Chapter13-Network Security 1
While computer systems today have good security systems, they are also vulnerable.
Vulnerability stems from world-wide access to computer systems via Internet.
Computer and network security comes in many forms including encryption algorithms, access to facilities, digital signatures, finger prints, face scans, other biometric means, and passwords.
Network Security - Introduction
Chapter13-Network Security 2
Network Security, cont’d
Companies are reluctant to publicly admit that they have suffered losses due to failed network security.Security goals must be set by IT, BUT SUPPORTED BY HIGHEST LEVELS OF MANAGEMENT.
Chapter13-Network Security 3
Basic security measures for computer systems fall into eight categories:
External security Operational security
Surveillance Passwords
Auditing Access rights
Standard system attacks Viruses
Basic Security Measures
Chapter13-Network Security 4
Protection from environmental damage such as floods, earthquakes, and heat.
Physical security such as locking rooms, locking down computers, keyboards, and other devices.
Electrical protection from power surges.
Electromagnetic noise protection from placing computers away from devices that generate electromagnetic interference.
External Security
Chapter13-Network Security 5
Deciding who has access to what.
Limiting time of day access.
Limiting day of week access.
Limiting access from a location, such as not allowing user to use a remote login during certain periods or any time.
Operational Security
Chapter13-Network Security 6
Passwords - common form of security and most abused.
Rules for safe passwords include:
• Change your password often.
• Password - minimum 8 characters, mixed symbols.
• Don’t share passwords or write them down.
• Don’t select names and familiar objects as passwords.
Passwords and ID Systems
Chapter13-Network Security 7
Many new forms of “passwords” are emerging (biometrics):
• Fingerprints
• Face prints
• Retina scans and iris scans
• Voice prints
• Ear prints
Passwords and ID Systems
Chapter13-Network Security 8
Creating computer or paper audit can help detect wrongdoing.
Auditing can also be used as a deterrent.
Many network operating systems allow administrator to audit most types of transactions.
Auditing as Security
Chapter13-Network Security 9
Auditing as Security, cont’d
Manual audits can be done by either internal or external personnel. Manual audits severe to verify effectiveness of policy development and implementation, and extent of security in overall corporate security policy. Automated audits depend on software able to assess weaknesses of network security and security standards.
Chapter13-Network Security 10
Auditing as Security, cont’d
Some automated audit tools are able to analyze network for vulnerabilities and make recommendationsOther tools merely capture events so that security people can figure out who did what and when after security breach has occurred.
Chapter13-Network Security 11
Auditing as Security, cont’d
Security probes test various aspects of enterprise network security and report results and suggest improvements.Intrusion detection systems test perimeter of enterprise network through dial modems, remote access servers, web servers, or Internet access.Network based intrusion detection systems use network traffic probes distributed throughout network to identify traffic patterns that may indicate some type of attack may be underway
Chapter13-Network Security 12
Two basic questions to access rights: who and how?
Who do you give access rights to? No one, group of users, entire set of users?
What level of access does a user or group of users get? Read, write, delete, print, copy, execute?
Procedures set to remove people who leave or transfer.
Most network OS have method system for assigning access rights.
Access Rights as Security
Chapter13-Network Security 13
SECURITY POLICY DEVELOPMENT LIFE CYCLE
SPDLC is depicted as cycle since evaluation processes validate the effectiveness of original analysis stages.Next slide shows SDLC.Look at this slide as management tool of steps that have to be taken.
Chapter13-Network Security 14
Identify business related security issues
Analyze security risks, threats, and
vulnerabilities
Design the security architecture and the
associated processes
Implement security technology and
processes
Audit impact of security technology and
processes
Evaluate effectiveness of current architectures
and policies
GOLDMAN & RAWLES: ADC3e FIG. 13-01
Security Policy Development Life Cycle
Chapter13-Network Security 15
Security Requirements Assessment
Start research by finding out if your friends in field can give you manuals of what they have done.Define needs requirements for users in organization.Security refers to restrictions of information upon users, and responsibilities of users for implementation and enforcement.
Chapter13-Network Security 16
Scope and Feasibility of Studies
Define scope of security study.Realize that there is a balance between security and productivity.Optimal balance will protect resources while not impacting on worker productivity.
Chapter13-Network Security 17
High risk Low cost Open access No productivity loss Open access may lead to data loss or data integrity problems which may lead to productivity loss.
High cost Low risk Restrictive access Productivity loss Overly restrictive security may lead to noncompliance with security processes which may lead to loss of security
Balanced risk and costs Restrictiveness of security policy balanced by people's acceptance of those policies
Lack of security may ultimately have
negative impact on productivity
No productivity loss occurs from access
restrictions
SECURITYPRODUCTIVITY
SECURITYPRODUCTIVITY
Overly restrictive security casues
productivity decline
Security needs take priority over user
access
SECURITYPRODUCTIVITY
Minimize negative impact on
productivity
Maximize security processes
BALANCE
Optimal Balance of Security and Productivity
Overly Restrictive Security
Lack of Security
GOLDMAN & RAWLES: ADC3e FIG. 13-04
Security vs. Productivity Balance
Chapter13-Network Security 18
Assets, Threats, and Risks
Security methodologies have major steps; Identify assets – includes hardware,
software, and media used to store data.
