2. Index
• Introduction to Database
Security Requirements
Reliability and Integrity
Sensitive Data
Inference
Multilevel Database
• Network Security
Network Concepts
Threats in Networks
Security Controls
Firewalls
Intrusion Detection System
• Secure Email
2
3. Database Concepts
• Database
a collection of data & set of rules that organize the data
user works with a logical representation of the data
• Relational database
in the relational model, data is organized as a collection of RELATIONS or tables
relations is a set of ATTRIBUTES or columns
each row (or record) of a relation is called a TUPLE
• Database management system (DBMS)
maintains the DB and controls read write access
• Database administrator (DBA)
sets the organization of and access rules to the DB
3
4. Database Concepts
• Relationships between tables (relations) must be in the form of other relations
base (‘real’) relations: named and autonomous relations, not derived from other relations
(have stored data)
views: named derived relations (no stored data)
snapshots: like views are named, derived relations, but they do have stored data
query results: result of a query - may or may not have name, and no persistent existence
4
5. Database Concepts
• Within every relation, need to uniquely identify every tuple
a primary key of a relation is a unique and minimal identifier for that relation
can be a single attribute - or may be a choice of attributes to use
when primary key of one relation used as attribute in another relation it is a foreign key in that
relation
5
6. Database Concepts
• Structured Query Language (SQL)
to manipulate relations and data in a relational database
• Types of SQL Commands
Data Dictionary Language (DDL)
define, maintain, drop schema objects
Data Manipulation Language (DML)
SELECT, INSERT, UPDATE
Data Control Language (DCL):
control security (GRANT,REVOKE) and concurrent access (COMMIT , ROLLBACK)
6
7. Security Requirements
• Physical database integrity
• Logical database integrity
• Element integrity
• Auditability
• Access control
• User authentication
• Availability
7
8. Security Requirements
• Physical database integrity
immunity to physical catastrophe, such as power failures, media failure
physical securing hardware, UPS
regular backups
• Logical database integrity
reconstruction Ability
maintain a log of transactions
replay log to restore the systems to a stable point
8
9. Security Requirements
• Element integrity
integrity of specific database elements is their correctness or accuracy
field checks
– allow only acceptable values
access controls
– allow only authorized users to update elements
change log
– used to undo changes made in error
referential Integrity (key integrity concerns)
two phase locking process
• Auditability
log read/write to database
9
10. Security Requirements
• Access Control (similar to OS)
logical separation by user access privileges
more complicated than OS due to complexity of DB (granularity/inference/aggregation)
• User Authentication
may be separate from OS
can be rigorous
• Availability
concurrent users
granularity of locking
reliability
10
11. SQL Security Model
• SQL security model implements DAC based on
users: users of database - user identity checked during login process;
actions: including SELECT, UPDATE, DELETE and INSERT;
objects: tables (base relations), views, and columns (attributes) of tables and views
• Users can protect objects they own
when object created, a user is designated as ‘owner’ of object
owner may grant access to others
users other than owner have to be granted privileges to access object
11
12. SQL Security Model
• Components of privilege are
grantor, grantee, object, action, grantable
privileges managed using GRANT and REVOKE operations
the right to grant privileges can be granted
• Issues with privilege management
each grant of privileges is to an individual or to “Public”
makes security administration in large organizations difficult
individual with multiple roles may have too many privileges for one of the roles
SQL3 is moving more to role based privileges
12
13. SQL Security Model
• Authentication & identification mechanisms
CONNECT <user> USING<password>
DBMS may chose OS authentication
or its own authentication mechanism
Kerberose
PAM
13
14. SQL Security Model
• Access control through views
many security policies better expressed by granting privileges to views derived from base
relations
example
CREATE VIEW AVSAL(DEPT, AVG)
AS SELECT DEPT, AVG(SALARY)
FROM EMP GROUP BY DEPT
access can be granted to this view for every dept mgr
example
CREATE VIEW MYACCOUNT AS
SELECT * FROM Account
WHERE Customer = current_user()
view containing account info for current user
14
15. SQL Security Model
• Advantages of views
views are flexible, and allow access control to be defined at a description level appropriate to
application
views can enforce context and data-dependent policies
data can easily be reclassified
15
16. SQL Security Model
• Disadvantages of views
access checking may become complex
views need to be checked for correctness (do they properly capture policy?)
