Overview of Network Security
Mohamed Sharif
Lecture 7
Internet Security Overview - Mason academic research system
06/15/22

Presentation Content

• What is Internet?
• What do we need to protect?
• Threat Motivation
• Attack Types
• Security Objectives
• Security mechanisms
• References

What is Internet?

• The Internet is a worldwide IP network that links a collection of different networks from various sources: governmental, educational and commercial.

What do we need to protect

• Data
• Resources
• Reputation

Threat Motivation

• Spy
• Joyride
• Ignorance
• Score Keeper
• Revenge
• Greed
• Terrorist

Types of Attacks

• Passive
• Active
  – Denial of Service
  – Social Engineering

TCP 3 way handshake

[Figure: the three-way handshake between Client and Server; X, Y are sequence numbers]
Client → Server: SYN(X)
Server → Client: SYN(Y), ACK(X)   (connection is half open)
Client → Server: ACK(Y)           (connection is full open)

TCP Session Hijack

[Figure: the Attacker initiates TCP with the Client's address, 146.135.12.1, as the source]
Attacker → Server: SYN(X), with 146.135.12.1 as source
Server → Client (146.135.12.1): SYN(Y), ACK(X)   (connection is half open)
Attacker → Server: completes the TCP connection; the Server now sees a valid TCP connection with 146.135.12.1
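An added example, not from the lecture, covering the two handshake slides above: a server-side model of the handshake in Python, written in the slides' SYN(X) / SYN(Y), ACK(X) / ACK(Y) notation. It keeps half-open connections in a bounded backlog (so they cannot pile up without limit) and picks Y unpredictably, so only a peer that actually received SYN(Y), ACK(X) can supply the ACK(Y) that makes the connection full open. The `Server` class, the backlog size and the peer addresses are assumptions for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Peer = Tuple[str, int]   # (source IP, source port)


@dataclass
class Server:
    """Server side of the three-way handshake in the slides' notation:
    SYN(X) -> SYN(Y), ACK(X) -> ACK(Y).  `backlog` is an assumed cap on half-open entries."""
    backlog: int = 3
    half_open: Dict[Peer, int] = field(default_factory=dict)   # peer -> the Y we sent it
    established: Set[Peer] = field(default_factory=set)

    def initial_sequence_number(self) -> int:
        # Unpredictable Y: a peer that never received SYN(Y), ACK(X) does not know
        # which ACK(Y) the server expects, so it cannot complete the handshake.
        return secrets.randbelow(2 ** 32)

    def on_syn(self, peer: Peer, x: int) -> Optional[tuple]:
        """Step 1: SYN(X) arrives. Reply SYN(Y), ACK(X); the connection is now half open."""
        if peer in self.established:
            return None                       # duplicate SYN on an open connection: ignore
        if peer not in self.half_open and len(self.half_open) >= self.backlog:
            return None                       # backlog full: drop rather than grow half-open state
        y = self.initial_sequence_number()
        self.half_open[peer] = y
        return ("SYN", y, "ACK", x)

    def on_ack(self, peer: Peer, acked_y: int) -> bool:
        """Step 3: ACK(Y) arrives. Only the Y we actually sent completes the connection (full open)."""
        expected = self.half_open.get(peer)
        if expected is None or acked_y != expected:
            return False
        del self.half_open[peer]
        self.established.add(peer)
        return True

    def expire_half_open(self) -> int:
        """Housekeeping (e.g. on a timer): discard every half-open entry and report how many."""
        n = len(self.half_open)
        self.half_open.clear()
        return n


def handshake(server: Server, peer: Peer, x: int) -> bool:
    """A well-behaved client: it receives SYN(Y), ACK(X) and answers with ACK(Y)."""
    reply = server.on_syn(peer, x)
    if reply is None:
        return False
    _, y, _, acked_x = reply
    if acked_x != x:
        return False
    return server.on_ack(peer, y)
```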

Security Objectives

• Identification
• Authentication
• Authorization
• Access Control
• Data Integrity
• Confidentiality
• Non-repudiation

Identification

• Something which uniquely identifies a user, called the UserID.
• Sometimes users can select their own ID, as long as it has not already been given to another user.
• A UserID can be one or a combination of the following:
  – User Name
  – User Student Number
  – User SSN

Authentication

• The process of verifying the identity of a user
• Typically based on
  – Something the user knows
    • Password
  – Something the user has
    • Key, smart card, disk, or other device
  – Something the user is
    • Fingerprint, voice, or retinal scans

Authentication Cont.

• Authentication procedure
  – Two-Party Authentication
    • One-Way Authentication
    • Two-Way Authentication
  – Third-Party Authentication
    • Kerberos
    • X.509
  – Single Sign On
    • User can access several network resources by logging on once to a security system.

Two-Party Authentications

[Figure: One-way Authentication: the Client sends UserID & Password to the Server, and the Server marks the Client Authenticated. Two-way Authentication: the Client sends UserID & Password to the Server (Server: Authenticated) and the Server sends ServerID & Password to the Client (Client: Authenticated).]

Third-Party Authentications

[Figure: the Client sends Client ID, Password to the Security Server and is Authenticated; the Server sends Server ID, Password to the Security Server and is Authenticated; keys are then exchanged, after which the Client and Server Exchange Data.]

Authorization

• The process of assigning access rights to a user

Access Control

• The process of enforcing access rights
• It is based on the following three entities
  – Subject
    • is an entity that can access an object
  – Object
    • is an entity to which access can be controlled
  – Access Right
    • defines the ways in which a subject can access an object.

Access Control Cont.

• Access Control is divided into two
  – Discretionary Access Control (DAC)
    • The owner of the object is responsible for setting the access rights.
  – Mandatory Access Control (MAC)
    • The system defines access rights based on how the subject and object are classified.
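An added example, not from the lecture, for the two access control slides above: the three entities (Subject, Object, Access Right) as Python classes, with a DAC check in which only the owner can set rights, and a MAC check in which the system decides from classification labels alone. The classification lattice and the particular MAC rule (read only at or below your clearance, write only at or above it, in the style of Bell-LaPadula) are assumptions; the slide only says that the labels decide.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed classification lattice (ordered low to high) used by the MAC rule.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass
class Subject:
    """Entity that can access an object."""
    name: str
    clearance: str


@dataclass
class Object:
    """Entity to which access can be controlled."""
    name: str
    owner: str
    classification: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)   # subject name -> access rights


def dac_grant(granter: Subject, obj: Object, subject: str, right: str) -> bool:
    """DAC: only the object's owner is allowed to set access rights on it."""
    if granter.name != obj.owner:
        return False
    obj.acl.setdefault(subject, set()).add(right)
    return True


def dac_allows(subj: Subject, obj: Object, right: str) -> bool:
    """DAC: the owner always has access; anyone else needs an ACL entry set by the owner."""
    return subj.name == obj.owner or right in obj.acl.get(subj.name, set())


def mac_allows(subj: Subject, obj: Object, right: str) -> bool:
    """MAC: the system decides from the labels alone; the owner cannot override it.
    Assumed rule (Bell-LaPadula style; the slide does not name one):
    read only objects at or below your clearance, write only objects at or above it."""
    s, o = LEVELS[subj.clearance], LEVELS[obj.classification]
    if right == "read":
        return s >= o
    if right == "write":
        return s <= o
    return False


def access_allowed(subj: Subject, obj: Object, right: str, policy: str) -> bool:
    """Enforcement point: evaluate (subject, object, access right) under the chosen policy."""
    if policy == "DAC":
        return dac_allows(subj, obj, right)
    if policy == "MAC":
        return mac_allows(subj, obj, right)
    raise ValueError(f"unknown policy {policy!r}")
```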

Data Integrity

• Assurance that the data that arrives is the same as when it was sent.

Confidentiality

• Assurance that sensitive information is not visible to an eavesdropper. This is usually achieved using encryption.

Non-repudiation

• Assurance that any transaction that takes place can subsequently be proved to have taken place. Both the sender and the receiver agree that the exchange took place.

Security Mechanisms

• Web Security
• Cryptographic techniques
• Internet Firewalls

Web Security

• Basic Authentication
• Secure Socket Layer (SSL)

Basic Authentication

A simple user ID and password-based authentication scheme, which provides the following:
  – To identify which user is accessing the server
  – To limit users to accessing specific pages (identified as Universal Resource Locators, URLs)
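An added example, not from the lecture, of the two things the slide says Basic Authentication provides: a Python check that decodes the `Authorization: Basic` header to identify the user, verifies the password against a stored salted hash, and then limits that user to specific URL prefixes. The credential store, the page permissions, the PBKDF2 storage format and the HTTP status codes returned are assumptions for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000


def make_record(password: str) -> Dict[str, bytes]:
    """Store a salted PBKDF2 hash of the password rather than the password itself."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)}


# Constructed credential store and page permissions (URL prefix -> users allowed on it).
USERS = {"alice": make_record("correct horse"), "bob": make_record("hunter2")}
PAGE_ACL = {"/reports/": {"alice"}, "/public/": {"alice", "bob"}}
DUMMY = make_record("dummy")   # unknown user IDs are checked against this, so they take as long as real ones


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic base64(userid:password)'; None if absent or malformed."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")   # only the first ':' separates; passwords may contain ':'
    return (user, password) if sep and user else None


def authenticate(header: Optional[str]) -> Optional[str]:
    """Identify the user: return the user ID if the password checks out, else None."""
    creds = parse_basic(header)
    if creds is None:
        return None
    user, password = creds
    rec = USERS.get(user, DUMMY)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    if user in USERS and hmac.compare_digest(digest, rec["hash"]):
        return user
    return None


def authorize(header: Optional[str], url: str) -> int:
    """Limit users to specific pages: 401 = not authenticated, 403 = not allowed here, 200 = ok."""
    user = authenticate(header)
    if user is None:
        return 401
    for prefix, allowed in PAGE_ACL.items():
        if url.startswith(prefix):
            return 200 if user in allowed else 403
    return 403   # pages with no entry are served to nobody


def basic_header(user: str, password: str) -> str:
    """What a browser sends after the user fills in the ID/password prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```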

Secure Socket Layer (SSL)

• Netscape Inc. originally created the SSL protocol, but now it is implemented in World Wide Web browsers and servers from many vendors. SSL provides the following:
  – Confidentiality through an encrypted connection based on symmetric keys
  – Authentication using public key identification and verification
  – Connection reliability through integrity checking
• There are two parts to the SSL standard, as follows:
  – The SSL Handshake is a protocol for initial authentication and transfer of encryption keys.
  – The SSL Record protocol is a protocol for transferring encrypted data.

Secure Socket Layer Cont..

The client sends a "hello" message to the Web server, and the server responds with a copy of its digital certificate.
The client decrypts the server's public key using the well-known public key of the Certificate Authority, such as VeriSign.
The client generates two random numbers that will be used for symmetric key encryption, one number for the receiving channel and one for the sending channel. These keys are encrypted using the server's public key and then transmitted to the server.
The client issues a challenge (some text encrypted with the send key) to the server using the send symmetric key and waits for a response from the server that is using the receive symmetric key.
Optionally, the server authenticates the client.
Data is exchanged across the secure channel.

Cryptographic Techniques

• Secret Key Algorithm
• Public Key Algorithm
• Secure Hash Function
• Digital Signature
• Certificate Authority

Secret Key Algorithm

[Figure: Bob encrypts the Clear Text under the Secret Key to produce Cipher Text; Alice decrypts the Cipher Text with the same Secret Key to recover the Clear Text.]

Public Key Algorithm

[Figure: Bob encrypts the Clear Text with Alice's Public Key to produce Cipher Text; Alice decrypts the Cipher Text with Alice's Private Key to recover the Clear Text.]

Secure Hash Function

[Figure: Bob feeds the Clear Text and a Key into the Hash Function to produce the Message Digest, then sends the Original Clear Text and the Original Message Digest over the Non-Secure Network. Alice feeds the received Original Clear Text and the Key into the Hash Function to obtain the Computed Message Digest and compares it with the Original Message Digest (match?).]
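An added example, not from the lecture, of the keyed hash check in the figure above: Bob attaches a digest computed over the clear text and a shared key, the message crosses the non-secure network, and Alice recomputes the digest and compares. HMAC-SHA256 stands in for the slide's unnamed keyed Hash Function, and the key and message are constructed; the example also shows why a digest recomputed without the key does not pass Alice's comparison.

```python
import hashlib
import hmac
from typing import Callable, Optional, Tuple

Message = Tuple[bytes, bytes]   # (Original Clear Text, Original Message Digest)


def make_digest(key: bytes, clear_text: bytes) -> bytes:
    """Hash Function(Clear Text, Key) -> Message Digest. HMAC-SHA256 is an assumption;
    the slide does not name the keyed hash."""
    return hmac.new(key, clear_text, hashlib.sha256).digest()


def send(key: bytes, clear_text: bytes) -> Message:
    """Bob's side: put the clear text and its digest on the non-secure network."""
    return clear_text, make_digest(key, clear_text)


def receive(key: bytes, msg: Message) -> bool:
    """Alice's side: recompute the digest over what arrived and compare it with the one that
    arrived. compare_digest runs in constant time, so the comparison leaks nothing."""
    text, original_digest = msg
    return hmac.compare_digest(make_digest(key, text), original_digest)


def non_secure_network(msg: Message, tamper: Optional[Callable[[Message], Message]] = None) -> Message:
    """Transit: anything on the path may read or alter the message; the key never travels."""
    return tamper(msg) if tamper else msg


def modified_in_transit(msg: Message) -> Message:
    """Failure mode to detect: the text is altered and a plain (unkeyed) SHA-256 of the new
    text is attached, which is all that can be computed without the key."""
    text, _ = msg
    new_text = text.replace(b"100", b"900")
    return new_text, hashlib.sha256(new_text).digest()
```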

Digital Signature

[Figure: Alice encrypts the Clear Text with Alice's Private Key to produce Cipher Text; Bob performs Decryption & Authentication with Alice's Public Key to recover the Clear Text.]

Certificate Authority

[Figure: Bob publishes his Public Key with the Certificate Authority; Alice requests Bob's Public Key from the Certificate Authority and receives Bob's Public Key; Alice then sends Cipher Text to Bob.]

X.509 Certificate

• Is an ITU-T Recommendation.
• Specifies the authentication service for X.500 directories
• X.500 specifies the directory services.
• Version 1 was published in 1988.
• Version 2 was published in 1993.
• Version 3 was proposed in 1994 and approved in 1997.
• Binds the subject (user's) name and the user's public key.

X.509 Certificate (cont..)

• An X.509 certificate consists of the following fields:
  – Version
  – Serial Number
  – Algorithm Identifier
  – Issuer name
  – Validity period
  – Subject name
  – Subject public key information
  – Issuer unique identifier (Version 2 & 3 only)
  – Subject unique identifier (Version 2 & 3 only)
  – Extensions (Version 3 only)
  – Signature

X.509 Certificate (Cont..)

• Version 1
  – Basic
• Version 2
  – Adds unique identifier to prevent reuse of X.500
• Version 3
  – Adds extensions to carry additional information, some of which are
    • Distinguish different certificates
    • Alternative to X.500 name
    • Limit on further certification by subject
    • Policy and Usage

X.509 Certificate Revocation List (CRL)

• Is to prevent fraud and misuse.
• A certificate may be revoked for one of the following reasons:
  – The user's private key is compromised
  – The user is no longer certified by this CA
  – The CA's private key is compromised
• Version 1 was published in 1988.
• Version 2 was published in 1997.

X.509 CRL (cont..)

• An X.509 CRL consists of the following fields:
  – Version
  – Serial Number
  – Revocation Date
  – Algorithm Identifier
  – Issuer name
  – Last update
  – Next update
  – Extensions (Version 2 only)
  – Signature
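An added example, not from the lecture, that puts the certificate and CRL fields from the slides above to work: Python records carrying those fields, and a check that decides whether a certificate may be relied on at a given time (validity period, CRL issued by the same CA, CRL not past its Next update, serial number not on the revoked list). Signature verification of both the certificate and the CRL is assumed to have been done already, and the CA name, serial numbers and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List


@dataclass
class Certificate:
    """The X.509 fields listed on the slides (signature assumed already verified)."""
    version: int
    serial: int
    algorithm: str
    issuer: str
    not_before: datetime        # validity period start
    not_after: datetime         # validity period end
    subject: str
    subject_public_key: bytes


@dataclass
class RevokedEntry:
    serial: int                 # serial number of the revoked certificate
    revocation_date: datetime


@dataclass
class CRL:
    """The CRL fields listed on the slides (signature assumed already verified)."""
    version: int
    algorithm: str
    issuer: str
    last_update: datetime
    next_update: datetime
    revoked: List[RevokedEntry] = field(default_factory=list)


def check_certificate(cert: Certificate, crl: CRL, now: datetime) -> str:
    """Decide whether `cert` may be relied on at time `now`, given its issuer's CRL."""
    if now < cert.not_before:
        return "not-yet-valid"
    if now > cert.not_after:
        return "expired"
    if crl.issuer != cert.issuer:
        return "crl-issuer-mismatch"     # a CRL only speaks for certificates its issuer signed
    if now > crl.next_update:
        return "crl-stale"               # the list is out of date; a newer one must be fetched
    for entry in crl.revoked:
        if entry.serial == cert.serial and entry.revocation_date <= now:
            return "revoked"
    return "valid"


T0 = datetime(2023, 4, 12)      # constructed issue date used by the sample


def at(days: int) -> datetime:
    """Convenience: a point in time `days` after the sample issue date."""
    return T0 + timedelta(days=days)


def sample():
    """Constructed sample: one CA, two certificates, the second revoked after a key compromise."""
    cert_ok = Certificate(3, 1001, "sha256WithRSAEncryption", "CN=Example CA",
                          at(0), at(365), "CN=alice", b"<alice public key>")
    cert_bad = Certificate(3, 1002, "sha256WithRSAEncryption", "CN=Example CA",
                           at(0), at(365), "CN=bob", b"<bob public key>")
    crl = CRL(2, "sha256WithRSAEncryption", "CN=Example CA",
              last_update=at(30), next_update=at(37),
              revoked=[RevokedEntry(1002, at(20))])
    return cert_ok, cert_bad, crl
```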

Internet Firewall

• A firewall is to control traffic flow between networks.
• Firewall uses the following techniques:
  – Packet Filters
  – Application Proxy
  – Socks servers
  – Secure Tunnel
  – Screened Subnet Architecture

Packet Filtering

• Most commonly used firewall technique
• Operates at the IP level
• Checks each IP packet against the filter rules before passing (or not passing) it on to its destination.
• Much faster than other firewall techniques
• Hard to configure

Packet Filter Cont..

[Figure: a Packet Filtering Server placed between the Non-Secure Network and the Secure Network.]
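An added example, not from the lecture, for the two packet filtering slides above: a small Python rule engine that checks each IP packet (source, destination, protocol, destination port) against an ordered rule list, first match wins and no match means deny. Because the slides call packet filters hard to configure, it also includes a check for rules that can never fire because an earlier, broader rule shadows them. The rule set, the 10.1.0.0/16 secure network and the test addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp", "icmp"
    dport: int = 0   # destination port (0 for protocols without ports)


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"        # any source
    dst: str = "0.0.0.0/0"        # any destination
    proto: Optional[str] = None   # None = any protocol
    dport: Optional[int] = None   # None = any port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))

    def covers(self, other: "Rule") -> bool:
        """True when every packet `other` could match is already matched by this rule."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and (self.proto is None or self.proto == other.proto)
                and (self.dport is None or self.dport == other.dport))


def filter_packet(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule decides; a packet matching no rule is denied (default deny)."""
    for index, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, index
    return "deny", None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Configuration check: indices of rules that can never fire because an earlier rule
    already covers everything they would match. A common way a filter is misconfigured."""
    return [j for j, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:j])]


# Constructed rule set for a filter between the non-secure network and the 10.1.0.0/16 secure network.
RULES = [
    Rule("deny", src="10.1.0.0/16"),                              # inside addresses must not arrive from outside
    Rule("permit", dst="10.1.0.10/32", proto="tcp", dport=25),    # mail server
    Rule("permit", dst="10.1.0.20/32", proto="tcp", dport=80),    # web server
]
```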

Application Proxy

• Application Level Gateway
• The communication steps are as follows
  – User connects to the proxy server
  – From the proxy server, the user connects to the destination server
• Proxy server can provide
  – Content Screening
  – Logging
  – Authentication

Application (telnet) Proxy Cont..

[Figure: the Telnet client on the Secure Network connects to Telnetd on the Proxy Server; the Proxy Server's own Telnet then connects to Telnetd on the Non-Secure Network.]

SOCKS Server

• Circuit-level gateways
• Generally for outbound TCP traffic from the secure network
• Client code must be installed on the user's machine.
• The communication steps are as follows:
  – User starts the application using the destination server IP address
  – SOCKS server intercepts and authenticates the IP address and the userID
  – SOCKS creates a second session to the non-secure system

Socks Servers Cont..

[Figure: a SOCKSified Client on the Secure Network connects through the Socks server to a Standard Server on the Non-Secure Network.]

Secure Tunnel Cont..

[Figure: a VPN across the Internet joins the Corporate Intranet, a Business Partner, a Branch Office and Remote Access users; each site has a Workstation, a Laptop and a server behind a Router at its edge.]

Secure IP Tunnel

• A secure channel between the secure network and an external trusted server through a non-secure network (e.g., Internet)
• Encrypts the data between the Firewall and the external trusted host
• Also verifies the identities of the session partners and the authenticity of the messages

VPN Solutions

• IP Security (IPSec)
• Layer 2 Tunnel Protocol (L2TP)
• Virtual Circuits
• Multi Protocol Label Switching (MPLS)

IPSec Solution

• IPSec is an Internet standard for ensuring secure private communication over IP networks, and it was developed by the IPSec working group of the IETF
• IPSec implements network layer security

Principle of IPSec protocols

• Authentication Header (AH)
  – Provides data origin authentication, data integrity and replay protection
• Encapsulating Security Payload (ESP)
  – Provides data confidentiality, data origin authentication, data integrity and replay protection
• Internet Security Association and Key Management Protocol (ISAKMP) or Internet Key Exchange (IKE)
  – Provides a method for automatically setting up security associations and managing their cryptographic keys.
• Security Association (SA)
  – Provides all the relevant information that communicating systems need to execute the IPSec protocols.

Operation Modes of IPSec

• Transport Mode
  – The IP payload is encrypted and the IP headers are left alone

[Figure: IP Header | Payload, with the Payload marked "The IP datagram is encrypted"]

Operation Modes of IPSec Cont...

• Tunnel Mode
  – The entire original IP datagram is encrypted and it becomes the payload in the new IP datagram

[Figure: New IP Header | IP Header | Payload, with the original IP Header and Payload marked "The original IP datagram is encrypted and is the payload for the new IP header"]

IPSec Example

• This example combines IPSec protocols: AH in tunnel mode protects ESP traffic in transport mode. The example assumes that the SAs for the communicating points have already been set up.

[Figure: host H1 (alongside a Workstation, a Laptop and a server) sits behind gateway G1 in the Corporate Intranet; host H2 sits behind gateway G2 in the Branch Office; the two gateways are joined across the Internet. ESP in Transport Mode runs end to end between H1 and H2; AH in Tunnel Mode runs between G1 and G2.]

[Figure: packet layout at each step on the sending side]
Original datagram from H1:
  IP Header (H1 to H2) | Payload
After ESP in transport mode at H1:
  IP Header (H1 to H2) | ESP Hdr. | Payload | ESP Trl. | ESP Auth.
  Encrypted: Payload, ESP Trl.   Authenticated: ESP Hdr. through ESP Trl.
After AH in tunnel mode at G1:
  New IP Hdr. (G1 to G2) | AH Hdr. | IP Header (H1 to H2) | ESP Hdr. | Payload | ESP Trl. | ESP Auth.
  Encrypted: Payload, ESP Trl.   Authenticated: the entire datagram (by AH)

[Figure: packet layout at each step on the receiving side]
Received by G2:
  New IP Hdr. (G1 to G2) | AH Hdr. | IP Header (H1 to H2) | ESP Hdr. | Payload | ESP Trl. | ESP Auth.
  Encrypted: Payload, ESP Trl.   Authenticated: the entire datagram
After G2 verifies AH and removes the AH header and the new IP header:
  IP Header (H1 to H2) | ESP Hdr. | Payload | ESP Trl. | ESP Auth.
  Encrypted: Payload, ESP Trl.
After H2 verifies and decrypts ESP:
  IP Header (H1 to H2) | Payload
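An added example, not from the lecture, that models the two operation modes and the AH-over-ESP scenario of the last five slides: Python functions that apply ESP in transport mode at H1 and AH in tunnel mode at G1, track which parts of the datagram end up encrypted and which authenticated, and remove the layers again at G2 and H2. Cryptography and SAs are out of scope here; the `Datagram` class and the header names are an assumption chosen to match the figures.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Datagram:
    """Header/trailer names in wire order, plus what the outermost IPSec layer protects."""
    headers: List[str]
    encrypted: Set[str] = field(default_factory=set)
    authenticated: Set[str] = field(default_factory=set)
    inner: Optional["Datagram"] = None     # the datagram this layer wraps, used when decapsulating


def original(src: str, dst: str) -> Datagram:
    return Datagram([f"IP Header {src} to {dst}", "Payload"])


def esp_transport(d: Datagram) -> Datagram:
    """ESP in transport mode (at the end host): the IP header stays, the payload is wrapped.
    Encrypted: payload and ESP trailer. Authenticated: ESP header through ESP trailer.
    The IP header itself is neither encrypted nor authenticated."""
    ip_header, *rest = d.headers
    body = ["ESP Hdr."] + rest + ["ESP Trl."]
    return Datagram(headers=[ip_header] + body + ["ESP Auth."],
                    encrypted=set(rest) | {"ESP Trl."},
                    authenticated=set(body),
                    inner=d)


def ah_tunnel(d: Datagram, gw_src: str, gw_dst: str) -> Datagram:
    """AH in tunnel mode (at the gateway): the whole datagram becomes the payload of a new IP
    header. AH authenticates everything (mutable outer-header fields excepted) but encrypts
    nothing, so only what ESP already encrypted stays encrypted."""
    headers = [f"New IP Hdr. {gw_src} to {gw_dst}", "AH Hdr."] + d.headers
    return Datagram(headers=headers, encrypted=set(d.encrypted),
                    authenticated=set(headers), inner=d)


def decapsulate(d: Datagram, expect: str) -> Datagram:
    """Receiver removes one layer. It must be the kind this node expects (AH at the gateway,
    ESP at the host); verification of AH / ESP Auth. is assumed to have succeeded."""
    marker = {"AH": "AH Hdr.", "ESP": "ESP Hdr."}[expect]
    if len(d.headers) < 2 or d.headers[1] != marker or d.inner is None:
        raise ValueError(f"expected an {expect} layer, got {d.headers[:2]}")
    return d.inner


def example_flow() -> List[List[str]]:
    """The slides' scenario: H1 applies ESP transport, G1 wraps it in an AH tunnel to G2,
    G2 strips AH, H2 strips ESP. Returns the header layout after each step."""
    steps = [original("H1", "H2")]
    steps.append(esp_transport(steps[-1]))
    steps.append(ah_tunnel(steps[-1], "G1", "G2"))
    steps.append(decapsulate(steps[-1], "AH"))
    steps.append(decapsulate(steps[-1], "ESP"))
    return [s.headers for s in steps]
```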

Screened Subnet Architecture Cont..

[Figure: Non-Secure Network | Packet Filtering | Screened Subnet, the Demilitarized Zone (DMZ), holding a Telnet Proxy Server, a Socks Server, an HTTP Proxy Server and an FTP Proxy Server | Packet Filtering | Secure Network.]

Screened Subnet Architecture

• The DMZ (perimeter network) is set up between the secure and non-secure networks
• It is accessible from both networks and contains machines that act as gateways for specific applications

Firewall Conclusion

• Not the complete answer
  • The fox is inside the henhouse
  • Host security + User education
• Cannot control back door traffic
  • any dial-in access
  • Management problems
• Cannot fully protect against new viruses
  • Antivirus on each host machine
• Needs to be correctly configured
  • The security policy must be enforced