SE571 Security in Computing - PowerPoint Presentation

Uploaded by desiron on 2020-08-03

Chap 7 Security in Networks. This chapter examines threats against networked applications, including denial of service, web site defacements, malicious mobile code and protocol attacks, and controls against network attacks: physical security, policies, procedures and other technical controls.

Presentation Transcript

Slide1

SE571 Security in Computing

Chap 7: Security in Networks

Slide2

This Chapter Examines…

Threats against networked applications, including denial of service, web site defacements, malicious mobile code, and protocol attacks

Controls against network attacks: physical security, policies, procedures, and other technical controls

SE571 Security in Computing Dr. Ogara


Slide3

This Chapter Examines…

Firewalls: design, capabilities, limitations

Intrusion detection systems

Private e-mail: PGP and S/MIME


Slide4

Research: Top 5 Network Security Threats for 2011

Users

Managed users

Employees/staff

Managed and unmanaged devices – laptops, smartphones

Unmanaged users

Guests

Contractors

Consultants

Business partners

(Source: Bradford Network, 2011)

Slide5

Research: Top 5 Network Security Threats for 2011

Mobile device proliferation

Smartphones – different models from different companies

Tablets/iPads

E-book readers

IP everything – exponential growth in IP devices

Surveillance cameras

Card readers

(Source: Bradford Network, 2011)

Slide6

Research: Top 5 Network Security Threats for 2011

Consumerization of IT

Consumer markets driving IT

Personal devices growing rapidly and must be supported by IT

Virtualization

Server applications in private cloud

Virtual desktop in virtual environment

(Source: Bradford Network, 2011)

Slide7

Research: Consumerization of IT Survey 2011

Study sponsored by Dell KACE

741 IT professionals participated

Employees using personal devices (87%)

Email

Calendar

CRM/ERP

Employees using smartphones (80%)

Employees using personal PCs (69%)

https://www.kace.com/resources/Consumerization-of-IT-Survey-2011

Slide8

Network Security

What are we protecting?

Why are we protecting?

What are assets?

What are threats?

What are the controls?

Slide9

Network Assets

Network infrastructure

Application programs

Data

Slide10

Network Threats

Interception

Eavesdropping

Passive wiretapping

Modification

Active wiretapping

Falsification

Compromise of authenticity

Denial of service

Slide11

Network Controls

Firewalls

Intrusion detection systems

Secure email


Slide12

Terminologies

Network – a collection of communicating hosts

Node – single computing system in a network

Link – connection between two hosts

Host – single computer in a network

Workstation – an end-user computing device, usually designed for a single user at a time

Slide13

Terminologies

Topology – the way a network is configured, in terms of nodes and connections

Protocol – standard method for transmitting data and/or establishing communications between different devices

Protocol stack – a layered architecture for communications

Slide14

Network


Slide15

Protocols

Two popular protocol stacks for implementing networks

Open Systems Interconnection (OSI)

Transmission Control Protocol and Internet Protocol (TCP/IP)

Slide16

OSI Model

Contains 7 layers

Layers represent the different activities that must be performed for actual transmission of a message


Slide17

OSI Network Model


Slide18

OSI Protocol Layer Levels


Slide19

OSI Protocol Layer Levels

What happens when you send a message to yourfriend@somewhere.net?

Physical layer

Data link

Network layer

Router sends message to destination router

Adds 2 headers (source and destination IP address)

Slide20

OSI Protocol Layer Levels

Data link

Network Interface Card (NIC) provides a physical address called the MAC (Media Access Control) address

Two more headers added (source computer and router NIC address)

Structure is called a frame and contains destination MAC, source MAC and data

Slide21

OSI Protocol Layer Levels

Data link

Slide22

OSI Protocol Layer Levels

Network layer

Router sends message to destination router

Adds 2 headers (source and destination IP address) to data

These are called packets

Slide23

TCP/IP Model

Common in most wide area network communications

Defined by protocols rather than layers, although it is seen as 4 layers:

Application

Transport

Internet

Physical

Slide24

TCP/IP Model

It denotes two models, although it is used as a single acronym

TCP implements a connected communications session on top of the more basic IP transport protocol

Slide25

TCP/IP Model


Slide26

TCP Protocol

Records and checks correct sequencing of packets

Retransmits missing or faulty packets

Provides a stream of correct data in proper order to the invoking application

Problem – retransmissions of faulty or missing packets take time and induce overhead

Slide27

TCP Packet

Data structure

Includes a sequence number, an acknowledgment number for connecting the packets of a communication session, flags, and source and destination port numbers

Port – unique channel number by which computers can route their respective packets to each of them
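The frame, packet and TCP segment structures described on Slides 19–22 and 27 can be built and taken apart with a few lines of Python. The example below is added here and is not from the slides: the MAC addresses, the IP addresses (taken from the documentation ranges), the ports and the SMTP line are constructed sample values, and the checksums are left at zero because nothing transmits the bytes.

```python
import socket
import struct

# Constructed sample addresses (documentation/test ranges; not from the slides)
HOST_MAC = bytes.fromhex("020000000001")    # sending host's NIC
ROUTER_MAC = bytes.fromhex("020000000002")  # first-hop router's NIC
HOST_IP = "192.0.2.10"
MAIL_SERVER_IP = "198.51.100.25"

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def build_tcp_segment(src_port, dst_port, seq, ack, flags, payload=b""):
    """Transport layer: ports, sequence/acknowledgment numbers and flags in front of the data (Slide 27)."""
    offset_and_flags = (5 << 12) | flags          # header is 5 x 32-bit words (no options), then the flag bits
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                         offset_and_flags, 65535, 0, 0)  # window, checksum (0: not transmitted), urgent ptr
    return header + payload


def build_ip_packet(src_ip, dst_ip, segment):
    """Network layer: adds the source and destination IP addresses (Slide 22's 'packet')."""
    total_length = 20 + len(segment)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_length, 0, 0,      # version/IHL, DSCP, total length, id, flags+fragment
                         64, 6, 0,                          # TTL, protocol 6 = TCP, checksum (0 here)
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return header + segment


def build_frame(dst_mac, src_mac, packet):
    """Data link layer: destination MAC, source MAC, EtherType, then the packet (Slide 20's 'frame')."""
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + packet   # 0x0800 = IPv4


def parse_frame(frame):
    """Strip the headers in the reverse order the layers added them and return every field."""
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    packet = frame[14:]

    (ver_ihl, _dscp, total_length, _ident, _frag, ttl, proto, _csum,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4                   # header length in bytes
    segment = packet[ihl:total_length]

    (src_port, dst_port, seq, ack, offset_and_flags,
     _window, _csum, _urg) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (offset_and_flags >> 12) * 4
    flag_bits = offset_and_flags & 0x01FF
    return {
        "dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"), "ethertype": ethertype,
        "src_ip": socket.inet_ntoa(src_ip), "dst_ip": socket.inet_ntoa(dst_ip),
        "ttl": ttl, "protocol": proto,
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAGS.items() if flag_bits & bit],
        "payload": segment[data_offset:],
    }


def encapsulate_and_parse():
    """Wrap one SMTP command the way Slides 19-22 describe, then read it back from the frame."""
    segment = build_tcp_segment(51234, 25, seq=1000, ack=5000, flags=0x18,   # PSH|ACK
                                payload=b"RCPT TO:<yourfriend@somewhere.net>\r\n")
    packet = build_ip_packet(HOST_IP, MAIL_SERVER_IP, segment)
    frame = build_frame(ROUTER_MAC, HOST_MAC, packet)
    return parse_frame(frame)
```

Every field the parser recovers is exactly what a passive wiretap on the link (Slide 10) recovers as well: the layering adds headers but hides nothing, which is why the encryption controls later in the chapter exist.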

Slide28

Internet Services


Slide29

Local Area Networks (LAN)

Covers a small distance typically within a single building

Connects several small computers, such as personal computers, as well as printers and perhaps some dedicated file storage devices


Slide30

Local Area Networks (LAN)


Slide31

Wide Area Networks (WAN)

Single control – usually controlled by one organization

Covers a significant distance

Physically exposed

Examples: campus area networks, metropolitan area networks

Slide32

What Makes a Network Vulnerable?

Anonymity

Anonymous attackers

Many points of attack – both targets and origins

Less rigorous security

Sharing

Complexity of system

Unknown perimeter – untrusted hosts in networks

Slide33

Why do people attack networks?

Fame or recognition

Money and espionage

Organized crime

Advance an ideology

Slide34

Network Vulnerabilities, Targets and Controls

What are the targets?

What are the vulnerabilities?

What are the controls?


Slide35

Vulnerabilities that target precursors to attack

Port scan

Gives external picture – open doors

Standard ports or services running?

Social engineering

Use of social skills and personal interaction to get someone to reveal security-relevant information

Reconnaissance

OS and application fingerprinting

Slide36

Control of vulnerabilities

Firewall

“Hardened” (self-defensive) applications

Programs that reply with only what is necessary

Intrusion detection system

Run as few services as possible

Slide37

Control of vulnerabilities

Education, user awareness

Policies and procedures

Systems in which two people must agree to perform certain security-critical functions

Slide38

Network vulnerabilities that target authentication failures

Impersonation

Guessing

Eavesdropping

Session hijacking

Spoofing

Man-in-the-middle attack

Slide39

Control of vulnerabilities

Strong, one-time authentication

Virtual private network

Encrypted authentication channel

Education, user awareness

Protocol analysis

Slide40

Network vulnerabilities that target programming flaws

Buffer overflow

Addressing errors

Parameter modification

Time-of-check to time-of-use errors

Server-side include

Cookies

Malicious active code: Java, ActiveX

Malicious code: virus, worm, Trojan horse

Slide41

Control of vulnerabilities

Programming controls

Intrusion detection system

Personal firewall

Two-way authentication

Controlled execution environment

Signed code

Slide42

Network vulnerabilities that target confidentiality

Protocol flaw

Malicious code: virus, worm, Trojan horse

Eavesdropping

Passive wiretap

Misdelivery

Exposure within network

Traffic flow analysis

Cookie

Slide43

Control of vulnerabilities

Firewall

Encryption

Intrusion detection system

Controlled execution environment

Programming controls

Slide44

Network vulnerabilities that target integrity

Protocol flaw

Impersonation

Active wiretap

Falsification of message

Noise

Website defacement

DNS attack

Slide45

Control of vulnerabilities

Firewall

Encryption

Intrusion detection system

Controlled execution environment

Audit

Protocol analysis

Strong authentication

Error detection code

Honey pot

Slide46

Network vulnerabilities that target availability

Protocol flaw

Transmission or component failure

DNS attack

Traffic redirection

Distributed denial of service

Connection flooding

Slide47

Control of vulnerabilities

Encryption

Firewall

Intrusion detection system

Honey pot

Slide48

Encryption

Most important and versatile tool for the network security expert

Important for:

Privacy

Authenticity

Integrity

Limited access to data

Not a silver bullet

Protects encrypted data only

Slide49

Encryption

Can be applied in two ways

Link encryption

End-to-end encryption


Slide50

Link Encryption

Data is encrypted before the system places it on the physical communications link

Encryption takes place in layer 1 or 2 of the OSI model

Encryption protects the message during transit

Message is plaintext inside the hosts

Slide51

Link Encryption

Data exposed in sending host

Data exposed in intermediate nodes

Applied by sending host

Invisible to user

Host maintains encryption

Encryption done in hardware

Provides node authentication

All or no data encrypted

Slide52

Link Encryption


Slide53

Link Encryption


Slide54

End-to-End Encryption

Security available from one end of the transmission to the other

Encryption can be applied by either hardware or software running on the computer

Encryption takes place at the highest levels of the OSI model – application and presentation

Slide55

End-to-End Encryption

Data encrypted in sending host

Data encrypted in intermediate nodes

User applies encryption

User selects encryption

Either software or hardware implementation

User chooses to encrypt or not

Provides user authentication
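A small simulation of the two placements of encryption compared on Slides 50–55, added here and not part of the slides. It walks one message over a constructed path hostA -> router1 -> router2 -> hostB and records what each node holds in memory and what a wiretap on each link would capture. The toy XOR cipher, the key names and the node names are assumptions made for the simulation; the cipher is not a real one.

```python
import hashlib

PATH = ["hostA", "router1", "router2", "hostB"]
# Constructed keys: one per physical link (link encryption) and one shared only by the two ends (end-to-end)
LINK_KEYS = {
    ("hostA", "router1"): b"link-key-1",
    ("router1", "router2"): b"link-key-2",
    ("router2", "hostB"): b"link-key-3",
}
END_TO_END_KEY = b"end-to-end-key"


def toy_cipher(key, data):
    """Toy stream cipher for the simulation only (NOT secure): XOR with a SHA-256-derived keystream.
    Applying it twice with the same key restores the data, so one function both encrypts and decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def link_encrypted_transit(message):
    """Slides 50/51: every node decrypts what arrives and re-encrypts for the next link,
    so the message is plaintext inside each host and router and ciphertext only on the wire."""
    inside_node = {PATH[0]: message}   # what each node holds in memory
    on_wire = {}                       # what a passive wiretap on each link would capture
    carried = message
    for hop_from, hop_to in zip(PATH, PATH[1:]):
        key = LINK_KEYS[(hop_from, hop_to)]
        on_wire[(hop_from, hop_to)] = toy_cipher(key, carried)     # encrypted (in hardware) on the way out
        carried = toy_cipher(key, on_wire[(hop_from, hop_to)])     # decrypted on arrival: plaintext again
        inside_node[hop_to] = carried
    return inside_node, on_wire


def end_to_end_transit(message):
    """Slides 54/55: the sender encrypts at the application layer; routers forward ciphertext they cannot read."""
    ciphertext = toy_cipher(END_TO_END_KEY, message)
    inside_node = {PATH[0]: message}
    on_wire = {}
    for hop_from, hop_to in zip(PATH, PATH[1:]):
        on_wire[(hop_from, hop_to)] = ciphertext
        inside_node[hop_to] = ciphertext           # intermediate nodes hold only ciphertext
    inside_node[PATH[-1]] = toy_cipher(END_TO_END_KEY, ciphertext)  # only the receiver can decrypt
    return inside_node, on_wire


def plaintext_nodes(inside_node, message):
    """Nodes where the message is readable, in path order: the exposure a compromised node would give."""
    return [node for node in PATH if inside_node.get(node) == message]
```

Link encryption leaves the message readable inside every router (and does so invisibly to the user, in the link hardware), while end-to-end encryption leaves it readable only at the two ends, which is the exposure difference in the comparison above; in both placements a wiretap on the wire sees only ciphertext.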

Slide56

End-to-End Encryption


Slide57

End-to-End Encryption


Slide58

Virtual Private Networks

Communication passes through an encrypted tunnel

User’s client establishes communication with network firewall

User and firewall negotiate a session encryption key


Slide59

Virtual Private Networks

Firewall and user encrypt all traffic between them

Firewall authenticates user through authentication server

Firewall implements access control (provide appropriate security privileges)


Slide60

Virtual Private Networks


Slide61

PKI and Certificates

PKI is a process created to enable users to implement public key cryptography

Provides identification and access control information to users

Create certificates associating a user's identity with a cryptographic key

Give out certificates from its database

Sign certificates, thus adding credibility to the authenticity of certificates

Confirm or deny that a certificate is valid

Invalidate certificates for users who are no longer allowed access or whose private key has been exposed

Slide62

PKI and Certificates

PKI sets up entities called certificate authorities that implement PKI policy

Assumption is that certificate authorities are trusted

Functions of certificate authorities

Manage public key certificates for their whole life cycle

Issue certificates by binding a user's or system's identity to a public key with a digital signature

Schedule expiry dates for certificates

Ensure that certificates are revoked by publishing a certificate revocation list
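The certificate authority functions listed above, as an added example that is not from the slides or from any real CA: issue a certificate that binds an identity to a public key with a digital signature, schedule its expiry, revoke it and publish a CRL, plus the checks a relying party runs before trusting it. The RSA numbers are a constructed toy key pair so that the code needs only the standard library; a real CA uses full-size keys and X.509 encoding.

```python
import hashlib
import json
from datetime import date, timedelta

# Toy RSA key pair (p = 61, q = 53, n = 3233, e = 17, d = 2753), constructed for illustration only.
# It is far too small for real use; it exists so the signature check runs without any library.
CA_PUBLIC_KEY = (3233, 17)
CA_PRIVATE_KEY = (3233, 2753)


def digest_mod_n(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    n, d = private_key
    return pow(digest_mod_n(data, n), d, n)


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == digest_mod_n(data, n)


def canonical(body):
    # The signature must cover one fixed byte encoding of the certificate body
    return json.dumps(body, sort_keys=True).encode()


class CertificateAuthority:
    """Implements the CA functions on Slide 62: issue with expiry, revoke, publish a CRL."""

    def __init__(self, name, private_key, today):
        self.name = name
        self.private_key = private_key
        self.today = today
        self.next_serial = 1
        self.revoked = set()   # serial numbers that will appear on the certificate revocation list

    def issue(self, subject, subject_public_key, lifetime_days=365):
        body = {
            "serial": self.next_serial,
            "issuer": self.name,
            "subject": subject,                          # the identity being bound ...
            "public_key": list(subject_public_key),      # ... to this public key
            "not_before": self.today.isoformat(),
            "not_after": (self.today + timedelta(days=lifetime_days)).isoformat(),
        }
        self.next_serial += 1
        return dict(body, signature=sign(self.private_key, canonical(body)))

    def revoke(self, serial):
        self.revoked.add(serial)

    def crl(self):
        return sorted(self.revoked)


def validate(cert, ca_public_key, crl, on_date):
    """What a relying party does: check the CA's signature, the validity period, then the CRL."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    if not verify(ca_public_key, canonical(body), cert["signature"]):
        return "bad signature"
    if not (cert["not_before"] <= on_date.isoformat() <= cert["not_after"]):
        return "outside validity period"
    if cert["serial"] in crl:
        return "revoked"
    return "valid"
```

The order of the checks matters in practice as well: a certificate whose signature fails is not the CA's statement at all, so its dates and serial mean nothing; only a genuine, unexpired certificate is worth looking up on the CRL, and the relying party must fetch a current CRL rather than trusting whatever copy it cached.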

Slide63

SSH Encryption

SSH (Secure Shell) is a pair of protocols (V1 and V2)

Provides an authenticated and encrypted path to a shell or operating system command interpreter

Protects against spoofing attacks and modification of data in communications

Protocol involves negotiation between local and remote sites for encryption algorithm (e.g. DES, IDEA, AES) and authentication

Slide64

SSL Encryption

SSL stands for Secure Socket Layer

Also known as TLS – Transport Layer Security

Protocol was originally designed by Netscape to protect communication between web browser and server

It interfaces between applications (e.g. browser) and TCP/IP protocols to provide server authentication, client authentication and an encrypted communication channel between client and server

Slide65

SSL Encryption

SSL protocol is the most widely used secure communication protocol on the Internet

Only protects data between the client's browser and the server

Slide66

IPSec

Stands for IP Security Protocol

Similar to SSL, i.e. supports authentication and confidentiality

Defines standard means for handling encrypted data

Designed to handle shortcomings of IPv6 such as:

Spoofing

Eavesdropping

Session hijacking

Slide67

IPSec

Fundamental data structures are:

AH – Authentication Header

ESP – Encapsulating Security Payload

Contains both an authenticated and an encrypted portion

Packets: (a) Conventional packet; (b) IPSec packet

Slide68

Wireless security

SSID – Service Set Identifier

Authenticate remote computer

WEP – Wired Equivalent Privacy

Uses encryption to prevent eavesdropping and impersonation

Uses encryption key for authentication

IEEE standard 802.11

Uses 64- and 128-bit encryption

Not effective against brute force attack

Slide69

Wireless security

WPA and WPA2 – Wi-Fi Protected Access

Addresses known security deficiencies in WEP

IEEE standard 802.11i

Uses encryption key that is unchanged until user enters new key at the client and access point

Encryption key is changed automatically at each packet (Temporal Key Integrity Protocol)

Slide70

Honeypots

Computer system open to attackers

Goal

Watch what attackers do

Lure attackers in order to study their habits

Divert attackers' attention so as to leave your system alone

Slide71

Firewalls

Device that filters traffic between protected/inside network and less trustworthy/outside network

Purpose

Keep bad things outside the protected environment

Use security policies to limit access from outside

Slide72

Types of Firewalls

Packet filtering gateways or screening routers

Stateful inspection firewalls

Application proxies

Guards

Personal firewalls

Slide73

Packet Filtering Gateway

Most effective

Control access based on packet address or transport protocol such as HTTP


Slide74

Stateful Inspection Firewall

Maintains state information from one packet to another in the input stream

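The difference between the packet filtering gateway of Slide 73 and the stateful inspection firewall of Slide 74, as an added example rather than anything from the slides. The protected network, the server addresses and the rules are constructed. Both filters see the same packet sequence; only the stateful one remembers which connections were opened from inside.

```python
import ipaddress
from collections import namedtuple

# Constructed addresses: the protected network sits behind the firewall, everything else is "outside"
INSIDE = ipaddress.ip_network("10.0.0.0/8")
MAIL_SERVER = "10.1.1.25"

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port flags")


def is_inside(ip):
    return ipaddress.ip_address(ip) in INSIDE


def side_matches(spec, ip):
    # spec is "inside", "outside" or a literal address
    if spec == "inside":
        return is_inside(ip)
    if spec == "outside":
        return not is_inside(ip)
    return spec == ip


def matches(rule, pkt):
    return (side_matches(rule["src"], pkt.src_ip)
            and side_matches(rule["dst"], pkt.dst_ip)
            and rule.get("src_port", pkt.src_port) == pkt.src_port
            and rule.get("dst_port", pkt.dst_port) == pkt.dst_port)


# Screening-router policy (Slide 73): decided from the addresses and ports of each packet alone.
# Because it keeps no state, replies to outbound HTTPS sessions need a rule of their own.
STATELESS_RULES = [
    {"name": "outbound https", "src": "inside", "dst": "outside", "dst_port": 443},
    {"name": "https replies", "src": "outside", "src_port": 443, "dst": "inside"},
    {"name": "inbound smtp", "src": "outside", "dst": MAIL_SERVER, "dst_port": 25},
]

# Stateful policy (Slide 74): only says which NEW connections may start; replies match tracked flows.
STATEFUL_RULES = [
    {"name": "outbound https", "src": "inside", "dst": "outside", "dst_port": 443},
    {"name": "inbound smtp", "src": "outside", "dst": MAIL_SERVER, "dst_port": 25},
]


def stateless_decision(pkt):
    for rule in STATELESS_RULES:
        if matches(rule, pkt):
            return "allow"
    return "deny"  # default deny


class StatefulFirewall:
    def __init__(self):
        self.flows = set()  # (src_ip, src_port, dst_ip, dst_port) of connections seen to start legitimately

    def decision(self, pkt):
        forward = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if forward in self.flows or reverse in self.flows:
            if "FIN" in pkt.flags or "RST" in pkt.flags:   # connection closing: forget it
                self.flows.discard(forward)
                self.flows.discard(reverse)
            return "allow"                                  # part of a connection we saw open
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:   # a new connection attempt
            for rule in STATEFUL_RULES:
                if matches(rule, pkt):
                    self.flows.add(forward)                 # remember it so its replies get through
                    return "allow"
        return "deny"


def compare(packets):
    """Run the same packet sequence through both filters; returns (label, stateless, stateful) per packet."""
    fw = StatefulFirewall()
    return [(label, stateless_decision(p), fw.decision(p)) for label, p in packets]


# Constructed traffic: a normal HTTPS session, a packet that merely claims to be a reply, and mail delivery
SAMPLE = [
    ("client SYN to web server", Packet("10.2.3.4", 51000, "203.0.113.7", 443, {"SYN"})),
    ("web server SYN-ACK reply", Packet("203.0.113.7", 443, "10.2.3.4", 51000, {"SYN", "ACK"})),
    ("client ACK", Packet("10.2.3.4", 51000, "203.0.113.7", 443, {"ACK"})),
    ("unsolicited packet from port 443 to SSH", Packet("203.0.113.9", 443, "10.2.3.4", 22, {"SYN"})),
    ("mail delivery", Packet("198.51.100.3", 40000, MAIL_SERVER, 25, {"SYN"})),
]
```

The stateless policy has to carry a "replies from port 443" rule for web sessions to work at all, and that rule also accepts any outside packet that simply uses source port 443. The stateful firewall needs no such rule: a reply is allowed because its connection is in the flow table, and a packet that belongs to no tracked connection and matches no new-connection rule is dropped.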

Slide75

Application Proxy Firewall

Packet filters look only at the headers of packets, not at the data inside the packets

Slide76

Guard Firewall

Receives protocol data units, interprets them, and passes through the same or different protocol data units that achieve either the same result or a modified result

Slide77

Personal Firewall

Application program that runs on a workstation to block unwanted traffic, usually from the network

Protect a (sub)network of multiple hosts

May complement the work of a conventional firewall by screening the kind of data a single host will accept

Slide78

Denial of Service

Connection flooding

Echo-Chargen

Chargen is a protocol used to generate packets

Attacker makes host A generate echo packets to host B, and host B replies to the echoes

Hosts A and B generate an endless loop

Ping of Death

Attacker sends a flood of pings to the intended host

Pings saturate the victim's bandwidth

Slide79

Denial of Service

Connection flooding

Smurf – attacker sends broadcast echo requests to the network with the victim's return address

SYN flood – attacker sends many SYN requests and never responds with ACKs, thereby filling the victim's SYN_RECV queue

Teardrop – attacker sends a series of datagrams that cannot be reassembled properly
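Detecting the SYN flood pattern described above from a connection log, as an added example that is not from the slides. The log format and the hosts are constructed; the parser follows each three-way handshake and counts, per source, the connections that never received the client's final ACK, which is the same half-open state that fills the victim's SYN_RECV queue.

```python
import re
from collections import defaultdict

# tcpdump-style flag letters: [S] SYN, [S.] SYN-ACK, [.] ACK, [F] FIN, [R] RST
LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) \[(S\.|S|\.|F|R)\]$")

HALF_OPEN_THRESHOLD = 5  # assumed alerting threshold per source; tune to the environment

# Constructed sample log: one client that completes its handshake, then 203.0.113.5 opening
# six connections to the web server and never sending the final ACK.
LEGITIMATE = """\
12:00:01 198.51.100.7:40001 -> 10.1.1.80:80 [S]
12:00:01 10.1.1.80:80 -> 198.51.100.7:40001 [S.]
12:00:01 198.51.100.7:40001 -> 10.1.1.80:80 [.]
"""
HALF_OPEN_BURST = "".join(
    f"12:00:02 203.0.113.5:{port} -> 10.1.1.80:80 [S]\n"
    f"12:00:02 10.1.1.80:80 -> 203.0.113.5:{port} [S.]\n"
    for port in range(1001, 1007)
)
SAMPLE_LOG = LEGITIMATE + HALF_OPEN_BURST


def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    t, src, sport, dst, dport, flags = m.groups()
    return {"time": t, "src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "flags": flags}


def track_handshakes(log_text):
    """Follow each three-way handshake; returns per-source counters and the set of still half-open connections."""
    half_open = set()   # (client, client_port, server, server_port) waiting for the client's final ACK
    stats = defaultdict(lambda: {"syn": 0, "completed": 0, "half_open": 0})
    for line in log_text.splitlines():
        p = parse(line)
        if p is None:
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "S":                              # client opens with SYN
            half_open.add(key)
            stats[p["src"]]["syn"] += 1
        elif p["flags"] == "." and key in half_open:       # client's ACK completes the handshake
            half_open.remove(key)
            stats[p["src"]]["completed"] += 1
        # the server's [S.] reply changes nothing: the entry stays half-open until the client ACKs
    for client, _, _, _ in half_open:
        stats[client]["half_open"] += 1
    return dict(stats), half_open


def flag_syn_flood(stats, threshold=HALF_OPEN_THRESHOLD):
    """Sources holding at least `threshold` half-open connections, sorted."""
    return sorted(src for src, s in stats.items() if s["half_open"] >= threshold)


def server_backlog(half_open, server_ip):
    """How many SYN_RECV entries the server is holding: the queue the flood is trying to exhaust."""
    return sum(1 for _, _, dst, _ in half_open if dst == server_ip)
```

The per-source half-open count is what a multipacket, connection-state signature (Slide 86) looks like in practice; the server-side backlog figure is the one to watch in monitoring, since it is the resource that runs out. The threshold is an assumption for the example and would be set from the site's normal traffic.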

Slide80

Denial of Service

Traffic redirection

Attackers disrupt routers

DNS attacks

Attackers redirect routing of traffic by taking over a domain server or causing it to cache spurious entries (DNS cache poisoning)

E.g. an attack in 2005 used a flaw in a Symantec firewall to allow a change in DNS records used by Windows machines; the poisoned DNS cache redirected users to advertising sites

Slide81

Distributed Denial of Service

Also called DDoS

Attacker discreetly plants a Trojan horse in a machine, e.g. through an email attachment

Attacker repeats the process on many targets (zombies)

Attacker sends a signal to all zombies to launch an attack against a victim (n attacks from n zombies)

Slide82

Distributed Denial of Service


Slide83

Intrusion Detection Systems

Also called IDS

Device that monitors activities to identify malicious and suspicious events

Functions

Monitor users and system activity

Audit system configuration for vulnerabilities and misconfigurations

Assess the integrity of critical system and data files

Recognize known attack patterns in system activity

Identify abnormal activity through statistical analysis

Manage audit trails and highlight user violations of policy or normal activity

Correct system configuration errors

Slide84

Intrusion Detection Systems


Slide85

Types of IDS

Signature based – performs simple pattern matching and reports situations that match a pattern corresponding to a known attack type

Heuristic/anomaly based – builds a model of acceptable behavior and flags exceptions to that model

A network-based IDS is a stand-alone device attached to the network to monitor traffic throughout that network, while a host-based IDS runs on a single workstation or client to protect that one host
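The two IDS types contrasted above, run over constructed web-server log lines: an added example, not from the slides. The signature detector matches request paths against patterns for known attack types; the anomaly detector builds a per-source request-count model from a quiet training window and flags sources far above it. The log lines, the addresses and the patterns are all constructed for the example.

```python
import re
import statistics
from collections import Counter

# Common-log-format line: client - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) - - \[[^\]]+\] "(\w+) (\S+) [^"]+" (\d{3})')

# Signature-based IDS: patterns that correspond to known attack types (constructed, minimal set)
SIGNATURES = {
    "path traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"(?i)('|%27)\s*(or|and)\s+\d+\s*=\s*\d+"),
    "sensitive file probe": re.compile(r"/etc/passwd|/\.git/"),
}


def parse_access_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    src, method, path, status = m.groups()
    return {"src": src, "method": method, "path": path, "status": int(status)}


def signature_scan(lines):
    """Report (source, attack type) for every request matching a known-attack pattern."""
    alerts = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                alerts.append((rec["src"], name))
    return alerts


def requests_per_source(lines):
    records = [parse_access_line(line) for line in lines]
    return Counter(r["src"] for r in records if r)


def build_baseline(training_lines):
    """Anomaly-based IDS: the model of acceptable behaviour, here requests per source in a quiet window."""
    counts = list(requests_per_source(training_lines).values())
    return {"mean": statistics.mean(counts), "stdev": statistics.pstdev(counts)}


def anomaly_scan(lines, baseline, k=3):
    """Flag sources whose request count sits more than k standard deviations above the baseline."""
    threshold = baseline["mean"] + k * max(baseline["stdev"], 1.0)  # floor: a tiny stdev must not flag everyone
    return [src for src, n in requests_per_source(lines).items() if n > threshold]


def access_line(src, path, status=200):
    # Builds a constructed log line in the format LOG_RE expects
    return f'{src} - - [03/Aug/2020:12:00:00 +0000] "GET {path} HTTP/1.1" {status} 512'


# Constructed logs: a quiet training window, then a window with one very chatty host and one single probe
TRAINING_LOG = ([access_line("198.51.100.10", "/index.html")] * 4
                + [access_line("198.51.100.11", "/about.html")] * 5
                + [access_line("198.51.100.12", "/news.html")] * 6)
MONITOR_LOG = ([access_line("198.51.100.10", "/index.html")] * 5
               + [access_line("198.51.100.50", "/catalog.html")] * 40
               + [access_line("203.0.113.9", "/../../etc/passwd", 404)])
```

Each detector catches what the other misses: the traversal probe is a single request and invisible to the rate model, while the chatty host sends nothing that matches a signature. The k = 3 band and the standard-deviation floor are assumptions chosen for the example, and a baseline built from a window that already contained an attack would learn that attack as normal.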

Slide86

Goals of IDS

Filter on packet headers

Filter on packet content

Maintain connection state

Use complex, multipacket signatures

Use minimal number of signatures with maximum effect

Slide87

Goals of IDS

Filter in real time, online

Hide its presence

Use optimal sliding time window size to match signatures


Slide88

Strengths of IDS

IDSs detect an ever-growing number of serious problems

Adding their signatures to the IDS model helps them to improve over time

Easier and cheaper to manage


Slide89

Limitations of IDS

Similar IDS may have identical vulnerabilities

Difficult to measure and adjust its sensitivity

Must be monitored and alarms responded to otherwise it is useless


Slide90

Secure Email

Email is important in ecommerce

Email is a medium of communications


Slide91

Email Requirements

Message confidentiality (the message is not exposed en route to the receiver)

Message integrity (what the receiver sees is what was sent)

Sender authenticity (the receiver is confident who the sender was)

Nonrepudiation (the sender cannot deny having sent the message)


Slide92

Threats to Email

Message interception (confidentiality)

Message interception (blocked delivery)

Message interception and subsequent replay

Message content modification

Message origin modification

Message content forgery by outsider

Message origin forgery by outsider

Message content forgery by recipient

Message origin forgery by recipient

Denial of message transmission

Slide93

Design for Encrypted Email

Developed by Internet Society

Allows for security enhanced messages

Works for both asymmetric and symmetric encryption

Standard supports multiple encryption algorithms

DES, 3DES and AES for confidentiality

RSA and Diffie-Hellman for key exchange

Slide94

Overview encrypted email processing


Slide95

Encrypted Email-Secured Message