Identify threats – anything that can pose a danger to assets.
Identify vulnerabilities – potential problems in security system
Chapter13-Network Security 19
Assets, Threats, and Risks
Security methodologies- continued Consider risks – probability of
successfully attacking particular asset Identify risk domains – groups of
network systems sharing common functions and common elements of exposure.
Take protective measures – Virus protection, firewalls, authentication, encryption
Chapter13-Network Security 20
System or combination of systems that supports an access control policy between two networks.
Firewall can limit types of transactions that enter system, as well as types of transactions that leave system.
Firewalls can be programmed to stop certain types or ranges of IP addresses, as well as certain types of TCP port numbers (applications).
Firewalls, cont’d
Chapter13-Network Security 21
Firewalls
Chapter13-Network Security 22
Packet filter firewall - essentially router that has been programmed to filter out or allow in certain IP addresses or TCP port numbers.
Proxy server - more advanced firewall that acts as doorman into corporate network. Any external transaction that requests something from corporate network must enter through proxy server.
Proxy servers are more advanced but make external accesses slower.
Firewalls, cont’d
Chapter13-Network Security 23
Proxy Server
Chapter13-Network Security 24
Attack Strategies
Attack strategies concentrate on weaknesses of specific systems.Two servers communicating with TCP set up three step exchange of address and confirmation.
Chapter13-Network Security 25
Attack Strategies, cont’d
Following attack strategies take negative advantage of three step exchange Denial of service attack – hacker
floods server with request to connect to non-existent servers
Land attack – hacker substitutes targeted server’s own address as address of server requesting connection
Chapter13-Network Security 26
Signature-based scanners look for particular virus patterns or signatures and alert user.
Terminate-and-stay-resident programs run in background constantly watching for viruses and their actions.
Multi-level generic scanning is combination of antivirus techniques including intelligent checksum analysis and expert system analysis.
Guarding Against Viruses
Chapter13-Network Security 27
Denial of service attacks - bombard computer site with many messages site is incapable of answering valid requests.
e-mail bombing - user sends an excessive amount of unwanted e-mail.
Smurfing - technique in which program attacks network by exploiting IP broadcast addressing operations.
Ping storm - Internet Ping program is used to send flood of packets to server.
Standard System Attacks, cont’d
Chapter13-Network Security 28
Spoofing - user creates packet that appears to be something else or from someone else.
Trojan Horse - malicious piece of code hidden inside seemingly harmless piece of code.
Stealing, guessing, and intercepting passwords is also tried and true form of attack.
Standard System Attacks, cont’d
Chapter13-Network Security 29
Web Specific Attack Strategies
Minimizing web attacks requires using following techniques: Eliminate unused user accounts and
default accounts (Guest) Remove/disable unused services such
as FTP, Telnet, etc. Remove unused Unix command shells
and interpreters
Chapter13-Network Security 30
Web Specific Attack Strategies cont’d
Properly set permission levels on files and directoriesStay up to date with current attack strategies, and defenses.Beware of Common Gateway Interface programs extracting web server password files. Take corrective measures.
Chapter13-Network Security 31
Management Role and Responsibility
Executive responsibilities Set Security Policy of the Organization Allocate sufficient resources – staff,
funding, etc. Information is corporate resource Assign responsibility for protecting
information resources Require computer security training for
staff
Chapter13-Network Security 32
Management Role and Responsibility, cont’d
Hold employees responsibility for corporate resources in their care
Audit (internal and external) corporate security
Follow through with penalties for violations of corporate security
Chapter13-Network Security 33
Management Role and Responsibility, cont’d
Management responsibility Assess responsibilities in your
corporate security area Assess balance between security and
productivity Assess vulnerabilities with your area
of responsibility Adhere and enforce corporate policies
Chapter13-Network Security 34
Policy Development Process
Establish processes and policiesBe sure affected user groups are represented on policy development task force. Emphasis should be on corporate wide awareness relating to importance of protecting corporate information and network access.
Chapter13-Network Security 35
Policy Implementation Process
Having been included in policy development process, users are expected to support policiesUser responsibilities Protect data you have Corporate resources are property of
company
Chapter13-Network Security 36
Policy Implementation Process
Continued Inform supervisor of suspicious
actions, or people Never share your passwords Choose password that is impossible to
discover Log off before leaving your computer Lock up sensitive material backups Backup important data
Chapter13-Network Security 37
Policy Implementation Process, cont’d
Policy implementation should force changes in people’s behaviors, which can cause resistance Use appropriate technology and associated processes to execute policy.Security architectures imply security solutions have been predefined for given corporation’s variety of computing and network platforms.
Chapter13-Network Security 38
Policy Implementation Process, cont’d
If users involvement was substantial during policy development stage and if buy-in was assured at each stage of policy development, then process stands better chance of succeeding.
