Network Security Introduction - PowerPoint PPT Presentation

1 / 119
About This Presentation
Title:

Network Security Introduction

Description:

... signatures, finger prints, face scans, other biometric means, and passwords. ... Effective antivirus policies and procedures must first focus on use and checking ... – PowerPoint PPT presentation

Number of Views:102
Avg rating:3.0/5.0
Slides: 120
Provided by: clem1
Category:

less

Transcript and Presenter's Notes

Title: Network Security Introduction


1
Network Security - Introduction


While computer systems today have good security
systems, they are also vulnerable. Vulnerability
stems from world-wide access to computer systems
via Internet. Computer and network security comes
in many forms including encryption algorithms,
access to facilities, digital signatures, finger
prints, face scans, other biometric means, and
passwords.
2
Network Security, contd
  • Companies are reluctant to publicly admit that
    they have suffered losses due to failed network
    security.
  • Security goals must be set by IT, BUT SUPPORTED
    BY HIGHEST LEVELS OF MANAGEMENT.

3
Basic Security Measures


Basic security measures for computer systems fall
into eight categories External
security Operational security Surveillance Pas
swords Auditing Access rights Standard system
attacks Viruses
4
External Security


Protection from environmental damage such as
floods, earthquakes, and heat. Physical security
such as locking rooms, locking down computers,
keyboards, and other devices. Electrical
protection from power surges. Electromagnetic
noise protection from placing computers away from
devices that generate electromagnetic
interference.
5
Operational Security


Deciding who has access to what. Limiting time of
day access. Limiting day of week access. Limiting
access from a location, such as not allowing user
to use a remote login during certain periods or
any time.
6
Passwords and ID Systems

  • Passwords - common form of security and most
    abused.
  • Rules for safe passwords include
  • Change your password often.
  • Password - minimum 8 characters, mixed symbols.
  • Dont share passwords or write them down.
  • Dont select names and familiar objects as
    passwords.

7
Passwords and ID Systems

  • Many new forms of passwords are emerging
    (biometrics)
  • Fingerprints
  • Face prints
  • Retina scans and iris scans
  • Voice prints
  • Ear prints

8
Auditing as Security


Creating computer or paper audit can help detect
wrongdoing. Auditing can also be used as a
deterrent. Many network operating systems allow
administrator to audit most types of transactions.
9
Auditing as Security, contd
  • Manual audits can be done by either internal or
    external personnel.
  • Manual audits severe to verify effectiveness of
    policy development and implementation, and extent
    of security in overall corporate security policy.
  • Automated audits depend on software able to
    assess weaknesses of network security and
    security standards.

10
Auditing as Security, contd
  • Some automated audit tools are able to analyze
    network for vulnerabilities and make
    recommendations
  • Other tools merely capture events so that
    security people can figure out who did what and
    when after security breach has occurred.

11
Auditing as Security, contd
  • Security probes test various aspects of
    enterprise network security and report results
    and suggest improvements.
  • Intrusion detection systems test perimeter of
    enterprise network through dial modems, remote
    access servers, web servers, or Internet access.
  • Network based intrusion detection systems use
    network traffic probes distributed throughout
    network to identify traffic patterns that may
    indicate some type of attack may be underway

12
Access Rights as Security

Two basic questions to access rights who and
how? Who do you give access rights to? No one,
group of users, entire set of users? What level
of access does a user or group of users get?
Read, write, delete, print, copy,
execute? Procedures set to remove people who
leave or transfer. Most network OS have method
system for assigning access rights.

13
SECURITY POLICY DEVELOPMENT LIFE CYCLE
  • SPDLC is depicted as cycle since evaluation
    processes validate the effectiveness of original
    analysis stages.
  • Next slide shows SDLC.
  • Look at this slide as management tool of steps
    that have to be taken.

14
Security Policy Development Life Cycle
15
Security Requirements Assessment
  • Start research by finding out if your friends in
    field can give you manuals of what they have
    done.
  • Define needs requirements for users in
    organization.
  • Security refers to restrictions of information
    upon users, and responsibilities of users for
    implementation and enforcement.

