95
SE571 Security in Computing Chap 7: Security in Networks

SE571 Security in Computing

  • Upload
    shakti

  • View
    30

  • Download
    1

Embed Size (px)

DESCRIPTION

SE571 Security in Computing. Chap 7: Security in Networks. This Chapter Examines…. Threats against networked applications, including denial of service, web site defacements, malicious mobile code, and protocol attacks - PowerPoint PPT Presentation

Citation preview

Page 1: SE571 Security in Computing

SE571Security in Computing

Chap 7: Security in Networks

Page 2: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 2

This Chapter Examines… Threats against networked

applications, including denial of service, web site defacements, malicious mobile code, and protocol attacks

Controls against network attacks: physical security, policies, procedures, and other technical controls

Page 3: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 3

This Chapter Examines… Firewalls: design, capabilities,

limitations Intrusion detection systems Private e-mail: PGP and S/MIME

Page 4: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 4

Research: Top 5 Network Security Threats for 2011

Users• Managed users

Employees/staff Managed and unmanaged devices – Laptops,

Smartphone• Unmanaged users

Guests Contractors Consultants Business partners

(Source: Bradford Network, 2011)

Page 5: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 5

Research: Top 5 Network Security Threats for 2011

Mobile device proliferation• Smartphone – different models/different

companies• Tablets/iPads• EBook

IP everything – exponential growth in IP devices• Surveillance camera• Card readers

(Source: Bradford Network, 2011)

Page 6: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 6

Research: Top 5 Network Security Threats for 2011

Consumerization of IT• Consumer markets driving IT• Personal devices growing rapidly and must

be supported by IT Virtualization

• Server applications in private cloud• Virtual desktop in virtual environment

(Source: Bradford Network, 2011)

Page 7: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 7

Research: Consumerization of IT Survey 2011

Study sponsored by Dell KACE 741 IT professionals participated Employees using personal devices

(87%)• Email• Calendar• CRM/ERP

Employees using Smartphone (80%) Employees using personal PCs (69%) https://www.kace.com/resources/Consumerization-of-IT-Survey-2011

Page 8: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 8

Network Security What are we protecting? Why are we protecting ? What are assets? What are threats? What are the controls?

Page 9: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 9

Network Assets Network infrastructure Applications programs Data

Page 10: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 10

Network Threats Interception

• Eavesdropping• Passive wiretapping

Modification• Active wiretapping• Falsification• Compromise of authenticity

Denial of service

Page 11: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 11

Network Controls Firewalls Intrusion detection systems Secure email

Page 12: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 12

Terminologies Network – a collection of

communicating hosts Node – single computing system in a

network Link – connection between two hosts Host – single computer in a network A workstation - an end-user

computing device, usually designed for a single user at a time

Page 13: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 13

Terminologies Topology - the way a network is

configured, in terms of nodes and connections

Protocol – standard method for transmitting data and/or establishing communications between different devices

Protocol stack – is a layered architecture for communications

Page 14: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 14

Network

Page 15: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 15

Protocols Two popular protocol stacks for

implementing networks

I. Open Systems Interconnection (OSI)II. Transmission Control Protocol and

Internet Protocol (TCP/IP)

Page 16: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 16

OSI Model Contains 7 layers Layers represent the different

activities that must be performed for actual transmission of a message

Page 17: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 17

OSI Network Model

Page 18: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 18

OSI Protocol Layer Levels

Page 19: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 19

OSI Protocol Layer Levels What happens when you send

message to [email protected]?

Physical Layer Data link Network layer

• Router sends message to destination router • Adds 2 headers (source and destination IP

address)

Page 20: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 20

OSI Protocol Layer Levels Data link

• Network Interface Card (NIC) provides physical address called MAC (Media Access Control) address

• Two more headers added (source computer and router NIC address)

• Structure is called frame and contains destination MAC, source MAC and data

Page 21: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 21

OSI Protocol Layer Levels Data link

Page 22: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 22

OSI Protocol Layer Levels Network layer

• Router sends message to destination router • Adds 2 headers (source and destination IP

address) to data• These are called packets

Page 23: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 23

TCP/IP Model Common in most wide area network

communications Defined by protocols not layers

although it is seen as 4 layers

1. Application2. Transport3. Internet4. Physical

Page 24: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 24

TCP/IP Model It denotes two models although used

as a single acronym TCP implements a connected

communications session on top of the more basic IP transport protocol

Page 25: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 25

TCP/IP Model

Page 26: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 26

TCP Protocol Records and checks correct

sequencing of packets Retransmits missing or faulty packets Provides a stream of correct data in

proper order to the invoking application

Problem - retransmissions of faulty or missing packets take time and induce overhead

Page 27: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 27

TCP Packet Data structure

• Includes a sequence number, an acknowledgment number for connecting the packets of a communication session, flags, and source and destination port numbers

Port - unique channel number by which computers can route their respective packets to each of them

Page 28: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 28

Internet Services

Page 29: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 29

Local Area Networks (LAN) Covers a small distance typically

within a single building Connects several small computers,

such as personal computers, as well as printers and perhaps some dedicated file storage devices

Page 30: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 30

Local Area Networks (LAN)

Page 31: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 31

Wide Area Networks (WAN) Single control – usually controlled by

one organization Covers a significant distance Physically exposed

Examples, campus area networks, metropolitan area networks

Page 32: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 32

What Makes a Network Vulnerable? Anonymity

• Anonymous attackers Many points of attack—both targets

and origins • Less rigorous security

Sharing Complexity of system Unknown perimeter - untrusted

hosts in networks

Page 33: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 33

Why do people attack networks Fame or recognition Money and espionage Organized crime Advance an ideology

Page 34: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 34

Network Vulnerabilities, Targets and Controls

What are the targets? What are the vulnerabilities? What are the controls?

Page 35: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 35

Vulnerabilities that target precursors to attack

Port scan• Gives external picture – open doors• Standard ports or services running?

Social engineering• Use of social skills and personal interaction

to get someone to reveal security-relevant information

Reconnaissance OS and application fingerprinting

Page 36: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 36

Control of vulnerabilities Firewall “Hardened” (self-defensive)

applications Programs that reply with only what is

necessary Intrusion detection system Run few services as possible

Page 37: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 37

Control of vulnerabilities Education, user awareness Policies and procedures Systems in which two people must

agree to perform certain security-critical functions

Page 38: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 38

Network vulnerabilities that target authentication failures

Impersonation Guessing Eavesdropping Session hijacking Spoofing Man-in-the-middle attack

Page 39: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 39

Control of vulnerabilities Strong, one-time authentication Virtual private network Encrypted authentication channel Education, user awareness Virtual private network Protocol analysis

Page 40: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 40

Network vulnerabilities that target programming flaws

Buffer overflow Addressing errors Parameter modification, time-of-

check to time-of-use errors Server-side include

• Cookies• Malicious active code: Java, ActiveX • Malicious code: virus, worm, Trojan horse

Page 41: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 41

Control of vulnerabilities Programming controls Intrusion detection system Personal firewall Two-way authentication Controlled execution environment Signed code

Page 42: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 42

Network vulnerabilities that target confidentiality

Protocol flaw Malicious code: virus, worm, Trojan

horse Eavesdropping Passive wiretap Misdelivery Exposure within network Traffic flow analysis Cookie

Page 43: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 43

Control of vulnerabilities Firewall Encryption Intrusion detection system Controlled execution environment Programming controls

Page 44: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 44

Network vulnerabilities that target integrity

Protocol flaw Impersonation Active wiretap Falsification of message Noise Website defacement DNS attack

Page 45: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 45

Control of vulnerabilities Firewall Encryption Intrusion detection system Controlled execution environment Audit Protocol analysis Strong authentication Error detection code Honey pot

Page 46: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 46

Network vulnerabilities that target availability

Protocol flaw Transmission of component failure DNS attack Traffic redirection Distributed denial of service Connection flooding

Page 47: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 47

Control of vulnerabilities Encryption Firewall Intrusion detection system Honey pot

Page 48: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 48

Encryption Most important and versatile tool for

network security expert Important

• Privacy• Authenticity• Integrity• Limited access to data

Not a silver bullet Protects encrypted data only

Page 49: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 49

Encryption Can be applied in two ways

• Link encryption • End-to-end encryption

Page 50: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 50

Link Encryption Data is encrypted before the system

places them on the physical communications link

Encryption takes place in layer 1 or 2 of the OSI model

Encryption protects message during transit

Message is plaintext inside the hosts

Page 51: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 51

Link Encryption Data exposed in sending host Data exposed in intermediate nodes Applied by sending host Invisible to user Host maintains encryption Encryption done in hardware Provides node authentication All or no data encrypted

Page 52: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 52

Link Encryption

Page 53: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 53

Link Encryption

Page 54: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 54

End-to-End Encryption Security available from one end of

transmission to the other Encryption can be applied by either

hardware or software running on the computer

Encryption takes place at the highest level of OSI model – application and presentation

Page 55: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 55

End-to-End Encryption Data encrypted in sending host Data encrypted in intermediate

nodes User applies encryption User selects encryption Either software or hardware

implementation User chooses to encrypt or not Provides user authentication

Page 56: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 56

End-to-End Encryption

Page 57: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 57

End-to-End Encryption

Page 58: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 58

Virtual Private Networks Communication passes through an

encrypted tunnel User’s client establishes

communication with network firewall User and firewall negotiate a session

encryption key

Page 59: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 59

Virtual Private Networks Firewall and user encrypt all traffic

between them Firewall authenticates user through

authentication server Firewall implements access control

(provide appropriate security privileges)

Page 60: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 60

Virtual Private Networks

Page 61: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 61

PKI and Certificates PKI is a process created to enable users to

implement public key cryptography Provides identification and access control

information to users• Create certificates associating user’s identity with

cryptographic key• Give out certificates from its database• Sign certificates thus adding credibility to authenticity of

certificates• Confirm or deny that certificate is valid• Invalidate certificates for users who are no longer allowed

to access or whose private key has been exposed

Page 62: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 62

PKI and Certificates PKI sets up entities called certificate

authorities that implement PKI policy Assumption is certificate authorities are

trusted Functions of certificate authorities

• Manage public key certificates for their whole life cycle• Issue certificates by binding a user’s or system identity

to a public key with a digital signature• Schedule expiry dates for certificates• Ensure that certificates are revoked by publishing

certificate revocation list

Page 63: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 63

SSH Encryption SSH stands for secure shell is a pair of

protocols (V1 and V2) Provides an authenticated and encrypted

path to a shell or operating system command interpreter

Protects against spoofing attacks and modification of data in communications

Protocol involves negotiation between local and remote sites for encryption algorithm (e.g. DES, IDEA, AES) and authentication

Page 64: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 64

SSL Encryption SSL stands for Secure Socket Layer Also known as TLS – Transport Layer Security Protocol was originally designed by Netscape

to protect communication between web browser and server

It interfaces between apps(e.g. browser) and TCP/IP protocols to provide server authentication, client authentication and encrypted communication channel between client and server

Page 65: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 65

SSL Encryption SSL protocol is the most widely used

secure communication protocol in the Internet

Only protects data between client’s browser and server

Page 66: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 66

IPSec Stands for IP Security Protocol Similar to SSL i.e. supports

authentication and confidentiality Defines standard means for handling

encrypted data Designed to handle shortcomings of

IPv6 such as:• Spoofing• Eavesdropping• Session hijacking

Page 67: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 67

IPSec Fundamental data structures are

• AH – authenticated header• ESP – Encapsulated Security Payload

Contains both authenticated and encrypted portion

Packets: (a) Conventional Packet; (b) IPSec Packet

Page 68: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 68

Wireless security SSID – Service Set Identifier

• Authenticate remote computer WEP – Wired Equivalent Privacy

• Uses encryption to prevent eavesdropping and impersonation

• Uses encryption key for authentication• IEEE standard 802.11• Uses 64 and 128 bit encryption• Not effective against brute force attack

Page 69: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 69

Wireless security WPA and WPA2– WIFI Protected Access

• Addresses known security deficiencies in WEP• IEEE standard 802.11i• Uses encryption key that is unchanged until

user enters new key at the client and access point

• Encryption key is changed automatically at each packet (Temporal Key Integrity Program)

Page 70: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 70

Honeypots Computer system open to attackers Goal

• Watch what attackers do• Lure attackers in order to study their habits• Divert attackers attention so as to leave

your system alone

Page 71: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 71

Firewalls Device that filters traffic between

protected/inside network and less trustworthy/outside network

Purpose• Keep bad things outside the protected

environment• Use security policies to limit access from

outside

Page 72: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 72

Types of Firewalls Packet filtering gateways or

screening routers Stateful inspection firewalls Application proxies Guards Personal firewalls

Page 73: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 73

Packet Filtering Gateway Most effective Control access based on packet

address or transport protocol such as HTTP

Page 74: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 74

Stateful Inspection Firewall Maintains state information from one

packet to another in the input stream

Page 75: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 75

Application Proxy Firewall

Packet filters look only at the headers of packets, not at the data inside the packets