Chapter13-Network Security 39
VIRUS PROTECTIONComprehensive protection plan must combine policy, people, processes, and technology to be effective.Virus - describes computer program that gains access to computer system or network with potential to disrupt normal activity of that system or network.
Chapter13-Network Security 40
VIRUS PROTECTION, cont’d
Viruses triggered by passing of certain date or time is referred to as time bombs whereas viruses that require certain event to transpire are known as logic bombs.Trojan horse - actual virus is hidden inside program and delivered to target system or network to be infected.
Chapter13-Network Security 41
ANTIVIRUS STRATEGIESEffective antivirus policies and procedures must first focus on use and checking of diskettes/files. Antivirus strategies Identify vulnerabilities Keep antivirus updated
Chapter13-Network Security 42
ANTIVIRUS STRATEGIES, cont’d
Antivirus strategies, continued Install virus scanning software Non employees should be prohibited
from installing laptops to system. Install virus scanning software on
commonly used laptops Write protect diskettes
with .exe, .com files
Chapter13-Network Security 43
Client PC ServerHub
Router
INFECTION
Infected file is spread through database replication
and/or Infected file is spread by being attached to multiclient conference
Infected
Client PC ServerHub
Router
RE-INFECTION
Modification of infected document on any client or server will cause replication and reinfection of other servers Inclusion of infected documents in multiclient conference will reinfect all clients
Disinfected
Client PC with original infected
document
re-infection
GOLDMAN & RAWLES: ADC3e FIG. 13-18
Collaborative Software Infection/Reinfection Cycle
Chapter13-Network Security 44
ANTIVIRUS TECHNOLOGIES
Virus scanning is primary method for successful detection and removal. Emulation technology - detect unknown viruses by running programs with software emulation program known as a virtual PC. Execution program can be examined in environment for symptoms of viruses. Advantage of such programs is they identify potentially unknown viruses based on behavior rather than by relying on natures of known viruses.
Chapter13-Network Security 45
ANTIVIRUS TECHNOLOGIES, cont’d
CRC checkers or hashing checkers creates and saves unique cyclical redundancy check character each file to be monitored. Each time that file is subsequently saved, new CRC is checked against the reference CRC.If CRCs do not match, then file has been changed. Shortcoming of technology - only able to detect viruses after infection.Active control monitors is able to examine transmissions from Internet in real time and identify known malicious content based on contents of definition libraries.
Chapter13-Network Security 46
Router
Point of Attack: Client PC Vulnerabilities
Infected diskettes Groupware conferences with infected documents
Protective Measures Strict diskette scanning policy Autoscan at system start-up
Point of Attack: Internet Access Vulnerabilities
Downloaded viruses Downloaded hostile agents
Protective Measures Firewalls User education about the dangers of downloading
Point of Attack: Server Vulnerabilities
Infected documents stored by attached clients Infected documents replicated from other groupware servers
Protective Measures Autoscan run at least once a day Consider active monitoring virus checking before allowing programs to be loaded onto server Rigorous backup in case of major outbreak Audit logs to track down sources
Point of Attack: Remote Access Users Vulnerabilities
Frequent up/downloading of data and use of diskettes increase risk Linking to customer sites increases risk
Protective Measures Strict diskette scanning policy Strict policy about the connection to corporate networks after linking to other sites.
INTERNET
hub
Client PC
Remote Access Users
Server
GOLDMAN & RAWLES: ADC3e FIG. 13-19
Virus Infection Points of Attack and Protective
Measures
Chapter13-Network Security 47
FIREWALLSTo prevent unauthorized access from Internet into company’s confidential data, specialized software known as firewall is often deployed.Firewall software usually runs on dedicated server that is connected to, but outside of, corporate network. All network packets entering firewall are filtered, or examined, to determine whether or not those users have authority to access requested files.
Chapter13-Network Security 48
Firewall Architecture Difficulty with firewalls is there are no standards for firewall functionality, architectures, or interoperability.Firewall architecture 1. Packet filtering 2. Application gateway 3. Internet firewalls
Chapter13-Network Security 49
PACKET FILTERINGPackets of data on Internet are identified by source address of computer that issued message and destination address of Internet server.Filter - program that examines source address and destination address of incoming packet to firewall server. Filter tables - lists of addresses whose data packets and embedded messages are either allowed or prohibited from proceeding through the firewall.Filter tables can limit access of certain IP addresses to certain directories.
Chapter13-Network Security 50
PACKET FILTERING, cont’dFiltering time introduces latency to overall transmission time. Packet filter gateways can be implemented on routers. Existing piece of technology can be used for dual purposes. Packet filters can be breached by hackers in technique known as IP spoofing.If hacker can make packet appear to come from an unauthorized or trusted IP address, then it can pass through firewall.
Chapter13-Network Security 51
Application GatewaysAlso called application level filtersPort level filters determine legitimacy of party asking for information, application level filters assures validity of what they are asking for.Application level filters examine entire request for data rather than source and destination addresses.
