Session 8 Notes
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

Session 8 Notes

on

  • 527 views

 

Statistics

Views

Total Views
527
Views on SlideShare
527
Embed Views
0

Actions

Likes
0
Downloads
1
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Session 8 Notes Presentation Transcript

  • 1. Session Number: 8 Internet Supply Chain Management – ECT 581 Winter 2003
    • Session Date: February 25, 2003
    • Session Outline:
      • Administrative Items
      • Session Topics: Extranet Security Considerations
        • Network Fundamentals
        • TCP/IP Security Considerations
        • Firewalls & Other Security Considerations
  • 2. Mission Critical Terminology
    • Network – a system of interconnected computer systems and terminals connected by communications channels..
    • Protocol – a specification that describes the rules and procedures that products should follow to perform activities on a network, such as transmitting data.
    • Transmission Control Protocol/Internet Protocol (TCP/IP) – a set of protocols developed by the Department of Defense to link dissimilar computers across large networks.
    • Security – the combination of software, hardware, networks, and policies designed to protect sensitive business information and to prevent fraud.
    • Virtual Private Network (VPN) – a wide-area network (WAN) created to link a company with external users (including mobile users, field representatives, or strategic allies). It uses the Internet for data transmission, but ensures confidentiality and security through the use of protocol tunneling.
  • 3. Mission Critical Terminology (continued)
    • Firewall – a security screen placed between an organization’s internal network and the external Internet. According to the National Computer Security Association (NCSA), a firewall is a system or combination of systems that enforces a boundary between two or more networks.
    • De-militarized Zone (DMZ) – a term used to refer to a screened subnet that resides between a LAN and the Internet. It is a network environment that is configured to provide an additional shield from undesirable or unauthorized intruders.
    • Repudiation – A security feature that prevents a third party from proving that a communication between two other parties took place.
    • Non-repudiation – the opposite of repudiation; desirable if you want to be able to trace your communications and prove that they occurred.
  • 4. Fundamental Technology Components: Focus on Networks & Security Considerations
    • Network Components
      • Connectivity Equipment
      • Internet Server Hardware and Software
      • Application Server
      • Database System
      • E-mail Gateway
    • Firewall
      • Internet Server/Intranet Server
      • Authoring/Web Development Server
  • 5. Network Fundamentals: Open Systems Interconnection (OSI) Model
    • Network are defined by architecture or protocol
    • OSI reference model defines functional network layers
      • Application Layer
      • Presentation Layer
      • Session Layer
      • Transport Layer
      • Network Layer
      • Data Link Layer
      • Physical Layer
    • Each layer has its own protocol or set of protocols.
  • 6.
    • Think of OSI model as a ‘ layer cake ’.
    • At the bottom is the Physical Layer supporting and holding everything up .
    • At the top is the Application Layer describing and managing how each application programs will interact .
    Network Fundamentals: OSI Model (continued)
  • 7. Network Fundamentals: Open Systems Interconnection (OSI) Model (continued) Application Layer Presentation Layer Session Layer Transport Layer Network Layer Data Link Layer Physical Layer
    • Describes and manages how applications interact with the network operating system.
    • Protocols include the Network Filing System (NFS), Netware Core Protocol, and Appleshare.
  • 8. Network Fundamentals: Open Systems Interconnection (OSI) Model (continued) Application Layer Presentation Layer Session Layer Transport Layer Network Layer Data Link Layer Physical Layer
    • Handles encryption and some special file formatting. Formats screens and files so that the final product looks like the programmer wanted it to.
    • This layer is the home to terminal emulators that can make a PC think that it is a DEC VT-100 or an IBM 3270 terminal.
    • Protocols include Netware Core Protocol, Network Filing System (NFS), and AppleTalk File Protocol (AFP).
  • 9. Network Fundamentals: Open Systems Interconnection (OSI) Model (continued) Application Layer Presentation Layer Session Layer Transport Layer Network Layer Data Link Layer Physical Layer
    • Performs the function that enables two applications to communicate across the network, performing security, name recognition, logging, administration, and other similar functions.
    • Protocols include Simple Network Management Protocol (SNMP), File Transfer Protocol (FTP), Telnet, Simple Mail Transport Protocol (SMTP), Netbios, LU 6.2 (from IBM’s SNA) and Advanced Program-to-Program Communications (APPC).
  • 10. Network Fundamentals: Open Systems Interconnection (OSI) Model (continued) Application Layer Presentation Layer Session Layer Transport Layer Network Layer Data Link Layer Physical Layer
