E gov security_tut_session_12
1. The Palestinian eGovernment Academy (www.egovacademy.ps)
Security Tutorial, Session 12
PalGov © 2011

2. About
This tutorial is part of the PalGov project, funded by the TEMPUS IV program of the Commission of the European Communities, grant agreement 511159-TEMPUS-1-2010-1-PS-TEMPUS-JPHES. Project website: www.egovacademy.ps
Project consortium:
• Birzeit University, Palestine
• University of Trento, Italy (Coordinator)
• Palestine Polytechnic University, Palestine
• Vrije Universiteit Brussel, Belgium
• Palestine Technical University, Palestine
• Université de Savoie, France
• Ministry of Telecom and IT, Palestine
• University of Namur, Belgium
• Ministry of Interior, Palestine
• TrueTrust, UK
• Ministry of Local Government, Palestine
Coordinator: Dr. Mustafa Jarrar, Birzeit University, P.O. Box 14, Birzeit, Palestine. Telfax: +972 2 2982935, mjarrar@birzeit.edu

3. Copyright Notes
Everyone is encouraged to use this material, or part of it, but should properly cite the project (logo and website) and the author of that part.
No part of this tutorial may be reproduced or modified in any form or by any means without prior written permission from the project, which holds the full copyright on the material.
Attribution-NonCommercial-ShareAlike (CC BY-NC-SA): this license lets others remix, tweak, and build upon your work non-commercially, as long as they credit you and license their new creations under identical terms.

4. Tutorial 5: Information Security
Session 12: Auditing and Wireless Security
Session 12 outline:
• Security Auditing
• Break
• Wireless Security Protocols

5. Tutorial 5, Session 12: Auditing
This session contributes to the following ILOs:
• A: Knowledge and Understanding
– a2: Defines security standards and policies.
• B: Intellectual Skills
– b3: Design end-to-end secure and available systems.
• D: General and Transferable Skills
– d2: Systems configurations.
– d3: Analysis and identification skills.

6. Security Audit
• Auditing applied to the security of an organization's information system (IS) assets.
• Definition (RFC 2828): "An independent review and examination of a system's records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services, and recommend any changes that are indicated for countermeasures. The basic audit objective is to establish accountability for system entities that initiate or participate in security-relevant events and actions. Thus, means are needed to generate and record a security audit trail and to review and analyze the audit trail to discover and investigate attacks and security compromises."

7. Security Audit Trail
• Definition (RFC 2828): "A chronological record of system activities that is sufficient to enable the reconstruction and examination of the sequence of environments and activities surrounding or leading to an operation, procedure, or event in a security-relevant transaction from inception to final results."
8. Security Audit Architecture
(figure only on the original slide; not reproduced here)

9. Distributed Audit Trail Model
(figure only on the original slide; not reproduced here)

10. Basic Security Auditing Functions
(figure only on the original slide; not reproduced here)
11. Definition of Events
• The auditable events must be defined.
• The Common Criteria suggest:
– Introduction of objects
– Deletion of objects
– Distribution or revocation of access rights or capabilities
– Changes to subject or object security attributes
– Policy checks performed by the security software
– Use of access rights to bypass a policy check
– Use of identification and authentication functions
– Security-related actions taken by an operator/user
– Import/export of data from/to removable media

12. Implementation Requirements
• Audit requirements should be agreed with the appropriate management.
• The scope of the checks must be agreed and controlled.
• Checks should be limited to read-only access to software and data.
• Identify the resources needed to perform the checks.
• Identify any special requirements (e.g. special tools or processing).
• Monitor and log all access made during the audit.
• Use documented procedures.

13. Collected Information
• Decide how much data to generate: size vs. quality.
• Data items captured may include:
– Operating system access (system calls)
– Use of system security mechanisms
– Auditing software use
– Remote access
– Events from IDS and firewall systems
– System management / operation events
– Access to selected applications
– Others...

14. Audit Trails at System Level
• It is useful to categorize audit trails by level.
• System-level audit trails
– See the Windows System event log (Event Viewer).

15. Application-Level Audit Trails
• To detect security violations within an application
• To detect flaws in the application's interaction with the system
• For critical / sensitive applications, e.g. email, databases
– See the Windows Application event log.

16. User-Level Audit Trails
• Trace the activity of individual users over time
– To hold users accountable for the actions they take
– As input to an analysis program that attempts to define normal versus anomalous behavior
– See the Windows System and Security event logs.

17. Physical-Level Audit Trails
• Generated by physical access controls, e.g. card-key systems, alarm systems
• Sent to a central host for analysis / storage
• Used in many ministries and organizations in Palestine
18. Example 1: Windows Event Log
• Each event is an entity describing some interesting occurrence.
– Each event record contains a numeric ID, a set of attributes, and optional user data.
– Presented as XML or binary data.
• Three main event logs:
– System: system-related applications and drivers
– Application: user-level applications
– Security: written by the Windows Local Security Authority (LSA) according to the audit policy

19. Windows Event (Audit Policy) Categories
• Account logon events
• Account management
• Directory service access
• Logon events
• Object access
• Policy changes
• Privilege use
• Process tracking
• System events

20. Example 1: Windows Event Log Demo
(live demonstration, not reproduced in the slides)
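As an added example (not part of the original slides or the PalGov material), the following Python script works on the XML form of Security-log records mentioned above: it flattens each <Event> into its numeric ID, System attributes and named EventData fields, then groups failed logons (event ID 4625) by source address and classifies the pattern, noting whether a successful logon (4624) for one of the failing accounts followed. The records are constructed for this example (host names, accounts and addresses are made up) and the failure threshold is an assumption.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624   # Security log event IDs (Vista and later)
# NTSTATUS codes found in the Status/SubStatus fields of a 4625 record
STATUS_TEXT = {"0xc000006a": "wrong_password", "0xc0000064": "no_such_user",
               "0xc000006d": "logon_failure", "0xc0000234": "account_locked"}


def _event(event_id, time, user, ip, substatus=None):
    """Build one constructed record in the Windows event XML layout (sample data only)."""
    sub = "" if substatus is None else (f'<Data Name="Status">0xc000006d</Data>'
                                         f'<Data Name="SubStatus">{substatus}</Data>')
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{time}"/>'
            f'<Channel>Security</Channel><Computer>srv1.example.local</Computer></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="IpAddress">{ip}</Data><Data Name="LogonType">3</Data>{sub}'
            f'</EventData></Event>')


# Constructed sample: one source tries four accounts once each, another hammers one
# account and then gets in. Addresses and accounts are made up.
SAMPLE_EVENTS = "<Events>" + "".join([
    _event(4625, "2011-03-01T07:20:01Z", "alice", "10.0.0.9", "0xc000006a"),
    _event(4625, "2011-03-01T07:20:02Z", "bob", "10.0.0.9", "0xc000006a"),
    _event(4625, "2011-03-01T07:20:03Z", "carol", "10.0.0.9", "0xc0000064"),
    _event(4625, "2011-03-01T07:20:04Z", "dave", "10.0.0.9", "0xc000006a"),
    _event(4625, "2011-03-01T07:28:33Z", "kppu", "10.0.0.5", "0xc000006a"),
    _event(4625, "2011-03-01T07:28:35Z", "kppu", "10.0.0.5", "0xc000006a"),
    _event(4625, "2011-03-01T07:28:37Z", "kppu", "10.0.0.5", "0xc000006a"),
    _event(4624, "2011-03-01T07:28:41Z", "kppu", "10.0.0.5"),
]) + "</Events>"


def parse_event(ev):
    """Flatten one <Event>: numeric ID and System attributes, plus every EventData/Data by Name."""
    system = ev.find("e:System", NS)
    rec = {"id": int(system.findtext("e:EventID", namespaces=NS)),
           "time": system.find("e:TimeCreated", NS).get("SystemTime"),
           "computer": system.findtext("e:Computer", namespaces=NS)}
    for d in ev.iterfind("e:EventData/e:Data", NS):
        rec[d.get("Name")] = d.text
    return rec


def load_events(xml_text):
    """Parse an <Events> container of Windows event records into flat dicts."""
    return [parse_event(e) for e in ET.fromstring(xml_text).findall("e:Event", NS)]


def failed_logon_report(xml_text, min_failures=3):
    """Group 4625 records by source address: many accounts with few attempts each looks
    like password spraying, one account hammered looks like brute force. The threshold
    of three failures is an assumption for this example."""
    per_ip = defaultdict(lambda: {"failures": 0, "accounts": set(),
                                  "reasons": Counter(), "later_success": False})
    for rec in load_events(xml_text):
        entry = per_ip[rec.get("IpAddress")]
        if rec["id"] == FAILED_LOGON:
            entry["failures"] += 1
            entry["accounts"].add(rec.get("TargetUserName"))
            code = (rec.get("SubStatus") or rec.get("Status") or "").lower()
            entry["reasons"][STATUS_TEXT.get(code, code)] += 1
        elif rec["id"] == SUCCESSFUL_LOGON and rec.get("TargetUserName") in entry["accounts"]:
            entry["later_success"] = True   # a previously failing account got in
    report = []
    for ip, e in sorted(per_ip.items(), key=lambda kv: kv[0] or ""):
        if e["failures"] < min_failures:
            continue
        report.append({"source": ip, "failures": e["failures"], "accounts": len(e["accounts"]),
                       "reasons": dict(e["reasons"]), "later_success": e["later_success"],
                       "pattern": "password_spray" if len(e["accounts"]) > 1 else "brute_force"})
    return report


if __name__ == "__main__":
    for row in failed_logon_report(SAMPLE_EVENTS):
        print(row)
```

On a real host the same records come from the Security channel (Event Viewer export or wevtutil), and the SubStatus code is the field that distinguishes a wrong password from a non-existent account, which is what separates spraying against a user list from guessing at one known user.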
21. Example 2: UNIX Syslog
• UNIX's general-purpose logging mechanism
– Found on all UNIX / Linux variants
– But with variations in facilities and log format

22. Syslog Service
• The basic service provides:
– A means of capturing relevant events
– A storage facility
– A protocol for transmitting syslog messages from other hosts to a central syslog server
• Extra add-on features may include:
– Robust filtering, log analysis, event response, alternative message formats, log file encryption, database storage, rate limiting

23. Syslog Protocol
• A transport allowing hosts to send event notification messages over IP to syslog servers
– Provides a very general message format
– Allows processes / applications to use their own conventions for the content of logged events
– Can be sent in plain text or over an encrypted channel

24. UNIX Syslog Examples
    Mar 1 06:25:43 server1 sshd[23170]: Accepted publickey for server2 from port 21011 ssh2
    Mar 1 07:16:42 server1 sshd[9326]: Accepted password for murugiah from port 1070 ssh2
    Mar 1 07:16:53 server1 sshd[22938]: reverse mapping checking getaddrinfo for ip10.165.nist.gov failed - POSSIBLE BREAKIN ATTEMPT!
    Mar 1 07:26:28 server1 sshd[22572]: Accepted publickey for server2 from port 30606 ssh2
    Mar 1 07:28:33 server1 su: BAD SU kPPU to root on /dev/ttyp2
    Mar 1 07:28:41 server1 su: kPPU to root on /dev/ttyp2
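As an added example (not part of the original slides or the PalGov material), the following Python script parses syslog lines in the BSD layout shown above and applies the kind of review an auditor would do on them: it flags sshd's reverse-DNS warning, lists password logins, and reports accounts with repeated BAD SU failures together with whether a successful su to the same target followed. The log lines below are constructed for this example (hosts, users and addresses are made up) and the threshold of two failures is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the BSD syslog layout used on the slide; hosts, users
# and addresses are made up for this example.
SAMPLE_LOG = """\
Mar  1 06:25:43 server1 sshd[23170]: Accepted publickey for server2 from 10.0.0.7 port 21011 ssh2
Mar  1 07:16:42 server1 sshd[9326]: Accepted password for murugiah from 10.0.0.8 port 1070 ssh2
Mar  1 07:16:53 server1 sshd[22938]: reverse mapping checking getaddrinfo for host-10-165.example.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  1 07:28:33 server1 su: BAD SU kppu to root on /dev/ttyp2
Mar  1 07:28:35 server1 su: BAD SU kppu to root on /dev/ttyp2
Mar  1 07:28:41 server1 su: kppu to root on /dev/ttyp2
"""

# "Mmm dd HH:MM:SS host prog[pid]: message" (the [pid] part is optional)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
SU_RE = re.compile(r"^(?P<bad>BAD SU )?(?P<user>\S+) to (?P<target>\S+) on (?P<tty>\S+)")


def parse_line(line):
    """Split one syslog line into its fields; return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def analyse(text, bad_su_threshold=2):
    """Return findings (list of dicts) from syslog text. The threshold of two
    failed su attempts is an assumption for the example, not a standard value."""
    findings = []
    failed_su = Counter()   # (user, target) -> number of BAD SU lines
    succeeded = set()       # (user, target) pairs that succeeded after failing
    for rec in filter(None, map(parse_line, text.splitlines())):
        msg = rec["msg"]
        if rec["prog"] == "su":
            m = SU_RE.match(msg)
            if m:
                key = (m.group("user"), m.group("target"))
                if m.group("bad"):
                    failed_su[key] += 1
                elif key in failed_su:
                    succeeded.add(key)
        elif rec["prog"] == "sshd":
            if re.search(r"POSSIBLE BREAK-?IN ATTEMPT", msg):
                findings.append({"type": "sshd_reverse_dns_mismatch", "ts": rec["ts"],
                                 "host": rec["host"], "detail": msg})
            elif msg.startswith("Accepted password for "):
                # password logins are worth listing where policy expects public keys
                findings.append({"type": "ssh_password_login", "ts": rec["ts"],
                                 "host": rec["host"], "user": msg.split()[3]})
    for (user, target), n in failed_su.items():
        if n >= bad_su_threshold:
            findings.append({"type": "repeated_bad_su", "user": user, "target": target,
                             "count": n, "succeeded_after": (user, target) in succeeded})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The parser deliberately keeps the program name and PID separate from the free-text message, because syslog only standardizes the header; everything after the colon follows the conventions of the program that wrote it, so each detection rule is keyed on `prog` first and on the message text second.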
25. Logging at Application Level
• Privileged applications have security issues
– which system- or user-level audit data may not see
– they account for a large percentage of reported vulnerabilities
– e.g. failure to adequately check input data, application logic errors
• Hence the need to capture detailed behavior
• Applications can be written to create their own audit data

26. Tutorial 5: Information Security
Session 12: Auditing and Wireless Security (second part)
Session 12 outline:
• Security Auditing
• Break
• Wireless Security Protocols
27. Introduction to Wireless Security Protocols
• Introduction to wireless and wireless standards
• Authentication and association
• WEP and WPA security protocols
• Other wireless network security issues

28. Different Wireless Standards
• Radio frequencies used:
– 2.4 GHz (802.11b, g, n)
– 5 GHz (802.11a, n)
• Wi-Fi, wireless LAN and IEEE 802.11
– Wi-Fi: an industry certification by the Wi-Fi Alliance for products implementing (drafts of, slightly modified) IEEE 802.11 standards
– Wireless LAN: a general term for short-range, high-speed radio networks
– IEEE 802.11: the standard defining this type of wireless connection

29. Wireless LAN Standards
• IEEE 802.11
– Original wireless LAN standard
– Up to 2 Mbps in the 2.4 GHz band
– Security: WEP & WPA
• IEEE 802.11a
– Up to 54 Mbps in the 5 GHz band
– Security: WEP & WPA
– "Wi-Fi Certified"
• IEEE 802.11b
– Up to 11 Mbps in the 2.4 GHz band
– Security: WEP & WPA
– "Wi-Fi Certified"
• IEEE 802.11g
– Up to 54 Mbps in the 2.4 GHz band
– Security: WEP & WPA
– "Wi-Fi Certified"

30. Service Set Identifier
• SSID
– A sequence of up to 32 bytes (alphanumeric in practice)
– Names a WLAN; it is a name, not a credential, and nothing enforces uniqueness
– Case sensitive
– Transmitted in cleartext (beacons, probe responses, association requests)

31. Beacons
• Beacons
– Information frames sent periodically by an AP
– Approximately 50 bytes, containing:
• Timestamp
• Beacon interval
• Capability information
• Service set identifier

32. Wireless Authentication and Association
• Wireless authentication
– A means to establish or prove identity to a wireless access point
– Verifies the eligibility of users, devices, or applications
– Only authorized clients are allowed to gain access to the wireless network
• Wireless association
– The binding of a wireless client to an access point before data transfer starts

33. Wireless Connection Steps and States
• Connection process
– First: authentication phase (Open System authentication or Shared Key authentication)
– Second: association phase
• The client moves through three states:
– State 1: unauthenticated and unassociated
– State 2: authenticated and unassociated
– State 3: authenticated and associated (data frames allowed)

34. Open System and Closed System Authentication
• Open System Authentication (the default)
– A null authentication: the station sends an authentication request and the AP acknowledges it; no credential is checked
– A station may probe with an empty (broadcast) SSID and learn the SSID from the probe response
• "Closed System"
– The AP stops advertising its SSID in beacons and answers only probes that carry the right SSID; the AP still acknowledges the authentication request
– The SSID still appears in cleartext in association requests, so this hides the network from casual scanning but is not an authentication mechanism

35. Shared Key Authentication
• Shared Key
– Uses the IEEE 802.11 Wired Equivalent Privacy (WEP) key
– Challenge-response scheme: the AP sends a random challenge text in clear, the station returns it WEP-encrypted, and the AP checks that it decrypts to the challenge
– Caveat: anyone who captures both frames obtains challenge XOR ciphertext, i.e. the RC4 keystream for that IV, which is why Open System authentication plus 802.1X is preferred
36. 802.1X and EAP
• IEEE 802.1X:
– A port-based network access control protocol
– Provides a security framework for IEEE 802 networks, including Ethernet and wireless
• EAP, the Extensible Authentication Protocol:
– Originally defined as an extension of PPP's authentication phase
– Provides a framework that carries many different authentication methods

37. Wired Equivalent Privacy (WEP)
• Defined in the original IEEE 802.11 standard and used with 802.11b.
• A secret key is shared between the stations and the access point.
• The secret key is used (with the RC4 stream cipher) to encrypt data frames.
• Uses an integrity check value (ICV).
• The logical service is located within the MAC layer.
• Intended to provide:
– Confidentiality
– Authentication
– Access control, in conjunction with layer management

38. WEP Properties
• Claimed "reasonably strong" (built on RC4); in practice the construction is broken and the key can be recovered from captured traffic (see the key weaknesses below)
• Self-synchronizing (each frame carries its own IV), efficient, and exportable (40-bit keys)
• Optional

39. WEP IV and Secret Keys
• 802.11b key sizes (the per-frame RC4 seed is IV || secret key):
– 64-bit shared RC4 key: 24-bit IV plus a 40-bit secret key
– 128-bit shared RC4 key: 24-bit IV plus a 104-bit secret key
– 152-bit shared RC4 key: 24-bit IV plus a 128-bit secret key
• IV (24 bits) || Secret Key (40 bits) → PRNG (RC4) seed

40. WEP Key Servers
• Advantages of key servers
– Centralized key generation
– Centralized key distribution
– Ongoing key rotation
– Reduced key management overhead

41. WEP Key Weaknesses
• Small key size (40 bits)
• Simplistic key management: one static key shared by everyone
• IV too small: 24 bits gives only 16,777,216 distinct keystreams, so IVs repeat on a busy network and a reused keystream reveals the XOR of two plaintexts
• Weak ICV algorithm: CRC-32 is linear, so ciphertext bits can be flipped and the ICV patched without knowing the key
• Authentication messages can be easily faked: the Shared Key challenge/response leaks a keystream
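As an added example (not part of the original slides or the PalGov material), the following Python code implements the WEP construction from slide 39 (RC4 seeded with IV || key, CRC-32 ICV) and then demonstrates two of the weaknesses listed above: the Shared Key authentication exchange of slide 35 handing an eavesdropper a keystream that decrypts any later frame with the same IV, and CRC-32 linearity letting an attacker flip bits in a frame and patch the ICV without the key. The key, IV and frame contents are constructed for the example; RC4 is written out in full so nothing depends on an external library.

```python
import zlib


def rc4(key, length):
    """Plain RC4 (KSA + PRGA): return `length` keystream bytes for `key`."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(secret_key, iv, plaintext):
    """Frame body = IV || (RC4(IV || key) XOR (plaintext || ICV)). The IV is sent in clear."""
    assert len(iv) == 3 and len(secret_key) in (5, 13, 16)   # 40/104/128-bit keys
    keystream = rc4(iv + secret_key, len(plaintext) + 4)
    return iv + xor(plaintext + icv(plaintext), keystream)


def wep_decrypt(secret_key, frame):
    """Return (plaintext, icv_ok) for a frame produced by wep_encrypt."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4(iv + secret_key, len(body)))
    plaintext, received_icv = data[:-4], data[-4:]
    return plaintext, icv(plaintext) == received_icv


# Weakness 1: Shared Key authentication hands an eavesdropper a keystream.
def keystream_from_shared_key_auth(challenge, response_frame):
    """The AP sends `challenge` in clear; the station answers with WEP(challenge).
    XOR-ing the two yields the RC4 keystream for that IV, with no key needed."""
    iv, body = response_frame[:3], response_frame[3:]
    return iv, xor(body, challenge + icv(challenge))


def decrypt_with_keystream(keystream, frame):
    """Decrypt any later frame that reuses the same IV (24-bit IVs repeat quickly)."""
    body = frame[3:]
    return xor(body, keystream[: len(body)])[:-4]


# Weakness 2: CRC-32 is linear, so crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros).
def flip_bits(frame, delta):
    """XOR `delta` into the encrypted payload and patch the encrypted ICV so the
    receiver still accepts the frame; the attacker never learns the key."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    assert len(delta) == n
    icv_delta = xor(icv(delta), icv(bytes(n)))
    return iv + xor(body, delta + icv_delta)


if __name__ == "__main__":
    key, iv = b"\x01\x02\x03\x04\x05", b"\x00\x00\x01"   # constructed 40-bit key and IV
    frame = wep_encrypt(key, iv, b"TRANSFER 100 TO ACCT 42")
    print(wep_decrypt(key, frame))
    forged = flip_bits(frame, xor(b"TRANSFER 100 TO ACCT 42", b"TRANSFER 900 TO ACCT 42"))
    print(wep_decrypt(key, forged))            # modified text, ICV still verifies
    challenge = bytes(range(128))
    _, ks = keystream_from_shared_key_auth(challenge, wep_encrypt(key, iv, challenge))
    print(decrypt_with_keystream(ks, frame))   # same IV reused: plaintext recovered
```

Neither attack touches RC4 itself: the keystream recovery needs only the cleartext challenge, and the bit-flip needs only the linearity of CRC-32. That is the point of the "weak ICV" and "small IV" items above, and it is why 802.11i replaced the ICV with a keyed MIC (Michael for TKIP, CBC-MAC for CCMP) and made the per-packet key depend on a counter that must never repeat.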
42. IEEE 802.11i and WPA
• Overview
– IEEE 802.11 Task Group i: specification for robust security
– Robust Security Network (RSN): implements only the new mechanisms proposed by 802.11i
– Transitional Security Network (TSN): allows RSN and WEP to coexist
– "802.11i" is generally used to designate both
• Wi-Fi Protected Access (WPA)
– Defined by the Wi-Fi Alliance from a subset (a draft) of the 802.11i specification, with extensions added
– WPA2 is the Wi-Fi Alliance certification for the full 802.11i standard

43. IEEE 802.11i Features
• Separation of security services
– Avoids one security service relying on another
– Uses a different mechanism for each
• Use of session keys
– The master key is never used for encryption
• Use of existing standards
– Already tested, more robust

44. Key Usage in IEEE 802.11i
• Uses master keys and temporal keys
• Master keys (PMK) are produced during authentication: from the 802.1X/EAP exchange in enterprise mode, or from the pre-shared key in WPA-PSK
• Temporal keys are derived from the master key once the STA is authenticated (in the 4-way handshake)
• Temporal keys are short-lived

45. IEEE 802.11i: Security Services
A. Authentication: mutual authentication between the STA and the network
– Personal: pre-shared keys (WPA-PSK, passphrases)
– Enterprise: IEEE 802.1X (EAP, RADIUS)
B. Confidentiality and data integrity
– Key distribution using EAPOL-Key (802.1X)
– TKIP: Temporal Key Integrity Protocol
– CCMP: Counter Mode with CBC-MAC Protocol (AES-based)
C. Access control: ensures that only legitimate users access the network
– Entirely based on the authentication result
– Implemented at the AP
» This slide is taken from "Hani Ragab Hassen Lecture Notes, Kent University."
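As an added example (not part of the original slides or the PalGov material), the following Python code carries the key usage of slide 44 and the services of slide 45 through in working form: the WPA-PSK master key (PMK) is derived from the passphrase and SSID with PBKDF2-HMAC-SHA1, the temporal keys (KCK, KEK, TK) are expanded from the PMK with the 802.11i PRF over the MAC addresses and nonces exchanged in the 4-way handshake, and the KCK is used to compute the EAPOL-Key MIC. The PBKDF2 and PRF parameters are those of the standard; the MAC addresses, nonces and the EAPOL-Key frame bytes are constructed for the example, and the "password"/"IEEE" pair is the first test vector from IEEE 802.11i Annex H.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    This is the master key; it never encrypts traffic itself."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid, 4096, 32)


def prf(key, label, data, nbits):
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and truncate to nbits."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce, cipher="CCMP"):
    """Temporal keys from the 4-way handshake inputs: AP MAC (AA), station MAC (SPA)
    and the two nonces. PTK is 384 bits for CCMP (TK 128) and 512 bits for TKIP
    (TK 256, which includes the two Michael MIC keys). The min/max ordering makes
    both sides compute the same input regardless of who is AP and who is STA."""
    tk_len = 16 if cipher == "CCMP" else 32
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, (32 + tk_len) * 8)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:32 + tk_len]}


def eapol_key_mic(kck, eapol_key_frame_mic_zeroed):
    """Key MIC for handshake messages 2-4 with the CCMP (AES) key descriptor:
    HMAC-SHA1 over the EAPOL-Key frame with its MIC field zeroed, truncated to
    128 bits. (The TKIP descriptor uses HMAC-MD5 instead.)"""
    return hmac.new(kck, eapol_key_frame_mic_zeroed, hashlib.sha1).digest()[:16]


if __name__ == "__main__":
    # Constructed values for the example: MAC addresses and nonces are made up.
    pmk = pmk_from_passphrase("password", b"IEEE")   # IEEE 802.11i Annex H test vector
    aa = bytes.fromhex("001122334455")               # AP MAC (constructed)
    spa = bytes.fromhex("66778899aabb")              # station MAC (constructed)
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    print("PMK", pmk.hex())
    for name, k in ptk.items():
        print(name, k.hex())
    # a constructed EAPOL-Key message 2 with the 16-byte MIC field already zeroed
    print("MIC", eapol_key_mic(ptk["KCK"], b"\x01\x03\x00\x5f\x02" + bytes(95)).hex())
```

Because the PMK depends only on the passphrase and SSID, a captured 4-way handshake (both nonces and the MIC) is enough to test passphrase guesses offline; the nonces are what make the TK fresh per session, which is why slide 43 insists the master key itself is never used for encryption.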
46. Enterprise Authentication
• WPA-PSK does not scale: one secret shared by all users
• Enterprise suite:
– 802.1X: limits access to the network to EAP traffic until authentication is done
– EAP: carries the authentication exchanges
• EAPOL-Key packets are used to distribute the session keys after successful authentication
• Originally designed for dial-up connections
– Runs over 802.1X (EAPOL) inside the LAN
– Runs over RADIUS between the authenticator and the authentication server
– RADIUS: the RADIUS server holds the users' credentials
» This slide is taken from "Hani Ragab Hassen Lecture Notes, Kent University."

47. IEEE 802.1X, EAP and RADIUS
(figure on the original slide: Supplicant ↔ Authenticator ↔ Authentication Server; not reproduced here)
This slide is taken from "Hani Ragab Hassen Lecture Notes, Kent University."

48. Extensible Authentication Protocol (EAP)
• Extensible Authentication Protocol (RFC 2284, since superseded by RFC 3748)
• Used between the authentication server (AS) and the supplicant; the authenticator only forwards the EAP messages
• The intermediate messages are defined by each authentication method, e.g.:
– EAP-TLS (Transport Layer Security)
– EAP-TTLS (Tunneled TLS)
– Kerberos
• Mutual authentication is possible (depending on the method)

49. IEEE 802.1X for IEEE 802.11
• Three entities are involved:
1. Supplicant: the STA that needs access; initiates the authentication
2. Authenticator: the gate controller (the AP)
3. Authentication Server (AS): decides whether to grant the supplicant access, based on the information relayed by the authenticator

50. EAP and 802.1X
• EAP was originally designed for dial-up authentication
– Not directly usable on a LAN
• 802.1X defines EAP over LAN (EAPOL):
– EAPOL-Packet: encapsulates EAP packets
– EAPOL-Start: sent by the supplicant to trigger authentication and discover the local authenticator
– EAPOL-Key: transports keys after successful authentication
– EAPOL-Logoff: sent by the supplicant to disconnect

51. RADIUS: Why?
• EAPOL cannot transport EAP packets over an IP network
• A secure channel between the authenticator and the authentication server is needed
• EAP over RADIUS (RFC 2869: RADIUS Extensions)
• Remote Authentication Dial-In User Service (RFC 2865)
• A central authentication server plus local authenticators
– As in IEEE 802.11
– First designed for use by Internet Service Providers (ISPs)

52. RADIUS: How?
(figure only on the original slide; not reproduced here)

53. Fitting It All Together
(figure on the original slide: Supplicant ↔ Authenticator ↔ Authentication Server; not reproduced here)

54. 802.11 Security Protocols
Security protocol | 802.11 (WEP) | 802.11i          | WPA Personal | WPA Enterprise    | WPA2 Personal  | WPA2 Enterprise
Authentication    | PSK          | PSK or 802.1X/EAP/RADIUS | PSK  | 802.1X/EAP/RADIUS | PSK            | 802.1X/EAP/RADIUS
Data encryption   | WEP          | CCMP, TKIP (O)   | TKIP         | TKIP              | CCMP, TKIP (O) | CCMP, TKIP (O)
(O) = optional
55. Wireless Packet / Data Filtering
• Blocking unwanted traffic
• Three basic types of filtering:
– SSID filtering
– MAC address filtering
– Protocol filtering

56. Attacks on WLANs
• Some attack methods:
– Passive attacks (eavesdropping)
– Active attacks
• Jamming attacks
• Man-in-the-middle attacks

57. Emerging Security Solutions
• WEP key management
• Wireless VPNs
• TKIP
• AES
• Wireless gateways
• 802.1X and EAP
• Policies
• Etc.

58. Wireless VPN
• VPN: virtual private network
– A private network link carried over a public network
– Uses tunnelling
– Uses encryption techniques

59. Roaming
• Roaming
– The ability for a user to function when the serving network is different from their home network
– The process of a client moving from one area or AP to another while maintaining a data link
• Mobile IP
– Allows users with mobile devices whose IP addresses belong to one network to stay connected when moving to another network with different addressing

60. Roaming and Mobility
(figure only on the original slide; not reproduced here)

61. VPN Use in Roaming
• A wireless VPN can be implemented in two ways:
– A centralized VPN server (hardware or software)
– A distributed set of VPN servers
• Can be located in the AP, with RADIUS support

62. Corporate Security Policy
• Develop a wireless security policy
– Define what is and what is not allowed with wireless technology.
• Measure the basic field coverage of the wireless network.
• Know the technologies and the users that use the network.
• Physical security.

63. Corporate Security Policy (continued)
• Set baselines and perform audits / monitoring of the network.
• Harden APs, servers, and gateways.
• Determine the level of security protocols and standards.
• Consider using switches, a DMZ, RADIUS servers, and VPNs.
• Update firmware and software.

64. Securing WLAN: Policies
• If possible, put the wireless network behind its own routed interface so you can shut it off if necessary.
• Pick a random SSID that reveals nothing about your network.
• Set your AP to "closed network" (hidden SSID); treat this as hygiene rather than security, since clients still send the SSID in cleartext.
• Set the 802.11 authentication method to Open (Shared Key authentication leaks keystream) and do the real authentication with 802.1X.
• Have your broadcast (group) keys rotate every few minutes.
• Use 802.1X for key management and authentication
– Look over the available EAP methods and decide which is right for your environment.
– Set the session to time out every few minutes, forcing re-authentication and fresh keys.

65. References
1. William Stallings and Lawrie Brown, Computer Security: Principles and Practice. Pearson/Prentice Hall, 2008. ISBN 0-13-600424-5.
2. Cisco CWNA course.
3. Dr. Hani Ragab Hassen, Lecture Notes, Kent University.

66. Summary
• In this session we discussed the following:
– The need for security auditing
– Audit model, functions, requirements
– Security audit trails
– Implementing logging and analysis
– Overview of wireless networking and standards
– Wireless security protocols and policies

67. Thanks
Radwan Tahboub