APNIC, profile picture
Uploaded byAPNIC
PPTX, PDF6,557 views

Fundamentals of Network security

The document discusses the fundamental aspects of network security and the challenges posed by the design of the internet, which was created with a focus on openness rather than security. It highlights myths and the realities of internet security, including threats, vulnerabilities, and the evolution of technology, as well as the growing importance of securing services and networks. Key topics include social engineering, the implications of IPv6 and IoT on security, and the overall internet security ecosystem.

Internet
Related topics:
Cyber-Security

Embed presentation

Downloaded 201 times
Fundamentals of Network Security Asia Pacific Internet Leadership Program Taipei, TW 26 July 2016
What’s coming up • Is the Internet secure? • Myths and Mysteries • Evolution of security • Security concepts and management • Examples • Developments: IPv6 and IoT • The Internet security ecosystem
Is the Internet secure? • The Internet was designed for open connectivity • For low barriers to entry in a trusting environment • A deliberately “dumb” network • “Security” was always optional (and normally a low priority)
The real questions • If you ask… – “Is the Internet secure?” – “Can the Internet be secured?” – “Can society ever be safe?” – The truthful answer is “No” • But if you ask… – “Can my services/networks/transactions be secured?” – “Can the Internet be used securely?” – “Can I stay safe?” – The answer is probably “Yes” (but with care!)
Myths and Mysteries • Fiction: The Internet can be secured • Fiction: Hackers are magicians • Fiction: Security experts are the magicians • Fiction: Computer viruses are like actual viruses • Fact: The Internet can be used securely • Fact: EVERY breach can be explained, and avoided • Fact: The first bug was an actual moth
Some history… • 1946: Grace Hopper, a US Naval Officer, tracks down a moth causing problems in an electromechanical computer; hence “bug”. • 1960s: MIT model train group "hacks" their trains to make them perform better • 1971: Joe Draper aka "Captain Crunch", uses cereal toy to generate 2600 Hz tone, “phreaking” the AT&T long distance system • 1983: "War Games" film introduces public to the concept of hacking, and “wardialing” • 1988: Cornell student Robert Morris Jr. releases self-replicating “worm” on ARPAnet, the first Internet-borne viral programme • Late 1990s: Online sharing of automated tools. The first “botnets” – armies of virus-infected machines.
Terms: Breaking it down • Threat – Any circumstance or factor with the potential to cause harm – a motivated, capable adversary • Vulnerability – A weakness in a system; in procedures, design, or implementation that can be exploited • Software bugs, design flaws, operational mistakes • The human factor – “Social engineering” • Risk = likelihood x consequence – The liklihood (probablility) that a particular vulnerability will occur – The severity (impact) of that occurrence
Authentication and Authorisation • Access control – The ability to permit or deny the use of a resource by a user, through three essential services… • Authentication – To reliably identify individual users – Users = people, processes, devices • Authorisation – To control which users are allowed to do what with a resource – Representing trust, assuming reliable authentication
Security tradeoffs • Services offered vs. security provided – Each service offers its own security risk – The more services, the less security • Ease of use vs. security – Every security mechanism causes inconvenience – The more “plug n play”, the less security • Risk of loss vs. Cost of security – Assets carry value and risk of loss – The higher the value, the higher the security cost • These factors can be balanced in a comprehensive organisational security policy
An unexpected success… • Evolution of technology, usage and value • Evolution of security problems and solutions • Evolution never stops… 1990s: Basic connectivity 2000s: Application-specific online content 2010s: Applications/data in the “cloud” 2020s: “IoT”
What is going on?
What can the attackers do? • Eavesdropping – Listen in on communications • Masquerading – Impersonating someone else • Forgery – Invent or duplicate/replay information • Trespass – Obtain unauthorised access • Subversion – Modify data and messages in transit • Destruction – Vandalise or delete important data • Disruption – Disable or prevent access to services • Infiltration – Hide out inside our machines • Hijacking – “Own” and use machines for nefarious purposes
And why do they do it? Motivation Examples Knowledge driven • Recreational • Research Issue-based • Hacktivism • Patriotism Antisocial • Revenge • Vandalism Competitive • Theft of IP • Damage to competitors Criminal • Theft of assets • Extortion Strategic • Espionage • State-driven or sponsored
And, how to they do it? • Social engineering attacks – Human beings – the weakest links – “Phishing” – Password attacks etc etc • DNS attacks – Corruption and cache poisoning • Masquerading – Address “spoofing” • Denial of Service – DoS attacks – DDoS attacks