    • Considered the “railroad yard dispatcher” who takes over if there is a ‘wreck’ somewhere in the system.
    • Performs a similar function as the Network Layer, only its function is specific to local traffic.
    • Also handles quality control. Drivers in the networking software perform this layers tasks.
    • Protocols include Transmission Control Protocol (TCP) and Novell’s SPX.
  • 11. Network Fundamentals: Open Systems Interconnection (OSI) Model (continued) Application Layer Presentation Layer Session Layer Transport Layer Network Layer Data Link Layer Physical Layer
    • Functions as the ‘network traffic cop’ deciding which physical pathway the data should take based on network conditions, priorities of service, and other factors.
    • Protocols include Internet Protocol (IP), Novell’s IPX, and Apple’s Datagram Delivery Protocol (DDP).
  • 12. Network Fundamentals: Open Systems Interconnection (OSI) Model (continued) Application Layer Presentation Layer Session Layer Transport Layer Network Layer Data Link Layer Physical Layer
    • Controls the data stream between the communicating systems. Works like the foreman of a railroad yard putting cars together to make a train.
    • Governing protocols include high-level data link control (HDLC), bi-synch, and Advanced Data Communications Control Procedures (ADCCP).
  • 13. Network Fundamentals: Open Systems Interconnection (OSI) Model (continued) Application Layer Presentation Layer Session Layer Transport Layer Network Layer Data Link Layer Physical Layer
    • Furnishes electrical connections and signals and carries them to higher layers.
    • Governing protocols include RS-232C, RS-449, X.21 (primarily in Europe).
  • 14. TCP/IP Overview
    • A set or family of protocols.
    • Developed to allow cooperating computers to share resources across a network.
    • Initially included Arpanet, NSFnet, regional networks such as local university networks, research institutions, and military networks.
    • All networks are connected and the Internet protocols standardized the order and structure of computer communication within the inter-connected networks.
  • 15. TCP/IP Overview (continued)
    • A ‘connection-less’ protocol.
    • Info transferred in packets.
    • Built to ensure establishment of connections between end systems.
    • TCP/IP has limited to no inherent security features.
    • TCP/IP provides no systematic way to perform encryption (due to unavailability of data-encoding layer) .
    • IP was built for speed and efficiency; ‘just delivers goods’ .
    • IP host address is part of address that identifies networked processors.
  • 16. Contrasting OSI & TCP/IP
    • TCP/IP is the de facto global interoperability standard; OSI has more of a presence in Europe.
    • TCP/IP does not formally have an application layer.
    • TCP is equivalent of OSI layer 4 protocol.
    • IP is OSI layer 3 protocol.
  • 17. TCP/IP Overview (continued)
    • TCP/IP protocols of primary importance include:
      • Transmission Control Protocol (TCP) – provides reliable data transport from one node to another using connection-oriented techniques.
      • User Datagram Protocol (UDP) – provides datagram services for applications. Primary role is to add the port address of an application process to an IP packet & to move packets through the network (used by DNS).
      • Internet Protocol (IP) – a connectionless, unacknowledged network service; does not care about the order of transmitted packets.
  • 18. TCP/IP Overview (continued)
    • Additional services or ‘applications’ built on top of TCP/IP include:
      • Network File System (NFS) – filing system for Unix hosts.
      • Simple Network Management Protocol (SNMP) – collects info about the network and reports back to network administrators.
      • File Transfer Protocol (FTP) – enables file transfers between workstations and a Unix host or Novell Netware NFS.
      • Simple Mail Transfer Protocol (SMTP) – enables electronic messaging.
      • Network News Transport Protocol (NNTP) – distributes and manages Usenet articles and replies.
      • Post Office Protocol (POP) – stores incoming mail until users access it.
      • Telnet – DECVT100 and VT330 terminal emulation.
      • Hypertext Transfer Protocol (HTTP) – defines means of addressing and locating resources stored on other systems (by means of uniform resource locators – URL’s) and defines request and transmission formats for the World Wide Web.
  • 19. IP Addressing
    • Addresses used to provide hierarchical address space for the Internet.
    • Provides for computers on diverse types of networks to exchange data.
    • IP address is 4 bytes (32 bits) long & usually expressed in dotted decimal notation.
    • Addresses are divided into three major classes: A, B, and C.
      • Classes D & E are reserved for special use.
    • Each class can be identified through examination of the first four bits of the address.
    1111 E 111x D 110x C 10xx B 0xxx A 1 st Four Address Bits Classes
  • 20. Reserved for special use IP Addressing (continued) 240-255 E Limits # of hosts Balance of networks & hosts Limits # of networks Impact on network setup 205.35.4.120 157.100.5.195 100.10.240.28 Example net.net.net.host net.net.host.host net.host.host.host Address Format 224-239 D 254 2,097,152 192-223 C 65K 16,384 128-191 B 16M 127 1-127 A Max # of Host Addresses Max # Net Addresses Value of High-order Byte Class
