Topic 10: Network Security Management Chapter 18: Doing Business on the Internet Chapter 20: Network

1
Topic 10 Network Security Management- Chapter
18 Doing Business on the Internet - Chapter 20
Network Security

• Business Data Communications, 4e

2
Why Networks Need Security

• In recent years, organizations have become
  increasingly dependent on the data communication
  networks for their daily business communications,
  database retrieval, distributed data processing,
  and the internetworking of LANs.
• The losses associated with security failures can
  be huge.
• More important than direct theft losses are the
  potential losses from the disruption of
  applications systems that run on computer
  networks.

3
Loss from Hack Attacks

• The cost of cyberattacks to U.S. businesses
  doubled to 10 billion in 1999, according to
  estimates from the Computer Security Institute
  (CSI). The research group today is releasing the
  results of its survey of 643 large organizations,
  showing estimated losses of 266 million in 1999
  from cybercrime, which is more than twice the
  amount lost in 1998.
• - Los Angeles Times (03/22/00) P. C1 Piller,
  Charles

4
A Hackers Story

• Kevin Mitnick - a famous hacker
• arrested At 130 a.m., February 15, 1995
• released on January 21, 2000
• What has he done?
• Broke into LA Unified School Districts main
  computers when he was in high school.
• Accessed North American Air Defense Command
  computers
• He is referred to as electronic terrorist for
  many computer break-ins he has committed.
• More stories

5
A True Story of Linux Hacking

• How the hacker did?
• Got the login for admin account
• Delete netlog directory to prevent discovery
• Load a DoS software bomb
• Attack other computers using the bomb
• How it is discovered?
• When it attacks someone caught it
• A complaint is sent to Tech

6
A True Story of Linux Hacking

• From roger rick mailtoh4ker_at_hotmail.com
• Sent Sunday, February 04, 2001 232 PM
• To J.Stalcup_at_ttu.edu webmaster_at_ba.ttu.edu
• Subject Compromised Box?
• I believe on of your systems on your subnet has
  been compromised and is
• now running a eggdrop on IRC EFnet. A eggdrop is
  a client that is always
• connected to the EFnet server and allows a user
  to get Operator status.
• This eggdrop could result in DoS attacks on your
  server if the user makes
• the right people angry.
• ÚÄÄÄÄÄ---Ä--ÄÄÄ-ÄÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄÄÄÄ -- -
• H20B0NG ( bong_at_geek.ba.ttu.edu
  )
• ³ ircname real eyes realize real lies
• channels shells
• ³ server irc.stanford.edu
• ÀÄÄÄÄÄ---Ä--ÄÄÄ-ÄÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄÄÄÄ -- -
• There is the bot and system information. If you
  are not concerned about
• this, sorry for wasting your time. But it could
  result in downtime in
• the long run. Look for a connection to a irc
  server on port 6667, It might

7
Security Threats

• Passive attacks
• Eavesdropping on, or monitoring, transmissions
• Electronic mail, file transfers, and
  client/server exchanges are examples of
  transmissions that can be monitored
• Active attacks
• Modification of transmitted data
• Attempts to gain unauthorized access to computer
  systems

8
Security Threats - Type 1

• Non-technical based threats and can be prevent
  and protected using managerial approaches.
  Typically, they are from disasters.
• Nature disasters flood, fire, earthquake, etc
• Terror attacks
• Criminal cases
• Accidents by human error
• Direct consequences
• Destroying host computers or large sections of
  the network.
• Damaging data storages

9
How to prevent the losses from type 1 threats?

• Discussion focus If you were CIO for a large
  company what you should do to prevent the losses
  from a disaster from a managerial point of view?

10
Security Threats - Type 2

• These are technical attacks. Need both technical
  and managerial approaches to prevent and protect
  the attacks.
• Destruction Virus/Worm attacks
• Disruption DoS (Denial of Service) and DDoS
  (Distributed DoS) attack
• Unauthorized access often viewed as hackers
  gaining access to organizational data files and
  resources.
• Most unauthorized access incidents involve
  employees. Serious intruders could change files
  to commit fraud or theft, or destroy information
  to injure the organization.
• Story Microsoft network was hacked in Oct. 2000

11
Attacks Passive vs. Active

• Passive Attacks
• Eavesdropping
• Monitoring
• Active Attacks
• Modification
• Hacking
• Software bombing
• Disrupting

