Computer Systems Security
Security in Networks (Security Controls), Topic 2
Pirooz Saeidi
Source: Pfleeger, Chapter 7

Network Security Controls

Agenda:
- Security threat analysis
- Design, implementation and architecture
- Control types
- Firewalls
- Intrusion detection systems
- Secure e-mail
- Summary and conclusion

Network Security Controls

We introduce a number of defence strategies available to the network security engineer, with details of three important controls:
1. Firewalls
2. Intrusion detection systems
3. Encrypted e-mail

Security Threat Analysis

The three steps of security threat analysis are:
1. Scrutinise all parts of the system.
2. Consider the possible damage to confidentiality, integrity and availability.
3. Hypothesise the kinds of attack that could cause that damage.

Security Threat Analysis

The individual parts of a network: local nodes, connected through local communication links to a LAN, which also contains local processes, storage and devices.

Security Threat Analysis

The LAN is also connected to a gateway that provides access, through network communication links, to network control resources, routers, databases, and so on.

Security Threat Analysis

Possible threats and damage:
- Intercepting data in traffic
- Accessing or modifying data and programs on remote hosts
- Modifying data in transit
- Blocking traffic
- Impersonating a user
- and more...

Security Threat Analysis

- The network security engineer anticipates these threats and applies the defences available.
- Such defences range from design and architecture to different types of controls.
- We will have a close look at these defences.

Design, Implementation and Architecture

- In previous lectures we elaborated on design and implementation issues.
- Similarly, a network's architecture and design can have a considerable effect on its security.
- In this context we will consider:
  - Segmentation
  - Redundancy
  - Single points of failure

Segmented Architecture

Segmentation reduces the number of threats each component is exposed to and limits the damage a compromise can do.

Consider an e-commerce application with the following parts:
- A web server
- Application code
- Database of products
- Database of orders

Segmented Architecture

We do not want a compromise of one part to compromise the entire application, which is what happens if all of these activities run on one machine. Instead we place them on multiple segments, so that the web server, which faces the public network, is separated from the application code and the databases behind it. (Figure: Pfleeger & Pfleeger)

Other Architectural Controls

Redundancy
- Example: provide more than one server and use failover mode:
  - The servers communicate periodically with each other.
  - If one fails, the other takes over processing for both.

Avoid single points of failure
- Example: distribute parts of a database across different segments, so that losing one segment does not take the whole database down.

Controls: Encryption

Two forms:
- Link encryption: between hosts (each node on the path decrypts and re-encrypts)
- End-to-end encryption: between applications

Link Encryption

- Data is encrypted just before it is placed on the physical link and decrypted as it arrives at the next node, so it is in plaintext inside every intermediate node.
- Takes place at layers 1 and 2 of the OSI model.
- Appropriate when the transmission line is the vulnerable point; it gives no protection against a compromised intermediate host.
(Figure: Pfleeger & Pfleeger)

Link Encryption

- Example of a typical link-encrypted message.
- Headers added by the layers above the link layer are applied before encryption takes place and so are protected; the link-layer header and trailer are added after encryption and travel in the clear, since the next node needs them to receive the frame.

End-to-end Encryption

Encryption is applied at the highest layers, by hardware or by software, so the data stays encrypted along the whole path between the two communicating applications. (Figure: Pfleeger & Pfleeger)

End-to-end Encryption

Example: an end-to-end encrypted message. The application data is encrypted; the headers that intermediate routers need in order to forward the packet are not. (Figure: Pfleeger & Pfleeger)

End-to-end Encryption

Messages sent to several hosts are protected individually, and the data content remains encrypted while in transit even when it passes through potentially insecure intermediate nodes.

Virtual Private Networks (VPN)

- With encryption applied to a link across a public network, users can behave as if they were on a private network; hence the term "virtual private network".
- The greatest exposure for a user is between his or her machine and the perimeter of the host network.
- Firewalls can implement a VPN: an encrypted connection between a user's distributed sites (or between a remote user and a site) over a public network.

Virtual Private Networks (VPN)

- Communication passes through an encrypted tunnel.
- The VPN is established when the firewall interacts with an authentication service inside the perimeter to verify the user.
- All subsequent communication is done through the encrypted tunnel.
(Figure: Pfleeger & Pfleeger)

Virtual Private Networks (VPN)

- The firewall implements access control on the basis of the VPN over which the traffic arrived.
- Example of a VPN with privileged access: the firewall passes to the internal server the privileged identity of User 2, who was authenticated when the tunnel was set up.
(Figure: Pfleeger & Pfleeger)

Public Key Infrastructure (PKI) and Certificates

- A PKI is the set of components and procedures needed to use public key cryptography in practice: creating, distributing, validating and revoking keys and the certificates that bind them to identities.
- It offers each user a set of services for access control and identification.
- It integrates digital certificates, public key cryptography and certificate authorities into a total, enterprise-wide network security architecture.
- A registration authority acts as the interface between the user and the certificate authority, verifying the user's identity before a certificate is issued.
- More information: http://csrc.nist.gov/pki/

Secure Shell (SSH) Encryption

- SSH is a pair of protocols (versions 1 and 2; only version 2 should be used today), originally for Unix but now also available for Windows 2000.
- Provides an authenticated and encrypted path to a shell or command-line interpreter.
- Replaces utilities such as Telnet, rlogin and rsh for remote access; those send passwords and session data in the clear.
- Protects against spoofing attacks and modification of data in transit.

Secure Socket Layer (SSL) Encryption

- SSL (now standardised as TLS) was designed to protect communication between a web browser and a server.
- It sits between applications and the TCP/IP protocols and provides server authentication (and, optionally, client authentication).
- Client and server negotiate a mutually supported set of algorithms for session encryption and hashing; the server should be configured to offer only strong ones, since the client can only pick from what is offered.

Secure Socket Layer (SSL) Encryption

To use SSL:
1. The client requests an SSL session.
2. The server responds with its public key certificate, with which the client authenticates the server (checking the certificate chain and that the certificate's name matches the server the client intended to reach).
3. The client returns part of a symmetric session key (the pre-master secret) encrypted under the server's public key.
4. Client and server both compute the session key and switch to encrypted communication using the shared session key.

Encryption: IP Security Protocol (IPsec)

- Adopted as part of IPv6 (and available for IPv4), IPsec addresses many shortcomings of conventional IP, such as address spoofing and session hijacking.
- Implemented at the IP layer, so it protects everything above it, including TCP and UDP, without changes to applications.
- Works similarly to SSL in terms of authentication and confidentiality, and is independent of the particular cryptographic algorithms used, which are negotiated per connection.

IP Security Protocol (IPsec)

- IPsec is based on the security association (SA): a set of security parameters (algorithms, keys, sequence numbers, lifetime) for a secured communication channel, identified in each packet by a Security Parameters Index (SPI).
- The main data structures of IPsec are AH (Authentication Header) and ESP (Encapsulating Security Payload).

IP Security Protocol (IPsec)

In transport mode, ESP encapsulates the TCP header and data portion of a packet (in tunnel mode it encapsulates the entire inner IP packet).
(Figure: Packets: (a) conventional packet; (b) IPsec packet. Pfleeger & Pfleeger)

IP Security Protocol (IPsec)

- ESP replaces the conventional TCP header and data portion of the packet and contains both an authenticated portion and an encrypted portion.
- The ESP header (SPI and sequence number) is authenticated but not encrypted, so the receiver can find the right security association and reject replayed packets before decrypting; the payload, padding and next-header field are both encrypted and authenticated; the integrity check value (ICV) appended at the end covers everything before it.
(Figure: The Encapsulating Security Payload. Pfleeger & Pfleeger)
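The following is an added example, not code from the slides or from Pfleeger: it frames data as an ESP packet in the RFC 4303 layout (SPI, sequence number, payload, padding, pad length, next header, ICV) using NULL encryption (RFC 2410) so that the "encrypted portion" stays readable, and implements the receiver's ICV check and anti-replay window. The key, SPI and payloads are constructed test values.

```python
"""ESP framing (RFC 4303) with NULL encryption (RFC 2410) and the anti-replay
window, added to illustrate the 'authenticated portion / encrypted portion'
layout on the slide above. Example code, not Pfleeger's; the key, SPI and
payloads are constructed test values. With NULL encryption the 'encrypted'
portion travels in the clear, which keeps the byte layout visible."""
import hashlib
import hmac
import struct

ICV_LEN = 16        # HMAC-SHA-256-128 (RFC 4868): 128-bit truncated tag
NEXT_HEADER_TCP = 6
WINDOW = 32         # RFC 4303 mandates a window of at least 32 packets


def build_esp(key, spi, seq, payload, next_header=NEXT_HEADER_TCP):
    """SPI | Seq | Payload | Padding | Pad Length | Next Header | ICV."""
    pad_len = (-(len(payload) + 2)) % 4            # 4-byte alignment of trailer
    padding = bytes(range(1, pad_len + 1))         # RFC 4303 default padding bytes
    header = struct.pack("!II", spi, seq)          # authenticated, never encrypted
    body = payload + padding + bytes([pad_len, next_header])   # the 'encrypted portion'
    icv = hmac.new(key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    return header + body + icv


class EspReceiver:
    """Inbound half of one security association."""

    def __init__(self, key, spi):
        self.key, self.spi = key, spi
        self.highest = 0          # highest sequence number accepted so far
        self.seen = set()         # accepted numbers inside the window

    def receive(self, pkt):
        """Return (next_header, payload) or raise ValueError on rejection."""
        if len(pkt) < 8 + 2 + ICV_LEN:
            raise ValueError("truncated packet")
        spi, seq = struct.unpack("!II", pkt[:8])
        if spi != self.spi:
            raise ValueError("no such security association")
        # Check integrity before trusting seq, so a forged packet cannot move the window.
        expected = hmac.new(self.key, pkt[:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(pkt[-ICV_LEN:], expected):
            raise ValueError("ICV mismatch")
        if seq > self.highest:
            self.highest = seq                             # slide the window right
            self.seen = {s for s in self.seen if self.highest - s < WINDOW}
        elif self.highest - seq >= WINDOW:
            raise ValueError("sequence number left of the anti-replay window")
        elif seq in self.seen:
            raise ValueError("replayed packet")
        self.seen.add(seq)
        body = pkt[8:-ICV_LEN]
        pad_len, next_header = body[-2], body[-1]
        return next_header, body[:len(body) - 2 - pad_len]


def rejected(rx, pkt):
    """True if the receiver refuses the packet (bad ICV, replay, wrong SPI)."""
    try:
        rx.receive(pkt)
        return False
    except ValueError:
        return True
```

Out-of-order delivery within the window is accepted, as IP requires; a number already accepted, or one that has fallen more than 32 behind the highest seen, is dropped. The ICV is verified before the sequence number is trusted, so an attacker who cannot forge the ICV cannot advance the window and starve legitimate packets.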

Content Integrity Controls

Guarding against modification in transmission. We can use methods such as:
- Error detecting and error correcting codes (against accidental corruption)
- Cryptographic checksums (against deliberate modification)

Error Correcting Codes

Error detection codes
- Parity checking (odd or even parity bit): usually used to detect non-malicious changes (e.g. noise). A single flipped bit is caught; two flipped bits cancel out, and an attacker who changes the data can simply recompute the parity.
- Hash code: a fixed-length value computed from the data by a hash function. Like parity it detects accidental change, but without a secret key anyone who can alter the data can also recompute the hash, so on its own it is not a defence against deliberate modification.
- Huffman code: a data compression method that changes the length of the encoded token in proportion to its information content, that is, the more frequently a token is used, the shorter the binary string used to represent it in the compressed stream. It is a coding scheme rather than an integrity check in its own right.

Error correction
- Error correcting codes carry enough redundancy to correct, not merely detect, a limited number of errors without retransmission.

Cryptographic Checksum

- Also called a message digest: a cryptographic hash function that produces a fixed-length checksum of the data.
- The checksum is computed for a file and used to "test" the file at a later stage, to verify that the data contained in the file has not been maliciously changed.
- This only works if the attacker cannot also replace the checksum: either keep the reference digest somewhere the attacker cannot write, or use a keyed checksum (a message authentication code), so that producing a matching value requires the secret key.
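An added example (not from the slides or Pfleeger) that puts the three mechanisms from the preceding slides side by side on one constructed message: a parity bit, an unkeyed SHA-256 digest, and a keyed checksum (HMAC). It shows which of them detect line noise, which detect a deliberate edit, and which survive an attacker who can also rewrite the check value. The message, key and bit positions are constructed for the example.

```python
"""Parity bit, unkeyed digest and keyed checksum (HMAC) applied to one
constructed message, added to illustrate the content-integrity slides
(example code, not Pfleeger's). Shows what each detects: noise, deliberate
change, and deliberate change by someone who can also rewrite the check."""
import hashlib
import hmac


def parity_bit(data):
    """Even parity: the bit that makes the total count of 1 bits even."""
    return sum(bin(b).count("1") for b in data) & 1


def digest(data):
    return hashlib.sha256(data).digest()


def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def flip_bits(data, positions):
    """Flip (byte index, bit index) positions: models line noise."""
    out = bytearray(data)
    for i, b in positions:
        out[i] ^= 1 << b
    return bytes(out)


def check(kind, key, received, received_check):
    """Receiver's verdict: True if the received check matches the data."""
    if kind == "parity":
        return parity_bit(received) == received_check
    if kind == "digest":
        return digest(received) == received_check
    return hmac.compare_digest(mac(key, received), received_check)


def scenarios():
    msg = b"PAY 100 TO ALICE"
    key = b"shared-secret-known-to-both-ends"            # constructed
    sent = {"parity": parity_bit(msg), "digest": digest(msg), "mac": mac(key, msg)}

    noise1 = flip_bits(msg, [(4, 0)])             # one bit hit by noise
    noise2 = flip_bits(msg, [(4, 0), (5, 0)])     # two bits: parity unchanged
    forged = b"PAY 900 TO ALICE"                  # attacker edits the amount ...
    forged_checks = {"parity": parity_bit(forged), "digest": digest(forged),
                     "mac": sent["mac"]}          # ... and recomputes what they can

    return {
        "parity_catches_1_bit_noise": not check("parity", key, noise1, sent["parity"]),
        "parity_catches_2_bit_noise": not check("parity", key, noise2, sent["parity"]),
        "digest_catches_2_bit_noise": not check("digest", key, noise2, sent["digest"]),
        "parity_catches_forgery": not check("parity", key, forged, forged_checks["parity"]),
        "digest_catches_forgery": not check("digest", key, forged, forged_checks["digest"]),
        # digest kept where the attacker cannot overwrite it still works:
        "digest_catches_forgery_if_stored_safely": not check("digest", key, forged, sent["digest"]),
        # without the key the attacker can only reuse the old tag:
        "mac_catches_forgery": not check("mac", key, forged, forged_checks["mac"]),
        "mac_accepts_genuine": check("mac", key, msg, sent["mac"]),
    }
```

The two-bit case is the one parity misses: the bits cancel and the check passes. The forgery case is the one the plain digest misses whenever the digest travels with the data, which is why the slide's file-checksum scheme needs either a protected store for the reference value or a key.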

Strong Authentication Controls

Networked environments need authentication at both ends of a communication, and a password sent once across the network can be captured and reused. We will consider the following methods:
- One-time passwords
- Challenge-response systems
- Digital distributed authentication
- Kerberos

One-Time Password

- Guards against wiretapping and spoofing: a captured password is useless because each password is effective only once.
- Uses either a secretly maintained password list, or a device each user carries that generates a new password every minute, the computation being based on the current time interval and a secret shared with the authenticating computer.
- Within the same minute the receiving computer computes the same password and checks for a match; in practice it also accepts the adjacent intervals to tolerate clock drift, and refuses a value for an interval it has already accepted.

Challenge-Response Systems

- The user authenticates to a simple device by means of, say, a PIN.
- The system prompts the user with a new challenge for each use:
  - The remote system sends a random number (the "challenge"), which the user enters into the device.
  - The device responds to that number with another number, computed from the challenge and a secret held in the device, which the user transmits to the system, and so on.
- Because the challenge is fresh each time, a recorded response cannot be replayed later.
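The two mechanisms on the preceding slides, as an added example (not code from the slides or from Pfleeger): a time-based one-time password built with the HOTP/TOTP construction of RFC 4226 and RFC 6238, with the verifier accepting neighbouring intervals for clock drift and refusing an interval twice, and an HMAC challenge-response exchange in which the server issues a fresh random challenge per login. The shared secrets and clock values are constructed; the one-minute step follows the slide.

```python
"""Time-based one-time password (HOTP/TOTP, RFC 4226/6238) and an HMAC
challenge-response exchange, added to illustrate the two slides above.
Example code, not Pfleeger's; the shared secrets and clock values are
constructed. Both sides compute from a shared secret, so, as the slide
says, the server can derive the same password for the same minute."""
import hashlib
import hmac
import secrets
import struct

STEP = 60      # the slides' one-minute interval (RFC 6238 default is 30 s)


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA-1 over the counter, then dynamic truncation."""
    h = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = h[-1] & 0x0F
    code = struct.unpack(">I", h[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now, digits=6):
    """The one-time password for the interval containing time 'now'."""
    return hotp(secret, now // STEP, digits)


class OtpVerifier:
    """Receiving computer: same secret, same clock. Accepts the neighbouring
    intervals for clock drift and never accepts an interval twice."""

    def __init__(self, secret, skew=1):
        self.secret, self.skew, self.last_counter = secret, skew, -1

    def verify(self, code, now):
        counter = now // STEP
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c          # burn this interval: one use only
                return True
        return False


def device_response(device_secret, challenge):
    """The token's answer: a keyed function of the challenge it was shown,
    truncated to something a user can type."""
    return hmac.new(device_secret, challenge, hashlib.sha256).hexdigest()[:8]


class ChallengeServer:
    """Issues a fresh random challenge per login; a response is valid once."""

    def __init__(self, device_secret):
        self.device_secret, self.outstanding = device_secret, None

    def challenge(self):
        self.outstanding = secrets.token_hex(8).encode()
        return self.outstanding

    def verify(self, response):
        if self.outstanding is None:
            return False
        ok = hmac.compare_digest(device_response(self.device_secret, self.outstanding), response)
        self.outstanding = None                  # one challenge, one attempt
        return ok
```

A wiretapped one-time password replayed seconds later fails because its interval has been burned; a recorded challenge-response answer fails because the next login is issued a different challenge. Both verifiers compare with a constant-time function so that a timing side channel does not leak how many characters of a guess were right.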

Authentication in Distributed Systems: Kerberos

- Designed at MIT.
- Used for authentication between clients and servers.
- Based on the idea that a central server provides authenticated tokens, called tickets, to requesting applications.
- A ticket is non-forgeable (it is encrypted under a key the client does not hold) and non-replayable (it carries timestamps and an expiry).

Authentication in Distributed Systems: Kerberos

Kerberos was designed to enable systems to withstand attacks in distributed systems. The main characteristics are:

1. No passwords are communicated on the network.
   - The user's password is stored only at the Kerberos server.
   - It is not sent from the user's workstation when a session is initiated; the workstation uses it locally as a key to decrypt what the server sends back.
2. Cryptographic protection against spoofing.
   - Each access is mediated by a ticket-granting server, which knows the identity of the user from the authentication performed initially by the Kerberos server.

Authentication in Distributed Systems: Kerberos

3. Limited period of validity (of tickets)
   - Tickets contain timestamps with which the server determines the ticket's validity.
   - An attacker therefore does not have time to complete a long-term attack.
   - Timestamps prevent replay attacks.
     - In a replay attack a valid data transmission is maliciously or fraudulently repeated or delayed.
     - The server compares the timestamps of requests with the current time and accepts requests only if they are reasonably close to it.
     - This time check defeats most replay attacks, since an attacker's presentation of a captured ticket will be delayed. It requires loosely synchronised clocks, and a request replayed within the tolerance window has to be caught by remembering recently accepted requests.
4. Mutual authentication
   - The user of a service can be assured of a server's authenticity by requesting an authenticating response from the server.

Authentication in Distributed Systems: Kerberos

- Uses symmetric (secret-key) cryptography for key exchange: every user and every server shares a secret key with the central server, which hands out fresh symmetric session keys.
- A central server provides authenticated tokens, called tickets, to requesting applications.
- A ticket is an encrypted data structure naming a user and a service the user has permission to access.

Kerberos

The user first establishes a session with the Kerberos server as follows:
- The user's workstation sends the user's identity to the Kerberos server.
- The Kerberos server checks that the user is known and authorised, and sends two messages: one to the user and the other to the ticket-granting server.

Kerberos

The user's message contains:
- a session key S_G for communicating with the ticket-granting server G, and a ticket T_G;
- both are encrypted under a key derived from the user's password: E(S_G, T_G; PW).

The ticket-granting server's message contains:
- a copy of the session key S_G, and the encrypted identity of the user.

Kerberos

- If the workstation can decrypt E(S_G, T_G; PW) using the password the user typed, the user has authenticated successfully: only the genuine password yields a usable S_G, and nothing derived from the password has crossed the network.
- The diagram shows how a Kerberos session is initiated. (Figure: Pfleeger & Pfleeger)

Kerberos

Now the user U wants to access a service of the distributed system, say file F:
- Using key S_G, the user requests from the ticket-granting server a ticket to access file F.
- The ticket-granting server verifies U's access permission and returns a ticket for F and a new session key.

Kerberos

The ticket contains the following:
- U's authenticated identity
- An identification of F
- Access rights
- A session key S_F (shared with the file server)
- Ticket expiry date

The diagram shows how a ticket can be obtained to access a file. (Figure: Pfleeger & Pfleeger)
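The whole exchange on the Kerberos slides, as an added toy implementation (not code from the slides or from Pfleeger): the user's workstation obtains E(S_G, T_G; PW) and can only open it with the right password, presents T_G with a timestamped authenticator to the ticket-granting server to obtain T_F and S_F, and then presents T_F to the file server, which checks the ticket's expiry, the authenticator's freshness and a replay cache. It follows Kerberos proper in one respect the diagram simplifies: T_G is sealed under the ticket-granting server's key and carried by the user rather than sent to the TGS directly. The `seal`/`unseal` cipher is a throwaway encrypt-then-MAC construction built from HMAC-SHA-256 for the example only; user names, passwords and keys are constructed.

```python
"""Toy Kerberos exchange (AS request, TGS request, service access) added to
illustrate the ticket flow on the preceding slides; not Pfleeger's code.
It follows Kerberos proper in one respect the slide's diagram simplifies:
the ticket-granting ticket T_G is handed to the user, sealed under the TGS
key, and the user presents it to the TGS. 'seal'/'unseal' is a throwaway
encrypt-then-MAC construction built from HMAC-SHA-256 for this example."""
import hashlib
import hmac
import json
import secrets

TAG, NONCE = 16, 12
SKEW = 300            # seconds of clock difference tolerated
TICKET_LIFE = 8 * 3600


def derive_key(password):
    # Constructed string-to-key; a real KDC uses a salted, iterated KDF.
    return hashlib.sha256(b"toy-kerberos|" + password.encode()).digest()


def _xor_stream(key, nonce, data):
    out, ctr = bytearray(), 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal(key, obj):
    """Encrypt a dict under key with a fresh nonce and append a MAC."""
    nonce = secrets.token_bytes(NONCE)
    ct = _xor_stream(key, nonce, json.dumps(obj, sort_keys=True).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG]


def unseal(key, blob):
    nonce, ct, tag = blob[:NONCE], blob[NONCE:-TAG], blob[-TAG:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG], tag):
        raise ValueError("not decryptable with this key")   # wrong key or tampered
    return json.loads(_xor_stream(key, nonce, ct))


class KDC:
    """Kerberos server (AS) and ticket-granting server (TGS) in one."""

    def __init__(self, passwords, service_keys):
        self.user_keys = {u: derive_key(p) for u, p in passwords.items()}
        self.service_keys = service_keys
        self.tgs_key = secrets.token_bytes(32)

    def as_request(self, user, now):
        """Reply E(S_G, T_G; PW): readable only with the user's password."""
        if user not in self.user_keys:
            raise PermissionError("unknown user")
        s_g = secrets.token_bytes(32)
        t_g = seal(self.tgs_key, {"user": user, "key": s_g.hex(), "expires": now + TICKET_LIFE})
        return seal(self.user_keys[user], {"s_g": s_g.hex(), "t_g": t_g.hex()})

    def tgs_request(self, t_g, authenticator, service, now):
        """Issue a service ticket T_F and session key S_F, sealed under S_G."""
        tgt = unseal(self.tgs_key, t_g)
        s_g = bytes.fromhex(tgt["key"])
        auth = unseal(s_g, authenticator)          # proves the caller holds S_G
        if now > tgt["expires"] or abs(auth["time"] - now) > SKEW or auth["user"] != tgt["user"]:
            raise PermissionError("expired ticket or stale authenticator")
        s_f = secrets.token_bytes(32)
        t_f = seal(self.service_keys[service], {"user": tgt["user"], "service": service,
                   "rights": "read", "key": s_f.hex(), "expires": now + TICKET_LIFE})
        return seal(s_g, {"s_f": s_f.hex(), "t_f": t_f.hex()})


class FileServer:
    def __init__(self, name, key):
        self.name, self.key, self.replay_cache = name, key, set()

    def access(self, t_f, authenticator, now):
        tkt = unseal(self.key, t_f)                 # only F's key opens T_F
        if tkt["service"] != self.name or now > tkt["expires"]:
            raise PermissionError("bad or expired ticket")
        auth = unseal(bytes.fromhex(tkt["key"]), authenticator)
        if abs(auth["time"] - now) > SKEW:
            raise PermissionError("authenticator outside clock skew")
        if authenticator in self.replay_cache:      # same authenticator twice
            raise PermissionError("replayed authenticator")
        self.replay_cache.add(authenticator)
        return f"{tkt['user']} granted {tkt['rights']} on {self.name}"


def client_session(kdc, fs, user, password, now):
    """Workstation side. The password never leaves this function."""
    creds = unseal(derive_key(password), kdc.as_request(user, now))
    s_g, t_g = bytes.fromhex(creds["s_g"]), bytes.fromhex(creds["t_g"])
    svc = unseal(s_g, kdc.tgs_request(t_g, seal(s_g, {"user": user, "time": now}), fs.name, now))
    s_f, t_f = bytes.fromhex(svc["s_f"]), bytes.fromhex(svc["t_f"])
    auth_f = seal(s_f, {"user": user, "time": now})
    return fs.access(t_f, auth_f, now), t_f, auth_f


def rejected(fn, *args):
    """True if the call is refused (wrong key, expiry, replay, tampering)."""
    try:
        fn(*args)
        return False
    except (ValueError, PermissionError):
        return True
```

The three properties the slides list fall out of the structure: the password is only ever used locally to open the AS reply; the file server trusts the user's identity because T_F was sealed under a key only it and the KDC hold; and a captured T_F plus authenticator is refused both after its lifetime and, within the lifetime, by the replay cache.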

Access Control

- Access control enforces the "what" and the "how" of security control policies: what each subject may do, and how that is checked.
- Mechanisms such as:
  - ACLs on routers
  - Firewalls
- We will look at them later.

ACLs on Routers

- Routers can be configured with ACLs to deny particular hosts access to particular hosts.
- This is expensive: every packet must be matched against the list, which places a large load on the router.
- Routers inspect the source and destination addresses, but nothing in IP verifies the source address. With UDP datagrams in particular, where no handshake is needed, an attacker can forge the source address so that the attack cannot be blocked by a router ACL keyed on that address.
- Limited and restricted use of ACLs is therefore the more viable option.

Honeypot Controls

- Like catching a mouse, we can set a trap with attractive bait.
- A honeypot is a computer system or network segment deliberately left open to attackers in order to:
  - see what the attackers do;
  - tempt the attacker to a place where you can learn his or her habits and stop future attacks;
  - provide a playground to divert him or her from the real system.
- A honeypot should hold no real data and be isolated from production systems, so that it cannot become a stepping stone into them.

Firewalls

- A firewall is a device, software, or a combination of both designed to prevent unauthorised users from accessing a network and/or a single workstation.
- Networks usually use hardware firewalls, implemented at the router level. These firewalls are expensive and difficult to configure.
- Software firewalls are used on single workstations; they are usually less expensive and easier to configure.

Firewalls

- Inspect each individual inbound or outbound packet of data to or from the system.
- Decide whether it should be allowed through or blocked, according to the configured policy; the safe default is to block whatever is not explicitly permitted.

Types of firewalls

- Packet filtering gateways or screening routers
- Stateful inspection firewalls
- Application proxies
- Guards
- Personal firewalls

Packet filtering gateways

- Control is based on the packet's addresses and on the transport protocol and port (e.g. TCP port 80, used by HTTP).
- Example: a packet filter can block Telnet traffic (TCP port 23) but allow HTTP traffic (TCP port 80).

Stateful inspection firewalls

- Keep a history of previously seen packets to make better decisions about current and future packets.
- Useful to counter attacks that force very short packets into, say, a TCP stream: TCP segments may arrive out of order, and a stateless filter examining one packet at a time cannot detect the signature of an attack split across two or more packets. A stateful firewall reassembles the stream and matches across segment boundaries.
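An added example (not code from the slides or from Pfleeger) contrasting the two preceding slides: a stateless packet filter with the Telnet-deny/HTTP-allow rule set and a naive per-packet content match, beside a stateful inspector that reassembles each TCP flow by sequence number and matches across segment boundaries. Packets are small constructed records rather than captures, and the blocked "signature" is a made-up string standing in for an attack pattern.

```python
"""Stateless packet filter versus stateful stream inspection, added to
illustrate the two firewall slides above (example code, not Pfleeger's).
Packets are constructed records, not real captures; SIGNATURE is a made-up
string standing in for an attack pattern."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


# ---- packet filter: header fields only, one packet at a time -------------
# Rules are matched in order; the final rule is the default deny.
RULES = [
    ("deny",  "tcp", 23),     # Telnet, as on the slide
    ("allow", "tcp", 80),     # HTTP
    ("allow", "tcp", 25),     # SMTP, open as in the tutorial example
    ("deny",  None,  None),   # default: drop anything not listed
]

SIGNATURE = b"EVIL-PAYLOAD"   # constructed stand-in for an attack signature


def packet_filter(pkt):
    for action, proto, port in RULES:
        if (proto is None or proto == pkt.proto) and (port is None or port == pkt.dport):
            return action
    return "deny"


def stateless_inspect(pkt):
    """Packet filter plus a content match confined to this one packet."""
    verdict = packet_filter(pkt)
    if verdict == "allow" and SIGNATURE in pkt.payload:
        return "deny"
    return verdict


# ---- stateful inspection: per-flow reassembly, match across segments -----
@dataclass
class Flow:
    segments: dict = field(default_factory=dict)   # seq -> payload
    blocked: bool = False

    def reassemble(self):
        # Order by sequence number regardless of arrival order.
        return b"".join(self.segments[s] for s in sorted(self.segments))


class StatefulFirewall:
    def __init__(self):
        self.flows = {}

    def inspect(self, pkt):
        verdict = packet_filter(pkt)
        if verdict != "allow" or pkt.proto != "tcp":
            return verdict
        key = (pkt.src, pkt.dst, pkt.dport)
        flow = self.flows.setdefault(key, Flow())
        if flow.blocked:
            return "deny"                # once matched, the whole flow is cut
        flow.segments[pkt.seq] = pkt.payload
        if SIGNATURE in flow.reassemble():
            flow.blocked = True
            return "deny"
        return "allow"


def run(packets, inspect):
    """Apply an inspector to packets in arrival order; return the verdicts."""
    return [inspect(p) for p in packets]
```

With the signature split over two segments delivered out of order, the stateless inspector passes both; the stateful one passes the first fragment (it has nothing to match yet) and denies the second and everything after it on that flow. A production device would also buffer segments until the stream can be judged, which is the memory cost the slide alludes to.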

Application Proxies

- Packet filters deal with header information but not the data inside the message. So the SMTP example we saw in the tutorial last week leaves a back door open to anything inbound to port 25: any payload reaches the mail server as long as it is addressed to that port.
- Also, a flawed application that acts on behalf of the user (e.g. an e-mail agent), running with all the user's privileges, can cause damage.

Application Proxies

- Application proxies have access to the entire range of information in the network stack, up to and including the application protocol. They can therefore filter harmful or disqualified commands in the data stream.
- The proxy controls actions through the firewall on the basis of the data visible inside the protocol, and not just on external header information. Clients talk to the proxy and the proxy speaks the protocol to the real server, so a malformed or forbidden request is absorbed by the proxy rather than reaching the server.

Next lecture

Will conclude network security by looking at two more controls:
- E-mail
- Intrusion detection systems