  • 21. Internet Security Concerns
    • Findings from 2000 Computer Crime and Security Survey conducted by
    • the Computer Security Institute (CSI) & the FBI with responses from 538
    • computer security professionals.
      • 97% have WWW sites.
      • 47% conduct electronic commerce on their sites.
      • 85% of respondents detected security breaches within last 12 months.
      • 64% of respondents reported financial losses due to computer security breaches
      • 70% of respondents cited their Internet connection as a frequent point of attack.
      • 23% suffered unauthorized Internet access or misuse in last 12 months.
      • 27% said they did not know if there had been unauthorized access or misuse.
  • 22.
      • 35% of respondents reported detected financial losses totaling $377,828,700.
      • 16% reported losses due to unauthorized access.
      • 40% of respondents detected unauthorized external system penetration.
      • 38% detected denial of service attacks.
      • 91% detected employee abuse (including downloading of unsavory content or pirated software, or inappropriate use of e-mail systems).
      • 94% detected computer viruses.
    Internet Security Concerns (Y2K results continued)
  • 23.
      • Ninety percent of respondents (primarily large corporations and government agencies) detected computer security breaches within the last twelve months.
      • Eighty percent acknowledged financial losses due to computer breaches.
      • Forty-four percent (223 respondents) were willing and/or able to quantify their financial losses. These 223 respondents reported $455,848,000 in financial losses.
      • As in previous years, the most serious financial losses occurred through theft of proprietary information (26 respondents reported $170,827,000) and financial fraud (25 respondents reported $115,753,000).
      • For the fifth year in a row, more respondents (74%) cited their Internet connection as a frequent point of attack than cited their internal systems as a frequent point of attack (33%).
      • Thirty-four percent reported the intrusions to law enforcement. (In 1996, only 16% acknowledged reporting intrusions to law enforcement.)
      • Forty percent detected system penetration from the outside.
      • Forty percent detected denial of service attacks.
      • Seventy-eight percent detected employee abuse of Internet access privileges (for example, downloading pornography or pirated software, or inappropriate use of e-mail systems)
      • Eighty-five percent detected computer viruses.
    Internet Security Concerns: 2002 CSI Report Highlights
  • 24. Classifying Potential Security Threats (From Most to Least Prevalent)
    • Ignorance and Accidents
    • Company Employees and Partners
    • Casual “Doorknob Twisters”
    • Concerted Individual Efforts
    • Coordinated Group Efforts
  • 25. Potential Security Gaps
    • Lack of safeguards (no firewalls).
    • Poorly configured and administered systems.
    • Basic security problems with communication protocols (TCP, IP, UDP).
    • Faulty service programs.
    • Basic security problems with service programs (WWW. FTP, Telnet, etc.).
  • 26. Madness in the Method: Tactics and Techniques to ‘Bring the System Down’
    • Programmed attacks including denial-of-service attacks.
    • E-mail bombing, spamming, and spoofing
    • Viruses
  • 27. Most Successful Break-in Methods
    • Sniffer attacks (sniffer-kits & Trojan Horses included as programs smuggled in to monitor data flows and to retrieve passwords and ID’s).
    • IP-spoofing (attacker gives data packets addresses in the address range of the target)
    • Sendmail attacks (exploits security gaps in the sendmail daemon that supports SMTP).
    • NFS (Network File System) attacks (exploits gaps in two primary NFS daemons; nfsd & rpc.mountd).
    • NIS (Sun’s Network Information Service) attacks (exploits gap in NIS
  • 28. Unique Security Challenges of Extranets
    • Shared endpoint security – with an extranet, security becomes a joint responsibility of the organizations at the endpoints that link a group of intranets or users.
    • Unmanaged heterogeneity - an extranet involves a population of local and remote users where it is virtually impossible to manage the types of technical heterogeneity used to access the extranet.
    • Politics – extranet administrators and uses must deal with the political wrangling and sensitivity of their electronic business partners.
    • Added costs – added layers of access for multiple business entities translate to added costs of protecting internal systems of unwanted visitors.
    • Cross-pollination – electronic joining of organizations increases the risk of cross-pollination and unwanted transfer of competitive information.
    • User anxiety – extranet security must be more extreme and apparent; administrators must always be convincing anxious users that a site is secure.
  • 29. Basic Security Tenets
    • Authentication – validation of claimed identity.
    • Authorization – determining access privileges.