12
Worm vs. Virus
13
Red Alert Worm

• "'Code Red' Unleashed on Web"Los Angeles Times
  (08/01/01) P. C3 Piller, Charles
• A malicious computer worm is spreading over the
  Internet, causing infected computers to search
  the Web to find more victims. Eventually the Code
  Red worm, which only recently began its spread,
  will cause its host computers to deluge the White
  House Web site with a barrage of data. However, a
  previous version of the worm was released earlier
  last month against the same White House target.
  That version also defaced the Web sites hosted on
  the servers it infected with a message claiming
  "Hacked by Chinese," though the Chinese
  government has denied the worm originated in that
  country. Officials at the White House have since
  used an address-change technique to divert the
  data flow from Code Red computers, and the site
  will also remain safe from the current version.
  Code Red, however, will continue to spread,
  reaching its peak within 36 hours of its August
  1st release date, according to Internet Security
  Systems researcher Chris Rouland. The worm is
  programmed to go dormant on August 28th.

14
A True Story of Red Alert Attack

• When July 20, 2001
• Where Dr. Lins Office
• What computer 129.118.49.94, Windows 2000
  Advanced Server
• How Not known yet
• Who discovered the attack someone using
  DShield.org reported and they sent BACS an email
• Symptoms
• When using asp scripts, the page displays
  Hacked by Chinese
• A malicious program scans ports of other computer

15
Security Attacks
Normal flow
Interruption
Interception
Modification
Fabrication
16
Preventing Unauthorized Access

• Approaches to preventing unauthorized access
• Developing a security policy
• Developing user profiles
• Strengthen physical security and software
  security
• Securing dial-in service system
• Fix security holes
• Using firewall
• Using encryption
• A combination of all techniques is best to ensure
  strong security.

17
Securing Network Access Points

• What is a firewall A router, gateway, or special
  purpose computer that examines packets flowing
  into and out of a network and restricts access to
  the organizations network.
• Why using firewall With the increasing use of
  the Internet, it becomes important to prevent
  unauthorized access to your network from
  intruders on other networks.
• Case Study Attack to a firewall

18
Securing Network Access Points

• Packet-level firewall
• Examines the source and destination address of
  every network packet that passes through it and
  only allows packets that have acceptable source
  and destination addresses to pass.
• Vulnerable to IP-level spoofing, accomplished by
  changing the source address on incoming packets
  from their real address to an address inside the
  organizations network.
• Many firewalls have had their security
  strengthened since the first documented case of
  IP spoofing in December 1994.

19
Spoof

• "Spoof" was a game invented in 1933 by an English
  comedian, Arthur Roberts. Webster's defines the
  verb to mean (1) to deceive or hoax, and (2) to
  make good-natured fun of. On the Internet, "to
  spoof" can mean
• To deceive for the purpose of gaining access to
  someone else's resources (for example, to fake an
  Internet address so that one looks like a certain
  kind of Internet user)
• To simulate a communications protocol by a
  program that is interjected into a normal
  sequence of processes for the purpose of adding
  some useful function
• To playfully satirize a Web site.

20
Application-level Firewall

• Application-level firewall
• Acts as an intermediate host computer or gateway
  between the Internet and the rest of the
  organizations network.
• In many cases, needs special programming codes to
  permit the use of application software unique to
  the organization.
• Difference
• packet-level firewalling - prohibits only
  disabled accesses
• application-level firewalling - permits only
  authorized accesses

21
Proxy Server

• Proxy server - the technology for firewalls
• Uses an address table to translate network
  addresses inside the organizations into fake
  addresses for use on the Internet (network
  address translation or address mapping). This
  way systems outside the organization never see
  the actual internal IP addresses.
• Is becoming the application-level firewall of
  choice.
• Many organizations use a combination of
  packet-level and application-level firewalls.

22
Network Address Translation (NAT)

• The process of translating between one set of
  private addresses inside a network and a set of
  public address outside the network.
• Transparent
• A NAT proxy server uses an address table to
  translate the private IP addresses used inside
  the organization into proxy IP address used on
  the Internet. It uses the source port number in
  the TCP packet to a unique number that it uses as
  an index into its address table to find the IP
  address of the actual sending computer in the
  internal network.