Chapter13-Network Security 52
Application Gateways, cont’d
Application gateways are concerned with what services or applications message is requesting in addition to who is making request.Once legitimacy of request has been established, only proxy clients and servers actually communicate with each other.
Chapter13-Network Security 53
INTERNET or nonsecure
network
Protected Network
Packet-filtering firewall (router)
Incoming IP packets examined Incoming IP source and destination addresses compared to filter tables Outgoing packets have direct access to Internet
Packet Filter Firewall
INTERNET or nonsecure
network
Protected Network
Trusted Gateway
Proxy application 2
Client Server
Packet-filtering firewall (router)
Trusted applications establish connections directly Applications gateway is single-homed
Information servers WWW servers
Proxy application 1
Client Server
Application Gateway
trusted application
INTERNET or nonsecure
network
Protected Network
Application Gateway
Proxy application: FTP
Proxy FTP
Client
Proxy FTP
Server
Proxy application: TELNET
Proxy TELNET Server
Proxy TELNET
Client
Other proxy applicationsclient
server
server
client
INTERNET or nonsecure
network
Protected Network
Dual-Homed Gateway
Proxy application 2
Client Server
Packet-filtering firewall (router)
All traffic goes through application gateway
Information servers WWW servers
Proxy application 1
ClientServer
Dual-Homed Application
Gateway
WWW requestScreened
Subnet
GOLDMAN & RAWLES: ADC3e FIG. 13-20
Packet Filters and Application Gateways
Chapter13-Network Security 54
INTERNET or nonsecure
network
Protected Network
Packet-filtering firewall (router)
Incoming IP packets examined Incoming IP source and destination addresses compared to filter tables Outgoing packets have direct access to Internet
Packet Filter Firewall
INTERNET or nonsecure
network
Protected Network
Trusted Gateway
Proxy application 2
Client Server
Packet-filtering firewall (router)
Trusted applications establish connections directly Applications gateway is single-homed
Information servers WWW servers
Proxy application 1
Client Server
Application Gateway
trusted application
INTERNET or nonsecure
network
Protected Network
Application Gateway
Proxy application: FTP
Proxy FTP
Client
Proxy FTP
Server
Proxy application: TELNET
Proxy TELNET Server
Proxy TELNET
Client
Other proxy applicationsclient
server
server
client
INTERNET or nonsecure
network
Protected Network
Dual-Homed Gateway
Proxy application 2
Client Server
Packet-filtering firewall (router)
All traffic goes through application gateway
Information servers WWW servers
Proxy application 1
ClientServer
Dual-Homed Application
Gateway
WWW requestScreened
Subnet
GOLDMAN & RAWLES: ADC3e FIG. 13-20
Proxies, Trusted Gateways, and Dual-Homed Gateways
Chapter13-Network Security 55
INTERNET FIREWALLSCategory of software known as internal firewalls has begun to emerge.Internal firewalls include filters that work on data link, network, and application layers to examine communications that occur only on a corporation’s internal network, inside reach of traditional firewall.Internal firewalls act as access control mechanisms, denying access to applications user does not have specific access approval.
Chapter13-Network Security 56
Authentication and Access Control
Authentication products break down into three overall categories: What you know - single sign-on (SSO)
access to multiple network attached servers and resources via passwords.
What you have - requires user to posses type of smart card or token authentication device to generate single use passwords.
What you are - validates users based on physical characteristic, i.e. fingerprints, hand geometry, or retinal scans.
Chapter13-Network Security 57
Token Authentication Provides one-time use session passwords authenticated by associated server software. Hardware based smart cards are
about size of credit card with or without numeric keypad.
In-line token authentication devices connect to serial port of computer for dial-in authentication through modem.
Software tokens are installed on the client PC and authenticated with server portion of token authentication product transparently to end user.
Chapter13-Network Security 58
Challenge-response token authentication
Challenge-response token authentication involves following steps: User enters an assigned user ID and
password at client. Token authentication server software
returns numeric string known as challenge.
Challenge number and PIN are entered on smart card.
Chapter13-Network Security 59
Challenge-response token authentication, cont’d
Smart card displays response number on LCD screen.
Response number is entered on client workstation and transmitted back to token authentication server.
Token authentication server validates response against expected response from user and this particular smart card.
Chapter13-Network Security 60
Smart Card
76731270
Client
PSTN
Authentication Server
Personal ID and smart card display are entered
into client PC
Authentication server compares received smart card generated
number to current time-synchronous server-generated number. If they match, the user is authenticated.
Personal ID and current number displayed on smart card (ie. 76731270)
Time Synchronous
Smart Card
11266542
Client
PSTN
Authentication Server
Response number from smart card display is entered into client PC and transmitted to authentication server
Authentication server compares received response number to
expected response number. If they match, the user is authenticated.
