Part 5: Security
Network Security (Access Control, Encryption, Firewalls)

Dec 19, 2015

FALL 2005 CSI 4118 – UNIVERSITY OF OTTAWA – R.L.PROBERT

Secure Networks

- Secure network is not an absolute term
- Need to define security policy for organization
- Network security policy cannot be separated from security policy for attached computers
- Costs and benefits of security policies must be assessed

Network Security Policy

Devising a network security policy can be complex because a rational policy requires an organization to assess the value of information. The policy must apply to information stored in computers as well as to information traversing a network.

Aspects of Security

- Data integrity
- Data availability
- Data confidentiality
- Privacy

Responsibility and Control

- Accountability: how an audit trail is kept
- Authorization: who is responsible for each item and how is responsibility delegated to others

Integrity Mechanisms

- Techniques to ensure integrity
  - Parity bits
  - Checksums
  - CRCs
- These cannot guarantee data integrity (e.g., against intentional change)
- Use of message authentication code (MAC) that cannot be broken or forged
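The gap between the error-detecting codes and a MAC on this slide, as an added example that is not part of the original slides: a CRC-32 catches an accidental bit flip but is simply recomputed when a message is rewritten, while an HMAC-SHA-256 tag cannot be produced without the key. The key, the sample messages and the frame layout (message followed by tag) are constructed for the illustration.

```python
import hashlib
import hmac
import zlib

KEY = b"constructed-shared-secret"  # assumption: known only to sender and receiver


def crc_frame(msg: bytes) -> bytes:
    """Message followed by its CRC-32 (error detection, no key involved)."""
    return msg + zlib.crc32(msg).to_bytes(4, "big")


def crc_ok(frame: bytes) -> bool:
    return zlib.crc32(frame[:-4]).to_bytes(4, "big") == frame[-4:]


def mac_frame(msg: bytes, key: bytes = KEY) -> bytes:
    """Message followed by a 32-byte HMAC-SHA-256 tag computed with the key."""
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


def mac_ok(frame: bytes, key: bytes = KEY) -> bool:
    expected = hmac.new(key, frame[:-32], hashlib.sha256).digest()
    return hmac.compare_digest(expected, frame[-32:])   # constant-time compare


def flip_bit(frame: bytes, index: int = 0) -> bytes:
    """Accidental damage in transit: one bit of one byte changes."""
    damaged = bytearray(frame)
    damaged[index] ^= 0x01
    return bytes(damaged)


if __name__ == "__main__":
    original = b"PAY 100 TO ALICE"     # constructed sample messages
    rewritten = b"PAY 900 TO ALICE"
    # Accidental change: both mechanisms notice.
    print(crc_ok(flip_bit(crc_frame(original))), mac_ok(flip_bit(mac_frame(original))))
    # Intentional change: the CRC is simply recomputed and the frame is accepted.
    print(crc_ok(crc_frame(rewritten)))
    # Without the key, neither a reused tag nor a tag under a wrong key verifies.
    print(mac_ok(rewritten + mac_frame(original)[-32:]))
    print(mac_ok(mac_frame(rewritten, key=b"wrong key")))
```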

Access Control and Passwords

- Passwords used to control access
- Over a network, passwords susceptible to snooping

Encryption and Confidentiality

To ensure confidentiality of a transmitted message, use encryption

Secret key or public key schemes

[Figure: message m → encryption (secret key S) → decryption (secret key S) → message m]

Public Key Cryptosystem

- Each processor has private key S and public key P
- S is kept secret, and cannot be deduced from P
- P is made available to all processors
- Encryption and decryption with S and P are inverse functions: P(S(m)) = m and S(P(m)) = m

[Figure, two panels: message m → encryption → decryption → message m, using private key S and public key P]

Message Digest

- Digest function maps arbitrary length message m to fixed length digest d(m)
- One-way function: given d(m), can't find m
- Collision-free: infeasible to generate m and m' such that d(m) = d(m')

[Figure: message → digest]

Digital Signature

- To sign message m, sender computes digest d(m)
- Sender computes S(d(m)) and sends along with m
- Receiver computes P(S(d(m))) = d(m)
- Receiver computes digest of m and compares with result above; if match, signature is verified
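The signing steps above, together with the inverse property P(S(m)) = m and S(P(m)) = m from the Public Key Cryptosystem slide, as an added example that is not part of the original slides. It assumes textbook RSA for S and P and SHA-256 for d; the key pair is a constructed toy built from two Mersenne primes, with no padding.

```python
import hashlib

# Toy key pair built from two Mersenne primes. Constructed for illustration:
# far too small for real use, and real RSA signatures also apply padding.
_p, _q = 2**127 - 1, 2**89 - 1
N = _p * _q                                    # modulus, part of the public key
E_PUB = 65537                                  # public exponent
D_PRIV = pow(E_PUB, -1, (_p - 1) * (_q - 1))   # private exponent, kept secret


def P(x: int) -> int:
    """Apply the public key P."""
    return pow(x, E_PUB, N)


def S(x: int) -> int:
    """Apply the private key S."""
    return pow(x, D_PRIV, N)


def d(m: bytes) -> int:
    """Digest d(m): SHA-256 of the message, reduced into the key's range."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N


def sign(m: bytes) -> int:
    """Sender: compute S(d(m)) to send along with m."""
    return S(d(m))


def verify(m: bytes, signature: int) -> bool:
    """Receiver: compute P(S(d(m))) and compare with a fresh digest of m."""
    if not 0 <= signature < N:     # reject values outside the key's range
        return False
    return P(signature) == d(m)


if __name__ == "__main__":
    m = b"transfer approved"                # constructed sample message
    sig = sign(m)
    print(P(S(42)) == 42, S(P(42)) == 42)   # the two keys are inverses
    print(verify(m, sig))                   # untouched message verifies
    print(verify(b"transfer denied", sig))  # changed message does not
```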

Digital Signature

[Figure: Sender Alice computes the digest and computes the signature with Alice's private key; receiver Bob computes the digest and verifies the signature with Alice's public key]

[Figure: Sender: Alice and Receiver: Bob with a doc; boxes labelled "Apply Key:", "compute" and "verify"]

Internet Firewall

Protect an organization’s computers from internet problems (firewall between two structures to prevent spread of fire)

Internet Firewall

All traffic entering the organization passes through the firewall

All traffic leaving the organization passes through the firewall

The firewall implements the security policy and rejects any traffic that doesn’t adhere

The firewall must be immune to security attacks

Packet Filtering

- Packet filter is embedded in router
- Specify which packets can pass through and which should be blocked

Using Packet Filters to Create a Firewall

Three components in a firewall
- Packet filter for incoming packets
- Packet filter for outgoing packets
- Secure computer system to run application-layer gateways or proxies

Virtual Private Networks

Two approaches to building corporate intranet for an organization with multiple sites:
- Private network connections (confidential)
- Public internet connections (low cost)

Virtual Private Network
- Achieve both confidentiality and low cost
- Implemented in software

Virtual Private Network

VPN software in router at each site gives appearance of a private network

Virtual Private Network

- Obtain internet connection for each site
- Choose router at each site to run VPN software
- Configure VPN software in each router to know about the VPN routers at other sites
- VPN software acts as a packet filter; next hop for outgoing datagram is another VPN router
- Each outgoing datagram is encrypted

Tunneling

- Desire to encrypt entire datagram so source and destination addresses are not visible on Internet
- How can internet routers do proper forwarding?
- Solution: VPN software encrypts entire datagram and places inside another for transmission
- Called IP-in-IP tunneling (encapsulation)

Tunneling

- Datagram from computer x at site 1 to computer y at site 2
- Router R1 on site 1 encrypts, encapsulates in new datagram for transmission to router R2 on site 2
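The x-to-y datagram wrapped by R1 for R2, as an added example that is not part of the original slides: the whole inner datagram is encrypted and carried as the payload of a new one, so only the routers' addresses appear in the header that the Internet forwards on. The addresses, the key and the SHA-256 keystream used as a stand-in cipher are assumptions made for the illustration.

```python
import hashlib
import os
import socket
import struct

KEY = b"constructed key shared by R1 and R2"  # assumption: pre-shared by the VPN routers


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 datagram: 20-byte header (no options) plus payload."""
    def header(checksum: int) -> bytes:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                           proto, checksum, socket.inet_aton(src), socket.inet_aton(dst))
    total = sum(struct.unpack("!10H", header(0)))   # one's-complement header checksum
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return header(~total & 0xFFFF) + payload


def _keystream_xor(data: bytes, nonce: bytes) -> bytes:
    """Stand-in cipher for this example only: XOR with a SHA-256 counter
    keystream. A real VPN uses an authenticated cipher (e.g. IPsec ESP)."""
    stream = b"".join(hashlib.sha256(KEY + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def encapsulate(inner: bytes, r1: str, r2: str) -> bytes:
    """R1: encrypt the entire inner datagram, place it in a new one for R2."""
    nonce = os.urandom(8)                            # fresh per datagram
    return ipv4(r1, r2, 4, nonce + _keystream_xor(inner, nonce))  # 4 = IP-in-IP


def decapsulate(outer: bytes) -> bytes:
    """R2: strip the outer header and decrypt to recover the inner datagram."""
    body = outer[20:]
    return _keystream_xor(body[8:], body[:8])


def visible_addresses(datagram: bytes) -> tuple:
    """What a forwarding router reads from the header: (source, destination)."""
    return socket.inet_ntoa(datagram[12:16]), socket.inet_ntoa(datagram[16:20])


if __name__ == "__main__":
    inner = ipv4("10.1.0.5", "10.2.0.9", 6, b"constructed payload")   # x -> y
    outer = encapsulate(inner, "192.0.2.1", "198.51.100.1")           # R1 -> R2
    print(visible_addresses(inner), visible_addresses(outer))
    print(decapsulate(outer) == inner)
```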

Other Security Methods

PGP – Pretty Good Privacy

PGP is a security technology which allows us to send email that is authenticated and/or encrypted.

Authentication confirms the identity of the sender of a message.

Encryption scrambles the contents of a message so that only the intended recipients can read it.

Each user of PGP has a public and a private key. They are generated in matched pairs: a public key only ever works with its twin private key.

A user's public key is not a secret and can be distributed widely.

A user's private key, however, must be kept secret, and is protected by a pass phrase (like a password but longer).

PGP – Pretty Good Privacy

A public key is used in two ways:
- Alice can authenticate a signed message from Bob using his public key. If the signature on the message verifies against Bob's public key, then Alice can be sure that the message came from Bob.
- Alice can send a secure message to Bob by encrypting the message using Bob's public key. The only person who can decrypt the message is Bob.

A private key also has two uses:
- Bob can send an authenticated message to Alice by signing it with his private key. Since Bob is the only person who has his private key (and the pass phrase that protects it), Alice knows that if the signature on the message verifies against Bob's public key, then it must have been sent by Bob.
- Bob can read a secure message sent by Alice by decrypting it with his private key.

SSL (Secure Sockets Layer)

The SSL (Secure Sockets Layer) Handshake Protocol was developed to provide security and privacy over the Internet.

The SSL protocol runs in a "layer" above TCP/IP and below higher-level protocols such as HTTP or IMAP.

The SSL protocol is able to negotiate encryption keys as well as authenticate the server before data is exchanged by the higher-level application.

The SSL protocol maintains the security and integrity of the transmission channel by using encryption, authentication and message authentication codes.

HTTPS

HTTPS stands for Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL.

HTTPS encrypts and decrypts the page requests and page information between the client browser and the web server using a Secure Sockets Layer (SSL).

SSL transactions are negotiated by means of a key-based encryption algorithm between the client and the server.

IPsec

Short for IP Security, IPsec is a set of protocols developed by the IETF to support secure exchange of packets at the IP layer.

IPsec supports two encryption modes: Transport and Tunnel.

Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched.

The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPsec-compliant device decrypts each packet.

SET – Secure Electronic Transactions

Short for Secure Electronic Transaction, a standard that will enable secure credit card transactions on the Internet.

SET has been endorsed by virtually all the major players in the electronic commerce arena, including Microsoft, Netscape, Visa, and Mastercard.

By employing digital signatures, SET will enable merchants to verify that buyers are who they claim to be.

It will protect buyers by providing a mechanism for their credit card number to be transferred directly to the credit card issuer for verification and billing without the merchant being able to see the number.

Summary

- Security is desirable but must be defined by an organization
- Assess value of information and define a security policy
- Aspects to consider include privacy and data integrity, availability, and confidentiality

Summary (continued)

- Mechanisms to provide aspects of security
  - Encryption: secret and public key cryptosystems
  - Firewalls: packet filtering
- Virtual private networks
  - Use Internet to transfer data among organization’s sites but ensure that data cannot be read by others