23
Proxy Server Software

• There are numerous proxy server software products
  on the market, priced ranging 300 to 1000
  currently. Examples are
• Microsoft Proxy Server http//www.microsoft.com/p
  roxy/default.asp,
• Netscape Proxy Server http//home.netscape.com/pr
  oxy/v3.5/,
• Novell BorderManager http//www.novell.com/border
  manager/
• Squid http//squid.nlanr.net,
• Harvest http//harvest.transarc.com,
• WinGate http//www.wingate.com,
• WinProxy http//www.ositis.com/dloadfr.htm,
  etc.

24
Proxy Server Features

• Reverse hosting.
• Reverse proxy.
• Multi-protocol support.
• Virtual private networking ability.
• Application-level proxy
• Circuit level proxy with SOCKS 4 client support
  and SOCKS 5 logic policy support.
• Secure Sockets Layer (SSL) tunneling.
• Authentication.
• Enterprise security management such as LDAP based
  user/group/password management for proxy
  authentication, Simple Network Management
  Protocol (SNMP) support, etc.

25
(Demilitarized Zone)
26
DMZ

• Features
• Allows limited accesses to DMZ from the outside
  (Using a packet level firewall)
• Prevent unauthorized accesses to departmental
  networks from the Internet (using a proxy server)
• Allows full accesses to DMZ and the Internet from
  internal networks
• Limits inter-departmental accesses (using the
  proxy server for each department)

27
Network Eavesdropping

• Another way to gain unauthorized access, where
  the intruder inserts a listening device or
  computer into the organizations network to
  record messages.
• Targets
• Network cables,
• Network devices such as controllers, hubs, and
  bridges
• Certain types of cable can impair or increase
  security by making eavesdropping easier (i.e.
  wireless) or more difficult (i.e. fiber optic).
• Physical security of the networks local loop and
  interexchange telephone circuits is the
  responsibility of the common carrier.

28
Trojan Horse - A Malicious Sniffer
A tiny program that runs on a workstation (PC or
Macintosh). In its simplest form, it simply
records every key pressed, including your
username and password when logging onto any
computer network. Trojan Horse may steal the
important security information without awareness.
29
Outline of Encryption

• Symmetric key encryption
• Public-key encryption
• Key management
• Digital signature
• Digital certificate
• Certificate authority

30
Encryption

• Encryption A means of disguising information by
  the use of mathematical rules known as algorithms
  to prevent unauthorized access.
• Five components to the algorithm
• Plaintext The original readable message or data
• Ciphertext encrypted message produced as output.
  
• Encryption algorithm Performs various
  substitutions and transformations on the
  plaintext.
• Secret key Input to the encryption algorithm.
  Substitutions and transformations performed
  depend on this key
• Decryption algorithm Encryption algorithm run in
  reverse. Uses ciphertext and the secret key to
  produce the original plaintext.

31
Using Encryption

• Today, the U.S. government considers encryption
  to be a weapon, and regulates its export in the
  same way it regulates the export of machine guns
  or bombs. The government is also trying to
  develop a policy called key escrow (key
  recovery), requiring key registration with the
  government.

32
Encryption Methods

• The essential technology underlying virtually all
  automated network and computer security
  applications is cryptography
• Two fundamental approaches are in use
• conventional encryption, also known as symmetric
  encryption
• public-key encryption, also known as asymmetric
  encryption

33
Conventional Encryption Operation
34
Conventional Encryption Requirements Weaknesses

• Requirements
• A strong encryption algorithm
• Secure process for sender receiver to obtain
  secret keys
• Methods of Attack
• Cryptanalysis
• Brute force

35
Symmetric Key Encryption - DES

• Data encryption standard (DES)
• A commonly used encryption algorithm.
• Symmetric (the key used to decrypt a particular
  bit stream is the same one used to encrypt it)
• Symmetric algorithms can cause problem with key
  management keys must be dispersed and stored
  carefully.
• A 56-bit version of DES is the most commonly used
  encryption technique today.

