Internet Security - PowerPoint PPT Presentation

1 / 113
About This Presentation
Title:

Internet Security

Description:

Bastion host. Three-homed firewall. Back-to-back firewall. Dead zone. 75 ... Bastion Host ... Bastion Host. 80. Three-Homed Firewall. Uses three network cards for the entry ... – PowerPoint PPT presentation

Number of Views:49
Avg rating:3.0/5.0
Slides: 114
Provided by: anned157
Category:

less

Transcript and Presenter's Notes

Title: Internet Security


1
Internet Security
  • Chapter 12

2
You Will Learn
  • About the ways that computers and networks can be
    attacked
  • How to safeguard network resources from
    unauthorized access
  • What virtual private networks are and how they
    ensure a secure connection so that data can be
    transmitted over the Internet

3
Types of Intrusion
  • Flooding
  • Data theft
  • Computer infestations
  • Cookies

4
Flooding
  • A type of Denial of Service (DoS) attack, which
    overloads the server with false requests,
    therefore preventing it from processing
    legitimate requests
  • Halts resources
  • Types of flooding attacks
  • SYN flooding
  • Ping flooding
  • Mail flooding

5
SYN Flooding
  • Uses an invalid return address so synchronization
    feature of TCP cannot complete, thereby disabling
    the system

6
A Normal SYN Operation
  • TCP on the client sends a SYN (synchronize start)
    packet to TCP on the server
  • TCP on the server responds with a SYN ACK
    (synchronize acknowledge)
  • TCP on the client completes the handshake by
    sending an ACK (acknowledge) packet to the
    destination server

7
A Normal SYN Operation
8
A SYN Flood
9
DoS Attacks
10
Ping Flooding
  • A type of DoS attack in which a host is flooded
    with Ping requests to the point that the server
    cannot function
  • Also known as ICMP flooding
  • Ping of Death attack
  • Occurs when a hacker uses the Ping protocol to
    send a packet that is larger than the standard 64
    bytes

11
Mail Flooding
  • A type of DoS attack in which an SMTP host is
    sent a large number of huge e-mails, thus
    overloading the system
  • Spam
  • Unsolicited e-mail messages that are usually
    trying to sell a product, and are sent in bulk

12
Data Theft
  • Monitor network until an opening is found
    install programs that allow future access to the
    files
  • Man in the middle attack
  • Attackers intercept data that is being
    transmitted across a network

13
Computer Infestations
  • Viruses (most common)
  • Worms
  • Trojan horses

14
Virus
  • Has an incubation period
  • Can replicate by attaching itself to other
    programs
  • Is destructive
  • Usually spreads through infected e-mail messages
    that arrive with a virus in an attachment

15
Example of a Virus
16
Worm
  • Spreads copies of itself throughout the network
    without needing a host program
  • Overloads network resources making the network
    unusable

17
Trojan Horse
  • Substitutes itself for a legitimate program, but
    damages the system
  • Does not need a host program

18
Cookies
  • Data stored on the clients system by a web site
    for later retrieval
  • Many people feel that cookies allow companies to
    intrude on privacy rights

19
Protection Strategies
  • All areas of a network need to be protected
  • Entities you can protect
  • Private network or intranet (client-to-gateway
    security)
  • Extranet
  • Transactions between individuals and a web site
  • Transactions between individuals across the
    Internet (client-to-client security)
  • Virtual private network

20
(No Transcript)
21
Goals of a Security System
  • Privacy
  • Authentication
  • Data integrity
  • Non-repudiation
  • Ease of use

22
Protection Strategies
  • Authentication
  • Encryption
  • Firewalls
  • Intrusion detection software
  • Electronic transaction protocols
  • Protecting privacy
  • Protection against viruses

23
Authentication
  • Process of ensuring that a person or computer is
    who or what it says it is before being allowed
    access to a secured network or secured data

24
Levels of Authentication
  • None
  • Connect
  • Call
  • Packet
  • Packet integrity
  • Packet privacy (includes encryption)

25
User IDs and Passwords
  • Most common method of authentication
  • Can be set at many levels
  • User ID is a code used to indicate who the user
    is only that user knows the password
  • Passwords on the PC can be setup passwords,
    operating system passwords, and passwords on
    files, folders, and applications

