Topic 10: Network Security Management - PowerPoint PPT Presentation


Title: Topic 10: Network Security Management


1
Topic 10 Network Security Management
  • References
  • FD Chapter 10
  • WS Chapter 18 20

2
Outline
  • An introduction to network security
  • Preventing unauthorized access
  • Data encryption/decryption
  • Securing e-commerce transactions
  • Protecting network from the intrusion

3
An introduction to network security
4
Why Networks Need Security
  • In recent years, organizations have become
    increasingly dependent on the data communication
    networks for their daily business communications,
    database retrieval, distributed data processing,
    and the internetworking of LANs.
  • The losses associated with security failures can
    be huge.
  • More important than direct theft losses are the
    potential losses from the disruption of
    applications systems that run on computer
    networks.

5
Figure 10-2 Number of Incidents Reported to CERT
(Computer Emergency Response Team)
Source CERT Statistics, www.cert.org/stats/cert_s
tats.html
6
Percent of organizations reporting security
problems due to this cause in the last 12 months
Figure 10-5 Common Threats
7
Crime Is Soaring in Cyberspace
  • New York Times (01/27/03) P. C4 Tedeschi, Bob
    Cybersecurity consultants such as Ponemon
    Institute Chairman Larry Ponemon report that
    cybercrimes are increasing exponentially, yet
    quantifying losses is difficult because
    victimized companies are reluctant to publicly
    disclose electronic theft for a variety of
    reasons, including fear that it will inspire
    other hackers to attack them, shake the
    confidence of their customers and investors, or
    make them the target of rival businesses'
    ridicule. Ponemon adds that companies often hide
    these losses in their balance sheets, a practice
    that does not allow for "a clean picture of how
    expensive it is to have to deal with fraudulent
    or criminal activities." Mi2g estimates that the
    number of successful, confirmed worldwide hacker
    intrusions this month will probably exceed
    20,000, compared to 16,000 in October. Last year,
    the FBI and the Computer Security Institute held
    a survey of 500 computer security practitioners,
    and found that 80 percent of respondents admitted
    that their companies sustained financial losses
    from hack attacks the average loss was 2
    million, according to 223 respondents who
    quantified the damage. Deloitte Touche Tohmasu's
    Richard Power reports that the increase in
    cybercrime is partly attributable to the economic
    downturn, while cutbacks in corporate budgets and
    personnel only increase the difficulty businesses
    face in securing their computer systems. Law
    enforcement officials acknowledge that tracing
    cybercrime is hard, because hackers can use
    technology to remain anonymous--plus they have an
    advantage over the authorities in terms of skill
    and numbers. Complicating matters is the fact
    that perpetrators are often corporate insiders
    in fact, Gartner analyst John Pescatore
    attributes 70 percent of cyber-intrusions to
    employees who sold information to competitors in
    hopes of getting better jobs or building a
    financial cushion to sustain them if they are let
    go.http//www.nytimes.com/2003/01/27/technology/2
    7ECOM.html

8
Ex-Officials Urge U.S. to Boost Cybersecurity
  • Washington Post (04/09/03) P. E5 Krebs, Brian
    Former White House cybersecurity advisor Richard
    A. Clarke told a House Government Reform
    subcommittee yesterday that the Homeland Security
    Department is ill-equipped to effectively
    implement the White House's National Strategy to
    Secure Cyberspace, which he co-authored. He
    warned that legislators should not dismiss the
    ramifications of an assault on U.S. computer
    networks, arguing that such thinking is similar
    to the now-defunct assumption that a major
    foreign terrorist attack could never take place
    on American soil. Former National Infrastructure
    Protection Center (NIPC) director Michael Vatis,
    who also testified before the House panel, agreed
    with Clarke. He added that many positions in the
    Homeland Security Department's cybersecurity
    division are still unfilled, because most FBI
    cybersecurity specialists assigned to the NIPC
    were not transferred to the new department. The
    Homeland Security Department's David Wray
    admitted that over 200 positions are still
    vacant, but supported the Bush administration's
    decision to have all cybersecurity efforts
    coordinated by a single officer.Click Here to
    View Full Article

9
SETI_at_home Flaw Could Let Invaders In
  • CNet (04/07/03) Lemos, Robert Gray, Patrick The
    SETI_at_home project released a new version of its
    distributed client software on April 4 in order
    to close a buffer overflow flaw that could allow
    hackers to commandeer the computer systems of
    SETI_at_home volunteers. SETI_at_home is a distributed
    computing project in which PC users donate idle
    processing time to scan radio-telescope data for
    signs of intelligent extraterrestrial
    transmissions. Three vulnerabilities
  • The first one is the buffer overflow problem, to
    SETI_at_home in December, which were not disclosed
    to the public until this past weekend.
  • Another flaw resides in the project servers that
    could allow a hacker to breach the main servers
    and take advantage of all SETI_at_home clients.
  • The third flaw Wever alerted SETI_at_home to lies in
    the unencrypted data the client sends to the
    server--such information revolves around the
    computer that is running the client.http//news.c
    om.com/2100-1002-995801.html

10
Loss from Hack Attacks
  • The cost of cyberattacks to U.S. businesses
    doubled to 10 billion in 1999, according to
    estimates from the Computer Security Institute
    (CSI). The research group today is releasing the
    results of its survey of 643 large organizations,
    showing estimated losses of 266 million in 1999
    from cybercrime, which is more than twice the
    amount lost in 1998.
  • - Los Angeles Times (03/22/00) P. C1 Piller,
    Charles

11
A Hackers Story
  • Kevin Mitnick - a famous hacker
  • arrested At 130 a.m., February 15, 1995
  • released on January 21, 2000
  • What has he done?
  • Broke into LA Unified School Districts main
    computers when he was in high school.
  • Accessed North American Air Defense Command
    computers
  • He is referred to as electronic terrorist for
    many computer break-ins he has committed.
  • More stories

12
A True Story of Linux Hacking
  • How the hacker did?
  • Got the login for admin account
  • Delete netlog directory to prevent discovery
  • Load a DoS software bomb
  • Attack other computers using the bomb
  • How it is discovered?
  • When it attacks someone caught it
  • A complaint is sent to Tech

13
A True Story of Linux Hacking
  • From roger rick mailtoh4ker_at_hotmail.com
  • Sent Sunday, February 04, 2001 232 PM
  • To J.Stalcup_at_ttu.edu webmaster_at_ba.ttu.edu
  • Subject Compromised Box?
  • I believe on of your systems on your subnet has
    been compromised and is
  • now running a eggdrop on IRC EFnet. A eggdrop is
    a client that is always
  • connected to the EFnet server and allows a user
    to get Operator status.
  • This eggdrop could result in DoS attacks on your
    server if the user makes
  • the right people angry.
  • ÚÄÄÄÄÄ---Ä--ÄÄÄ-ÄÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄÄÄÄ -- -
  • H20B0NG ( bong_at_geek.ba.ttu.edu
    )
  • ³ ircname real eyes realize real lies
  • channels shells
  • ³ server irc.stanford.edu
  • ÀÄÄÄÄÄ---Ä--ÄÄÄ-ÄÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄÄÄÄ -- -
  • There is the bot and system information. If you
    are not concerned about
  • this, sorry for wasting your time. But it could
    result in downtime in
  • the long run. Look for a connection to a irc
    server on port 6667, It might

14
Security Threats - Type 1
  • Non-technical based threats and can be prevent
    and protected using managerial approaches.
    Typically, they are from disasters.
  • Nature disasters flood, fire, earthquake, etc
  • Terror attacks
  • Criminal cases
  • Accidents by human error
  • Direct consequences
  • Destroying host computers or large sections of
    the network.
  • Damaging data storages

15
How to prevent the losses from type 1 threats?
  • Discussion focus If you were CIO for a large
    company what you should do to prevent the losses
    from a disaster from a managerial point of view?

16
Security Threats - Type 2
  • These are technical attacks. Need both technical
    and managerial approaches to prevent and protect
    the attacks.
  • Destruction Virus/Worm attacks
  • Disruption DoS (Denial of Service) and DDoS
    (Distributed DoS) attack
  • Unauthorized access often viewed as hackers
    gaining access to organizational data files and
    resources.
  • Most unauthorized access incidents involve
    employees. Serious intruders could change files
    to commit fraud or theft, or destroy information
    to injure the organization.
  • Story Microsoft network was hacked in Oct. 2000

17
Attacks Passive vs. Active
  • Passive Attacks
  • Eavesdropping and Monitoring
  • Targets Electronic mail, file transfers, and
    client/server exchanges
  • Active Attacks
  • Modification of transmitted data
  • Attempts to gain unauthorized access to computer
    systems
  • E.g. Modification, Hacking, Software bombing,
    Disrupting

18
Worm vs. Virus
19
Red Alert Worm
  • "'Code Red' Unleashed on Web"Los Angeles Times
    (08/01/01) P. C3 Piller, Charles
  • A malicious computer worm is spreading over the
    Internet, causing infected computers to search
    the Web to find more victims. Eventually the Code
    Red worm, which only recently began its spread,
    will cause its host computers to deluge the White
    House Web site with a barrage of data. However, a
    previous version of the worm was released earlier
    last month against the same White House target.
    That version also defaced the Web sites hosted on
    the servers it infected with a message claiming
    "Hacked by Chinese," though the Chinese
    government has denied the worm originated in that
    country. Officials at the White House have since
    used an address-change technique to divert the
    data flow from Code Red computers, and the site
    will also remain safe from the current version.
    Code Red, however, will continue to spread,
    reaching its peak within 36 hours of its August
    1st release date, according to Internet Security
    Systems researcher Chris Rouland. The worm is
    programmed to go dormant on August 28th.

20
A True Story of Red Alert Attack
  • When July 20, 2001
  • Where Dr. Lins Office
  • What computer 129.118.49.94, Windows 2000
    Advanced Server
  • How Not known yet
  • Who discovered the attack someone using
    DShield.org reported and sent BACS an email
  • Symptoms
  • When using asp scripts, the page displays
    Hacked by Chinese
  • A malicious program scans ports of other computer

21
Security Attacks
Normal flow
Interruption
Interception
Modification
Fabrication
22
How to protect your network
  • Managerial approaches
  • Technical approaches

23
Preventing unauthorized access
24
Preventing Unauthorized Access
  • Approaches to preventing unauthorized access
  • Developing a security policy
  • Developing user profiles
  • Strengthen physical security and software
    security
  • Securing dial-in service system
  • Fix security holes
  • Using firewall
  • Using encryption
  • A combination of all techniques is best to ensure
    strong security.

25
Securing Network Access Points
  • What is a firewall A router, gateway, or special
    purpose computer that examines packets flowing
    into and out of a network and restricts access to
    the organizations network.
  • Why using firewall With the increasing use of
    the Internet, it becomes important to prevent
    unauthorized access to your network from
    intruders on other networks.
  • Case Study Attack to a firewall

26
Securing Network Access Points
  • Packet-level firewall
  • Examines the source and destination address of
    every network packet that passes through it and
    only allows packets that have acceptable source
    and destination addresses to pass.
  • Vulnerable to IP-level spoofing, accomplished by
    changing the source address on incoming packets
    from their real address to an address inside the
    organizations network.
  • Many firewalls have had their security
    strengthened since the first documented case of
    IP spoofing in December 1994.

27
Spoof
  • "Spoof" was a game invented in 1933 by an English
    comedian, Arthur Roberts. Webster's defines the
    verb to mean (1) to deceive or hoax, and (2) to
    make good-natured fun of. On the Internet, "to
    spoof" can mean
  • To deceive for the purpose of gaining access to
    someone else's resources (for example, to fake an
    Internet address so that one looks like a certain
    kind of Internet user)
  • To simulate a communications protocol by a
    program that is interjected into a normal
    sequence of processes for the purpose of adding
    some useful function
  • To playfully satirize a Web site.

28
Application-level Firewall
  • Application-level firewall
  • Acts as an intermediate host computer or gateway
    between the Internet and the rest of the
    organizations network.
  • In many cases, needs special programming codes to
    permit the use of application software unique to
    the organization.
  • Difference
  • packet-level firewalling - prohibits only
    disabled accesses
  • application-level firewalling - permits only
    authorized accesses

29
Proxy Server
  • Proxy server - the technology for firewalls
  • Uses an address table to translate network
    addresses inside the organizations into fake
    addresses for use on the Internet (network
    address translation or address mapping). This
    way systems outside the organization never see
    the actual internal IP addresses.
  • Is becoming the application-level firewall of
    choice.
  • Many organizations use a combination of
    packet-level and application-level firewalls.

30
Network Address Translation (NAT)
  • The process of translating between one set of
    private addresses inside a network and a set of
    public address outside the network.
  • Transparent
  • A NAT proxy server uses an address table to
    translate the private IP addresses used inside
    the organization into proxy IP address used on
    the Internet. It uses the source port number in
    the TCP packet to a unique number that it uses as
    an index into its address table to find the IP
    address of the actual sending computer in the
    internal network.

31
Proxy Server Features
  • Reverse hosting.
  • Reverse proxy.
  • Multi-protocol support.
  • Virtual private networking ability.
  • Application-level proxy
  • Circuit level proxy with SOCKS 4 client support
    and SOCKS 5 logic policy support.
  • Secure Sockets Layer (SSL) tunneling.
  • Authentication.
  • Enterprise security management such as LDAP based
    user/group/password management for proxy
    authentication, Simple Network Management
    Protocol (SNMP) support, etc.

32
(Demilitarized Zone)
33
DMZ
  • Features
  • Allows limited accesses to DMZ from the outside
    (Using a packet level firewall)
  • Prevent unauthorized accesses to departmental
    networks from the Internet (using a proxy server)
  • Allows full accesses to DMZ and the Internet from
    internal networks
  • Limits inter-departmental accesses (using the
    proxy server for each department)

34
Network Eavesdropping
  • Another way to gain unauthorized access, where
    the intruder inserts a listening device or
    computer into the organizations network to
    record messages.
  • Targets
  • Network cables,
  • Network devices such as controllers, hubs, and
    bridges
  • Certain types of cable can impair or increase
    security by making eavesdropping easier (i.e.
    wireless) or more difficult (i.e. fiber optic).
  • Physical security of the networks local loop and
    interexchange telephone circuits is the
    responsibility of the common carrier.

35
Trojan Horse - A Malicious Sniffer
A tiny program that runs on a workstation (PC or
Macintosh). In its simplest form, it simply
records every key pressed, including your
username and password when logging onto any
computer network. Trojan Horse may steal the
important security information without awareness.
36
Data encryption/decryption
37
Outline of Encryption
  • Symmetric key encryption
  • Public-key encryption
  • Key management
  • Digital signature
  • Digital certificate
  • Certificate authority

38
Encryption
  • Encryption A means of disguising information by
    the use of mathematical rules known as algorithms
    to prevent unauthorized access.
  • Five components to the algorithm
  • Plaintext The original readable message or data
  • Ciphertext encrypted message produced as output.
  • Encryption algorithm Performs various
    substitutions and transformations on the
    plaintext.
  • Secret key Input to the encryption algorithm.
    Substitutions and transformations performed
    depend on this key
  • Decryption algorithm Encryption algorithm run in
    reverse. Uses ciphertext and the secret key to
    produce the original plaintext.

39
Using Encryption
  • Today, the U.S. government considers encryption
    to be a weapon, and regulates its export in the
    same way it regulates the export of machine guns
    or bombs. The government is also trying to
    develop a policy called key escrow (key
    recovery), requiring key registration with the
    government.

40
Location of Encryption Devices
  • Link encryption
  • Each vulnerable communications link is equipped
    on both ends with an encryption device.
  • All traffic over all communications links is
    secured.
  • Vulnerable at each switch
  • End-to-end encryption
  • the encryption process is carried out at the two
    end systems.
  • Encrypted data are transmitted unaltered across
    the network to the destination, which shares a
    key with the source to decrypt the data
  • Packet headers cannot be secured

41
Encryption Methods
  • The essential technology underlying virtually all
    automated network and computer security
    applications is cryptography
  • Two fundamental approaches are in use
  • conventional encryption, also known as symmetric
    encryption
  • public-key encryption, also known as asymmetric
    encryption

42
Conventional Encryption Operation
43
Conventional Encryption Requirements Weaknesses
  • Requirements
  • A strong encryption algorithm
  • Secure process for sender receiver to obtain
    secret keys
  • Methods of Attack
  • Cryptanalysis
  • Brute force

44
Symmetric Key Encryption - DES
  • Data encryption standard (DES)
  • A commonly used encryption algorithm.
  • Symmetric (the key used to decrypt a particular
    bit stream is the same one used to encrypt it)
  • Symmetric algorithms can cause problem with key
    management keys must be dispersed and stored
    carefully.
  • A 56-bit version of DES is the most commonly used
    encryption technique today.