16
Scope and Feasibility of Studies
  • Define scope of security study.
  • Realize that there is a balance between security
    and productivity.
  • Optimal balance will protect resources while not
    impacting on worker productivity.

17
Security vs. Productivity Balance
18
Assets, Threats, and Risks
  • Security methodologies have major steps
  • Identify assets includes hardware, software,
    and media used to store data.
  • Identify threats anything that can pose a
    danger to assets.
  • Identify vulnerabilities potential problems in
    security system

19
Assets, Threats, and Risks
  • Security methodologies- continued
  • Consider risks probability of successfully
    attacking particular asset
  • Identify risk domains groups of network systems
    sharing common functions and common elements of
    exposure.
  • Take protective measures Virus protection,
    firewalls, authentication, encryption

20
Firewalls, contd


System or combination of systems that supports an
access control policy between two
networks. Firewall can limit types of
transactions that enter system, as well as types
of transactions that leave system. Firewalls can
be programmed to stop certain types or ranges of
IP addresses, as well as certain types of TCP
port numbers (applications).
21
Firewalls


22
Firewalls, contd


Packet filter firewall - essentially router that
has been programmed to filter out or allow in
certain IP addresses or TCP port numbers. Proxy
server - more advanced firewall that acts as
doorman into corporate network. Any external
transaction that requests something from
corporate network must enter through proxy
server. Proxy servers are more advanced but make
external accesses slower.
23
Proxy Server


24
Attack Strategies
  • Attack strategies concentrate on weaknesses of
    specific systems.
  • Two servers communicating with TCP set up three
    step exchange of address and confirmation.

25
Attack Strategies, contd
  • Following attack strategies take negative
    advantage of three step exchange
  • Denial of service attack hacker floods server
    with request to connect to non-existent servers
  • Land attack hacker substitutes targeted
    servers own address as address of server
    requesting connection

26
Guarding Against Viruses


Signature-based scanners look for particular
virus patterns or signatures and alert
user. Terminate-and-stay-resident programs run in
background constantly watching for viruses and
their actions. Multi-level generic scanning is
combination of antivirus techniques including
intelligent checksum analysis and expert system
analysis.
27
Standard System Attacks, contd


Denial of service attacks - bombard computer site
with many messages site is incapable of answering
valid requests. e-mail bombing - user sends an
excessive amount of unwanted e-mail. Smurfing -
technique in which program attacks network by
exploiting IP broadcast addressing
operations. Ping storm - Internet Ping program is
used to send flood of packets to server.
28
Standard System Attacks, contd


Spoofing - user creates packet that appears to be
something else or from someone else. Trojan Horse
- malicious piece of code hidden inside seemingly
harmless piece of code. Stealing, guessing, and
intercepting passwords is also tried and true
form of attack.
29
Web Specific Attack Strategies
  • Minimizing web attacks requires using following
    techniques
  • Eliminate unused user accounts and default
    accounts (Guest)
  • Remove/disable unused services such as FTP,
    Telnet, etc.
  • Remove unused Unix command shells and interpreters

30
Web Specific Attack Strategies contd
  • Properly set permission levels on files and
    directories
  • Stay up to date with current attack strategies,
    and defenses.
  • Beware of Common Gateway Interface programs
    extracting web server password files. Take
    corrective measures.

31
Management Role and Responsibility
  • Executive responsibilities
  • Set Security Policy of the Organization
  • Allocate sufficient resources staff, funding,
    etc.
  • Information is corporate resource
  • Assign responsibility for protecting information
    resources
  • Require computer security training for staff

32
Management Role and Responsibility, contd
  • Hold employees responsibility for corporate
    resources in their care
  • Audit (internal and external) corporate security
  • Follow through with penalties for violations of
    corporate security

33
Management Role and Responsibility, contd
  • Management responsibility
  • Assess responsibilities in your corporate
    security area
  • Assess balance between security and productivity
  • Assess vulnerabilities with your area of
    responsibility
  • Adhere and enforce corporate policies

34
Policy Development Process
  • Establish processes and policies
  • Be sure affected user groups are represented on
    policy development task force.
  • Emphasis should be on corporate wide awareness
    relating to importance of protecting corporate
    information and network access.