26
User IDs and Passwords Required by the Network
Operating System
  • Each ID can be assigned certain rights that apply
    to only that ID
  • Network administrator defines user permissions
    (read, write, no access)

27
Setting a Windows Password
28
Securing User IDs and Passwords
  • Passwords are encrypted at the entry point and
    decrypted just before they are validated
  • Several encryption services (authentication
    protocols)
  • Most popular
  • CHAP (Challenge Handshake Authentication
    Protocol)
  • Kerberos

29
User IDs and Passwords Used by Internet
Applications
30
Problems with Passwords
  • Many people do not keep them secret
  • People write down their passwords
  • A good password is a mixture of letters, numbers,
    and symbols, and has no logical meaning

31
Smart Cards
  • Can hold data about the card holder and then be
    used to provide access to a single computer or
    network
  • Disadvantage
  • A reader device must be installed on each
    computer or network device where the user must
    gain access

32
Example of a Smart Card
33
Digital Certificates
  • Digital signatures that verify the senders
    identity
  • Assist in non-repudiation of origin and
    non-repudiation of delivery
  • Issued only by certification authorities (eg,
    VeriSign)
  • Sometimes used to help create a virtual private
    network (VPN)

34
Types of Digital Certificates
  • Client SSL certificate
  • Server SSL certificate
  • S/MIME certificate
  • Object-signing certificate
  • CA certificate

35
What Is in a Digital Certificate?
  • Most conform to the X.509 certificate
    specification
  • Certificates can be read by a computer only
    cannot be read by humans
  • Parts of a digital certificate
  • Data section
  • Signature section

36
Data Section of a Digital Certificate
  • Version number of the X.509 that the certificate
    supports
  • Serial number
  • Name of the authority that issued the certificate
  • Dates and times when certificate is valid
  • Person/company to whom it was issued
  • Algorithm used to encode the certificate
  • Additional information (eg, type of certificate)

37
Signature Section of a Digital Certificate
  • Algorithm that was used by the certification
    authority to create the digital certificate
  • Certification authoritys digital signature

38
How Digital Certificates Work
  • Involves three parties
  • Person needing the certificate
  • Authority issuing it
  • Company with whom the person wants to use the
    certificate

39
How Digital Certificates Work
  • Individual applies to a certification authority
    for a certificate
  • CA validates identity of individual and issues a
    digital certificate
  • CA informs the corporate intranet that a digital
    certificate has been issued to the vendor, and
    monitors the life cycle of the certificate
  • At logon, the individuals browser presents the
    certificate to the secure gateway, which
    validates it and allows the individual access

40
How Digital Certificates Work
41
How to Protect Your Digital Certificate
  • Require a password
  • Store the certificate away from your computer
    (such as a PCMCIA card or smart card)

42
Using a Digital Certificate (VeriSign)
43
Using a Digital Certificate
44
Using a Digital Certificate
45
Using a Digital Certificate
46
Using a Digital Certificate
47
Using a Digital Certificate
48
Using a Digital Certificate
49
Encryption
  • Process of coding data to prevent unauthorized
    parties from being able to change or view it
  • Methods vary, but the most secure method uses
    three keys others use one or two keys

50
Symmetric Encryption (Private Key)
  • Uses one key (session key or secret key) for both
    encryption and decryption
  • Ciphertext (the unreadable data)

51
Effectiveness of Encryption is Determined by
  • The algorithm or set of rules used to encrypt the
    data
  • The complexity or length of the session key used
    to do the encryption
  • The longer the session key, the more secure the
    data

52
Symmetric Encryption (Private Key)
53
Algorithms Used for Encryption
  • DES (Data Encryption Standard)
  • Triple DES
  • Skipjack
  • Blowfish

54
DES (Data Encryption Standard)
  • Uses a 64-bit key to encrypt and decrypt data
  • Runs the main algorithm 16 times to produce the
    encrypted data
  • Can be used in one of four modes
  • Electronic Code Book (ECB)
  • Cipher Block Chaining (CBC)
  • Cipher Feedback (CFB)
  • Output Feedback (OFB)