45
Data Encryption Standard (DES)
  • Adopted in 1977, reaffirmed for 5 years in 1994,
    by NBS/NIST
  • Plaintext is 64 bits (or blocks of 64 bits), key
    is 56 bits
  • Plaintext goes through 16 iterations, each
    producing an intermediate value that is used in
    the next iteration.
  • DES is now too easy to crack to be a useful
    encryption method

46
Triple DEA (TDEA)
  • Alternative to DES, uses multiple encryption with
    DES and multiple keys
  • With three distinct keys, TDEA has an effective
    key length of 168 bits, so is essentially immune
    to brute force attacks
  • Principal drawback of TDEA is that the algorithm
    is relatively sluggish in software

47
Public-Key Encryption
  • Based on mathematical functions rather than on
    simple operations on bit patterns
  • Asymmetric, involving the use of two separate
    keys
  • Misconceptions about public key encryption
  • it is more secure from cryptanalysis
  • it is a general-purpose technique that has made
    conventional encryption obsolete

48
Public-Key Encryption Operation
49
Public-Key Signature Operation
50
Characteristics of Public-Key
  • Infeasible to determine the decryption key given
    knowledge of the cryptographic algorithm and the
    encryption key.
  • Either of the two related keys can be used for
    encryption, with the other used for decryption.
  • Slow, but provides tremendous flexibility to
    perform a number of security-related functions
  • Most widely used algorithm is RSA, invented by
    Ron Rivest, Adi Shamir and Len Adleman at MIT in
    1977.

51
Conventional EncryptionKey Distribution
  • Both parties must have the secret key
  • Key is changed frequently
  • Requires either manual delivery of keys, or a
    third-party encrypted channel
  • Most effective method is a Key Distribution
    Center (e.g. Kerberos)

52
Public-Key EncryptionKey Distribution
  • Parties create a pair of keys public key is
    broadly distributed, private key is not
  • To reduce computational overhead, the following
    process is then used
  • 1. Prepare a message.
  • 2. Encrypt that message using conventional
    encryption with a one-time conventional session
    key.
  • 3. Encrypt the session key using public-key
    encryption with recipients public key.
  • 4. Attach the encrypted session key to the
    message and send it.

53
Digital Signature
  • An electronic message that can be used by someone
    to authenticate the identity of the sender of a
    message or of the signer of a document.
  • Can also be used to ensure that the original
    content of the message or document that has been
    conveyed is unchanged.
  • Additional benefits
  • Easy transportation, not easily repudiated, not
    imitated by someone else, and automatically
    time-stamped.

54
Digital Signature Process
55
Level 2 Encryption
Alice
Bob
Alice encrypts with Bobs public key
Bob decrypts with his private key
56
Public Key Certificates
  • 1. A public key is generated by the user and
    submitted to Agency X for certification.
  • 2. X determines by some procedure, such as a
    face-to-face meeting, that this is authentically
    the users public key.
  • 3. X appends a timestamp to the public key,
    generates the hash code of the result, and
    encrypts that result with Xs private key forming
    the signature.
  • 4. The signature is attached to the public key.

57
Certificate Authority
  • A certificate authority is a trusted organization
    that can vouch for the authenticity of the person
    or organization using authentication.
  • A person wanting to use a CA registers with the
    CA and must provide some proof of identify.
  • The CA issues a digital certificate that is the
    requestor's public key encrypted using the CA's
    private key as proof of identify.
  • This certificate is then attached to the user's
    email or Web transactions in addition to the
    authentication information.
  • The receiver then verifies the certificate by
    decrypting it with the CA's public key -- and
    must also contact the CA to ensure that the
    user's certificate has not been revoked by the
    CA.
  • For higher level security certification, the CA
    requires that a unique fingerprint (key) be
    issued by the CA for each message sent by the
    user.

58
VeriSign, Inc
  • Headquartered in Mountain View, California, a
    leading provider of Internet trust services
    authentication, validation and payment - needed
    by Web sites, enterprises, and e-commerce service
    providers to conduct trusted and secure
    electronic commerce and communications over IP
    networks.
  • To date, VeriSign has issued over 215,000 Web
    site digital certificates and over 3.9 million
    digital certificates for individuals.

59
VeriSign
  • "Group Approves VeriSign's Control Over Web
    Addresses Wall Street Journal (04/03/01) P. B4
    Bridis, Ted
  • In a 12-3 vote, ICANN's board approved its
    new deal with VeriSign, allowing the company to
    retain control of the .com domain without
    divesting portions of its business. By Dec. 2002,
    VeriSign will give up the .org domain, and the
    .net domain will be surrendered at a later date,
    although VeriSign will have a chance to bid for
    control of the .net domain. There were a few
    changes made to the agreement. The 10,000 fee
    that registrars pay to VeriSign was dropped and
    VeriSign now has to spend 200 million toward the
    research necessary to create a directory of all
    domain names. Further, VeriSign must keep the
    registrar and registry portions of its business
    separate or it will face fines. The U.S. Commerce
    Department still has to approve the deal, and
    four members of Congress have suggested that the
    Commerce Department "fully analyze" competitive
    concerns stemming from the new deal. These
    suggestions, which were made by Reps.
  • (http//www.washingtonpost.com/wp-dyn/articles/A35
    085-2001Apr3.html)

60
Securing e-commerce transactions
61
Secure Transactions for E-Payment
Secure transactions must have at least the
following characteristics Confidentiality
others cannot eavesdrop on an exchange.
Integrity the messages received are identical
to the messages sent. Authenticity you are
assured of the persons with whom you are making
an exchange. Non-Repudiation none of the
involved parties can deny that the exchange took
place.
62
Confidentiality
  • The protection of transmitted data from passive
    attacks release of message contents, and traffic
    analysis.
  • With respect to the release of message contents,
    several levels of protection can be identified.
    The broadest service protects all user data
    transmitted between two users over a period of
    time.

63
Authentication
  • Authentication service is concerned with assuring
    that a communication is authentic.
  • In the case of a single message, to assure the
    recipient that the message is from the source
    that it claims to be from
  • In the case of an ongoing interaction, to assure
    that the two entities are authentic
  • To assure that the connection is not interfered
    with in such a way that a third party can
    masquerade as one of the two legitimate parties
    for the purpose of unauthorized transmission and
    reception.

64
Integrity
  • The integrity service is applied particularly to
    total stream protection.
  • In connection-oriented service, to assure
    messages are received as sent, without
    duplication, insertion, modification, recording,
    or replays.
  • In connectionless service, generally provides
    protection against message modification.

65
Non-repudiation
  • To prevent either sender or receiver from denying
    a transmitted message.
  • The receiver can prove that the message was in
    fact sent by the alleged sender.
  • The sender can prove that the message was in fact
    received by the alleged receiver.

66
How to prevent repudiation?
  • What is repudiation Denial of the message
    previously sent
  • Idea keep the original message encrypted using
    senders private key
  • How using digital signature

67
Internet Security Architecture
PGP S/MIME
Application oriented
SET
HTTP S-HTTP
FTP
SMTP
Transport oriented
SSL or TLS
TCP
Network oriented
IP/IPSec
68
IPSec
  • Why IPSec?
  • In 1994, IAB (Internet Architecture Board) issued
    Security in the Internet Architecture (RFC
    1636)
  • In 1996, CERTs annual report listed 8000
    reported security incidents affecting 4 million
    hosts, identifying IP spoofing attacks.
  • IAB proposed security features for IPv6, which
    are applicable to IPv4. So came IPSec.
  • IP Sec can secure communications across a LAN,
    WANs, and/or the Internet
  • Examples of use
  • Secure branch office connectivity over the
    Internet
  • Secure remote access over the Internet
  • Establishing extranet and intranet connectivity
    with partners
  • Enhancing electronic commerce security

69
Benefits of IPSec
  • When implemented in a firewall or router,
    provides strong security for all traffic crossing
    the perimeter
  • IPSec in a firewall is resistant to bypass
  • Runs below the transport layer (TCP, UDP) and so
    is transparent to applications
  • Can be transparent to end users because it is
    under transport layer
  • Can provide security for individual users if
    needed, e.g. a remote access VPN for mobile users

70
IPSec Functions
  • IPSec provides three main facilities
  • authentication-only function referred to as
    Authentication Header (AH)
  • combined authentication/encryption function
    called Encapsulating Security Payload (ESP)
  • Transport mode protects upper-layer protocols,
    and is for end-end communications good for small
    networks
  • Tunnel mode protects entire IP packet, and is
    used between two security gateways more
    efficient for VPNs
  • a key exchange function
  • Supports DES or other algorithms HMAC, a new
    scheme, is required for authentication.

