NST
Network Systems and Technologies
(NST)
Lecture 10
Network Security
Version 1.0 Nov 2009 Slide 1
Content
considers the important aspect of network
security
describes types of crime that have been
perpetrated over the Internet
discusses key aspects of security
explains technologies used to increase
network security
Version 1.0 Nov 2009 Slide 2
Techniques used in security attacks
Version 1.0 Nov 2009 Slide 4
Security Policy
What is a secure network?
Networks cannot be classified simply as secure or not secure
The term is not absolute
each organization defines the level of access that is permitted or
denied
The first precaution an organization must take to achieve a secure system is
to define the organization's security policy
The policy does not specify how to achieve protection
It states clearly and unambiguously the items that are to be protected
Security policies are complex
They involve human behavior as well as computer/network facilities
Assessing the costs and benefits of various security policies also
adds complexity
Version 1.0 Nov 2009 Slide 5
Security Policy
Integrity
refers to protection from change
Is the data that arrives at a receiver identical to the data that was
sent?
Availability
refers to protection against disruption of service
Does data remain accessible for legitimate uses?
Confidentiality
refers to protection against unauthorized data access
Is data protected against unauthorized access?
Privacy
refers to the ability of a sender to remain anonymous
Is the sender's identity revealed?
Version 1.0 Nov 2009 Slide 6
Items That All Security Policies Should Cover
Item: Explanation
Identification & Authentication: Employ passwords or other methods to ensure that users are authorised.
Access Control: Stop users reaching what they are not permitted to access, unless this is expressly allowed.
Accountability: Make all activity on the network linked to a user identity.
Audit Trails: Keep an audit trail to help find out where and when there has been a breach of security.
Object Reuse: Make secure any resource that can be accessed by more than one user.
Accuracy: Prevent security breaches happening by accident.
Reliability: Prevent users monopolising resources.
Data Exchange: Ensure that all communications are secure.
Version 1.0 Nov 2009 Slide 7
Security Technologies
Technique: Purpose
Hashing/Encryption: Data integrity and privacy
Digital Signatures: Message authentication
Digital Certificates: Sender authentication
Firewalls: Site integrity
Intrusion Detection Systems: Site integrity
Virtual Private Networks (VPN): Data privacy
Version 1.0 Nov 2009 Slide 8
Encryption
Cryptography is used to guarantee data confidentiality
A sender applies encryption to scramble the bits
in such a way that only the intended recipient can unscramble
them
Someone who intercepts a copy of an encrypted
message will not be able to extract information
The terminology used with encryption defines the following:
Plaintext: the original message before it has been encrypted
Cyphertext: a message after it has been encrypted
Encryption key: a short bit string used to encrypt a message
Decryption key: a short bit string used to decrypt a message
Version 1.0 Nov 2009 Slide 9
Private/Public Key Encryption
In a private key system
The name arises because the key must be kept secret (private)
Each pair of communicating entities shares a single key
that serves as both the encryption key and the decryption key
Private key systems are symmetric
each side can send/receive messages using the same key
A public key system assigns each entity a pair of keys
The private key is kept secret
The public key is published along with the name of the user
A message encrypted with the public key cannot be decrypted
except with the private key
and a plaintext message encrypted with the private key cannot be
decrypted except with the public key
Version 1.0 Nov 2009 Slide 10
Public Key Encryption
Public key encryption can be used to guarantee confidentiality
Obtaining a copy of the cyphertext as it passes across the network
does not enable someone to read the contents
because decryption requires the receiver's private key
Version 1.0 Nov 2009 Slide 11
Digital Signatures
An encryption mechanism can also be used to authenticate the sender of
a message
To sign a message
Sender encrypts the message using a key known only to the sender
The recipient uses the inverse function to decrypt the message
The recipient knows who sent the message
because only the sender has the key needed to perform the
encryption
To ensure that encrypted messages are not copied and resent later
the message can contain the time and date that the message
was created
If a meaningful message results from decryption
it must be true that the message was confidential and authentic
the message must have reached its intended recipient
because only the intended recipient has the correct private key
Version 1.0 Nov 2009 Slide 12
Digital Certificates
Digital certificates allow a third party to vouch for a
digital signature, much as a passport vouches for an identity
The third party does the work to verify the identity of
the sender
Certificates bind an identity to a public key and consist of
a data part and a signature part.
The data: the name of an entity, the public key
corresponding to that entity
The signature part consists of the signature of CA over the
data part.
Certification Authorities
The third parties that verify and certify the identity of a sender
Two of the most common CAs are VeriSign (which acquired
Thawte) and Comodo
Version 1.0 Nov 2009 Slide 13
Public Key Encryption
Figure: a Certificate Authority issues Bob's Certificate and Alice's Certificate, each carrying Name, Address, Cert. No. and the holder's public key. Alice encrypts a message (To: Bob, From: Alice) with Bob's public key; Bob decrypts the message with his private key.
Version 1.0 Nov 2009 Slide 14
Public Key Infrastructure
Figure: the same Certificate Authority, Bob's Certificate and Alice's Certificate as on the previous slide. Alice signs a message (To: Bob, From: Alice) with her private key; Bob verifies the signature with Alice's public key.
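The three uses of a key pair shown on the last few slides (encrypt with Bob's public key, sign with Alice's private key, and a certificate whose signature part is the CA's signature over the data part) can be walked through end to end with textbook RSA. The block below is an added example, not code from the lecture; the primes are well-known published primes chosen so it runs offline, the names Alice, Bob and the CA are the slides' own, and the message timestamp is constructed. It is a teaching toy, not a replacement for a vetted cryptographic library.

```python
# Added example, not from the lecture slides: textbook RSA used three ways,
# mirroring the slides' description of public-key encryption, digital
# signatures and certificates. The primes are well-known published primes
# chosen so the block runs offline; they are NOT secret and this is a
# teaching toy, not a substitute for a vetted cryptographic library.
import hashlib
import json

E = 65537  # common public exponent


def make_keypair(p: int, q: int, e: int = E):
    """Textbook RSA keypair from two primes. Returns ((e, n), (d, n))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(pub, plaintext: bytes) -> int:
    """Confidentiality: encrypt with the receiver's public key."""
    e, n = pub
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("plaintext block must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(priv, cyphertext: int) -> bytes:
    """Only the holder of the matching private key can reverse encrypt()."""
    d, n = priv
    m = pow(cyphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def digest(data: bytes, n: int) -> int:
    """SHA-256 of the data, reduced so it fits under the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    """Signature: the sender transforms the digest with a key only it holds."""
    d, n = priv
    return pow(digest(data, n), d, n)


def verify(pub, data: bytes, signature: int) -> bool:
    """Anyone with the public key can check it; a changed message fails."""
    e, n = pub
    return pow(signature, e, n) == digest(data, n)


def _encode(data: dict) -> bytes:
    # Canonical encoding so signer and verifier hash identical bytes.
    return json.dumps(data, sort_keys=True).encode()


def issue_certificate(ca_priv, subject_name: str, subject_pub) -> dict:
    """Certificate = data part (name + public key) + CA signature over it."""
    data = {"name": subject_name, "public_key": list(subject_pub)}
    return {"data": data, "signature": sign(ca_priv, _encode(data))}


def check_certificate(ca_pub, cert: dict) -> bool:
    return verify(ca_pub, _encode(cert["data"]), cert["signature"])


# Constructed keys: a certification authority, Alice (sender) and Bob (receiver).
CA_PUB, CA_PRIV = make_keypair(1_000_000_007, 998_244_353)
ALICE_PUB, ALICE_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**107 - 1, 2**127 - 1)


def demo() -> dict:
    # 1. Confidentiality: whoever copies c off the wire learns nothing without BOB_PRIV.
    c = encrypt(BOB_PUB, b"Hello Bob")
    # 2. Authenticity: Alice signs a message that carries its creation time, so a
    #    copy resent later can be recognised as stale (constructed timestamp).
    msg = b"Transfer 10 pounds to Carol|2009-11-01T10:00:00Z"
    sig = sign(ALICE_PRIV, msg)
    # 3. Trust: the CA vouches for Alice's key; Bob checks the certificate before
    #    trusting ALICE_PUB. A certificate with an edited name no longer verifies.
    cert = issue_certificate(CA_PRIV, "Alice", ALICE_PUB)
    forged = {"data": dict(cert["data"], name="Mallory"), "signature": cert["signature"]}
    return {
        "recovered": decrypt(BOB_PRIV, c),
        "signature_valid": verify(ALICE_PUB, msg, sig),
        "tampered_valid": verify(ALICE_PUB, msg.replace(b"10", b"90"), sig),
        "wrong_key_valid": verify(BOB_PUB, msg, sig),
        "cert_valid": check_certificate(CA_PUB, cert),
        "forged_cert_valid": check_certificate(CA_PUB, forged),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running `demo()` shows each property the slides claim: the cyphertext decrypts only under Bob's private key, the signature verifies under Alice's public key but not for an altered message or a different key, and the certificate verifies only while its data part is untouched. The timestamp inside the signed message is what lets a receiver reject a replayed copy; the signature alone cannot distinguish a fresh message from an old one.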
Version 1.0 Nov 2009 Slide 15
Security Technologies
PGP (Pretty Good Privacy)
a package that applications can use to encrypt data before transmission
SSH (Secure Shell)
an application-layer protocol for remote login that guarantees
confidentiality
by encrypting data before transmission across the Internet
SSL (Secure Sockets Layer)
uses encryption to provide authentication and confidentiality
SSL software fits between an application and the socket API
and encrypts data before transmitting over the Internet
TLS (Transport Layer Security)
designed by the IETF as a successor to SSL
both SSL and TLS are available for use with HTTPS
Version 1.0 Nov 2009 Slide 16
Security Technologies
HTTPS (HTTP Security)
combines HTTP with either SSL or TLS and a certificate mechanism
provides users with authenticated, confidential communication
IPsec (IP security)
a security standard used with IP datagrams
uses cryptographic techniques
and allows the sender to choose authentication or confidentiality
RADIUS (Remote Authentication Dial-In User Service)
used to provide centralized authentication, authorization, and
accounting
RADIUS is popular with ISPs that have dialup users and with VPN
systems that provide access to remote users
WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access)
used to secure Wi-Fi wireless networks
Version 1.0 Nov 2009 Slide 17
IP Security Protocol (IPSec)
Allows data to be transmitted securely over public IP-based
networks such as the Internet
Protects IP datagrams that are being sent between network
devices such as PCs, routers and firewalls
IPSec can run on a router, a firewall or a VPN client machine,
depending on the particular situation
It uses two optional IP packet headers
Authentication Header (AH)
authentication only service
Encapsulated Security Payload (ESP)
combined authentication & encryption service
generally used for VPNs
key exchange
both manual and automated
Why security mechanisms at higher layers?
Version 1.0 Nov 2009 Slide 18
Firewall
A choke point of control and monitoring
Interconnects networks with differing trust
Imposes restrictions on network services
only authorized traffic is allowed
Auditing and controlling access
can implement alarms for abnormal behavior
Must itself be immune to penetration
Provides perimeter defence
Classification
Packet filtering
Circuit gateways
Application gateways
A combination of the above is a dynamic packet filter
Version 1.0 Nov 2009 Slide 19
Firewalls – Packet Filters
The simplest of the components; it filters on header fields such as
IP Source Address, Destination Address
Protocol/Next Header (TCP, UDP, ICMP, etc)
TCP or UDP source & destination ports
TCP Flags (SYN, ACK, FIN, RST, PSH, etc)
ICMP message type
Filtering with incoming or outgoing interfaces
E.g., Ingress filtering of spoofed IP addresses
Egress filtering
Permits or denies certain services
Requires intimate knowledge of TCP and UDP port utilization on a
number of operating systems
Examples
DNS uses port 53
No incoming port 53 packets except known trusted servers
Version 1.0 Nov 2009 Slide 20
How to Configure a Packet Filter
Start with a security policy
Specify allowable packets in terms of logical
expressions on packet fields
Rewrite expressions in syntax supported by your
vendor
General rules - least privilege
All that is not expressly permitted is prohibited
If you do not need it, eliminate it
access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80
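The configuration recipe on this slide (start from the policy, express the allowed packets as logical expressions on header fields, deny everything not expressly permitted) and the packet-filter fields from the previous slide can be exercised in a few dozen lines. The block below is an added example, not the lecturer's code or any vendor's syntax: its rule list encodes the slide's ACL line (permit TCP from 63.36.9.0/24 to any host on port 80), the ingress filtering of spoofed addresses and the "no incoming port 53 except from known trusted servers" example. The interface names, the internal prefix 10.0.0.0/8, the trusted resolver address and the sample packets are all constructed for the example.

```python
# Added example, not from the lecture slides: a small packet filter written the
# way the slide recommends, starting from the policy, expressing allowed packets
# as predicates on header fields, and denying everything not expressly permitted.
# The rule set is constructed: it encodes the slide's ACL line (permit TCP from
# 63.36.9.0/24 to any host, port 80), ingress filtering of spoofed internal
# addresses, and "no incoming port 53 except from known trusted servers".
# Interface names, the internal prefix and the trusted resolver are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

INTERNAL_NET = "10.0.0.0/8"     # constructed site prefix
TRUSTED_DNS = "192.0.2.53/32"   # constructed trusted resolver (documentation address)


@dataclass(frozen=True)
class Packet:
    iface: str                  # interface the packet arrived on: "outside" or "inside"
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()   # TCP flags present, e.g. {"SYN"}


@dataclass(frozen=True)
class Rule:
    """A field left as None means the rule does not test that field."""
    action: str                 # "permit" or "deny"
    note: str
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None   # CIDR prefix
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: Optional[FrozenSet[str]] = None   # all listed flags must be set

    def matches(self, p: Packet) -> bool:
        return all([
            self.iface is None or self.iface == p.iface,
            self.proto is None or self.proto == p.proto,
            self.src is None or ip_address(p.src) in ip_network(self.src),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst),
            self.sport is None or self.sport == p.sport,
            self.dport is None or self.dport == p.dport,
            self.flags is None or self.flags <= p.flags,
        ])


# First matching rule wins; a packet matching none is denied (least privilege).
RULES: List[Rule] = [
    Rule("deny", "ingress filter: internal source address arriving from outside",
         iface="outside", src=INTERNAL_NET),
    Rule("permit", "DNS replies from the trusted resolver",
         iface="outside", proto="udp", src=TRUSTED_DNS, sport=53),
    Rule("deny", "no other incoming port 53 traffic", iface="outside", proto="udp", sport=53),
    Rule("deny", "no other incoming port 53 traffic", iface="outside", proto="udp", dport=53),
    Rule("permit", "access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80",
         iface="outside", proto="tcp", src="63.36.9.0/24", dport=80),
    Rule("permit", "egress filter: only internal sources may leave",
         iface="inside", src=INTERNAL_NET),
]


def filter_packet(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.note
    return "deny", "default deny: not expressly permitted"


# Constructed sample traffic using documentation prefixes, not real hosts.
SAMPLE_PACKETS = [
    Packet("outside", "tcp", "63.36.9.10", "10.0.0.5", 40000, 80, frozenset({"SYN"})),
    Packet("outside", "tcp", "63.36.9.10", "10.0.0.5", 40001, 22, frozenset({"SYN"})),
    Packet("outside", "tcp", "10.1.2.3", "10.0.0.5", 40002, 80, frozenset({"SYN"})),
    Packet("outside", "udp", "192.0.2.53", "10.0.0.5", 53, 5353),
    Packet("outside", "udp", "198.51.100.7", "10.0.0.5", 53, 5353),
    Packet("inside", "udp", "10.0.0.5", "192.0.2.53", 5353, 53),
    Packet("inside", "tcp", "172.16.0.9", "203.0.113.8", 40003, 80, frozenset({"SYN"})),
]


def decisions(packets=SAMPLE_PACKETS) -> List[str]:
    return [filter_packet(p)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p.iface, p.proto, f"{p.src}:{p.sport} -> {p.dst}:{p.dport}", *filter_packet(p))
```

The note on each rule is the policy statement it implements, which keeps the rule set reviewable against the written policy. Note that the packet with an internal source address arriving on the outside interface is dropped by the first rule even though it would otherwise match the port-80 permit, which is why ingress filtering is placed ahead of the service rules.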
Version 1.0 Nov 2009 Slide 21
Firewall Gateways
Firewall runs set of proxy programs
Proxies filter incoming, outgoing packets
All incoming traffic directed to firewall
All outgoing traffic appears to come from firewall
Policy embedded in proxy programs
Two kinds of proxies
Application-level gateways/proxies
Tailored to http, ftp, smtp, etc.
Circuit-level gateways/proxies
Working on TCP level
Version 1.0 Nov 2009 Slide 22
Zones
Popularly known as Demilitarized Zone (DMZ)
A buffer area between the internal network and the
outside world
The role of a DMZ?
A place for systems which need less protection than
other systems – really a network within a network
Operates in conjunction with Firewall
Further reading for this week
Version 1.0 Nov 2009 Slide 23
Network Architectures
Internet Data Centre architectures – higher levels
A high-level network architecture (figure not reproduced here) is designed first.
This is refined into a more detailed design in one or more architectures (figure not reproduced here).
Version 1.0 Nov 2009 Slide 24
Bastion Host
Highly secure host system
Potentially exposed to "hostile" elements
Hence is secured to withstand this
Disable all non-required services; keep it simple
Trusted to enforce trusted separation between network connections
Runs circuit / application level gateways
Install/modify services you want
Or provides externally accessible services
Version 1.0 Nov 2009 Slide 25
Firewalls Aren’t Perfect?
Useless against attacks from the inside
An evildoer exists on the inside
Malicious code is executed on an internal machine
Organisations with greater insider threat
Banks, Military
Protection must exist at each layer
Assess risks of threats at every layer
It only examines fields in a packet header;
that is, a firewall cannot test the payload of a packet
Contents of packets are important, considering viruses
One of the most common ways a virus is introduced into an
organization is through an email attachment
How can a site prevent problems such as the installation of a virus?
The answer lies in content analysis
Version 1.0 Nov 2009 Slide 26
Intrusion Detection Systems (IDS)
An IDS monitors all packets arriving at a site
and notifies the site administrator if a security violation is
detected
An IDS provides an extra layer of security awareness
even if a firewall prevents an attack
an IDS can notify the site administrator that a problem is
occurring
IDSs can be configured to watch for specific types of attacks
For example, an IDS can be configured to detect port
scanning
The chief difference between an IDS and a firewall is that
an IDS includes state information
an IDS can keep a history of packets
Version 1.0 Nov 2009 Slide 27
What can IDS Realistically do?
Monitor and analyse user and system activities
Auditing of system and configuration vulnerabilities
Assess integrity of critical system and data files
Recognition of pattern reflecting known attacks
Statistical analysis for abnormal activities
Data trail, tracing activities from point of entry up to the
point of exit
Installation of decoy servers (honey pots)
Installation of vendor patches (some IDS)
Version 1.0 Nov 2009 Slide 28
Dealing with Intruders
Intruders can be external or internal
External intruders are hackers or crackers
Internal intruders are equally dangerous and
surprisingly common
An organisation’s security policy should state what
steps will be taken to handle intrusions and include
Block and ignore
Simplest tactic for handling intrusions
Block the intruder and address the vulnerability
Don’t take any further action
Version 1.0 Nov 2009 Slide 29
Dealing with Intruders
Block and investigate
Block the intruder and address the vulnerability
Collect evidence and try to determine the intruder’s identity
Although this may result in finding and stopping the intruder, it
can be costly and time-consuming
“Honeypot” (bait the intruder)
Allow the intruder to access a part of your network
Try to catch the intruder while he/she explores
This is a potentially dangerous approach
The intruder does have at least partial access
Crackers may become interested in your site
Version 1.0 Nov 2009 Slide 30
Detecting Intruders
An IDS monitors system activity in some way
When it detects suspicious activity, it performs an
action
The action is usually an alert of some type
E-mail, cell phone, audible alert, etc. to
a person or process
All IDS systems continuously sample system activity and
compare the samples to a database
E.g. BASE (Basic Analysis and Security Engine), used with SNORT,
performs analysis of intrusions that Snort has detected on your
network
Version 1.0 Nov 2009 Slide 31
Types of IDS
Two basic types of intrusions
Misuse intrusion: an attack against a known
vulnerability
Relatively easy to detect because the actions required for the
exploit are known (called the attack signature)
IDS knows what an attack looks like and looks for it.
Anomaly intrusion: an attack against a new
vulnerability or one using an unknown set of actions
Relatively difficult to detect, must compare current system
activity with some normal baseline of activity
Two types of IDS that correspond to the two intrusion
types
Signature based – most popular
Knowledge based
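The contrast on this slide, and the earlier point that an IDS differs from a firewall by keeping state and a history of packets, can be made concrete with a small detection engine. The block below is an added example, not Snort, BASE or any product: it runs a signature check (the attack's fingerprint is known in advance) and an anomaly check (per-source history compared with a baseline of how many distinct ports a normal client touches per minute, which is how the port-scan detection mentioned earlier works) over constructed packet summaries. The signature table, the threshold, the window and the sample traffic are all assumptions made for the example.

```python
# Added example, not from the lecture slides: a minimal IDS core showing the two
# detection styles the slide contrasts. Signature detection matches packet
# payloads against known attack patterns; anomaly detection keeps per-source
# state (the packet history the slides mention) and compares it with a baseline
# of normal behaviour, here "a client talks to few distinct ports per minute".
# Signatures, thresholds and the sample traffic are constructed for the example.
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

# Constructed signature table: name -> byte pattern that identifies a known attack.
SIGNATURES: Dict[str, bytes] = {
    "http-directory-traversal": b"../../",
}


class IDS:
    def __init__(self, window_seconds: float = 60.0, port_threshold: int = 10):
        self.window = window_seconds
        self.port_threshold = port_threshold     # baseline: normal clients stay below this
        self.history: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)
        self.flagged: Set[str] = set()           # sources already reported as scanning

    def observe(self, t: float, src: str, dport: int, payload: bytes = b"") -> List[str]:
        """Feed one packet summary; return the alerts it raised (possibly none)."""
        alerts: List[str] = []
        # Misuse (signature) detection: the attack's fingerprint is known in advance.
        for name, pattern in SIGNATURES.items():
            if pattern in payload:
                alerts.append(f"signature:{name} from {src}")
        # Anomaly detection: remember recent (time, port) pairs per source, forget
        # anything older than the window, and compare against the baseline.
        hist = self.history[src]
        hist.append((t, dport))
        while hist and t - hist[0][0] > self.window:
            hist.popleft()
        distinct_ports = {port for _, port in hist}
        if len(distinct_ports) > self.port_threshold and src not in self.flagged:
            self.flagged.add(src)
            alerts.append(
                f"anomaly:port-scan from {src} ({len(distinct_ports)} ports in {self.window:.0f}s)"
            )
        return alerts


def constructed_traffic() -> List[Tuple[float, str, int, bytes]]:
    """Constructed packet summaries: (time, source, destination port, payload)."""
    events = []
    # A normal web client: two ports, spread over three minutes.
    for i in range(20):
        events.append((i * 10.0, "10.0.0.5", 443 if i % 2 else 80, b"GET /index.html"))
    # A scan: fifteen distinct ports from one source within three seconds.
    for port in range(1, 16):
        events.append((100.0 + port * 0.2, "198.51.100.9", port, b""))
    # One request carrying a known attack pattern.
    events.append((150.0, "203.0.113.4", 80, b"GET /../../private.txt"))
    return sorted(events)


def run(events=None) -> List[str]:
    ids = IDS()
    alerts: List[str] = []
    for t, src, dport, payload in (events if events is not None else constructed_traffic()):
        alerts.extend(ids.observe(t, src, dport, payload))
    return alerts


if __name__ == "__main__":
    for line in run():
        print(line)
```

The signature branch needs no memory: one packet either contains the pattern or it does not. The anomaly branch cannot decide on one packet at all; it only raises an alert once the per-source history crosses the baseline, which is the state-keeping that distinguishes an IDS from a packet filter. The normal client, which revisits the same two ports, never trips either check.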
Version 1.0 Nov 2009 Slide 32
Network-Based Vs Host-Based IDS
IDS systems are also classified by their intended locations
A network-based IDS monitors all traffic on a network
segment
Can detect intrusions that cross a specific network segment
Administrators sometimes place one inside and one outside
of a firewall
Will not see traffic that passes between LAN computers
Host-based IDS monitors activities on hosts for
Known attacks or
Suspicious behavior
Designed to detect attacks such as
Buffer overflow
Escalation of privilege
Little or no view of network activities
Version 1.0 Nov 2009 Slide 33
Intrusion Prevention Systems (IPSs)
IDS detects and reports without preventing.
A promising new model of intrusion handling is developing and
picking up momentum: the intrusion prevention system (IPS),
whose purpose is to prevent attacks.
IPSs fall into two categories: network-based and host-based.
Version 1.0 Nov 2009 Slide 34
Network-Based IPS
NIDSs passively detect intrusions into the network
without preventing them from entering the network.
Many organizations in recent times have been
bundling IDS and firewalls to create a model that
can detect and then prevent.
The IDS fronts the network with a firewall behind it.
On detection of an attack, the IDS goes into
prevention mode by altering the access control rules
on the firewall. The action may result in the attack
being blocked, based on all the access control regimes
administered by the firewall.
Version 1.0 Nov 2009 Slide 35
Host-Based IPS
Host-based IPSs reside on servers and workstations;
they examine application actions and calls to the
system to look for anything prohibited or out of the
ordinary
HIPS blocks suspicious executables or processes
from running by default.
HIPS can be effective at detecting viruses attempting to
infect files and Trojan horses attempting to replace
files, as well as the use of attacker tools, such as
rootkits, that often are delivered by malware
Version 1.0 Nov 2009 Slide 36
Wireless LAN Security
Securing such networks is especially
problematic. Since wireless transmissions are
not confined inside a cable, it is very easy for an
eavesdropper to listen in to them
The eavesdropper may even perpetrate a man-
in-the-middle attack, in which the user’s
messages can be modified without his or her
realising this
The man-in-the-middle attack is not limited to
wireless networks only, but these networks are
particularly vulnerable to such attacks
Version 1.0 Nov 2009 Slide 37
Wireless LAN Security
The first security protocol that was used with WLANs
was Wired Equivalent Privacy (WEP)
WEP used 40-bit static encryption keys that were too
easy to break
Replaced by Wi-Fi Protected Access (WPA)
WPA uses a different key for every packet of data that
is transmitted
It also checks for integrity and offers authentication of
clients
WPA2, the second version of WPA, uses AES
encryption and is part of IEEE 802.11i, the official
WLAN security standard, which was agreed after
WPA2
802.11i uses the Extensible Authentication Protocol
(EAP), which offers several different types of
authentication
Version 1.0 Nov 2009 Slide 38
Summary
A security strategy implicit in the design
Combination of techniques
On a wider scale Network Access Control (NAC)
is the terminology being used
The choices come down to cost (£), type of filtering and
how easy it is to apply security updates
Version 1.0 Nov 2009 Slide 39
NAC
controls access to network resources
users are authenticated and authorized based on
client’s identity and compliance with corporate
governance policy
endpoint security assessment
check of the user's access device
access control
granting - or restricting - admission to the network
according to set policy
define granular levels of network access based on
who a client is
Version 1.0 Nov 2009 Slide 40
NAC
Network Access Control
NAC infrastructure using NAC technology/boxes
DHCP is one way of doing NAC
Enforce where someone can use the network
Vendors (links provided to relevant info):
Cisco NAC appliance
Microsoft NAP may be part of new MS operating system
Juniper UAC
Symantec NAC
Recent news
Computing or Computing Weekly
Do a search yourself
Nevisnetworks – interesting
The case for NAC based on DHCP flaws with Microsoft?
Version 1.0 Nov 2009 Slide 41