    • Integrity – assuring that the extranet information is accurate and that it cannot be altered accidentally or deliberately.
    • Availability – ensure immediate and continuous access to the extranet information, 24 hours per day, 7 days a week, 365 days per year.
    • Confidentiality – assuring that the data is seen only by authorized viewers.
    • Auditing – logging of all events.
    • Non-repudiation – preventing participants from denying roles in a transaction once it is completed.
  • 30.
    • Three Major Steps
    • Threat assessment
    • Vulnerability analysis
    • Design and implementation of security measures
    Building a Security Program
  • 31. Building a Security Program: Detailed Process
      • Identify assets including processors, data, and network components.
      • Analyze security risks.
      • Analyze security requirements and tradeoffs.
      • Develop a security plan identifying measures to be deployed.
      • Define a security policy.
      • Develop procedures for applying security policies.
      • Develop a technical implementation strategy.
      • Achieve buy-in from users, managers, and technical staff.
      • Train users, managers, and technical staff.
      • Implement the technical strategy and security procedures.
      • Test the security program and update it if any problems are found.
      • Maintain security by scheduling periodic independent audits, reading of audit logs, responding to incidents, continuing to train and test, etc.
  • 32. Security Measure or Protection Mechanisms
    • Authentication
    • Authorization or Access Control
    • Accounting (Auditing)
    • Data Integrity
    • Data Confidentiality
    • Policies
    • Education
    • Security through Obscurity (If They Don’t Ask, Don’t Tell)
  • 33. Widely Used Security Techniques
    • Certificates & Cryptography for ensuring data integrity and for authentication
    • Firewalls for controlling access to vital and sensitive resources.
    • Non-repudiation
  • 34. Data Encryption
    • Process that scrambles data to protect it from being read by anyone but the intended receiver.
    • Useful for providing data confidentiality.
    • Has two parts:
      • encryption algorithm – a set of instructions to scramble and unscramble data
      • encryption key – a code used by an algorithm to scramble and unscramble data
    • Best known symmetric system is DES
    • Best known asymmetric system is Public/Private Key encryption
  • 35. Firewalls
    • A set of components that function as a choke point, restricting access between a protected network and the Internet.
    • Provides:
      • Authorization or Access Control
      • Authentication
      • Logging
      • Notification
  • 36. Firewall Architectures
    • First consideration in designing a firewall is to meet the requirements set out in the security policy.
    • May include port filtering, application filtering, and user-based restrictions.
    • Firewalls also need to provide a system for logging that can be used to monitor the activity of internal and external users and intruders.
    • A good security rule of thumb is to minimize the number of access to points to the private network.
  • 37.
    • A good firewall architecture consists of an access router, a perimeter network, a dual-homed proxy server and an interior router.
    • The access router would be the first opportunity to prevent intruders from accessing the restricted systems.
    • Packet filters should be used to restrict the use of unnecessary protocols on the perimeter network.
      • This may include filtering for specific services such as source routing, SNMP, X windows, Telnet, RPC, and FTP.
      • Packet filters should also be used to allow access only to specific servers such as the proxy server and other bastion hosts.
    Firewall Architectures
  • 38. Firewall Architectures
    • The perimeter network is between the access router and the interior router.
    • By creating a separate network for externally accessed hosts you can minimize the probability of an intruder listening for passwords or confidential data.
    • Servers that provide access to external users are usually placed here.
    • All servers placed here should be bastion hosts with only a limited amount of services enabled.
    • A perimeter network is also referred to as a De-Militarized Zone (DMZ).
  • 39. Firewall Essential Features
    • Proxies - Each application that runs through the firewall needs its own proxy.
    • Customized kernel - Customization consists of disabling non-required services and modifying the insecure ones.
    • Logging -The logging feature is vital not only for analyzing attacks but also for providing legal evidence that an effort has been made to secure the network.
    • Authentication - The firewall should support some authentication based on the security policy.
  • 40. Firewall Essential Features (continued)
    • Administration - The administration utilities for the system should be straight forward and provide a quick method of viewing the current configuration to reduce configuration errors.
    • User Transparency - Depending on the product and services supported, proxy servers may require modifications to clients and procedures.
