Networking Essentials
Chapter 17 – Network Security
RVCC - CISY 219 - Fall 2004 - TWE 1
Some of the Problems
Networks have become vital corporate
and national assets
Loss of network or connectivity to a
network can cripple many businesses
Increased dependence on the Internet for
VPN service dramatically increases
vulnerability
Attacks can be physical or service
affecting
It is virtually impossible to eliminate all
network security problems
Where Are The Threats?
Terrorists
White Collar Crime
Insider/Espionage
Open Source
Disasters
Theft
Scripts
ID Theft
Increase in Security Incidents
[Chart: CERTCC Reported Vulnerabilities 1988-2003; vertical axis 0 to 140000]
Total Number of Incidents Reported from 1988-2003 is 319,992
Average Yearly CERTCC Reported Vulnerabilities Increase of 40%
Security Risks Rising
[Chart, 1995-2002: Malicious Code Infection Attempts* (left axis, 0 to 900M) and Network Intrusion Attempts** (right axis, 0 to 120,000)]
Threats labelled on the chart:
Blended Threats (CodeRed, Nimda, Slammer)
Denial of Service (Yahoo!, eBay)
Mass Mailer Viruses (Love Letter/Melissa)
Zombies
Polymorphic Viruses (Tequila)
*Analysis by Symantec Security Response using data from Symantec, IDC & ICSA; 2002 estimated
**Source: CERT
Threats Evolution (Version A)
1988-1990 1991-1992 1994-1995 1998-2000 2000-2001 2001 & Beyond
Information Security Organizations
1984  ISSA     Information Systems Security Association
1988  CERT/CC  CERT Coordination Center
1989  SANS     SysAdmin, Audit, Network, Security
1989  ISC2     International Information Systems Security Certification Consortium
1993  FIRST    Forum of Incident Response and Security Teams
1994  EPIC     Electronic Privacy Information Center
199   FS-ISAC  Financial Services - Information Sharing and
Privacy Regulations’ Environment
• Restrictive regulatory / Compliance environment
Multinational Laws & Regulations crossing multiple borders
National Laws & Regulations at federal levels & supersede state & provincial laws
State & Provincial Laws with limited boundaries
• Complex third party relationships
• Increased use of E-commerce, web based applications
Laws and regulations named on the slide:
CA-1386, GLB, HIPAA, FCRA, COPPA, Privacy Act, Patriot Act, Electronic Communication Act
Personal Information Protection and Electronics Document Act
UK Data Protection Act
EU Privacy Directive
The Privacy Act
Privacy Amendment Act
Guidelines for the Protection of Computer Processed Personal Data
Privacy Ordinance
Federal Data Protection Act
U.S. Privacy Regulations
1974 US Privacy Act – Helps citizens gain access to government records
1978 RFPA – Provides confidentiality to financial records & their transfer
1978 FCRA – Promotes accuracy in consumer reporting & ensures their privacy
1986 Electronic Communication Act – Guards against unlawful access to stored communications
1987 Computer Security Act – Requires improving information security & privacy in government agencies
1996 HIPAA – Prohibits sharing of health information for non-health care reasons
1997 CFR part 11 – Creates criteria for electronic record keeping in promoting public health
1998 COPPA – Gives parents control over personal information collected from their children on the Internet
1999 GLB – Requires financial institutions to disclose privacy policies & allow client opt-out of information sharing
2001 US Patriot Act – Enhances law enforcement investigative tools to deter & punish terrorists
2002 Sarbanes-Oxley – Requires certification of corporate financial accounting
2003 CA 1386 – Requires information protection & notification in case of compromise
Information Security Policy
Control Areas
Information Security Policies
Information Security Organization
Asset Classification and Handling
Personal Security
Physical Security
System and Operations Management Controls
General Access Controls
System Development Life Cycle
Business Continuity
Compliance, Legal and Regulatory
Management Responsibility
Senior Management must lead the way
An adequate security management
system requires:
Network Security Policy
Clearly defined roles and responsibilities
Security Implementation Plan
Acquisition of hardware/software
Plan for dealing with security breaches
Management review process (ongoing)
Management Responsibilities
Network Security Policy – management’s
statement of the importance of security at
all levels and of their commitment to
enforcement
Security Policy must define critical assets
that are to be protected
Policy must allow for rapid technological
change
Management Responsibilities
There must be frequent follow through with
employees to stress the importance of the
Security Policy
The IT and Network staff must be thoroughly
trained in security measures
Some companies may appoint a Security
Officer and a Privacy officer
Management Review may require a periodic,
outside audit to test the implementation plan
Types of Threats
Passive Security Attacks, usually non-
malicious
Eavesdropping – monitoring network
traffic
Inserting agents to listen and gather
intelligence
Difficult to detect – no “bread crumbs”
Active Security Attacks – disruptive
and/or destructive
Altering messages, masquerading, denial
of service, virus planting
Types of Threats
Altering Message Content –
to misinform;
to alter for personal gain
Masquerading – pretending to be someone
else on the network (session hi-jacking)
Denial of Service (DoS) – flooding with
useless or ICMP messages to ruin network
performance
Planting viruses – email, Trojan horses,
JAVA applets,…; usually spreads quickly
Types of Threats
Physical damage to networking
equipment or control centers
Non-malicious interruptions – power
failures, hardware/software outages,
human error
Natural Disaster – floods, bomb, …
Encryption
Problems:
Wireless transmissions easy to intercept
Wired transmissions easily tapped
WAN’s particularly susceptible to attack
Solution – encrypt all data
transmissions
Encryption – the transformation of
data into a meaningless form
Decryption – restoration of encrypted
data to its original form
Encryption
Unencrypted data is called plaintext
Encrypted data is called cipher text
Cipher, as a verb, means “to compute
arithmetically”
Encryption technology usually has
two main parts:
Mathematical encryption algorithm
User provided keys (public/private)
Algorithm can be public domain since
keys can be private
Encryption
Symmetric Encryption – decryption is
simply a reverse of the encryption (using
the same key)
Asymmetric Encryption – decryption
process is different from encryption and
usually done with different keys
Monoalphabetic Ciphers
One plaintext character is substituted for
another
The same cipher text character is always
used for each plaintext character
So simple, a child can break this code
Can be done with table lookup, simple
addition or subtraction, Boolean
functions,…
Frequency of characters makes
deciphering easier
Word lengths are preserved
Figure 17-1 Adding a binary 3 (011) to each ASCII character yields a new character.
Figure 17-2 An encrypted message using the “13” algorithm.
Polyalphabetic Cipher
Substitution, but uses a different
cipher text character each time
Vigenere cipher
Place keyword phrase over the
message
Letter of keyword above plaintext is
row of Vigenere Square to find
substitute character
Polyalphabetic Cipher
Example on pages 496-497
Only 26 permutations of letters –
Frequency of characters may render an
easy break
Transmission of keyword phrase an
issue
Figure 17-3 A Vigenère square.
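Added example (not from the slides or the textbook): the monoalphabetic and polyalphabetic slides side by side in Python. It shows the add-3 substitution being recovered by letter frequency, and the same plaintext letter mapping to several cipher text letters under Vigenère. The sample message and the keyword CABLE are constructed for illustration.

```python
from collections import Counter
import string

A = string.ascii_uppercase
# Constructed sample message; the functions expect upper-case A-Z and spaces.
PLAINTEXT = "MEET ME NEAR THE SERVER ROOM AT SEVEN"

def shift_encrypt(text, k):
    """Monoalphabetic: every letter moves k places; spaces are left alone."""
    return "".join(A[(A.index(c) + k) % 26] if c in A else c for c in text)

def vigenere(text, keyword, decrypt=False):
    """Polyalphabetic: the keyword letter above each plaintext letter picks
    the row of the square, i.e. the shift used for that one letter."""
    out, i = [], 0
    for c in text:
        if c in A:
            k = A.index(keyword[i % len(keyword)])
            out.append(A[(A.index(c) + (-k if decrypt else k)) % 26])
            i += 1
        else:
            out.append(c)
    return "".join(out)

def guess_shift(ciphertext):
    """Frequency analysis: assume the most common cipher text letter is E."""
    top = Counter(c for c in ciphertext if c in A).most_common(1)[0][0]
    return (A.index(top) - A.index("E")) % 26

def images_of(letter, plaintext, ciphertext):
    """Cipher text letters that one plaintext letter was turned into."""
    return {c for p, c in zip(plaintext, ciphertext) if p == letter}

def word_lengths(text):
    """Word lengths survive both ciphers because spaces are not encrypted."""
    return [len(w) for w in text.split()]

if __name__ == "__main__":
    mono = shift_encrypt(PLAINTEXT, 3)
    poly = vigenere(PLAINTEXT, "CABLE")
    print(mono, "-> shift recovered from frequencies:", guess_shift(mono))
    print("E under the shift cipher:", images_of("E", PLAINTEXT, mono))
    print("E under Vigenere:        ", images_of("E", PLAINTEXT, poly))
    print("word lengths preserved:  ", word_lengths(mono) == word_lengths(PLAINTEXT))
```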
Transposition Cipher
Rearrange the letters in plaintext; no
substitutions
Arrange message in a table and read
out in a different manner (column
instead of row)
Frequency of Letters still a problem
Computer can try all column and row
permutations quite quickly
Can use diagonal or spiral readout; and
can do a double or triple transposition
Bit Level Encryption
Most common method today
Apply a key (bit string) to the plaintext
bits ignoring character meanings
The bigger the key the better
XOR commonly used since it is
reversible
How do you securely communicate the
key?
Figure 17-4 Bit-level encryption/Decryption using
the XOR operation. For simplicity, only a 16-bit
substring of text and a 16-bit encryption key are used.
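Added example (not from the slides or the textbook): XOR bit-level encryption in Python, showing why it is reversible and why a short or reused key gives little protection, which is the point behind "the bigger the key the better". The 16-bit key and both messages are constructed sample values.

```python
import secrets

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every data byte with the key, repeating the key when it runs out.
    Applying the same key a second time restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def key_from_known_plaintext(ciphertext, known_prefix, key_len):
    """With a repeating key, key = cipher text XOR plaintext over the first
    key_len bytes, so any predictable header exposes the whole key."""
    return xor_bytes(ciphertext[:key_len], known_prefix[:key_len])

def reuse_leak(c1, c2):
    """Two cipher texts under one key: the key cancels, leaving p1 XOR p2."""
    return bytes(a ^ b for a, b in zip(c1, c2))

def one_time_key(message):
    """The safe end of the scale: a random key as long as the message,
    generated fresh for every message and never reused."""
    return secrets.token_bytes(len(message))

# Constructed sample data.
KEY16 = bytes([0xA5, 0x3C])          # a 16-bit key, as in the figure
MSG1 = b"PAY 100 TO ALICE"
MSG2 = b"PAY 900 TO BOB  "

if __name__ == "__main__":
    c1, c2 = xor_bytes(MSG1, KEY16), xor_bytes(MSG2, KEY16)
    print("decrypts back:", xor_bytes(c1, KEY16) == MSG1)
    print("key exposed by a known prefix:",
          key_from_known_plaintext(c1, b"PAY ", 2) == KEY16)
    # Zero bytes mark the positions where the two plaintexts are identical.
    print("key reuse leak:", reuse_leak(c1, c2).hex())
    pad = one_time_key(MSG1)
    print("one-time key round trip:", xor_bytes(xor_bytes(MSG1, pad), pad) == MSG1)
```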
DES and Triple DES
Data Encryption Standard (DES) was
developed by IBM in the 1970s
Uses a 56 bit key applied to each 64 bit block
Uses a 19 step process of substitutions and
transpositions to produce cipher text which
must be reversed
Triple DES uses 112 bit key; first 56 bits
applied; repeat with second 56 bit key; repeat
again with first 56 bit key
Key management is still a problem
Asymmetric Key Encryption
Encryption with public key; decryption
with private key known only to receiver
Public Key Encryption (PKE) developed
by MIT and marketed by RSA (Rivest,
Shamir, & Adleman Security)
Asymmetric key solves the key
management problem
Public key is the product of two very
large prime numbers
Private key is one of the prime numbers
Pretty Good Privacy (PGP)
Asymmetric Encryption for voice or
data
Widely used on the Internet
Many programs are free for the
downloading
Digital Signatures
Electronic method to ensure:
Data is from who it says it is from
Data has NOT been altered
Important for e-commerce transactions
Works whether or not the document
itself is encrypted
Digital Signatures
Sender builds the signature using a
private key
Recipient decodes the signature using
the sender’s public key
To ensure no changes to data,
messages can be hashed
Hashing calculates a unique value for
the document
Receiver re-calculates the hash and
compares to the received hash
Figure 17-6 The digital signature process.
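Added example (not from the slides or the textbook): the sign, hash and compare steps of the digital signature slides, written as textbook RSA in Python. The two key pairs are toy keys built from small known primes and the order text is constructed; real signatures use much larger keys and a padding scheme from a vetted library.

```python
import hashlib

E = 65537  # common public exponent

def make_keypair(p, q):
    """Textbook RSA from two primes: returns public (n, e), private (n, d)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))    # modular inverse, Python 3.8+
    return (n, E), (n, d)

def digest(message: bytes, n: int) -> int:
    """Hash the document; reduced mod n only because the toy key is small."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private_key):
    """Sender: build the signature from the hash using the private key."""
    n, d = private_key
    return pow(digest(message, n), d, n)

def verify(message, signature, public_key):
    """Recipient: decode the signature with the sender's public key and
    compare it with a hash re-calculated from the received data."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)

# Toy keys from known Mersenne primes (illustration only, far too small).
SENDER_PUB, SENDER_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
OTHER_PUB, OTHER_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
ORDER = b"Ship 20 units to warehouse 4"      # constructed sample document

if __name__ == "__main__":
    sig = sign(ORDER, SENDER_PRIV)
    print("genuine:         ", verify(ORDER, sig, SENDER_PUB))
    print("data altered:    ", verify(ORDER + b"0", sig, SENDER_PUB))
    print("signed by other: ", verify(ORDER, sign(ORDER, OTHER_PRIV), SENDER_PUB))
```

The document travels in the clear here, which matches the slide's point that a signature works whether or not the document itself is encrypted.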
Digital Certificates
A password protected, encrypted file that
identifies a sender and certifies their identity
Contains
Name of sender
A serial number
Expiration date
Sender’s public key
Sender’s digital signature
Allows both sender and receiver to
authenticate each other
Digital Certificates
Certificates are obtained from a
Certification Authority (CA)
CA does all the checking needed to
verify the information about the
certificate requester, including the
public key
CA establishes expiration date and has
the power to revoke a certification it
has issued
IP Security (IPSec)
Supports the secure exchange of
packets at the IP Layer (OSI 3)
Sending and receiving devices using
IPSec must share a public key
Internet Security Association and
Key Management Protocol/Oakley
(ISAKMP/Oakley) allows the receiver
to obtain the public key of the sender
IP Security (IPSec)
IPSec offers the following optional
services:
Data confidentiality (encryption end to
end)
Data integrity (authentication using a
public key)
Data origin authentication
Anti-replay (rejects duplicate packets
received)
IP Security (IPSec)
Three areas of concern: authentication, encryption
algo and key mgt
IPSec sets up a secure tunnel between peer nodes
Transport mode – encrypts payload portion
Tunnel mode – encrypts both header & payload
User defines which packets should use the secure
tunnel
Multiple IPSec tunnels can exist between two peers
to secure different data streams with different
parameters
E.g. using RSA in one and DES in another tunnel
Common use: VPN to corporate firewall; second
tunnel to server
Secure Socket Layer (SSL)
Establish a secure connection and
data transfer between Web Browser
and Web Server on a public network
Netscape developed SSL for session
authentication and negotiation of
security between point to point
clients or servers
Each authenticates the other and
then establishes an encrypted tunnel
Secure Socket Layer (SSL)
PKE used for authentication
Two sub-protocols:
SSL Handshake protocol – exchange
messages when establishing a connection
for authentication and parameter setting
SSL Record protocol –
defines the format for exchanging data.
Handles encapsulation of data from one layer
to another
Supported by Netscape and MS IE
Definitions
A virus attaches itself to, and becomes part
of, another executable program;
Viruses are often designed to exploit the file
transmission capabilities found on many
computers
A computer worm is a self-replicating
computer program, similar to a computer
virus
A worm is self-contained and does not need
to be part of another program to propagate
itself
Viruses
Usually transported to PC’s/Servers
over the network
Virus code causes the damage when
the program is executed
Program files with viruses are said to
be infected
Viruses
Some viruses become RAM resident
They change OS Service Table to
point to themselves
They execute and then branch to the
real service routine
Viruses spread in files downloaded,
attachments to email, or removable
media
Viruses
Some viruses send themselves to
everyone in your email address book
and thus spread rapidly
Anti virus programs find infected
files and either quarantine them or
fix them
Infected code is called a virus
signature
Viruses
Signatures or signature files are
downloaded to your PC’s antivirus
program from the vendor over the
Internet
This may require a subscription
Antivirus programs on all PC’s is a
must!
Network Access Control
People access data from remote
terminals
Questions that arise:
Who is really at that terminal
Is that person authorized to access data
on net?
What operations can the terminal user
perform
Could the comm. line be tapped into or
hijacked?
Network Access Control
People who try to gain unauthorized
access include:
Professional Hackers with malicious intent
Amateur Hackers just proving they can get in
Inside, disgruntled employees with a grudge
Once on net, a remote user has all the
privileges of a LAN connected
workstation
Network Access Control
Network Access Control begins with
the userid and password
Userid should be unique and meet
security standards
Passwords should change every 60
days or less and should be strong
passwords
Strong Passwords
At least seven characters in length
Use of upper and lower case
characters
One symbol inside the password
At least four different characters
Should appear like a completely
random string of characters
Network Access Control
Server software should record userid and
password (encrypted) with the date of
issuance and workstation id
More than 3 unsuccessful attempts to
login should disable the account and log
the incident for action
Callback can be used for dial in users who
remain at one phone number
Terminal handshaking could be used, but
it only authenticates the terminal
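Added example (not from the slides or the textbook): the strong-password rules and the lockout rule from the access control slides, as one Python sketch. The class and function names are hypothetical, the passwords are constructed, and a salted PBKDF2 hash stands in for the slide's "encrypted" password record.

```python
import hashlib
import hmac
import os
import string
from collections import defaultdict

def password_problems(pw):
    """Return the strong-password rules that pw breaks (empty list = passes)."""
    problems = []
    if len(pw) < 7:
        problems.append("shorter than seven characters")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs both upper and lower case")
    if not any(c in string.punctuation for c in pw[1:-1]):
        problems.append("needs a symbol inside the password")
    if len(set(pw)) < 4:
        problems.append("fewer than four different characters")
    return problems

class LoginGuard:
    MAX_FAILURES = 3                      # "more than 3" disables the account

    def __init__(self):
        self.users = {}                   # userid -> (salt, password hash)
        self.failures = defaultdict(int)
        self.disabled = set()
        self.incidents = []               # (userid, workstation, failures)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, userid, password):
        problems = password_problems(password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.users[userid] = (salt, self._hash(password, salt))

    def login(self, userid, password, workstation):
        if userid in self.disabled:
            return "disabled"             # stays locked until an admin acts
        salt, stored = self.users.get(userid, (b"\0" * 16, b""))
        if hmac.compare_digest(self._hash(password, salt), stored):
            self.failures[userid] = 0
            return "ok"
        self.failures[userid] += 1
        if self.failures[userid] > self.MAX_FAILURES:
            self.disabled.add(userid)     # disable and log the incident
            self.incidents.append((userid, workstation, self.failures[userid]))
            return "disabled"
        return "denied"
```

The last rule on the strong-password slide, looking like a random string, is not something a rule check can decide, so it is left out.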
Firewalls
A combination of hardware and
software that enforces a boundary
between two or more networks
Typically used to separate the
Internet from an in-house network
Firewall provides a single point of
entry or exit where all internetwork
traffic can be checked
Figure 17-7 A firewall at the boundary of two networks.
Firewalls
Firewall is often rule based and can
permit or deny access to specific
types of traffic
A router usually has some firewall
capabilities
A router running packet-level firewall
software can examine Layer 3 traffic
(and some aspects of Layer 4)
Firewalls
Packet filtering software permits or
denies access based on source and
destination addresses in packets
Servers can act as an application
firewall by examining data at the
application layer and permitting or
denying it
Firewalls
Proxy servers change the addresses so
that users on one network can not know
the real address of users on the other
network (e.g., NAT)
Firewalls log all activity for possible later
analysis
Firewalls in the corporate environment
should be duplicated and run in tandem
for continuous protection
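Added example (not from the slides or the textbook): a rule-based packet filter in Python that permits or denies on source address, destination address and destination port, logs each decision, and denies by default. It also includes a check for rules that can never fire because an earlier rule already covers them. The rule set is constructed and uses documentation address ranges; the function names are hypothetical.

```python
import ipaddress

# Constructed rule set: (action, source network, destination network,
# destination port or None for any port). The first matching rule wins.
RULES = [
    ("permit", "0.0.0.0/0",       "192.0.2.80/32", 80),    # public web server
    ("deny",   "203.0.113.0/24",  "0.0.0.0/0",     None),  # blocked network
    ("permit", "198.51.100.0/24", "0.0.0.0/0",     None),  # in-house hosts
    ("deny",   "203.0.113.7/32",  "192.0.2.80/32", 80),    # placed too late
]

def _nets(rule):
    return ipaddress.ip_network(rule[1]), ipaddress.ip_network(rule[2])

def decide(src, dst, port, rules=RULES, log=None):
    """Return the action of the first matching rule; deny when none match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    action, hit = "deny", None
    for i, rule in enumerate(rules):
        src_net, dst_net = _nets(rule)
        if s in src_net and d in dst_net and rule[3] in (None, port):
            action, hit = rule[0], i
            break
    if log is not None:
        log.append((src, dst, port, action, hit))   # kept for later analysis
    return action

def shadowed(rules=RULES):
    """Indexes of rules that can never fire because an earlier rule already
    matches every packet they describe."""
    out = []
    for j, later in enumerate(rules):
        ls, ld = _nets(later)
        for earlier in rules[:j]:
            es, ed = _nets(earlier)
            if (ls.subnet_of(es) and ld.subnet_of(ed)
                    and earlier[3] in (None, later[3])):
                out.append(j)
                break
    return out

if __name__ == "__main__":
    log = []
    print(decide("203.0.113.7", "192.0.2.80", 80, log=log))   # permit: rule 0 wins
    print(decide("192.0.2.1", "198.51.100.10", 22, log=log))  # deny: no rule matches
    print("rules that never fire:", shadowed())
```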
Physical Security
Mostly involves using Common
Sense
Lock down all rooms with network
equipment or servers
Use smart cards for access and
tracking
Take special precautions to protect
laptops
PDAs – think about them?
Personnel Security
Train all employees on the Security
Policy and make them aware of their
individual responsibility
Screen all new hires carefully
Use id badges or smart cards for
identification and building access
Run periodic security awareness
programs
Disaster Recovery Planning
Disaster – any long term outage that
cannot be quickly remedied (flood,
fire, earthquake,…)
Backup site with ability to cut over
the network is an ideal solution
Where do the people go? IT Staff?
Disaster Plan must be developed,
tested, refined, etc.
Needs strong backing from Mgmt.
Figure 17-8 A checklist for disaster recovery planning.
Wireless Network Security
Huge problem that requires much
more R&D
Radio signals can be intercepted by
anyone near premises
As wireless increases in popularity,
the chances for session hijacking
increase
Wireless Security – Steps to
Take
Place WAP’s away from exterior walls and
adjust signal strength to the maximum
needed within the building
Protect WAP access with strong
passwords
Use 128 bit WEP security if available
Limit access – not everyone needs it
Require wireless users to use VPN
Encrypt all transmissions
So far
Team work
Case studies and presentations
Presentation skills
Learned material in book
2 tests
Homework
Tools that we used
Visio
PowerPoint
FrontPage
Individual Case Studies
Network designs
Cable making exercise
Guest lecturer
Paper for extra credit
Class Exercise
Research 5 free network scanning tools and
provide references for their location and the
configuration requirements
Research 5 digital forensics tools and
provide description, location and use
Research information security job salaries
Research virus trend and history for the past
10 years
Give brief description of virus/worm
Page 519