71
ESP Encryption Authentication
72
IPSec Key Management
  • Manual
  • System administrator (SA) manually configures
    each system with its own keys and with the keys
    of other communicating systems
  • Practical for small, relatively static
    environments
  • Automated
  • Enables the on-demand creation of keys for SAs
    and facilitates the use of keys in a large
    distributed system
  • Most flexible but requires more effort to
    configure and requires more software

73
Web Security
  • Web Vulnerabilities
  • Unauthorized alteration of data at the Web site
  • Unauthorized access to the underlying operating
    system at the Web server
  • Eavesdropping on messages passed between a Web
    server and a Web browser
  • Impersonation
  • Securing the Web site itself
  • install all operating system security patches
  • install the Web server software with minimal
    system privileges
  • use a more secure platform
  • Securing the Web application
  • Secure HyperText Transfer Protocol (S-HTTP)
  • Secure Sockets Layer (SSL)

74
SSL TLS
  • Protocols that sit between the underlying
    transport protocol (TCP) and the application
  • Provides security at the socket level, just
    above the basic TCP/IP service
  • Can provide security for a variety of Internet
    services, not just the WWW
  • Secure Socket Layer (SSL)
  • Originated by Netscape
  • Transport Layer Security (TLS)
  • TLS has been developed by a working group of the
    IETF, and is essentially SSLv3.1

75
SSL Implementation
  • Focused on the initialization/handshaking to set
    up a secure channel
  • to negotiate on an acceptable protocol version.
    i.e., v2 or v3,
  • to select the appropriate set of cryptographic
    algorithms, i.e., cipher and hash methods,
  • to authenticate uni- or bi-directionally, and
  • to securely distribute shared secrets.
  • Digital signatures used in initialization are
    based on RSA after initialization, single key
    encryption systems like DES can be used

76
Simplified SSL Handshake
  • Client sends request to connect
  • Server sends signed certificate
  • Client verifies certificate signer is in its
    acceptable Certificate Authority (CA) list.
  • Client generates session key to be used for
    encryption and sends it to the server encrypted
    with the server's public key (from certificate
    received in step 2.)
  • Server uses private key to decrypt client
    generated session key.
  • (Client HTTP Request and Server HTTP Response)
  • (References 1 2)

77
Recited from http//www.ececs.uc.edu/
78
Secure Hypertext Transfer Protocol (S-HTTP)
  • The logical extension of HTTP.
  • A method that is used to support the encryption
    and decryption of specific WWW documents sent
    over the Internet.
  • Uses RSA public-key encryption. A main use is
    expected to be for online payments.
  • Supported by America Online, CompuServe, IBM,
    Netscape, Prodigy, SPRY (at http//www.spry.com,
    and now owned by CompuServe), and Spyglass.
  • Designed by Allan Schiffman, then at EIT (which
    is now working with Terisa Systems).

79
PGP
  • Pretty Good Privacy
  • A freeware public key encryption package
    developed by Philip Zimmermann that is often used
    to encrypt e-mail.
  • User post their public key on web pages, for
    example, and anyone wishing to send them an
    encrypted message simply cuts and pastes the key
    off the web page in to PGP software, which
    encrypts and sends the message.

80
Secure Electronic Transactions
  • SET is a payment protocol supporting the use of
    bank/credit cards for transactions
  • Supported by MasterCard, Visa, and many companies
    selling goods and services online
  • SET is an open industry standard, using RSA
    public-key and DES single-key encryption

81
Features of SET
  • 1. Establishes industry standards to keep your
    order and payment information confidential.
  • 2. Increases integrity for all transmitted data
    through encryption.
  • 3. Provides authentication that a cardholder is a
    legitimate user of a branded payment card
    account.
  • 4. Provides authentication that a merchant can
    accept branded payment card transactions through
    its relationship with an acquiring financial
    institution.
  • 5. Allows the use of the best security practices
    and system design techniques to protect all

82
E-Cash
  • Created by David Chaum in Amsterdam in 1990
  • Maintains the anonymity of cash transactions
  • Users maintain an account with a participating
    financial institution, and also have a wallet
    on their computers hard drive
  • Digital coins, or tokens, are stored in the wallet

83
Digital Wallet (SET)
  • In the physical world, your wallet stores your
    credit cards and cash. In the online world, your
    digital wallet is installed as a plug-in to your
    web browser. Like your real wallet, your digital
    wallet stores your credit card number and your
    shipping information. Unlike your real wallet,
    you need to the know the secret "password" to use
    what's inside. Your wallet implements the
    "encryption" that makes SET secure.
  • See Digital Wallet Demo

84
Public Key Infrastructure (PKI)
  • Enables users of a public network to securely and
    privately exchange data and money through the use
    of a public and a private cryptographic key pair
    that is obtained and shared through a trusted
    authority.
  • Provides for a digital certificate that can
    identify an individual or an organization and
    directory services that can store and, when
    necessary, revoke the certificates.
  • Different vendors may adopt different approaches
    and services. An Internet standard for PKI is
    being worked on.

85
PKI
  • A public key infrastructure consists of
  • A certificate authority (CA) that issues and
    verifies digital certificate. A certificate
    includes the public key or information about the
    public key
  • A registration authority (RA) that acts as the
    verifier for the certificate authority before a
    digital certificate is issued to a requestor
  • One or more directories where the certificates
    (with their public keys) are held
  • A certificate management system

86
Protecting the network from the intrusion
87
Intrusion Detection System
Internet
Internal Subnet
NAT Proxy Server with network-based IDS
Router
Router
Network-based IDS Sensor
Firewall
Web Server with host-based IDS and
application-based IDS
Switch
Internal Subnet
Router
Switch
Mail Server with host-based IDS
DMZ
Network-based IDS Sensor
DNS Server with host-based IDS
Internal Subnet
IDS Management Console
88
Detecting Unauthorized Access
  • Using Intruder Detection System (IDS). There are
    three type of IDS
  • Network-based
  • Host-based
  • Application-based
  • Two techniques for IDS
  • Misuse detection
  • Anomaly detection

89
Computer forensics
  • The use of computer analysis techniques to gather
    evidence for criminal and/or civil trials
  • Includes the following steps
  • Identify potential evidence.
  • Preserve evidence by making backup copies and use
    those copies for all analysis.
  • Analyze the evidence.
  • Prepare a detailed legal report for use in
    prosecutions.

90
Computer Forensics
  • "Whodunnit? Economist (03/31/01) Vol. 358, No.
    8215, P. 73
  • Computer forensics--the tools and
    techniques used to find, keep, and analyze the
    digital evidence from cybercrimes--is a field
    that is becoming more commercially viable by the
    day. Computer forensics experts must search
    through data that is often encrypted or put in
    graphics files in order to establish an "audit
    trail." Such experts are needed to combat the
    growing popularity of programs on the Internet
    that enable a hacker to gain control of a
    computer's operating system. With more and more
    computers attached to large networks, and
    with few users taking anything more than minimal
    security precautions--if even that--hackers
    relying on these programs could easily have a
    field day employing ordinary users' systems to
    mount sophisticated hacking attacks. However,
    there are now automated investigation tools that
    can counter the hacking programs, such as
    Coroners Toolkit, which speeds up and
    standardizes the digital-forensic examination
    process. A group of anti-hacking experts have
    even set up a network of "honeypots," vulnerable
    but unimportant computers designed to lure
    hackers so that the experts can study their
    habits and techniques.
  • http//www.economist.com/science/displaySto
    ry.cfm?Story_ID550004

91
Entrapment - Honey-Pot
  • A server that contains highly interesting fake
    information available only through illegal
    intrusion to bait or "entrap" the intruder and
    also possibly divert the hacker's attention from
    the real network assets.
  • The honey pot server has sophisticated tracking
    software to monitor access to this information
    that allows the organization and law enforcement
    officials to trace and document the intruders
    actions. If the hacker is subsequently found to
    be in possession of information from the honey
    pot, that fact can be used in prosecution.
View by Category
About This Presentation
Title:

Topic 10: Network Security Management

Description:

Loss from Hack Attacks ... A True Story of Linux Hacking. From: roger rick [mailto:h4ker_at_hotmail.com] ... g. Modification, Hacking, Software bombing, ... – PowerPoint PPT presentation

Number of Views:3400
Avg rating:3.0/5.0
Slides: 92
Provided by: ElizabethL171
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Topic 10: Network Security Management


1
Topic 10 Network Security Management
  • References
  • FD Chapter 10
  • WS Chapter 18 20

2
Outline
  • An introduction to network security
  • Preventing unauthorized access
  • Data encryption/decryption
  • Securing e-commerce transactions
  • Protecting network from the intrusion

3
An introduction to network security
4
Why Networks Need Security
  • In recent years, organizations have become
    increasingly dependent on the data communication
    networks for their daily business communications,
    database retrieval, distributed data processing,
    and the internetworking of LANs.
  • The losses associated with security failures can
    be huge.
  • More important than direct theft losses are the
    potential losses from the disruption of
    applications systems that run on computer
    networks.