36
Data Encryption Standard (DES)

• Adopted in 1977, reaffirmed for 5 years in 1994,
  by NBS/NIST
• Plaintext is 64 bits (or blocks of 64 bits), key
  is 56 bits
• Plaintext goes through 16 iterations, each
  producing an intermediate value that is used in
  the next iteration.
• DES is now too easy to crack to be a useful
  encryption method

37
Triple DEA (TDEA)

• Alternative to DES, uses multiple encryption with
  DES and multiple keys
• With three distinct keys, TDEA has an effective
  key length of 168 bits, so is essentially immune
  to brute force attacks
• Principal drawback of TDEA is that the algorithm
  is relatively sluggish in software

38
Public-Key Encryption

• Based on mathematical functions rather than on
  simple operations on bit patterns
• Asymmetric, involving the use of two separate
  keys
• Misconceptions about public key encryption
• it is more secure from cryptanalysis
• it is a general-purpose technique that has made
  conventional encryption obsolete

39
Public-Key Encryption Operation
40
Public-Key Signature Operation
41
Characteristics of Public-Key

• Infeasible to determine the decryption key given
  knowledge of the cryptographic algorithm and the
  encryption key.
• Either of the two related keys can be used for
  encryption, with the other used for decryption.
• Slow, but provides tremendous flexibility to
  perform a number of security-related functions
• Most widely used algorithm is RSA, invented by
  Ron Rivest, Adi Shamir and Len Adleman at MIT in
  1977.

42
Conventional EncryptionKey Distribution

• Both parties must have the secret key
• Key is changed frequently
• Requires either manual delivery of keys, or a
  third-party encrypted channel
• Most effective method is a Key Distribution
  Center (e.g. Kerberos)

43
Public-Key EncryptionKey Distribution

• Parties create a pair of keys public key is
  broadly distributed, private key is not
• To reduce computational overhead, the following
  process is then used
• 1. Prepare a message.
• 2. Encrypt that message using conventional
  encryption with a one-time conventional session
  key.
• 3. Encrypt the session key using public-key
  encryption with recipients public key.
• 4. Attach the encrypted session key to the
  message and send it.

44
Digital Signature

• An electronic message that can be used by someone
  to authenticate the identity of the sender of a
  message or of the signer of a document.
• Can also be used to ensure that the original
  content of the message or document that has been
  conveyed is unchanged.
• Additional benefits
• Easy transportation, not easily repudiated, not
  imitated by someone else, and automatically
  time-stamped.

45
Digital Signature Process
46
Public Key Certificates

• 1. A public key is generated by the user and
  submitted to Agency X for certification.
• 2. X determines by some procedure, such as a
  face-to-face meeting, that this is authentically
  the users public key.
• 3. X appends a timestamp to the public key,
  generates the hash code of the result, and
  encrypts that result with Xs private key forming
  the signature.
• 4. The signature is attached to the public key.

47
Certificate Authority

• A certificate authority is a trusted organization
  that can vouch for the authenticity of the person
  or organization using authentication.
• A person wanting to use a CA registers with the
  CA and must provide some proof of identify.
• The CA issues a digital certificate that is the
  requestor's public key encrypted using the CA's
  private key as proof of identify.
• This certificate is then attached to the user's
  email or Web transactions in addition to the
  authentication information.
• The receiver then verifies the certificate by
  decrypting it with the CA's public key -- and
  must also contact the CA to ensure that the
  user's certificate has not been revoked by the
  CA.
• For higher level security certification, the CA
  requires that a unique fingerprint (key) be
  issued by the CA for each message sent by the
  user.

48
VeriSign, Inc

• Headquartered in Mountain View, California, a
  leading provider of Internet trust services
  authentication, validation and payment - needed
  by Web sites, enterprises, and e-commerce service
  providers to conduct trusted and secure
  electronic commerce and communications over IP
  networks.
• To date, VeriSign has issued over 215,000 Web
  site digital certificates and over 3.9 million
  digital certificates for individuals.

49
VeriSign

• "Group Approves VeriSign's Control Over Web
  Addresses Wall Street Journal (04/03/01) P. B4
  Bridis, Ted
• In a 12-3 vote, ICANN's board approved its
  new deal with VeriSign, allowing the company to
  retain control of the .com domain without
  divesting portions of its business. By Dec. 2002,
  VeriSign will give up the .org domain, and the
  .net domain will be surrendered at a later date,
  although VeriSign will have a chance to bid for
  control of the .net domain. There were a few
  changes made to the agreement. The 10,000 fee
  that registrars pay to VeriSign was dropped and
  VeriSign now has to spend 200 million toward the
  research necessary to create a directory of all
  domain names. Further, VeriSign must keep the
  registrar and registry portions of its business
  separate or it will face fines. The U.S. Commerce
  Department still has to approve the deal, and
  four members of Congress have suggested that the
  Commerce Department "fully analyze" competitive
  concerns stemming from the new deal. These
  suggestions, which were made by Reps.
• (http//www.washingtonpost.com/wp-dyn/articles/A35
  085-2001Apr3.html)