35
Policy Implementation Process
  • Having been included in policy development
    process, users are expected to support policies
  • User responsibilities
  • Protect data you have
  • Corporate resources are property of company

36
Policy Implementation Process
  • Continued
  • Inform supervisor of suspicious actions, or
    people
  • Never share your passwords
  • Choose password that is impossible to discover
  • Log off before leaving your computer
  • Lock up sensitive material backups
  • Backup important data

37
Policy Implementation Process, contd
  • Policy implementation should force changes in
    peoples behaviors, which can cause resistance
  • Use appropriate technology and associated
    processes to execute policy.
  • Security architectures imply security solutions
    have been predefined for given corporations
    variety of computing and network platforms.

38
Policy Implementation Process, contd
  • If users involvement was substantial during
    policy development stage and if buy-in was
    assured at each stage of policy development,
    then process stands better chance of succeeding.

39
VIRUS PROTECTION
  • Comprehensive protection plan must combine
    policy, people, processes, and technology to be
    effective.
  • Virus - describes computer program that gains
    access to computer system or network with
    potential to disrupt normal activity of that
    system or network.

40
VIRUS PROTECTION, contd
  • Viruses triggered by passing of certain date or
    time is referred to as time bombs whereas viruses
    that require certain event to transpire are known
    as logic bombs.
  • Trojan horse - actual virus is hidden inside
    program and delivered to target system or network
    to be infected.

41
ANTIVIRUS STRATEGIES
  • Effective antivirus policies and procedures must
    first focus on use and checking of
    diskettes/files.
  • Antivirus strategies
  • Identify vulnerabilities
  • Keep antivirus updated

42
ANTIVIRUS STRATEGIES, contd
  • Antivirus strategies, continued
  • Install virus scanning software
  • Non employees should be prohibited from
    installing laptops to system.
  • Install virus scanning software on commonly used
    laptops
  • Write protect diskettes with .exe, .com files

43
Collaborative Software Infection/Reinfection Cycle
44
ANTIVIRUS TECHNOLOGIES
  • Virus scanning is primary method for successful
    detection and removal.
  • Emulation technology - detect unknown viruses by
    running programs with software emulation program
    known as a virtual PC. Execution program can be
    examined in environment for symptoms of viruses.
  • Advantage of such programs is they identify
    potentially unknown viruses based on behavior
    rather than by relying on natures of known
    viruses.

45
ANTIVIRUS TECHNOLOGIES, contd
  • CRC checkers or hashing checkers creates and
    saves unique cyclical redundancy check character
    each file to be monitored. Each time that file
    is subsequently saved, new CRC is checked against
    the reference CRC.
  • If CRCs do not match, then file has been changed.
    Shortcoming of technology - only able to detect
    viruses after infection.
  • Active control monitors is able to examine
    transmissions from Internet in real time and
    identify known malicious content based on
    contents of definition libraries.

46
Virus Infection Points of Attack and Protective
Measures
47
FIREWALLS
  • To prevent unauthorized access from Internet into
    companys confidential data, specialized software
    known as firewall is often deployed.
  • Firewall software usually runs on dedicated
    server that is connected to, but outside of,
    corporate network.
  • All network packets entering firewall are
    filtered, or examined, to determine whether or
    not those users have authority to access
    requested files.