5
Figure 10-2 Number of Incidents Reported to CERT
(Computer Emergency Response Team)
Source CERT Statistics, www.cert.org/stats/cert_s
tats.html
6
Percent of organizations reporting security
problems due to this cause in the last 12 months
Figure 10-5 Common Threats
7
Crime Is Soaring in Cyberspace
  • New York Times (01/27/03) P. C4 Tedeschi, Bob
    Cybersecurity consultants such as Ponemon
    Institute Chairman Larry Ponemon report that
    cybercrimes are increasing exponentially, yet
    quantifying losses is difficult because
    victimized companies are reluctant to publicly
    disclose electronic theft for a variety of
    reasons, including fear that it will inspire
    other hackers to attack them, shake the
    confidence of their customers and investors, or
    make them the target of rival businesses'
    ridicule. Ponemon adds that companies often hide
    these losses in their balance sheets, a practice
    that does not allow for "a clean picture of how
    expensive it is to have to deal with fraudulent
    or criminal activities." Mi2g estimates that the
    number of successful, confirmed worldwide hacker
    intrusions this month will probably exceed
    20,000, compared to 16,000 in October. Last year,
    the FBI and the Computer Security Institute held
    a survey of 500 computer security practitioners,
    and found that 80 percent of respondents admitted
    that their companies sustained financial losses
    from hack attacks the average loss was 2
    million, according to 223 respondents who
    quantified the damage. Deloitte Touche Tohmasu's
    Richard Power reports that the increase in
    cybercrime is partly attributable to the economic
    downturn, while cutbacks in corporate budgets and
    personnel only increase the difficulty businesses
    face in securing their computer systems. Law
    enforcement officials acknowledge that tracing
    cybercrime is hard, because hackers can use
    technology to remain anonymous--plus they have an
    advantage over the authorities in terms of skill
    and numbers. Complicating matters is the fact
    that perpetrators are often corporate insiders
    in fact, Gartner analyst John Pescatore
    attributes 70 percent of cyber-intrusions to
    employees who sold information to competitors in
    hopes of getting better jobs or building a
    financial cushion to sustain them if they are let
    go.http//www.nytimes.com/2003/01/27/technology/2
    7ECOM.html

8
Ex-Officials Urge U.S. to Boost Cybersecurity
  • Washington Post (04/09/03) P. E5 Krebs, Brian
    Former White House cybersecurity advisor Richard
    A. Clarke told a House Government Reform
    subcommittee yesterday that the Homeland Security
    Department is ill-equipped to effectively
    implement the White House's National Strategy to
    Secure Cyberspace, which he co-authored. He
    warned that legislators should not dismiss the
    ramifications of an assault on U.S. computer
    networks, arguing that such thinking is similar
    to the now-defunct assumption that a major
    foreign terrorist attack could never take place
    on American soil. Former National Infrastructure
    Protection Center (NIPC) director Michael Vatis,
    who also testified before the House panel, agreed
    with Clarke. He added that many positions in the
    Homeland Security Department's cybersecurity
    division are still unfilled, because most FBI
    cybersecurity specialists assigned to the NIPC
    were not transferred to the new department. The
    Homeland Security Department's David Wray
    admitted that over 200 positions are still
    vacant, but supported the Bush administration's
    decision to have all cybersecurity efforts
    coordinated by a single officer.Click Here to
    View Full Article

9
SETI_at_home Flaw Could Let Invaders In
  • CNet (04/07/03) Lemos, Robert Gray, Patrick The
    SETI_at_home project released a new version of its
    distributed client software on April 4 in order
    to close a buffer overflow flaw that could allow
    hackers to commandeer the computer systems of
    SETI_at_home volunteers. SETI_at_home is a distributed
    computing project in which PC users donate idle
    processing time to scan radio-telescope data for
    signs of intelligent extraterrestrial
    transmissions. Three vulnerabilities
  • The first one is the buffer overflow problem, to
    SETI_at_home in December, which were not disclosed
    to the public until this past weekend.
  • Another flaw resides in the project servers that
    could allow a hacker to breach the main servers
    and take advantage of all SETI_at_home clients.
  • The third flaw Wever alerted SETI_at_home to lies in
    the unencrypted data the client sends to the
    server--such information revolves around the
    computer that is running the client.http//news.c
    om.com/2100-1002-995801.html

10
Loss from Hack Attacks
  • The cost of cyberattacks to U.S. businesses
    doubled to 10 billion in 1999, according to
    estimates from the Computer Security Institute
    (CSI). The research group today is releasing the
    results of its survey of 643 large organizations,
    showing estimated losses of 266 million in 1999
    from cybercrime, which is more than twice the
    amount lost in 1998.
  • - Los Angeles Times (03/22/00) P. C1 Piller,
    Charles

11
A Hackers Story
  • Kevin Mitnick - a famous hacker
  • arrested At 130 a.m., February 15, 1995
  • released on January 21, 2000
  • What has he done?
  • Broke into LA Unified School Districts main
    computers when he was in high school.
  • Accessed North American Air Defense Command
    computers
  • He is referred to as electronic terrorist for
    many computer break-ins he has committed.
  • More stories

12
A True Story of Linux Hacking
  • How the hacker did?
  • Got the login for admin account
  • Delete netlog directory to prevent discovery
  • Load a DoS software bomb
  • Attack other computers using the bomb
  • How it is discovered?
  • When it attacks someone caught it
  • A complaint is sent to Tech

13
A True Story of Linux Hacking
  • From roger rick mailtoh4ker_at_hotmail.com
  • Sent Sunday, February 04, 2001 232 PM
  • To J.Stalcup_at_ttu.edu webmaster_at_ba.ttu.edu
  • Subject Compromised Box?
  • I believe on of your systems on your subnet has
    been compromised and is
  • now running a eggdrop on IRC EFnet. A eggdrop is
    a client that is always
  • connected to the EFnet server and allows a user
    to get Operator status.
  • This eggdrop could result in DoS attacks on your
    server if the user makes
  • the right people angry.
  • ÚÄÄÄÄÄ---Ä--ÄÄÄ-ÄÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄÄÄÄ -- -
  • H20B0NG ( bong_at_geek.ba.ttu.edu
    )
  • ³ ircname real eyes realize real lies
  • channels shells
  • ³ server irc.stanford.edu
  • ÀÄÄÄÄÄ---Ä--ÄÄÄ-ÄÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄÄÄÄ -- -
  • There is the bot and system information. If you
    are not concerned about
  • this, sorry for wasting your time. But it could
    result in downtime in
  • the long run. Look for a connection to a irc
    server on port 6667, It might

14
Security Threats - Type 1
  • Non-technical based threats and can be prevent
    and protected using managerial approaches.
    Typically, they are from disasters.
  • Nature disasters flood, fire, earthquake, etc
  • Terror attacks
  • Criminal cases
  • Accidents by human error
  • Direct consequences
  • Destroying host computers or large sections of
    the network.
  • Damaging data storages

15
How to prevent the losses from type 1 threats?
  • Discussion focus If you were CIO for a large
    company what you should do to prevent the losses
    from a disaster from a managerial point of view?