“Phishing” • “Fishing” for information such as usernames, passwords, credit card details, other personal information • Forged emails apparently from legitimate enterprises, direct users to forged websites.
Other social engineering • Password guessing or cracking – Hence need for “non-guessable” passwords – Use of different passwords for different services • Email harvesting and “proof of life” – Misuse of collected personal information – Spam as a validation tool • embedded images – Turn them off! • unique URLs – Don’t click on anything! • Short URLs – E.g. http://bit.ly/SGWjdif – We’re accustomed to clicking without checking where we go next
Masquerading example: ARP • Address Resolution Protocol (RFC 826, 1982) – Used by any TCP/IP device to discover the Layer 2 address of an IPv4 address that it wants to reach IPv4: 10.1.1.10 MAC: EtherA IPv4: 10.1.1.20 MAC: EtherB IPv4: 10.1.1.30 MAC: EtherC Here I am! IPv4: 10.1.1.30 MAC: EtherC ☺︎ IPv4 MAC 10.1.1.30 EtherCEthernet, who’s at IPv4: 10.1.1.30 ? *AKA “ARP spoofing”
Masquerading example: ARP • Address Resolution Protocol (RFC 826, 1982) – SEND: IPv6 SEcure Neighbour Discovery (RFC 3971, 2005) IPv4: 10.1.1.10 MAC: EtherA IPv4: 10.1.1.20 MAC: EtherB IPv4: 10.1.1.30 MAC: EtherC ☹︎ IPv4 MAC 10.1.1.30 EtherC 10.1.1.20 EtherA Ethernet, who’s at IPv4 10.1.1.20 ? *AKA “ARP spoofing” Here I am! IPv4: 10.1.1.20 MAC: EtherA IPv4 MAC 10.1.1.30 EtherC
Attacking the DNS The Internet www.apnic.netwww.apnic.net? www.apnic.net 199.43.0.44 DNS 175.98.98.133 203.119.102.244 199.43.0.44 ☹︎
Securing websites – SSL certificates The Internet www.apnic.net www.apnic.net? 203.119.102.244 DNS 175.98.98.133 203.119.102.244 ☺︎ SSL
Securing DNS – DNSSEC The Internet www.apnic.net www.apnic.net? DNS 175.98.98.133 203.119.102.244 ☺︎ 203.119.102.244 SEC
Misusing IP Addresses… The Internet Global Routing Table 4.128/9 60.100/16 60.100.0/20 135.22/16 … Global Routing Table 4.128/9 60.100/16 60.100.0/20 135.22/16 199.43.0.0/24 … Announce 199.43.0.0/24 R 202.12.29.0/24 Traffic 199.43.0.0/24 ☹︎
Misusing IP Addresses… The Internet Global Routing Table 4.128/9 60.100/16 60.100.0/20 135.22/16 … Global Routing Table 4.128/9 60.100/16 60.100.0/20 135.22/16 202.12.29.0/24 … Announce 202.12.29.0/24 R 202.12.29.0/24 RPKI ☺︎
Masquerading again: IP spoofing InternetISP 203.119.102.244 175.98.98.133 Request Src: 175.98.98.133 Dst: 203.119.102.244 Response Src: 203.119.102.244 Dst: 175.98.98.133 ☺︎
Masquerading again: IP spoofing InternetISP 203.119.102.244 175.98.98.133 Response Src: 203.119.102.244 Dst: 199.43.0.44 199.43.0.44 Request Src: 199.43.0.44 Dst: 203.119.102.244 ☹︎
DoS attack: Amplification InternetISP 203.119.102.244 175.98.98.133 199.43.0.44 Request Src: 199.43.0.44 Dst: 203.119.102.244 ☹︎ Response Src: 203.119.102.244 Dst: 199.43.0.44 BIG PAYLOAD Request Src: 199.43.0.44 Dst: 203.119.102.244 Request Src: 199.43.0.44 Dst: 203.119.102.244 Request Src: 199.43.0.44 Dst: 203.119.102.244 Request Src: 199.43.0.44 Dst: 203.119.102.244 Response Src: 203.119.102.244 Dst: 199.43.0.44 BIG PAYLOAD Response Src: 203.119.102.244 Dst: 199.43.0.44 BIG PAYLOAD Response Src: 203.119.102.244 Dst: 199.43.0.44 BIG PAYLOAD Response Src: 203.119.102.244 Dst: 199.43.0.44 BIG PAYLOAD
Defeating IP spoofing – BCP38 InternetISP 203.119.102.244 175.98.98.133 ☺︎ BCP38 (2000) Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing ISP Request Src: 199.43.0.44 Dst: 203.119.102.244
DDoS attack: Distributed DoS InternetISP ☹︎ “Botnet”
DDoS attack: Distributed DoS • Botnets for hire – Millions of virus-infected computers – Ready to be deployed by remote control • Huge amplification – Target traffic volumes in 100s of Gbps • Motivation – Various, but often extortion (requiring payment in BTC) • Mitigation – Various approaches and services available – Often bandwidth is the best solution (using cloud-based services)
Source: Arbor Networks’ WISR 2016 Survey
Security and IPv6 • “IPsec” is mandatory in IPv6 implementation – but this does not mean it must be used. • No difference… – Traffic monitoring (Sniffing) – no change without IPsec – Application vulnerabilities – no change – Rogue devices, viruses etc • Improvements… – IPsec available when needed (eg routing protocols) – Scanning address space for devices is much harder • Threats – New expertise required, new implementations, less mature – Mistakes will be made
Security and IoT • We have a long history of “things” on the Internet – In that sense, there is nothing fundamentally new with “IoT” • However… – There will be huge increase in the variety of devices – Many new vendors will enter the market – Many vendors are not “Internet companies” • Challenges – Implementation, Testing, Software upgrades, “EoL” management • Reference: “Internet of stupid things” – Geoff Huston, APNIC
Internet Security Ecosystem
The Bigger Picture Cybersecurity Network & Information Security
Users Public Safety Regulators Operators Vendors Software CERTs Internet Security Ecosystem
Asia-Pacific CERTs
Recap… • Is the Internet secure? • Myths and Mysteries • Evolution of security • Security concepts and management • Examples • Developments: IPv6 and IoT • The Internet security ecosystem
Questions? Thank you dg@apnic.net

