Slide 1: SE571 Security in Computing
Chap 7: Security in Networks
Slide 2: This Chapter Examines…
Threats against networked applications, including denial of service, web site defacements, malicious mobile code, and protocol attacks
Controls against network attacks: physical security, policies, procedures, and other technical controls
SE571 Security in Computing Dr. Ogara
2
Slide 3: This Chapter Examines…
Firewalls: design, capabilities, limitations
Intrusion detection systems
Private e-mail: PGP and S/MIME
Slide 4: Research: Top 5 Network Security Threats for 2011
Users
Managed users
Employees/staff
Managed and unmanaged devices – laptops, smartphones
Unmanaged users
Guests
Contractors
Consultants
Business partners
(Source: Bradford Network, 2011)
Slide 5: Research: Top 5 Network Security Threats for 2011
Mobile device proliferation
Smartphone – different models/different companies
Tablets/iPads
EBook
IP everything – exponential growth in IP devices
Surveillance camera
Card readers
(Source: Bradford Network, 2011)
Slide 6: Research: Top 5 Network Security Threats for 2011
Consumerization of IT
Consumer markets driving IT
Personal devices growing rapidly and must be supported by IT
Virtualization
Server applications in private cloud
Virtual desktop in virtual environment
(Source: Bradford Network, 2011)
Slide 7: Research: Consumerization of IT Survey 2011
Study sponsored by Dell KACE
741 IT professionals participated
Employees using personal devices (87%)
Email
Calendar
CRM/ERP
Employees using Smartphone (80%)
Employees using personal PCs (69%)
https://www.kace.com/resources/Consumerization-of-IT-Survey-2011
Slide 8: Network Security
What are we protecting?
Why are we protecting?
What are assets?
What are threats?
What are the controls?
Slide 9: Network Assets
Network infrastructure
Application programs
Data
Slide 10: Network Threats
Interception
Eavesdropping
Passive wiretapping
Modification
Active wiretapping
Falsification
Compromise of authenticity
Denial of service
Slide 11: Network Controls
Firewalls
Intrusion detection systems
Secure email
Slide 12: Terminologies
Network – a collection of communicating hosts
Node – single computing system in a network
Link – connection between two hosts
Host – single computer in a network
A workstation - an end-user computing device, usually designed for a single user at a time
Slide 13: Terminologies
Topology - the way a network is configured, in terms of nodes and connections
Protocol – standard method for transmitting data and/or establishing communications between different devices
Protocol stack – a layered architecture for communications
Slide 14: Network
Slide 15: Protocols
Two popular protocol stacks for implementing networks
Open Systems Interconnection (OSI)
Transmission Control Protocol and Internet Protocol (TCP/IP)
Slide 16: OSI Model
Contains 7 layers
Layers represent the different activities that must be performed for actual transmission of a message
Slide 17: OSI Network Model
Slide 18: OSI Protocol Layer Levels
Slide 19: OSI Protocol Layer Levels
What happens when you send a message to yourfriend@somewhere.net?
Physical Layer
Data link
Network layer
Router sends message to destination router
Adds 2 headers (source and destination IP address)
Slide 20: OSI Protocol Layer Levels
Data link
Network Interface Card (NIC) provides physical address called MAC (Media Access Control) address
Two more headers added (source computer and router NIC address)
Structure is called a frame and contains destination MAC, source MAC and data
Slide 21: OSI Protocol Layer Levels
Data link
Slide 22: OSI Protocol Layer Levels
Network layer
Router sends message to destination router
Adds 2 headers (source and destination IP address) to data
These are called packets
Slide 23: TCP/IP Model
Common in most wide area network communications
Defined by protocols, not layers, although it is seen as 4 layers
Application
Transport
Internet
Physical
Slide 24: TCP/IP Model
It denotes two models although used as a single acronym
TCP implements a connected communications session on top of the more basic IP transport protocol
Slide 25: TCP/IP Model
Slide 26: TCP Protocol
Records and checks correct sequencing of packets
Retransmits missing or faulty packets
Provides a stream of correct data in proper order to the invoking application
Problem - retransmissions of faulty or missing packets take time and induce overhead
Slide 27: TCP Packet
Data structure
Includes a sequence number, an acknowledgment number for connecting the packets of a communication session, flags, and source and destination port numbers
Port – unique channel number by which computers can route their respective packets to each of them
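To make the fields on this slide concrete, here is an added Python example (not part of the original slides) that packs and parses the fixed 20-byte TCP header with the standard library's struct module and walks the three-way handshake, so the relationship between sequence and acknowledgment numbers and the SYN/ACK flags is visible. The port numbers, initial sequence numbers and payload are constructed sample values; the checksum is left at zero because a real stack computes it over a pseudo-header.

```python
import struct

# Fixed 20-byte TCP header (RFC 793), network byte order:
#   src port (16) | dst port (16) | seq (32) | ack (32) |
#   data offset (4) + reserved (6) + flags (6) packed as one 16-bit word |
#   window (16) | checksum (16) | urgent pointer (16)
TCP_HEADER = struct.Struct("!HHIIHHHH")

# Flag bits live in the low 6 bits of the offset/flags word
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Pack a header with no options (data offset = 5 words) and a zero checksum.
    Constructed test input only; a real stack fills in the checksum."""
    flag_word = 0
    for name in flags:
        flag_word |= FLAG_BITS[name]
    offset_and_flags = (5 << 12) | flag_word
    return TCP_HEADER.pack(src_port, dst_port, seq, ack, offset_and_flags, window, 0, 0)


def parse_tcp_header(segment):
    """Return the header fields plus the payload that follows the header."""
    if len(segment) < TCP_HEADER.size:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_flags, window, checksum, urg = TCP_HEADER.unpack_from(segment)
    header_len = (off_flags >> 12) * 4            # data offset is counted in 32-bit words
    if header_len < TCP_HEADER.size or header_len > len(segment):
        raise ValueError("invalid data offset")   # malformed offsets are a classic parser trap
    flags = sorted(name for name, bit in FLAG_BITS.items() if off_flags & bit)
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "header_len": header_len, "payload": segment[header_len:]}


def three_way_handshake(client_isn=1000, server_isn=5000):
    """Build and parse the three segments of a handshake on constructed ports.
    Each side's ack number is the other side's sequence number plus one."""
    segments = [
        build_tcp_header(51000, 443, client_isn, 0, ["SYN"]),                             # client -> server
        build_tcp_header(443, 51000, server_isn, client_isn + 1, ["SYN", "ACK"]),         # server -> client
        build_tcp_header(51000, 443, client_isn + 1, server_isn + 1, ["ACK"]) + b"GET",   # client -> server
    ]
    return [parse_tcp_header(s) for s in segments]


if __name__ == "__main__":
    for step in three_way_handshake():
        print(step["src_port"], "->", step["dst_port"], step["flags"],
              "seq", step["seq"], "ack", step["ack"], "payload", step["payload"])
```

The data-offset check matters in practice: a header that claims fewer than 5 words or more words than the segment contains is malformed, and a parser that trusts the field blindly will read outside the buffer.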
Slide 28: Internet Services
Slide 29: Local Area Networks (LAN)
Covers a small distance typically within a single building
Connects several small computers, such as personal computers, as well as printers and perhaps some dedicated file storage devices
Slide 30: Local Area Networks (LAN)
Slide 31: Wide Area Networks (WAN)
Single control – usually controlled by one organization
Covers a significant distance
Physically exposed
Examples: campus area networks, metropolitan area networks
Slide 32: What Makes a Network Vulnerable?
Anonymity
Anonymous attackers
Many points of attack—both targets and origins
Less rigorous security
Sharing
Complexity of system
Unknown perimeter – untrusted hosts in networks
Slide 33: Why do people attack networks?
Fame or recognition
Money and espionage
Organized crime
Advance an ideology
Slide 34: Network Vulnerabilities, Targets and Controls
What are the targets?
What are the vulnerabilities?
What are the controls?
Slide 35: Vulnerabilities that target precursors to attack
Port scan
Gives external picture – open doors
Standard ports or services running?
Social engineering
Use of social skills and personal interaction to get someone to reveal security-relevant information
Reconnaissance
OS and application fingerprinting
Slide 36: Control of vulnerabilities
Firewall
“Hardened” (self-defensive) applications
Programs that reply with only what is necessary
Intrusion detection system
Run as few services as possible
Slide 37: Control of vulnerabilities
Education, user awareness
Policies and procedures
Systems in which two people must agree to perform certain security-critical functions
Slide 38: Network vulnerabilities that target authentication failures
Impersonation
Guessing
Eavesdropping
Session hijacking
Spoofing
Man-in-the-middle attack
Slide 39: Control of vulnerabilities
Strong, one-time authentication
Virtual private network
Encrypted authentication channel
Education, user awareness
Virtual private network
Protocol analysis
Slide 40: Network vulnerabilities that target programming flaws
Buffer overflow
Addressing errors
Parameter modification, time-of-check to time-of-use errors
Server-side include
Cookies
Malicious active code: Java, ActiveX
Malicious code: virus, worm, Trojan horse
Slide 41: Control of vulnerabilities
Programming controls
Intrusion detection system
Personal firewall
Two-way authentication
Controlled execution environment
Signed code
Slide 42: Network vulnerabilities that target confidentiality
Protocol flaw
Malicious code: virus, worm, Trojan horse
Eavesdropping
Passive wiretap
Misdelivery
Exposure within network
Traffic flow analysis
Cookie
Slide 43: Control of vulnerabilities
Firewall
Encryption
Intrusion detection system
Controlled execution environment
Programming controls
Slide 44: Network vulnerabilities that target integrity
Protocol flaw
Impersonation
Active wiretap
Falsification of message
Noise
Website defacement
DNS attack
Slide 45: Control of vulnerabilities
Firewall
Encryption
Intrusion detection system
Controlled execution environment
Audit
Protocol analysis
Strong authentication
Error detection code
Honey pot
Slide 46: Network vulnerabilities that target availability
Protocol flaw
Transmission or component failure
DNS attack
Traffic redirection
Distributed denial of service
Connection flooding
Slide 47: Control of vulnerabilities
Encryption
Firewall
Intrusion detection system
Honey pot
Slide 48: Encryption
Most important and versatile tool for the network security expert
Important for:
Privacy
Authenticity
Integrity
Limited access to data
Not a silver bullet
Protects encrypted data only
Slide 49: Encryption
Can be applied in two ways
Link encryption
End-to-end encryption
Slide 50: Link Encryption
Data is encrypted before the system places it on the physical communications link
Encryption takes place in layer 1 or 2 of the OSI model
Encryption protects the message during transit
Message is plaintext inside the hosts
Slide 51: Link Encryption
Data exposed in sending host
Data exposed in intermediate nodes
Applied by sending host
Invisible to user
Host maintains encryption
Encryption done in hardware
Provides node authentication
All or no data encrypted
Slide 52: Link Encryption
Slide 53: Link Encryption
Slide 54: End-to-End Encryption
Security available from one end of transmission to the other
Encryption can be applied by either hardware or software running on the computer
Encryption takes place at the highest levels of the OSI model – application and presentation
Slide 55: End-to-End Encryption
Data encrypted in sending host
Data encrypted in intermediate nodes
User applies encryption
User selects encryption
Either software or hardware implementation
User chooses to encrypt or not
Provides user authentication
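The difference between the link-encryption slides (data exposed in every intermediate node) and the end-to-end slides (only the endpoints see plaintext) can be made visible by simulating a sender A, a router R and a receiver B. The Python example below is added here and is not from the slides. Assumption: the standard library has no block cipher, so the example uses an HMAC-SHA256 keystream XOR as a stand-in stream cipher where real link or application-layer encryption would use a standard cipher such as AES; the node names, keys and message are constructed.

```python
import hashlib
import hmac
import os

NONCE_LEN = 12


def keystream_xor(key, nonce, data):
    """Stand-in stream cipher: XOR data with HMAC-SHA256(key, nonce || counter) blocks.
    Symmetric, so one function both encrypts and decrypts. It exists only to make the
    exposure points visible; deployments use a real cipher such as AES-GCM."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key, plaintext):
    nonce = os.urandom(NONCE_LEN)          # fresh nonce per message, sent in the clear
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key, blob):
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def relay_link_encrypted(message, path, link_keys):
    """Link encryption (OSI layer 1/2): each node decrypts what arrives on one link and
    re-encrypts it for the next link, so every intermediate node holds the plaintext.
    Returns the delivered message and what each receiving node could read."""
    readable_at = {}
    payload = message
    for src, dst in zip(path, path[1:]):
        on_the_wire = encrypt(link_keys[(src, dst)], payload)   # protected while in transit
        payload = decrypt(link_keys[(src, dst)], on_the_wire)   # dst must decrypt to forward
        readable_at[dst] = payload
    return payload, readable_at


def relay_end_to_end(message, path, e2e_key):
    """End-to-end encryption (application/presentation layer): only the endpoints share
    the key; intermediate nodes forward the same opaque blob without decrypting it."""
    readable_at = {}
    blob = encrypt(e2e_key, message)       # sender encrypts once
    for src, dst in zip(path, path[1:]):
        readable_at[dst] = blob            # what dst sees: nonce plus ciphertext
    return decrypt(e2e_key, blob), readable_at


def router_sees_plaintext(message, mode):
    """Constructed three-node path A -> R -> B, where R is the intermediate router.
    Returns True when R could read the message under the chosen scheme."""
    path = ["A", "R", "B"]
    if mode == "link":
        keys = {("A", "R"): b"link-key-A-R".ljust(32, b"\0"),
                ("R", "B"): b"link-key-R-B".ljust(32, b"\0")}
        delivered, seen = relay_link_encrypted(message, path, keys)
    else:
        delivered, seen = relay_end_to_end(message, path, b"e2e-key-A-B".ljust(32, b"\0"))
    if delivered != message:
        raise RuntimeError("delivery failed")   # both schemes must deliver the message intact
    return seen["R"] == message


if __name__ == "__main__":
    msg = b"transfer 1000 to account 42"   # constructed sample message
    print("link encryption, router reads plaintext:", router_sees_plaintext(msg, "link"))
    print("end-to-end encryption, router reads plaintext:", router_sees_plaintext(msg, "e2e"))
```

Both schemes deliver the message correctly; the difference is only where the plaintext exists. Under link encryption the router is a point of exposure that must be physically and administratively trusted, which is exactly the "data exposed in intermediate nodes" item on slide 51.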
Slide 56: End-to-End Encryption
Slide 57: End-to-End Encryption
Slide 58: Virtual Private Networks
Communication passes through an encrypted tunnel
User’s client establishes communication with network firewall
User and firewall negotiate a session encryption key
Slide 59: Virtual Private Networks
Firewall and user encrypt all traffic between them
Firewall authenticates user through authentication server
Firewall implements access control (provide appropriate security privileges)
Slide 60: Virtual Private Networks
Slide 61: PKI and Certificates
PKI is a process created to enable users to implement public key cryptography
Provides identification and access control information to users
Create certificates associating user’s identity with cryptographic key
Give out certificates from its database
Sign certificates thus adding credibility to authenticity of certificates
Confirm or deny that certificate is valid
Invalidate certificates for users who are no longer allowed to access or whose private key has been exposed
Slide 62: PKI and Certificates
PKI sets up entities called certificate authorities that implement PKI policy
Assumption is that certificate authorities are trusted
Functions of certificate authorities
Manage public key certificates for their whole life cycle
Issue certificates by binding a user’s or system identity to a public key with a digital signature
Schedule expiry dates for certificates
Ensure that certificates are revoked by publishing certificate revocation list
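The certificate life cycle listed on slides 61 and 62 (issue by binding an identity to a key with a signature, schedule expiry, revoke through a published CRL, confirm or deny validity) can be followed in a small Python model. The example is added here and is not from the slides. Assumption: the standard library has no public-key signature primitive, so the CA "signature" is an HMAC-SHA256 over the to-be-signed fields with a CA-held secret, standing in for a real digital signature made with the CA's private key; the CA name, subject names, key bytes and dates are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone


class CertificateAuthority:
    """Model of a CA covering the life cycle on the slides: issue, expire, revoke, verify."""

    def __init__(self, name, secret):
        self.name = name
        self._secret = secret          # stand-in for the CA's private signing key
        self._next_serial = 1
        self.crl = set()               # published certificate revocation list (serial numbers)

    def _sign(self, tbs):
        # Canonical serialisation of the to-be-signed fields, then HMAC as the stand-in signature
        data = json.dumps(tbs, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._secret, data, hashlib.sha256).hexdigest()

    def issue(self, subject, public_key_hex, now, lifetime_days=365):
        """Bind a subject identity to a public key and schedule the expiry date."""
        tbs = {
            "serial": self._next_serial,
            "issuer": self.name,
            "subject": subject,
            "public_key": public_key_hex,
            "not_before": now.isoformat(),
            "not_after": (now + timedelta(days=lifetime_days)).isoformat(),
        }
        self._next_serial += 1
        return dict(tbs, signature=self._sign(tbs))

    def revoke(self, serial):
        """Used when the subject is no longer allowed access or its private key was exposed."""
        self.crl.add(serial)

    def verify(self, cert, now):
        """Confirm or deny validity: issuer, signature, validity period, then the CRL."""
        tbs = {k: v for k, v in cert.items() if k != "signature"}
        if cert.get("issuer") != self.name:
            return False, "unknown issuer"
        if not hmac.compare_digest(self._sign(tbs), cert.get("signature", "")):
            return False, "bad signature"        # any tampered field changes the signature
        not_before = datetime.fromisoformat(cert["not_before"])
        not_after = datetime.fromisoformat(cert["not_after"])
        if not (not_before <= now <= not_after):
            return False, "outside validity period"
        if cert["serial"] in self.crl:
            return False, "revoked"
        return True, "valid"


def lifecycle_demo():
    """Walk one constructed certificate through the stages; returns the verdict at each."""
    ca = CertificateAuthority("Example Campus CA", b"constructed-ca-secret-not-for-real-use")
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    cert = ca.issue("alice@example.edu", "ab" * 32, now)          # constructed key bytes
    tampered = dict(cert, subject="mallory@example.edu")          # identity swapped after signing
    verdicts = {
        "fresh": ca.verify(cert, now)[1],
        "tampered": ca.verify(tampered, now)[1],
        "after_expiry": ca.verify(cert, now + timedelta(days=400))[1],
    }
    ca.revoke(cert["serial"])
    verdicts["after_revocation"] = ca.verify(cert, now)[1]
    return verdicts


if __name__ == "__main__":
    for stage, verdict in lifecycle_demo().items():
        print(f"{stage}: {verdict}")
```

The order of checks is deliberate: the signature is checked before the dates and the CRL, because an attacker who can forge the signature can also forge the validity period, and the CRL lookup is only meaningful for a certificate the CA actually issued.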
Slide 63: SSH Encryption
SSH (Secure Shell) is a pair of protocols (V1 and V2)
Provides an authenticated and encrypted path to a shell or operating system command interpreter
Protects against spoofing attacks and modification of data in communications
Protocol involves negotiation between local and remote sites for encryption algorithm (e.g. DES, IDEA, AES) and authentication
Slide 64: SSL Encryption
SSL stands for Secure Socket Layer
Also known as TLS – Transport Layer Security
Protocol was originally designed by Netscape to protect communication between web browser and server
It interfaces between applications (e.g. a browser) and the TCP/IP protocols to provide server authentication, client authentication and an encrypted communication channel between client and server
Slide 65: SSL Encryption
SSL protocol is the most widely used secure communication protocol on the Internet
Only protects data between client’s browser and server
Slide 66: IPSec
Stands for IP Security Protocol
Similar to SSL, i.e. supports authentication and confidentiality
Defines standard means for handling encrypted data
Designed to handle shortcomings of IPv6 such as:
Spoofing
Eavesdropping
Session hijacking
Slide 67: IPSec
Fundamental data structures are
AH – authenticated header
ESP – Encapsulated Security Payload
Contains both authenticated and encrypted portion
Packets: (a) Conventional Packet; (b) IPSec Packet
Slide 68: Wireless security
SSID – Service Set Identifier
Authenticate remote computer
WEP – Wired Equivalent Privacy
Uses encryption to prevent eavesdropping and impersonation
Uses encryption key for authentication
IEEE standard 802.11
Uses 64 and 128 bit encryption
Not effective against brute force attack
Slide 69: Wireless security
WPA and WPA2 – WiFi Protected Access
Addresses known security deficiencies in WEP
IEEE standard 802.11i
Uses encryption key that is unchanged until user enters new key at the client and access point
Encryption key is changed automatically at each packet (Temporal Key Integrity Protocol)
Slide 70: Honeypots
Computer system open to attackers
Goal
Watch what attackers do
Lure attackers in order to study their habits
Divert attackers' attention so as to leave your system alone
Slide 71: Firewalls
Device that filters traffic between protected/inside network and less trustworthy/outside network
Purpose
Keep bad things outside the protected environment
Use security policies to limit access from outside
Slide 72: Types of Firewalls
Packet filtering gateways or screening routers
Stateful inspection firewalls
Application proxies
Guards
Personal firewalls
Slide 73: Packet Filtering Gateway
Most effective
Control access based on packet address or transport protocol such as HTTP
Slide 74: Stateful Inspection Firewall
Maintains state information from one packet to another in the input stream
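Why carrying state from one packet to the next matters can be shown with a small filter in code. The Python example below is added here and is not from the slides or any firewall product; the protected network 10.0.0.0/24, the single public service, the addresses and the packets are all constructed. The stateless screening-router policy has to admit any inbound packet with ACK set in order to let replies to outbound connections back in; the stateful filter instead records each connection the policy approved and admits only packets that belong to one of them.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset   # e.g. frozenset({"SYN"}); TCP only in this example


INSIDE_PREFIX = "10.0.0."          # constructed protected network
PUBLIC_SERVICES = {443}            # inbound connections allowed only to the HTTPS server


def direction(pkt):
    return "out" if pkt.src_ip.startswith(INSIDE_PREFIX) else "in"


def stateless_decision(pkt):
    """Screening-router policy that judges one packet at a time. To let replies to
    outbound connections back in it must admit any inbound packet with ACK set,
    which also admits unsolicited ACK-flagged packets to any inside port."""
    if direction(pkt) == "out":
        return "allow"
    if pkt.dst_port in PUBLIC_SERVICES:
        return "allow"
    if "ACK" in pkt.flags:
        return "allow"                 # the gap: 'established' is guessed from one header
    return "deny"


class StatefulFilter:
    """Keeps a connection table so inbound packets are admitted only when they
    belong to a connection the policy already approved."""

    def __init__(self):
        self.connections = {}    # (src_ip, src_port, dst_ip, dst_port) -> state

    def _policy_allows_new(self, pkt):
        return direction(pkt) == "out" or pkt.dst_port in PUBLIC_SERVICES

    def decide(self, pkt):
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        key = fwd if fwd in self.connections else rev if rev in self.connections else None
        if key is not None:
            state = self.connections[key]
            if "RST" in pkt.flags:
                del self.connections[key]                      # connection torn down
            elif state == "SYN_SENT" and pkt.flags == frozenset({"SYN", "ACK"}):
                self.connections[key] = "SYN_RECV"
            elif state == "SYN_RECV" and "ACK" in pkt.flags:
                self.connections[key] = "ESTABLISHED"
            return "allow"
        # Not part of a known connection: only a bare SYN may open one, and only
        # if the policy allows that direction and port.
        if pkt.flags == frozenset({"SYN"}) and self._policy_allows_new(pkt):
            self.connections[fwd] = "SYN_SENT"
            return "allow"
        return "deny"


def demo():
    """Constructed traffic: one legitimate outbound web session and one unsolicited
    inbound ACK-flagged packet aimed at port 22 on an inside host."""
    client = lambda flags: Packet("10.0.0.5", 51000, "203.0.113.9", 80, frozenset(flags))
    server = lambda flags: Packet("203.0.113.9", 80, "10.0.0.5", 51000, frozenset(flags))
    unsolicited = Packet("198.51.100.7", 40000, "10.0.0.5", 22, frozenset({"ACK"}))

    fw = StatefulFilter()
    session = [fw.decide(client({"SYN"})), fw.decide(server({"SYN", "ACK"})), fw.decide(client({"ACK"}))]
    return {
        "stateful_session": session,
        "stateful_state": fw.connections[("10.0.0.5", 51000, "203.0.113.9", 80)],
        "stateless_unsolicited": stateless_decision(unsolicited),
        "stateful_unsolicited": fw.decide(unsolicited),
        "stateful_unsolicited_synack": StatefulFilter().decide(server({"SYN", "ACK"})),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The legitimate session passes both filters, but only the stateful one rejects the unsolicited packet to port 22 and the server-side SYN-ACK that no inside host asked for, because neither matches an entry in its connection table.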
Slide 75: Application Proxy Firewall
Packet filters look only at the headers of packets, not at the data inside the packets
Slide 76: Guard Firewall
Receives protocol data units, interprets them, and passes through the same or different protocol data units that achieve either the same result or a modified result
Slide 77: Personal Firewall
Application program that runs on a workstation to block unwanted traffic, usually from the network
A conventional firewall protects a (sub)network of multiple hosts
May complement the work of a conventional firewall by screening the kind of data a single host will accept
Slide 78: Denial of Service
Connection flooding
Echo-Chargen
Chargen is a protocol used to generate packets
Attacker makes host A generate echo packets to host B, and host B replies to the echoes
Hosts A and B generate an endless loop
Ping of Death
Attacker sends flood of pings to intended host
Pings saturate victim’s bandwidth
Slide 79: Denial of Service
Connection flooding
Smurf – Attacker sends broadcast echo requests to the network with victim’s return address
SYN flood – Attacker sends many SYN requests and never responds with ACKs, thereby filling the victim's SYN_RECV queue
Teardrop – Attacker sends a series of datagrams that cannot be reassembled properly
Slide 80: Denial of Service
Traffic redirection
Attackers disrupt routers
DNS attacks
Attackers redirect routing of traffic by overtaking domain server or causing it to cache spurious entries (DNS cache poisoning)
E.g. An attack in 2005 used a flaw in a Symantec firewall to allow a change in DNS records used by Windows machines. The poisoned DNS cache redirected users to advertising sites
Slide 81: Distributed Denial of Service
Also called DDoS
Attacker discreetly plants Trojan horse into machine, e.g. through email attachment
Attacker repeats process using many targets (Zombies)
Attacker sends a signal to all Zombies to launch an attack against a victim (n attacks from n Zombies)
Slide 82: Distributed Denial of Service
Slide 83: Intrusion Detection Systems
Also called IDS
Device that monitors activities to identify malicious and suspicious events
Functions
Monitor users and system activity
Auditing system configuration for vulnerabilities and misconfigurations
Assessing the integrity of critical system and data files
recognizing known attack patterns in system activity
identifying abnormal activity through statistical analysis
managing audit trails and highlighting user violation of policy or normal activity
correcting system configuration errors
Slide 84: Intrusion Detection Systems
Slide 85: Types of IDS
Signature based
perform simple pattern-matching and report situations that match a pattern corresponding to a known attack type
Heuristic/Anomaly based
build a model of acceptable behavior and flag exceptions to that model
A network-based IDS is a stand-alone device attached to the network to monitor traffic throughout that network, while a host-based IDS runs on a single workstation or client to protect that one host
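Both detection styles on this slide can be run over a small constructed event stream. The Python example below is added here and is not from the slides or any IDS product: the signature list encodes two attack shapes from the denial-of-service slides (the echo-chargen loop and the smurf broadcast echo request), and the anomaly detector models acceptable behaviour as a bound on half-open TCP connections per server within a sliding time window, which is what a SYN flood violates. All addresses, ports, timestamps, the window size and the threshold are constructed.

```python
from collections import Counter


def tcp(t, src, sport, dst, dport, flags):
    return {"t": t, "proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": set(flags)}


# Signature-based: (name, predicate over one event) describing a known attack shape.
SIGNATURES = [
    ("echo-chargen loop", lambda e: e["proto"] == "udp" and {e["sport"], e["dport"]} == {7, 19}),
    ("smurf broadcast echo request", lambda e: e["proto"] == "icmp" and e["dst"].endswith(".255")),
]


def signature_alerts(events):
    """Simple pattern matching: report every event that matches a known-attack signature."""
    return [(e["t"], name, e["src"]) for e in events for name, match in SIGNATURES if match(e)]


def half_open_anomalies(events, window=2.0, threshold=10):
    """Anomaly-based: the model of acceptable behaviour is 'at most `threshold` half-open
    connections per server within `window` seconds'. A bare SYN opens a half-open entry;
    the client's completing ACK (or an RST) closes it; entries older than the window age out."""
    pending = {}            # (src, sport, dst, dport) -> time of the SYN
    alerted = set()
    alerts = []
    for e in sorted(events, key=lambda e: e["t"]):
        if e["proto"] != "tcp":
            continue
        key = (e["src"], e["sport"], e["dst"], e["dport"])
        if e["flags"] == {"SYN"}:
            pending[key] = e["t"]
        elif key in pending and ({"ACK", "RST"} & e["flags"]):
            del pending[key]                      # handshake completed or aborted
        for k in [k for k, t0 in pending.items() if e["t"] - t0 > window]:
            del pending[k]                        # fell outside the sliding window
        per_server = Counter(dst for (_, _, dst, _) in pending)
        for dst, n in per_server.items():
            if n > threshold and dst not in alerted:
                alerted.add(dst)                  # one alert per server, not one per packet
                alerts.append((e["t"], "possible SYN flood", dst, n))
    return alerts


def build_sample_events():
    """Constructed traffic: three normal web sessions, one echo-chargen exchange,
    one broadcast echo request, then 30 SYNs from spoofed sources that never complete."""
    ev = []
    for i in range(3):
        sport = 40000 + i
        ev.append(tcp(1.0 + i, "10.0.0.5", sport, "10.0.0.10", 80, {"SYN"}))
        ev.append(tcp(1.1 + i, "10.0.0.10", 80, "10.0.0.5", sport, {"SYN", "ACK"}))
        ev.append(tcp(1.2 + i, "10.0.0.5", sport, "10.0.0.10", 80, {"ACK"}))
    ev.append({"t": 4.0, "proto": "udp", "src": "10.0.0.7", "sport": 7,
               "dst": "10.0.0.8", "dport": 19, "flags": set()})
    ev.append({"t": 4.5, "proto": "icmp", "src": "10.0.0.10", "sport": 0,
               "dst": "10.0.0.255", "dport": 0, "flags": set()})
    for i in range(30):
        ev.append(tcp(5.0 + i * 0.01, f"198.51.100.{i + 1}", 50000, "10.0.0.10", 80, {"SYN"}))
    return ev


if __name__ == "__main__":
    events = build_sample_events()
    for alert in signature_alerts(events) + half_open_anomalies(events):
        print(alert)
```

The signature detector fires on the two UDP/ICMP events and says nothing about the flood, because no single SYN is malformed; the anomaly detector catches the flood on the eleventh uncompleted SYN and ignores the normal sessions, whose handshakes complete. The window and threshold are the tuning knobs the later "Limitations of IDS" slide refers to when it says sensitivity is difficult to measure and adjust.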
Slide 86: Goals of IDS
Filter on packet headers
Filter on packet content
Maintain connection state
Use complex, multipacket signatures
Use minimal number of signatures with maximum effect
Slide 87: Goals of IDS
Filter in real time, online
Hide its presence
Use optimal sliding time window size to match signatures
Slide 88: Strengths of IDS
IDSs detect an ever-growing number of serious problems
Adding their signatures to the IDS model helps them to improve over time
Easier and cheaper to manage
Slide 89: Limitations of IDS
Similar IDS may have identical vulnerabilities
Difficult to measure and adjust its sensitivity
Must be monitored and alarms responded to, otherwise it is useless
Slide 90: Secure Email
Email is important in ecommerce
Email is a medium of communications
Slide 91: Email Requirements
Message confidentiality (the message is not exposed en route to the receiver)
Message integrity (what the receiver sees is what was sent)
Sender authenticity (the receiver is confident who the sender was)
Nonrepudiation (the sender cannot deny having sent the message)
Slide 92: Threats to Email
message interception (confidentiality)
message interception (blocked delivery)
message interception and subsequent replay
message content modification
message origin modification
message content forgery by outsider
message origin forgery by outsider
message content forgery by recipient
message origin forgery by recipient
denial of message transmission
Slide 93: Design for Encrypted Email
Developed by Internet Society
Allows for security enhanced messages
Works for both asymmetric and symmetric encryption
Standard supports multiple encryption algorithms
DES, 3DES and AES for confidentiality
RSA and Diffie-Hellman for key exchange
Slide 94: Overview encrypted email processing
Slide 95: Encrypted Email-Secured Message