55
Triple DES
  • Uses three 64-bit keys
  • Repeats the process three times, once with each
    64-bit key

56
Triple DES
57
Skipjack and Blowfish
  • Skipjack
  • Uses 80-bit keys and is repeated 32 times to
    produce ciphertext
  • Can run using all four modes DES uses
  • Blowfish
  • Uses either fixed-length keys or variable length
    keys, from 32-bits to 448-bits
  • Can be downloaded for free

58
Asymmetric or Public Key Encryption
  • Requires two keys (a public key for encryption
    and a private key for decryption)
  • Public key is available to anyone
  • Private key is kept on the users computer and
    should be secure it is the only key that can
    decrypt the message
  • Asymmetric algorithms RC2, RC4, and RC5
  • Slower then using session keys

59
How Public Key Encryption Works
60
Pretty Good Privacy (PGP) Encryption
  • Encrypts and decrypts messages that are sent over
    the Internet
  • Sends digital signatures to ensure identity of
    sender
  • Verifies that the message was not altered during
    transmission
  • Uses three keys
  • Receivers public key
  • Receivers private key
  • A short key generated by the encryption software

61
How PGP Works
62
Secure Multi-Purpose Internet Mail Extensions
  • A secure version of MIME
  • Works like public key encryption
  • A message is sent with receivers public key and
    can be opened only with receivers private key

63
Hashing
  • Validates that data sent over a network has not
    been altered while in transit by sending a
    calculated, fixed-length value (a hash) that is
    compared to another hash calculated by the
    receiver of the data
  • Also called one-way encryption
  • Algorithms used
  • SHA-1 (Secure Hash Algorithm 1)
  • MD5 (Message Digest 5)

64
Hashing
65
Firewalls
  • Control information that is sent and received
    from outside the network
  • Can be installed on several different types of
    gateways (router, server, or PC)
  • Can filter data packets, ports, applications, and
    information (eg, inappropriate Web content)

66
Personal Firewalls
  • Filter information
  • Block open ports
  • Stop suspicious programs
  • Allow users to set the level of security

67
Setting the Level of Security on a Firewall
68
Personal Firewalls
69
A Proxy Server Used as a Firewall
  • Can filter traffic in both directions

70
A Proxy Server Used as a Firewall
71
Firewalls that Filter Ports and Packets
  • Prevent software on the outside from using
    certain ports on the network
  • Screening router can use stateful inspection

72
Firewalls that Filter Ports and Packets
73
DMZ (Demilitarized Zone) Configurations
  • Area between a private network and the Internet,
    but not a direct part of either network
  • Protect the private network while still offering
    services to the Internet community

74
Ways to Set up a DMZ
  • Screened host
  • Bastion host
  • Three-homed firewall
  • Back-to-back firewall
  • Dead zone

75
Screened Host
  • A router is used to filter all traffic to the
    private intranet but allow full access to the
    computer in the DMZ

76
Screened Host
77
Screened Host
78
Bastion Host
  • A computer that stands outside the protected
    network and is exposed to an attack by using two
    network cards, one for the DMZ and one for the
    intranet
  • Also called dual-homed host or dual-homed firewall

79
Bastion Host
80
Three-Homed Firewall
  • Uses three network cards for the entry point to
    the DMZ
  • One connects to the Internet
  • One connects to the DMZ network
  • One connects to the intranet

81
Three-Homed Firewall
82
Back-to-Back Firewall
  • Uses two firewalls, one between the Internet and
    the DMZ and one between the DMZ and the intranet
  • Offers exceptional protection
  • Expensive and complicated to implement

83
Back-to-Back Firewall
84
Dead Zone
  • A network between two routers that uses another
    network protocol other than TCP/IP
  • Most secure of all DMZ configurations
  • Routers at each entry point into the dead zone
    must use protocol switching for communication

85
Intrusion Detection Software
  • Monitors if and when an unauthorized person tries
    to gain access to a computer or network
  • Provides alarms that go off when suspicious
    activity is detected
  • Keeps logs that can be used as evidence
  • Notes multiple log-in failures

86
Electronic Transaction Protocols
  • Make sure that transactions over the Internet are
    secure
  • Two most popular
  • Secure sockets layer (SSL)
  • Secure electronic transaction (SET)

