Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e

IPSec Functions

• Authentication Header (AH)

• Encapsulating Security Payload (ESP)

• Key exchange

ESP Transport and Tunnel Mode

• Transport mode: provides protection primarily for upper-layer protocols (TCP, UDP, ICMP). Typically used for end-to-end communication between two hosts. The payload is encrypted (and, if ESP authentication is selected, integrity-protected) but the original IP header travels in the clear.

• Tunnel mode: provides protection for the entire IP packet. The original packet, header included, is encrypted and placed inside a new outer IP packet whose header names only the tunnel endpoints. Used when at least one end of the association is a security gateway such as a firewall or router, as in a site-to-site VPN.

Scope of ESP Encryption and Authentication (figure not reproduced)

Key Management

• Manual: a system administrator configures each system with its own keys and with the keys of the systems it communicates with. Practical only for small, static configurations; keys are never rotated unless someone does it by hand.

• Automatic: an automated protocol creates keys on demand and manages their use, which is what large configurations require. In IPSec this is the job of IKE (ISAKMP/Oakley).

Advantages of IPSec

• Provides managers with a standard means of implementing security for VPNs.

• Encryption and authentication algorithms and security protocols are well studied.

• Users can be confident that IPSec provides strong security.

• Can be implemented in firewalls and routers owned by the organization, giving network managers control over security.

SSL Architecture

• Provides a reliable end-to-end secure service on top of TCP.

• Uses two layers of protocols.

• The SSL Record Protocol provides the basic security services (confidentiality and message integrity) to higher-layer protocols such as HTTP.

• Above the Record Protocol, SSL defines three protocols used to manage SSL exchanges:
-Handshake Protocol
-Change Cipher Spec Protocol
-Alert Protocol

SSL Protocol Stack (figure not reproduced)

Key SSL Concepts

• Connection: a transport (in the OSI sense) that provides a suitable type of service; for SSL, a peer-to-peer TCP connection. Connections are transient, and every connection is associated with one session.

• Session: an association between a client and a server, created by the Handshake Protocol. A session defines a set of cryptographic security parameters (cipher suite, master secret, certificates) that can be shared by multiple connections, which avoids a full handshake for every new connection.

SSL Record Protocol Operation (figure not reproduced)

SSL Protocols

• Change Cipher Spec Protocol: the simplest protocol; a message consists of a single byte with the value 1. It causes the pending state (the parameters just negotiated by the handshake) to be copied into the current state, so that subsequent records use the new cipher suite and keys.

• Alert Protocol: used to convey SSL-related alerts to the peer entity. Each message consists of 2 bytes: the first gives the level (1 = warning, 2 = fatal; a fatal alert terminates the connection and the session cannot be resumed), the second the specific alert code (e.g., bad_record_mac, handshake_failure, certificate_expired).
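
The Record Protocol framing and the two small protocols above, as an added example that is not part of the textbook slides: a parser for the 5-byte record header (content type, version, length) that decodes plaintext Change Cipher Spec and Alert bodies. The sample byte stream is constructed here, not captured traffic; the version and alert tables are the standard values from RFC 5246.

```python
import struct

# Record-layer content types shared by SSL 3.0 and TLS 1.0-1.2.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the standard alert descriptions (RFC 5246, section 7.2).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 45: "certificate_expired",
    48: "unknown_ca", 70: "protocol_version",
}
MAX_RECORD_BODY = 2 ** 14 + 2048   # largest TLSCiphertext body a peer may send


def parse_records(data: bytes) -> list:
    """Split a byte stream into SSL/TLS records and decode plaintext CCS and Alert bodies.

    Only the framing is interpreted: encrypted bodies (handshake, application_data,
    or an alert sent after the cipher change) are returned as opaque bytes.
    """
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError(f"truncated record header at offset {off}")
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype} at offset {off}")
        if length > MAX_RECORD_BODY:
            # Reject before slicing: trusting the peer's length field unbounded is a classic bug.
            raise ValueError(f"record length {length} exceeds {MAX_RECORD_BODY}")
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError(f"truncated record body at offset {off}")
        rec = {"type": CONTENT_TYPES[ctype],
               "version": VERSIONS.get(version, f"0x{version:04x}"),
               "length": length}
        if ctype == 20:
            # Change Cipher Spec is exactly one byte with value 1; anything else is a protocol error.
            rec["valid"] = body == b"\x01"
        elif ctype == 21 and length == 2:
            rec["level"] = ALERT_LEVELS.get(body[0], f"unknown({body[0]})")
            rec["description"] = ALERT_DESCRIPTIONS.get(body[1], f"unknown({body[1]})")
            rec["closes_connection"] = body[0] == 2   # fatal alerts end the connection
        else:
            rec["body"] = body   # opaque (possibly encrypted) payload
        records.append(rec)
        off += 5 + length
    return records


# Constructed sample stream: a ChangeCipherSpec record followed by a fatal
# handshake_failure alert, both carrying TLS 1.2 version bytes. Not captured traffic.
SAMPLE_STREAM = (
    bytes([0x14, 0x03, 0x03, 0x00, 0x01, 0x01])          # CCS, length 1, value 1
    + bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28])  # alert, level 2 (fatal), code 40
)

if __name__ == "__main__":
    for record in parse_records(SAMPLE_STREAM):
        print(record)
```

The length check before the slice is the part worth copying: every record parser must bound the peer-supplied length before trusting it, and must treat a body that is shorter than advertised as an error rather than silently padding it.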

Handshake Protocol

• The most complex part of SSL.

• Allows the server and client to authenticate each other and to negotiate the encryption algorithm, MAC algorithm and cryptographic keys used to protect the data sent in SSL records.

• Used before any application data is transmitted.

Handshake Protocol Phases

• Phase 1: establishes security capabilities (client_hello and server_hello, which agree on protocol version, session ID, cipher suite, compression method and exchange random values) and initiates the logical connection.

• Phase 2: the server passes its certificate, any additional key-exchange information and, optionally, a request for the client's certificate, then a server_done message.

• Phase 3: the client sends its certificate if one was requested, followed by a key-exchange message whose content depends on the underlying public-key scheme, and optionally a certificate_verify message.

• Phase 4: both sides send change_cipher_spec and finished messages, completing the setup of the secure connection.

802.11i Operational Phases (figure not reproduced)

802.11i Architecture

• Authentication: a protocol used to define an exchange between a user (station) and an authentication server (AS) that provides mutual authentication and generates temporary keys for use on the wireless link.

• Access control: the function that enforces use of the authentication function, routes messages properly and facilitates key exchange; it can work with a variety of authentication protocols.

• Privacy with message integrity: MAC-level (medium access control layer) data are encrypted together with a message integrity code (MIC) that ensures the data have not been altered.

802.11i Access Control (figure not reproduced)

Intrusion Detection

• Security Intrusion: a security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.

• Intrusion Detection: a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner.

• Intrusion Detection System classification:
-Host-based IDS: monitors the characteristics of a single host and the events occurring within it.
-Network-based IDS: monitors network traffic for particular segments or devices and analyzes network, transport and application protocols.

IDS Logical Components

• Sensors

• Analyzers

• User Interface

Approaches to Host-Based IDSs

• Anomaly Detection: collects data on the behavior of legitimate users over time, then applies statistical tests to observed behavior to decide, with a high level of confidence, whether it is that of a legitimate user.
-Threshold detection: counts occurrences of a specific event type over an interval and raises an alert if the count exceeds a threshold.
-Profile based: builds a profile of each user's normal activity and flags significant deviations from it.

• Signature Detection: defines a set of rules or attack patterns that can be used to decide whether a given behavior is that of an intruder.
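
Both host-based anomaly techniques run over constructed data, as an added example that is not part of the textbook slides: threshold detection over a few syslog-style sshd lines written for this illustration, and profile-based detection against a made-up per-user login history. The host name, user names and addresses are invented.

```python
import re
import statistics
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-style sshd lines (not from any real host): five failures for
# alice from one source within 30 s, two failures for bob minutes apart, one success.
SAMPLE_LOG = """\
Mar 10 09:00:01 bastion sshd[2101]: Failed password for alice from 10.0.0.5 port 50122 ssh2
Mar 10 09:00:05 bastion sshd[2102]: Failed password for alice from 10.0.0.5 port 50123 ssh2
Mar 10 09:00:12 bastion sshd[2103]: Failed password for alice from 10.0.0.5 port 50124 ssh2
Mar 10 09:00:20 bastion sshd[2104]: Failed password for alice from 10.0.0.5 port 50125 ssh2
Mar 10 09:00:31 bastion sshd[2105]: Failed password for alice from 10.0.0.5 port 50126 ssh2
Mar 10 09:01:00 bastion sshd[2110]: Failed password for bob from 10.0.0.9 port 40000 ssh2
Mar 10 09:03:30 bastion sshd[2111]: Failed password for bob from 10.0.0.9 port 40001 ssh2
Mar 10 09:03:40 bastion sshd[2112]: Accepted password for bob from 10.0.0.9 port 40002 ssh2
Mar 10 09:04:00 bastion sshd[2113]: Failed password for invalid user admin from 10.0.0.5 port 50130 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_auth_log(text):
    """Return (timestamp, result, user, src) tuples for every line that matches."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year is irrelevant for deltas
            events.append((ts, m["result"], m["user"], m["src"]))
    return events


def threshold_detect(events, max_failures=5, window_s=60):
    """Threshold detection: alert on any (user, source) pair with at least
    max_failures failed logins inside a sliding window of window_s seconds."""
    recent = defaultdict(deque)
    alerts = set()
    for ts, result, user, src in events:      # events are assumed to be in time order
        if result != "Failed":
            continue
        q = recent[(user, src)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()                       # drop failures that fell out of the window
        if len(q) >= max_failures:
            alerts.add((user, src))
    return alerts


def profile_detect(baseline, observed, z_max=3.0):
    """Profile-based detection: flag users whose count today deviates from their
    historical mean by more than z_max standard deviations."""
    flagged = {}
    for user, today in observed.items():
        history = baseline.get(user)
        if not history or len(history) < 2:
            continue                          # no profile yet, so nothing to compare against
        mean, sd = statistics.mean(history), statistics.pstdev(history)
        if sd == 0:
            z = 0.0 if today == mean else float("inf")
        else:
            z = (today - mean) / sd
        if abs(z) > z_max:
            flagged[user] = round(z, 1)
    return flagged


# Constructed history: successful logins per day over six days, and today's counts.
BASELINE = {"alice": [10, 12, 11, 9, 10, 11], "carol": [3, 4, 3, 4, 3, 5]}
TODAY = {"alice": 11, "carol": 30, "dave": 7}

if __name__ == "__main__":
    print(threshold_detect(parse_auth_log(SAMPLE_LOG)))
    print(profile_detect(BASELINE, TODAY))
```

Two points the slide leaves implicit: the threshold detector needs events sorted by time and a bounded window, otherwise a slow brute force never trips it; and the profile detector can only judge users it has a history for, so a brand-new account (dave above) is invisible to it until a baseline exists.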

Firewalls

• Provides an additional layer of defense between internal systems and external networks

• Firewalls use four techniques to control access:
-Service control: determines the types of Internet services that can be accessed, inbound or outbound (filtering on IP address, protocol and port number).
-Direction control: determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.
-User control: controls access to a service according to which user is attempting to access it.
-Behavior control: controls how particular services are used (e.g., filtering e-mail to eliminate spam).
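
Service control and direction control expressed as a first-match packet filter, as an added example that is not part of the textbook slides. The site addresses, the mail relay 192.168.1.10 and the policy are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = arriving from the external network, "out" = leaving the internal one
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "in", "out" or "any"
    src: str               # CIDR the source address must fall in
    dst: str               # CIDR the destination address must fall in
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None = any destination port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


# Constructed policy for a hypothetical site 192.168.1.0/24 whose only inbound
# service is SMTP on the relay 192.168.1.10. Not a real configuration.
RULES = [
    Rule("allow", "in",  "0.0.0.0/0",      "192.168.1.10/32", "tcp", 25,
         "service control: inbound SMTP, and only to the relay"),
    Rule("deny",  "any", "0.0.0.0/0",      "0.0.0.0/0",       "tcp", 23,
         "service control: telnet blocked in both directions"),
    Rule("allow", "out", "192.168.1.0/24", "0.0.0.0/0",       "tcp", 443,
         "direction control: HTTPS may only be initiated from inside"),
    Rule("allow", "out", "192.168.1.0/24", "0.0.0.0/0",       "udp", 53,
         "direction control: outbound DNS"),
]


def evaluate(packet: Packet, rules=RULES):
    """First-match evaluation; anything no rule allows is dropped (default deny)."""
    for index, rule in enumerate(rules):
        if rule.matches(packet):
            return rule.action, index
    return "deny", None


# Constructed test traffic.
SAMPLE_PACKETS = [
    Packet("in",  "203.0.113.7",  "192.168.1.10", "tcp", 25),   # SMTP to the relay
    Packet("in",  "203.0.113.7",  "192.168.1.20", "tcp", 25),   # SMTP to a workstation
    Packet("out", "192.168.1.20", "203.0.113.7",  "tcp", 443),  # browsing out
    Packet("in",  "203.0.113.7",  "192.168.1.20", "tcp", 443),  # HTTPS initiated from outside
    Packet("out", "192.168.1.20", "203.0.113.7",  "tcp", 23),   # telnet out
]


def audit(packets=SAMPLE_PACKETS, rules=RULES):
    """Return (action, matching rule index) for each packet, for policy review."""
    return [evaluate(p, rules) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_PACKETS, audit()):
        print(p, "->", verdict)
```

This filter is stateless, which is why it says nothing about the server's replies to the outbound HTTPS connection; a production firewall tracks connection state so that return traffic for an allowed session passes without an explicit inbound rule. User control and behavior control cannot be written as address-and-port rules at all: they need an authenticating proxy or content inspection in front of the service.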

Firewall Capabilities

• Defines a single choke point that keeps unauthorized users out of the protected network.

• Provides a location for monitoring security-related events.

• Provides a platform for several Internet functions.

• Serves as a platform for IPSec: with tunnel-mode ESP the firewall acts as the security gateway that terminates site-to-site VPNs.

Firewall Limitations

• Cannot protect against attacks that bypass the firewall.

• May not protect against all internal threats.

• A wireless LAN may be accessed from outside.

• A client (laptop, PDA, portable storage device, etc.) may be infected outside, then attached to the internal network behind the firewall.

Firewall Types (figure not reproduced)

Antivirus Approaches

• Prevention: do not allow the virus to get into the system in the first place.

• Detection: Once infection has occurred, determine that it has occurred and locate the virus.

• Identification: Once detection has been achieved, identify the specific virus that has infected a program.

• Removal: Remove all traces of the virus and restore the program to its original state.

Generic Decryption

• Enables antivirus programs to detect complex polymorphic viruses.

• Generic Decryption elements:
-CPU emulator: a software-based virtual computer in which the suspect file's instructions are interpreted in an isolated environment, so a polymorphic virus decrypts itself without touching the real host.
-Virus signature scanner: scans the decrypted code in the emulated memory for known signatures.
-Emulation control module: controls the execution of the target code and decides when to stop.

• The most difficult design issue is to determine how long to run each emulation: stop too early and the virus may not have decrypted itself yet; run too long and scanning becomes unacceptably slow.

Digital Immune System

• Developed first by IBM, then refined by Symantec.

• Provides a general purpose emulation and virus detection system.

• Detects new viruses, analyzes them, adds detection and shielding for them, removes them and passes information about each virus on to other systems.

Digital Immune System (figure not reproduced)

Behavior-Blocking Software

• Integrates with the operating system and monitors program behavior in real-time for malicious actions.

• Blocks potentially malicious actions.

• Suspicious software is also blocked.

Behavior-Blocking Software Operation (figure not reproduced)

Requirements for Worm Countermeasures

• Generality

• Timeliness

• Resiliency

• Minimal denial-of-service costs

• Transparency

• Global and local coverage

Classes of Worm Defense

• Signature-based worm scan filtering: generates a signature for the worm's scan traffic and uses it to block scans entering or leaving a network or host.

• Filter-based worm containment: focuses on the worm's content rather than its scan pattern; a filter checks each message for worm code.

• Payload-classification-based worm containment: examines packets on the network for anomalies associated with exploit code (e.g., buffer-overflow payloads) rather than for a specific signature.

• Threshold random walk (TRW) scan detection: exploits the fact that a host which has to scan to find vulnerable targets sees most of its connection attempts fail, whereas a legitimate host's attempts mostly succeed.

• Rate limiting: limits the rate of scan-like traffic from an infected host, for example the number of new connections per unit time.

• Rate halting: immediately blocks outgoing traffic from a host when a threshold is exceeded, either in its outgoing connection rate or in the diversity of its connection attempts.
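
Threshold random walk scan detection worked through, as an added example that is not part of the textbook slides. It implements the sequential hypothesis test from Jung et al.'s TRW design; the probability parameters and error bounds are assumptions chosen for the illustration, and the connection records are constructed.

```python
import math
from collections import defaultdict

# Model parameters (assumed for this illustration).
THETA0 = 0.8   # P(first-contact connection succeeds | benign host)
THETA1 = 0.2   # P(first-contact connection succeeds | scanner)
ALPHA = 0.01   # tolerated false-positive rate
BETA = 0.99    # required detection rate

# Wald sequential-test thresholds on the log-likelihood ratio.
ETA1 = math.log(BETA / ALPHA)                # at or above: decide "scanner"
ETA0 = math.log((1 - BETA) / (1 - ALPHA))    # at or below: decide "benign"
LLR_SUCCESS = math.log(THETA1 / THETA0)              # negative: a success favours benign
LLR_FAILURE = math.log((1 - THETA1) / (1 - THETA0))  # positive: a failure favours scanner


def trw_classify(outcomes):
    """Walk over first-contact outcomes (True = connection succeeded) and stop at
    the first threshold crossing. Returns (verdict, observations used)."""
    llr = 0.0
    for n, succeeded in enumerate(outcomes, 1):
        llr += LLR_SUCCESS if succeeded else LLR_FAILURE
        if llr >= ETA1:
            return "scanner", n
        if llr <= ETA0:
            return "benign", n
    return "pending", len(outcomes)   # not enough evidence either way yet


def detect_scanners(records):
    """records: (src, dst, succeeded) tuples in time order. Only the first contact
    between a (src, dst) pair counts, so repeated connections to a known-good
    server do not dilute the test for a host that is also scanning."""
    seen = set()
    first_contacts = defaultdict(list)
    for src, dst, succeeded in records:
        if (src, dst) in seen:
            continue
        seen.add((src, dst))
        first_contacts[src].append(succeeded)
    return {src: trw_classify(outcomes) for src, outcomes in first_contacts.items()}


# Constructed connection log: 10.0.0.5 sweeps a subnet and mostly fails,
# 10.0.0.7 talks to a few servers that answer, 10.0.0.9 has too little history.
SAMPLE_RECORDS = [
    ("10.0.0.5", "10.0.1.1", False),
    ("10.0.0.7", "10.0.2.1", True),
    ("10.0.0.5", "10.0.1.2", True),
    ("10.0.0.7", "10.0.2.1", True),    # repeat contact, ignored
    ("10.0.0.5", "10.0.1.3", False),
    ("10.0.0.7", "10.0.2.2", True),
    ("10.0.0.5", "10.0.1.4", False),
    ("10.0.0.9", "10.0.3.1", False),
    ("10.0.0.7", "10.0.2.3", True),
    ("10.0.0.5", "10.0.1.5", False),
    ("10.0.0.9", "10.0.3.2", True),
    ("10.0.0.5", "10.0.1.6", False),
    ("10.0.0.7", "10.0.2.4", True),
    ("10.0.0.5", "10.0.1.7", False),
]

if __name__ == "__main__":
    for src, verdict in detect_scanners(SAMPLE_RECORDS).items():
        print(src, verdict)
```

With these parameters each failure multiplies the likelihood ratio by 4 and each success divides it by 4, so a host is declared a scanner after four more failures than successes and benign after four more successes than failures; the one successful probe by 10.0.0.5 only delays its detection by one observation. Rate limiting and rate halting act on the same failed-first-contact signal, but throttle or block the host instead of waiting for a decision.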