48
Firewall Architecture
  • Difficulty with firewalls is there are no
    standards for firewall functionality,
    architectures, or interoperability.
  • Firewall architecture
  • 1. Packet filtering
  • 2. Application gateway
  • 3. Internet firewalls

49
PACKET FILTERING
  • Packets of data on Internet are identified by
    source address of computer that issued message
    and destination address of Internet server.
  • Filter - program that examines source address and
    destination address of incoming packet to
    firewall server.
  • Filter tables - lists of addresses whose data
    packets and embedded messages are either allowed
    or prohibited from proceeding through the
    firewall.
  • Filter tables can limit access of certain IP
    addresses to certain directories.

50
PACKET FILTERING, contd
  • Filtering time introduces latency to overall
    transmission time.
  • Packet filter gateways can be implemented on
    routers. Existing piece of technology can be used
    for dual purposes.
  • Packet filters can be breached by hackers in
    technique known as IP spoofing.
  • If hacker can make packet appear to come from an
    unauthorized or trusted IP address, then it can
    pass through firewall.

51
Application Gateways
  • Also called application level filters
  • Port level filters determine legitimacy of party
    asking for information, application level filters
    assures validity of what they are asking for.
  • Application level filters examine entire request
    for data rather than source and destination
    addresses.

52
Application Gateways, contd
  • Application gateways are concerned with what
    services or applications message is requesting in
    addition to who is making request.
  • Once legitimacy of request has been established,
    only proxy clients and servers actually
    communicate with each other.

53
Packet Filters and Application Gateways
54
Proxies, Trusted Gateways, and Dual-Homed Gateways
55
INTERNET FIREWALLS
  • Category of software known as internal firewalls
    has begun to emerge.
  • Internal firewalls include filters that work on
    data link, network, and application layers to
    examine communications that occur only on a
    corporations internal network, inside reach of
    traditional firewall.
  • Internal firewalls act as access control
    mechanisms, denying access to applications user
    does not have specific access approval.

56
Authentication and Access Control
  • Authentication products break down into three
    overall categories
  • What you know - single sign-on (SSO) access to
    multiple network attached servers and resources
    via passwords.
  • What you have - requires user to posses type of
    smart card or token authentication device to
    generate single use passwords.
  • What you are - validates users based on physical
    characteristic, i.e. fingerprints, hand geometry,
    or retinal scans.

57
Token Authentication
  • Provides one-time use session passwords
    authenticated by associated server software.
  • Hardware based smart cards are about size of
    credit card with or without numeric keypad.
  • In-line token authentication devices connect to
    serial port of computer for dial-in
    authentication through modem.
  • Software tokens are installed on the client PC
    and authenticated with server portion of token
    authentication product transparently to end user.

58
Challenge-response token authentication
  • Challenge-response token authentication involves
    following steps
  • User enters an assigned user ID and password at
    client.
  • Token authentication server software returns
    numeric string known as challenge.
  • Challenge number and PIN are entered on smart
    card.

59
Challenge-response token authentication, contd
  • Smart card displays response number on LCD
    screen.
  • Response number is entered on client workstation
    and transmitted back to token authentication
    server.
  • Token authentication server validates response
    against expected response from user and this
    particular smart card.

60
Challange-Response vs. Time-Synchronous Token
Authentication
61
Biometric Authentication
  • Biometric authentication can authenticate users
    based on fingerprints, palm prints, retinal
    patterns, voice recognition, or other physical
    characteristics.
  • Biometric authentication devices require valid
    users first register by storing copies of
    fingerprints, voice, or retinal patterns in
    validation database.

62
Authorization vs. Authentication
  • Authorization is concerned with assuring that
    properly authorized uses are able to access
    particular network resources.
  • Authentication - ensures that only legitimate
    users are able to log into network.

63
KERBEROS
  • Kerberos combination of authentication and
    authorization software.
  • Kerberos architecture consists of three key
    components
  • Kerberos client software
  • Kerberos authentication server software
  • Kerberos application server software

64
Kerberos Architecture
65
KERBEROS, contd
  • Kerberos must communicate directly with
    application.
  • Kerberos enforces authentication and
    authorization through use of ticket based system.
    Encrypted ticket is issued for sever to client
    session and is valid for preset amount of time.
  • From network analysts perspective, concern is
    centered on amount of network bandwidth consumed
    by addition of Kerberos security.