Response number displayed on smart card (ie. 11266542)
Challenge - Response
Smart Card
76731270
Client
PSTN
Authentication Server
Smart card ID is entered into
client PC
User ID and personal smart card ID number (ie. 76731270)
modem modem
Challenge number is returned to client (ie. 65490873)
Smart Card
65490873 Returned challenge number is entered into
smart card keypad
GOLDMAN & RAWLES: ADC3e FIG. 13-24
Challange-Response vs. Time-Synchronous Token
Authentication
Chapter13-Network Security 61
Biometric Authentication Biometric authentication can authenticate users based on fingerprints, palm prints, retinal patterns, voice recognition, or other physical characteristics.Biometric authentication devices require valid users first register by storing copies of fingerprints, voice, or retinal patterns in validation database.
Chapter13-Network Security 62
Authorization vs. Authentication
Authorization is concerned with assuring that properly authorized uses are able to access particular network resources.Authentication - ensures that only legitimate users are able to log into network.
Chapter13-Network Security 63
KERBEROSKerberos – combination of authentication and authorization software.Kerberos architecture consists of three key components: Kerberos client software Kerberos authentication server
software Kerberos application server software
Chapter13-Network Security 64
Personal computers running Kerberos client
software
Applications servers with at least one running Kerberos server software
Kerberos Server
Kerberos Realm A
router
Kerberos Realm C
Kerberos Realm DKerberos Realm B
Authentication Server
Ticket-Granting Server
Kerberos Database
Personal computers running Kerberos client
software
Applications servers with at least one running Kerberos server software
Kerberos server
router
Authentication Server
Ticket-Granting Server
Kerberos Database
Personal computers running Kerberos client
software
Applications servers with at least one running Kerberos server software
Kerberos server
router
Authentication Server
Ticket-Granting Server
Kerberos Database
Personal computers running Kerberos client
software
Applications servers with at least one running Kerberos server software
Kerberos server
router
Authentication Server
Ticket-Granting Server
Kerberos Database
Enterprise Network
GOLDMAN & RAWLES: ADC3e FIG. 13-25
Kerberos Architecture
Chapter13-Network Security 65
KERBEROS, cont’dKerberos must communicate directly with application.Kerberos enforces authentication and authorization through use of ticket based system. Encrypted ticket is issued for sever to client session and is valid for preset amount of time. From network analyst’s perspective, concern is centered on amount of network bandwidth consumed by addition of Kerberos security.
Chapter13-Network Security 66
Cryptography - creating and using encryption and decryption techniques.
Plaintext - data before any encryption has been performed.
Ciphertext - data after encryption has been performed.
Key is unique piece of information used to create ciphertext and decrypt ciphertext back into plaintext.
Basic Encryption and Decryption Techniques
Chapter13-Network Security 67
Encryption/Decryption
Chapter13-Network Security 68
CiphersA few ciphers to be examined: Monoalphabetic Substitution-based
Ciphers Polyalphabetic Substitution-based
Ciphers Transposition-based Ciphers
Chapter13-Network Security 69
Monoalphabetic substitution-based ciphers replace character or characters with different character or characters, based upon some key.
Replacing: abcdefghijklmnopqrstuvwxyz
With: POIUYTREWQLKJHGFDSAMNBVCXZ
The message: how about lunch at noon
encodes into EGVPO GNMKN HIEPM HGGH
Monoalphabetic Substitution-based Ciphers
Chapter13-Network Security 70
Similar to monoalphabetic ciphers except multiple alphabetic strings are used to encode the plaintext.
For example, matrix of strings, 26 rows by 26 characters or columns can be used.
Key such as COMPUTERSCIENCE is placed repeatedly over the plaintext.
COMPUTERSCIENCECOMPUTERSCIENCECOMPUTER
thisclassondatacommunicationsisthebest
Polyalphabetic Substitution-based Ciphers
Chapter13-Network Security 71
To encode the message, take the first letter of the plaintext, t, and the corresponding key character immediately above it, C. Go to row C column t in the 26x26 matrix and retrieve the cipher text character V. See next slide for 26 x 26 matrix.
Continue with other characters in plaintext.
Polyalphabetic Substitution-based Ciphers
Chapter13-Network Security 72
26 x 26 Cipher Character Matrix
Chapter13-Network Security 73
In transposition-based cipher, order of plaintext is not preserved.
As simple example, select key such as COMPUTER.
Number letters of word COMPUTER in order they appear in alphabet.
1 4 3 5 8 7 2 6
C O M P U T E R
Transposition-based Ciphers
Chapter13-Network Security 74
Transposition-based Ciphers
Now take the plaintext message and write it under the key.
1 4 3 5 8 7 2 6
C O M P U T E R
t h i s i s t h
e b e s t c l a
s s i h a v e e
v e r t a k e n
Transposition-based Ciphers, cont’d
Chapter13-Network Security 75
Then read ciphertext down the columns, starting with the column numbered 1, followed by column number 2.
TESVTLEEIEIRHBSESSHTHAENSCVKITAA
Transposition-based Ciphers, cont’d
Chapter13-Network Security 76
Powerful encryption technique in which two keys are used: first key (public key) encrypts message while second key (private key) decrypts message.
