Lecture 1 Introduction


Network Security Course (ET1318, ET2437) at Blekinge Institute of Technology, Karlskrona, Sweden

Published in: Education, Technology
  1. Network Security
     Raja M. Khurram Shahzad
  2. Course Overview
     • ~16 lectures = 2 x 45 minutes
     • Two laborations in Karlskrona (telekom-labbet)
       - One simple firewall laboration (iptables)
       - One VPN laboration
     • Assignment/s
     • Course homepage: It’s Learning (
     • Roll call
       - Done online through the submission of the assignment; more information on this later on
     • Course literature
       - Stallings, W. Network Security Essentials: Applications and Standards, 4/E, Prentice Hall.
  3. Security
     • Security is not a new concept
     • Quotes from “The Art of War”:
       - “The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.”
       - “Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win.”
       - The Art of War, Sun Tzu (late sixth century BC)
  4. History
     • ENIGMA:
       - The most sophisticated encoding machine of its time.
       - Used during World War II by the Germans.
       - Intercepting and decoding German transmissions would prove to be a turning point in the war.
  5. History cont.
     • U-2:
       - US spy plane
       - High altitude reconnaissance flights over the Soviet Union.
       - A U-2 was brought down by the Soviet Union.
       - This incident set in motion a pattern of mistrust that culminated in the Cuban Missile Crisis. No one can predict whether the Cold War might have ended sooner had the U-2 incident not occurred!
  6. What is SECURITY?
     1. Measures taken to guard against espionage or sabotage, crime or attack
     2. The protection of data against unauthorized access
     • “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts” (“Computer Recreations: Of Worms, Viruses and Core War” by A. K. Dewdney in Scientific American)
     • The Institute for Security and Open Methodologies (ISECOM), in the OSSTMM 3, defines security as "a form of protection where a separation is created between the assets and the threat".
     • In simple words: security is the degree of protection against danger, damage, loss, and criminal activity.
  7. Security Violations
     • User A transmits a file F containing sensitive information to user B. File F is SENSITIVE.
       A ---F---> B,  C CAPTURES F
       Unauthorized user C captures a copy during transmission.
     • F contains data about authorizations. A sends message m to B: ”Update file F with names in message m”.
       A(m) ---m---> B(F)
       C INTERCEPTS m and adds the name of C:
       A(m) ---m---> C(m) ---m (with C's name added)---> B(F)
  8. Computer & Network Security
     • Computer Security:
       - generic name for the collection of tools designed to protect data.
     • Network Security:
       - protect data during their transmission.
     • There are no clear boundaries between these two forms of security.
  9. Computer Security
     • NIST Computer Security Handbook defines computer security as:
       - The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunication).
     • Three key objectives (also called the CIA triad): Confidentiality, Integrity, Availability
       - They embody the fundamental security objectives for
         – Data and information
         – Computing services
  10. Computer Security
     • Confidentiality: only authorized disclosure of information
       - Data Confidentiality: not disclosed to unauthorized persons
       - Privacy: who will collect information and to whom it will be disclosed
       - Example: student grade information
     • Integrity: only authorized modification or destruction of information
       - Data Integrity: information and programs are changed only in a specific and authorized manner
       - System Integrity: no compromised functionality
       - Example: patient information in a hospital
     • Availability: timely and reliable access to and use of information
       - Service is not denied to authorized users
       - Example: authentication to services for critical systems
  11. Computer Security
     • Additional concepts
     • Authenticity
       - The property of being genuine and being able to be verified and trusted
     • Accountability
       - Actions of an entity can be traced uniquely to that entity
  12. Impact of a Breach of Security
     | Impact                                  | LOW               | MODERATE                | HIGH                                               |
     | Effect                                  | Limited           | Serious                 | Serious or catastrophic                            |
     | Functional ability (primary functions)  | Minor degradation | Significant degradation | Severe degradation                                 |
     | Damage to assets                        | Minor             | Significant             | Major                                              |
     | Financial loss                          | Minor             | Significant             | Major                                              |
     | Harm to individuals                     | Minor             | Significant             | Severe (loss of life or life-threatening injuries) |
  13. Secure Networks
     • Because no absolute definition of a secure network exists:
       - Networks cannot be classified simply as secure or not secure.
     • Each organization defines the level of access that is permitted or denied: the Security Policy
       - A security policy does not specify how to achieve protection.
       - The policy must apply to information stored in computers as well as to information traversing a network.
  14. Security's impact on overall functionality
     (diagram: trade-off triangle with the corners Security, Functionality, Ease of use)
  15. The OSI Security Architecture
     • Security Attack: Any action that compromises the security of information.
     • Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.
     • Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.
     (diagram: Normal Flow, Source to Dest)
  16. Security Attacks
     Security Attack: Any action that compromises the security of information.
     • Interruption: an attack on availability (diagram: Source, Destination, Darth)
     • Interception: an attack on confidentiality (diagram: Source, Destination, Darth)
  17. Security Attacks
     • Modification: an attack on integrity (diagram: Source, Dest, Darth)
     • Fabrication: an attack on authenticity (diagram: Source, Dest, Darth)
  18. Security Services
     • Confidentiality (privacy)
     • Authentication (who created or sent the data)
     • Integrity (has not been altered)
     • Non-repudiation (the order is final)
     • Access control (prevent misuse of resources)
     • Availability (permanence, non-erasure)
       - Denial of Service attacks
       - Virus that deletes files
  19. Passive & Active Attacks
     • Passive Attacks: difficult to detect, no alteration of data; the focus is on prevention
       1. Release of message contents
       2. Traffic analysis
     • Active Attacks: modification of the data stream or its false creation; difficult to prevent, so the focus is on detection and recovery
       1. Masquerade (impersonation)
       2. Replay
       3. Modification of messages
       4. Denial of service
  20. Passive Attacks
  21. Active Attacks I
  22. Active Attacks II
  23. Shane Stephens' definition of Hackers
     • Group A: People who attempt to gain illegal access to machines on the internet for the ”fun” of it, but with no malicious intent.
     • Group B: People who attempt to gain illegal access to machines on the internet WITH malicious intent.
     • Group C: People who are adept at writing C/C++ code very quickly to do a specific thing (or similar).
     • Group D: Everybody else (esp. mainstream media).
  24. Shane Stephens' definition of Hackers (cont.)
     • Group A call themselves "Hackers". Group A call Group B "Crackers".
     • Group B usually call themselves 31337 H4x0r5.
     • Group C call themselves "Hackers". Group C also call Group A "Hackers".
     • Many people in Group A are also in Group C.
     • Group D hasn't got any clue, and calls them all the same thing - "hackers".
     • The following naming scheme is appropriate:
       - Group A: Hacker
       - Group B: Cracker
       - Group C: Hacker (as well. Use context.)
       - Group D: Morons
  25. Inside Security
     • What hackers don't want you to KNOW
     • Firewalls are just the beginning:
       - a critical component of an effective defence system, but significantly limited in terms of the types of attacks they can detect and repel.
     • Not all the bad guys are “out there”:
       - roughly half of all attacks are engineered by insiders, who can potentially do more damage than hackers coming in from the outside.
     • Humans are the weakest link:
       - well-intentioned but uninformed employees are easily exploited by hackers who know which strings to pull.
     • Passwords are not secure:
       - the most common form of user authentication is a “secret” password. This happens to be one of the most vulnerable, for a variety of reasons.
  26. Inside Security
     • They can see you but you can't see them:
       - eavesdropping on network transmissions can reveal more than enough information to a hacker looking to gain higher levels of access.
     • Defaults are dangerous:
       - a vendor's choice of defaults for their product might meet their needs perfectly well but might spell disaster for you.
     • Yesterday's strong crypto is today's weak crypto:
       - just because you've encrypted a message is no guarantee that only authorized personnel will be able to read it.
     (slide footer: FREDRIK ERLANDSSON)
  27. Inside Security
     • “It takes a thief to catch a thief”:
       - if you want to repel hackers' attacks, it helps to think as they do. You can learn the tricks of the hacker trade from the same source that they do – the Internet.
     • The future of hacking is bright:
       - Hackers are not going away any time soon. Their numbers seem to be growing. Emerging trends in the IT arena point to a brighter day when computers will do even more for us than they do now. These same changes may also usher in a host of new vulnerabilities for the next generation of hackers to exploit.
  28. The Golden Age of Hacking
     • There are so many possible systems to break into, most of them with weak security.
     • Companies have insufficient information to track these attackers
       - even if attackers are detected, the chances of getting caught are slim.
     • Ironically, companies were afraid of the Y2K problem and spent a lot of money trying to fix it. In most cases it seemed like the problem was overestimated, hyped by the media. Now there is a REAL PROBLEM but companies do not want to invest the money.
     • Lack of awareness is the main reason why so many companies are vulnerable.
     • It’s also a good time to be a security professional.
  29. Methods of Defense
     • Encryption
     • Software Controls (access limitations in a database; the operating system protects each user from other users)
     • Hardware Controls (smart cards)
     • Policies (frequent changes of passwords)
     • Physical Controls
  30. Security Services
     Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.
     • Authentication:
       - peer-entity
       - data-origin
     • Access Control
     • Data Confidentiality:
       - connection
       - connectionless
       - selective-field
       - traffic-flow
     • Data Integrity:
       - connection [recovery, no-recovery, selective-field]
       - connectionless [no-recovery, selective-field]
     • Non-Repudiation:
       - origin
       - destination
  31. Authentication
     • The assurance that the communicating entity is the one that it claims to be
     • Data Origin: provides assurance that the source of received data is as claimed (m itself is not protected)
       A(m) ---m---> B;   B(m, A) -> AUTHENTIC(A)?
     • Peer Entity: provides confidence in the identities of the entities connected
       A <---c---> B;   S(A, B) -> AUTHENTIC(A, B)?   S(c, masquerader, replay) -> SECURE(c)?
     * m: message   * c: connection
  32. Access Control
     • The prevention of unauthorized use of a resource
     • Access REQUEST:              A(m) ---m---> {Host / System}
       Host MATCHES m to A:         {Host / System}(m, A) ---m’---> A
       A GRANTED read/write access: A(m’) <---c---> {Host / System}
     * m’: modified message or authentication message
  33. Confidentiality
     • The protection of data from unauthorized disclosure.
     • CONNECTION:      A <---c_K---> B   (e.g. TCP)   (*K: key)
     • CONNECTIONLESS:  A ---m_K---> B
     • SELECTIVE-FIELD: A <---c_K | c’---> B   (only selected fields of the connection are encrypted)
     • TRAFFIC-FLOW:    A ---{ }---> B   (the traffic pattern itself is hidden)
  34. Integrity
     • The assurance that data received are exactly as sent by an authorized entity.
     • CONNECTION-RECOVERY:    A ---m---> B over c, with modification/destruction in transit;   B(m) -> recover -> m
     • CONNECTION-NO RECOVERY: A ---m---> B over c, with modification/destruction in transit;   B(m) -> detect -> !!
     • SELECTIVE FIELD:        A ---m|m’---> B over c, with modification/destruction in transit;   B(m) -> detect(m) -> !!
  35. Non-Repudiation
     • Provides protection against denial by one of the entities involved in a communication
     • SENDER VERIFICATION:   A ---m, [A]---> B;   B(m, [A]) -> m came from A
     • RECEIVER VERIFICATION: A ---m---> B;  B ---[m], [B]---> A;   A([m], [B]) -> m was received by B
  36. Security Mechanism
     Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.
     • Encipherment – renders data unintelligible
     • Digital Signature – data tag to ensure a) source, b) integrity, c) anti-forgery
     • Access Control
     • Data Integrity
     • Authentication
     • Traffic Padding – prevent traffic analysis
     • Routing Control – adapt upon partial failure
     • Notarization – trusted third party
     • Trusted Functionality
     • Security Label
     • Event Detection
     • Audit Trail
     • Recovery
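As an added example (not part of the original lecture), the violation from slide 7 modelled in Python: A sends B an update message m for file F, C captures it, and B applies a data-integrity / data-origin mechanism (an HMAC tag, slides 31 and 34, connection no-recovery: detect) plus a sequence number to catch the replay attack from slide 19. The names A, B, C and F follow the slides; the shared key and the contents of F are constructed.

```python
import hashlib
import hmac
import json

# Shared secret between A and B. Constructed for this example; in practice it
# would be established out of band or by a key-exchange protocol.
KEY = b"constructed-shared-key-for-A-and-B"

def canonical(seq: int, sender: str, body: str) -> bytes:
    """Unambiguous encoding of the fields the tag covers."""
    return json.dumps({"seq": seq, "sender": sender, "body": body},
                      sort_keys=True).encode()

def a_sends(seq: int, body: str) -> dict:
    """A builds message m plus an HMAC-SHA256 tag over (seq, sender, body)."""
    tag = hmac.new(KEY, canonical(seq, "A", body), hashlib.sha256).hexdigest()
    return {"seq": seq, "sender": "A", "body": body, "tag": tag}

class ReceiverB:
    """B holds file F (an authorization list) and the last accepted seq."""
    def __init__(self) -> None:
        self.file_f = ["Alice", "Bob"]  # constructed contents of F
        self.last_seq = 0

    def receive(self, msg: dict) -> str:
        expected = hmac.new(KEY, canonical(msg["seq"], msg["sender"], msg["body"]),
                            hashlib.sha256).hexdigest()
        # Data-origin + integrity check: any changed field, or a tag produced
        # without KEY, fails here (connection, no-recovery: detect, do not apply).
        if not hmac.compare_digest(expected, msg["tag"]):
            return "REJECT: modified or not from A"
        # Replay check: a captured, unmodified copy of m carries an old seq.
        if msg["seq"] <= self.last_seq:
            return "REJECT: replay"
        self.last_seq = msg["seq"]
        self.file_f.extend(msg["body"].split(","))
        return "ACCEPT"

def demo() -> list:
    """Slide 7's scenario: C captures m, then tries modification, replay, forgery."""
    b = ReceiverB()
    m = a_sends(1, "Carol")
    out = [b.receive(m)]                                     # genuine update: ACCEPT
    out.append(b.receive(dict(m, body=m["body"] + ",C")))    # C adds its own name
    out.append(b.receive(m))                                 # C replays the captured m
    forged = {"seq": 2, "sender": "A", "body": "C",
              "tag": hashlib.sha256(b"no key").hexdigest()}  # fabrication without KEY
    out.append(b.receive(forged))
    return out
```

Note that the tag gives integrity and origin authentication but not confidentiality: C can still read m (the interception on slide 16), which is what the encipherment mechanism addresses.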
  37. Model for Network Security
  38. Network Access Security Model
     • Gatekeeper: password-based login, screening logic
     • Internal controls: monitor activity, analyse stored information
  39. The End