• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
E gov security_tut_session_12

E gov security_tut_session_12






Total Views
Views on SlideShare
Embed Views



1 Embed 27

http://www.egovacademy.ps 27



Upload Details

Uploaded via as Adobe PDF

Usage Rights

CC Attribution-NonCommercial LicenseCC Attribution-NonCommercial License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    E gov security_tut_session_12 E gov security_tut_session_12 Presentation Transcript

    • ‫أكاديمية الحكومة اإللكترونية الفلسطينية‬The Palestinian eGovernment Academy www.egovacademy.psSecurity Tutorial Sessions 12 PalGov © 2011 1
    • AboutThis tutorial is part of the PalGov project, funded by the TEMPUS IV program of theCommission of the European Communities, grant agreement 511159-TEMPUS-1-2010-1-PS-TEMPUS-JPHES. The project website: www.egovacademy.psProject Consortium: Birzeit University, Palestine University of Trento, Italy (Coordinator ) Palestine Polytechnic University, Palestine Vrije Universiteit Brussel, Belgium Palestine Technical University, Palestine Université de Savoie, France Ministry of Telecom and IT, Palestine University of Namur, Belgium Ministry of Interior, Palestine TrueTrust, UK Ministry of Local Government, PalestineCoordinator:Dr. Mustafa JarrarBirzeit University, P.O.Box 14- Birzeit, PalestineTelfax:+972 2 2982935 mjarrar@birzeit.eduPalGov © 2011 2
    • © Copyright NotesEveryone is encouraged to use this material, or part of it, but should properlycite the project (logo and website), and the author of that part.No part of this tutorial may be reproduced or modified in any form or by anymeans, without prior written permission from the project, who have the fullcopyrights on the material. Attribution-NonCommercial-ShareAlike CC-BY-NC-SAThis license lets others remix, tweak, and build upon your work non-commercially, as long as they credit you and license their new creationsunder the identical terms. PalGov © 2011 3
    • Tutorial 5: Information SecuritySession 12: Auditing and WirelessSecuritySession 12 Outline: • Security Auditing • Break • Wireless Security Protocols PalGov © 2011 4
    • Tutorial 5: Session 12: AuditingThis session will contribute to the followingILOs:• A: Knowledge and Understanding a2: Defines security standards and policies.• B: Intellectual Skills b3: Design end-to-end secure and available systems.• D: General and Transferable Skills d2: Systems configurations. d3: Analysis and identification skills. PalGov © 2011 5
    • Security Audit• Auditing used on the security of an organization’s information system (IS) assets.• Definition – “An independent review and examination of a systems records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services, and recommend any changes that are indicated for countermeasures. The basic audit objective is to establish accountability for system entities that initiate or participate in security-relevant events and actions. Thus, means are needed to generate and record a security audit trail and to review and analyze the audit trail to discover and investigate attacks and security compromises.” [from RFC2828.] PalGov © 2011 6
    • Security Audit Trail• Definition – “A chronological record of system activities that is sufficient to enable the reconstruction and examination of the sequence of environments and activities surrounding or leading to an operation, procedure, or event in a security- relevant transaction from inception to final results” [from RFC2828]. PalGov © 2011 7
    • Security Audit Architecture PalGov © 2011 8
    • Distributed Audit Trail Model PalGov © 2011 9
    • Basic Security Auditing Functions PalGov © 2011 10
    • Definition of Events• Must define what are auditable events• Common criteria suggests: – Introduction of objects – Deletion of objects – Distribution or revocation of access rights or capabilities – Changes to subject or object security attributes – Policy checks performed by the security software – Use of access rights to bypass a policy check – Use of identification and authentication functions; – Security-related actions taken by an operator/user – Import/export of data from/to removable media PalGov © 2011 11
    • Implementation Requirements• Decide requirements management• Scope of checks to be agreed and controlled• Checks limited to read-only access to s/w & data• Identified resources for performing the checks• Identify special requirements• Monitor /Log all access• Use DOCUMENT procedures, PalGov © 2011 12
    • Collected Information• Decide on amount of generated data – Size vs quality• Data items captured may include: – Operating system access (system calls) – Use of system security mechanisms – Auditing software use – Remote access – Events from IDS and firewall systems – System management / operation events – Access to selected applications – Others… PalGov © 2011 13