Not possible to deduce one key from other.
Not possible to break code given public key.
If you want someone to send you secure data, give them your public key, you keep private key.
Secure sockets layer on Internet is common example of public key cryptography.
Public Key Cryptography and Secure Sockets Layer
Chapter13-Network Security 77
Combination of encryption techniques, software, and services that involves all necessary pieces to support digital certificates, certificate authorities, and public key generation, storage, and management.
Digital certificate is an electronic document, similar to passport, that establishes your credentials when you are performing transactions.
Public Key Infrastructure
Chapter13-Network Security 78
Digital certificate contains your name, serial number, expiration dates, copy of your public key, and digital signature of certificate-issuing authority.
Certificates are usually kept in registry so other users may check them for authenticity.
Public Key Infrastructure, cont’d
Chapter13-Network Security 79
Certificates are issued by certificate authority (CA). CA is either specialized software on company network or trusted third party.
Let’s say you want to order something over Internet. Web site wants to make sure you are legitimate, so web server requests your browser to sign order with your private key (obtained from your certificate).
Public Key Infrastructure, cont’d
Chapter13-Network Security 80
Web server then requests your certificate from third party CA, validates that certificate by verifying third party’s signature, then uses that certificate to validate signature on your order.
User can do same procedure to make sure web server is not bogus operation.
Certificate revocation list is used to “deactivate” user’s certificate.
Public Key Infrastructure, cont’d
Chapter13-Network Security 81
Applications that could benefit from PKI:
• World Wide Web transactions
• Virtual private networks
• Electronic mail
• Client-server applications
• Banking transactions
Public Key Infrastructure, cont’d
Chapter13-Network Security 82
More powerful data encryption standard.
Data is encrypted using DES three times: the first time by first key, second time by second key, and third time by first key again. (Can also have 3 unique keys.)
While virtually unbreakable, triple-DES is CPU intensive.
With more smart cards, cell phones, and PDAs, a faster (and smaller) piece of code is highly desirable.
Triple-DES
Chapter13-Network Security 83
Selected by U.S. government to replace DES.
National Institute of Standards and Technology selected the algorithm Rijndael (pronounced rain-doll) in October 2000 as basis for AES.
AES has more elegant mathematical formulas, requires only one pass, and was designed to be fast, unbreakable, and able to support even smallest computing device.
Advanced Encryption Standard (AES)
Chapter13-Network Security 84
Key size of AES: 128, 192, or 256 bits.
Estimated time to crack (assuming a machine could crack a DES key in 1 second) : 149 trillion years.
Very fast execution with very good use of resources.
AES should be widely implemented by 2004.
Advanced Encryption Standard (AES)
Chapter13-Network Security 85
ENCRYPTION
Encryption - changing of data into indecipherable form before transmission.Decryption - changing unreadable text back into its original form. Types of encryption DES-Private Key RSA – Public key Digital signature Key Management Alternatives
Chapter13-Network Security 86
DES – Private Key Encryption
Decrypting device must use same algorithm to decode or decrypt data as encrypting device used to encrypt data. DES allows encryption devices manufactured by different firms to interoperate successfully. Encryption key customizes commonly known algorithm to prevent anyone without private key from decrypting documents.
Chapter13-Network Security 87
RSA – Public Key Encryption
Public key - combines usage of both public and private keys.In public key encryption, sensing encryption device encrypts document using intended recipient’s public key and originating party’s private key. To decrypt the document, receiving encryption/decryption device must be programmed with intended recipient’s own private key and sending party’s public key.
Chapter13-Network Security 88
Digital Signature Encryption
Digital signature encryption - electronic means of guaranteeing authenticity of sending party and assurance that encrypted documents have not been altered during transmission.Original document is processed by hashing program to produce a mathematical string unique to exact content of original document.Unique mathematical string is encrypted using originator’s private key.Encrypted digital signature is appended to and transmitted with encrypted original document.
Chapter13-Network Security 89
Digital Signature Encryption, cont’d
To validate authenticity of received document, recipient uses public key associated with apparent sender to regenerate digital signature from received encrypted document.Transmitted digital signature is compared by recipient to regenerated digital signature produced by using public key and received document.
Chapter13-Network Security 90
Company A client
INTERNET -or-
nonsecure network
Company B client
The private key must be distributed across nonsecure network.
Private Key -or- Symmetric
Original document
Private key
Encrypted document
Original documentPrivate
key
Encryption Decryption
Private key
Company A client
INTERNET -or-
nonsecure network
Company B client
Company B gets Company A's public key from Company A or from certificate authority.
Public Key
Original document
Private key
Encrypted document
Original document
encryption Decryption
Public key
A B+
Public key
Private key
A B+
Company A gets Company B's public key from Company B or from certificate authority.
