Part 5:Security - PowerPoint PPT Presentation

About This Presentation
Title:

Part 5:Security

Description:

Part 5:Security Network Security (Access Control, Encryption, Firewalls) – PowerPoint PPT presentation

Number of Views:230
Avg rating:3.0/5.0
Slides: 32
Provided by: KimKih9
Category:

less

Transcript and Presenter's Notes

Title: Part 5:Security


1
Part 5Security
  • Network Security
  • (Access Control, Encryption, Firewalls)

2
Secure Networks
  • Secure network is not an absolute term
  • Need to define security policy for organization
  • Network security policy cannot be separated from
    security policy for attached computers
  • Costs and benefits of security policies must be
    assessed

3
Network Security Policy
  • Devising a network security policy can be complex
    because a rational policy requires an
    organization to assess the value of information.
    The policy must apply to information stored in
    computers as well as to information traversing a
    network.

4
Aspects of Security
  • Data integrity
  • Data availability
  • Data confidentiality
  • Privacy

5
Responsibility and Control
  • Accountability how an audit trail is kept
  • Authorization who is responsible for each item
    and how is responsibility delegated to others

6
Integrity Mechanisms
  • Techniques to ensure integrity
  • Parity bits
  • Checksums
  • CRCs
  • These cannot guarantee data integrity (e.g.,
    against intentional change)
  • Use of message authentication code (MAC) that
    cannot be broken or forged

7
Access Control and Passwords
  • Passwords used to control access
  • Over a network, passwords susceptible to snooping

8
Encryption and Confidentiality
  • To ensure confidentiality of a transmitted
    message, use encryption
  • Secret key or public key schemes

9
Public Key Cryptosystem
  • Each processor has private key S and public key
    P
  • S is kept secret, and cannot be deduced from P
  • P is made available to all processors
  • Encryption and decryption with S and P are
    inverse functions P(S(m)) m and S(P(m)) m

10
Message Digest
  • Digest function maps arbitrary length message m
    to fixed length digest d(m)
  • One-way function given d(m), can't find m
  • Collision-free infeasible to generate m and m'
    such that d(m) d(m')

11
Digital Signature
  • To sign message m, sender computes digest d(m)
  • Sender computes S(d(m)) and sends along with m
  • Receiver computes P(S(d(m))) d(m)
  • Receiver computes digest of m and compares with
    result above if match, signature is verified

12
Digital Signature
13
(No Transcript)
14
Internet Firewall
  • Protect an organizations computers from internet
    problems (firewall between two structures to
    prevent spread of fire)

15
Internet Firewall
  • All traffic entering the organization passes
    through the firewall
  • All traffic leaving the organization passes
    through the firewall
  • The firewall implements the security policy and
    rejects any traffic that doesnt adhere
  • The firewall must be immune to security attacks

16
Packet Filtering
  • Packet filter is embedded in router
  • Specify which packets can pass through and which
    should be blocked

17
Using Packet Filters to Create a Firewall
  • Three components in a firewall
  • Packet filter for incoming packets
  • Packet filter for outgoing packets
  • Secure computer system to run application-layer
    gateways or proxies

18
Virtual Private Networks
  • Two approaches to building corporate intranet for
    an organization with multiple sites
  • Private network connections (confidential)
  • Public internet connections (low cost)
  • Virtual Private Network
  • Achieve both confidentiality and low cost
  • Implemented in software

19
Virtual Private Network
  • VPN software in router at each site gives
    appearance of a private network

20
Virtual Private Network
  • Obtain internet connection for each site
  • Choose router at each site to run VPN software
  • Configure VPN software in each router to know
    about the VPN routers at other sites
  • VPN software acts as a packet filter next hop
    for outgoing datagram is another VPN router
  • Each outgoing datagram is encrypted

21
Tunneling
  • Desire to encrypt entire datagram so source and
    destination addresses are not visible on Internet
  • How can internet routers do proper forwarding?
  • Solution VPN software encrypts entire datagram
    and places inside another for transmission
  • Called IP-in-IP tunneling (encapsulation)

