View
229
Download
0
Tags:
Embed Size (px)
Citation preview
7: Network Security 1
Chapter 7: Network security –Author?Foundations: what is security? cryptography authentication message integrity key distribution and certification
Security in practice: application layer: secure e-mail transport layer: Internet commerce, SSL, SET network layer: IP security
7: Network Security 2
Importance of Network Security? Think about…
The most private, embarrassing or valuable piece of information you’ve ever stored on a computer
How much you rely on computer systems to be available when you need them
The degree to which you question whether a piece of email really came from the person listed in the From field
How convenient it is to be able to access private information online (e.g. buy without entering all data, look up your transcript without requesting a copy,…)
7: Network Security 3
Importance of Network Security Society is becoming increasingly reliant
on the correct and secure functioning of computer systems Medical records, financial transactions, etc.
It is our jobs as professional computer scientists: To evaluate the systems we use to
understand their weaknesses To educate ourselves and others to be wise
network consumers To design networked systems that are
secure
7: Network Security 4
Overview of Attacks and responses
Probably from: James Kurose & Keith Ross; Computer Networking: A Top-Down Approach Featuring the Internet, 3rd Edition, Addison Wesley, 2005, ISBN: 0-321- 22735-2. Copyright 1996-2005 J.F Kurose and K.W. Ross, All Rights Reserved Acknowledgments
7: Network Security 5
Taxonomy of Attacks (1)
Process based model to classify methods of attack
Passive: Interception: attacks confidentiality.
a.k.a., eavesdropping, “man-in-the-middle” attacks. Traffic Analysis: attacks confidentiality, or
anonymity.Can include traceback on a network, CRT radiation.
Active: Interruption: attacks availability.
(a.k.a., denial-of-service attacks Modification: attacks integrity. Fabrication: attacks authenticity.
7: Network Security 6
Taxonomy of Attacks (2)
‘Result of the attack’ taxonomy Increased Access the quest for root Disclosure of Information credit card numbers Corruption of Information changing grades, etc Denial of Service self explanatory Theft of Resources stealing accounts,
bandwidth
7: Network Security 7
Fundamentals of Defense
Cryptography Restricted Access
Restrict physical access, close network ports, isolate from the Internet, firewalls, NAT gateways, switched networks
Monitoring Know what normal is and watch for
deviations Heterogeneity/Randomness
Variety of Implementations, Random sequence numbers, Random port numbers
7: Network Security 8
Fundamentals of Defense
Cryptography: the study of mathematical techniques related to information security that have the following objectives:IntegrityNon-repudiationConfidentialityAuthentication
7: Network Security 9
Objectives of Cryptography
Integrity : ensuring information has not been altered by unauthorized or unknown means Integrity makes it difficult for a third party to
substitute one message for another. It allows the recipient of a message to verify it
has not been modified in transit. Nonrepudiation : preventing the denial of
previous commitments or actions makes it difficult for the originator of a
message to falsely deny later that they were the party that sent the message.
E.g., your signature on a document.
7: Network Security 10
Objectives of Cryptography
Secrecy/Confidentiality : ensuring information is accessible only by authorized persons Traditionally, the primary objective of cryptography. E.g. encrypting a message
Authentication : corroboration of the identity of an entity allows receivers of a message to identify its origin makes it difficult for third parties to masquerade as
someone else e.g., your driver’s license and photo authenticates
your image to a name, address, and birth date.
7: Network Security 11
Security Services
Authorization Access Control Availability Anonymity Privacy Certification Revocation
7: Network Security 12
Security Services
Authorization: conveyance of official sanction to do or be something to another entity. Allows only entities that have been authenticated
and who appear on an access list to utilize a service. E.g., your date of birth on your driver’s license
authorizes you to drink as someone who is over 21.
Access Control: restricting access to resources to privileged entities. ensures that specific entities may perform specific
operations on a secure object. E.g. Unix access control for files (read, write, execute
for owner, group, world)
7: Network Security 13
Security Services
Availability: ensuring a system is available to authorized entities when needed ensures that a service or information is
available to an (authorized) user upon demand and without delay.
Denial-of-service attacks seek to interrupt a service or make some information unavailable to legitimate users.
7: Network Security 14
Security Services
Anonymity : concealing the identity of an entity involved in some process Concealing the originator of a message
within a set of possible entities.• The degree of anonymity of an entity is the sum
chance that everyone else in the set is the originator of the message.
• Anonymity is a technical means to privacy.
Privacy: concealing personal information, a form of confidentiality.
7: Network Security 15
Security Services
Certification: endorsement of information by a trusted entity.
Revocation: retraction of certification or authorization
Certification and Revocation Just as important as certifying an entity, we
need to be able to take those rights away, in case the system is compromised, we change policy, or the safety that comes from a “refresh”.
7: Network Security 16
Friends and enemies: Alice, Bob, Trudy
well-known in network security world Bob, Alice want to communicate “securely” Trudy, the “intruder” may intercept, delete, add
messages
Figure 7.1 goes here
7: Network Security 17
What is network security?
Secrecy: only sender, intended receiver should “understand” msg contents sender encrypts msg receiver decrypts msg
Authentication: sender, receiver want to confirm identity of each other
Message Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection
7: Network Security 18
Internet security threatsPacket sniffing:
broadcast media promiscuous NIC reads all packets passing by can read all unencrypted data (e.g. passwords) e.g.: C sniffs B’s packets
A
B
C
src:B dest:A payload
7: Network Security 19
Internet security threatsIP Spoofing:
can generate “raw” IP packets directly from application, putting any value into IP source address field
receiver can’t tell if source is spoofed e.g.: C pretends to be B
A
B
C
src:B dest:A payload
7: Network Security 20
Internet security threatsDenial of service (DOS):
flood of maliciously generated packets “swamp” receiver Distributed DOS (DDOS): multiple coordinated sources swamp
receiver e.g., C and remote host SYN-attack A
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN