Addressing Network Security Issues - PowerPoint PPT Presentation

Slides: 31
Provided by: felixwufe
Learn more at: http://www.oit.umd.edu
Transcript and Presenter's Notes

1
Addressing Network Security Issues
  • Not A Second Too Early

Fengmin Gong
Advanced Networking Research, MCNC
www.mcnc.org/HTML/ITD/ANR/ANR.html
January 12, 1999
2
The Message...
  • Security issues can no longer be ignored
  • Network security issues are critical to every
    information infrastructure
  • There are short-term and long-term solutions, but
    all are important
  • Integrated approaches must be taken in order to
    be successful

3
Security & Security Attacks
  • Security is a state of well-being of information
    and infrastructures in which the possibility of
    successful yet undetected theft, tampering,
    and disruption of information and services is
    kept low
  • A security attack is any action that threatens
    this state of well-being

4
Where Is Our Network Going?
  • More bandwidth - DWDM, 128xOC-192
  • More sophisticated services - guaranteed QoS,
    RSVP/DiffServ, UNI4.0/PNNI
  • More integrated service capabilities -
    E-commerce, voice/video over IP and/or ATM
  • More ubiquitous access - ADSL, Cable modem, WLAN,
    LEOS constellations
  • Better (killer?) application-enabling
    technologies - WWW

5
Security Implications?
  • Abundant vulnerabilities - weak design,
    feature-rich implementation, compromised
    components
  • Heterogeneous networking technologies add to
    security complexity
  • Higher-speed communication puts more info at risk
    in a given time period
  • Ubiquitous access increases risk exposure

6
Consequence of Attacks
  • Theft of confidential information
  • Unauthorized use of
      • network bandwidth
      • computing resource
  • Spread of false information
  • Disruption of legitimate services
  • All attacks are related and dangerous!

7
Close-Knit Attack Family
[Diagram relating passive and active attacks; labels:]
  • Passive attacks: sniff for content; traffic analysis - who is talking
  • Active attacks: jam/cut it; capture & modify; pretend ("I need to be Bill")
  • Links between attacks: re-target; who to impersonate
8
Security Mechanisms
  • Security mechanisms implement functions that help
    prevent, detect, and respond to security attacks
  • Security functions are typically made available
    to users as a set of security services through
    APIs or integrated interfaces
  • Cryptography underlies all security mechanisms

9
Type Of Security Services
  • Confidentiality - protection of any information
    from being exposed to unintended entities
      • information content
      • identity of parties involved
      • where they are, how they communicate, how often
        etc.

10
Security Services - contd
  • Authentication - assurance that an entity of
    concern or the origin of a communication is
    authentic - it's what it claims to be or from
  • Integrity - assurance that the information has not
    been tampered with
  • Nonrepudiation - offer of evidence that a party is
    indeed the sender or a receiver of certain
    information

11
Security Services - contd
  • Access control - facilities to determine and
    enforce who is allowed access to what resources,
    hosts, software, network connections etc.
  • Detection & Response - facilities for detecting
    security attacks, generating indications/warning,
    and recovering from attacks

12
Security Services - contd
  • Security management - facilities for coordinating
    service requirements, mechanism implementations,
    and operation, throughout enterprises and across
    the internetwork
      • security policy
      • trust model - representation & communication
      • trust management - trust relationship & risk
        assessment

13
Known vulnerabilities are too many and new
vulnerabilities are being discovered every day!
14
Mail-Related Vulnerabilities
  • Anonymous email via UNIX sendmail program talking
    SMTP (mail gateway hijack)
  • Unauthorized access using UNIX /bin/mail -d to
    steal others' mailboxes or gain root privilege
  • Long named attachment exploit in Microsoft's
    Outlook & Outlook Express 98 and Netscape Mail
    (Communicator 4.05)

15
IP Spoofing & SYN Flood
  • X establishes a TCP connection with B assuming
    A's IP address

[Diagram: hosts A and B, attacker X; numbered steps:]
  (1) SYN Flood
  (2) predict B's TCP seq. behavior
  (3) SYN(seq=m), src=A
  (4) SYN(seq=n) ACK(seq=m+1)
  (5) ACK(seq=n+1)
16
Smurf Attack
  • Generate ping stream (ICMP Echo Req) to a network
    broadcast address with a spoofed source IP set to
    a victim host
  • Every host on the ping target network will
    generate a ping reply (ICMP Echo Reply) stream,
    all towards the victim host
  • Amplified ping reply stream can easily overwhelm
    the victim's network connection
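
Added example (not part of the original slides): one way a defender could spot the pattern described above in ICMP flow records, both at the amplifying network (Echo Requests sent to a broadcast address) and at the victim (Echo Replies from many hosts it never pinged). The record layout, function names, thresholds and addresses are assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP type numbers

def broadcast_pings(records, local_nets):
    """Amplifier side: Echo Requests addressed to a local broadcast address."""
    bcasts = {ip_network(n).broadcast_address for n in local_nets}
    return [r for r in records
            if r[3] == ECHO_REQUEST and ip_address(r[2]) in bcasts]

def smurf_victims(records, window=1.0, min_sources=4):
    """Victim side: hosts receiving Echo Replies from at least `min_sources`
    distinct hosts they never pinged, all within `window` seconds."""
    pinged = defaultdict(set)    # host -> peers it sent Echo Requests to
    replies = defaultdict(list)  # host -> [(time, replier)] unsolicited only
    for ts, src, dst, icmp_type in sorted(records):
        if icmp_type == ECHO_REQUEST:
            pinged[src].add(dst)
        elif icmp_type == ECHO_REPLY and src not in pinged[dst]:
            replies[dst].append((ts, src))
    victims = {}
    for host, events in replies.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= `window` s.
            while events[end][0] - events[start][0] > window:
                start += 1
            sources = {s for _, s in events[start:end + 1]}
            if len(sources) >= min_sources:
                victims[host] = max(victims.get(host, 0), len(sources))
    return victims

# Constructed records (time_s, src, dst, icmp_type); addresses are from the
# RFC 5737 documentation ranges, not real hosts.
SAMPLE = [
    (0.00, "192.0.2.20", "203.0.113.5", 8),     # ordinary ping
    (0.02, "203.0.113.5", "192.0.2.20", 0),     # its solicited reply
    (1.00, "192.0.2.10", "198.51.100.255", 8),  # spoofed source, broadcast dst
] + [(1.01 + i / 100, f"198.51.100.{i + 1}", "192.0.2.10", 0) for i in range(6)]

if __name__ == "__main__":
    print("broadcast pings:", broadcast_pings(SAMPLE, ["198.51.100.0/24"]))
    print("likely victims:", smurf_victims(SAMPLE))
```

The replies count as unsolicited because they arrive from individual unicast addresses, while the only request carrying the victim's address went to the broadcast address.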

17
DNS-Related Vulnerabilities
  • Reverse query buffer overrun in BIND Releases 4.9
    (4.9.7 & prior) and Releases 8 (8.1.2 & prior)
      • gain root access
      • abort DNS service
  • MS DNS for NT 4.0 (service pack 3 and prior)
      • crashes on chargen stream
      • telnet ntbox 19 telnet ntbox 53

18
Cryptographic Issues
  • Secure & efficient cryptographic algorithms
      • RC4, IDEA
      • RSA, DSA
  • Secure cryptographic key storage & usage
      • Crypto token / smart card
  • Secure & efficient key distribution
      • RSA based
      • Diffie-Hellman phonebook mode
      • Public key infrastructure

19
Design Issues - Positioning
  • How/where should security services be
    implemented?
      • Embedding in network protocols only, e.g., IPSEC,
        SSL/TLS, or DNS-SEC
      • Integrating into every application, e.g., SSH,
        PGP or PEM
      • Implemented in a separate service API, GSS-API or
        Crypto API
      • Combinations of all above

20
Design Issues - Trust
  • Authentication underlies any trust
  • You have a certain level of trust and expectation
    for a given entity (person, organization)
  • Authenticity gives assurance for the relationship
    between the object of concern and an entity
  • Authenticity also serves as legal evidence of
    such relationship between the object and the
    entity

21
Design Issues - Third-Party Mediation
  • Mediator helps to reduce the complexity of
    cold-start trust relationship from order n^2 to
    n
  • Third-party reference - CA or KDC
      • Trusted by all as a witness
      • Issues certificate/ticket for
        object/entity/capability bindings

22
Specific Roadblocks
  • Fast & efficient algorithms
  • Security vs. speed tradeoff
  • RSA <secure, flexible, slow> vs. DES <less
    secure, less flexible, fast>
  • Fine granularity authentication is not affordable
    (protection vs. speed tradeoff)
  • Integrity protection for multi-part structured
    messages?
  • Ubiquitous service availability
  • Dynamic key distribution requires
    authenticity/integrity services

23
Network Specific Security Issues
  • Attack channel - network-borne!
  • Attack targets - network management/control
    information
  • Theft of service
  • Theft of user data
  • Injection of disrupting data/control packets
  • Interception and modification of data/control
    packets
  • Compromising network entities, routers & switches

24
Best Approaches to Protect Information
Infrastructure?
  • Prevention - the best medicine
      • System and protocol designs contain no security
        vulnerabilities
      • Implementations verifiably secure with respect to
        the design spec
      • No bugs in either hardware or software
      • All systems are properly configured to avoid any
        security holes
      • Everyone practices secure networking...

25
Best Approaches to Protect Information
Infrastructure...
  • Effective prevention remains a nice dream
  • Detection - the first step to protection when a
    security breach happens
      • breaches due to hardware and software failures
        (faults and bugs)
      • breaches due to user error (system administrator
        and end user etc.)
      • breaches caused by malicious attackers

26
Best Approaches to Protect Information
Infrastructure...
  • Response - Yes, we've got to do something!
      • source isolation
      • intrusion containment
      • damage control
      • system reconstitution
      • intention and trend analysis
      • system security (re)assessment
      • detection & response reconfiguration
      • system hardening

27
Circle of Security Continues...
28
Network Security Areas...
There are many security attacks that will not be
detectable without coordination involving end
applications and network nodes - global
coordination and integrated mechanisms!
29
State-Of-The-Art
  • Virus detection - very good success
  • Application with integrated privacy protection
      • PGP, SSH, Netscape browser, sftp
  • Access or boundary control
      • Firewalls of all trades - effective mostly at
        stopping the ignorant & the novice, also annoying
        the innocent

30
State-Of-The-Art ...
  • Security infrastructure
      • Kerberos - effective for many enterprise needs
      • SNMPv3, GSS-API, DNS-SEC
      • IPSEC/ISAKMP/IPKI - far-reaching impact, very
        promising
  • Intrusion detection systems
      • Commercial systems - very good at detecting
        replayed known attacks but hopeless with new
        attacks
      • Standards (format/protocol) are lacking
      • Many active research efforts underway - DARPA/ITO,
        CIDF, IETF IDWG