completeness and consistency not achieved automatically - views may overlap or miss parts of
database
security-relevant part of DBMS may become very large
16
17. SQL Security Model
• Inherent weakness of DAC
DAC allows subject to be written to any other object which can be written by that subject
trojan horses to copy information from one object to another
17
18. SQL Security Model
• Mandatory access controls (MAC)
no read up, no write down
traditional MAC implementations in RDBMS have focused solely on MLS
there have been three commercial MLS RDBMS offerings
trusted Oracle ,Informix OnLine/Secure, Sybase Secure SQL Server
18
19. SQL Security Model
• Enforce MAC using security labels
assign security levels to all data
label associated with a row
assign a security clearance to each users
label associated with the user
DBMS enforces MAC
access to a row based upon
– the label associated with that row and the label associated with the user accessing that row.
19
20. Case Study
RECORDID CLIENTNO DEPTNO ALLOCATION_DATE LAST_UPDATE MEDICAL_HISTORY RISK_FACTOR
0010 K108341 K01 2006/01/05 2006/02/05 Diabetes 0
0020 K104546 K01 2006/10/20 2006/11/05 Arthritis 2
0030 S245987 S02 2006/09/01 2006/10/05 High Blood Pressure 3
0040 S245456 S02 2006/06/26 2006/07/05 Asthma 1
– Medical record analyst
• READ all records
• WRITE all records
– Managers
• READ client records of their department
• READ only non-confidential columns
• No WRITE access
20
21. Case Study
• Columns
medical record analysts have READ/WRITE access to confidential columns
managers have READ access to non-confidential columns
• Rows:
medical record analysts can read and update all the records
managers can read but not update client records for their department
21
22. Case Study: DAC Solution
Three approaches used to provide row level security using DAC (Discretionary
Access Control)
• application views
• programming logic embedded in the application
• physical separation using one or more databases
22
23. Case Study: DAC Solution
• Application views
• Widely used approach
• Views provide the ability to
filter data.
23
24. Case Study: DAC Solution
Create view manager_K01 as
select recordid, clientno,
deptno, allocation_date,
last_update,risk_factor
from Med_records
where Dept = ‘K01’;
Create view manager_S01 as
select recordid, clientno, deptno,
allocation_date, last_update, risk_factor
from Med_records
where Dept = ‘S01’;
Create view med_rec_analyst as
select * from Med_records;
24
25. Case Study: DAC Solution
• Application views
number of views required is sometimes large as application ages
directing application users to the correct view becomes management burden
application complexity tends to increase due to unforeseen security requirements
25
26. Case Study: DAC Solution
• Application Programmatic Logic Approach
in this approach, application controls SQL statements outside the application.
26
27. Case Study: DAC Solution
• Application program logic approach
SQL statements issued outside the application using utility such as SQL Plus can’t be
controlled
In scenario of application rewriting SQL statements to restrict access based on data sensitivity,
typically numerous additional tables must be build
Those tables need to be maintained to manage information related authorizations of
application user
27
28. Case Study: DAC Solution
• Multiple database approach
• No of databases required is equal to the number of data sensitivities.
• data can be protected by using dedicated databases to manage each
sensitivity
28
29. Case Study: DAC Solution
• Multiple database approach
number of databases required is equal to the number of data sensitivities
overhead created by running multiple databases in terms of memory, processing power and
physical storage is substantially increased
cost associated of managing single database is multiplied by number of databases
viewing information across multiple database requires distributed queries and application logic
29
30. Case Study: MAC Solution
• Designing security solution
row and column security labels that protect the columns and rows
user security labels that grant users the appropriate access
30
31. Case Study: MAC Solution
revisit the problem
to restrict access to the column that is confidential, apply confidential security label to the
column
to restrict managers' access to only the records for their department, each row can be tagged
with a security label that indicates the department.
write restriction for managers can be implemented by revoking their write privileges.
Position READ WRITE
Medical record analyst ALL ALL
Managers Client records for their department and only non-confidential columns None
31
32. Case Study: MAC Solution
• a column security label.
• four security labels for row protection
• user security label for medical record analysts
• grant security labels to users
32
33. SQL Security Model
• Issues with MAC
information tends to becomes over classified
no protection against violations that produce illegal information flow through indirect means
inference Channels - A user at a low security class uses the low data to infer information about
high security class
covert channels - Require two active agents, one at a low level and the other at a high level and an
encoding scheme
33
34. Sensitive Data
• Sensitive data is data that should not be made public
• Factors determining sensitivity
inherently sensitive: The value itself may be so revealing that it is sensitive
locations of defensive missiles
from a sensitive source
CIA informer whose identity may be compromised
part of a sensitive attribute or a sensitive record
salary attribute from an HR database
sensitive with respect to previously disclosed data
longitude of secret army base if latitude is known
34
35. Sensitive Data
• Even metadata (data about data) may be sensitive
bounds: indicating that a sensitive value, y, is between two values, L and H.
negative Result: disclosing that z is not the value of y may be sensitive. Especially when z has
only small set of possible values
existence: existence of data is itself may be sensitive piece of data
probable Value: probability that a certain element has a certain value
35
36. Security vs. Precision
• Precision: revealing as much non sensitive data as possible
disclose as much data as possible
Issue: User may put together pieces of disclosed data and infer other, more deeply hidden, data
• Security: reveal only those data that are not sensitive
rejecting any query that mentions a sensitive field
Issue: may reject many reasonable and non disclosing queries
• The ideal combination : perfect confidentiality with maximum precision
achieving this goal is not easy !
36
38. Statistical Databases
• A database limited to statistical measures (primarily counts and sums)
• Example: medical record database where researchers access only statistical
measures
• In a statistical database, information retrieved by means of statistical (aggregate)
queries on an attribute
38
39. Inference
• Security issue with statistical databases
• Inference problem exists when sensitive data can be deduced from non sensitive
data
attacker combines information from outside the database with database responses
39
40. Inference
• Sensitive fields exist in database
• Only when viewed row wise
• DBA must not allow names to be associated with sensitive attributes
• “n items over k percent” rule (do not respond if n items represents over k% of the
result)
40
41. Inference
SSN Name Race DOB Sex Zip Marital Heath
Asian 09/07/64 F 22030 Married Obesity
Black 05/14/61 M 22030 Married Obesity
White 05/08/61 M 22030 Married Chest pain
White 09/15/61 F 22031 Widow Aids
•Anonymous medical data:
Name Address City Zip DOB Sex Party
…. …. …. …. …. …. ….
Sue Carlson 900 Market
St.
Fairfax 22031 09/15/61 F Democrat
•Public available voter list:
•Sue Carlson has Aids!
41
42. Inference
• Types of attack
direct attack: aggregate computed over a small sample so individual data items leaked
indirect attack: combines several aggregates;
tracker attack: type of indirect attack (very effective)
linear system vulnerability: takes tracker attacks further, using algebraic relations between
query sets to construct equations yielding desired information
42
43. Inference
NAME SEX RACE AID FINES DRUGS DORM
Adams M C 5000 45 1 Holmes
Bailey M B 0 0 0 Grey
Chin F A 3000 20 0 West
Dewitt M B 1000 35 3 Grey
Earhart F C 2000 95 1 Holmes
Fein F C 1000 15 0 West
Groff M C 4000 0 3 West
Hill F B 5000 10 2 Holmes
Koch F C 0 0 1 West
Liu F A 0 10 2 Grey
Majors M C 2000 0 2 Grey
43
44. Inference
• Direct Attack
determine values of sensitive fields by seeking them directly with queries that yield few
records
request LIST which is a union of 3 sets
LIST NAME where (SEX =M DRUGS = 1)
(SEX M SEX F) (DORM = Ayres)
No dorm named Ayres , Sex either M or F
“n items over k percent” rule helps prevent attack
44
45. Inference
Indirect attack: combines several aggregates
1 Male in Holmes receives 5000
1 Female in Grey received no aid
request a list of names by dorm (non sensitive)
Students by Dorm and Sex
Holmes Grey West Total
M 1 3 1 5
F 2 1 3 6
Total 3 4 4 11
Sums of Financial Aid by Dorm and Sex
Holmes Grey West Total
M 5000 3000 4000 12000
F 7000 0 4000 11000
Total 12000 3000 8000 23000
45
46. Inference
• Often databases protected against delivering small response sets to queries
• Trackers can identify unique value
request (n) and (n-1) values
given n and n – 1, we can easily compute the desired single element
46
47. Inference
• How many caucasian females live in Holmes Hall?
count((SEX=F)(RACE=C) (DORM=Holmes)
result: refused because one record dominates the result
now issue two queries on database
count(SEX=F) response = 6
count((SEX=F) (RACE C) (DORM Holmes)) response=5
thus 6-5=1 females live in Holmes Hall
47
48. Inference
• Tracker is a specific case of ‘Linear system vulnerability’
result of the query is a set of records
q1 = c1+c2+c3+c4+c5
q2 = c1+c2 +c4
q3 = c3+c4
q4 = c4+c5
q5 = c2 +c5
we can obtain c5 = ((q1 – q2) – (q3 –q4))/2
all other c can be derived
48
49. Inference
• Protection techniques
• Only queries disclosing non sensitive data allowed
difficult to discriminate between queries
effective primarily against direct attacks
• Controls applied to individual items within the database
suppression: don’t provider sensitive data
concealing: provider slightly modified value
49
50. Inference
• “n item over k percent rule” not sufficient in itself prevent inference
• We must suppress one other value in each row and column to disallow
Students by Dorm and Sex, with Low Count
Suppression
Holmes Grey West Total
M – 3 – 5
F 2 – 3 6
Total 3 4 4 11
50
51. Inference
• Suppression by Combining results
combines rows or columns to protect sensitive values
Suppression by Combining
Revealing Values
Drug Use
Sex 0 or 1 2 or 3
M 2 3
F 4 2
51
52. Inference
• Random sample
partition data and take random sample from partition
equivalent queries may or may not result in the same sample
• Random data perturbation
intentionally introduce error into response
• Query analysis
history Driven
difficult
52
53. Aggregation
• Aggregation problem exists when the aggregate of two or more data items is
classified at a level higher than the least upper bound of the classification of the
individual items that comprise the aggregate
the data items multiple instances of same entity
• Addressing the aggregation problem is difficult
requires the DBMS to track what results each user had already received
it can take place outside the system
relatively few proposals for countering aggregation
53
54. Aggregation
• Data association: A sub-problem of aggregation
data association – sensitive associations between instances of two or more distinct data items
(cardinal) aggregation - associations among multiple instances of the same entity
54
55. Inference vs. Aggregation
• They are similar but different
inference: sensitive data deduced from non sensitive data
relatively easier problem
protection by means of control over query , data and other ways
aggregation: multiple instances of entity result in sensitive data
difficult problem
protection requires the DBMS to track what results each user had already received
55
56. Multilevel Databases
• Data sensitivity not black or white
exist shades of sensitivity
grades of security may be needed
• So far we seen sensitivity a function of the attribute (column)
e.g. ‘Drug use’ column sensitive
• Actually sensitivity not function of column or row
the security of one element may be different from that of other elements of the same row or
column
security implemented for each individual element
56
57. Multilevel Databases
Data and Attribute Sensitivity
Name Department Salary Phone Performance
Rogers training 43,800 4-5067 A2
Jenkins research 62,900 6-4281 D4
Poling training 38,200 4-4501 B1
Garland user services 54,600 6-6600 A4
Hilten user services 44,500 4-5351 B1
Davis admin 51,400 4-9505 A3
57
58. Multilevel Databases
• Leads to Multi Level Security Model
n levels of sensitivity
objects separated into compartments by category
sensitivity marked for each value in database
every combination of elements can also have a distinct sensitivity
access control policy dictate which users may have access to what data
58
59. Multilevel Databases
• To preserve Integrity , DBMS must enforce “No write down” (*-property)
