8/3/2019 networksecurity (2)
1/35
Overview of Network Security
Presentation Content
What is Internet?
What do we need to protect?
Threat Motivation
Attack Types
Security Objectives
Security mechanisms
References
What is Internet?
The Internet is a worldwide IP network that links a collection of different networks from various sources: governmental, educational and commercial.
What do we need to protect
Data
Resources
Reputation
Threat Motivation
Spy
Joyride
Ignorance
Score Keeper
Revenge
Greed
Terrorist
Types of Attacks
Passive
Active
Denial of Services
Social Engineering
TCP 3 way handshake
Client -> Server: SYN(X)
Server -> Client: SYN(Y), ACK(X)   (half open)
Client -> Server: ACK(Y)   (full open)
X, Y are sequence numbers
TCP Session Hijack
Client (146.135.12.1) holds a valid TCP connection with the Server.
Attacker -> Server: SYN(X), initiating TCP with 146.135.12.1 as source
Server -> 146.135.12.1: SYN(Y), ACK(X)   (half open)
Attacker: complete TCP connection
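The two slides above, as an added model (not code from the original deck): a server that tracks half-open and full-open entries, showing that the handshake completes only with the Y the server chose, that the SYN/ACK carrying Y always goes to the claimed source address, and therefore why an unpredictable initial sequence number is the mitigation. The `predictable_isn` switch, the `Server` class and the addresses are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Server:
    """Server side of the TCP 3-way handshake (constructed model, not real sockets)."""
    half_open: dict = field(default_factory=dict)   # (src_ip, src_port) -> Y
    full_open: set = field(default_factory=set)
    predictable_isn: bool = False                    # toggle: sequential vs random Y
    last_isn: int = 1000

    def choose_isn(self):
        if self.predictable_isn:            # weak: Y is easy to guess
            self.last_isn += 1
            return self.last_isn
        return secrets.randbelow(2**32)     # mitigation: unpredictable Y

    def on_syn(self, src, x):
        """SYN(X) arrives: record a half-open entry and reply SYN(Y), ACK(X).
        The reply is addressed to the claimed source, whoever really sent it."""
        y = self.choose_isn()
        self.half_open[src] = y
        return {"to": src, "SYN": y, "ACK": x}

    def on_ack(self, src, y):
        """ACK(Y) moves the entry to full open only if Y is the one chosen for src."""
        if self.half_open.get(src) != y:
            return False
        del self.half_open[src]
        self.full_open.add(src)
        return True


def honest_handshake(server, client):
    """The client really receives SYN(Y), ACK(X), so it can answer ACK(Y)."""
    reply = server.on_syn(client, x=1)
    return server.on_ack(client, reply["SYN"])


def spoofed_syn_completes(server, victim, guessed_y):
    """SYN carrying the victim's address as source: the SYN/ACK goes to the
    victim, so the sender never sees Y and can only guess it."""
    reply = server.on_syn(victim, x=1)
    assert reply["to"] == victim          # Y leaves towards the victim, not the sender
    return server.on_ack(victim, guessed_y)
```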
Security Objectives
Identification
Authentication
Authorization
Access Control
Data Integrity
Confidentiality
Non-repudiation
Identification
Something which uniquely identifies a user and is called the UserID.
Sometimes users can select their own ID, as long as it is not already given to another user.
A UserID can be one or a combination of the following:
User Name
User Student Number
User SSN
Authentication
The process of verifying the identity of a user.
Typically based on:
Something the user knows: Password
Something the user has: Key, smart card, disk, or other device
Something the user is: fingerprint, voice, or retinal scans
Authentication Cont.
Authentication procedure
Two-Party Authentication
One-Way Authentication
Two-Way Authentication
Third-Party Authentication
Kerberos
X.509
Single Sign On
User can access several network resources by logging on once to a security system.
Two-Party Authentications
One-way Authentication: Client -> Server: UserID & Password; Server: Authenticated
Two-way Authentication: Client -> Server: UserID & Password; Server: Authenticated; Server -> Client: ServerID & Password; Client: Authenticated
Third-Party Authentications
Client -> Security Server: ClientID, Password; Security Server: Authenticated
Server -> Security Server: ServerID, Password; Security Server: Authenticated
Security Server <-> Client, Server: Exchange Keys
Client <-> Server: Exchange Data
Authorization
The process of assigning access rights to a user.
Access Control
The process of enforcing access rights, based on the following three entities:
Subject: an entity that can access an object
Object: an entity to which access can be controlled
Access Right: defines the ways in which a subject can access an object.
Access Control
Access Control is divided into two:
Discretionary Access Control (DAC)
The owner of the object is responsible for setting the access right.
Mandatory Access Control (MAC)
The system defines the access right based on how the subject and object are classified.
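The subject/object/access-right model from the two Access Control slides, as an added example (not code from the original deck): DAC lets only the owner edit an object's rights list, MAC lets the system decide from classifications alone, and enforcement requires both to agree. The classification ladder and the Bell-LaPadula read-down/write-up rule used for MAC are assumptions for the example; the slides only say the system decides from how subject and object are classified.

```python
from dataclasses import dataclass, field

# Constructed classification ladder for MAC: higher index = more sensitive.
LEVELS = ["public", "internal", "confidential", "secret"]


@dataclass
class Subject:
    name: str
    clearance: str


@dataclass
class Object:
    name: str
    owner: str
    classification: str
    acl: dict = field(default_factory=dict)   # DAC: subject name -> set of rights


def dac_grant(obj, requester, subject, right):
    """DAC: only the object's owner may set access rights on it."""
    if requester != obj.owner:
        return False
    obj.acl.setdefault(subject, set()).add(right)
    return True


def dac_check(subject, obj, right):
    return right in obj.acl.get(subject.name, set())


def mac_check(subject, obj, right):
    """MAC: the system decides from the classifications alone. The rule used
    here (an assumption) is Bell-LaPadula: no read up, no write down."""
    s, o = LEVELS.index(subject.clearance), LEVELS.index(obj.classification)
    if right == "read":
        return s >= o
    if right == "write":
        return s <= o
    return False


def access_allowed(subject, obj, right):
    """Enforcement: the owner's discretionary grant and the system's mandatory
    rule must both allow the access."""
    return dac_check(subject, obj, right) and mac_check(subject, obj, right)
```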
Data Integrity
Assurance that the data that arrives is the same as when it was sent.
Confidentiality
Assurance that sensitive information is not visible to an eavesdropper. This is usually achieved using encryption.
Non-repudiation
Assurance that any transaction that takes place can subsequently be proved to have taken place.
Both the sender and the receiver agree that the exchange took place.
Security Mechanisms
Web Security
Cryptographic techniques
Internet Firewalls
Web Security
Basic Authentication
Secure Socket Layer (SSL)
Basic Authentication
A simple user ID and password-based authentication scheme, which provides the following:
To identify which user is accessing the server
To limit users to accessing specific pages (identified as Universal Resource Locators, URLs)
Secure Socket Layer (SSL)
Netscape Inc. originally created the SSL protocol, but now it is implemented in World Wide Web browsers and servers from many vendors. SSL provides the following:
- Confidentiality through an encrypted connection based on symmetric keys
- Authentication using public key identification and verification
- Connection reliability through integrity checking
There are two parts to the SSL standard, as follows:
The SSL Handshake is a protocol for initial authentication and transfer of encryption keys.
The SSL Record protocol is a protocol for transferring encrypted data.
- The client sends a "hello" message to the Web server, and the server responds with a copy of its digital certificate.
- The client decrypts the server's public key using the well-known public key of the Certificate Authority, such as VeriSign.
Cryptographic Techniques
Secret Key Algorithm
Public Key Algorithm
Secure Hash Function
Digital Signature
Certificate Authority
Secret Key Algorithm
Bob: Clear Text -> Encryption (Secret Key) -> Cipher Text
Alice: Cipher Text -> Decryption (Secret Key) -> Clear Text
Public Key Algorithm
Bob: Clear Text -> Encryption (Alice's Public Key) -> Cipher Text
Alice: Cipher Text -> Decryption (Alice's Private Key) -> Clear Text
Secure Hash Function
Bob: Clear Text + Key -> Hash Function -> Message Digest
Bob -> Alice (over Non-Secure Network): Original Clear Text, Original Message Digest
Alice: Original Clear Text + Key -> Hash Function -> Computed Message Digest
Alice: Compare Original Message Digest with Computed Message Digest?
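The keyed-digest exchange in the Secure Hash Function slide, as an added example (not code from the original deck), also serving the Data Integrity objective: Bob sends the clear text with its digest, Alice recomputes and compares, and a change in transit is detected. HMAC-SHA256 is assumed as the keyed hash function; the unkeyed variant at the end shows why the Key in the diagram matters.

```python
import hashlib
import hmac


def message_digest(key: bytes, clear_text: bytes) -> bytes:
    """Hash Function with Key from the slide. HMAC-SHA256 is used as the keyed
    hash (an assumption; the slide names only a hash function that takes a key)."""
    return hmac.new(key, clear_text, hashlib.sha256).digest()


def bob_send(key: bytes, clear_text: bytes) -> dict:
    """What crosses the Non-Secure Network: Original Clear Text + Original Message Digest."""
    return {"clear_text": clear_text, "digest": message_digest(key, clear_text)}


def alice_receive(key: bytes, packet: dict) -> bool:
    """Recompute the digest over the received text and compare it with the
    received one (constant-time), answering the slide's 'Compare?' box."""
    computed = message_digest(key, packet["clear_text"])
    return hmac.compare_digest(computed, packet["digest"])


def modified_in_transit(packet: dict, new_text: bytes) -> dict:
    """Model an on-path change of the text; the digest travels unchanged."""
    return {"clear_text": new_text, "digest": packet["digest"]}


# Contrast: the same scheme without the Key. Anyone who can change the text can
# also recompute an unkeyed digest, so the compare step then proves nothing.
def unkeyed_digest(clear_text: bytes) -> bytes:
    return hashlib.sha256(clear_text).digest()


def unkeyed_receive(packet: dict) -> bool:
    return hmac.compare_digest(unkeyed_digest(packet["clear_text"]), packet["digest"])
```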
Digital Signature
Alice: Clear Text -> Encryption (Alice's Private Key) -> Cipher Text
Bob: Cipher Text -> Decryption & Authentication (Alice's Public Key) -> Clear Text
Certificate Authority
Bob -> Certificate Authority: Publish Public Key
Alice -> Certificate Authority: Request Bob's Public Key
Certificate Authority -> Alice: Bob's Public Key
Alice -> Bob: Cipher Text
Internet Firewall
A firewall controls traffic flow between networks.
A firewall uses the following techniques:
Packet Filters
Application Proxy
Socks servers
Secure Tunnel
Screened Subnet Architecture
Packet Filtering
Most commonly used firewall technique
Operates at the IP level
Checks each IP packet against the filter rules before passing (or not passing) it on to its destination.
Very fast compared with other firewall techniques
Hard to configure
Packet Filter
Non-Secure Network -- Packet Filtering Server -- Secure Network
Firewall Conclusion:
Not the complete answer
The fox is inside the henhouse: Host security + User education
Cannot control back door traffic: any dial-in access; Management problems
Cannot fully protect against new viruses: Antivirus on each host machine
Needs to be correctly configured: The security policy must be enforced