66
Basic Encryption and Decryption Techniques


Cryptography - creating and using encryption and
decryption techniques. Plaintext - data before
any encryption has been performed. Ciphertext -
data after encryption has been performed. Key is
unique piece of information used to create
ciphertext and decrypt ciphertext back into
plaintext.
67
Encryption/Decryption


68
Ciphers
  • A few ciphers to be examined
  • Monoalphabetic Substitution-based Ciphers
  • Polyalphabetic Substitution-based Ciphers
  • Transposition-based Ciphers

69
Monoalphabetic Substitution-based Ciphers


Monoalphabetic substitution-based ciphers replace
character or characters with different character
or characters, based upon some key. Replacing abc
defghijklmnopqrstuvwxyz With POIUYTREWQLKJHGFDSA
MNBVCXZ The message how about lunch at
noon encodes into EGVPO GNMKN HIEPM HGGH
70
Polyalphabetic Substitution-based Ciphers


Similar to monoalphabetic ciphers except multiple
alphabetic strings are used to encode the
plaintext. For example, matrix of strings, 26
rows by 26 characters or columns can be used. Key
such as COMPUTERSCIENCE is placed repeatedly over
the plaintext. COMPUTERSCIENCECOMPUTERSCIENCECOMPU
TER thisclassondatacommunicationsisthebest
71
Polyalphabetic Substitution-based Ciphers


To encode the message, take the first letter of
the plaintext, t, and the corresponding key
character immediately above it, C. Go to row C
column t in the 26x26 matrix and retrieve the
cipher text character V. See next slide for 26 x
26 matrix. Continue with other characters in
plaintext.
72
26 x 26 Cipher Character Matrix


73
Transposition-based Ciphers


In transposition-based cipher, order of plaintext
is not preserved. As simple example, select key
such as COMPUTER. Number letters of word COMPUTER
in order they appear in alphabet. 1 4 3 5 8 7 2
6 C O M P U T E R
74
Transposition-based Ciphers, contd


Transposition-based Ciphers Now take the
plaintext message and write it under the key. 1 4
3 5 8 7 2 6 C O M P U T E R t h i s i s t h e b e
s t c l a s s i h a v e e v e r t a k e n
75
Transposition-based Ciphers, contd


Then read ciphertext down the columns, starting
with the column numbered 1, followed by column
number 2. TESVTLEEIEIRHBSESSHTHAENSCVKITAA
76
Public Key Cryptography and Secure Sockets Layer

Powerful encryption technique in which two keys
are used first key (public key) encrypts message
while second key (private key) decrypts
message. Not possible to deduce one key from
other. Not possible to break code given public
key. If you want someone to send you secure data,
give them your public key, you keep private
key. Secure sockets layer on Internet is common
example of public key cryptography.

77
Public Key Infrastructure


Combination of encryption techniques, software,
and services that involves all necessary pieces
to support digital certificates, certificate
authorities, and public key generation, storage,
and management. Digital certificate is an
electronic document, similar to passport, that
establishes your credentials when you are
performing transactions.
78
Public Key Infrastructure, contd


Digital certificate contains your name, serial
number, expiration dates, copy of your public
key, and digital signature of certificate-issuing
authority. Certificates are usually kept in
registry so other users may check them for
authenticity.
79
Public Key Infrastructure, contd


Certificates are issued by certificate authority
(CA). CA is either specialized software on
company network or trusted third party. Lets say
you want to order something over Internet. Web
site wants to make sure you are legitimate, so
web server requests your browser to sign order
with your private key (obtained from your
certificate).
80
Public Key Infrastructure, contd


Web server then requests your certificate from
third party CA, validates that certificate by
verifying third partys signature, then uses that
certificate to validate signature on your
order. User can do same procedure to make sure
web server is not bogus operation. Certificate
revocation list is used to deactivate users
certificate.
81
Public Key Infrastructure, contd

