Network Security 635.413.31 Summer 2007 - PowerPoint PPT Presentation

Slides: 36
Provided by: Audrey92
Transcript and Presenter's Notes

Title: Network Security 635.413.31 Summer 2007


1
Network Security 635.413.31 Summer 2007
2
Introduction to Network Security
  • Network Security is becoming more and more
    important as the internet becomes a critical part
    of our communications infrastructure
  • Applications such as online banking and
    e-commerce demand a secure network infrastructure
  • What is network security?
  • Your specific definition depends on who you are;
    the first step in network security is to define
    your organization's security policy
  • Because each organization has different
    requirements and expectations, their security
    policies will be different
  • A security policy does not define implementation;
    it should cover the following:
  • What systems, resources, and data need to be
    protected
  • To what level each system, resource, or data
    should be protected
  • Who is responsible for that protection
  • Risk Assessment is an important part of
    developing the policy
  • Also remember that people are the key to proper
    security!

3
Introduction to Network Security
  • There are two main parts to network security
  • Transmission network security and host security
  • These two areas are intimately related and
    without an effective policy in each, the other's
    security can be compromised
  • Example: stealing an encryption key file from an
    unprotected host
  • Note: I use "network security" interchangeably
    with "computer security"; some folks consider them
    different disciplines
  • Network security breaches can impact an
    organization in many ways
  • Direct costs: stolen assets, money, or property
    and unavailable resources
  • Indirect costs: liability for attacker's actions,
    damage to reputation, release of sensitive
    information to the public
  • Depending on what industry you are in, prison is
    a possibility in serious breaches!

4
Introduction to Network Security
  • Key Principles of Network Security
  • Convenience and security have an inverse
    relationship
  • Enforcing a security policy typically puts the
    administrator at odds with the users he or she
    is trying to protect!
  • Example: long, complex passwords
  • Defense in depth
  • Using multiple layers of protective security
  • Layers should provide backup/redundancy to ensure
    no single failure exposes vulnerable
    systems/resources
  • Example: network and host-based firewalls
  • Least Privilege
  • Users/sysadmins have just the level of access
    necessary to perform their duties
  • Example: limited administrator accounts
  • Need to Know
  • Limiting access to systems/resources based on
    need
  • Example: formal approvals process before
    accounts are granted

5
Introduction to Network Security
  • Active vs. Passive Attacks
  • Passive attacks seek to uncover information
    without interrupting the system
  • Information Disclosure (e.g. snooping or
    eavesdropping)
  • Traffic Analysis
  • Primary Defense: preventive measures such as
    encryption and traffic padding
  • Active attacks seek to disrupt or damage
    systems/data
  • Masquerade
  • Replay
  • Information Modification
  • Denial of Service (DoS)
  • Primary Defense: detection of attacks and rapid
    recovery, such as logging and (anti-DoS) rate
    limiting

6
Components of Network Security
  • The Four Fundamental aspects of Network Security
  • Data Integrity
  • Authentication
  • Data Privacy
  • Nonrepudiation
  • In addition, two other aspects of security are
    important, especially in the realm of host
    security
  • Authorization
  • Accountability

7
Data Integrity
  • Mechanisms for Data Integrity
  • For protection against transmission errors, most
    network protocols include error detection (and
    sometimes correction) schemes such as parity
    checking, checksums, and Cyclic Redundancy Checks
  • Unfortunately, these are not useful for network
    security where the integrity of the data is
    intentionally violated
  • The attacker can easily recalculate a valid
    checksum, parity, or CRC for the altered data
    because the process does not rely on a secret
  • Even if the transmission was not intentionally
    altered, error correction/detection schemes
    provide no absolute protection; there are
    combinations of bit errors in the data and
    integrity check fields that could result in a
    valid combination
  • A very common way to provide data integrity on
    networks is to use a Message Authentication Code
    (MAC)

8
Data Integrity
  • MAC Operation (1)
  • Using a MAC requires two things
  • A shared secret key for the sender and recipient
  • A one-way hashing algorithm
  • Important characteristics of a hashing algorithm
  • Can be applied to any size block of data
  • Produces a fixed-length output
  • Relatively easy to compute (hopefully
    implementable in either software or hardware)
  • For any hash, it is truly one-way (not easily
    reversible mathematically)
  • For any message Mx with hash H(Mx) it is very
    hard to find a message My ≠ Mx where H(Mx) =
    H(My)
  • It is very hard to find a pair of messages Ma and
    Mb where H(Ma) = H(Mb)

9
Data Integrity
  • MAC Operation (2)
  • How a MAC is used
  • The sender takes the message and generates the
    checksum for the message (optional)
  • The checksum and shared secret key are run
    through the hashing algorithm which generates the
    MAC
  • The MAC is appended to the message and the
    message is sent
  • The receiver gets the message, pulls the MAC off
    and stores it, and then takes the message and
    generates the checksum for the message (same as
    sender)
  • The checksum and shared secret key are run through
    the MAC algorithm
  • The receiver generated MAC is compared to the one
    sent with the message; if they match, the message
    was delivered without error or tampering
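
The contrast between an unkeyed integrity check and a MAC, and the sender/receiver steps above, as an added example that is not part of the original slides. It uses HMAC-SHA-256 from the Python standard library in place of the slide's simplified "hash the checksum with the key" scheme; the key and messages are constructed sample values.

```python
import hashlib
import hmac
import zlib

KEY = b"constructed-shared-secret"       # constructed sample key
ORIGINAL = b"PAY 100 TO ACCOUNT 1234"    # constructed sample message
ALTERED = b"PAY 900 TO ACCOUNT 1234"     # same message changed in transit
TAG_LEN = 32                             # HMAC-SHA-256 output size in bytes


def crc_send(message: bytes) -> bytes:
    """Append a CRC-32: no secret involved, so anyone can produce it."""
    return message + zlib.crc32(message).to_bytes(4, "big")


def crc_receive(frame: bytes) -> bool:
    message, check = frame[:-4], frame[-4:]
    return zlib.crc32(message).to_bytes(4, "big") == check


def mac_send(key: bytes, message: bytes) -> bytes:
    """Sender side: compute the MAC with the shared key and append it."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def mac_receive(key: bytes, frame: bytes) -> bool:
    """Receiver side: pull the MAC off, recompute it, compare in constant time."""
    message, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def flip_first_bit(frame: bytes) -> bytes:
    """Model a single-bit transmission error."""
    return bytes([frame[0] ^ 0x01]) + frame[1:]


def run_checks() -> dict:
    crc_frame = crc_send(ORIGINAL)
    mac_frame = mac_send(KEY, ORIGINAL)
    return {
        # Both schemes accept an untouched frame and catch a line error.
        "crc_clean": crc_receive(crc_frame),
        "mac_clean": mac_receive(KEY, mac_frame),
        "crc_bit_error": crc_receive(flip_first_bit(crc_frame)),
        "mac_bit_error": mac_receive(KEY, flip_first_bit(mac_frame)),
        # Deliberate change: the CRC is simply recomputed over the new data.
        "crc_altered_recomputed": crc_receive(crc_send(ALTERED)),
        # Without KEY the old tag no longer fits and a new one cannot be made.
        "mac_altered_old_tag": mac_receive(KEY, ALTERED + mac_frame[-TAG_LEN:]),
        "mac_altered_other_key": mac_receive(KEY, mac_send(b"not-the-key", ALTERED)),
    }


if __name__ == "__main__":
    for name, accepted in run_checks().items():
        print(f"{name:24} accepted={accepted}")
```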

10
Data Integrity
  • Common MAC Algorithms
  • Secure Hash Algorithm (SHA)
  • Developed by NIST; now a federal standard
  • 2nd generation (SHA-1 or FIPS-180-1) in common
    use - creates a 160-bit hash
  • Third generation (FIPS-180-2) has three options:
    SHA-256, SHA-384, and SHA-512 (denotes the size
    of the hash)
  • For SHA-512 the probability of finding the
    message for a given hash is on the order of 1 in
    2^512 and the probability of finding two messages
    with the same hash on the order of 1 in 2^256
  • MD4 and MD5 (Message Digests)
  • Are often used as a basic integrity check on
    files but can also serve as a MAC with the use of
    a shared secret or PKI
  • Specified in RFC 1320 (MD4) and RFC 1321 (MD5)
  • Designed to output a 128-bit hash (sometimes
    called a fingerprint)
  • Designed for speed on 32-bit systems; MD5 slower
    than MD4 in a given computation but potentially
    more secure

11
Authentication
  • Passwords
  • Play a key role in network and host security
    because they are commonly used to authenticate
    users and control access to resources.
  • A common way for an intruder to compromise a
    network and its associated hosts is to steal
    the passwords of users on those hosts
  • This was a bit more difficult in earlier years
    where networks didn't exist and all access was
    via hardwired terminal; getting passwords meant
    duping a user or doing some very low level
    wiretapping
  • With the widespread use of shared packet switched
    technologies, eavesdropping is easy
  • Allows easy theft of passwords
  • In shared networks like Ethernet any user can
    potentially monitor all other users' traffic
    (snooping or sniffing); this is not impossible
    to do in switched networks!!
  • Passwords can be supplemented (two-factor
    authentication) or replaced by biometric
    authentication like fingerprints or retina scans

12
Authentication
  • Key Authentication Protocols
  • IEEE 802.1X
  • A very flexible link-layer protocol for
    authenticating a host
  • PAP: Password Authentication Protocol (RFC 1334)
  • A simple companion to PPP to allow client
    password-based authentication to a server (in
    cleartext)
  • CHAP: Challenge Handshake Authentication
    Protocol (RFC 1994)
  • Secure replacement to PAP for authentication
    without revealing passwords
  • Microsoft has also standardized a variant
  • EAP: Extensible Authentication Protocol (RFC
    3748)
  • Defines an authentication protocol framework
    that allows negotiation of a specific
    authentication mechanism
  • RADIUS (RFC 2865)
  • Protocol supporting a centralized authentication
    infrastructure
  • TACACS/TACACS+ (RFC 1492)
  • Originally developed by BBN; enhanced version
    developed by Cisco
  • Functionality similar to RADIUS

13
Data Privacy
  • Data Privacy through Encryption
  • One way to combat eavesdropping or snooping is to
    encrypt data (including passwords) as it travels
    across the network or when it resides in files on
    networked hosts
  • Encryption is the process of scrambling (or
    randomizing) information so only a person knowing
    the appropriate secret can unscramble it and
    obtain the original information
  • There are two basic methods for encryption
  • Symmetric key
  • Public key

14
Data Privacy
  • Symmetric Key Encryption
  • This encryption method uses a shared secret key
    (like the MAC process)
  • The encryption function is two-way: either the
    encryption function also serves as the decryption
    function or there is a matched pair of encryption
    and decryption functions using the same key
  • The beauty of these algorithms is that the key is
    really the key: everyone knows the algorithm used
    but each key turns the algorithm into a different
    encryption system
  • Important characteristics of symmetric key
    encryption systems
  • A good algorithm turns a message into a
    completely random set of data
  • The strength of a key-based encryption
    algorithm increases (most of the time
    exponentially) as the key length increases
  • There are typically two ways to crack an
    encrypted message
  • Brute Force
  • Finding a weakness in the algorithm itself
    (cryptanalysis)

15
Data Privacy
  • Examples of symmetric key encryption algorithms
  • DES (Data Encryption Standard)
  • NIST standard (FIPS 46-3) block (64-bit)
    encryption algorithm
  • 56 bit key (now considered weak; broken in hours
    by brute force)
  • Cipher Block Chaining (CBC) mode used for further
    protection of data
  • Triple DES or 3-DES
  • Uses multiple rounds of DES, typically two
    (112-bit key) or three (168-bit key); still on
    64-bit block
  • 168-bit 3-DES still considered secure if properly
    implemented
  • IDEA (International Data Encryption Algorithm)
  • Developed internationally to circumvent U.S.
    Export Controls
  • 128-bit key; operates on 64-bit data blocks
  • AES (Advanced Encryption Standard)
  • The new government standard (FIPS 197) that is
    replacing DES/3-DES
  • Uses 128, 192, or 256-bit key on a 128-bit data
    block
  • Designed to be computationally efficient and more
    easily implementable in software and low-power
    hardware than DES/3-DES
  • Common operational mode is CBC

16
Data Privacy
  • Public Key Encryption
  • An alternative to symmetric key encryption which
    also has other security uses (authentication and
    nonrepudiation)
  • With Public Key encryption each user has two
    keys:
  • A public key: given to anyone who wishes to
    communicate securely with that user
  • A private key: kept secret so no one but the user
    has knowledge of it
  • The public and private keys have a special
    relationship: when used with a particular
    encryption algorithm, anything encrypted with the
    public key can be decrypted with the private key
    and vice versa
  • This process is not reversible: once the data is
    encrypted with either the public or private key,
    that key is of no use in decrypting the data
  • Example algorithm: RSA

17
Data Privacy
  • Using Public Key Encryption for data privacy
  • Sender gets public key of user they wish to send
    a message to
  • Sender encrypts message using the public
    key: E = Fe(Kpub, M)
  • Encrypted message sent to recipient
  • Recipient finds appropriate private key
  • Receiver decrypts message using the private key:
    M = Fd(Kpriv, E)
  • Another very useful role for public key
    encryption is to provide authentication
  • The private key, since it is known only to one
    person, can act as a digital signature for that
    person
  • Using Public Key Encryption for authentication
  • Sender encrypts message using his or her private
    key: E = Fe(Kpriv, M)
  • Encrypted message sent to recipient
  • Recipient finds appropriate public key for the
    sender
  • Receiver decrypts message using the sender's
    public key: M = Fd(Kpub, E)

18
Data Privacy
  • Using Public Key encryption
  • Many systems use Public Key encryption to provide
    both data integrity and authentication to the
    same message using the processes described above
  • First the message is signed using the sender's
    private key
  • Then the sender encrypts the message using the
    recipient's public key
  • The message is delivered
  • The recipient decrypts the message using his or
    her private key
  • The recipient verifies the identity of the sender
    by decrypting the message with the sender's
    public key
  • An example of Public Key encryption in use is the
    email privacy and authentication package called
    PGP (Pretty Good Privacy)
  • Digital certificates and the Public Key
    Infrastructure (PKI) concept rely on public key
    encryption

19
Virtual Private Networking
  • Introduction
  • Virtual Private Networks, or VPNs, are systems
    that allow the secure transmission of private
    data over a public network infrastructure by
    simulating a private network
  • VPNs are usually implemented to build secure
    networks without having to invest in wide area
    leased circuits
  • There are usually two main uses for VPNs
  • To securely connect two or more LANs together
  • To connect remote users into a secure Local Area
    Network
  • Important VPN Protocols
  • IPsec
  • PPTP (Microsoft Point-to-Point Tunneling
    Protocol)
  • L2F (Layer 2 Forwarding)
  • L2TP (Layer 2 Tunneling Protocol)

20
Virtual Private Networking
  • The IPsec Protocol
  • The IPsec Protocol was developed to provide a
    standard set of network layer security services
    for IP networks that offered privacy, data
    integrity, authentication, and access control
  • Standard outlined in RFC 2401; first developed
    for IPv6 and then retrofitted to IPv4
  • Like other VPN technologies IPsec works through
    the use of encapsulation (or tunneling)
  • IPsec consists of two traffic security protocols
    called the Authentication Header (AH) and the
    Encapsulating Security Payload (ESP)
  • IPsec allows the negotiation of many different
    standard encryption and authentication protocols
    through a standard procedure
  • An IPsec session can take place between two
    hosts, a host and a VPN gateway, or between two
    VPN routers/gateways
  • Two connection modes are available: tunnel and
    transport mode

21
Virtual Private Networking
  • The IPsec Protocol (2): AH and ESP Diagrams

22
Virtual Private Networking
  • The IPsec Protocol (3)
  • IPsec provides service based on an abstraction
    called a Security Association (SA)
  • A one-way relationship uniquely identified by the
    SPI, Destination IP address, and security header
    (AH or ESP) in use
  • Defined by the following parameters:
  • Sequence number counter
  • Sequence counter overflow
  • Anti-replay window
  • AH or ESP information (algorithms, keys, IVs,
    etc.)
  • SA Lifetime
  • IPsec protocol mode (tunnel or transport)
  • Path MTU
  • Parameters are usually negotiated when the IPsec
    session is set up

23
Virtual Private Networking
  • IPsec Tunnel Mode Example
  • IPsec Transport Mode Example

24
Firewalls
  • Introduction
  • In many cases a good way to enforce parts of a
    security policy is to erect a barrier to
    protect a network of trusted hosts from the
    untrusted world (perimeter security)
  • The devices used to provide this barrier are
    usually called network firewalls
  • Firewalls can provide a first line of defense
    between the Internet and an organization's
    network; in addition, they can be used internally
    to protect particularly sensitive networks
  • Varieties of Firewalls
  • Packet Filters
  • Application and Transport Proxies
  • Stateful Inspection Firewalls

25
Firewalls
  • Packet Filtering Firewalls
  • Packet filters are the most rudimentary form of
    firewalls, acting at the network and transport
    layers
  • Almost all routers can be configured as packet
    filters
  • Packet filters decide whether IP packets can be
    routed or should be discarded by comparing
    certain fields in the packet to a set of
    filtering rules
  • Important Network and Transport layer fields for
    packet filtering
  • Source and Destination IP Addresses
  • Source and Destination Transport Layer Addresses
    (port numbers)
  • IP Payload protocol type
  • Connection establishment flags for TCP
    connections (SYN and ACK bits)

26
Firewalls
  • Packet Filtering Firewalls
  • Important Note!! Packet filters do not look at
    the transport or application layer payload. The
    only way a packet filtering firewall knows what
    application it is dealing with is by taking a
    guess based on the transport layer addresses
    (ports) used.
  • Packet filtering examples
  • Setting up a packet filter for inbound mail and
    news access while permitting all outbound TCP
    access

27
Firewalls
  • Packet Filtering Firewall Example (continued)
  • Resulting access list required in the Firewall:
  • interface serial0 (the interface to the ISP)
  • ip access-group 101 in
  • access-list 101 deny ip 128.220.0.0 0.0.255.255 any
  • access-list 101 permit tcp any 128.220.10.10 0.0.0.0 eq smtp
  • access-list 101 permit tcp 192.100.10.10 0.0.0.0 128.220.10.11 0.0.0.0 eq 119
  • access-list 101 permit tcp any any established
  • Remember the implicit deny all!
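
How access list 101 is evaluated against inbound packets (wildcard masks, first match wins, implicit deny), as an added example that is not part of the original slides. The evaluator is a simplified model of the matching logic, and the sample packets and their addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")    # IOS "any" as (address, wildcard mask)
HOST = "0.0.0.0"                         # wildcard mask for one exact host


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol, "tcp" only TCP
    src: tuple
    dst: tuple
    dport: int = None            # "eq <port>"; None means any destination port
    established: bool = False    # IOS "established": ACK or RST bit is set


# access-list 101 from the slide, in order (smtp = TCP 25, 119 = NNTP news).
ACL_101 = [
    Rule("deny", "ip", ("128.220.0.0", "0.0.255.255"), ANY),
    Rule("permit", "tcp", ANY, ("128.220.10.10", HOST), dport=25),
    Rule("permit", "tcp", ("192.100.10.10", HOST), ("128.220.10.11", HOST), dport=119),
    Rule("permit", "tcp", ANY, ANY, established=True),
]


def wildcard_match(addr, spec):
    """Cisco wildcard mask: 1 bits are "don't care", 0 bits must match."""
    base, wildcard = (int(ipaddress.IPv4Address(x)) for x in spec)
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def rule_matches(rule, pkt):
    if rule.proto not in ("ip", pkt["proto"]):
        return False
    if not (wildcard_match(pkt["src"], rule.src) and wildcard_match(pkt["dst"], rule.dst)):
        return False
    if rule.dport is not None and pkt.get("dport") != rule.dport:
        return False
    # The filter is stateless: "established" only inspects header bits.
    if rule.established and not pkt.get("flags", set()) & {"ACK", "RST"}:
        return False
    return True


def evaluate(acl, pkt):
    """First matching rule wins; no match falls through to the implicit deny."""
    for number, rule in enumerate(acl, start=1):
        if rule_matches(rule, pkt):
            return rule.action, f"rule {number}"
    return "deny", "implicit deny"


# Constructed inbound packets on serial0 (sample data, not from the slides).
SAMPLES = {
    "inside_src_from_outside": dict(proto="tcp", src="128.220.5.5", dst="128.220.10.10", dport=25, flags={"SYN"}),
    "inbound_mail": dict(proto="tcp", src="203.0.113.7", dst="128.220.10.10", dport=25, flags={"SYN"}),
    "news_from_feed": dict(proto="tcp", src="192.100.10.10", dst="128.220.10.11", dport=119, flags={"SYN"}),
    "news_from_other_host": dict(proto="tcp", src="203.0.113.7", dst="128.220.10.11", dport=119, flags={"SYN"}),
    "reply_to_outbound_tcp": dict(proto="tcp", src="198.51.100.20", dst="128.220.3.3", dport=40000, flags={"ACK"}),
    "new_inbound_web": dict(proto="tcp", src="198.51.100.20", dst="128.220.3.3", dport=80, flags={"SYN"}),
    "udp_dns_reply": dict(proto="udp", src="198.51.100.53", dst="128.220.3.3", dport=40001),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:24} -> {evaluate(ACL_101, pkt)}")
```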

28
Firewalls
  • Application and Transport Proxies
  • Proxies are security gateways that separate
    trusted and untrusted networks by intercepting and
    examining traffic above the network layer and
    permitting or denying traffic based on transport
    or application layer criteria
  • Application Layer Proxies
  • Application layer proxies are application
    specific
  • Application proxies can be configured to provide
    very granular filtering (don't allow this user to
    connect to this web page, etc.) and protection
    (email viruses)
  • Most of the time application proxies are not
    transparent to users
  • Running proxies usually requires hardware with
    lots of power and lots of administrator time
    (upgrades, bug fixes, etc.)
  • Examples
  • Web Proxies (e.g. squid)
  • Mail Proxies (aka mail gateways)

29
Firewalls
  • Transport or Circuit Level Proxies
  • Applications using TCP can use a secure transport
    proxy such as SOCKS
  • Requires less horsepower on the proxy system
  • Requires less user modifications to applications
  • Requires less work on the part of the network
    administrator; all TCP-based applications run
    through one proxy
  • Less granular control than application proxies;
    still need a way to control applications based on
    connectionless UDP transport

30
Firewalls
  • Stateful Inspection Firewalls
  • A relatively recent variation on firewall
    technology where the firewall provides the
    combined functionality of a packet filter and a
    high-level proxy
  • All packets are inspected and state information
    is tracked on all connections and UDP flows
    through the firewall
  • Allows very granular filtering and blocking of
    content (blocking of Active-X controls or Java
    applets, removal of executable e-mail
    attachments, etc.)
  • Usually transparent to end users (unless
    something is blocked)
  • Dynamic access filters can open up holes for
    media flows (e.g. VoIP calls) and close them as
    soon as the session ends
  • While most stateful inspection firewalls provide
    well thought out GUIs, they typically need to run
    on high powered systems.

31
Firewalls
  • Firewall Examples
  • Packet Filtering Firewalls
  • Practically any Router!! You see Cisco examples
    here in class
  • Stateful Inspection Firewalls
  • Software
  • Checkpoint Firewall-1
  • Microsoft ISA 2006
  • Hardware/Appliances
  • Cisco PIX/ASA
  • Nokia IP-Series Firewall (e.g. IP2255)
  • Juniper Netscreen
  • Application Proxies
  • Microsoft ISA 2006
  • TCP Wrappers

32
Beyond Firewalls
  • Other Security Devices of Note
  • VPN Concentrator
  • Intrusion Detection System (IDS)
  • Intrusion Prevention System (IPS)
  • Honeypot/Honeynet
  • Vulnerability Assessment System
  • Penetration Testing System
  • Mail Security (SMTP) Gateways/Appliances
  • Network Access Control (NAC)
  • Data Policy Compliance Engines

33
Network Attacks
  • Common Network Attacks
  • Denial of Service
  • Distributed Denial of Service
  • Spoofing
  • Ping-of-Death
  • Buffer Overflow
  • Port Scanning
  • Social Engineering/Phishing/Spear-Phishing
  • Trojan Horses
  • Bounce Attacks
  • Good Sources for Network Security information
  • US-CERT/CVE
  • SANS
  • ICSA
  • Security Focus

34
Tips for Network Security
  • Ten Practical tips for Network Security
  • Develop a written, well distributed security
    policy
  • Always assume you know less than your adversary
  • Put yourself in a hacker's shoes
  • Implement multi-layered security defenses
    (defense in depth)
  • Limit privileges and permissions to what is
    needed for mission
  • Log, Log, Log! Know what is happening in your
    network
  • Make your users your allies
  • Stay current
  • Make sure you are doing the simple things!
  • Remain calm and logical

35
Reading Homework
  • Reading
  • Chapter 30: Network Security
  • One week until the Final Exam! Final Assignment
    is due by next Monday.
  • Please make sure you review the mid-term and we
    discuss any questions/concerns you have.