50
Secure Transactions for E-Payment
Secure transactions must have at least the
following characteristics Confidentiality
others cannot eavesdrop on an exchange.
Integrity the messages received are identical
to the messages sent. Authenticity you are
assured of the persons with whom you are making
an exchange. Non-Repudiation none of the
involved parties can deny that the exchange took
place.
51
Confidentiality

• The protection of transmitted data from passive
  attacks release of message contents, and traffic
  analysis.
• With respect to the release of message contents,
  several levels of protection can be identified.
  The broadest service protects all user data
  transmitted between two users over a period of
  time.

52
Authentication

• Authentication service is concerned with assuring
  that a communication is authentic.
• In the case of a single message, to assure the
  recipient that the message is from the source
  that it claims to be from
• In the case of an ongoing interaction, to assure
  that the two entities are authentic
• To assure that the connection is not interfered
  with in such a way that a third party can
  masquerade as one of the two legitimate parties
  for the purpose of unauthorized transmission and
  reception.

53
Integrity

• The integrity service is applied particularly to
  total stream protection.
• In connection-oriented service, to assure
  messages are received as sent, without
  duplication, insertion, modification, recording,
  or replays.
• In connectionless service, generally provides
  protection against message modification.

54
Non-repudiation

• To prevent either sender or receiver from denying
  a transmitted message.
• The receiver can prove that the message was in
  fact sent by the alleged sender.
• The sender can prove that the message was in fact
  received by the alleged receiver.

55
How to prevent repudiation?

• What is repudiation Denial of the message
  previously sent
• Idea keep the original message encrypted using
  senders private key
• How using digital signature

56
Internet Security Architecture
PGP S/MIME
Application oriented
SET
HTTP S-HTTP
FTP
SMTP
Transport oriented
SSL or TLS
TCP
Network oriented
IP/IPSec
57
IPSec

• Why IPSec?
• In 1994, IAB (Internet Architecture Board) issued
  Security in the Internet Architecture (RFC
  1636)
• In 1996, CERTs annual report listed 8000
  reported security incidents affecting 4 million
  hosts, identifying IP spoofing attacks.
• IAB proposed security features for IPv6, which
  are applicable to IPv4. So came IPSec.
• IP Sec can secure communications across a LAN,
  WANs, and/or the Internet
• Examples of use
• Secure branch office connectivity over the
  Internet
• Secure remote access over the Internet
• Establishing extranet and intranet connectivity
  with partners
• Enhancing electronic commerce security

58
Benefits of IPSec

• When implemented in a firewall or router,
  provides strong security for all traffic crossing
  the perimeter
• IPSec in a firewall is resistant to bypass
• Runs below the transport layer (TCP, UDP) and so
  is transparent to applications
• Can be transparent to end users because it is
  under transport layer
• Can provide security for individual users if
  needed, e.g. a remote access VPN for mobile users

59
IPSec Functions

• IPSec provides three main facilities
• authentication-only function referred to as
  Authentication Header (AH)
• combined authentication/encryption function
  called Encapsulating Security Payload (ESP)
• Transport mode protects upper-layer protocols,
  and is for end-end communications good for small
  networks
• Tunnel mode protects entire IP packet, and is
  used between two security gateways more
  efficient for VPNs
• a key exchange function
• Supports DES or other algorithms HMAC, a new
  scheme, is required for authentication.

60
ESP Encryption Authentication
61
IPSec Key Management

• Manual
• System administrator (SA) manually configures
  each system with its own keys and with the keys
  of other communicating systems
• Practical for small, relatively static
  environments
• Automated
• Enables the on-demand creation of keys for SAs
  and facilitates the use of keys in a large
  distributed system
• Most flexible but requires more effort to
  configure and requires more software

62
Web Security

• Web Vulnerabilities
• Unauthorized alteration of data at the Web site
• Unauthorized access to the underlying operating
  system at the Web server
• Eavesdropping on messages passed between a Web
  server and a Web browser
• Impersonation
• Securing the Web site itself
• install all operating system security patches
• install the Web server software with minimal
  system privileges
• use a more secure platform
• Securing the Web application
• Secure HyperText Transfer Protocol (S-HTTP)
• Secure Sockets Layer (SSL)