    • Audit Trails on System Level• Useful to categorize audit trails• System-level audit trails – See MS System event viewer. PalGov © 2011 14
    • Application-Level Audit Trails• to detect security violations within an application• to detect flaws in applications system interaction• for critical / sensitive applications, e.g. email, DB – See MS Application event viewer. PalGov © 2011 15
    • User-Level Audit Trails• Trace activity of individual users over time – To hold user accountable for actions taken – As input to an analysis program that attempts to define normal versus anomalous behavior – See ms system and security event viewers. PalGov © 2011 16
    • Physical-Level Audit Trails• Generated by physical access controls – E.G. Card-key systems, alarm systems• Sent to central host for analysis / storage• Used in many ministries and organizations in Palestine PalGov © 2011 17
    • Example 1: Windows Event Log• Each event an entity that describes some interesting occurrence and – Each event record contains: • Numeric id, set of attributes, optional user data – Presented as XML or binary data• Have three types of event logs: – System - system related apps & drivers – Application - user-level apps – Security - windows LSA PalGov © 2011 18
    • Windows Event Categories• Account logon events• Account management• Directory service access• Logon events• Object access• Policy changes• Privilege use• Process tracking• System events PalGov © 2011 19
    • Example 1: Windows Event Log Demo• SEE DEMO PalGov © 2011 20
    • Example 2: UNIX Syslog• UNIXs general-purpose logging mechanism – found on all UNIX / Linux variants – but with variants in facility and log format PalGov © 2011 21
    • Syslog Service• Basic service provides: – A means of capturing relevant events – A storage facility – A protocol for transmitting syslog messages from other hosts to a central syslog server• Extra add-on features may include: – Robust filtering, log analysis, event response, alternative message formats, log file encryption, database storage, rate limiting PalGov © 2011 22
    • Syslog Protocol• A transport allowing hosts to send IP event notification messages to syslog servers – Provides a very general message format – Allowing processes / apps to use suitable conventions for their logged events – Can be plain or encrypted PalGov © 2011 23
    • Unix Syslog ExamplesMar 1 06:25:43 server1 sshd[23170]: Accepted publickey for server2 from port 21011 ssh2Mar 1 07:16:42 server1 sshd[9326]: Accepted password for murugiah from port 1070 ssh2Mar 1 07:16:53 server1 sshd[22938]: reverse mapping checking getaddrinfo for ip10.165.nist.gov failed - POSSIBLE BREAKIN ATTEMPT!Mar 1 07:26:28 server1 sshd[22572]: Accepted publickey for server2 from port 30606 ssh2Mar 1 07:28:33 server1 su: BAD SU kPPU to root on /dev/ttyp2Mar 1 07:28:41 server1 su: kPPU to root on /dev/ttyp2 PalGov © 2011 24
    • Logging at Application Level• privileged applications have security issues – which system/user-level audit data may not see – a large percentage of reported vulnerabilities – e.g. failure to adequately check input data, application logic errors• hence need to capture detailed behavior• applications can be written to create audit data PalGov © 2011 25
    • Tutorial 5: Information SecuritySession 12: Auditing and WirelessSecuritySession 12 Outline: • Security Auditing • Break • Wireless Security Protocols PalGov © 2011 26
    • Introduction to Wireless Security Protocols.• Introduction Wireless and Wireless Standards• Authentication and Association• WEP and WPA Security Protocols• Other Wireless Network Security Issues PalGov © 2011 27
    • Différent Wireless Standards• Used radio frequencies: – 2.4GHZ (b, g, n) – 5GHZ (a, n)• Wi-fi , wireless LAN and IEEE802.11 – Wi-fi: • Industry standard proposed by the wi-fi alliance which implements the (drafts of, slightly modified) IEEE802.11 standards – Wireless LAN: • A general term used for wireless short range, high- speed radio networks – IEEE802.11: • A standard defining a type of wireless connection PalGov © 2011 28
    • Wireless LAN Standards• IEEE 802.11 • IEEE 802.11a – Original wireless LAN – Up to 54Mbps in the standard 5GHz band – Up to 2Mbps in the 2.4GHz – Security: WEP & WPA band – "Wi-Fi Certified" – Security: WEP & WPA• IEEE 802.11b • IEEE 802.11g – Up to 11Mbps in the 2.4GHz – Up to 54Mbps in the band 2.4GHz band – Security: WEP & WPA – Security: WEP & WPA – "Wi-Fi Certified" – "Wi-Fi Certified" PalGov © 2011 29
    • Service Set Identifier• SSID – 2-32 byte alphanumeric sequence of characters – Uniquely names a WLAN, – Case sensitive and is – Encoded in plain text. PalGov © 2011 30
    • Beacons• Beacons – Information frame sent by an AP. – Approximately 50-bytes: • Timestamp • Beacon interval • Capability info • Service set identifier PalGov © 2011 31