  • Applications that could benefit from PKI
  • World Wide Web transactions
  • Virtual private networks
  • Electronic mail
  • Client-server applications
  • Banking transactions

82
Triple-DES


More powerful data encryption standard. Data is
encrypted using DES three times the first time
by first key, second time by second key, and
third time by first key again. (Can also have 3
unique keys.) While virtually unbreakable,
triple-DES is CPU intensive. With more smart
cards, cell phones, and PDAs, a faster (and
smaller) piece of code is highly desirable.
83
Advanced Encryption Standard (AES)


Selected by U.S. government to replace
DES. National Institute of Standards and
Technology selected the algorithm Rijndael
(pronounced rain-doll) in October 2000 as basis
for AES. AES has more elegant mathematical
formulas, requires only one pass, and was
designed to be fast, unbreakable, and able to
support even smallest computing device.
84
Advanced Encryption Standard (AES)


Key size of AES 128, 192, or 256 bits. Estimated
time to crack (assuming a machine could crack a
DES key in 1 second) 149 trillion years. Very
fast execution with very good use of
resources. AES should be widely implemented by
2004.
85
ENCRYPTION
  • Encryption - changing of data into indecipherable
    form before transmission.
  • Decryption - changing unreadable text back into
    its original form.
  • Types of encryption
  • DES-Private Key
  • RSA Public key
  • Digital signature
  • Key Management Alternatives

86
DES Private Key Encryption
  • Decrypting device must use same algorithm to
    decode or decrypt data as encrypting device used
    to encrypt data.
  • DES allows encryption devices manufactured by
    different firms to interoperate successfully.
  • Encryption key customizes commonly known
    algorithm to prevent anyone without private key
    from decrypting documents.

87
RSA Public Key Encryption
  • Public key - combines usage of both public and
    private keys.
  • In public key encryption, sensing encryption
    device encrypts document using intended
    recipients public key and originating partys
    private key.
  • To decrypt the document, receiving
    encryption/decryption device must be programmed
    with intended recipients own private key and
    sending partys public key.

88
Digital Signature Encryption
  • Digital signature encryption - electronic means
    of guaranteeing authenticity of sending party and
    assurance that encrypted documents have not been
    altered during transmission.
  • Original document is processed by hashing program
    to produce a mathematical string unique to exact
    content of original document.
  • Unique mathematical string is encrypted using
    originators private key.
  • Encrypted digital signature is appended to and
    transmitted with encrypted original document.

89
Digital Signature Encryption, contd
  • To validate authenticity of received document,
    recipient uses public key associated with
    apparent sender to regenerate digital signature
    from received encrypted document.
  • Transmitted digital signature is compared by
    recipient to regenerated digital signature
    produced by using public key and received
    document.

90
Private, Public, and Digital Signature
Encryption
91
Key Management Alternatives
  • Key Management - Before computers can communicate
    in secure manner, they must be able to agree on
    encryption and authentication algorithms and
    establish keys.
  • Standards for key management
  • ISAKMP (Internal Security Association and Key
    Management Protocol) from IETF. Largely replaced
    by IKE (Internet Key Exchange).
  • SKIP (Simple Key Management for IP)

92
Key Management Alternatives, contd
  • Public key dissemination must be managed so users
    are assured public keys received are actually
    public keys of companies or organizations they
    are alleged to be.
  • Public key infrastructures that link user to are
    implemented through use of server based software
    known as certificate services.
  • Certificate server software supports encryption
    and digital signatures while flexibility
    supporting directory integration, multiple
    certificate types, and variety of request
    fulfillment options.

93
Digital Signatures


Document to be signed is sent through complex
mathematical computation that generates
hash. Hash is encoded with owners private
key. To prove future ownership, hash is decoded
using owners public key and hash is compared
with current hash of document. If two hashes
agree, document belongs to owner. U.S. has just
approved legislation to accept digitally signed
documents as legal proof.
94
Applied Security Scenarios
  • Install only software/hardware need.
  • Allow only essential traffic into/out of network.
    Eliminate other traffic by blocking with routers
    or firewalls.
  • Investigate outsourcing web-hosting services so
    corporate web server is not physically on same
    network as rest of corporate information assets.
  • Use routers to filter traffic by IP addresses.