the process that reads high level data cannot write to a lower level
issue: DBMS must read all records and write new records for backups, query processing etc
solution: trusted process
• Preserving confidentiality
issue: Leads to redundancy
59
60. Multilevel Databases
• Polyinstantiation
different users operating at two different levels of security might get two different answers to
the same query
one record can appear (be instantiated) many times, with a different level of confidentiality
each time
Polyinstantiated Records
Name Sensitivity Assignment Location
Hill, Bob C Program Mgr London
Hill, Bob TS Secret Agent South Bend
60
61. Future Direction
• Civilian users dislike inflexibility of MLS databases
MLS databases primarily research interest
• Privacy concerns fueling interest in database security
hippocratic database
database design that takes consumer privacy into account in the way it stores and retrieves
information
61
62. Case Study: MAC Solution
Example of steps to implement LBAC:
1. Defining the security policies and labels
a. Defining the security label component
CREATE SECURITY LABEL COMPONENT SLC_LEVEL
SET {'CONFIDENTIAL'}
CREATE SECURITY LABEL COMPONENT SLC_LIFEINS_ORG TREE {'LIFE_INS_DEPT' ROOT,
'K01' UNDER 'LIFE_INS_DEPT',
'K02' UNDER 'LIFE_INS_DEPT',
'S01' UNDER 'LIFE_INS_DEPT',
'S02' UNDER 'LIFE_INS_DEPT' }
b. Defining the security policy
CREATE SECURITY POLICY MEDICAL_RECORD_POLICY COMPONENTS SLC_LEVEL, SLC_LIFEINS_ORG
WITH DB2LBACRULES
RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL
62
63. Case Study: MAC Solution
c. Defining the security labels
CREATE SECURITY LABEL MEDICAL_RECORD_POLICY.MED_RECORD COMPONENT
SLC_LEVEL 'CONFIDENTIAL'
For each department,
CREATE SECURITY LABEL MEDICAL_RECORD_POLICY.LIFEINS_DEPT_K01 COMPONENT
SLC_LIFEINS_ORG 'K01'
For Medical analyst
CREATE SECURITY LABEL MEDICAL_RECORD_POLICY.MEDICAL_ANALYST
COMPONENT SLC_LEVEL 'CONFIDENTIAL', COMPONENT SLC_LIFEINS_ORG
'K01', 'K02', 'S01', 'S02'
63
64. Case Study: MAC Solution
2. Altering the MEDICAL_RECORD table by adding a security label column for row level
protection, marking the confidential column as protected, and attaching the security policy to
the table.
GRANT SECURITY LABEL MEDICAL_RECORD_POLICY.MEDICAL_ANALYST TO USER <administrator_auth_id>
FOR ALL ACCESS
ALTER TABLE MEDICAL_RECORD ALTER COLUMN MEDICAL_HISTORY SECURED WITH
MEDICAL_RECORD_POLICY.MED_RECORD ADD COLUMN DEPARTMENT_TAG DB2SECURITYLABEL ADD
SECURITY POLICY MEDICAL_RECORD_POLICY
64
65. Case Study: MAC Solution
3. Updating the MEDICAL_RECORD table security label column.
GRANT EXEMPTION ON RULE DB2LBACWRITETREE FOR MEDICAL_RECORD_POLICY TO USER
<administrator_auth_id>
For each department,
UPDATE MEDICAL_RECORD set DEPARTMENT_TAG= SECLABEL_BY_NAME
('MEDICAL_RECORD_POLICY', 'DEPT_K01') where DEPTNO='K01'
65
66. LBAC(Label Based Access Control)
4. Granting the appropriate security labels to users.
GRANT SECURITY LABEL MEDICAL_RECORD_POLICY. MEDICAL_ANALYST TO USER PETER
FOR ALL ACCESS
GRANT SECURITY LABEL MEDICAL_RECORD_POLICY.DEPT_K01 TO USER Andrea FOR ALL
ACCESS
GRANT SECURITY LABEL MEDICAL_RECORD_POLICY.DEPT_S02 TO USER Joseph for ALL
ACCESS
66
68. Threats in Network
Intercepting data in traffic
Accessing programs or data at remote hosts
Modifying programs or data at remote hosts
Modifying data in transit
Inserting communications
Impersonating a user
Inserting a repeat of a previous communication
Blocking selected traffic
Blocking all traffic
Running a program at a remote host
68
69. Security Threat Analysis
• 3 steps in analyzing a security threat:
Scrutinize all the parts of the systems
Consider the possible damage to confidentiality, integrity, & availability
Hypothesize the kinds of attacks that could cause the specific kind of damage
• Similar approach can be taken to analyze threats in a network.
