Network Security - Introduction While computer systems today have good security systems, they are also vulnerable. Vulnerability stems from world-wide access to computer systems via the Internet. Computer and network security comes in many forms including encryption algorithms, access to facilities, digital signatures, fingerprints, face scans, other biometric means, and passwords.
Companies are reluctant to publicly admit that they have suffered losses due to failed network security.
Security goals must be set by IT, BUT SUPPORTED BY HIGHEST LEVELS OF MANAGEMENT.
Basic Security Measures Basic security measures for computer systems fall into eight categories: external security, operational security, surveillance, passwords, auditing, access rights, standard system attacks, viruses.
External Security Protection from environmental damage such as floods, earthquakes, and heat. Physical security such as locking rooms, locking down computers, keyboards, and other devices. Electrical protection from power surges. Electromagnetic noise protection from placing computers away from devices that generate electromagnetic interference.
Operational Security Deciding who has access to what. Limiting time of day access. Limiting day of week access. Limiting access from a location, such as not allowing user to use a remote login during certain periods or any time.
Many new forms of “passwords” are emerging (biometrics):
Retina scans and iris scans
Auditing as Security Creating computer or paper audit can help detect wrongdoing. Auditing can also be used as a deterrent. Many network operating systems allow administrator to audit most types of transactions.
Security probes test various aspects of enterprise network security and report results and suggest improvements.
Intrusion detection systems test perimeter of enterprise network through dial modems, remote access servers, web servers, or Internet access.
Network based intrusion detection systems use network traffic probes distributed throughout network to identify traffic patterns that may indicate some type of attack is underway.
Access Rights as Security Two basic questions to access rights: who and how? Who do you give access rights to? No one, group of users, entire set of users? What level of access does a user or group of users get? Read, write, delete, print, copy, execute? Procedures set to remove people who leave or transfer. Most network OS have a system for assigning access rights.
Consider risks – probability of successfully attacking particular asset
Identify risk domains – groups of network systems sharing common functions and common elements of exposure.
Take protective measures – Virus protection, firewalls, authentication, encryption
Firewalls, cont’d System or combination of systems that supports an access control policy between two networks. Firewall can limit types of transactions that enter system, as well as types of transactions that leave system. Firewalls can be programmed to stop certain types or ranges of IP addresses, as well as certain types of TCP port numbers (applications).
Firewalls, cont’d Packet filter firewall - essentially router that has been programmed to filter out or allow in certain IP addresses or TCP port numbers. Proxy server - more advanced firewall that acts as doorman into corporate network. Any external transaction that requests something from corporate network must enter through proxy server. Proxy servers are more advanced but make external accesses slower.
The following attack strategies exploit the three-step exchange:
Denial of service attack – hacker floods server with requests to connect to non-existent servers
Land attack – hacker substitutes targeted server’s own address as address of server requesting connection
Guarding Against Viruses Signature-based scanners look for particular virus patterns or signatures and alert user. Terminate-and-stay-resident programs run in background constantly watching for viruses and their actions. Multi-level generic scanning is combination of antivirus techniques including intelligent checksum analysis and expert system analysis.
Standard System Attacks, cont’d Denial of service attacks - bombard computer site with so many messages that site is incapable of answering valid requests. E-mail bombing - user sends an excessive amount of unwanted e-mail. Smurfing - technique in which program attacks network by exploiting IP broadcast addressing operations. Ping storm - Internet Ping program is used to send flood of packets to server.
Standard System Attacks, cont’d Spoofing - user creates packet that appears to be something else or from someone else. Trojan Horse - malicious piece of code hidden inside seemingly harmless piece of code. Stealing, guessing, and intercepting passwords is also tried and true form of attack.
CRC checkers or hashing checkers create and save a unique cyclical redundancy check character for each file to be monitored. Each time that file is subsequently saved, new CRC is checked against the reference CRC.
If CRCs do not match, then file has been changed. Shortcoming of technology - only able to detect viruses after infection.
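The reference-value check described above, as an added Python example that is not part of the original slides. It stores both a CRC-32 and a SHA-256 per file; the file names, contents and function names are constructed for the demonstration.

```python
import hashlib
import tempfile
import zlib
from pathlib import Path


def fingerprint(path):
    """Return (CRC-32, SHA-256) for one file, read in chunks.

    CRC-32 catches accidental change; SHA-256 also resists deliberate collisions.
    """
    crc, sha = 0, hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
            sha.update(chunk)
    return crc, sha.hexdigest()


def build_baseline(paths):
    """Reference values, saved while the files are known to be clean."""
    return {Path(p): fingerprint(p) for p in paths}


def check(baseline, current_paths):
    """Compare current files with the reference values."""
    report = {"changed": [], "missing": [], "new": []}
    for path, reference in baseline.items():
        if not path.exists():
            report["missing"].append(path.name)
        elif fingerprint(path) != reference:
            report["changed"].append(path.name)
    known = set(baseline)
    report["new"] = sorted(Path(p).name for p in current_paths if Path(p) not in known)
    return report


def demo():
    """Constructed files: take a baseline, then edit, delete and add one file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("app.bin", "config.ini", "notes.txt"):
            (root / name).write_bytes(b"original contents of " + name.encode())
        baseline = build_baseline(root.iterdir())
        with open(root / "app.bin", "ab") as fh:
            fh.write(b" appended bytes")      # content and size both change
        (root / "notes.txt").unlink()
        (root / "dropped.bin").write_bytes(b"file that was never baselined")
        return check(baseline, root.iterdir())
```

The check only reports a change after it has happened, which is the shortcoming the slide names; the baseline itself has to be stored where the monitored system cannot rewrite it.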
Active control monitors are able to examine transmissions from Internet in real time and identify known malicious content based on contents of definition libraries.
Virus Infection Points of Attack and Protective Measures
Category of software known as internal firewalls has begun to emerge.
Internal firewalls include filters that work on data link, network, and application layers to examine communications that occur only on a corporation’s internal network, inside reach of traditional firewall.
Internal firewalls act as access control mechanisms, denying access to applications user does not have specific access approval.
Kerberos must communicate directly with application.
Kerberos enforces authentication and authorization through use of ticket-based system. Encrypted ticket is issued for server to client session and is valid for preset amount of time.
From network analyst’s perspective, concern is centered on amount of network bandwidth consumed by addition of Kerberos security.
Basic Encryption and Decryption Techniques Cryptography - creating and using encryption and decryption techniques. Plaintext - data before any encryption has been performed. Ciphertext - data after encryption has been performed. Key is unique piece of information used to create ciphertext and decrypt ciphertext back into plaintext.
Monoalphabetic Substitution-based Ciphers Monoalphabetic substitution-based ciphers replace character or characters with different character or characters, based upon some key.
Replacing: abcdefghijklmnopqrstuvwxyz
With:      POIUYTREWQLKJHGFDSAMNBVCXZ
The message: how about lunch at noon
encodes into: EGVPO GNMKN HIEPM HGGH
Polyalphabetic Substitution-based Ciphers Similar to monoalphabetic ciphers except multiple alphabetic strings are used to encode the plaintext. For example, matrix of strings, 26 rows by 26 characters or columns can be used. Key such as COMPUTERSCIENCE is placed repeatedly over the plaintext.
COMPUTERSCIENCECOMPUTERSCIENCECOMPUTER
thisclassondatacommunicationsisthebest
Polyalphabetic Substitution-based Ciphers To encode the message, take the first letter of the plaintext, t, and the corresponding key character immediately above it, C. Go to row C column t in the 26x26 matrix and retrieve the cipher text character V. See next slide for 26 x 26 matrix. Continue with other characters in plaintext.
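Both substitution schemes from the slides above, as an added Python example that is not part of the original deck; it also shows which ciphertext letters each plaintext letter turns into under each scheme. The 26x26 matrix is assumed to be the standard one in which each row is the alphabet rotated to start at the row letter (consistent with row C, column t giving V); function names are illustrative.

```python
import string

LOWER, UPPER = string.ascii_lowercase, string.ascii_uppercase
MONO_KEY = "POIUYTREWQLKJHGFDSAMNBVCXZ"   # substitution alphabet from the slide


def letters(text):
    """Keep only a-z, lower-cased (spaces and punctuation are dropped)."""
    return [c for c in text.lower() if c in LOWER]


def mono_encrypt(plaintext, key=MONO_KEY):
    table = dict(zip(LOWER, key))          # one fixed alphabet for every position
    return "".join(table[c] for c in letters(plaintext))


def mono_decrypt(ciphertext, key=MONO_KEY):
    table = dict(zip(key, LOWER))
    return "".join(table[c] for c in ciphertext if c in table)


def tableau_row(key_letter):
    """Assumed matrix row: the alphabet rotated to start at key_letter."""
    shift = UPPER.index(key_letter)
    return UPPER[shift:] + UPPER[:shift]


def poly_encrypt(plaintext, key):
    # Key repeats over the plaintext; row = key letter, column = plaintext letter.
    return "".join(tableau_row(key[i % len(key)])[LOWER.index(c)]
                   for i, c in enumerate(letters(plaintext)))


def poly_decrypt(ciphertext, key):
    return "".join(LOWER[tableau_row(key[i % len(key)]).index(c)]
                   for i, c in enumerate(ciphertext))


def images(plaintext, ciphertext):
    """Map each plaintext letter to the set of ciphertext letters it became."""
    seen = {}
    for p, c in zip(letters(plaintext), ciphertext):
        seen.setdefault(p, set()).add(c)
    return seen


if __name__ == "__main__":
    msg = "this class on data communications is the best"
    mono, poly = mono_encrypt(msg), poly_encrypt(msg, "COMPUTERSCIENCE")
    print(mono_encrypt("how about lunch at noon"))
    print(poly)
    # A fixed alphabet preserves letter frequencies; the repeating key spreads them.
    print(sorted(images(msg, mono)["s"]), sorted(images(msg, poly)["s"]))
```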
Transposition-based Ciphers In transposition-based cipher, order of plaintext is not preserved. As simple example, select key such as COMPUTER. Number letters of word COMPUTER in order they appear in alphabet.
1 4 3 5 8 7 2 6
C O M P U T E R
Transposition-based Ciphers, cont’d Now take the plaintext message and write it under the key.
1 4 3 5 8 7 2 6
C O M P U T E R
t h i s i s t h
e b e s t c l a
s s i h a v e e
v e r t a k e n
Transposition-based Ciphers, cont’d Then read ciphertext down the columns, starting with the column numbered 1, followed by column number 2.
TESVTLEEIEIRHBSESSHTHAENSCVKITAA
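The three transposition steps above (number the key, write the message under it, read down the columns) as an added Python example that is not part of the original slides. It goes one step beyond the deck by also decrypting and by handling a message that does not fill the last row; function names are illustrative.

```python
def column_order(key):
    """Number the key letters by alphabetical position (ties left to right)."""
    ranked = sorted(range(len(key)), key=lambda i: (key[i], i))
    order = [0] * len(key)
    for rank, position in enumerate(ranked, start=1):
        order[position] = rank
    return order


def read_sequence(key):
    """Column indexes in the order they are read: column numbered 1 first."""
    order = column_order(key)
    return sorted(range(len(key)), key=lambda i: order[i])


def transpose_encrypt(plaintext, key):
    text = [c for c in plaintext.lower() if c.isalpha()]
    width = len(key)
    # text[col::width] is everything written under one key letter.
    return "".join("".join(text[col::width]) for col in read_sequence(key)).upper()


def transpose_decrypt(ciphertext, key):
    width = len(key)
    full_rows, extra = divmod(len(ciphertext), width)
    columns, pos = {}, 0
    for col in read_sequence(key):
        # The first `extra` columns are one letter longer when the last row is short.
        height = full_rows + (1 if col < extra else 0)
        columns[col] = ciphertext[pos:pos + height]
        pos += height
    rows = full_rows + (1 if extra else 0)
    return "".join(columns[col][r]
                   for r in range(rows)
                   for col in range(width)
                   if r < len(columns[col])).lower()


if __name__ == "__main__":
    key = "COMPUTER"
    print(column_order(key))
    secret = transpose_encrypt("this is the best class i have ever taken", key)
    print(secret)
    print(transpose_decrypt(secret, key))
```

The ciphertext contains exactly the letters of the plaintext, only reordered, so letter frequencies are unchanged.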
Public Key Cryptography and Secure Sockets Layer Powerful encryption technique in which two keys are used: first key (public key) encrypts message while second key (private key) decrypts message. Not possible to deduce one key from other. Not possible to break code given public key. If you want someone to send you secure data, give them your public key, you keep private key. Secure sockets layer on Internet is common example of public key cryptography.
Public Key Infrastructure Combination of encryption techniques, software, and services that involves all necessary pieces to support digital certificates, certificate authorities, and public key generation, storage, and management. Digital certificate is an electronic document, similar to passport, that establishes your credentials when you are performing transactions.
Public Key Infrastructure, cont’d Digital certificate contains your name, serial number, expiration dates, copy of your public key, and digital signature of certificate-issuing authority. Certificates are usually kept in registry so other users may check them for authenticity.
Public Key Infrastructure, cont’d Certificates are issued by certificate authority (CA). CA is either specialized software on company network or trusted third party. Let’s say you want to order something over Internet. Web site wants to make sure you are legitimate, so web server requests your browser to sign order with your private key (obtained from your certificate).
Public Key Infrastructure, cont’d Web server then requests your certificate from third party CA, validates that certificate by verifying third party’s signature, then uses that certificate to validate signature on your order. User can do same procedure to make sure web server is not bogus operation. Certificate revocation list is used to “deactivate” user’s certificate.
Triple-DES More powerful data encryption standard. Data is encrypted using DES three times: the first time by first key, second time by second key, and third time by first key again. (Can also have 3 unique keys.) While virtually unbreakable, triple-DES is CPU intensive. With more smart cards, cell phones, and PDAs, a faster (and smaller) piece of code is highly desirable.
Advanced Encryption Standard (AES) Selected by U.S. government to replace DES. National Institute of Standards and Technology selected the algorithm Rijndael (pronounced rain-doll) in October 2000 as basis for AES. AES has more elegant mathematical formulas, requires only one pass, and was designed to be fast, unbreakable, and able to support even smallest computing device.
Advanced Encryption Standard (AES) Key size of AES: 128, 192, or 256 bits. Estimated time to crack (assuming a machine could crack a DES key in 1 second): 149 trillion years. Very fast execution with very good use of resources. AES should be widely implemented by 2004.
Public key dissemination must be managed so users are assured public keys received are actually public keys of companies or organizations they are alleged to be.
Public key infrastructures that link user to are implemented through use of server based software known as certificate services.
Certificate server software supports encryption and digital signatures while flexibly supporting directory integration, multiple certificate types, and variety of request fulfillment options.
Digital Signatures Document to be signed is sent through complex mathematical computation that generates hash. Hash is encoded with owner’s private key. To prove future ownership, hash is decoded using owner’s public key and hash is compared with current hash of document. If two hashes agree, document belongs to owner. U.S. has just approved legislation to accept digitally signed documents as legal proof.
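The hash, sign and compare sequence described above, as an added Python example that is not part of the original slides. It uses textbook RSA without padding and a key constructed from two known Mersenne primes, which is far too small for real use; production systems use a vetted library with a padded scheme such as RSA-PSS. All names and the sample order text are constructed.

```python
import hashlib

# Constructed demonstration key (assumption): two Mersenne primes, about 234 bits.
P, Q = 2**107 - 1, 2**127 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, kept by the owner


def digest(document: bytes) -> int:
    """Hash of the document, reduced so it fits under the small demo modulus."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N


def sign(document: bytes) -> int:
    """Owner encodes the hash with the private key."""
    return pow(digest(document), D, N)


def verify(document: bytes, signature: int) -> bool:
    """Anyone decodes with the public key and compares with the current hash."""
    return pow(signature, E, N) == digest(document)


def demo():
    order = b"order #1001: 3 widgets, ship to warehouse 7"   # constructed sample
    signature = sign(order)
    altered = order.replace(b"3 widgets", b"30 widgets")
    return {
        "original": verify(order, signature),
        "altered_document": verify(altered, signature),
        "altered_signature": verify(order, (signature + 1) % N),
    }


if __name__ == "__main__":
    print(demo())
```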
PCT supports secure transmissions across unreliable (UDP rather than TCP based) connections by allowing decryption of transmitted records independently from each other, as transmitted in individual datagrams.
Targeted primarily toward on-line commerce and financial transactions
An Internet e-mail specific encryption standard that also uses digital signature encryption to guarantee the authenticity, security, and message integrity
PGP overcomes inherent security loopholes with public/private key security schemes by implementing Web of trust in which e-mail users electronically sign each other’s public keys to create an interconnected group of key users.
To provide virtual private networking capabilities using the Internet as an enterprise network backbone, specialized tunneling protocols needed to be developed that could establish private, secure channels between connected systems.
Two rival standards are examples of such tunneling protocols:
Single access control view allows users access from client workstation to display only resources user actually has access to.
Security auditing and intrusion detection are able to track and identify suspicious behaviors from both internal employees and potential intruders. Detection and response to such events must be controlled from centralized security management location.