95
Applied Security Scenarios, contd
  • Make sure router OS software has been patched to
    prevent attacks by exploiting TCP
    vulnerabilities.
  • Identify information assets most critical to
    corporation, and protect those servers first.
  • Implement physical security constraints to hinder
    physical access to critical resources such as
    servers.

96
Applied Security Scenarios, contd
  • Develop effective, and enforceable security
    policy. Monitor its implementation and
    effectiveness.
  • Consider installing proxy server or application
    layer firewall.
  • Block incoming DNS queries and requests for zone
    transfers.
  • Disable all TCP ports and services not essential
    so hackers are not able to exploit and use
    services.

97
Integration with Information Systems and
Application Development
  • Authentication products must be integrated with
    existing information systems and applications
    development efforts.
  • APIs (Application Program Interfaces) are means
    by which authentication products are able to
    integrate with client/server applications.
  • Application development fits combine an
    application development language with supported
    APIs.

98
Remote Access Security
  • Protocol and associated architecture known as
    remote authentication dial-in user (RADIUS)
    offers potential to enable centralized management
    of remote access users and technology.
  • RADIUS enables communication between following
    three tiers of technology
  • Remote access devices such as remote access
    servers and token authentication technology from
    variety of vendors.
  • Enterprise databases that contain authentication
    and access control information.
  • RADIUS authentication server.

99
RADIUS
100
Remote Access Security, contd
  • RADIUS allows network managers to centrally
    manage remote access users, access methods, and
    logon restrictions.
  • RADIUS allows centralized auditing capabilities
    such as keeping track of volume of traffic sent
    and amount of time on-line.
  • For authentication, it supports password
    authentication protocol (PAP), challenge
    handshake authentication protocol (CHAP), and
    SecurID token authentication.

101
Password Authentication Protocol (PAP),
  • PAP is designed for dial in communication.
  • PAP repeatedly sends user ID and password to
    authenticating system in clear text pairs until
    it is acknowledged or connection is dropped.

102
Challenge Handshake Authentication Protocol (CHAP)
  • CHAP provides secure means for establishing dial
    in communication.
  • CHAP uses three-way challenge or handshake that
    includes user ID, password, and key encryption
    for ID and password.
  • Problem with system is some mechanism must be in
    place for both receiver and sender to know and
    have access to key.

103
E-Mail, Web, and Internet/Intranet Security
  • Two primary standards for encrypting traffic on
    the WWW
  • S-HTTP (Secure Hypertext Transport Protocol)
    secure version of HTTP requires both client and
    server S-HTTP versions to be installed for secure
    end-to-end encrypted transmission.
  • SSL SSL is described as wrapping an encrypted
    envelope around HTTP transmissions. SSL is
    connection-level encryption method providing
    security to network link itself.

104
E-Mail, Web, and Internet/Intranet Security,
contd
  • Secure Courier and is offered by Netscape.
  • Secure Courier is based on SSL and allows users
    to create a secure digital envelope for
    transmission of financial transactions over
    Internet.

105
E-Mail, Web, and Internet/Intranet Security,
contd
  • Additional forms of security are
  • PCT
  • PEM
  • PGP
  • SET
  • S/MIME
  • Virtual Private Network Security

106
Private Communications Technology (PCT)
  • Microsofts version of SSL
  • PCT supports secure transmissions across
    unreliable (UDP rather TCP based) connections by
    allowing decryption of transmitted records
    independently from each other, as transmitted in
    individual datagrams.
  • Targeted primarily toward on-line commerce and
    financial transactions

107
Privacy Enhanced Mail (PEM)
  • PEM - encryption technique for e-mail use on
    Internet used in association with SMTP (Single
    Mail Transport Protocol).
  • PEM was designed to use both DES and RSA
    encryption techniques, but it would work with
    other encryption algorithms as well.

