
  attachments)

97
Protecting Against Viruses
98
Protecting Against Viruses
99
Downloading Updates to Antivirus Software
100
Antivirus Software
101
Virtual Private Networks (VPNs)

• Use a public network (usually the Internet) to
  provide a secure connection between two private
  networks or a node and private network
• Offer networking capabilities at reduced costs

102
Tunneling

• Process by which a packet is encapsulated in a
  secure protocol before it is sent over a public
  network
• Allows two ends of the VPN to communicate

103
Example of Tunneling
104
Tunneling Protocols Used for VPNs

• Layer 2 Forwarding (L2F)
• Point-to-Point Tunneling Protocol (PPTP)
• Layer 2 Tunneling Protocol (L2TP)
• Internet Protocol Security (IPsec)
• Only tunneling protocol that operates at Network
  layer
• Only one that uses three keys
• Internet Key Exchange (IKE)
• Works with IPsec, but at the Application layer of
  the OSI model

105
Tunneling Protocols Used for VPNs
106
Data Link Layer Protocols

• Layer 2 Forwarding (L2F)
• Connects two computers through the Internet
• Developed by Cisco
• Point-to-Point Tunneling Protocol (PPTP)
• Most common
• Secures private packets over any public network
• Remains with the packet until it reaches its
  destination at the gateway to the private network
• Layer 2 Tunneling Protocol (L2TP)
• Combines PPTP and L2F to allow ISPs to operate
  virtual private networks

107
Internet Protocol Security

• Standard platform for creating secure networks
  and electronic tunnels
• Verifies and encrypts each packet of data at the
  Network layer to ensure maximum protection
• Uses three keys
• Public key
• Private key
• Session key
• Developed by Internet Engineering Task Force

108
IPsec Uses Three Keys
109
VPN Hardware and Software

• Components required for optimum performance
• Security gateway (firewall) that controls access
  to the private network
• Certificate authority to issue and revoke public
  and private keys and digital certificates
• Security policy server to authenticate users
  trying to access the network

110
VPN Hardware and Software
111
A Security Gateway

• Stands between the Internet and the private
  network
• Encrypts and decrypts packets and tunnels them
  over the Internet
• Can be a router, a dedicated hardware device, or
  a server

112
Example of a Security Gateway
113
Chapter Summary

• Different ways that people illegally intrude on a
  network, and the potential damage
• How to protect your networks information and
  your personal information
• Installing firewalls
• Using intrusion detection software
• Implementing authentication systems
• Virtual private networks (VPNs) and how they
  provide secure transactions across the Internet