Network Security 635.413.31 Summer 2007 - PowerPoint PPT Presentation


Slides: 36
Provided by: Audrey92



Network Security 635.413.31 Summer 2007
Introduction to Network Security
  • Network Security is becoming more and more
    important as the internet becomes a critical part
    of our communications infrastructure
  • Applications such as online banking and
    e-commerce demand a secure network infrastructure
  • What is network security?
  • Your specific definition depends on who you are;
    the first step in network security is to define
    your organization's security policy
  • Because each organization has different
    requirements and expectations, their security
    policies will be different
  • A security policy does not define implementation;
    it should cover the following:
  • What systems, resources, and data need to be
  • To what level each system, resource, or data
    should be protected
  • Who is responsible for that protection
  • Risk Assessment is an important part of
    developing the policy
  • Also remember that people are the key to proper

Introduction to Network Security
  • There are two main parts to network security
  • Transmission network security and host security
  • These two areas are intimately related, and
    without an effective policy in each, the other's
    security can be compromised
  • Example: stealing an encryption key file from an
    unprotected host
  • Note: I use "network security" interchangeably
    with "computer security"; some folks consider them
    different disciplines
  • Network security breaches can impact an
    organization in many ways
  • Direct costs: stolen assets, money, or property
    and unavailable resources
  • Indirect costs: liability for attackers' actions,
    damage to reputation, release of sensitive
    information to the public
  • Depending on what industry you are in, prison is
    a possibility in serious breaches!

Introduction to Network Security
  • Key Principles of Network Security
  • Convenience and security have an inverse
  • Enforcing a security policy typically puts the
    administrator at odds with the users he or she
    is trying to protect!
  • Example: long, complex passwords
  • Defense in depth
  • Using multiple layers of protective security
  • Layers should provide backup/redundancy to ensure
    no single failure exposes vulnerable
  • Example: network and host-based firewalls
  • Least Privilege
  • Users/sysadmins have just the level of access
    necessary to perform their duties
  • Example: limited administrator accounts
  • Need to Know
  • Limiting access to systems/resources based on
  • Example: formal approvals process before
    accounts are granted

Introduction to Network Security
  • Active vs. Passive Attacks
  • Passive attacks seek to uncover information
    without interrupting the system
  • Information Disclosure (e.g. snooping or
  • Traffic Analysis
  • Primary defense: preventive measures such as
    encryption and traffic padding
  • Active attacks seek to disrupt or damage
  • Masquerade
  • Replay
  • Information Modification
  • Denial of Service (DoS)
  • Primary defense: detection of attacks and rapid
    recovery, such as logging and (anti-DoS) rate

Components of Network Security
  • The Four Fundamental aspects of Network Security
  • Data Integrity
  • Authentication
  • Data Privacy
  • Nonrepudiation
  • In addition two other aspects of security are
    important, especially in the realm of host
  • Authorization
  • Accountability

Data Integrity
  • Mechanisms for Data Integrity
  • For protection against transmission errors, most
    network protocols include error detection (and
    sometimes correction) schemes such as parity
    checking, checksums, and Cyclic Redundancy Checks
  • Unfortunately, these are not useful for network
    security, where the integrity of the data is
    intentionally violated
  • The attacker can easily recalculate a valid
    checksum, parity, or CRC for the altered data
    because the process does not rely on a secret
  • Even if the transmission was not intentionally
    altered, error correction/detection schemes
    provide no absolute protection: there are
    combinations of bit errors in the data and
    integrity check fields that could result in a
    valid combination
  • A very common way to provide data integrity on
    networks is to use a Message Authentication Code

Data Integrity
  • MAC Operation (1)
  • Using a MAC requires two things
  • A shared secret key for the sender and recipient
  • A one-way hashing algorithm
  • Important characteristics of a hashing algorithm
  • Can be applied to any size block of data
  • Produces a fixed-length output
  • Relatively easy to compute (hopefully
    implementable in either software or hardware)
  • For any hash, it is truly one-way (not easily
    reversible mathematically)
  • For any message Mx with hash H(Mx) it is very
    hard to find a message My Mx where H(Mx)
  • It is very hard to find a pair of messages Ma and
    Mb where H(Ma) = H(Mb)

Data Integrity
  • MAC Operation (2)
  • How a MAC is used
  • The sender takes the message and generates the
    checksum for the message (optional)
  • The checksum and shared secret key are run
    through the hashing algorithm which generates the
  • The MAC is appended to the message and the
    message is sent
  • The receiver gets the message, pulls the MAC off
    and stores it, and then takes the message and
    generates the checksum for the message (same as
  • The checksum and shared secret key are run through
    the MAC algorithm
  • The receiver-generated MAC is compared to the one
    sent with the message; if they match, the message
    was delivered without error or tampering
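
An added example (not part of the original slides) contrasting the unkeyed checks with a keyed MAC: a changed message whose CRC-32 is recomputed still verifies, while the same change fails under a MAC. It uses HMAC-SHA-256 from the Python standard library rather than the slides' hash-of-checksum-plus-key construction; the key, message and function names are constructed for illustration.

```python
import hashlib
import hmac
import zlib

SHARED_KEY = b"constructed-demo-key"      # constructed sample secret
MESSAGE = b"PAY alice 100 USD"            # constructed sample message

def sum16(data: bytes) -> int:
    """Simple 16-bit additive checksum (illustrative, not a specific protocol's)."""
    if len(data) % 2:
        data += b"\x00"
    words = (int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    return sum(words) & 0xFFFF

def crc_frame(message: bytes) -> bytes:
    """Message followed by its CRC-32; no secret is involved."""
    return message + zlib.crc32(message).to_bytes(4, "big")

def crc_verify(frame: bytes) -> bool:
    message, crc = frame[:-4], frame[-4:]
    return zlib.crc32(message).to_bytes(4, "big") == crc

def mac_frame(message: bytes, key: bytes) -> bytes:
    """Message followed by a 32-byte HMAC-SHA-256 tag keyed with the shared secret."""
    return message + hmac.new(key, message, hashlib.sha256).digest()

def mac_verify(frame: bytes, key: bytes) -> bool:
    message, tag = frame[:-32], frame[-32:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)   # constant-time comparison

def altered_crc_frame(frame: bytes, old: bytes, new: bytes) -> bytes:
    """Change the message, then recompute the CRC: possible because no key is needed."""
    return crc_frame(frame[:-4].replace(old, new))

def altered_mac_frames(frame: bytes, old: bytes, new: bytes) -> list:
    """Without the key, the options are the stale tag or an unkeyed hash."""
    altered = frame[:-32].replace(old, new)
    return [altered + frame[-32:], altered + hashlib.sha256(altered).digest()]

if __name__ == "__main__":
    print("checksum misses swapped words:", sum16(b"ABCD") == sum16(b"CDAB"))
    print("CRC accepts altered frame:   ",
          crc_verify(altered_crc_frame(crc_frame(MESSAGE), b"100", b"900")))
    print("MAC accepts genuine frame:   ",
          mac_verify(mac_frame(MESSAGE, SHARED_KEY), SHARED_KEY))
    print("MAC accepts altered frames:  ",
          [mac_verify(f, SHARED_KEY)
           for f in altered_mac_frames(mac_frame(MESSAGE, SHARED_KEY), b"100", b"900")])
```

The swapped-word case also illustrates the slides' point that error-detection fields give no absolute protection even against accidental corruption.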

Data Integrity
  • Common MAC Algorithms
  • Secure Hash Algorithm (SHA)
  • Developed by NIST; now a federal standard
  • 2nd generation (SHA-1 or FIPS-180-1) in common
    use - creates a 160-bit hash
  • Third generation (FIPS-180-2) has three options:
    SHA-256, SHA-384, and SHA-512 (denotes the size
    of the hash)
  • For SHA-512 the probability of finding the
    message for a given hash is on the order of 1 in
    2^512 and the probability of finding two messages
    with the same hash on the order of 1 in 2^256
  • MD4 and MD5 (Message Digests)
  • Are often used as a basic integrity check on
    files but can also serve as a MAC with the use of
    a shared secret or PKI
  • Specified in RFC 1320 (MD4) and RFC 1321 (MD5)
  • Designed to output a 128-bit hash (sometimes
    called a fingerprint)
  • Designed for speed on 32-bit systems; MD5 is slower
    than MD4 in a given computation but potentially
    more secure

  • Passwords
  • Play a key role in network and host security
    because they are commonly used to authenticate
    users and control access to resources.
  • A common way for an intruder to compromise a
    network and its associated hosts is to steal
    the passwords of users on those hosts
  • This was a bit more difficult in earlier years
    where networks didn't exist and all access was
    via hardwired terminal; getting passwords meant
    duping a user or doing some very low level
  • With the widespread use of shared packet switched
    technologies, eavesdropping is easy
  • Allows easy theft of passwords
  • In shared networks like Ethernet, any user can
    potentially monitor all other users' traffic
    (snooping or sniffing); this is not impossible
    to do in switched networks!!
  • Passwords can be supplemented (two-factor
    authentication) or replaced by biometric
    authentication like fingerprints or retina scans

  • Key Authentication Protocols
  • IEEE 802.1X
  • A very flexible link-layer protocol for
    authenticating a host
  • PAP: Password Authentication Protocol (RFC 1334)
  • A simple companion to PPP to allow client
    password-based authentication to a server (in
  • CHAP: Challenge Handshake Authentication
    Protocol (RFC 1994)
  • Secure replacement for PAP for authentication
    without revealing passwords
  • Microsoft has also standardized a variant
  • EAP: Extensible Authentication Protocol (RFC
  • Defines an authentication protocol framework
    that allows negotiation of a specific
    authentication mechanism
  • RADIUS (RFC 2865)
  • Protocol supporting a centralized authentication
  • Originally developed by BBN; enhanced version
    developed by Cisco
  • Functionality similar to RADIUS

Data Privacy
  • Data Privacy through Encryption
  • One way to combat eavesdropping or snooping is to
    encrypt data (including passwords) as it travels
    across the network or when it resides in files on
    networked hosts
  • Encryption is the process of scrambling (or
    randomizing) information so only a person knowing
    the appropriate secret can unscramble it and
    obtain the original information
  • There are two basic methods for encryption
  • Symmetric key
  • Public key

Data Privacy
  • Symmetric Key Encryption
  • This encryption method uses a shared secret key
    (like the MAC process)
  • The encryption function is two-way: either the
    encryption function also serves as the decryption
    function or there is a matched pair of encryption
    and decryption functions using the same key
  • The beauty of these algorithms is that the key is
    really the key: everyone knows the algorithm used,
    but each key turns the algorithm into a different
    encryption system
  • Important characteristics of symmetric key
    encryption systems
  • A good algorithm turns a message into a
    completely random set of data
  • The strength of a key-based encryption
    algorithm increases (most of the time
    exponentially) as the key length increases
  • There are typically two ways to crack an
    encrypted message
  • Brute Force
  • Finding a weakness in the algorithm itself

Data Privacy
  • Examples of symmetric key encryption algorithms
  • DES (Data Encryption Standard)
  • NIST standard (FIPS 46-3) block (64-bit)
    encryption algorithm
  • 56-bit key (now considered weak; broken in hours
    by brute force)
  • Cipher Block Chaining (CBC) mode used for further
    protection of data
  • Triple DES or 3-DES
  • Uses multiple rounds of DES, typically two
    (112-bit key) or three (168-bit key); still on a
    64-bit block
  • 168-bit 3-DES still considered secure if properly
  • IDEA (International Data Encryption Algorithm)
  • Developed internationally to circumvent U.S.
    Export Controls
  • 128-bit key; operates on 64-bit data blocks
  • AES (Advanced Encryption Standard)
  • The new government standard (FIPS 197) that is
    replacing DES/3-DES
  • Uses 128, 192, or 256-bit key on a 128-bit data
  • Designed to be computationally efficient and more
    easily implementable in software and low-power
    hardware than DES/3-DES
  • Common operational mode is CBC

Data Privacy
  • Public Key Encryption
  • An alternative to symmetric key encryption which
    also has other security uses (authentication and
  • With Public Key encryption each user has two
  • A public key given to anyone who wishes to
    communicate securely with that user
  • A private key kept secret so no one but the user
    has knowledge of it
  • The public and private keys have a special
    relationship when used with a particular
    encryption algorithm: anything encrypted with the
    public key can be decrypted with the private key
    and vice versa
  • This process is not reversible: once the data is
    encrypted with either the public or private key,
    that key is of no use in decrypting the data
  • Example algorithm: RSA

Data Privacy
  • Using Public Key Encryption for data privacy
  • Sender gets public key of user they wish to send
    a message to
  • Sender encrypts message using the public
    key: E = Fe(Kpub, M)
  • Encrypted message sent to recipient
  • Recipient finds appropriate private key
  • Receiver decrypts message using the private key
  • Another very useful role for public key
    encryption is to provide authentication
  • The private key, since it is known only to one
    person, can act as a digital signature for that
  • Using Public Key Encryption for authentication
  • Sender encrypts message using his or her private
    key: E = Fe(Kpriv, M)
  • Encrypted message sent to recipient
  • Recipient finds appropriate public key for the
  • Receiver decrypts message using the sender's
    public key: M = Fd(Kpub, E)

Data Privacy
  • Using Public Key encryption
  • Many systems use Public Key encryption to provide
    both data integrity and authentication to the
    same message using the processes described above
  • First, the message is signed using the sender's
    private key
  • Then the sender encrypts the message using the
    recipient's public key
  • The message is delivered
  • The recipient decrypts the message using his or
    her private key
  • The recipient verifies the identity of the sender
    by decrypting the message with the sender's
    public key
  • An example of Public Key encryption in use is the
    email privacy and authentication package called
    PGP (Pretty Good Privacy)
  • Digital certificates and the Public Key
    Infrastructure (PKI) concept rely on public key

Virtual Private Networking
  • Introduction
  • Virtual Private Networks (VPNs) are systems
    that allow the secure transmission of private
    data over a public network infrastructure by
    simulating a private network
  • VPNs are usually implemented to build secure
    networks without having to invest in wide area
    leased circuits
  • There are usually two main uses for VPNs
  • To securely connect two or more LANs together
  • To connect remote users into a secure Local Area
  • Important VPN Protocols
  • IPsec
  • PPTP (Microsoft Point-to-Point Tunneling
  • L2F (Layer 2 Forwarding)
  • L2TP (Layer 2 Tunneling Protocol)

Virtual Private Networking
  • The IPsec Protocol
  • The IPsec Protocol was developed to provide a
    standard set of network layer security services
    for IP networks that offered privacy, data
    integrity, authentication, and access control
  • Standard outlined in RFC 2401; first developed
    for IPv6 and then retrofitted to IPv4
  • Like other VPN technologies, IPsec works through
    the use of encapsulation (or tunneling)
  • IPsec consists of two traffic security protocols
    called the Authentication Header (AH) and the
    Encapsulating Security Payload (ESP)
  • IPsec allows the negotiation of many different
    standard encryption and authentication protocols
    through a standard procedure
  • An IPsec session can take place between two
    hosts, a host and a VPN gateway, or between two
    VPN routers/gateways
  • Two connection modes are available: tunnel and
    transport mode

Virtual Private Networking
  • The IPsec Protocol (2): AH and ESP Diagrams

Virtual Private Networking
  • The IPsec Protocol (3)
  • IPsec provides service based on an abstraction
    called a Security Association (SA)
  • A one-way relationship uniquely identified by the
    SPI, Destination IP address, and security header
    (AH or ESP) in use
  • Defined by the following parameters
  • Sequence number counter
  • Sequence counter overflow
  • Anti-replay window
  • AH or ESP information (algorithms, keys, IVs,
  • SA Lifetime
  • IPsec protocol mode (tunnel or transport)
  • Path MTU
  • Parameters are usually negotiated when IPsec
    session is set up

Virtual Private Networking
  • IPsec Tunnel Mode Example
  • IPsec Transport Mode Example

  • Introduction
  • In many cases a good way to enforce parts of a
    security policy is to erect a barrier to
    protect a network of trusted hosts from the
    untrusted world (perimeter security)
  • The devices used to provide this barrier are
    usually called network firewalls
  • Firewalls can provide a first line of defense
    between the Internet and an organization's
    network; in addition, they can be used internally
    to protect particularly sensitive networks
  • Varieties of Firewalls
  • Packet Filters
  • Application and Transport Proxies
  • Stateful Inspection Firewalls

  • Packet Filtering Firewalls
  • Packet filters are the most rudimentary form of
    firewalls, acting at the network and transport
  • Almost all routers can be configured as packet
  • Packet filters decide whether IP packets can be
    routed or should be discarded by comparing
    certain fields in the packet to a set of
    filtering rules
  • Important network and transport layer fields for
    packet filtering
  • Source and Destination IP Addresses
  • Source and Destination Transport Layer Addresses
    (port numbers)
  • IP Payload protocol type
  • Connection establishment flags for TCP
    connections (SYN and ACK bits)

  • Packet Filtering Firewalls
  • Important Note!! Packet filters do not look at
    the transport or application layer payload. The
    only way a packet filtering firewall knows what
    application it is dealing with is by taking a
    guess based on the transport layer addresses
    (ports) used.
  • Packet filtering examples
  • Setting up a packet filter for inbound mail and
    news access while permitting all outbound TCP

  • Packet Filtering Firewall Example (continued)
  • Resulting access list required in the Firewall
  • interface serial0 (the interface to the ISP)
  • ip access-group 101 in
  • access-list 101 deny ip
  • access-list 101 permit tcp any eq smtp
  • access-list 101 permit tcp eq 119
  • access-list 101 permit tcp any any established
  • Remember the implicit deny all!
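
An added example (not from the original slides) that models how the access list above is evaluated: the first matching rule wins, `established` tests only the TCP ACK/RST bits, and anything unmatched hits the implicit deny. The address arguments are missing from the slide text, so the addresses, the reading of the first rule as anti-spoofing, and all class and function names here are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", ...
    dport: Optional[int] = None
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"}

@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: object = ANY
    dst: object = ANY
    dport: Optional[int] = None
    established: bool = False       # TCP with ACK or RST set

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("ip", p.proto):
            return False
        if ip_address(p.src) not in self.src or ip_address(p.dst) not in self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # "established" looks only at the ACK/RST bits; no connection state is kept
        return not self.established or bool(p.flags & {"ACK", "RST"})

def evaluate(acl, p: Packet):
    """First matching rule wins; rule number 0 means the implicit deny."""
    for number, rule in enumerate(acl, start=1):
        if rule.matches(p):
            return rule.action, number
    return "deny", 0

# Constructed addresses (RFC 5737 documentation ranges), not from the slides.
INSIDE = ip_network("192.0.2.0/24")
MAIL, NEWS = ip_network("192.0.2.10/32"), ip_network("192.0.2.20/32")
FEED = ip_network("198.51.100.7/32")

ACL_101 = [
    Rule("deny", "ip", src=INSIDE),                        # assumed anti-spoofing rule
    Rule("permit", "tcp", dst=MAIL, dport=25),             # inbound SMTP
    Rule("permit", "tcp", src=FEED, dst=NEWS, dport=119),  # inbound NNTP from the feed
    Rule("permit", "tcp", established=True),               # replies to outbound TCP
]

SYN, ACK = frozenset({"SYN"}), frozenset({"ACK"})
SAMPLES = {
    "inbound mail":      Packet("203.0.113.5", "192.0.2.10", "tcp", 25, SYN),
    "spoofed source":    Packet("192.0.2.99", "192.0.2.10", "tcp", 25, SYN),
    "reply to outbound": Packet("203.0.113.5", "192.0.2.50", "tcp", 40000, ACK),
    "new inbound SSH":   Packet("203.0.113.5", "192.0.2.50", "tcp", 22, SYN),
    "news, wrong peer":  Packet("203.0.113.5", "192.0.2.20", "tcp", 119, SYN),
    "inbound UDP reply": Packet("203.0.113.5", "192.0.2.50", "udp", 40000),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18} -> {evaluate(ACL_101, pkt)}")
```

The UDP reply is dropped because this list has no rule for connectionless traffic, and the last rule accepts any segment with ACK or RST set because the filter tracks no connections; the stateful inspection firewalls covered later in the deck address both.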

  • Application and Transport Proxies
  • Proxies are security gateways that separate
    trusted and untrusted networks by intercepting and
    examining traffic above the network layer and
    permitting or denying traffic based on transport
    or application layer criteria
  • Application Layer Proxies
  • Application layer proxies are application
  • Application proxies can be configured to provide
    very granular filtering (don't allow this user to
    connect to this web page, etc.) and protection
    (email viruses)
  • Most of the time application proxies are not
    transparent to users
  • Running proxies usually requires hardware with
    lots of power and lots of administrator time
    (upgrades, bug fixes, etc.)
  • Examples
  • Web Proxies (e.g. squid)
  • Mail Proxies (aka mail gateways)

  • Transport or Circuit Level Proxies
  • Applications using TCP can use a secure transport
    proxy such as SOCKS
  • Requires less horsepower on the proxy system
  • Requires fewer user modifications to applications
  • Requires less work on the part of the network
    administrator: all TCP-based applications run
    through one proxy
  • Less granular control than application proxies;
    still need a way to control applications based on
    connectionless UDP transport

  • Stateful Inspection Firewalls
  • A relatively recent variation on firewall
    technology where the firewall provides the
    combined functionality of a packet filter and a
    high-level proxy
  • All packets are inspected and state information
    is tracked on all connections and UDP flows
    through the firewall
  • Allows very granular filtering and blocking of
    content (blocking of Active-X controls or Java
    applets, removal of executable e-mail
    attachments, etc.)
  • Usually transparent to end users (unless
    something is blocked)
  • Dynamic access filters can open up holes for
    media flows (e.g. VoIP calls) and close them as
    soon as the session ends
  • While most stateful inspection firewalls provide
    well thought out GUIs, they typically need to run
    on high powered systems.

  • Firewall Examples
  • Packet Filtering Firewalls
  • Practically any Router!! You see Cisco examples
    here in class
  • Stateful Inspection Firewalls
  • Software
  • Checkpoint Firewall-1
  • Microsoft ISA 2006
  • Hardware/Appliances
  • Cisco PIX/ASA
  • Nokia IP-Series Firewall (e.g. IP2255)
  • Juniper Netscreen
  • Application Proxies
  • Microsoft ISA 2006
  • TCP Wrappers

Beyond Firewalls
  • Other Security Devices of Note
  • VPN Concentrator
  • Intrusion Detection System (IDS)
  • Intrusion Prevention System (IPS)
  • Honeypot/Honeynet
  • Vulnerability Assessment System
  • Penetration Testing System
  • Mail Security (SMTP) Gateways/Appliances
  • Network Access Control (NAC)
  • Data Policy Compliance Engines

Network Attacks
  • Common Network Attacks
  • Denial of Service
  • Distributed Denial of Service
  • Spoofing
  • Ping-of-Death
  • Buffer Overflow
  • Port Scanning
  • Social Engineering/Phishing/Spear-Phishing
  • Trojan Horses
  • Bounce Attacks
  • Good Sources for Network Security information
  • SANS
  • ICSA
  • Security Focus

Tips for Network Security
  • Ten Practical tips for Network Security
  • Develop a written, well distributed security
  • Always assume you know less than your adversary
  • Put yourself in a hacker's shoes
  • Implement multi-layered security defenses
    (defense in depth)
  • Limit privileges and permissions to what is
    needed for mission
  • Log, Log, Log! Know what is happening in your
  • Make your users your allies
  • Stay current
  • Make sure you are doing the simple things!
  • Remain calm and logical

Reading Homework
  • Reading
  • Chapter 30 Network Security
  • One week until the Final Exam! Final Assignment
    is due by next Monday.
  • Please make sure you review the mid-term and we
    discuss any questions/concerns you have.