16
Security Threats - Type 2
  • These are technical attacks. Need both technical
    and managerial approaches to prevent and protect
    the attacks.
  • Destruction Virus/Worm attacks
  • Disruption DoS (Denial of Service) and DDoS
    (Distributed DoS) attack
  • Unauthorized access often viewed as hackers
    gaining access to organizational data files and
    resources.
  • Most unauthorized access incidents involve
    employees. Serious intruders could change files
    to commit fraud or theft, or destroy information
    to injure the organization.
  • Story Microsoft network was hacked in Oct. 2000

17
Attacks Passive vs. Active
  • Passive Attacks
  • Eavesdropping and Monitoring
  • Targets Electronic mail, file transfers, and
    client/server exchanges
  • Active Attacks
  • Modification of transmitted data
  • Attempts to gain unauthorized access to computer
    systems
  • E.g. Modification, Hacking, Software bombing,
    Disrupting

18
Worm vs. Virus
19
Red Alert Worm
  • "'Code Red' Unleashed on Web"Los Angeles Times
    (08/01/01) P. C3 Piller, Charles
  • A malicious computer worm is spreading over the
    Internet, causing infected computers to search
    the Web to find more victims. Eventually the Code
    Red worm, which only recently began its spread,
    will cause its host computers to deluge the White
    House Web site with a barrage of data. However, a
    previous version of the worm was released earlier
    last month against the same White House target.
    That version also defaced the Web sites hosted on
    the servers it infected with a message claiming
    "Hacked by Chinese," though the Chinese
    government has denied the worm originated in that
    country. Officials at the White House have since
    used an address-change technique to divert the
    data flow from Code Red computers, and the site
    will also remain safe from the current version.
    Code Red, however, will continue to spread,
    reaching its peak within 36 hours of its August
    1st release date, according to Internet Security
    Systems researcher Chris Rouland. The worm is
    programmed to go dormant on August 28th.

20
A True Story of Red Alert Attack
  • When July 20, 2001
  • Where Dr. Lins Office
  • What computer 129.118.49.94, Windows 2000
    Advanced Server
  • How Not known yet
  • Who discovered the attack someone using
    DShield.org reported and sent BACS an email
  • Symptoms
  • When using asp scripts, the page displays
    Hacked by Chinese
  • A malicious program scans ports of other computer

21
Security Attacks
Normal flow
Interruption
Interception
Modification
Fabrication
22
How to protect your network
  • Managerial approaches
  • Technical approaches

23
Preventing unauthorized access
24
Preventing Unauthorized Access
  • Approaches to preventing unauthorized access
  • Developing a security policy
  • Developing user profiles
  • Strengthen physical security and software
    security
  • Securing dial-in service system
  • Fix security holes
  • Using firewall
  • Using encryption
  • A combination of all techniques is best to ensure
    strong security.

25
Securing Network Access Points
  • What is a firewall A router, gateway, or special
    purpose computer that examines packets flowing
    into and out of a network and restricts access to
    the organizations network.
  • Why using firewall With the increasing use of
    the Internet, it becomes important to prevent
    unauthorized access to your network from
    intruders on other networks.
  • Case Study Attack to a firewall

26
Securing Network Access Points
  • Packet-level firewall
  • Examines the source and destination address of
    every network packet that passes through it and
    only allows packets that have acceptable source
    and destination addresses to pass.
  • Vulnerable to IP-level spoofing, accomplished by
    changing the source address on incoming packets
    from their real address to an address inside the
    organizations network.
  • Many firewalls have had their security
    strengthened since the first documented case of
    IP spoofing in December 1994.

27
Spoof
  • "Spoof" was a game invented in 1933 by an English
    comedian, Arthur Roberts. Webster's defines the
    verb to mean (1) to deceive or hoax, and (2) to
    make good-natured fun of. On the Internet, "to
    spoof" can mean
  • To deceive for the purpose of gaining access to
    someone else's resources (for example, to fake an
    Internet address so that one looks like a certain
    kind of Internet user)
  • To simulate a communications protocol by a
    program that is interjected into a normal
    sequence of processes for the purpose of adding
    some useful function
  • To playfully satirize a Web site.

28
Application-level Firewall
  • Application-level firewall
  • Acts as an intermediate host computer or gateway
    between the Internet and the rest of the
    organizations network.
  • In many cases, needs special programming codes to
    permit the use of application software unique to
    the organization.
  • Difference
  • packet-level firewalling - prohibits only
    disabled accesses
  • application-level firewalling - permits only
    authorized accesses

29
Proxy Server
  • Proxy server - the technology for firewalls
  • Uses an address table to translate network
    addresses inside the organizations into fake
    addresses for use on the Internet (network
    address translation or address mapping). This
    way systems outside the organization never see
    the actual internal IP addresses.
  • Is becoming the application-level firewall of
    choice.
  • Many organizations use a combination of
    packet-level and application-level firewalls.

30
Network Address Translation (NAT)
  • The process of translating between one set of
    private addresses inside a network and a set of
    public address outside the network.
  • Transparent
  • A NAT proxy server uses an address table to
    translate the private IP addresses used inside
    the organization into proxy IP address used on
    the Internet. It uses the source port number in
    the TCP packet to a unique number that it uses as
    an index into its address table to find the IP
    address of the actual sending computer in the
    internal network.

31
Proxy Server Features
  • Reverse hosting.
  • Reverse proxy.
  • Multi-protocol support.
  • Virtual private networking ability.
  • Application-level proxy
  • Circuit level proxy with SOCKS 4 client support
    and SOCKS 5 logic policy support.
  • Secure Sockets Layer (SSL) tunneling.
  • Authentication.
  • Enterprise security management such as LDAP based
    user/group/password management for proxy
    authentication, Simple Network Management
    Protocol (SNMP) support, etc.

32
(Demilitarized Zone)
33
DMZ
  • Features
  • Allows limited accesses to DMZ from the outside
    (Using a packet level firewall)
  • Prevent unauthorized accesses to departmental
    networks from the Internet (using a proxy server)
  • Allows full accesses to DMZ and the Internet from
    internal networks
  • Limits inter-departmental accesses (using the
    proxy server for each department)

34
Network Eavesdropping
  • Another way to gain unauthorized access, where
    the intruder inserts a listening device or
    computer into the organizations network to
    record messages.
  • Targets
  • Network cables,
  • Network devices such as controllers, hubs, and
    bridges
  • Certain types of cable can impair or increase
    security by making eavesdropping easier (i.e.
    wireless) or more difficult (i.e. fiber optic).
  • Physical security of the networks local loop and
    interexchange telephone circuits is the
    responsibility of the common carrier.

35
Trojan Horse - A Malicious Sniffer
A tiny program that runs on a workstation (PC or
Macintosh). In its simplest form, it simply
records every key pressed, including your
username and password when logging onto any
computer network. Trojan Horse may steal the
important security information without awareness.
36
Data encryption/decryption
37
Outline of Encryption
  • Symmetric key encryption
  • Public-key encryption
  • Key management
  • Digital signature
  • Digital certificate
  • Certificate authority

38
Encryption
  • Encryption A means of disguising information by
    the use of mathematical rules known as algorithms
    to prevent unauthorized access.
  • Five components to the algorithm
  • Plaintext The original readable message or data
  • Ciphertext encrypted message produced as output.
  • Encryption algorithm Performs various
    substitutions and transformations on the
    plaintext.
  • Secret key Input to the encryption algorithm.
    Substitutions and transformations performed
    depend on this key
  • Decryption algorithm Encryption algorithm run in
    reverse. Uses ciphertext and the secret key to
    produce the original plaintext.

39
Using Encryption
  • Today, the U.S. government considers encryption
    to be a weapon, and regulates its export in the
    same way it regulates the export of machine guns
    or bombs. The government is also trying to
    develop a policy called key escrow (key
    recovery), requiring key registration with the
    government.

40
Location of Encryption Devices
  • Link encryption
  • Each vulnerable communications link is equipped
    on both ends with an encryption device.
  • All traffic over all communications links is
    secured.
  • Vulnerable at each switch
  • End-to-end encryption
  • the encryption process is carried out at the two
    end systems.
  • Encrypted data are transmitted unaltered across
    the network to the destination, which shares a
    key with the source to decrypt the data
  • Packet headers cannot be secured

41
Encryption Methods
  • The essential technology underlying virtually all
    automated network and computer security
    applications is cryptography
  • Two fundamental approaches are in use
  • conventional encryption, also known as symmetric
    encryption
  • public-key encryption, also known as asymmetric
    encryption

42
Conventional Encryption Operation
43
Conventional Encryption Requirements Weaknesses
  • Requirements
  • A strong encryption algorithm
  • Secure process for sender receiver to obtain
    secret keys
  • Methods of Attack
  • Cryptanalysis
  • Brute force

44
Symmetric Key Encryption - DES
  • Data encryption standard (DES)
  • A commonly used encryption algorithm.
  • Symmetric (the key used to decrypt a particular
    bit stream is the same one used to encrypt it)
  • Symmetric algorithms can cause problem with key
    management keys must be dispersed and stored
    carefully.
  • A 56-bit version of DES is the most commonly used
    encryption technique today.

