Security in Networks: their design, development, usage…
Barbara Endicott-Popovsky, CSSE592/491
In collaboration with:
Deborah Frincke, Ph.D.
Director, Center for Secure and Dependable Systems
University of Idaho
Text Book
Both broad survey and focused
Chapters 1-2 lay groundwork
Chapters 3-7 Software
• Chapter 7 – Contrast to standalone environments – Threats – Controls – Tools: Firewalls, Intrusion detection, Secure e-mail
Chapter 9 Privacy, ethics, the law
Chapter 10 Cryptography – the how
In this section of the course we will look at…
Networks: their design, development, usage
• The Basics
• Threats
• Controls
• Tools
  • Firewalls
  • Intrusion Detection
  • Secure e-mail
Source: Pfleeger & Pfleeger
Terms
• Topology
• Media
• Analog/digital
• Protocols
• LAN/WAN
• Internet
• Distributed System
• APIs
I. The Basics
Source: Pfleeger & Pfleeger
ISO/OSI Model
Source: Pfleeger & Pfleeger
OSI Layer   Name           Activity
7           Application    User-level data
6           Presentation   Standardized data appearance
5           Session        Logical connection among parts
4           Transport      Flow control
3           Network        Routing
2           Data Link      Reliable data delivery
1           Physical       Actual communication across physical medium
TCP/IP vs. OSI
Source: Pfleeger & Pfleeger
TCP/IP
Source: Pfleeger & Pfleeger
Layer         Action                          Responsibilities
Application   Prepare messages                User interaction, addressing
Transport     Convert messages to packets     Sequencing, reliability, error correction
Internet      Convert messages to datagrams   Flow control, routing
Physical      Transmit datagrams as bits      Data communication
Issues
ISO/OSI: slows things down
TCP/IP: more efficient, open
Results: TCP/IP used over the Internet; introduces security issues
Source: Pfleeger & Pfleeger
NOTE: Study this part of the chapter
II. Threats
Vulnerabilities, Attackers, Threats:
• Precursors
• In transit
• Protocol flaws
• Impersonation
• Spoofing
• Message Confidentiality / Integrity threats
• Web Site Defacement
• Denial of Service (DOS)
• Distributed Denial of Service (DDOS)
• Active or Mobile Code Threats
• Complex Attacks
Source: Pfleeger & Pfleeger
Vulnerabilities
• Anonymity
• Many points of attack: targets and origins
• Sharing
• Complexity of system
• Unknown perimeter
• Unknown path
Source: Pfleeger & Pfleeger
Attackers
• Script kiddies
• Industrial spies
• Information warfare
• Cyber terrorists
• “Hacktivists”
• Wardrivers, etc.
Profile: see Mitnick
Source: Pfleeger & Pfleeger
From CSI/FBI Report 2002
• 90% detected computer security breaches
• 80% acknowledged financial losses
• 44% (223) were willing / able to quantify losses: $455M
• Most serious losses: theft of proprietary information and fraud
  • 26 respondents: $170M
  • 25 respondents: $115M
• 74% cited Internet connection as a frequent point of attack
• 33% cited internal systems as a frequent point of attack
• 34% reported intrusions to law enforcement (up from 16% in 1996)
Source: Deb Frincke
More from CSI/FBI 2002
• 40% detected external penetration
• 40% detected DOS attacks
• 78% detected employee abuse of Internet
• 85% detected computer viruses
• 38% suffered unauthorized access on Web sites
• 21% didn’t know
• 12% reported theft of information
• 6% reported financial fraud (up from 3% in 2000)
Source: Deb Frincke
Threats: Precursors
• Port scan
• Social engineering
• Reconnaissance
• OS fingerprinting
• Bulletin boards / chats
• Available documentation
Source: Pfleeger & Pfleeger
Threats: In Transit
• Packet sniffing
• Eavesdropping
• Wiretapping
Media: microwaves, satellites, fiber, wireless
Source: Pfleeger & Pfleeger
Threats: Impersonation
Source: Pfleeger & Pfleeger
• Guessing
• Stealing
• Wiretapping
• Eavesdropping
• Avoiding authentication
• Nonexistent authentication
• Known authentication
• Trusted authentication
• Delegation (MSN Passport)
Threats: Message Confidentiality/Integrity
Source: Pfleeger & Pfleeger
Misdelivery
Exposure
Traffic flow analysis
Falsification of messages
Noise
Threats: Web Site Defacement
Source: Pfleeger & Pfleeger
Buffer overflows
Dot-Dot and address problems
Server-Side include
Threats: Denial of Service (DOS)
Source: Pfleeger & Pfleeger
Transmission failure
Connection flooding:
• Echo-chargen
• Ping of death
• Smurf attack
• Syn flood
Traffic redirection
DNS attack: BIND
Service
Threats: Distributed Denial of Service (DDOS)
Source: Pfleeger & Pfleeger
Trojan horses planted
Zombies attack
Threats: Active/Mobile Code (Code Pushed to the Client)
Source: Pfleeger & Pfleeger
Cookies:
• Per-session
• Persistent
Scripts
Active code: hostile applet
Auto-exec by type
III. Controls
Design / Architecture
• Segmentation
• Redundancy
• Single points of failure
Encryption
• Link encryption
• End-to-end encryption
• VPNs
• PKI and certificates
• SSH and SSL encryption
• IPSec
• Signed code
• Encrypted e-mail
Source: Pfleeger & Pfleeger
Controls (cont’d.)
Content integrity
• Error-correcting codes
• Cryptographic checksum
Strong authentication
• One-time password
• Challenge-response systems
• Digital distributed authentication
• Kerberos
Access controls
• ACLs on routers
• Firewalls
Alarms and alerts
Honeypots
Traffic flow security
• Onion routing
Source: Pfleeger & Pfleeger
Firewalls
• Packet filtering gateway
• Stateful inspection firewall
• Application proxy gateway
• Guard
• Personal firewalls
Source: Pfleeger & Pfleeger
Intrusion Detection Systems
• Signature-based IDS
• Heuristic IDS
• Stealth mode
Source: Pfleeger & Pfleeger
IDS Characteristics
Goals
• Detect all attacks
• Little performance impact
Alarm response
• Monitor and collect data
• Protect
• Call administrator
Limitations
• Avoidance strategies
• Sensitivity
• Only as good as the process/people
Source: Pfleeger & Pfleeger
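The two IDS types listed above and the "sensitivity" limitation, as an added example that is not part of the original slides or of Pfleeger's text: a signature-based detector matches a known-bad pattern (the dot-dot problem from the defacement slide), while a heuristic detector flags a source that touches many distinct ports (the port-scan precursor); lowering its threshold catches slower scans but also raises false alarms. The log format and addresses are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the slides): "src -> dst:port payload".
SAMPLE_LOG = [
    "10.0.0.5 -> 192.0.2.10:80 GET /index.html",
    "10.0.0.5 -> 192.0.2.10:80 GET /../../etc/passwd",   # dot-dot traversal attempt
    "10.0.0.7 -> 192.0.2.10:22 SYN",                     # 10.0.0.7 probes five ports
    "10.0.0.7 -> 192.0.2.10:23 SYN",
    "10.0.0.7 -> 192.0.2.10:25 SYN",
    "10.0.0.7 -> 192.0.2.10:80 SYN",
    "10.0.0.7 -> 192.0.2.10:443 SYN",
    "10.0.0.9 -> 192.0.2.10:80 GET /login",              # ordinary client on two ports
    "10.0.0.9 -> 192.0.2.10:443 SYN",
]

LINE_RE = re.compile(r"^(\S+) -> \S+:(\d+) (.*)$")

# Signature-based IDS: a fixed table of known-bad patterns applied to each payload.
SIGNATURES = {"dot-dot traversal": re.compile(r"\.\./")}


def signature_alerts(lines):
    """Return (source, signature name) for every line matching a known signature."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # ignore lines that do not parse
        src, _port, payload = m.groups()
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                alerts.append((src, name))
    return alerts


def heuristic_alerts(lines, threshold):
    """Flag a source as a port scan when it contacts more than `threshold` distinct ports.

    The threshold is the sensitivity knob: too high misses slow scans,
    too low turns ordinary multi-port clients into false alarms.
    """
    ports_by_src = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ports_by_src[m.group(1)].add(m.group(2))
    return [(src, "port scan") for src, ports in ports_by_src.items() if len(ports) > threshold]
```

With threshold 3 only 10.0.0.7 is reported; with threshold 1 the ordinary client 10.0.0.9 is reported as well, which is the sensitivity trade-off the slide names.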