Company A client
INTERNET -or-
nonsecure network
Company B client
Digital Signature
Original document
Private key
Encrypted document
Original document
Encryption decryption
Public key
A B+
Public key
Private key
A B+
Locally regenerated digital signature is compared to original
transmitted digital signature
A private
Digital signature encrypted OriginalA
publicdigital signature digital signatures
Regenerated
=
GOLDMAN & RAWLES: ADC3e FIG. 13-26
Private, & Public, and Digital Signature Encryption
Chapter13-Network Security 91
Key Management Alternatives
Key Management - Before computers can communicate in secure manner, they must be able to agree on encryption and authentication algorithms and establish keys.Standards for key management: ISAKMP (Internal Security Association and
Key Management Protocol) from IETF. Largely replaced by IKE (Internet Key Exchange).
SKIP (Simple Key Management for IP)
Chapter13-Network Security 92
Key Management Alternatives, cont’d
Public key dissemination must be managed so users are assured public keys received are actually public keys of companies or organizations they are alleged to be.Public key infrastructures that link user to are implemented through use of server based software known as certificate services.Certificate server software supports encryption and digital signatures while flexibility supporting directory integration, multiple certificate types, and variety of request fulfillment options.
Chapter13-Network Security 93
Document to be signed is sent through complex mathematical computation that generates hash.
Hash is encoded with owner’s private key.
To prove future ownership, hash is decoded using owner’s public key and hash is compared with current hash of document.
If two hashes agree, document belongs to owner.
U.S. has just approved legislation to accept digitally signed documents as legal proof.
Digital Signatures
Chapter13-Network Security 94
Applied Security Scenarios Install only software/hardware need. Allow only essential traffic into/out of
network. Eliminate other traffic by blocking with routers or firewalls.
Investigate outsourcing web-hosting services so corporate web server is not physically on same network as rest of corporate information assets.
Use routers to filter traffic by IP addresses.
Chapter13-Network Security 95
Applied Security Scenarios, cont’d
Make sure router OS software has been patched to prevent attacks by exploiting TCP vulnerabilities.
Identify information assets most critical to corporation, and protect those servers first.
Implement physical security constraints to hinder physical access to critical resources such as servers.
Chapter13-Network Security 96
Applied Security Scenarios, cont’d
Develop effective, and enforceable security policy. Monitor its implementation and effectiveness.
Consider installing proxy server or application layer firewall.
Block incoming DNS queries and requests for zone transfers.
Disable all TCP ports and services not essential so hackers are not able to exploit and use services.
Chapter13-Network Security 97
Integration with Information Systems and Application
Development Authentication products must be integrated with existing information systems and applications development efforts.APIs (Application Program Interfaces) are means by which authentication products are able to integrate with client/server applications.Application development fits combine an application development language with supported APIs.
Chapter13-Network Security 98
Remote Access Security Protocol and associated architecture known as remote authentication dial-in user (RADIUS) offers potential to enable centralized management of remote access users and technology.RADIUS enables communication between following three tiers of technology: Remote access devices such as remote
access servers and token authentication technology from variety of vendors.
Enterprise databases that contain authentication and access control information.
RADIUS authentication server.
Chapter13-Network Security 99
Remote access server BRAND B
Remote access server BRAND A
Remote access server BRAND C
RADIUS server
RADIUS management
console
Remote user
Remote user
Modem
Modem
INTERNET or nonsecure network users
PC
PC Modem
Modem
modem
User authentication
database
Accounting and authentication
information
Secure network
Firewall
A wide variety of remote access servers and firewalls from numerous vendors can all be managed by RADIUS Large numbers of remote access users accessing the network from numerous different points and using different authentication techniques can all be managed by RADIUS
GOLDMAN & RAWLES: ADC3e FIG. 13-28
RADIUS
Chapter13-Network Security 100
Remote Access Security, cont’d
RADIUS allows network managers to centrally manage remote access users, access methods, and logon restrictions.RADIUS allows centralized auditing capabilities such as keeping track of volume of traffic sent and amount of time on-line.For authentication, it supports password authentication protocol (PAP), challenge handshake authentication protocol (CHAP), and SecurID token authentication.
Chapter13-Network Security 101
Password Authentication Protocol (PAP),
PAP is designed for dial in communication.PAP repeatedly sends user ID and password to authenticating system in clear text pairs until it is acknowledged or connection is dropped.
Chapter13-Network Security 102
Challenge Handshake Authentication Protocol
(CHAP)CHAP provides secure means for establishing dial in communication.CHAP uses three-way challenge or handshake that includes user ID, password, and key encryption for ID and password. Problem with system is some mechanism must be in place for both receiver and sender to know and have access to key.
Chapter13-Network Security 103
E-Mail, Web, and Internet/Intranet Security
Two primary standards for encrypting traffic on the WWW S-HTTP (Secure Hypertext Transport
Protocol) – secure version of HTTP requires both client and server S-HTTP versions to be installed for secure end-to-end encrypted transmission.
SSL – SSL is described as wrapping an encrypted envelope around HTTP transmissions. SSL is connection-level encryption method providing security to network link itself.