45
Data Encryption Standard (DES)
  • Adopted in 1977, reaffirmed for 5 years in 1994,
    by NBS/NIST
  • Plaintext is 64 bits (or blocks of 64 bits), key
    is 56 bits
  • Plaintext goes through 16 iterations, each
    producing an intermediate value that is used in
    the next iteration.
  • DES is now too easy to crack to be a useful
    encryption method

46
Triple DEA (TDEA)
  • Alternative to DES, uses multiple encryption with
    DES and multiple keys
  • With three distinct keys, TDEA has an effective
    key length of 168 bits, so is essentially immune
    to brute force attacks
  • Principal drawback of TDEA is that the algorithm
    is relatively sluggish in software

47
Public-Key Encryption
  • Based on mathematical functions rather than on
    simple operations on bit patterns
  • Asymmetric, involving the use of two separate
    keys
  • Misconceptions about public key encryption
  • it is more secure from cryptanalysis
  • it is a general-purpose technique that has made
    conventional encryption obsolete

48
Public-Key Encryption Operation
49
Public-Key Signature Operation
50
Characteristics of Public-Key
  • Infeasible to determine the decryption key given
    knowledge of the cryptographic algorithm and the
    encryption key.
  • Either of the two related keys can be used for
    encryption, with the other used for decryption.
  • Slow, but provides tremendous flexibility to
    perform a number of security-related functions
  • Most widely used algorithm is RSA, invented by
    Ron Rivest, Adi Shamir and Len Adleman at MIT in
    1977.

51
Conventional EncryptionKey Distribution
  • Both parties must have the secret key
  • Key is changed frequently
  • Requires either manual delivery of keys, or a
    third-party encrypted channel
  • Most effective method is a Key Distribution
    Center (e.g. Kerberos)

52
Public-Key EncryptionKey Distribution
  • Parties create a pair of keys public key is
    broadly distributed, private key is not
  • To reduce computational overhead, the following
    process is then used
  • 1. Prepare a message.
  • 2. Encrypt that message using conventional
    encryption with a one-time conventional session
    key.
  • 3. Encrypt the session key using public-key
    encryption with recipients public key.
  • 4. Attach the encrypted session key to the
    message and send it.

53
Digital Signature
  • An electronic message that can be used by someone
    to authenticate the identity of the sender of a
    message or of the signer of a document.
  • Can also be used to ensure that the original
    content of the message or document that has been
    conveyed is unchanged.
  • Additional benefits
  • Easy transportation, not easily repudiated, not
    imitated by someone else, and automatically
    time-stamped.

54
Digital Signature Process
55
Level 2 Encryption
Alice
Bob
Alice encrypts with Bobs public key
Bob decrypts with his private key
56
Public Key Certificates
  • 1. A public key is generated by the user and
    submitted to Agency X for certification.
  • 2. X determines by some procedure, such as a
    face-to-face meeting, that this is authentically
    the users public key.
  • 3. X appends a timestamp to the public key,
    generates the hash code of the result, and
    encrypts that result with Xs private key forming
    the signature.
  • 4. The signature is attached to the public key.

57
Certificate Authority
  • A certificate authority is a trusted organization
    that can vouch for the authenticity of the person
    or organization using authentication.
  • A person wanting to use a CA registers with the
    CA and must provide some proof of identify.
  • The CA issues a digital certificate that is the
    requestor's public key encrypted using the CA's
    private key as proof of identify.
  • This certificate is then attached to the user's
    email or Web transactions in addition to the
    authentication information.
  • The receiver then verifies the certificate by
    decrypting it with the CA's public key -- and
    must also contact the CA to ensure that the
    user's certificate has not been revoked by the
    CA.
  • For higher level security certification, the CA
    requires that a unique fingerprint (key) be
    issued by the CA for each message sent by the
    user.

58
VeriSign, Inc
  • Headquartered in Mountain View, California, a
    leading provider of Internet trust services
    authentication, validation and payment - needed
    by Web sites, enterprises, and e-commerce service
    providers to conduct trusted and secure
    electronic commerce and communications over IP
    networks.
  • To date, VeriSign has issued over 215,000 Web
    site digital certificates and over 3.9 million
    digital certificates for individuals.

59
VeriSign
  • "Group Approves VeriSign's Control Over Web
    Addresses Wall Street Journal (04/03/01) P. B4
    Bridis, Ted
  • In a 12-3 vote, ICANN's board approved its
    new deal with VeriSign, allowing the company to
    retain control of the .com domain without
    divesting portions of its business. By Dec. 2002,
    VeriSign will give up the .org domain, and the
    .net domain will be surrendered at a later date,
    although VeriSign will have a chance to bid for
    control of the .net domain. There were a few
    changes made to the agreement. The 10,000 fee
    that registrars pay to VeriSign was dropped and
    VeriSign now has to spend 200 million toward the
    research necessary to create a directory of all
    domain names. Further, VeriSign must keep the
    registrar and registry portions of its business
    separate or it will face fines. The U.S. Commerce
    Department still has to approve the deal, and
    four members of Congress have suggested that the
    Commerce Department "fully analyze" competitive
    concerns stemming from the new deal. These
    suggestions, which were made by Reps.
  • (http//www.washingtonpost.com/wp-dyn/articles/A35
    085-2001Apr3.html)

60
Securing e-commerce transactions
61
Secure Transactions for E-Payment
Secure transactions must have at least the
following characteristics Confidentiality
others cannot eavesdrop on an exchange.
Integrity the messages received are identical
to the messages sent. Authenticity you are
assured of the persons with whom you are making
an exchange. Non-Repudiation none of the
involved parties can deny that the exchange took
place.
62
Confidentiality
  • The protection of transmitted data from passive
    attacks release of message contents, and traffic
    analysis.
  • With respect to the release of message contents,
    several levels of protection can be identified.
    The broadest service protects all user data
    transmitted between two users over a period of
    time.

63
Authentication
  • Authentication service is concerned with assuring
    that a communication is authentic.
  • In the case of a single message, to assure the
    recipient that the message is from the source
    that it claims to be from
  • In the case of an ongoing interaction, to assure
    that the two entities are authentic
  • To assure that the connection is not interfered
    with in such a way that a third party can
    masquerade as one of the two legitimate parties
    for the purpose of unauthorized transmission and
    reception.

64
Integrity
  • The integrity service is applied particularly to
    total stream protection.
  • In connection-oriented service, to assure
    messages are received as sent, without
    duplication, insertion, modification, recording,
    or replays.
  • In connectionless service, generally provides
    protection against message modification.

65
Non-repudiation
  • To prevent either sender or receiver from denying
    a transmitted message.
  • The receiver can prove that the message was in
    fact sent by the alleged sender.
  • The sender can prove that the message was in fact
    received by the alleged receiver.

66
How to prevent repudiation?
  • What is repudiation Denial of the message
    previously sent
  • Idea keep the original message encrypted using
    senders private key
  • How using digital signature

67
Internet Security Architecture
PGP S/MIME
Application oriented
SET
HTTP S-HTTP
FTP
SMTP
Transport oriented
SSL or TLS
TCP
Network oriented
IP/IPSec
68
IPSec
  • Why IPSec?
  • In 1994, IAB (Internet Architecture Board) issued
    Security in the Internet Architecture (RFC
    1636)
  • In 1996, CERTs annual report listed 8000
    reported security incidents affecting 4 million
    hosts, identifying IP spoofing attacks.
  • IAB proposed security features for IPv6, which
    are applicable to IPv4. So came IPSec.
  • IP Sec can secure communications across a LAN,
    WANs, and/or the Internet
  • Examples of use
  • Secure branch office connectivity over the
    Internet
  • Secure remote access over the Internet
  • Establishing extranet and intranet connectivity
    with partners
  • Enhancing electronic commerce security

69
Benefits of IPSec
  • When implemented in a firewall or router,
    provides strong security for all traffic crossing
    the perimeter
  • IPSec in a firewall is resistant to bypass
  • Runs below the transport layer (TCP, UDP) and so
    is transparent to applications
  • Can be transparent to end users because it is
    under transport layer
  • Can provide security for individual users if
    needed, e.g. a remote access VPN for mobile users

70
IPSec Functions
  • IPSec provides three main facilities
  • authentication-only function referred to as
    Authentication Header (AH)
  • combined authentication/encryption function
    called Encapsulating Security Payload (ESP)
  • Transport mode protects upper-layer protocols,
    and is for end-end communications good for small
    networks
  • Tunnel mode protects entire IP packet, and is
    used between two security gateways more
    efficient for VPNs
  • a key exchange function
  • Supports DES or other algorithms HMAC, a new
    scheme, is required for authentication.