    • Platform - The firewall should run on a platform the organization has experience in using.
    • Network Interface - With Internet traffic growing, the ability for firewalls to integrate into high speed backbones will become more important.
    • Throughput - Demand for faster firewalls is being driven by faster WAN links and backbones.
  • 41. Non-repudiation
    • Non-repudiation is a security measure that provides proof of participation in a transaction for legal purposes.
    • Digital signature services provide strong and substantial evidence of
      • the identity of the signer,
      • the time of the message,
      • the context of a message, and
      • the message’s integrity.
    • Non-repudiation offers sufficient evidence to prevent a party from successfully denying the origin, submission or delivery of the message and the integrity of its contents.
      • For example, if you purchase a home furnishing via the WWW, you can be assured that no one else can easily make purchases in your name.
      • Non-repudiation provides evidence to prevent a false denial of message creation or message receipt, and renders an added level of confidence to buyers and sellers of products and services over the Internet
  • 42. Emerging Standard: IP Security Protocol (IPSec)
    • IPSec is a set of open standards providing data confidentiality, data integrity, and authentication between participating peers at the IP layer.
    • Relatively new standard.
    • Enables a system to select protocols and algorithms, and establishes cryptographic keys.
    • Uses the Internet Key Exchange (IKE) protocol to authenticate IPSec peers.
  • 43.
    • IKE uses the following technologies:
      • DES – encrypts packet data.
      • Diffie-Hellman – establishes a shared, secret, session key.
      • Message Digest 5 (MD5) – hash algorithm that authenticates packet data.
      • Secure Hash Algorithm (SHA) – hash algorithm that authenticates packet data.
      • RSA encrypted nonces – provides repudiation.
      • RSA signatures – provides non-repudiation.
    Emerging Standard: IPSec (continued)
  • 44. Emerging Standard: IPv6
    • IPv6 , also known as IPng (IP new generation).
    • With the rapid growth of the Internet over the last few years, two major limitations have become evident: the routing tables are growing too fast and the address space is insufficient.
    • IPv4 is based on a 32 bit address, allowing for addressing of up to about 4 billion computers. After debate address space increased from 32 to 128 bits.
    • IPv6 is based on a 128 bit address scheme.
    • By using 128 bits for addressing, this not only allows for addressing billions of billions of hosts, but it also allows a more hierarchical network to be built.
    • IPv6 has been designed to solve these problems and also include support for security and multimedia.
    • IPv6 requires IPSec . IPSec will be mandatory in IPv6 while it can be ‘transparently’ implemented on the current IPv4 Internet.
  • 45. Enabling Extranets through Virtual Private Networks (VPN’s)
      • Key extranet systems enabling tool.
      • VPN’s enable a customer to use a public network, such as the Internet, to provide a secure connection between sites on the organization’s inter-network.
      • VPN connectivity must be secure, but still allow ease of access to key resources via the Internet.
      • Interconnection to service provider’s network enabled through variety of technologies including leased lines (T1/T3), frame relay, cable modems, satellite, digital subscriber line (DSL), etc.
  • 46. VPN Architecture
    • Conceptually, constructing a virtual private network is straightforward.
    • Basic configuration consists of an
      • Internet connection,
      • a firewall architecture, and
      • a data security architecture.
    • The primary item that is needed by each LAN is an Internet connection.
    • The pipe should be large enough to service the potential traffic from VPN applications as well as regular Internet traffic.
    • Key Design Point: Examine the prospective ISP for connectivity, and make sure the ISP has the bandwidth to transport the potential traffic between sites.
  • 47. Typical VPN Configuration - LAN/WAN to Internet
  • 48.
      • Typically, firewall software is used to protect corporate LAN resources.
      • Also, a separate network (commonly referred to as the ‘demilitarized zone or DMZ’ placed between Internet router and firewall.
      • Some firewall vendors enable integration of DMZ and firewall.
    Enabling Extranets through VPN’s (continued)
  • 49.
      • Protocol tunneling is one technique used to create secure VPN.
      • In tunneling, data packets are encrypted and encapsulated in a clear text packet.
      • Layer 2 Tunneling Protocol (L2TP) is an emerging standard for tunneling private data over public networks.
      • Cisco, Microsoft, 3Com and Ascend Communications support standard setting efforts.
      • Microsoft has derived Point-to-Point Tunneling Protocol (PPTP) as built-in feature in NT & 2000 Server products.
    Enabling Extranets through VPN’s (continued)
  • 50. Next Session Highlights:
    • Firewalls, VPNs & Other Security Considerations (continued)
    • Read required article ‘Web Services Fundamentals’