Chapter13-Network Security 104
E-Mail, Web, and Internet/Intranet Security,
cont’d
Secure Courier and is offered by Netscape.Secure Courier is based on SSL and allows users to create a secure digital envelope for transmission of financial transactions over Internet.
Chapter13-Network Security 105
E-Mail, Web, and Internet/Intranet Security,
cont’d
Additional forms of security are: PCT PEM PGP SET S/MIME Virtual Private Network Security
Chapter13-Network Security 106
Private Communications Technology (PCT)
Microsoft’s version of SSLPCT supports secure transmissions across unreliable (UDP rather TCP based) connections by allowing decryption of transmitted records independently from each other, as transmitted in individual datagrams. Targeted primarily toward on-line commerce and financial transactions
Chapter13-Network Security 107
Privacy Enhanced Mail (PEM)
PEM - encryption technique for e-mail use on Internet used in association with SMTP (Single Mail Transport Protocol).PEM was designed to use both DES and RSA encryption techniques, but it would work with other encryption algorithms as well.
Chapter13-Network Security 108
Pretty Good Privacy (PGP)
An Internet e-mail specific encryption standard that also uses digital signature encryption to guarantee the authenticity, security, and message integrity PGP over-comes inherent security loopholes with public/private key security schemes by implementing Web of trust in which e-mail users electronically sign each other’s public keys to create an interconnected group of key users.
Chapter13-Network Security 109
Secure Electronic Transactions (SET)
SET - series of standards to assure confidentiality of electronic commerce transactions.Standards are becoming promoted by credit card giants VISA and MasterCard.A single SET compliant electronic transaction could require as many as six cryptographic functions, taking from one-third to one-half of second on high-powered UNIX workstation.An important aspect of SET standards is incorporation of digital certificates or DIgital IDs
Chapter13-Network Security 110
Secure Multipurpose Internet Mail Extension (S/MIME)
S/MEME secures e-mail in e-mail applications that have been S/MEME enabled.S/MEME enables different e-mail systems to exchange encrypted messages and encrypt multimedia as well as text based e-mail.
Chapter13-Network Security 111
Virtual Private Network (VPN) Security
To provide virtual private networking capabilities using the Internet as an enterprise network backbone, specialized tunneling protocols needed to be developed that could establish private, secure channels between connected systems.Two rival standards are examples of such tunneling protocols: Microsoft’s point-to-point tunneling protocol
(PPTP) Cisco’s layer two forwarding (L2F)
Chapter13-Network Security 112
Virtual Private Network (VPN) Security, cont’d
Unification of two rival standards is known as layer 2 tunneling protocol (L2TP). One shortcoming of proposed specification is that it does not deal with security issues such as encryption and authentication.Next slide illustrates use of tunneling protocols to build VPN using Internet as enterprise network backbone.
Chapter13-Network Security 113
VIRTUAL PRIVATE NETWORK
INTERNET
Tunneling protocol:PPTP L2F L2TP
CORPORATE HEADQUARTERS
REMOTE CLIENT
ADSL, ISDN, or modem connection
ROUTER at corporate headquarters strips off tunneling protocols and forwards transmission to corporate LAN
Local Internet Service Provider creates a virtual private tunnel using tunneling protocol.
GOLDMAN & RAWLES: ADC3e FIG. 13-29
Tunneling Protocols Enable Virtual Private Networks
Chapter13-Network Security 114
Virtual Private Network (VPN) Security, cont’d
IPsec - protocol that ensures encrypted communications across Internet via VPN through use of manually exchange.IPsec supports only IP-based communications.IPsec is standard that should enable interoperability between firewalls supporting protocol.
Chapter13-Network Security 115
PPTP
PPTP is essentially tunneling protocol that allows managers to choose whatever encryption or authentication technology they wish to hang off either end of the established tunnel.PPTP Microsoft tunneling protocol specific to Windows NT and remote access servers.PPTP concerned with secure remote access in that PPP-enabled clients would be able to dial into corporate network by Internet.
Chapter13-Network Security 116
Enterprise Network Security
To maintain proper security over widely distributed enterprise network, it is essential to be able to conduct certain security-related processes from single, centralized security management location.
Chapter13-Network Security 117
Enterprise Network Security, cont’d
Among these processes or functions are Single point of registration (SPR) allows
network security manager to enter new user (or delete terminated user) from single centralized location and assign all associated rights, privileges, etc.
Single sign-on (SSO) also sometimes known as secure single sign-on (SSSO), allows users to log into enterprise network and be authenticated from client PC location.
Chapter13-Network Security 118
Enterprise Network Security, cont’d
Single access control view allows users access from client workstation to only display resources user actually has access too.
Security auditing and intrusion detection is able to track and identify suspicious behaviors from both internal employees and potential intruders. Detection and response to such events must be controlled from centralized security management location.
Chapter13-Network Security 119
Government Impact
Government agencies play major role in area of network security. Two primary functions of government agencies are: Standards making organizations that set
standards for the design, implementation, and certification of security technology and systems.
Regulatory agencies that control export of security technology to company’s international locations.