63
SSL TLS

• Protocols that sit between the underlying
  transport protocol (TCP) and the application
• Provides security at the socket level, just
  above the basic TCP/IP service
• Can provide security for a variety of Internet
  services, not just the WWW
• Secure Socket Layer (SSL)
• Originated by Netscape
• Transport Layer Security (TLS)
• TLS has been developed by a working group of the
  IETF, and is essentially SSLv3.1

64
SSL Implementation

• Focused on the initialization/handshaking to set
  up a secure channel
• Client specifies encryption method and provides
  challenge text
• Server authenticates with public key certificate
• Client send master key, encrypted with server key
• Server returns a message encrypted with the
  master key
• The message (key) is used to generate the key
  sending message from client to the server
• Digital signatures used in initialization are
  based on RSA after initialization, single key
  encryption systems like DES can be used

65
Secure Hypertext Transfer Protocol (S-HTTP)

• The logical extension of HTTP.
• A method that is used to support the encryption
  and decryption of specific WWW documents sent
  over the Internet.
• Uses RSA public-key encryption. A main use is
  expected to be for online payments.
• Supported by America Online, CompuServe, IBM,
  Netscape, Prodigy, SPRY (at http//www.spry.com,
  and now owned by CompuServe), and Spyglass.
• Designed by Allan Schiffman, then at EIT (which
  is now working with Terisa Systems).

66
PGP

• Pretty Good Privacy
• A freeware public key encryption package
  developed by Philip Zimmermann that is often used
  to encrypt e-mail.
• User post their public key on web pages, for
  example, and anyone wishing to send them an
  encrypted message simply cuts and pastes the key
  off the web page in to PGP software, which
  encrypts and sends the message.

67
Secure Electronic Transactions

• SET is a payment protocol supporting the use of
  bank/credit cards for transactions
• Supported by MasterCard, Visa, and many companies
  selling goods and services online
• SET is an open industry standard, using RSA
  public-key and DES single-key encryption

68
SET Participants Interactions
69
Agents in SET

• Cardholder, workstation of the person holding the
  card
• Merchant, needs merchant CA (MCA)
• CAs
• Security services
• Certificates
• Financial institution

70
Electronic Shopping

• Shopping browsing
• Item and merchant selection
• Ordering and negotiating
• Payment selection
• Payment authorization and transport
• Confirmation and delivery
• Good delivery
• Merchant reimbursement

71
Ideal Components of Electronic Cash

• Independent of physical location
• Security
• Privacy
• Off-line payment
• No need for third-party vendor
• Transferability to other users
• Divisibility
• Making change

72
E-Cash

• Created by David Chaum in Amsterdam in 1990
• Maintains the anonymity of cash transactions
• Users maintain an account with a participating
  financial institution, and also have a wallet
  on their computers hard drive
• Digital coins, or tokens, are stored in the wallet

73
Digital Wallet (SET)

• In the physical world, your wallet stores your
  credit cards and cash. In the online world, your
  digital wallet is installed as a plug-in to your
  web browser. Like your real wallet, your digital
  wallet stores your credit card number and your
  shipping information. Unlike your real wallet,
  you need to the know the secret "password" to use
  what's inside. Your wallet implements the
  "encryption" that makes SET secure.
• See Digital Wallet Demo

74
Free Trade Zones (FTZ)

• Area where communication and transactions occur
  between trusted parties
• Isolated from both the external environment and
  the enterprises internet network
• Supported by firewalls on both ends
• Inside the FTZ, all communications can be in
  clear mode without any encryption
• Necessary because logical boundaries between BTB
  and IB are becoming fuzzy.

75
Intrusion Detection System
Internet
Internal Subnet
NAT Proxy Server with network-based IDS
Router
Router
Network-based IDS Sensor
Firewall
Web Server with host-based IDS and
application-based IDS
Switch
Internal Subnet
Router
Switch
Mail Server with host-based IDS
DMZ
Network-based IDS Sensor
DNS Server with host-based IDS
Internal Subnet
IDS Management Console
76
Detecting Unauthorized Access

• Using Intruder Detection System (IDS). There are
  three type of IDS
• Network-based
• Host-based
• Application-based
• Two techniques for IDS
• Misuse detection
• Anomaly detection

77
Computer forensics

• The use of computer analysis techniques to gather
  evidence for criminal and/or civil trials
• Includes the following steps
• Identify potential evidence.
• Preserve evidence by making backup copies and use
  those copies for all analysis.
• Analyze the evidence.
• Prepare a detailed legal report for use in
  prosecutions.