108
Pretty Good Privacy (PGP)
  • An Internet e-mail specific encryption standard
    that also uses digital signature encryption to
    guarantee the authenticity, security, and message
    integrity
  • PGP over-comes inherent security loopholes with
    public/private key security schemes by
    implementing Web of trust in which e-mail users
    electronically sign each others public keys to
    create an interconnected group of key users.

109
Secure Electronic Transactions (SET)
  • SET - series of standards to assure
    confidentiality of electronic commerce
    transactions.
  • Standards are becoming promoted by credit card
    giants VISA and MasterCard.
  • A single SET compliant electronic transaction
    could require as many as six cryptographic
    functions, taking from one-third to one-half of
    second on high-powered UNIX workstation.
  • An important aspect of SET standards is
    incorporation of digital certificates or DIgital
    IDs

110
Secure Multipurpose Internet Mail Extension
(S/MIME)
  • S/MEME secures e-mail in e-mail applications that
    have been S/MEME enabled.
  • S/MEME enables different e-mail systems to
    exchange encrypted messages and encrypt
    multimedia as well as text based e-mail.

111
Virtual Private Network (VPN) Security
  • To provide virtual private networking
    capabilities using the Internet as an enterprise
    network backbone, specialized tunneling protocols
    needed to be developed that could establish
    private, secure channels between connected
    systems.
  • Two rival standards are examples of such
    tunneling protocols
  • Microsofts point-to-point tunneling protocol
    (PPTP)
  • Ciscos layer two forwarding (L2F)

112
Virtual Private Network (VPN) Security, contd
  • Unification of two rival standards is known as
    layer 2 tunneling protocol (L2TP).
  • One shortcoming of proposed specification is that
    it does not deal with security issues such as
    encryption and authentication.
  • Next slide illustrates use of tunneling protocols
    to build VPN using Internet as enterprise network
    backbone.

113
Tunneling Protocols Enable Virtual Private
Networks
114
Virtual Private Network (VPN) Security, contd
  • IPsec - protocol that ensures encrypted
    communications across Internet via VPN through
    use of manually exchange.
  • IPsec supports only IP-based communications.
  • IPsec is standard that should enable
    interoperability between firewalls supporting
    protocol.

115
PPTP
  • PPTP is essentially tunneling protocol that
    allows managers to choose whatever encryption or
    authentication technology they wish to hang off
    either end of the established tunnel.
  • PPTP Microsoft tunneling protocol specific to
    Windows NT and remote access servers.
  • PPTP concerned with secure remote access in that
    PPP-enabled clients would be able to dial into
    corporate network by Internet.

116
Enterprise Network Security
  • To maintain proper security over widely
    distributed enterprise network, it is essential
    to be able to conduct certain security-related
    processes from single, centralized security
    management location.

117
Enterprise Network Security, contd
  • Among these processes or functions are
  • Single point of registration (SPR) allows
    network security manager to enter new user (or
    delete terminated user) from single centralized
    location and assign all associated rights,
    privileges, etc.
  • Single sign-on (SSO) also sometimes known as
    secure single sign-on (SSSO), allows users to log
    into enterprise network and be authenticated from
    client PC location.

118
Enterprise Network Security, contd
  • Single access control view allows users access
    from client workstation to only display resources
    user actually has access too.
  • Security auditing and intrusion detection is able
    to track and identify suspicious behaviors from
    both internal employees and potential intruders.
    Detection and response to such events must be
    controlled from centralized security management
    location.

119
Government Impact
  • Government agencies play major role in area of
    network security.
  • Two primary functions of government agencies are
  • Standards making organizations that set standards
    for the design, implementation, and certification
    of security technology and systems.
  • Regulatory agencies that control export of
    security technology to companys international
    locations.
Write a Comment
User Comments (0)
About PowerShow.com