69
70. What an Attacker Might Do?
• Read communication
• Modify communication
• Forge communication
• Inhibit communication
• Inhibit all communication passing through a point
• Read data at some machine C between two people
• Modify or destroy data at C
70
71. Security Controls
• Can be implemented at different levels
• Compliant with different security requirements
• Have some advantages and drawbacks depending on the scenario
71
72. Architectural Security Control 1
• Segmentation
It reduces the number of
threats
It limits the amount of
damage a single
vulnerability
can allow
72
Segmented Architecture
73. Architectural Security Control 2
Redundancy
It allows a function to be performed on more than one node
Failure over mode- The server communicates with each other periodically, each determining if
the other is still active.
Single points of failure
Eliminating a single point in the network which if failed, could deny access to all or a
significant part of the network
Mobile agents
73
74. Encryption
Encryption is the most important & versatile tool for a network security expert.
Encryption is used for providing:
Privacy
Authenticity
Integrity
Limited access to data
Note: Encryption protects only what is encrypted
74
75. Kinds of Encryption 1
• Link Encryption
Data are encrypted just before the system places them on the physical communication link
Encryption occurs at layer 1 or 2 in the OSI model
Encryption protects the message in transit between two computers
This kind of encryption is invisible to user
It is most appropriate when the transmission line is the point of greatest vulnerability
75
76. Kinds of Encryption 2
• End-to-End Encryption
It provides security from one end of a transmission to the other
The message is transmitted in encrypted form through the network
It addresses potential flaws in lower layers in the transfer model
When used, messages sent through several hosts are protected
76
77. Virtual Private Networks (VPN)
VPN allows users to access their internal networks and computers over the
Internet or other public network, using encrypted tunnels (communication passes
through encrypted tunnel).
VPN are created when the firewall interacts with an authentication service inside
the parameter.
Firewall
It is an access control device that sits between two networks or two network segments.
It filters all traffic between the protected or “inside” network and a less trustworthy or
“outside” network or segment.
77
78. Public Key Infrastructure (PKI)
• PKI
It is a set of policies, products, & procedures leaving some room for interpretation.
It is a process created to enable users to implement public key cryptography, usually in large
settings.
It offers each user a set of services related to identification & access control.
It sets up entitles called certificate authorities that implement the PKI policy on certificates.
It is not yet a mature process.
78
79. Encryption
SSH (Secure Shell) encryption
A pair of protocols, originally defined for UNIX
It provides authenticated and encrypted path to the shell or operating system command
interpreter.
SSL (Secure Sockets layer) encryption
It is also known as TLS (Transport Layer Security)
It was originally designed by Netscape
It interfaces between applications and the TCP/IP protocols to provide server authentication,
optional client authentication, & an encrypted communication channel between client & server.
79
80. IP Security Protocol Suite (IPSec)
IPSec
It is designed to address fundamental shortcomings such as being subject to spoofing,
eavesdropping, & session hijacking.
It is implemented at the IP layer
It is somewhat similar to SSL (supports authentication & confidentiality in a way that does not
necessitate significant change either above or below it)
Security association
The basis of IPSec
It is roughly compared to an SSL session
80
81. Related Terms
Security Parameter Index (SPI)
A data element that is essentially a pointer into a table of security associations.
Encapsulated Security Payload (ESP)
It replaces (includes) the conventional TCP header and data portion of a packet.
It contains both an authenticated header (AH) and an encrypted portion.
Internet Security Association Key Management Protocol (ISAKMP)
It requires that a distinct key be generated for each security association.
It is implemented through IKE or ISAKMP key exchange
81
82. Content Integrity
• Three potential threats:
Malicious modification that changes content in a meaningful way
Malicious or non-malicious modification that changes content in a way that is not necessarily
meaningful
Non-malicious modification that changes content in a way that will not be detected
82
83. Guard Modification Threats
• Error correcting codes
Error detection & error correcting codes can be used to guard against modification in a
transmission.