22
Tunneling
  • Datagram from computer x at site 1 to computer y
    at site 2
  • Router R1 on site 1 encrypts, encapsulates in new
    datagram for transmission to router R2 on site 2

23
Other Security Methods
24
PGP Pretty Good Privacy
  • PGP is a security technology which allows us to
    send email that is authenticated and/or
    encrypted.
  • Authentication confirms the identity of the
    sender or a message.
  • Encryption scrambles the contents of a message so
    that only the intended recipients can read it.
  • Each user of PGP has a public and a private key.
    They are generated in matched pairs a public key
    only ever works with its twin private key.
  • A user's public key is not a secret and can be
    distributed widely.
  • A user's private key however must be kept secret,
    and is protected by a pass phrase (like a
    password but longer).

25
PGP Pretty Good Privacy
  • A public key is used in two ways Alice can
    authenticate a signed message from Bob using his
    public key. If the message matches Bob's public
    key then Alice can be sure that the message came
    from Bob.Alice can send a secure message to Bob
    by encrypting the message using Bob's public key.
    The only person who can decrypt the message is
    Bob.
  • A private key also has two uses Bob can send an
    authenticated message to Alice by signing it with
    his private key. Since Bob is the only person who
    has his private key (and the pass phrase that
    protects it), Alice knows that if the message
    matches Bob's public key, then it must have been
    sent by Bob.Bob can read a secure message sent
    by Alice by decrypting it with his private key.

26
SSL (Secure Sockets Layer)
  • The SSL (Secure Sockets Layer) Handshake Protocol
    was developed to provide security and privacy
    over the Internet.
  • The SSL protocol runs in a "layer" above TCP/IP
    and below higher-level protocols such as HTTP or
    IMAP.
  • The SSL protocol is able to negotiate encryption
    keys as well as authenticate the server before
    data is exchanged by the higher-level
    application.
  • The SSL protocol maintains the security and
    integrity of the transmission channel by using
    encryption, authentication and message
    authentication codes.

27
HTTPS
  • HTTPS stands for Hypertext Transfer Protocol over
    Secure Socket Layer, or HTTP over SSL.
  • HTTPS encrypts and decrypts the page requests and
    page information between the client browser and
    the web server using a secure Socket Layer (SSL).
  • SSL transactions are negotiated by means of a
    keybased encryption algorithm between the client
    and the server.

28
IPsec
  • Short for IP Security, IPsec is a set of
    protocols developed by the IETF to support secure
    exchange of packets at the IP layer.
  • IPsec supports two encryption modes Transport
    and Tunnel.
  • Transport mode encrypts only the data portion
    (payload) of each packet, but leaves the header
    untouched.
  • The more secure Tunnel mode encrypts both the
    header and the payload. On the receiving side, an
    IPSec-compliant device decrypts each packet.

29
SET Secure Electronic Transactions
  • Short for Secure Electronic Transaction, a
    standard that will enable secure credit card
    transactions on the Internet.
  • SET has been endorsed by virtually all the major
    players in the electronic commerce arena,
    including Microsoft, Netscape, Visa, and
    Mastercard.
  • By employing digital signatures, SET will enable
    merchants to verify that buyers are who they
    claim to be.
  • It will protect buyers by providing a mechanism
    for their credit card number to be transferred
    directly to the credit card issuer for
    verification and billing without the merchant
    being able to see the number.

30
Summary
  • Security is desirable but must be defined by an
    organization
  • Assess value of information and define a security
    policy
  • Aspects to consider include privacy and data
    integrity, availability, and confidentiality

31
Summary (continued)
  • Mechanisms to provide aspects of security
  • Encryption secret and public key cryptosystems
  • Firewalls packet filtering
  • Virtual private networks
  • Use Internet to transfer data among
    organizations sites but ensure that data cannot
    be read by others
Write a Comment
User Comments (0)
About PowerShow.com