87
Secure Sockets Layer
  • Provides security between application protocols
    (such as FTP, HTTP, or Telnet) and TCP/IP
  • Provides data encryption and server
    authentication and can provide client
    authentication for a TCP/IP connection
  • Uses both the senders and receivers public and
    private keys to ensure a secure transaction

88
One Way SSL Can Work
89
Secure Electronic Transaction
  • Offers a secure medium for credit card
    transactions using digital signatures
  • Protects information in the transaction from
    being stolen or altered
  • Provides a mechanism for credit card numbers to
    be transferred directly to the credit issuer for
    verification and billing without the merchant
    being able to see the number

90
Using SET
91
Protecting Privacy
  • Control cookies
  • Eliminate span
  • Protect against viruses

92
Controlling Cookies
  • Both Netscape Navigator and Internet Explorer
    have options to reject cookies
  • Many web sites rely heavily on cookies some will
    not let you in unless you enable cookies

93
Controlling Cookies with Netscape Navigator
94
Controlling Cookies with Internet Explorer
95
Eliminating Spam
  • Limit how much information you volunteer to
    people
  • Create a separate e-mail account just for junk
    mail
  • Many ISPs offer spam rejection services
  • Complain to the ISP that the spam originator
    subscribes to

96
Protecting Against Viruses
  • Use antivirus software, which works by
    inoculation (process of calculating and recording
    checksums)
  • Update antivirus software regularly
  • Stay informed about new viruses and virus hoaxes
  • Be suspicious of e-mail from unknown senders (55
    of viruses are acquired through e-mail
    attachments)

97
Protecting Against Viruses
98
Protecting Against Viruses
99
Downloading Updates to Antivirus Software
100
Antivirus Software
101
Virtual Private Networks (VPNs)
  • Use a public network (usually the Internet) to
    provide a secure connection between two private
    networks or a node and private network
  • Offer networking capabilities at reduced costs

102
Tunneling
  • Process by which a packet is encapsulated in a
    secure protocol before it is sent over a public
    network
  • Allows two ends of the VPN to communicate

103
Example of Tunneling
104
Tunneling Protocols Used for VPNs
  • Layer 2 Forwarding (L2F)
  • Point-to-Point Tunneling Protocol (PPTP)
  • Layer 2 Tunneling Protocol (L2TP)
  • Internet Protocol Security (IPsec)
  • Only tunneling protocol that operates at Network
    layer
  • Only one that uses three keys
  • Internet Key Exchange (IKE)
  • Works with IPsec, but at the Application layer of
    the OSI model

105
Tunneling Protocols Used for VPNs
106
Data Link Layer Protocols
  • Layer 2 Forwarding (L2F)
  • Connects two computers through the Internet
  • Developed by Cisco
  • Point-to-Point Tunneling Protocol (PPTP)
  • Most common
  • Secures private packets over any public network
  • Remains with the packet until it reaches its
    destination at the gateway to the private network
  • Layer 2 Tunneling Protocol (L2TP)
  • Combines PPTP and L2F to allow ISPs to operate
    virtual private networks

107
Internet Protocol Security
  • Standard platform for creating secure networks
    and electronic tunnels
  • Verifies and encrypts each packet of data at the
    Network layer to ensure maximum protection
  • Uses three keys
  • Public key
  • Private key
  • Session key
  • Developed by Internet Engineering Task Force

108
IPsec Uses Three Keys
109
VPN Hardware and Software
  • Components required for optimum performance
  • Security gateway (firewall) that controls access
    to the private network
  • Certificate authority to issue and revoke public
    and private keys and digital certificates
  • Security policy server to authenticate users
    trying to access the network

110
VPN Hardware and Software
111
A Security Gateway
  • Stands between the Internet and the private
    network
  • Encrypts and decrypts packets and tunnels them
    over the Internet
  • Can be a router, a dedicated hardware device, or
    a server

112
Example of a Security Gateway
113
Chapter Summary
  • Different ways that people illegally intrude on a
    network, and the potential damage
  • How to protect your networks information and
    your personal information
  • Installing firewalls
  • Using intrusion detection software
  • Implementing authentication systems
  • Virtual private networks (VPNs) and how they
    provide secure transactions across the Internet
Write a Comment
User Comments (0)
About PowerShow.com