Parity Check is the simplest error detection code technique.
Even Parity – the parity bit is set so that the sum of all data bits plus the parity bit is even.
Odd Parity – It is similar to the even parity bit except the sum is odd.
Hash code or Huffman code are some other error detection codes
83
84. Cryptographic Checksum
• Cryptographic Checksum (Message Digest)
It is a cryptographic function that produces a checksum.
It prevents the attacker from changing the data block.
Major uses of cryptographic checksum are code tamper protection & message integrity
protection in transit.
84
85. Authentication Methods
One-Time Password
It is good for only one time use
A password token can help in generating unpredictable passwords
This technique is immune to spoofing as it works on a password generating algorithm
Challenge-Response System
It looks like a simple pocket calculator
This device eliminates the small window of vulnerability in which a user could reuse a time-
sensitive authenticator
Digital Distributed Authentication
85
86. Access Controls
• ACLs on Routers
Problems on adding ACLs to the routers
Routers in a large network perform a lot of work
Efficiency issues
Nature of threat
• Firewalls
Can examine an entire
packet’s content, including
the data portion.
86
Access to Services & Servers in Kerberos
87. Wireless Security 1
Service Set Identifier (SSID)
It is the identification of an access point
It is a string of up to 32 characters
Wired Equivalent Privacy (WEP)
It uses an encryption key shared between the client and the access point.
It uses either a 64bit or 128 bit encryption key.
WiFI protected access (WPA)
It is an alternate to WEP
The encryption key is changed automatically on each pocket by a key change approach called
Temporal Key Integrity Program (TKIP)
87
88. Wireless Security 2
Alarms & Alerts
An intrusion detection system is a device that is placed inside a protected network to monitor
what occurs within the network.
Honey pots
Loaded with servers, devices & data; it is a computer system or a network segment.
A honeypot is put up for several reasons
To watch what attackers do
To lure an attacker to a place where you can identify and stop the attacker
To provide an attractive but diversionary playground
88
89. Wireless Security 3
• Traffic Flow Security
Onion routing – messages are repeatedly encrypted and then sent through several network
89
Onion Routing
92. Summary 3
92
Target Vulnerability Control
Integrity •Protocol Flaw
•Active Wiretap
•Noise
•DNS Attack
•Controlled Execution Environment
•Audit
•Encryption
•Error Detection Code
•Error Detection Code
•Firewall
•Intrusion Detection System
•Strong Authentication for DNS
Changes
•Audit
93. Summary 4
93
Target Vulnerability Control
Availability •Protocol Flaw
•DNS Attack
•Traffic Redirection
•DDoS
•Firewall
•Redundant Architecture
•Firewall
•Intrusion Detection System
•ACL on Border Router
•Honeypot
•Encryption
•Audit
•ACL on Border Router
•Honeypot
94. Firewalls
94
What Is a Firewall?
• A device that filters all traffic between a protected or "inside” network and a less trustworthy or "outside”
network.
• The purpose of a firewall is to keep "bad" things outside a protected environment.
Types of Firewall
• packet filtering gateways or screening routers
• stateful inspection firewalls
• application proxies
• Guards
• personal firewalls
95. Packet Filtering Gateway
• A packet filtering gateway or screening router is the simplest, and in some
situations, the most effective type of firewall.
95
96. Stateful Inspection and Application Proxy Firewall
• A stateful inspection firewall maintains state information from one packet to
another in the input stream.
• An application proxy gateway, also called a bastion host, is a firewall that
simulates the (proper) effects of an application so that the application receives
only requests to act properly.
• A proxy gateway is a two-headed device: It looks to the inside as if it is the
outside (destination) connection, while to the outside it responds just as the insider
would.
96
97. Guard
• A sophisticated firewall.
• Like a proxy firewall, it receives protocol data units, interprets them, and passes
through the same or different protocol data units that achieve either the same result
or a modified result.