Page 76: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 76

Guard Firewall

Receives protocol data units, interprets them, and passes through the same or different protocol data units that achieve either the same result or a modified result

Page 77: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 77

Personal Firewall

Application program that runs on a workstation to block unwanted traffic, usually from the network

Protect a (sub)network of multiple hosts result

May complement the work of a conventional firewall by screening the kind of data a single host will accept

Page 78: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 78

Denial of Service Connection flooding

• Echo-Chargen Chargen is protocol used to generate packets Attacker makes host A to generate echo packets

to host B and host B replies to the echos Host A and B generates endless loop

• Ping of Death Attacker sends flood of pings to intended host Pings saturate victim’s bandwidth

Page 79: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 79

Denial of Service Connection flooding

• Smurf – Attacker sends broadcast echo requests to the network with victim’s return address

• Syn flood – Attacker sends many SYN requests and never responds with ACKs thereby filling the victim’s SYN_RECV queue

• Teardrop – Attacker sends series of data grams that can not be reassembled properly

Page 80: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 80

Denial of Service Traffic redirection

Attackers disrupt routers traffic redirection DNS attacks

Attackers redirect routing of traffic by overtaking domain server or causing it to cache spurious entries (DNS cache poisoning)

E.g. An attack in 2005 used a flaw in a Symantec firewall to allow a change in DNS records used by Windows machines. The poisoned DNS cache redirected users to advertising sites

Page 81: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 81

Distributed Denial of Service Also called DDoS Attacker discretely plants Trojan

horse into machine e.g. through email attachment

Attacker repeats process using many targets (Zombie)

Attacker sends a signal to all Zombies to launch an attack against a victim (n attacks from n Zombies)

Page 82: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 82

Distributed Denial of Service

Page 83: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 83

Intrusion Detection Systems Also called IDS Device that monitors activities to identify

malicious and suspicious events Functions

• Monitor users and system activity• auditing system configuration for vulnerabilities and

misconfigurations • assessing the integrity of critical system and data files • recognizing known attack patterns in system activity • identifying abnormal activity through statistical analysis • managing audit trails and highlighting user violation of

policy or normal activity • correcting system configuration errors

Page 84: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 84

Intrusion Detection Systems

Page 85: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 85

Types of IDS Signature based

• perform simple pattern-matching and report situations that match a pattern corresponding to a known attack type

Heuristic/Anomaly based• build a model of acceptable behavior and flag exceptions to

that model

A network-based IDS is a stand-alone device attached to the network to monitor traffic throughout that network while a host-based IDS runs on a single workstation or client to protect that one host

Page 86: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 86

Goals of IDS Filter on packet headers Filter on packet content Maintain connection state Use complex, multipacket signatures Use minimal number of signatures

with maximum effect

Page 87: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 87

Goals of IDS Filter in real time, online Hide its presence Use optimal sliding time window size

to match signatures

Page 88: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 88

Strengths of IDS IDSs detect an ever-growing number

of serious problems Adding their signatures to the IDS

model helps them to improve over time

Easier and cheaper to manage

Page 89: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 89

Limitations of IDS Similar IDS may have identical

vulnerabilities Difficult to measure and adjust its

sensitivity Must be monitored and alarms

responded to otherwise it is useless

Page 90: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 90

Secure Email Email is important in ecommerce Email is a medium of

communications

Page 91: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 91

Email Requirements Message confidentiality (the message

is not exposed en route to the receiver)

Message integrity (what the receiver sees is what was sent)

Sender authenticity (the receiver is confident who the sender was)

Nonrepudiation (the sender cannot deny having sent the message)

Page 92: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 92

Threats to Email message interception (confidentiality) message interception (blocked delivery) message interception and subsequent replay message content modification message origin modification message content forgery by outsider message origin forgery by outsider message content forgery by recipient message origin forgery by recipient denial of message transmission

Page 93: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 93

Design for Encrypted Email Developed by Internet Society Allows for security enhanced

messages Works for both asymmetric and

symmetric encryptions Standard supports multiple

encryption algorithms• DES, 3DES and AES for confidentiality• RSA and Diffe-Hellman for key exchange

Page 94: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 94

Overview encrypted email processing

Page 95: SE571 Security in Computing

SE571 Security in Computing Dr. Ogara 95

Encrypted Email-Secured Message