    • Wireless Authentication and Association• Wireless authentication – A means to establish or prove identity to wireless access points – Verifying eligibility of users, devices, or applications. – Only authorized clients are allowed to gain access to the wireless network.• Wireless Association – The binding of a wireless network client to an access point before starting data transfer. PalGov © 2011 32
    • Wireless Connection Steps and States• Connection Process – First: Authentication Phase • Open System Authentication • Shared Key Authentication – Second: Association Phase• The Connection Process has 3 States: – Authenticated and Associated – Authenticated and Unassociated – Unauthenticated and Unassociated PalGov © 2011 33
    • System Authentication• Open System Authentication – Default – Authentications based on sending empty / null string SSID – Receiving station, (AP) sends acknowledgment• Closed System – Authentications based only on SSID – Receiving station, (AP) sends acknowledgment PalGov © 2011 34
    • Shared Key Authentication• Shared Key – IEEE 802.11 Wireless Equivalent Privacy, (WEP). – Authentications based on Text and WEP Keys. – Challenge – Response Scheme PalGov © 2011 35
    • 802.1x and EAP• 802.1x : – a port-level access control protocol, – provides a security framework for IEEE networks, – including Ethernet and wireless networks.• EAP - Extensible Authentication Protocol, – sits inside of PPPs authentication protocol – provides a framework for many authentication methods. PalGov © 2011 36
    • Wired Equivalent Privacy (WEP)• 802.11b standard.• A secret key is shared between stations and an access point.• The secret key is used to encrypt data packets• Uses Integrity check• Logical service is located within the MAC layer.• Provided are : – Confidentiality; – Authentication; – Access control in conjunction with layer management. PalGov © 2011 37
    • WEP Properties• Reasonably strong (RC4) !!!! (breakable?)• Self-synchronizing, Efficient and May be exportable• Optional PalGov © 2011 38
    • WEP IV and Secret Keys• 802.11b – 64-bit shared RC4 Key. 24-bit IV plus a 40-bit Secret Key. IV Secret Key 24 - bits 40 - bits PRNG Seed – 128-bit shared RC4 Key. 24/104 – 152-bit shared RC4 Key. 24/128 PalGov © 2011 39
    • WEP Key Servers• Advantages of Key Servers – Centralized key generation – Centralized key distribution – Ongoing key rotation – Reduced key management overhead. PalGov © 2011 40
    • WEP Key Weaknesses• Small key size (40 bit)• Simple Key management• Too small IV vectors. 24-bit = 16,777,216 different cipher streams.• Weak ICV algorithm (CRC-32)• Authentication messages can be easily faked. PalGov © 2011 41
    • IEEE 802.11i and WPA• Overview • IEEE 802.11 task group I: • Specification for robust security – Robust security network (RSN): – Implements only the new mechanisms proposed by the 802.11i – Transitional security network (TSN): – Allows RSN and WEP to cooperate – Generally 802.11i is used to designate both of them • WI-FI – Wireless protected access (WPA) – Adopts a subset of 802.11i specifications – Extensions added PalGov © 2011 42
    • IEEE 802.11i Features• Separation of security services – Avoids that a security services relies on each other. – Uses different mechanisms• Use of session keys – Master key is never used for encryption• Use of existing standards – Already tested, more robust PalGov © 2011 43
    • Key usage for IEEE 802.11i• Use of master and temporal keys• WPA Master keys are generated while authentication.• Temporal keys are generated using the master key once the STA is authenticated• Temporal keys are short life keys PalGov © 2011 44
    • IEEE 802.11i: Security ServicesA. Authentication: mutual authentication between the STA and the network – Personal: pre-shared keys (WPA-PSK , passwords) – Enterprise: IEEE802.1X (EAP, RADIUS)B. Confidentiality and Data Integrity – Key distribution using EAPOL, 802.1X – TKIP: Temporal Key Integrity Protocol – CCMP: Counter-Mode CBC-MAC ProtocolC. Access Control: ensures that only legitimate users access the network – Entirely based on the authentication result – Implemented at the AP » This slide is taken from “Hani Ragab Hassen Lecture Notes, Kent University.” PalGov © 2011 45
    • Enterprise Authentication• The WPA-PSK is not efficient• Enterprise suite: – 802.1x: allows limiting the access to the network to EAP traffic until the authentication is done – EAP: carries authentication exchanges • EAPOL-Key packets are used to distribute the session keys after successful authentication • Originally designed for dial-up connections – Runs over 802.1x inside a LAN – Runs over RADIUS outside the LAN – RADIUS: the RADIUS server holds the users’ credentials » This slide is taken from “Hani Ragab Hassen Lecture Notes, Kent University.” PalGov © 2011 46
    • IEEE802.1X, EAP and RADIUS Supplicant Auth ServeThis slide is taken from “Hani Ragab Hassen Lecture Notes, Kent University.” PalGov © 2011 47