• The guard decides what services to perform on the user's behalf in accordance
with its available knowledge, such as whatever it can reliably know of the
(outside) user's identity, previous interactions, and so forth.
• The degree of control a guard can provide is limited only by what is computable.
• But guards and proxy firewalls are similar enough that the distinction between
them is sometimes fuzzy.
97
98. Personal Firewalls
• An application program that runs on a workstation to block unwanted traffic,
usually from the network.
98
99. Intrusion Detection System
99
• An intrusion detection system (IDS) is a device, typically another separate computer, that monitors
activity to identify malicious or suspicious events.
100. Functions of IDS
• IDSs perform a variety of functions:
monitoring users and system activity
auditing system configuration for vulnerabilities and misconfigurations
assessing the integrity of critical system and data files
recognizing known attack patterns in system activity
identifying abnormal activity through statistical analysis
managing audit trails and highlighting user violation of policy or normal activity
correcting system configuration errors
installing and operating traps to record information about intruders
100
101. Types of IDS
• The two general types of intrusion detection systems
Signature-based intrusion detection systems perform simple pattern-matching and report
situations that match a pattern corresponding to a known attack type.
Heuristic intrusion detection systems, also known as anomaly based, build a model of
acceptable behavior and flag exceptions to that model Intrusion detection devices.
• A network-based IDS is a stand-alone device attached to the network to monitor
traffic throughout that network;
• A host-based IDS runs on a single workstation or client or host, to protect that
one host.
101
102. Signature-Based Intrusion Detection
• The problem with signature-based detection is the signatures themselves.
• An attacker will try to modify a basic attack in such a way that it will not match
the known signature of that attack.
• Signature-based IDSs cannot detect a new attack for which a signature is not yet
installed in the database.
• Tend to use statistical analysis
102
103. Heuristic Intrusion Detection
• Instead of looking for matches, heuristic intrusion detection looks for behavior
that is out of the ordinary.
• The inference engine of an intrusion detection system performs continuous
analysis of the system, raising an alert when the system's dirtiness exceeds a
threshold.
• Inference engines work in two ways.
state-based intrusion detection systems, see the system going through changes of overall state
or configuration.
model-based intrusion detection systems, try to map current activity onto a model of
unacceptable activity and raise an alarm when the activity resembles the model.
103
104. Stealth Mode
• Most IDSs run in stealth mode, whereby an IDS has two network interfaces: one
for the network (or network segment) being monitored and the other to generate
alerts and perhaps other administrative needs.
104
105. Goals for IDS
• Filter on packet headers
• Filter on packet content
• Maintain connection state
• Use complex, multipacket signatures
• Use minimal number of signatures with maximum effect Filter in real time, online
• Hide its presence
• Use optimal sliding time window size to match signatures
105
106. Responding to Alarms
• Whatever the type, an intrusion detection system raises an alarm when it finds a
match
• In general, responses fall into three major categories (any or all of which can be
used in a single response): Monitor, collect data, perhaps increase amount of data
collected Protect, act to reduce exposure
• Call a human
106
107. False Results
• Although an IDS might detect an intruder correctly most of the time, it may
stumble in two different ways:
Raising an alarm for something that is not really an attack (called a false positive, or type I
error in the statistical community)
Not raising an alarm for a real attack (a false negative, or type II error).
• Too many false positives means the administrator will be less confident of the
IDS's warnings, perhaps leading to a real alarm's being ignored.
• But false negatives mean that real attacks are passing the IDS without action.
• We say that the degree of false positives and false negatives represents the
sensitivity of the system.
107
109. Threats to Email
109
• Consider threats to electronic mail:
• message interception (confidentiality)
• message interception (blocked delivery)
• message interception and subsequent replay message
• content modification
• message origin modification
• message content forgery by outsider message origin forgery by outsider
• message content forgery by recipient message origin forgery by recipient
• denial of message transmission
110. Requirements and Solutions
• If we were to make a list of the requirements for secure e-mail, our wish list would
include the following protections.
• Message confidentiality (the message is not exposed en route to the receiver)
• Message integrity (what the receiver sees is what was sent)
• Sender authenticity (the receiver is confident who the sender was)
• Non-repudiation (the sender cannot deny having sent the message)
110