78
Computer Forensics

• "Whodunnit? Economist (03/31/01) Vol. 358, No.
  8215, P. 73
• Computer forensics--the tools and
  techniques used to find, keep, and analyze the
  digital evidence from cybercrimes--is a field
  that is becoming more commercially viable by the
  day. Computer forensics experts must search
  through data that is often encrypted or put in
  graphics files in order to establish an "audit
  trail." Such experts are needed to combat the
  growing popularity of programs on the Internet
  that enable a hacker to gain control of a
  computer's operating system. With more and more
  computers attached to large networks, and
  with few users taking anything more than minimal
  security precautions--if even that--hackers
  relying on these programs could easily have a
  field day employing ordinary users' systems to
  mount sophisticated hacking attacks. However,
  there are now automated investigation tools that
  can counter the hacking programs, such as
  Coroners Toolkit, which speeds up and
  standardizes the digital-forensic examination
  process. A group of anti-hacking experts have
  even set up a network of "honeypots," vulnerable
  but unimportant computers designed to lure
  hackers so that the experts can study their
  habits and techniques.
• http//www.economist.com/science/displaySto
  ry.cfm?Story_ID550004

79
Entrapment - Honey-Pot

• A server that contains highly interesting fake
  information available only through illegal
  intrusion to bait or "entrap" the intruder and
  also possibly divert the hacker's attention from
  the real network assets.
• The honey pot server has sophisticated tracking
  software to monitor access to this information
  that allows the organization and law enforcement
  officials to trace and document the intruders
  actions. If the hacker is subsequently found to
  be in possession of information from the honey
  pot, that fact can be used in prosecution.

80
VPN
A virtual private network (VPN) is an extension
of an enterprises private intranet across a
public network such as the Internet, creating a
secure private connection, essentially through a
private tunnel. VPN provides cost-effective data
transmission with high security.
81
VPN is a cost-effective solution
According to industry analyst Forrester Research
Inc., when comparing the cost of traditional
leased line network versus today's Internet-based
VPN, the cost differences for 1,000 users are
eye-popping.
82
Monthly costs for leased-line network and
Internet VPN
City Distance (mi.) T1 Fees
Internet VPN Fee
SF-Denver 1,267 13,535 1,900 Denver-Chicago 1,
023 12,315 1,900 Chicago-NY
807 11,235 1,900 SF-LA 384
5,520 1,900 Denver-Salt Lake 537
6,285 1,900 Denver-Dallas 794
7,570 1,900 NY-DC 235 4,775 1,900 NY-Bos
ton 194 4,570 1,900
83
Virtual Private Networks

• There are two important disadvantages of VPNs
• Traffic on the Internet is unpredictable.
• There are several competing standards for
  Internet-based VPN, so not all vendors equipment
  and services are compatible.

84
Typical VPN implementation
Extranet VPNs between a corporation and its
strategic partners, customers, and suppliers.
85
Typical VPN implementation
Intranet VPNs between internal corporate
departments and branch offices
86
Typical VPN implementation
Remote Access VPNs between a corporation and
remote or mobile employees
87
Technologies in VPNs

• Tunneling and Security Protocols
• IP Security (IPSec)
• Point-to-Point Tunneling Protocol (PPTP)
• Layer2 Tunneling Protocol (L2TP)
• SOCKS (a layer 3 VPN protocol)
• Cryptography Key Management
• ISAKMP/Oakley (Internet Security Association and
  Key Management Protocol)
• VPN Hardware
• Security policy server
• Certificate authority
• Security gateway

88
VPN Solution Providers
IBM - eNetwork ATT - WorldNet VPN
service Checkpoint -VPN-1 Microsoft - PPTP by
Windows NT 4.0 FreeGate - Virtual Services
Management TradeWave - TradeVPI MultiVPN -
Ascend VTCP/Secure - InfoExpress SmartGate -
V-ONE Countless VPN solutions 3Com, Bay,
Lucent, ADI, Aventail, PSINet, RedCreek, Shiva,
TimeStep, VPNet