    • Extensible Authentication Protocol (EAP)• Extensible Authentication Protocol (RFC2284)• Used between the authentication server (AS) and the supplicant, the authenticator forwards EAP messages• Middle messages are defined for each authentication method – Transport Layer Security (TLS) – Tunneled TLS (TTLS) – Kerberos• Mutual Authentication is possible PalGov © 2011 48
    • IEEE802.1X for IEEE802.11• Three involved entities: 1.Supplicant: the STA which needs to have access, initiates the authentication 2.Authenticator: gate controller (AP) 3.Authentication Server (AS): decides whether to grant the supplicant the access or not according to the information transmitted by the authenticator PalGov © 2011 49
    • EAP and 802.1X• EAP was designed originally for dial-up authentication – Not adapted for LAN• The 802.1X defines EAP over LAN (EAPOL) – EAPOL-Packet: encapsulates EAP packets – EAPOL-Start: allows local authenticators discovering – EAPOL-Key: transports keys after successful authentication – EAPOL-Logoff: sent by the supplicant to disconnect PalGov © 2011 50
    • RADIUS: Why?• EAPOL can not transport EAP packets over an IP network• A secure channel should be used• EAP over RADIUS (RFC2869:EAP Extensions)• Remote Access Dial-In User Service (RFC2865)• A central authentication server + local authenticators – As in IEEE802.11 – Designed firstly to be used by Internet Service Providers (ISP) PalGov © 2011 51
    • RADIUS: How? PalGov © 2011 52
    • Fitting it all together !Supplicant Auth Serv. PalGov © 2011 53
    • 802.11 Security Protocols 802.11 WPA WPA2Security WEP 802.11i Perso Enterprise Personal EnterpriseProtocols nal 802.1X/ 802.1X/ 802.1X/Authenticatio PSK EAP/ PSK EAP/ PSK EAP n Radius Radius Radius (O) Data TKIP TKIP CCMP/ CCMP/ WEP CCMP/ Encryption TKIP(O) TKIP(O) TKIP PalGov © 2011 54
    • Wireless Packet / Data Filtering• Blocking unwanted traffic.• Three basic types of filtering: – SSID Filtering – MAC Address Filtering – Protocol Filtering PalGov © 2011 55
    • Attacks on WLANs• Some attack methods: – Passive Attacks (Eavesdropping) – Active Attacks • Jamming Attacks • Man-in-the-middle Attacks PalGov © 2011 56
    • Emerging Security Solutions• WEP Key Management• Wireless VPNs• TKIP• AES• Wireless Gateways• 802.1X and EAP• Policies• Etc… PalGov © 2011 57
    • Wireless VPN• VPN – Virtual private network. – Private network link carried on a public network – Uses tunnelling – Utilizes encryption techniques PalGov © 2011 58
    • Roaming• Roaming – ability for a user to function when the serving network is different from their home network. – The process of a client moving from one area or AP to another while maintaining a data link.• Mobile IP – allows users with mobile devices whose IP addresses are associated with one network to stay connected when moving to another network with a different IP. PalGov © 2011 59
    • Roaming and Mobility PalGov © 2011 60
    • VPN Use in Roaming• Wireless VPN implemented by two methods: – A centralized VPN server (Hardware/ software) – A distributed set of VPN servers • Can be located in the AP with RADIUS support PalGov © 2011 61
    • Corporate Security Policy• Develop a wireless security policy – define what is and what is not allowed with wireless technology.• Measure the basic field coverage of the wireless network.• Know the technologies and the users that use the network.• Physical Security PalGov © 2011 62
    • Corporate Security Policy• Set base lines and perform audits/monitoring of the network.• Harden AP’s, servers, and gateways.• Determine level of security protocols and standards.• Consider using switches, DMZ, RADIUS servers, and VPN.• Update firmware and software. PalGov © 2011 63
    • Securing WLAN Policies• If possible, put the wireless network behind its own routed interface so you can shut it off if necessary.• Pick a random SSID that gives nothing about your network.• Set your AP to Closed Network.• Set the authentication method to Open.• Have your broadcast keys rotate every few minutes.• Use 802.1X for key management and authentication – Look over the available EAP protocols and decide which is right for your environment. – Set the session to time out every few minutes. PalGov © 2011 64
    • References1. Computer Security: Principles and Practice, by William Stallings and Lawrie Brown. Published by Pearson/Prentice Hall, © 2008. ISBN: 0-13-600424-5.2. Cisco CWNA Course3. Dr. Hani Ragab Hassen Lecture Notes, Kent University. PalGov © 2011 65
    • Summary• In this session we discussed the following: – Introduced need for security auditing – Audit model, functions, requirements – Security audit trails – Implementing logging and analysis. – Overview of wireless networking and standards – Wireless security protocols and policies PalGov © 2011 66
    • Thanks Radwan Tahboub PalGov © 2011 67