Network Systems and Technologies
Lecture 10
Network Security

Version 1.0 Nov 2009                      Slide 1
This lecture:
  considers the important aspect of network
  describes types of crime that have been perpetrated over the Internet
  discusses key aspects of security
  explains technologies used to increase network security

Techniques used in security attacks

Security Policy
  What is a secure network?
    Networks cannot be classified simply as secure or not secure
    The term is not absolute
      each organization defines the level of access that is permitted or
  The precaution an organization must take to achieve a secure system is to
  define the organization's security policy
    The policy does not specify how to achieve protection
    It states clearly and unambiguously the items that are to be protected
  Security policies are complex
    They involve human behavior as well as computer/network facilities
    Assessing the costs and benefits of various security policies also adds complexity

Security Policy
  Integrity
    refers to protection from change
    Is the data that arrives at a receiver identical to the data that was
  Availability
    refers to protection against disruption of service
    Does data remain accessible for legitimate uses?
  Confidentiality
    refers to protection against unauthorized data access
    Is data protected against unauthorized access?
  Privacy
    refers to the ability of a sender to remain anonymous
    Is the sender's identity revealed?

Items That All Security Policies Should

  Item                              Explanation
  Identification & Authentication   Employ passwords or other methods to ensure that users are authorised.
  Access Control                    Stop users reaching what they are not permitted to access, unless this is expressly
  Accountability                    Make all activity on the network linked to a user identity.
  Audit Trails                      Keep an audit trail to help find out where and when there has been a breach of
  Object Reuse                      Make secure any resource that can be accessed by more than one user.
  Accuracy                          Prevent security breaches happening by
  Reliability                       Prevent users monopolising resources.
  Data Exchange                     Ensure that all communications are secure.

Security Technologies

  Technique                        Purpose
  Hashing/Encryption               Data integrity and privacy
  Digital Signatures               Message authentication
  Digital Certificates             Sender authentication
  Firewalls                        Site integrity
  Intrusion Detection Systems      Site integrity
  Virtual Private Networks (VPN)   Data privacy

Cryptography is used to guarantee data confidentiality
  A sender applies encryption to scramble the bits
    in such a way that only the intended recipient can unscramble them
  Someone who intercepts a copy of an encrypted message will not be able to extract information from it
  The terminology used with encryption defines the following:
    Plaintext       the original message before it has been encrypted
    Cyphertext      a message after it has been encrypted
    Encryption key  a short bit string used to encrypt a message
    Decryption key  a short bit string used to decrypt a message

Private/Public Key Encryption
  In a private key system
    The name arises because the key must be kept secret (private)
    Each pair of communicating entities shares a single key
      that serves as both encryption key and decryption key
    Private key systems are symmetric
      each side can send/receive messages using the same key
  A public key system assigns each entity a pair of keys
    The private key is kept secret
    The public key is published along with the name of the user
      A message encrypted with the public key cannot be decrypted except with the private key
      and a plaintext message encrypted with the private key cannot be decrypted except with the public key

Public Key Encryption
  A public key can be used to guarantee confidentiality
    Obtaining a copy of the cyphertext as it passes across the network does not enable someone to read the contents
      because decryption requires the receiver's private key

Digital Signatures
  An encryption mechanism can also be used to authenticate the sender of a message
  To sign a message
    The sender encrypts the message using a key known only to the sender
    The recipient uses the inverse function to decrypt the message
    The recipient knows who sent the message
      because only the sender has the key needed to perform the
    To ensure that encrypted messages are not copied and resent later
      the message can contain the time and date that the message was created
  If a meaningful message results from decryption
    it must be true that the message was confidential and authentic
    the message must have reached its intended recipient
      because only the intended recipient has the correct private key

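The sign-and-timestamp scheme on this slide, worked through in Go as an added example that is not part of the lecture: the sender signs the message together with its creation time using a key only she holds, the recipient checks it with her public key, and any message whose timestamp falls outside an acceptance window is rejected, so a copy resent later fails even though its signature is still valid. Modern schemes such as the ECDSA used here sign a hash rather than encrypting the whole message with the private key; the P-256 curve, the SignedMessage format and the five-minute window are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// SignedMessage is a wire format constructed for this example: the body, the
// time it was created, and the sender's signature over both.
type SignedMessage struct {
	Body      []byte
	CreatedAt int64 // Unix seconds
	Sig       []byte
}

// NewKeyPair generates the sender's private/public key pair (P-256).
func NewKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// digest binds body and creation time together, so neither the text nor the
// timestamp can be changed without invalidating the signature.
func digest(body []byte, created int64) []byte {
	h := sha256.New()
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(created))
	h.Write(ts[:])
	h.Write(body)
	return h.Sum(nil)
}

// Sign produces a message that only the holder of priv could have created.
func Sign(priv *ecdsa.PrivateKey, body []byte, now time.Time) (SignedMessage, error) {
	created := now.Unix()
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(body, created))
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{Body: body, CreatedAt: created, Sig: sig}, nil
}

// Verify identifies the sender by checking the signature with the public key,
// then rejects any message whose creation time lies outside the acceptance
// window: a copy resent later fails even though its signature is still valid.
func Verify(pub *ecdsa.PublicKey, m SignedMessage, now time.Time, window time.Duration) error {
	if !ecdsa.VerifyASN1(pub, digest(m.Body, m.CreatedAt), m.Sig) {
		return errors.New("signature invalid: altered in transit or not from this sender")
	}
	age := now.Sub(time.Unix(m.CreatedAt, 0))
	if age < -window || age > window {
		return errors.New("timestamp outside acceptance window: possible replay")
	}
	return nil
}

func main() {
	alice, _ := NewKeyPair()
	now := time.Now()
	msg, _ := Sign(alice, []byte("transfer 100 to account 42"), now) // constructed message
	window := 5 * time.Minute
	fmt.Println("fresh, unmodified:  ", Verify(&alice.PublicKey, msg, now.Add(time.Second), window))
	tampered := msg
	tampered.Body = []byte("transfer 900 to account 42")
	fmt.Println("body altered:       ", Verify(&alice.PublicKey, tampered, now.Add(time.Second), window))
	fmt.Println("replayed an hour on:", Verify(&alice.PublicKey, msg, now.Add(time.Hour), window))
}
```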
Digital Certificates
  Digital certificates allow a third party to vouch for a digital signature, rather like a passport
  The third party does the work to verify the identity of the sender
  Certificates bind an identity to a public key; a certificate has
    a data part and a signature part
    The data part: the name of an entity and the public key corresponding to that entity
    The signature part: the signature of the CA over the data part
  Certification Authorities (CAs)
    The third parties that verify and certify the identity of a sender
    Two of the most common CAs are VeriSign (which acquired Thawte) and Comodo

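What the data part and signature part buy the receiver, shown with Go's standard x509 package as an added example (not from the lecture): a constructed CA signs Bob's name and public key, and the receiver uses that key only if the signature verifies against a CA it already trusts, the certificate is within its validity period and the name is the one expected. The CA names, validity periods and the rogue CA are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewKey generates a P-256 key pair for a CA or an end entity.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// build signs the template (the data part) with the parent's private key and parses the result.
func build(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA makes a self-signed certificate for a certification authority.
func NewCA(name string, key *ecdsa.PrivateKey, now time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now,
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return build(tmpl, tmpl, &key.PublicKey, key)
}

// Issue is the CA vouching for an identity: the data part (entity name plus public key) is signed with the CA key.
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, pub *ecdsa.PublicKey, now time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    now,
		NotAfter:     now.AddDate(1, 0, 0),
	}
	return build(tmpl, ca, pub, caKey)
}

// Binding is the receiver's check: CA signature valid against a CA already trusted,
// certificate within its validity period, and the name in the data part as expected.
func Binding(cert, trustedCA *x509.Certificate, expectName string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if cert.Subject.CommonName != expectName {
		return fmt.Errorf("certificate names %q, not %q", cert.Subject.CommonName, expectName)
	}
	return nil
}

func main() {
	now := time.Now()
	caKey, _ := NewKey()
	ca, _ := NewCA("Example CA", caKey, now) // constructed CA the receiver trusts
	bobKey, _ := NewKey()
	bobCert, _ := Issue(ca, caKey, "Bob", &bobKey.PublicKey, now)
	rogueKey, _ := NewKey()
	rogue, _ := NewCA("Rogue CA", rogueKey, now) // a CA the receiver does not trust
	fmt.Println("genuine, trusted CA:  ", Binding(bobCert, ca, "Bob", now))
	fmt.Println("presented as Alice:   ", Binding(bobCert, ca, "Alice", now))
	fmt.Println("checked against rogue:", Binding(bobCert, rogue, "Bob", now))
}
```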
Public Key Encryption
  [Diagram: a Certificate Authority issues Bob's certificate and Alice's certificate (Name, Address, Cert. No.), each carrying the holder's public key.
   Alice encrypts her message to Bob with Bob's public key; Bob decrypts the message with his private key.]

Public Key Infrastructure
  [Diagram: the same CA-issued certificates for Bob and Alice.
   Alice signs her message to Bob with her private key; Bob verifies the signature with Alice's public key.]

Security Technologies
  PGP (Pretty Good Privacy)
    software that applications can use to encrypt data before transmission
  SSH (Secure Shell)
    an application-layer protocol for remote login that guarantees
      by encrypting data before transmission across the Internet
  SSL (Secure Socket Layer)
    uses encryption to provide authentication and confidentiality
    SSL software fits between an application and the socket API and encrypts data before transmitting it over the Internet
  TLS (Transport Layer Security)
    designed by the IETF as a successor to SSL
    both SSL and TLS are available for use with HTTPS

Security Technologies
  HTTPS (HTTP Security)
    combines HTTP with either SSL or TLS and a certificate mechanism
    provides users with authenticated, confidential communication
  IPsec (IP security)
    a security standard used with IP datagrams
    uses cryptographic techniques and allows the sender to choose authentication or confidentiality
  RADIUS (Remote Authentication Dial-In User Service)
    used to provide centralized authentication, authorization, and
    RADIUS is popular with ISPs that have dialup users and with VPN systems that provide access to remote users
  WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access)
    used for Wi-Fi wireless networks

IP Security Protocol (IPSec)
  Allows data to be transmitted securely over public IP-based networks such as the Internet
  Protects IP datagrams that are being sent between network devices such as PCs, routers and firewalls
  IPSec can run on a router, a firewall or a VPN client machine, depending on the particular situation
  It uses two optional IP packet headers
    Authentication Header (AH)
      authentication-only service
    Encapsulated Security Payload (ESP)
      combined authentication and encryption service
      generally used for VPNs
  Key exchange
    both manual and automated
  Why security mechanisms at higher layers?

Firewalls
  A choke point of control and monitoring
  Interconnects networks with differing trust
  Imposes restrictions on network services
    only authorized traffic is allowed
  Auditing and controlling access
    can implement alarms for abnormal behavior
  Itself immune to penetration
  Provides perimeter defence
  Classification
    Packet filtering
    Circuit gateways
    Application gateways
    A combination of the above is the dynamic packet filter

Firewalls – Packet Filters
  Simplest of components; filters on header fields:
    IP source address, destination address
    Protocol/next header (TCP, UDP, ICMP, etc.)
    TCP or UDP source and destination ports
    TCP flags (SYN, ACK, FIN, RST, PSH, etc.)
    ICMP message type
  Filtering on incoming or outgoing interfaces
    e.g., ingress filtering of spoofed IP addresses
    egress filtering
  Permits or denies certain services
    Requires intimate knowledge of TCP and UDP port utilization on a number of operating systems
  Examples
    DNS uses port 53
      No incoming port 53 packets except from known trusted servers

How to Configure a Packet Filter
  Start with a security policy
  Specify allowable packets in terms of logical expressions on packet fields
  Rewrite the expressions in the syntax supported by your
  General rules: least privilege
    All that is not expressly permitted is prohibited
    If you do not need it, eliminate it

  Example (Cisco IOS extended access list): permit TCP from any source to any destination on port 80;
  an extended list needs both a source and a destination, and everything not permitted is dropped by the implicit deny at its end

    access-list 101 permit tcp any any eq 80

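The procedure above carried through in Go as an added example that is not part of the lecture: each rule is a logical expression on the header fields a packet filter sees, rules are applied in order, and anything no rule permits is denied. The interface names, the 10.0.0.0/8 site range and the trusted DNS server address are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Packet holds the header fields the filter examines (constructed subset).
type Packet struct {
	Iface            string // interface of arrival: "ext" (Internet side) or "int" (LAN side), constructed names
	SrcIP, DstIP     string
	Proto            string // "tcp", "udp" or "icmp"
	SrcPort, DstPort int
	SYN, ACK         bool
}

// Rule is one line of the filter: a predicate on header fields and a verdict.
type Rule struct {
	Name   string
	Action string // "permit" or "deny"
	Match  func(Packet) bool
}

// Filter applies the rules in order and the first match wins. A packet that
// matches no rule is dropped: all that is not expressly permitted is prohibited.
func Filter(rules []Rule, p Packet) (action, rule string) {
	for _, r := range rules {
		if r.Match(p) {
			return r.Action, r.Name
		}
	}
	return "deny", "implicit-deny"
}

// isInternal recognises the site's own address range (constructed: 10.0.0.0/8).
func isInternal(ip string) bool { return strings.HasPrefix(ip, "10.") }

// trustedDNS lists the known servers allowed to exchange port-53 traffic with the site (constructed).
var trustedDNS = map[string]bool{"192.0.2.53": true}

// SiteRules writes the slide's policy as ordered rules.
var SiteRules = []Rule{
	// Ingress filtering: a packet from the Internet claiming an internal source address is spoofed.
	{"anti-spoof", "deny", func(p Packet) bool { return p.Iface == "ext" && isInternal(p.SrcIP) }},
	// Egress filtering: nothing leaves the LAN with a source address that is not ours.
	{"egress", "deny", func(p Packet) bool { return p.Iface == "int" && !isInternal(p.SrcIP) }},
	// Hosts on the LAN may open connections outwards.
	{"outbound", "permit", func(p Packet) bool { return p.Iface == "int" && isInternal(p.SrcIP) }},
	// No incoming port-53 packets except from known trusted servers.
	{"dns-trusted", "permit", func(p Packet) bool {
		return p.Iface == "ext" && p.Proto == "udp" && (p.SrcPort == 53 || p.DstPort == 53) && trustedDNS[p.SrcIP]
	}},
	// The slide's access-list line for HTTP: permit TCP to port 80 from any source.
	{"http", "permit", func(p Packet) bool { return p.Proto == "tcp" && p.DstPort == 80 }},
	// Replies to connections the LAN opened (ACK set, SYN clear) may come back in.
	{"established", "permit", func(p Packet) bool { return p.Iface == "ext" && p.Proto == "tcp" && p.ACK && !p.SYN }},
}

func main() {
	// Constructed sample packets, one per rule plus one that nothing permits.
	samples := []Packet{
		{"ext", "10.0.0.9", "10.0.0.1", "tcp", 4000, 80, true, false},        // spoofed internal source
		{"ext", "198.51.100.7", "10.0.0.80", "tcp", 4001, 80, true, false},   // web request
		{"ext", "198.51.100.7", "10.0.0.53", "udp", 5353, 53, false, false},  // DNS from an unknown server
		{"ext", "192.0.2.53", "10.0.0.53", "udp", 53, 53, false, false},      // DNS from a trusted server
		{"ext", "198.51.100.7", "10.0.0.80", "tcp", 4002, 23, true, false},   // telnet: no rule permits it
		{"int", "172.16.0.4", "198.51.100.7", "tcp", 4003, 443, true, false}, // leaving with a foreign source
	}
	for _, p := range samples {
		action, rule := Filter(SiteRules, p)
		fmt.Printf("%-3s %-14s -> %-14s %s/%-4d %-6s (%s)\n", p.Iface, p.SrcIP, p.DstIP, p.Proto, p.DstPort, action, rule)
	}
}
```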
Firewall Gateways
  The firewall runs a set of proxy programs
    Proxies filter incoming and outgoing packets
    All incoming traffic is directed to the firewall
    All outgoing traffic appears to come from the firewall
  Policy is embedded in the proxy programs
  Two kinds of proxies
    Application-level gateways/proxies
      Tailored to HTTP, FTP, SMTP, etc.
    Circuit-level gateways/proxies
      Working at the TCP level

Popularly known as the Demilitarized Zone (DMZ)
  A buffer area between the internal network and the outside world
  The role of a DMZ?
    A place for systems which need less protection than other systems – really a network within a network
    Operates in conjunction with the firewall

Network Architectures
  Internet Data Centre architectures – higher levels
  A high-level network architecture, like the one below, is first
  This is refined into a more detailed design in one or more
  architecture like the one on the right.
  [Diagrams not reproduced]

Bastion Host
  A highly secure host system
  Potentially exposed to "hostile" elements
  Hence is secured to withstand this
    Disable all non-required services; keep it simple
  Trusted to enforce trusted separation between network connections
  Runs circuit / application level gateways
    Install/modify the services you want
  Or provides externally accessible services

Firewalls Aren't Perfect?
  Useless against attacks from the inside
    Evildoer exists on the inside
    Malicious code is executed on an internal machine
  Organisations with greater insider threat
    Banks, military
  Protection must exist at each layer
    Assess risks of threats at every layer
  It only examines fields in a packet header
    That is, a firewall cannot test the payload of a packet
  Contents of packets are important, considering viruses
    One of the most common ways a virus is introduced into an organization is through an email attachment
  How can a site prevent problems such as the installation of a virus?
    The answer lies in content analysis

Intrusion Detection Systems (IDS)
  An IDS monitors all packets arriving at a site and notifies the site administrator if a security violation is
  An IDS provides an extra layer of security awareness
    even if a firewall prevents an attack, an IDS can notify the site administrator that a problem is
  IDSs can be configured to watch for specific types of attacks
    For example, an IDS can be configured to detect a port
  The chief difference between an IDS and a firewall is that
    an IDS includes state information
    an IDS can keep a history of packets

What can an IDS Realistically do?
  Monitor and analyse user and system activities
  Audit system and configuration vulnerabilities
  Assess the integrity of critical system and data files
  Recognise patterns reflecting known attacks
  Statistical analysis for abnormal activities
  Data trail: tracing activities from point of entry up to the point of exit
  Installation of decoy servers (honey pots)
  Installation of vendor patches (some IDS)

Dealing with Intruders
  Intruders can be external or internal
    External intruders are hackers or crackers
    Internal intruders are equally dangerous and surprisingly common
  An organisation's security policy should state what steps will be taken to handle intrusions and include
  Block and ignore
    Simplest tactic for handling intrusions
    Block the intruder and address the vulnerability
    Don't take any further action

Dealing with Intruders
  Block and investigate
    Block the intruder and address the vulnerability
    Collect evidence and try to determine the intruder's identity
    Although this may result in finding and stopping the intruder, it can be costly and time-consuming
  "Honeypot" (bait the intruder)
    Allow the intruder to access a part of your network
    Try to catch the intruder while he/she explores
    This is a potentially dangerous approach
      The intruder does have at least partial access
      Crackers may become interested in your site

Detecting Intruders
  An IDS monitors system activity in some way
    When it detects suspicious activity, it performs an
  The action is usually an alert of some type
    E-mail, cell phone, audible alert, etc. to a person or process
  All IDS systems continuously sample system activity and compare the samples to a database
    E.g. BASE (Basic Analysis and Security Engine), used with Snort to perform analysis of intrusions that Snort has detected on your

Types of IDS
  Two basic types of intrusions
    Misuse intrusion: an attack against a known
      Relatively easy to detect because the actions required for the exploit are known (called the attack signature)
      The IDS knows what an attack looks like and looks for it
    Anomaly intrusion: an attack against a new vulnerability or one using an unknown set of actions
      Relatively difficult to detect; must compare current system activity with some normal baseline of activity
  Two types of IDS that correspond to the two intrusion
    Signature based: most popular
    Knowledge based

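The two detection approaches side by side, as an added Go example that is not part of the lecture, run over constructed connection records: signature-based detection matches a known attack pattern in what each source sent, while anomaly-based detection compares each source's activity against a baseline learned from traffic believed to be clean and so catches a port scan without holding a signature for it. The record format, the sample signature and the mean-plus-three-standard-deviations baseline are assumptions of the example.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Event is one observed connection attempt (constructed record format).
type Event struct {
	Src     string
	DstPort int
	Payload string
}

// SignatureDetect is misuse detection: the IDS knows what an attack looks like (the signature) and looks for it.
func SignatureDetect(events []Event, signatures []string) []string {
	var alerts []string
	for _, e := range events {
		for _, s := range signatures {
			if strings.Contains(e.Payload, s) {
				alerts = append(alerts, fmt.Sprintf("signature: %s sent %q to port %d", e.Src, s, e.DstPort))
			}
		}
	}
	return alerts
}

// portsPerSource is the activity measure: the distinct destination ports each source contacted.
func portsPerSource(events []Event) map[string]map[int]bool {
	seen := map[string]map[int]bool{}
	for _, e := range events {
		if seen[e.Src] == nil {
			seen[e.Src] = map[int]bool{}
		}
		seen[e.Src][e.DstPort] = true
	}
	return seen
}

// Baseline learns "normal" from traffic believed clean: mean plus three standard deviations of the measure.
func Baseline(normal []Event) float64 {
	n, sum, sumSq := 0.0, 0.0, 0.0
	for _, ports := range portsPerSource(normal) {
		x := float64(len(ports))
		n, sum, sumSq = n+1, sum+x, sumSq+x*x
	}
	if n == 0 {
		return 0
	}
	mean := sum / n
	return mean + 3*math.Sqrt(math.Max(sumSq/n-mean*mean, 0))
}

// AnomalyDetect flags any source whose activity exceeds the baseline; a port scan is caught without a signature.
func AnomalyDetect(events []Event, baseline float64) []string {
	var alerts []string
	for src, ports := range portsPerSource(events) {
		if float64(len(ports)) > baseline {
			alerts = append(alerts, fmt.Sprintf("anomaly: %s contacted %d distinct ports (baseline %.1f)", src, len(ports), baseline))
		}
	}
	return alerts
}

func main() {
	// Constructed sample: clean LAN traffic, then the same plus a traversal attempt and a port scan.
	normal := []Event{{"10.0.0.5", 80, "GET / HTTP/1.1"}, {"10.0.0.5", 443, ""}, {"10.0.0.6", 80, ""}, {"10.0.0.7", 53, ""}}
	suspect := append(normal, Event{"10.0.0.6", 80, "GET /../../config HTTP/1.1"})
	for p := 20; p <= 25; p++ { // one outside host touching six ports in quick succession
		suspect = append(suspect, Event{"192.0.2.9", p, ""})
	}
	for _, a := range append(SignatureDetect(suspect, []string{"../../"}), AnomalyDetect(suspect, Baseline(normal))...) {
		fmt.Println(a)
	}
}
```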
Network-Based vs Host-Based IDS
  IDS systems are also classified by their intended locations
  A network-based IDS monitors all traffic on a network
    Can detect intrusions that cross a specific network segment
    Administrators sometimes place one inside and one outside of a firewall
    Will not see traffic that passes between LAN computers
  A host-based IDS monitors activities on hosts for
    known attacks or
    suspicious behavior
    Designed to detect attacks such as
      buffer overflow
      escalation of privilege
    Little or no view of network activities

Intrusion Prevention Systems (IPSs)
  An IDS detects and reports without preventing.
  A promising new model is developing and picking up momentum: the intrusion prevention system (IPS), whose purpose is to prevent attacks.
  IPSs fall into two categories: network-based and host-based

Network-Based IPS
  NIDSs passively detect intrusions into the network without preventing them from entering the networks
  Many organizations in recent times have been bundling IDS and firewalls to create a model that can detect and then prevent
    The IDS fronts the network with a firewall behind it.
      On detection of an attack, the IDS goes into prevention mode by altering the access control rules on the firewall.
      The action may result in the attack being blocked based on all the access control regimes administered by the

Host-Based IPS
  Host-based IPSs reside on servers and workstations; they examine application actions and calls to the system to look for anything prohibited or out of the
  A HIPS blocks suspicious executables or processes from running by default.
  It can be effective at detecting viruses attempting to infect files and Trojan horses attempting to replace files, as well as the use of attacker tools, such as rootkits, that are often delivered by malware

Wireless LAN Security
  Securing such networks is especially problematic. Since wireless transmissions are not confined inside a cable, it is very easy for an eavesdropper to listen in to them
  The eavesdropper may even perpetrate a man-in-the-middle attack, in which the user's messages can be modified without his or her realising this
  The man-in-the-middle attack is not limited to wireless networks only, but these networks are particularly vulnerable to such attacks

Wireless LAN Security
  The first security protocol that was used with WLANs was Wired Equivalent Privacy (WEP)
  WEP used 40-bit static encryption keys that were too easy to break
  Replaced by Wi-Fi Protected Access (WPA)
  WPA uses a different key for every packet of data that is transmitted
  It also checks for integrity and offers authentication of
  WPA2, the second version of WPA, uses AES encryption and is part of IEEE 802.11i, the official WLAN security standard which was agreed after
  802.11i uses the Extensible Authentication Protocol (EAP), which offers several different types of

A security strategy is implicit in the design
  Combination of techniques
  On a wider scale, Network Access Control (NAC) is the terminology being used
  The choices come down to cost (£), type of filtering and how easy it is to apply updates to security

Network Access Control
  controls access to network resources
  users are authenticated and authorized based on the client's identity and compliance with corporate governance policy
  endpoint security assessment
    check of the user's access device
  access control
    granting, or restricting, admission to the network according to set policy
    define granular levels of network access based on who a client is

Network Access Control
  NAC infrastructure using NAC technology/boxes
    DHCP is one way of doing NAC
  Enforce where someone can use the network
  Vendors:
    Cisco NAC appliance
    Microsoft NAP may be part of the new MS operating system
    Juniper UAC
    Symantec NAC
  Recent news
    Computing or Computing Weekly
      Do a search yourself
    Nevisnetworks – interesting
    The case for NAC based on DHCP flaws with Microsoft?