Chapter13 - Network Security
 

    Chapter13 - Network Security Presentation Transcript

    • Network Security - Introduction
      • While computer systems today have good security systems, they are also vulnerable.
      • Vulnerability stems from world-wide access to computer systems via Internet.
      • Computer and network security comes in many forms including encryption algorithms, access to facilities, digital signatures, fingerprints, face scans, other biometric means, and passwords.
    • Network Security, cont’d
      • Companies are reluctant to publicly admit that they have suffered losses due to failed network security.
      • Security goals must be set by IT, BUT SUPPORTED BY HIGHEST LEVELS OF MANAGEMENT.
    • Basic Security Measures
      • Basic security measures for computer systems fall into eight categories:
        • External security
        • Operational security
        • Surveillance
        • Passwords
        • Auditing
        • Access rights
        • Standard system attacks
        • Viruses
    • External Security
      • Protection from environmental damage such as floods, earthquakes, and heat.
      • Physical security such as locking rooms, locking down computers, keyboards, and other devices.
      • Electrical protection from power surges.
      • Electromagnetic noise protection from placing computers away from devices that generate electromagnetic interference.
    • Operational Security
      • Deciding who has access to what.
      • Limiting time of day access.
      • Limiting day of week access.
      • Limiting access from a location, such as not allowing user to use a remote login during certain periods or any time.
    • Passwords and ID Systems
      • Passwords - common form of security and most abused.
      • Rules for safe passwords include:
      • Change your password often.
      • Password - minimum 8 characters, mixed symbols.
      • Don’t share passwords or write them down.
      • Don’t select names and familiar objects as passwords.
    • Passwords and ID Systems
      • Many new forms of “passwords” are emerging (biometrics):
      • Fingerprints
      • Face prints
      • Retina scans and iris scans
      • Voice prints
      • Ear prints
    • Auditing as Security
      • Creating computer or paper audit can help detect wrongdoing.
      • Auditing can also be used as a deterrent.
      • Many network operating systems allow administrator to audit most types of transactions.
    • Auditing as Security, cont’d
      • Manual audits can be done by either internal or external personnel.
      • Manual audits serve to verify effectiveness of policy development and implementation, and extent of security in overall corporate security policy.
      • Automated audits depend on software able to assess weaknesses of network security and security standards.
    • Auditing as Security, cont’d
      • Some automated audit tools are able to analyze network for vulnerabilities and make recommendations
      • Other tools merely capture events so that security people can figure out who did what and when after security breach has occurred.
    • Auditing as Security, cont’d
      • Security probes test various aspects of enterprise network security and report results and suggest improvements.
      • Intrusion detection systems test perimeter of enterprise network through dial modems, remote access servers, web servers, or Internet access.
      • Network based intrusion detection systems use network traffic probes distributed throughout network to identify traffic patterns that may indicate some type of attack may be underway
    • Access Rights as Security
      • Two basic questions to access rights: who and how?
      • Who do you give access rights to? No one, group of users, entire set of users?
      • What level of access does a user or group of users get? Read, write, delete, print, copy, execute?
      • Procedures set to remove people who leave or transfer.
      • Most network OS have method system for assigning access rights.
    • SECURITY POLICY DEVELOPMENT LIFE CYCLE
      • SPDLC is depicted as cycle since evaluation processes validate the effectiveness of original analysis stages.
      • Next slide shows SPDLC.
      • Look at this slide as management tool of steps that have to be taken.
    • Security Policy Development Life Cycle
    • Security Requirements Assessment
      • Start research by finding out if your friends in field can give you manuals of what they have done.
      • Define needs requirements for users in organization.
      • Security refers to restrictions of information upon users, and responsibilities of users for implementation and enforcement.
    • Scope and Feasibility of Studies
      • Define scope of security study.
      • Realize that there is a balance between security and productivity.
      • Optimal balance will protect resources while not impacting on worker productivity.
    • Security vs. Productivity Balance
    • Assets, Threats, and Risks
      • Security methodologies have major steps:
        • Identify assets – includes hardware, software, and media used to store data.
        • Identify threats – anything that can pose a danger to assets.
        • Identify vulnerabilities – potential problems in security system
    • Assets, Threats, and Risks
      • Security methodologies- continued
        • Consider risks – probability of successfully attacking particular asset
        • Identify risk domains – groups of network systems sharing common functions and common elements of exposure.
        • Take protective measures – Virus protection, firewalls, authentication, encryption
    • Firewalls, cont’d
      • System or combination of systems that supports an access control policy between two networks.
      • Firewall can limit types of transactions that enter system, as well as types of transactions that leave system.
      • Firewalls can be programmed to stop certain types or ranges of IP addresses, as well as certain types of TCP port numbers (applications).
    • Firewalls
    • Firewalls, cont’d
      • Packet filter firewall - essentially router that has been programmed to filter out or allow in certain IP addresses or TCP port numbers.
      • Proxy server - more advanced firewall that acts as doorman into corporate network. Any external transaction that requests something from corporate network must enter through proxy server.
      • Proxy servers are more advanced but make external accesses slower.
    • Proxy Server
    • Attack Strategies
      • Attack strategies concentrate on weaknesses of specific systems.
      • Two servers communicating with TCP set up three step exchange of address and confirmation.
    • Attack Strategies, cont’d
      • Following attack strategies take negative advantage of three step exchange
        • Denial of service attack – hacker floods server with requests to connect to non-existent servers
        • Land attack – hacker substitutes targeted server’s own address as address of server requesting connection
    • Guarding Against Viruses
      • Signature-based scanners look for particular virus patterns or signatures and alert user.
      • Terminate-and-stay-resident programs run in background constantly watching for viruses and their actions.
      • Multi-level generic scanning is combination of antivirus techniques including intelligent checksum analysis and expert system analysis.
    • Standard System Attacks, cont’d
      • Denial of service attacks - bombard computer site with so many messages that site is incapable of answering valid requests.
      • E-mail bombing - user sends an excessive amount of unwanted e-mail.
      • Smurfing - technique in which program attacks network by exploiting IP broadcast addressing operations.
      • Ping storm - Internet Ping program is used to send flood of packets to server.
    • Standard System Attacks, cont’d
      • Spoofing - user creates packet that appears to be something else or from someone else.
      • Trojan Horse - malicious piece of code hidden inside seemingly harmless piece of code.
      • Stealing, guessing, and intercepting passwords is also tried and true form of attack.
    • Web Specific Attack Strategies
      • Minimizing web attacks requires using following techniques:
        • Eliminate unused user accounts and default accounts (Guest)
        • Remove/disable unused services such as FTP, Telnet, etc.
        • Remove unused Unix command shells and interpreters
    • Web Specific Attack Strategies cont’d
      • Properly set permission levels on files and directories
      • Stay up to date with current attack strategies, and defenses.
      • Beware of Common Gateway Interface programs extracting web server password files. Take corrective measures.
    • Management Role and Responsibility
      • Executive responsibilities
        • Set Security Policy of the Organization
        • Allocate sufficient resources – staff, funding, etc.
        • Information is corporate resource
        • Assign responsibility for protecting information resources
        • Require computer security training for staff
    • Management Role and Responsibility, cont’d
        • Hold employees responsible for corporate resources in their care
        • Audit (internal and external) corporate security
        • Follow through with penalties for violations of corporate security
    • Management Role and Responsibility, cont’d
      • Management responsibility
        • Assess responsibilities in your corporate security area
        • Assess balance between security and productivity
        • Assess vulnerabilities within your area of responsibility
        • Adhere to and enforce corporate policies
    • Policy Development Process
      • Establish processes and policies
      • Be sure affected user groups are represented on policy development task force.
      • Emphasis should be on corporate wide awareness relating to importance of protecting corporate information and network access.
    • Policy Implementation Process
      • Having been included in policy development process, users are expected to support policies
      • User responsibilities
        • Protect data you have
        • Corporate resources are property of company
    • Policy Implementation Process
      • Continued
        • Inform supervisor of suspicious actions, or people
        • Never share your passwords
        • Choose password that is impossible to discover
        • Log off before leaving your computer
        • Lock up sensitive material backups
        • Backup important data
    • Policy Implementation Process, cont’d
      • Policy implementation should force changes in people’s behaviors, which can cause resistance
      • Use appropriate technology and associated processes to execute policy.
      • Security architectures imply security solutions have been predefined for given corporation’s variety of computing and network platforms.
    • Policy Implementation Process, cont’d
      • If users’ involvement was substantial during policy development stage and if buy-in was assured at each stage of policy development, then process stands better chance of succeeding.
    • VIRUS PROTECTION
      • Comprehensive protection plan must combine policy, people, processes, and technology to be effective.
      • Virus - describes computer program that gains access to computer system or network with potential to disrupt normal activity of that system or network.
    • VIRUS PROTECTION, cont’d
      • Viruses triggered by passing of certain date or time are referred to as time bombs whereas viruses that require certain event to transpire are known as logic bombs.
      • Trojan horse - actual virus is hidden inside program and delivered to target system or network to be infected.
    • ANTIVIRUS STRATEGIES
      • Effective antivirus policies and procedures must first focus on use and checking of diskettes/files.
      • Antivirus strategies
        • Identify vulnerabilities
        • Keep antivirus updated
    • ANTIVIRUS STRATEGIES, cont’d
      • Antivirus strategies, continued
        • Install virus scanning software
        • Non employees should be prohibited from installing laptops to system.
        • Install virus scanning software on commonly used laptops
        • Write protect diskettes with .exe, .com files
    • Collaborative Software Infection/Reinfection Cycle
    • ANTIVIRUS TECHNOLOGIES
      • Virus scanning is primary method for successful detection and removal.
      • Emulation technology - detect unknown viruses by running programs with software emulation program known as a virtual PC. Execution program can be examined in environment for symptoms of viruses.
      • Advantage of such programs is they identify potentially unknown viruses based on behavior rather than by relying on signatures of known viruses.
    • ANTIVIRUS TECHNOLOGIES, cont’d
      • CRC checkers or hashing checkers create and save unique cyclical redundancy check (CRC) character for each file to be monitored. Each time that file is subsequently saved, new CRC is checked against the reference CRC.
      • If CRCs do not match, then file has been changed. Shortcoming of technology - only able to detect viruses after infection.
      • Active control monitors are able to examine transmissions from Internet in real time and identify known malicious content based on contents of definition libraries.
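
The CRC/hashing checker described on this slide, as an added example that is not part of the original slides: it records a reference CRC-32 and SHA-256 for every file under a directory and later reports files that changed, disappeared, or appeared. The function names and the constructed file names in `demo()` are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
import zlib


def fingerprint(path):
    """Reference values for one file: CRC-32 plus SHA-256, read in chunks."""
    crc = 0
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
            sha.update(chunk)
    return {"crc32": f"{crc & 0xFFFFFFFF:08x}", "sha256": sha.hexdigest()}


def build_baseline(root):
    """Map each file's path (relative to root) to its reference fingerprint."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def check(root, baseline):
    """Compare the current state of root against the stored baseline."""
    current = build_baseline(root)
    return {
        "changed": sorted(p for p in baseline
                          if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def _write(root, name, data):
    with open(os.path.join(root, name), "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: baseline, then a file is modified, one is
    removed and one is added before the next check."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "tool.exe", b"MZ constructed sample program bytes")
        _write(root, "notes.txt", b"quarterly figures")
        _write(root, "old.txt", b"to be deleted")
        baseline = build_baseline(root)
        before = check(root, baseline)

        # The change has already happened by the time the checker runs:
        # the mismatch is reported afterwards, the write is not prevented.
        with open(os.path.join(root, "tool.exe"), "ab") as fh:
            fh.write(b" appended bytes")
        os.remove(os.path.join(root, "old.txt"))
        _write(root, "dropped.com", b"new file")
        after = check(root, baseline)
    return before, after


def crc_of_bytes(data):
    """CRC-32 of an in-memory byte string, via a temporary file."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "sample.bin", data)
        return fingerprint(os.path.join(root, "sample.bin"))["crc32"]


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

The baseline itself has to be stored where the monitored system cannot rewrite it, otherwise a change to a file can be accompanied by a matching change to its reference value.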
    • Virus Infection Points of Attack and Protective Measures
    • FIREWALLS
      • To prevent unauthorized access from Internet into company’s confidential data, specialized software known as firewall is often deployed.
      • Firewall software usually runs on dedicated server that is connected to, but outside of, corporate network.
      • All network packets entering firewall are filtered, or examined, to determine whether or not those users have authority to access requested files.
    • Firewall Architecture
      • Difficulty with firewalls is there are no standards for firewall functionality, architectures, or interoperability.
      • Firewall architecture
        • 1. Packet filtering
        • 2. Application gateway
        • 3. Internet firewalls
    • PACKET FILTERING
      • Packets of data on Internet are identified by source address of computer that issued message and destination address of Internet server.
      • Filter - program that examines source address and destination address of incoming packet to firewall server.
      • Filter tables - lists of addresses whose data packets and embedded messages are either allowed or prohibited from proceeding through the firewall.
      • Filter tables can limit access of certain IP addresses to certain directories.
    • PACKET FILTERING, cont’d
      • Filtering time introduces latency to overall transmission time.
      • Packet filter gateways can be implemented on routers. Existing piece of technology can be used for dual purposes.
      • Packet filters can be breached by hackers in technique known as IP spoofing.
      • If hacker can make packet appear to come from an authorized or trusted IP address, then it can pass through firewall.
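
A filter table evaluated the way these two slides describe, as an added example that is not part of the original slides: rules are matched on source address, destination address and TCP port only, which is why a claimed source address is trusted as-is. The example also adds an ingress (anti-spoofing) check that goes beyond the slide text; all addresses, rule contents and names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL_NET = "10.0.0.0/8"  # constructed internal address range


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network, CIDR notation
    dst: str               # destination network, CIDR notation
    dport: Optional[int]   # TCP destination port, None = any port


@dataclass(frozen=True)
class Packet:
    src: str     # source address as claimed in the IP header
    dst: str
    dport: int
    iface: str   # interface the packet arrived on: "inside" or "outside"


# Constructed filter table, evaluated top to bottom, first match wins.
FILTER_TABLE = [
    Rule("deny", "192.0.2.0/24", "0.0.0.0/0", None),    # prohibited range
    Rule("allow", "0.0.0.0/0", "10.0.5.10/32", 80),     # public web server
    Rule("allow", "10.0.0.0/8", "10.0.5.30/32", 22),    # internal admin access
]


def _in(addr, network):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(network)


def filter_decision(pkt, table=FILTER_TABLE):
    """Plain packet filter: looks only at header fields, default deny."""
    for rule in table:
        if (_in(pkt.src, rule.src) and _in(pkt.dst, rule.dst)
                and rule.dport in (None, pkt.dport)):
            return rule.action
    return "deny"


def ingress_check(pkt, internal=INTERNAL_NET):
    """Anti-spoofing check: a packet arriving on the outside interface
    cannot legitimately carry an internal source address."""
    if pkt.iface == "outside" and _in(pkt.src, internal):
        return "deny"
    return None


def firewall(pkt):
    """Ingress check first, then the filter table."""
    return ingress_check(pkt) or filter_decision(pkt)


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.50", "10.0.5.10", 80, "outside"),  # web request
        Packet("192.0.2.4", "10.0.5.10", 80, "outside"),     # prohibited range
        Packet("10.0.0.9", "10.0.5.30", 22, "inside"),       # real admin host
        Packet("10.0.0.9", "10.0.5.30", 22, "outside"),      # claimed source
    ]
    for pkt in samples:
        print(pkt, "table:", filter_decision(pkt), "with ingress:", firewall(pkt))
```

The ingress check only covers internal addresses seen on the outside interface; a claimed external trusted address still has to be backed by authentication at a higher layer, which is the role the later slides give to application gateways and authentication products.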
    • Application Gateways
      • Also called application level filters
      • Port level filters determine legitimacy of party asking for information, application level filters assure validity of what they are asking for.
      • Application level filters examine entire request for data rather than source and destination addresses.
    • Application Gateways, cont’d
      • Application gateways are concerned with what services or applications message is requesting in addition to who is making request.
      • Once legitimacy of request has been established, only proxy clients and servers actually communicate with each other.
    • Packet Filters and Application Gateways
    • Proxies, Trusted Gateways, and Dual-Homed Gateways
    • INTERNET FIREWALLS
      • Category of software known as internal firewalls has begun to emerge.
      • Internal firewalls include filters that work on data link, network, and application layers to examine communications that occur only on a corporation’s internal network, inside reach of traditional firewall.
      • Internal firewalls act as access control mechanisms, denying access to applications for which user does not have specific access approval.
    • Authentication and Access Control
      • Authentication products break down into three overall categories:
        • What you know - single sign-on (SSO) access to multiple network attached servers and resources via passwords.
        • What you have - requires user to possess type of smart card or token authentication device to generate single use passwords.
        • What you are - validates users based on physical characteristic, i.e. fingerprints, hand geometry, or retinal scans.
    • Token Authentication
      • Provides one-time use session passwords authenticated by associated server software.
        • Hardware based smart cards are about size of credit card with or without numeric keypad.
        • In-line token authentication devices connect to serial port of computer for dial-in authentication through modem.
        • Software tokens are installed on the client PC and authenticated with server portion of token authentication product transparently to end user.
    • Challenge-response token authentication
      • Challenge-response token authentication involves following steps:
        • User enters an assigned user ID and password at client.
        • Token authentication server software returns numeric string known as challenge.
        • Challenge number and PIN are entered on smart card.
    • Challenge-response token authentication, cont’d
        • Smart card displays response number on LCD screen.
        • Response number is entered on client workstation and transmitted back to token authentication server.
        • Token authentication server validates response against expected response from user and this particular smart card.
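
The six steps above, as an added example that is not part of the original slides and not any vendor's algorithm. Assumptions: the card and server share a per-card secret, the response is a truncated HMAC-SHA256 of the challenge, the PIN unlocks the card locally, and each challenge is single-use with a short lifetime; all names and sample values are constructed.

```python
import hashlib
import hmac
import secrets
import time

DIGITS = 8  # length of challenge and response numbers (assumed)


def _kdf(secret, salt):
    """Salted, slow hash for stored passwords and PINs."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def expected_response(card_secret, challenge):
    """Numeric response for a challenge, keyed by the per-card secret."""
    mac = hmac.new(card_secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10 ** DIGITS:0{DIGITS}d}"


class TokenCard:
    """The user's smart card: keeps its secret, shows only the response."""

    def __init__(self, card_secret, pin):
        self._secret = card_secret
        self._salt = secrets.token_bytes(16)
        self._pin_hash = _kdf(pin, self._salt)

    def respond(self, challenge, pin):
        # Step 3: challenge number and PIN are entered on the card.
        if not hmac.compare_digest(_kdf(pin, self._salt), self._pin_hash):
            return None  # wrong PIN: card displays nothing
        # Step 4: card displays the response number.
        return expected_response(self._secret, challenge)


class AuthServer:
    """Token authentication server."""

    def __init__(self, ttl_seconds=60):
        self._ttl = ttl_seconds
        self._users = {}    # user_id -> (salt, password_hash, card_secret)
        self._pending = {}  # user_id -> (challenge, expiry time)

    def enroll(self, user_id, password, card_secret):
        salt = secrets.token_bytes(16)
        self._users[user_id] = (salt, _kdf(password, salt), card_secret)

    def begin(self, user_id, password, now=None):
        """Steps 1-2: check user ID and password, return a fresh challenge."""
        now = time.time() if now is None else now
        user = self._users.get(user_id)
        if user is None or not hmac.compare_digest(_kdf(password, user[0]), user[1]):
            return None
        challenge = f"{secrets.randbelow(10 ** DIGITS):0{DIGITS}d}"
        self._pending[user_id] = (challenge, now + self._ttl)
        return challenge

    def finish(self, user_id, response, now=None):
        """Steps 5-6: validate the response for this user and this card."""
        now = time.time() if now is None else now
        pending = self._pending.pop(user_id, None)  # a challenge is used once
        if pending is None or response is None:
            return False
        challenge, expires = pending
        if now > expires:
            return False
        expected = expected_response(self._users[user_id][2], challenge)
        return hmac.compare_digest(expected, str(response))


if __name__ == "__main__":
    secret = b"constructed-card-secret-0001"
    server = AuthServer()
    server.enroll("alice", "correct horse", secret)
    card = TokenCard(secret, pin="4821")
    challenge = server.begin("alice", "correct horse")
    response = card.respond(challenge, "4821")
    print("challenge", challenge, "response", response)
    print("accepted:", server.finish("alice", response))
    print("replayed:", server.finish("alice", response))
```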
    • Challenge-Response vs. Time-Synchronous Token Authentication
    • Biometric Authentication
      • Biometric authentication can authenticate users based on fingerprints, palm prints, retinal patterns, voice recognition, or other physical characteristics.
      • Biometric authentication devices require that valid users first register by storing copies of fingerprints, voice, or retinal patterns in validation database.
    • Authorization vs. Authentication
      • Authorization is concerned with assuring that properly authorized users are able to access particular network resources.
      • Authentication - ensures that only legitimate users are able to log into network.
    • KERBEROS
      • Kerberos – combination of authentication and authorization software.
      • Kerberos architecture consists of three key components:
        • Kerberos client software
        • Kerberos authentication server software
        • Kerberos application server software
    • Kerberos Architecture
    • KERBEROS, cont’d
      • Kerberos must communicate directly with application.
      • Kerberos enforces authentication and authorization through use of ticket based system. Encrypted ticket is issued for server to client session and is valid for preset amount of time.
      • From network analyst’s perspective, concern is centered on amount of network bandwidth consumed by addition of Kerberos security.
    • Basic Encryption and Decryption Techniques
      • Cryptography - creating and using encryption and decryption techniques.
      • Plaintext - data before any encryption has been performed.
      • Ciphertext - data after encryption has been performed.
      • Key is unique piece of information used to create ciphertext and decrypt ciphertext back into plaintext.
    • Encryption/Decryption
    • Ciphers
      • A few ciphers to be examined:
        • Monoalphabetic Substitution-based Ciphers
        • Polyalphabetic Substitution-based Ciphers
        • Transposition-based Ciphers
    • Monoalphabetic Substitution-based Ciphers
      • Monoalphabetic substitution-based ciphers replace character or characters with different character or characters, based upon some key.
      • Replacing: abcdefghijklmnopqrstuvwxyz
      • With: POIUYTREWQLKJHGFDSAMNBVCXZ
      • The message: how about lunch at noon
      • encodes into: EGVPO GNMKN HIEPM HGGH
    • Polyalphabetic Substitution-based Ciphers
      • Similar to monoalphabetic ciphers except multiple alphabetic strings are used to encode the plaintext.
      • For example, matrix of strings, 26 rows by 26 characters or columns can be used.
      • Key such as COMPUTERSCIENCE is placed repeatedly over the plaintext.
        • COMPUTERSCIENCECOMPUTERSCIENCECOMPUTER
        • thisclassondatacommunicationsisthebest
    • Polyalphabetic Substitution-based Ciphers
      • To encode the message, take the first letter of the plaintext, t, and the corresponding key character immediately above it, C.
      • Go to row C column t in the 26x26 matrix and retrieve the ciphertext character V. See next slide for 26 x 26 matrix.
      • Continue with other characters in plaintext.
    • 26 x 26 Cipher Character Matrix
    • Transposition-based Ciphers
      • In transposition-based cipher, order of plaintext is not preserved.
      • As simple example, select key such as COMPUTER.
      • Number letters of word COMPUTER in order they appear in alphabet.
        • 1 4 3 5 8 7 2 6
        • C O M P U T E R
    • Transposition-based Ciphers, cont’d
      • Now take the plaintext message and write it under the key.
        • 1 4 3 5 8 7 2 6
        • C O M P U T E R
        • t h i s i s t h
        • e b e s t c l a
        • s s i h a v e e
        • v e r t a k e n
    • Transposition-based Ciphers, cont’d
      • Then read ciphertext down the columns, starting with the column numbered 1, followed by column number 2.
      • TESVTLEEIEIRHBSESSHTHAENSCVKITAA
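
The three cipher families from the preceding slides, as an added example that is not part of the original slides: each function reproduces the slide's own key and message and has a matching decrypt. It assumes the 26 x 26 matrix is the standard square in which row r is the alphabet shifted left by r (consistent with t under C giving V); function names are chosen here for illustration.

```python
import string
from collections import Counter

ALPHA = string.ascii_lowercase
MONO_KEY = "POIUYTREWQLKJHGFDSAMNBVCXZ"  # substitution alphabet from the slide


def letters(text):
    """Lower-case a-z only; the slides drop spaces before encoding."""
    return [c for c in text.lower() if c in ALPHA]


def group(text, size=5):
    """Five-letter grouping used on the monoalphabetic slide."""
    return " ".join(text[i:i + size] for i in range(0, len(text), size))


def mono_encrypt(plaintext, key=MONO_KEY):
    if sorted(key.lower()) != list(ALPHA):
        raise ValueError("key must be a permutation of the 26 letters")
    table = dict(zip(ALPHA, key.upper()))
    return "".join(table[c] for c in letters(plaintext))


def mono_decrypt(ciphertext, key=MONO_KEY):
    table = dict(zip(key.upper(), ALPHA))
    return "".join(table[c] for c in ciphertext.upper() if c in table)


def count_profile(text):
    """Sorted letter counts. A monoalphabetic substitution leaves this
    unchanged, which is why such ciphers fall to frequency analysis."""
    return sorted(Counter(letters(text)).values())


def _poly_shift(text, key, sign):
    shifts = [ALPHA.index(c) for c in letters(key)]
    if not shifts:
        raise ValueError("key needs at least one letter")
    return "".join(ALPHA[(ALPHA.index(c) + sign * shifts[i % len(shifts)]) % 26]
                   for i, c in enumerate(letters(text)))


def poly_encrypt(plaintext, key):
    """Row = key letter, column = plaintext letter of the 26 x 26 matrix."""
    return _poly_shift(plaintext, key, +1).upper()


def poly_decrypt(ciphertext, key):
    return _poly_shift(ciphertext, key, -1)


def column_order(key):
    """Column indices in reading order: alphabetical by key letter,
    ties broken left to right."""
    return sorted(range(len(key)), key=lambda i: (key[i].upper(), i))


def key_numbers(key):
    """Rank written above each key letter, e.g. COMPUTER -> 1 4 3 5 8 7 2 6."""
    ranks = [0] * len(key)
    for rank, col in enumerate(column_order(key), start=1):
        ranks[col] = rank
    return ranks


def transpose_encrypt(plaintext, key):
    text = letters(plaintext)
    cols = ["".join(text[i::len(key)]) for i in range(len(key))]
    return "".join(cols[i] for i in column_order(key)).upper()


def transpose_decrypt(ciphertext, key):
    width, n = len(key), len(ciphertext)
    rows, extra = divmod(n, width)  # the first `extra` columns are one longer
    cols, pos = [""] * width, 0
    for i in column_order(key):
        length = rows + (1 if i < extra else 0)
        cols[i] = ciphertext[pos:pos + length].lower()
        pos += length
    return "".join(cols[i % width][i // width] for i in range(n))


if __name__ == "__main__":
    print(group(mono_encrypt("how about lunch at noon")))
    print(poly_encrypt("thisclassondatacommunicationsisthebest", "COMPUTERSCIENCE"))
    print(key_numbers("COMPUTER"))
    print(transpose_encrypt("this is the best class i have ever taken", "COMPUTER"))
```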
    • Public Key Cryptography and Secure Sockets Layer
      • Powerful encryption technique in which two keys are used: first key (public key) encrypts message while second key (private key) decrypts message.
      • Not possible to deduce one key from other.
      • Not possible to break code given public key.
      • If you want someone to send you secure data, give them your public key, you keep private key.
      • Secure sockets layer on Internet is common example of public key cryptography.
    • Public Key Infrastructure
      • Combination of encryption techniques, software, and services that involves all necessary pieces to support digital certificates, certificate authorities, and public key generation, storage, and management.
      • Digital certificate is an electronic document, similar to passport, that establishes your credentials when you are performing transactions.
    • Public Key Infrastructure, cont’d
      • Digital certificate contains your name, serial number, expiration dates, copy of your public key, and digital signature of certificate-issuing authority.
      • Certificates are usually kept in registry so other users may check them for authenticity.
    • Public Key Infrastructure, cont’d
      • Certificates are issued by certificate authority (CA). CA is either specialized software on company network or trusted third party.
      • Let’s say you want to order something over Internet. Web site wants to make sure you are legitimate, so web server requests your browser to sign order with your private key (obtained from your certificate).
    • Public Key Infrastructure, cont’d
      • Web server then requests your certificate from third party CA, validates that certificate by verifying third party’s signature, then uses that certificate to validate signature on your order.
      • User can do same procedure to make sure web server is not bogus operation.
      • Certificate revocation list is used to “deactivate” user’s certificate.
    • Public Key Infrastructure, cont’d
      • Applications that could benefit from PKI:
      • World Wide Web transactions
      • Virtual private networks
      • Electronic mail
      • Client-server applications
      • Banking transactions
    • Triple-DES
      • More powerful data encryption standard.
      • Data is encrypted using DES three times: the first time by first key, second time by second key, and third time by first key again. (Can also have 3 unique keys.)
      • While virtually unbreakable, triple-DES is CPU intensive.
      • With more smart cards, cell phones, and PDAs, a faster (and smaller) piece of code is highly desirable.
    • Advanced Encryption Standard (AES)
      • Selected by U.S. government to replace DES.
      • National Institute of Standards and Technology selected the algorithm Rijndael (pronounced rain-doll) in October 2000 as basis for AES.
      • AES has more elegant mathematical formulas, requires only one pass, and was designed to be fast, unbreakable, and able to support even smallest computing device.
    • Advanced Encryption Standard (AES)
      • Key size of AES: 128, 192, or 256 bits.
      • Estimated time to crack (assuming a machine could crack a DES key in 1 second): 149 trillion years.
      • Very fast execution with very good use of resources.
      • AES should be widely implemented by 2004.
    • ENCRYPTION
      • Encryption - changing of data into indecipherable form before transmission.
      • Decryption - changing unreadable text back into its original form.
      • Types of encryption
        • DES-Private Key
        • RSA – Public key
        • Digital signature
        • Key Management Alternatives
    • DES – Private Key Encryption
      • Decrypting device must use same algorithm to decode or decrypt data as encrypting device used to encrypt data.
      • DES allows encryption devices manufactured by different firms to interoperate successfully.
      • Encryption key customizes commonly known algorithm to prevent anyone without private key from decrypting documents.
    • RSA – Public Key Encryption
      • Public key - combines usage of both public and private keys.
      • In public key encryption, sending encryption device encrypts document using intended recipient’s public key and originating party’s private key.
      • To decrypt the document, receiving encryption/decryption device must be programmed with intended recipient’s own private key and sending party’s public key.
    • Digital Signature Encryption
      • Digital signature encryption - electronic means of guaranteeing authenticity of sending party and assurance that encrypted documents have not been altered during transmission.
      • Original document is processed by hashing program to produce a mathematical string unique to exact content of original document.
      • Unique mathematical string is encrypted using originator’s private key.
      • Encrypted digital signature is appended to and transmitted with encrypted original document.
    • Digital Signature Encryption, cont’d
      • To validate authenticity of received document, recipient uses public key associated with apparent sender to regenerate digital signature from received encrypted document.
      • Transmitted digital signature is compared by recipient to regenerated digital signature produced by using public key and received document.
    • Private, Public, and Digital Signature Encryption
    • Key Management Alternatives
      • Key Management - Before computers can communicate in secure manner, they must be able to agree on encryption and authentication algorithms and establish keys.
      • Standards for key management:
        • ISAKMP (Internet Security Association and Key Management Protocol) from IETF. Largely replaced by IKE (Internet Key Exchange).
        • SKIP (Simple Key Management for IP)
    • Key Management Alternatives, cont’d
      • Public key dissemination must be managed so users are assured public keys received are actually public keys of companies or organizations they are alleged to be.
      • Public key infrastructures that link user to are implemented through use of server based software known as certificate services.
      • Certificate server software supports encryption and digital signatures while flexibly supporting directory integration, multiple certificate types, and variety of request fulfillment options.
    • Digital Signatures
      • Document to be signed is sent through complex mathematical computation that generates hash.
      • Hash is encoded with owner’s private key.
      • To prove future ownership, hash is decoded using owner’s public key and hash is compared with current hash of document.
      • If two hashes agree, document belongs to owner.
      • U.S. has just approved legislation to accept digitally signed documents as legal proof.
    • Applied Security Scenarios
        • Install only software/hardware needed.
        • Allow only essential traffic into/out of network. Eliminate other traffic by blocking with routers or firewalls.
        • Investigate outsourcing web-hosting services so corporate web server is not physically on same network as rest of corporate information assets.
        • Use routers to filter traffic by IP addresses.
    • Applied Security Scenarios, cont’d
        • Make sure router OS software has been patched to prevent attacks by exploiting TCP vulnerabilities.
        • Identify information assets most critical to corporation, and protect those servers first.
        • Implement physical security constraints to hinder physical access to critical resources such as servers.
    • Applied Security Scenarios, cont’d
        • Develop effective and enforceable security policy. Monitor its implementation and effectiveness.
        • Consider installing proxy server or application layer firewall.
        • Block incoming DNS queries and requests for zone transfers.
        • Disable all TCP ports and services not essential so hackers are not able to exploit and use services.
    • Integration with Information Systems and Application Development
      • Authentication products must be integrated with existing information systems and applications development efforts.
      • APIs (Application Program Interfaces) are means by which authentication products are able to integrate with client/server applications.
      • Application development kits combine an application development language with supported APIs.
    • Remote Access Security
      • Protocol and associated architecture known as remote authentication dial-in user (RADIUS) offers potential to enable centralized management of remote access users and technology.
      • RADIUS enables communication between following three tiers of technology:
        • Remote access devices such as remote access servers and token authentication technology from variety of vendors.
        • Enterprise databases that contain authentication and access control information.
        • RADIUS authentication server.
    • RADIUS
    • Remote Access Security, cont’d
      • RADIUS allows network managers to centrally manage remote access users, access methods, and logon restrictions.
      • RADIUS allows centralized auditing capabilities such as keeping track of volume of traffic sent and amount of time on-line.
      • For authentication, it supports password authentication protocol (PAP), challenge handshake authentication protocol (CHAP), and SecurID token authentication.
    • Password Authentication Protocol (PAP)
      • PAP is designed for dial in communication.
      • PAP repeatedly sends user ID and password to authenticating system in clear text pairs until it is acknowledged or connection is dropped.
    • Challenge Handshake Authentication Protocol (CHAP)
      • CHAP provides secure means for establishing dial in communication.
      • CHAP uses three-way challenge or handshake that includes user ID, password, and key encryption for ID and password.
      • Problem with system is some mechanism must be in place for both receiver and sender to know and have access to key.
    • E-Mail, Web, and Internet/Intranet Security
      • Two primary standards for encrypting traffic on the WWW
        • S-HTTP (Secure Hypertext Transfer Protocol) – secure version of HTTP that requires both client and server S-HTTP versions to be installed for secure end-to-end encrypted transmission.
        • SSL – SSL is described as wrapping an encrypted envelope around HTTP transmissions. SSL is connection-level encryption method providing security to network link itself.
    • E-Mail, Web, and Internet/Intranet Security, cont’d
      • Secure Courier is offered by Netscape.
      • Secure Courier is based on SSL and allows users to create a secure digital envelope for transmission of financial transactions over Internet.
    • E-Mail, Web, and Internet/Intranet Security, cont’d
      • Additional forms of security are:
        • PCT
        • PEM
        • PGP
        • SET
        • S/MIME
        • Virtual Private Network Security
    • Private Communications Technology (PCT)
      • Microsoft’s version of SSL
      • PCT supports secure transmissions across unreliable (UDP rather than TCP based) connections by allowing decryption of transmitted records independently from each other, as transmitted in individual datagrams.
      • Targeted primarily toward on-line commerce and financial transactions
    • Privacy Enhanced Mail (PEM)
      • PEM - encryption technique for e-mail use on Internet used in association with SMTP (Simple Mail Transfer Protocol).
      • PEM was designed to use both DES and RSA encryption techniques, but it would work with other encryption algorithms as well.
    • Pretty Good Privacy (PGP)
      • An Internet e-mail specific encryption standard that also uses digital signature encryption to guarantee the authenticity, security, and message integrity
      • PGP overcomes inherent security loopholes with public/private key security schemes by implementing Web of trust in which e-mail users electronically sign each other’s public keys to create an interconnected group of key users.
    • Secure Electronic Transactions (SET)
      • SET - series of standards to assure confidentiality of electronic commerce transactions.
      • Standards are being promoted by credit card giants VISA and MasterCard.
      • A single SET compliant electronic transaction could require as many as six cryptographic functions, taking from one-third to one-half of a second on a high-powered UNIX workstation.
      • An important aspect of SET standards is incorporation of digital certificates or digital IDs.
    • Secure Multipurpose Internet Mail Extension (S/MIME)
      • S/MIME secures e-mail in e-mail applications that have been S/MIME enabled.
      • S/MIME enables different e-mail systems to exchange encrypted messages and encrypt multimedia as well as text based e-mail.
    • Virtual Private Network (VPN) Security
      • To provide virtual private networking capabilities using the Internet as an enterprise network backbone, specialized tunneling protocols needed to be developed that could establish private, secure channels between connected systems.
      • Two rival standards are examples of such tunneling protocols:
        • Microsoft’s point-to-point tunneling protocol (PPTP)
        • Cisco’s layer two forwarding (L2F)
    • Virtual Private Network (VPN) Security, cont’d
      • Unification of two rival standards is known as layer 2 tunneling protocol (L2TP).
      • One shortcoming of proposed specification is that it does not deal with security issues such as encryption and authentication.
      • Next slide illustrates use of tunneling protocols to build VPN using Internet as enterprise network backbone.
    • Tunneling Protocols Enable Virtual Private Networks
    • Virtual Private Network (VPN) Security, cont’d
      • IPsec - protocol that ensures encrypted communications across Internet via VPN through use of manually exchange.
      • IPsec supports only IP-based communications.
      • IPsec is standard that should enable interoperability between firewalls supporting protocol.
    • PPTP
      • PPTP is essentially tunneling protocol that allows managers to choose whatever encryption or authentication technology they wish to hang off either end of the established tunnel.
      • PPTP is Microsoft’s tunneling protocol specific to Windows NT and remote access servers.
      • PPTP is concerned with secure remote access in that PPP-enabled clients would be able to dial into corporate network by Internet.
    • Enterprise Network Security
      • To maintain proper security over widely distributed enterprise network, it is essential to be able to conduct certain security-related processes from single, centralized security management location.
    • Enterprise Network Security, cont’d
      • Among these processes or functions are
        • Single point of registration (SPR) allows network security manager to enter new user (or delete terminated user) from single centralized location and assign all associated rights, privileges, etc.
        • Single sign-on (SSO), also sometimes known as secure single sign-on (SSSO), allows users to log into enterprise network and be authenticated from client PC location.
    • Enterprise Network Security, cont’d
        • Single access control view allows users access from client workstation to only display resources user actually has access to.
        • Security auditing and intrusion detection is able to track and identify suspicious behaviors from both internal employees and potential intruders. Detection and response to such events must be controlled from centralized security management location.
    • Government Impact
      • Government agencies play major role in area of network security.
      • Two primary functions of government agencies are:
        • Standards making organizations that set standards for the design, implementation, and certification of security technology and systems.
        • Regulatory agencies that control export of security technology to company’s international locations.