Title: Internet Security
Slide 1: Internet Security
Slide 2: You Will Learn
- About the ways that computers and networks can be attacked
- How to safeguard network resources from unauthorized access
- What virtual private networks are and how they ensure a secure connection so that data can be transmitted over the Internet
Slide 3: Types of Intrusion
- Flooding
- Data theft
- Computer infestations
- Cookies
Slide 4: Flooding
- A type of Denial of Service (DoS) attack, which overloads the server with false requests, therefore preventing it from processing legitimate requests
- Halts resources
- Types of flooding attacks
  - SYN flooding
  - Ping flooding
  - Mail flooding
Slide 5: SYN Flooding
- Uses an invalid return address so the synchronization feature of TCP cannot complete, thereby disabling the system
Slide 6: A Normal SYN Operation
- TCP on the client sends a SYN (synchronize start) packet to TCP on the server
- TCP on the server responds with a SYN ACK (synchronize acknowledge)
- TCP on the client completes the handshake by sending an ACK (acknowledge) packet to the destination server
Slide 7: A Normal SYN Operation
Slide 8: A SYN Flood
Slide 9: DoS Attacks
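Because a SYN flood leaves the server holding half-open connections (SYN-ACK sent, ACK never arrives) from addresses it cannot trust, a simple way to spot one is to count connections stuck in that state per server port. This is an added example, not from the slides; the connection-table snapshot and the thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed connection-table snapshot, one entry per TCP connection attempt
# seen at the server: (source IP, destination port, handshake state).
# "SYN_RECV" means the server sent SYN-ACK and is still waiting for the ACK.
SAMPLE_CONNECTIONS = [
    ("203.0.113.5", 80, "ESTABLISHED"),
    ("203.0.113.5", 80, "ESTABLISHED"),
    ("198.51.100.7", 443, "ESTABLISHED"),
] + [("192.0.2.%d" % i, 80, "SYN_RECV") for i in range(1, 41)]

def half_open_ratio(connections):
    """Fraction of connection entries stuck in SYN_RECV (half-open)."""
    if not connections:
        return 0.0
    half_open = sum(1 for _, _, state in connections if state == "SYN_RECV")
    return half_open / len(connections)

def syn_flood_indicators(connections, max_half_open=20, max_ratio=0.5):
    """Return per-port counts of half-open connections and a flood verdict.
    A flood with forged return addresses shows up as many SYN_RECV entries
    from many addresses that never complete, so the count is keyed on the
    server port rather than on the (forged, hence useless) source address."""
    per_port = defaultdict(int)
    for _, port, state in connections:
        if state == "SYN_RECV":
            per_port[port] += 1
    total_half_open = sum(per_port.values())
    ratio = half_open_ratio(connections)
    flagged = total_half_open >= max_half_open or ratio >= max_ratio
    return {"per_port": dict(per_port), "ratio": ratio, "flood": flagged}

if __name__ == "__main__":
    report = syn_flood_indicators(SAMPLE_CONNECTIONS)
    print("half-open per port:", report["per_port"])
    print("half-open ratio: %.2f" % report["ratio"])
    print("possible SYN flood:", report["flood"])
```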
Slide 10: Ping Flooding
- A type of DoS attack in which a host is flooded with Ping requests to the point that the server cannot function
- Also known as ICMP flooding
- Ping of Death attack
  - Occurs when a hacker uses the Ping protocol to send a packet that is larger than the standard 64 bytes
Slide 11: Mail Flooding
- A type of DoS attack in which an SMTP host is sent a large number of huge e-mails, thus overloading the system
- Spam
  - Unsolicited e-mail messages that are usually trying to sell a product, and are sent in bulk
Slide 12: Data Theft
- Monitor the network until an opening is found, then install programs that allow future access to the files
- Man in the middle attack
  - Attackers intercept data that is being transmitted across a network
Slide 13: Computer Infestations
- Viruses (most common)
- Worms
- Trojan horses
Slide 14: Virus
- Has an incubation period
- Can replicate by attaching itself to other programs
- Is destructive
- Usually spreads through infected e-mail messages that arrive with a virus in an attachment
Slide 15: Example of a Virus
Slide 16: Worm
- Spreads copies of itself throughout the network without needing a host program
- Overloads network resources, making the network unusable
Slide 17: Trojan Horse
- Substitutes itself for a legitimate program, but damages the system
- Does not need a host program
Slide 18: Cookies
- Data stored on the client's system by a web site for later retrieval
- Many people feel that cookies allow companies to intrude on privacy rights
Slide 19: Protection Strategies
- All areas of a network need to be protected
- Entities you can protect
  - Private network or intranet (client-to-gateway security)
  - Extranet
  - Transactions between individuals and a web site
  - Transactions between individuals across the Internet (client-to-client security)
  - Virtual private network
Slide 21: Goals of a Security System
- Privacy
- Authentication
- Data integrity
- Non-repudiation
- Ease of use
Slide 22: Protection Strategies
- Authentication
- Encryption
- Firewalls
- Intrusion detection software
- Electronic transaction protocols
- Protecting privacy
- Protection against viruses
Slide 23: Authentication
- Process of ensuring that a person or computer is who or what it says it is before being allowed access to a secured network or secured data
Slide 24: Levels of Authentication
- None
- Connect
- Call
- Packet
- Packet integrity
- Packet privacy (includes encryption)
Slide 25: User IDs and Passwords
- Most common method of authentication
- Can be set at many levels
- User ID is a code used to indicate who the user is; only that user knows the password
- Passwords on the PC can be setup passwords, operating system passwords, and passwords on files, folders, and applications
Slide 26: User IDs and Passwords Required by the Network Operating System
- Each ID can be assigned certain rights that apply to only that ID
- Network administrator defines user permissions (read, write, no access)
Slide 27: Setting a Windows Password
Slide 28: Securing User IDs and Passwords
- Passwords are encrypted at the entry point and decrypted just before they are validated
- Several encryption services (authentication protocols)
- Most popular
  - CHAP (Challenge Handshake Authentication Protocol)
  - Kerberos
Slide 29: User IDs and Passwords Used by Internet Applications
Slide 30: Problems with Passwords
- Many people do not keep them secret
- People write down their passwords
- A good password is a mixture of letters, numbers, and symbols, and has no logical meaning
Slide 31: Smart Cards
- Can hold data about the card holder and then be used to provide access to a single computer or network
- Disadvantage
  - A reader device must be installed on each computer or network device where the user must gain access
Slide 32: Example of a Smart Card
Slide 33: Digital Certificates
- Digital signatures that verify the sender's identity
- Assist in non-repudiation of origin and non-repudiation of delivery
- Issued only by certification authorities (e.g., VeriSign)
- Sometimes used to help create a virtual private network (VPN)
Slide 34: Types of Digital Certificates
- Client SSL certificate
- Server SSL certificate
- S/MIME certificate
- Object-signing certificate
- CA certificate
Slide 35: What Is in a Digital Certificate?
- Most conform to the X.509 certificate specification
- Certificates can be read by a computer only; they cannot be read by humans
- Parts of a digital certificate
  - Data section
  - Signature section
Slide 36: Data Section of a Digital Certificate
- Version number of X.509 that the certificate supports
- Serial number
- Name of the authority that issued the certificate
- Dates and times when the certificate is valid
- Person/company to whom it was issued
- Algorithm used to encode the certificate
- Additional information (e.g., type of certificate)
Slide 37: Signature Section of a Digital Certificate
- Algorithm that was used by the certification authority to create the digital certificate
- Certification authority's digital signature
Slide 38: How Digital Certificates Work
- Involves three parties
  - Person needing the certificate
  - Authority issuing it
  - Company with whom the person wants to use the certificate
Slide 39: How Digital Certificates Work
- Individual applies to a certification authority for a certificate
- CA validates the identity of the individual and issues a digital certificate
- CA informs the corporate intranet that a digital certificate has been issued to the vendor, and monitors the life cycle of the certificate
- At logon, the individual's browser presents the certificate to the secure gateway, which validates it and allows the individual access
Slide 40: How Digital Certificates Work
Slide 41: How to Protect Your Digital Certificate
- Require a password
- Store the certificate away from your computer (such as on a PCMCIA card or smart card)
Slide 42: Using a Digital Certificate (VeriSign)
Slides 43-48: Using a Digital Certificate
Slide 49: Encryption
- Process of coding data to prevent unauthorized parties from being able to change or view it
- Methods vary, but the most secure method uses three keys; others use one or two keys
Slide 50: Symmetric Encryption (Private Key)
- Uses one key (session key or secret key) for both encryption and decryption
- Ciphertext (the unreadable data)
Slide 51: Effectiveness of Encryption Is Determined by
- The algorithm or set of rules used to encrypt the data
- The complexity or length of the session key used to do the encryption
- The longer the session key, the more secure the data
Slide 52: Symmetric Encryption (Private Key)
Slide 53: Algorithms Used for Encryption
- DES (Data Encryption Standard)
- Triple DES
- Skipjack
- Blowfish
Slide 54: DES (Data Encryption Standard)
- Uses a 64-bit key to encrypt and decrypt data
- Runs the main algorithm 16 times to produce the encrypted data
- Can be used in one of four modes
  - Electronic Code Book (ECB)
  - Cipher Block Chaining (CBC)
  - Cipher Feedback (CFB)
  - Output Feedback (OFB)
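The difference between the first two modes is easiest to see on a plaintext with repeated 8-byte blocks: ECB encrypts each block on its own and so repeats ciphertext, while CBC chains each block to the previous ciphertext. This added example (not from the slides) uses a keyed one-way mapping built from SHA-256 as a stand-in for the DES block function, so only the encryption direction is shown; the key, IV and message are constructed.

```python
import hashlib

BLOCK = 8  # DES works on 64-bit (8-byte) blocks

def toy_block_encrypt(key, block):
    """Stand-in for the DES block function (NOT DES): a keyed, deterministic
    8-byte mapping built from SHA-256. It exists only so the modes can be
    shown without a cipher library; it is one-way, so there is no decrypt."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pad(data):
    # PKCS#7-style padding so the plaintext is a whole number of blocks
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def ecb_encrypt(key, plaintext):
    """ECB: every block is encrypted independently, so identical
    plaintext blocks yield identical ciphertext blocks."""
    data = pad(plaintext)
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def cbc_encrypt(key, iv, plaintext):
    """CBC: each plaintext block is XORed with the previous ciphertext block
    (the IV for the first) before encryption, so repeated plaintext blocks
    no longer produce repeated ciphertext."""
    data = pad(plaintext)
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ciphertext):
    """Count ciphertext blocks that appear more than once (pattern leakage)."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))

if __name__ == "__main__":
    key = b"8bytekey"        # constructed demo key, not a real DES key
    iv = b"\x00" * BLOCK     # constructed; a real IV must be unpredictable
    msg = b"ATTACKAT" * 4    # four identical 8-byte blocks
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, msg)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(key, iv, msg)))
```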
Slide 55: Triple DES
- Uses three 64-bit keys
- Repeats the process three times, once with each 64-bit key
Slide 56: Triple DES
Slide 57: Skipjack and Blowfish
- Skipjack
  - Uses 80-bit keys and is repeated 32 times to produce ciphertext
  - Can run using all four modes DES uses
- Blowfish
  - Uses either fixed-length keys or variable-length keys, from 32 bits to 448 bits
  - Can be downloaded for free
Slide 58: Asymmetric or Public Key Encryption
- Requires two keys (a public key for encryption and a private key for decryption)
- Public key is available to anyone
- Private key is kept on the user's computer and should be secured; it is the only key that can decrypt the message
- Asymmetric algorithms: RC2, RC4, and RC5
- Slower than using session keys
Slide 59: How Public Key Encryption Works
Slide 60: Pretty Good Privacy (PGP) Encryption
- Encrypts and decrypts messages that are sent over the Internet
- Sends digital signatures to ensure the identity of the sender
- Verifies that the message was not altered during transmission
- Uses three keys
  - Receiver's public key
  - Receiver's private key
  - A short key generated by the encryption software
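The three keys fit together as follows: the short session key encrypts the message, the receiver's public key encrypts that session key, and the receiver's private key unwraps it again. This added example (not PGP's own code) uses a textbook toy RSA key pair with primes 61 and 53 and a SHA-256 keystream as a stand-in for the symmetric cipher; key sizes and the absence of padding are deliberate simplifications.

```python
import hashlib
import os

# Toy RSA key pair with textbook-small primes (p=61, q=53): n=3233, e=17,
# d=2753. Constructed for illustration only; real PGP keys are thousands
# of bits long and use padding, which this toy omits.
PUBLIC_KEY = (3233, 17)     # (n, e): the receiver's public key
PRIVATE_KEY = (3233, 2753)  # (n, d): the receiver's private key

def rsa_apply(key, value):
    n, exp = key
    return pow(value, exp, n)

def keystream(session_key, length):
    """Expand the short session key into a stream with SHA-256 (a stand-in
    for the symmetric cipher PGP would use)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(session_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def pgp_style_encrypt(receiver_public, message, session_key=None):
    """Key 1 (session key) encrypts the message; key 2 (receiver's public key)
    encrypts the session key, one byte at a time in this toy."""
    if session_key is None:
        session_key = os.urandom(8)   # the "short key generated by the software"
    body = bytes(m ^ k for m, k in zip(message, keystream(session_key, len(message))))
    wrapped_key = [rsa_apply(receiver_public, b) for b in session_key]
    return wrapped_key, body

def pgp_style_decrypt(receiver_private, wrapped_key, body):
    """Key 3 (receiver's private key) recovers the session key, which then
    decrypts the body."""
    session_key = bytes(rsa_apply(receiver_private, c) for c in wrapped_key)
    return bytes(m ^ k for m, k in zip(body, keystream(session_key, len(body))))

if __name__ == "__main__":
    wrapped, body = pgp_style_encrypt(PUBLIC_KEY, b"meet at noon")
    print("wrapped session key:", wrapped)
    print("recovered:", pgp_style_decrypt(PRIVATE_KEY, wrapped, body))
```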
Slide 61: How PGP Works
Slide 62: Secure Multi-Purpose Internet Mail Extensions
- A secure version of MIME
- Works like public key encryption
- A message is sent with the receiver's public key and can be opened only with the receiver's private key
Slide 63: Hashing
- Validates that data sent over a network has not been altered while in transit by sending a calculated, fixed-length value (a hash) that is compared to another hash calculated by the receiver of the data
- Also called one-way encryption
- Algorithms used
  - SHA-1 (Secure Hash Algorithm 1)
  - MD5 (Message Digest 5)
Slide 64: Hashing
Slide 65: Firewalls
- Control information that is sent and received from outside the network
- Can be installed on several different types of gateways (router, server, or PC)
- Can filter data packets, ports, applications, and information (e.g., inappropriate Web content)
Slide 66: Personal Firewalls
- Filter information
- Block open ports
- Stop suspicious programs
- Allow users to set the level of security
Slide 67: Setting the Level of Security on a Firewall
Slide 68: Personal Firewalls
Slide 69: A Proxy Server Used as a Firewall
- Can filter traffic in both directions
Slide 70: A Proxy Server Used as a Firewall
Slide 71: Firewalls that Filter Ports and Packets
- Prevent software on the outside from using certain ports on the network
- Screening router can use stateful inspection
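Stateful inspection means the screening router remembers which connections the inside opened and admits inbound packets only if they belong to one of them. This added example (not from the slides) contrasts a plain port filter, which treats any inbound packet from a well-known server port as a presumed reply, with a stateful filter; the packet records and the allowed-port list are constructed.

```python
# Constructed packet records: (direction, src_ip, src_port, dst_ip, dst_port, flags)
# "in" = arriving from the Internet, "out" = leaving the private network.
SAMPLE_PACKETS = [
    ("out", "10.0.0.5", 51000, "198.51.100.9", 80, "SYN"),     # client opens web session
    ("in",  "198.51.100.9", 80, "10.0.0.5", 51000, "SYN-ACK"),  # genuine reply to it
    ("in",  "203.0.113.7", 4444, "10.0.0.5", 445, "SYN"),       # unsolicited inbound
    ("in",  "203.0.113.7", 80, "10.0.0.5", 51001, "ACK"),       # looks like a reply, no state
    ("in",  "203.0.113.8", 33000, "10.0.0.10", 25, "SYN"),      # inbound to published mail port
]

ALLOWED_INBOUND_PORTS = {25}  # services the screening router publishes deliberately

def stateless_filter(packets, allowed_ports=ALLOWED_INBOUND_PORTS):
    """Port filter only: inbound traffic passes if the destination port is
    published or the source port is 80, taken as a web-server reply.
    Anything from the Internet claiming source port 80 slips through."""
    verdicts = []
    for direction, _, sport, _, dport, _ in packets:
        if direction == "out":
            verdicts.append("ALLOW")
        else:
            verdicts.append("ALLOW" if dport in allowed_ports or sport == 80 else "DROP")
    return verdicts

def stateful_filter(packets, allowed_ports=ALLOWED_INBOUND_PORTS):
    """Stateful inspection: remember outbound connections and admit inbound
    packets only if they match a remembered connection or a published port."""
    table = set()   # (inside_ip, inside_port, outside_ip, outside_port)
    verdicts = []
    for direction, sip, sport, dip, dport, _ in packets:
        if direction == "out":
            table.add((sip, sport, dip, dport))
            verdicts.append("ALLOW")
        elif (dip, dport, sip, sport) in table or dport in allowed_ports:
            verdicts.append("ALLOW")
        else:
            verdicts.append("DROP")
    return verdicts

if __name__ == "__main__":
    for name, fn in (("stateless", stateless_filter), ("stateful", stateful_filter)):
        print(name, fn(SAMPLE_PACKETS))
```

The fourth packet is the one that separates the two: the port filter admits it, the stateful filter drops it because no inside host opened that connection.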
Slide 72: Firewalls that Filter Ports and Packets
Slide 73: DMZ (Demilitarized Zone) Configurations
- Area between a private network and the Internet, but not a direct part of either network
- Protects the private network while still offering services to the Internet community
Slide 74: Ways to Set Up a DMZ
- Screened host
- Bastion host
- Three-homed firewall
- Back-to-back firewall
- Dead zone
Slide 75: Screened Host
- A router is used to filter all traffic to the private intranet but allow full access to the computer in the DMZ
Slides 76-77: Screened Host
Slide 78: Bastion Host
- A computer that stands outside the protected network and is exposed to attack, using two network cards, one for the DMZ and one for the intranet
- Also called dual-homed host or dual-homed firewall
Slide 79: Bastion Host
Slide 80: Three-Homed Firewall
- Uses three network cards for the entry point to the DMZ
  - One connects to the Internet
  - One connects to the DMZ network
  - One connects to the intranet
Slide 81: Three-Homed Firewall
Slide 82: Back-to-Back Firewall
- Uses two firewalls, one between the Internet and the DMZ and one between the DMZ and the intranet
- Offers exceptional protection
- Expensive and complicated to implement
Slide 83: Back-to-Back Firewall
Slide 84: Dead Zone
- A network between two routers that uses a network protocol other than TCP/IP
- Most secure of all DMZ configurations
- Routers at each entry point into the dead zone must use protocol switching for communication
Slide 85: Intrusion Detection Software
- Monitors if and when an unauthorized person tries to gain access to a computer or network
- Provides alarms that go off when suspicious activity is detected
- Keeps logs that can be used as evidence
- Notes multiple log-in failures
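The last bullet is the classic intrusion-detection rule: raise an alarm when one user/source pair accumulates several failed logins inside a short window, while failures spread over hours stay quiet. This added example (not from the slides or any IDS product) runs that rule over constructed log lines in a syslog-like layout; the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log lines in a syslog-like layout.
SAMPLE_LOG = """\
2004-03-01 09:00:01 login: FAILED user=alice from=203.0.113.9
2004-03-01 09:00:04 login: FAILED user=alice from=203.0.113.9
2004-03-01 09:00:07 login: FAILED user=alice from=203.0.113.9
2004-03-01 09:00:09 login: FAILED user=alice from=203.0.113.9
2004-03-01 09:00:12 login: FAILED user=alice from=203.0.113.9
2004-03-01 09:05:00 login: OK user=bob from=10.0.0.8
2004-03-01 09:30:00 login: FAILED user=bob from=10.0.0.8
2004-03-01 10:30:00 login: FAILED user=bob from=10.0.0.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) login: (?P<result>FAILED|OK) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$")

def parse_log(text):
    """Yield (timestamp, result, user, source) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["result"], m["user"], m["src"])

def failed_login_alerts(text, threshold=5, window=timedelta(minutes=10)):
    """Alert once per (user, source) when `threshold` failures fall inside
    a sliding `window`. Failures spread over hours (bob) do not alert."""
    recent = defaultdict(list)   # (user, src) -> timestamps of recent failures
    alerts = []
    for ts, result, user, src in parse_log(text):
        if result != "FAILED":
            continue
        key = (user, src)
        recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
        if len(recent[key]) >= threshold:
            alerts.append((user, src, ts))
            recent[key] = []   # reset so one burst raises one alarm
    return alerts

if __name__ == "__main__":
    for user, src, when in failed_login_alerts(SAMPLE_LOG):
        print("ALERT %s: repeated failed logins for %s from %s" % (when, user, src))
```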
Slide 86: Electronic Transaction Protocols
- Make sure that transactions over the Internet are secure
- Two most popular
  - Secure sockets layer (SSL)
  - Secure electronic transaction (SET)
Slide 87: Secure Sockets Layer
- Provides security between application protocols (such as FTP, HTTP, or Telnet) and TCP/IP
- Provides data encryption and server authentication, and can provide client authentication for a TCP/IP connection
- Uses both the sender's and receiver's public and private keys to ensure a secure transaction
Slide 88: One Way SSL Can Work
Slide 89: Secure Electronic Transaction
- Offers a secure medium for credit card transactions using digital signatures
- Protects information in the transaction from being stolen or altered
- Provides a mechanism for credit card numbers to be transferred directly to the credit issuer for verification and billing without the merchant being able to see the number
Slide 90: Using SET
Slide 91: Protecting Privacy
- Control cookies
- Eliminate spam
- Protect against viruses
Slide 92: Controlling Cookies
- Both Netscape Navigator and Internet Explorer have options to reject cookies
- Many web sites rely heavily on cookies; some will not let you in unless you enable cookies
Slide 93: Controlling Cookies with Netscape Navigator
Slide 94: Controlling Cookies with Internet Explorer
Slide 95: Eliminating Spam
- Limit how much information you volunteer to people
- Create a separate e-mail account just for junk mail
- Many ISPs offer spam rejection services
- Complain to the ISP that the spam originator subscribes to
Slide 96: Protecting Against Viruses
- Use antivirus software, which works by inoculation (the process of calculating and recording checksums)
- Update antivirus software regularly
- Stay informed about new viruses and virus hoaxes
- Be suspicious of e-mail from unknown senders (55% of viruses are acquired through e-mail attachments)
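Inoculation is the hashing idea from slide 63 applied to files on disk: record a fixed-length digest of each program once, then recompute and compare, so a program that has been altered (or a file that appeared out of nowhere) stands out. This added example (not any antivirus product's code) does that with the SHA-1 and MD5 digests the slides name, over a constructed temporary directory.

```python
import hashlib
import os
import tempfile

def file_digest(path, algorithm="sha1"):
    """Fixed-length digest of a file's contents (SHA-1 or MD5 as the slides list).
    Reading in chunks keeps memory flat for large files."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def inoculate(directory, algorithm="sha1"):
    """Record a baseline: relative path -> digest for every file under directory."""
    baseline = {}
    for root, _, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            baseline[os.path.relpath(full, directory)] = file_digest(full, algorithm)
    return baseline

def check_against_baseline(directory, baseline, algorithm="sha1"):
    """Recompute digests and report what changed since inoculation."""
    current = inoculate(directory, algorithm)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Build a constructed program directory, inoculate it, then alter one
    file and drop in another; both changes must be reported."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "app.exe"), "wb") as f:
            f.write(b"original program bytes")
        with open(os.path.join(d, "readme.txt"), "wb") as f:
            f.write(b"docs")
        baseline = inoculate(d)
        with open(os.path.join(d, "app.exe"), "ab") as f:
            f.write(b"APPENDED BYTES")     # constructed change, not a real sample
        with open(os.path.join(d, "extra.exe"), "wb") as f:
            f.write(b"new unexpected file")
        return check_against_baseline(d, baseline)

if __name__ == "__main__":
    print(demo())
```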
Slides 97-98: Protecting Against Viruses
Slide 99: Downloading Updates to Antivirus Software
Slide 100: Antivirus Software
Slide 101: Virtual Private Networks (VPNs)
- Use a public network (usually the Internet) to provide a secure connection between two private networks, or between a node and a private network
- Offer networking capabilities at reduced costs
Slide 102: Tunneling
- Process by which a packet is encapsulated in a secure protocol before it is sent over a public network
- Allows the two ends of the VPN to communicate
Slide 103: Example of Tunneling
Slide 104: Tunneling Protocols Used for VPNs
- Layer 2 Forwarding (L2F)
- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Tunneling Protocol (L2TP)
- Internet Protocol Security (IPsec)
  - Only tunneling protocol that operates at the Network layer
  - Only one that uses three keys
- Internet Key Exchange (IKE)
  - Works with IPsec, but at the Application layer of the OSI model
Slide 105: Tunneling Protocols Used for VPNs
Slide 106: Data Link Layer Protocols
- Layer 2 Forwarding (L2F)
  - Connects two computers through the Internet
  - Developed by Cisco
- Point-to-Point Tunneling Protocol (PPTP)
  - Most common
  - Secures private packets over any public network
  - Remains with the packet until it reaches its destination at the gateway to the private network
- Layer 2 Tunneling Protocol (L2TP)
  - Combines PPTP and L2F to allow ISPs to operate virtual private networks
Slide 107: Internet Protocol Security
- Standard platform for creating secure networks and electronic tunnels
- Verifies and encrypts each packet of data at the Network layer to ensure maximum protection
- Uses three keys
  - Public key
  - Private key
  - Session key
- Developed by the Internet Engineering Task Force
Slide 108: IPsec Uses Three Keys
Slide 109: VPN Hardware and Software
- Components required for optimum performance
  - Security gateway (firewall) that controls access to the private network
  - Certificate authority to issue and revoke public and private keys and digital certificates
  - Security policy server to authenticate users trying to access the network
Slide 110: VPN Hardware and Software
Slide 111: A Security Gateway
- Stands between the Internet and the private network
- Encrypts and decrypts packets and tunnels them over the Internet
- Can be a router, a dedicated hardware device, or a server
Slide 112: Example of a Security Gateway
Slide 113: Chapter Summary
- Different ways that people illegally intrude on a network, and the potential damage
- How to protect your network's information and your personal information
- Installing firewalls
- Using intrusion detection software
- Implementing authentication systems
- Virtual private networks (VPNs) and how they provide secure transactions across the Internet