71
ESP Encryption Authentication
72
IPSec Key Management
  • Manual
  • System administrator (SA) manually configures
    each system with its own keys and with the keys
    of other communicating systems
  • Practical for small, relatively static
    environments
  • Automated
  • Enables the on-demand creation of keys for SAs
    and facilitates the use of keys in a large
    distributed system
  • Most flexible but requires more effort to
    configure and requires more software

73
Web Security
  • Web Vulnerabilities
  • Unauthorized alteration of data at the Web site
  • Unauthorized access to the underlying operating
    system at the Web server
  • Eavesdropping on messages passed between a Web
    server and a Web browser
  • Impersonation
  • Securing the Web site itself
  • install all operating system security patches
  • install the Web server software with minimal
    system privileges
  • use a more secure platform
  • Securing the Web application
  • Secure HyperText Transfer Protocol (S-HTTP)
  • Secure Sockets Layer (SSL)

74
SSL TLS
  • Protocols that sit between the underlying
    transport protocol (TCP) and the application
  • Provides security at the socket level, just
    above the basic TCP/IP service
  • Can provide security for a variety of Internet
    services, not just the WWW
  • Secure Socket Layer (SSL)
  • Originated by Netscape
  • Transport Layer Security (TLS)
  • TLS has been developed by a working group of the
    IETF, and is essentially SSLv3.1

75
SSL Implementation
  • Focused on the initialization/handshaking to set
    up a secure channel
  • to negotiate on an acceptable protocol version.
    i.e., v2 or v3,
  • to select the appropriate set of cryptographic
    algorithms, i.e., cipher and hash methods,
  • to authenticate uni- or bi-directionally, and
  • to securely distribute shared secrets.
  • Digital signatures used in initialization are
    based on RSA after initialization, single key
    encryption systems like DES can be used

76
Simplified SSL Handshake
  • Client sends request to connect
  • Server sends signed certificate
  • Client verifies certificate signer is in its
    acceptable Certificate Authority (CA) list.
  • Client generates session key to be used for
    encryption and sends it to the server encrypted
    with the server's public key (from certificate
    received in step 2.)
  • Server uses private key to decrypt client
    generated session key.
  • (Client HTTP Request and Server HTTP Response)
  • (References 1 2)

77
Recited from http//www.ececs.uc.edu/
78
Secure Hypertext Transfer Protocol (S-HTTP)
  • The logical extension of HTTP.
  • A method that is used to support the encryption
    and decryption of specific WWW documents sent
    over the Internet.
  • Uses RSA public-key encryption. A main use is
    expected to be for online payments.
  • Supported by America Online, CompuServe, IBM,
    Netscape, Prodigy, SPRY (at http//www.spry.com,
    and now owned by CompuServe), and Spyglass.
  • Designed by Allan Schiffman, then at EIT (which
    is now working with Terisa Systems).

79
PGP
  • Pretty Good Privacy
  • A freeware public key encryption package
    developed by Philip Zimmermann that is often used
    to encrypt e-mail.
  • User post their public key on web pages, for
    example, and anyone wishing to send them an
    encrypted message simply cuts and pastes the key
    off the web page in to PGP software, which
    encrypts and sends the message.

80
Secure Electronic Transactions
  • SET is a payment protocol supporting the use of
    bank/credit cards for transactions
  • Supported by MasterCard, Visa, and many companies
    selling goods and services online
  • SET is an open industry standard, using RSA
    public-key and DES single-key encryption

81
Features of SET
  • 1. Establishes industry standards to keep your
    order and payment information confidential.
  • 2. Increases integrity for all transmitted data
    through encryption.
  • 3. Provides authentication that a cardholder is a
    legitimate user of a branded payment card
    account.
  • 4. Provides authentication that a merchant can
    accept branded payment card transactions through
    its relationship with an acquiring financial
    institution.
  • 5. Allows the use of the best security practices
    and system design techniques to protect all

82
E-Cash
  • Created by David Chaum in Amsterdam in 1990
  • Maintains the anonymity of cash transactions
  • Users maintain an account with a participating
    financial institution, and also have a wallet
    on their computers hard drive
  • Digital coins, or tokens, are stored in the wallet

83
Digital Wallet (SET)
  • In the physical world, your wallet stores your
    credit cards and cash. In the online world, your
    digital wallet is installed as a plug-in to your
    web browser. Like your real wallet, your digital
    wallet stores your credit card number and your
    shipping information. Unlike your real wallet,
    you need to the know the secret "password" to use
    what's inside. Your wallet implements the
    "encryption" that makes SET secure.
  • See Digital Wallet Demo

84
Public Key Infrastructure (PKI)
  • Enables users of a public network to securely and
    privately exchange data and money through the use
    of a public and a private cryptographic key pair
    that is obtained and shared through a trusted
    authority.
  • Provides for a digital certificate that can
    identify an individual or an organization and
    directory services that can store and, when
    necessary, revoke the certificates.
  • Different vendors may adopt different approaches
    and services. An Internet standard for PKI is
    being worked on.

85
PKI
  • A public key infrastructure consists of
  • A certificate authority (CA) that issues and
    verifies digital certificate. A certificate
    includes the public key or information about the
    public key
  • A registration authority (RA) that acts as the
    verifier for the certificate authority before a
    digital certificate is issued to a requestor
  • One or more directories where the certificates
    (with their public keys) are held
  • A certificate management system

86
Protecting the network from the intrusion
87
Intrusion Detection System
Internet
Internal Subnet
NAT Proxy Server with network-based IDS
Router
Router
Network-based IDS Sensor
Firewall
Web Server with host-based IDS and
application-based IDS
Switch
Internal Subnet
Router
Switch
Mail Server with host-based IDS
DMZ
Network-based IDS Sensor
DNS Server with host-based IDS
Internal Subnet
IDS Management Console
88
Detecting Unauthorized Access
  • Using Intruder Detection System (IDS). There are
    three type of IDS
  • Network-based
  • Host-based
  • Application-based
  • Two techniques for IDS
  • Misuse detection
  • Anomaly detection

89
Computer forensics
  • The use of computer analysis techniques to gather
    evidence for criminal and/or civil trials
  • Includes the following steps
  • Identify potential evidence.
  • Preserve evidence by making backup copies and use
    those copies for all analysis.
  • Analyze the evidence.
  • Prepare a detailed legal report for use in
    prosecutions.

90
Computer Forensics
  • "Whodunnit? Economist (03/31/01) Vol. 358, No.
    8215, P. 73
  • Computer forensics--the tools and
    techniques used to find, keep, and analyze the
    digital evidence from cybercrimes--is a field
    that is becoming more commercially viable by the
    day. Computer forensics experts must search
    through data that is often encrypted or put in
    graphics files in order to establish an "audit
    trail." Such experts are needed to combat the
    growing popularity of programs on the Internet
    that enable a hacker to gain control of a
    computer's operating system. With more and more
    computers attached to large networks, and
    with few users taking anything more than minimal
    security precautions--if even that--hackers
    relying on these programs could easily have a
    field day employing ordinary users' systems to
    mount sophisticated hacking attacks. However,
    there are now automated investigation tools that
    can counter the hacking programs, such as
    Coroners Toolkit, which speeds up and
    standardizes the digital-forensic examination
    process. A group of anti-hacking experts have
    even set up a network of "honeypots," vulnerable
    but unimportant computers designed to lure
    hackers so that the experts can study their
    habits and techniques.
  • http//www.economist.com/science/displaySto
    ry.cfm?Story_ID550004

91
Entrapment - Honey-Pot
  • A server that contains highly interesting fake
    information available only through illegal
    intrusion to bait or "entrap" the intruder and
    also possibly divert the hacker's attention from
    the real network assets.
  • The honey pot server has sophisticated tracking
    software to monitor access to this information
    that allows the organization and law enforcement
    officials to trace and document the intruders
    actions. If the hacker is subsequently found to
    be in possession of information from the honey
    pot, that fact can be used in prosecution.
About PowerShow.com