More Related Content

PPTX
Network security
bySimranpreet Singh
 
PPTX
Network Security
byManoj Singh
 
PPTX
Network security
byEstiak Khan
 
PDF
Network Security Presentation
byAllan Pratt MBA
 
PPTX
Network security
byNkosinathi Lungu
 
PDF
What is Network Security?
byFaith Zeller
 
PPTX
NETWORK SECURITY
byafaque jaya
 
PPTX
Seminar (network security)
byGaurav Dalvi
 
Network security
bySimranpreet Singh
 
Network Security
byManoj Singh
 
Network security
byEstiak Khan
 
Network Security Presentation
byAllan Pratt MBA
 
Network security
byNkosinathi Lungu
 
What is Network Security?
byFaith Zeller
 
NETWORK SECURITY
byafaque jaya
 
Seminar (network security)
byGaurav Dalvi
 

What's hot

PDF
Network Security Fundamentals
byRahmat Suhatman
 
PPSX
Security policies
byNishant Pahad
 
PPTX
Intrusion detection
byCAS
 
PPTX
Footprinting and reconnaissance
byNishaYadav177
 
PPTX
Firewalls in network security
byVikram Khanna
 
PPTX
Network Security Risk
byDedi Dwianto
 
PPTX
Network security
byquest university nawabshah
 
PPTX
Network Security
bymoviebro1
 
PDF
Network security - OSI Security Architecture
byBharathiKrishna6
 
PPTX
Network security
byMadhumithah Ilango
 
PPT
chapter 1. Introduction to Information Security
byelmuhammadmuhammad
 
PPTX
Introduction to Cybersecurity Fundamentals
byToño Herrera
 
PDF
CRYPTOGRAPHY AND NETWORK SECURITY
byKathirvel Ayyaswamy
 
PPT
Protocol for Secure Communication
bychauhankapil
 
PPT
Network security cryptography ppt
byThushara92
 
PPTX
Virtual Private Networks (VPN) ppt
byOECLIB Odisha Electronics Control Library
 
PPT
Intrusion Detection Systems and Intrusion Prevention Systems
byCleverence Kombe
 
PDF
Network Monitoring System ppt.pdf
bykristinatemen
 
PPTX
Intrusion prevention system(ips)
byPapun Papun
 
PPTX
Introduction to Network Security
byJohn Ely Masculino
 
Network Security Fundamentals
byRahmat Suhatman
 
Security policies
byNishant Pahad
 
Intrusion detection
byCAS
 
Footprinting and reconnaissance
byNishaYadav177
 
Firewalls in network security
byVikram Khanna
 
Network Security Risk
byDedi Dwianto
 
Network security
byquest university nawabshah
 
Network Security
bymoviebro1
 
Network security - OSI Security Architecture
byBharathiKrishna6
 
Network security
byMadhumithah Ilango
 
chapter 1. Introduction to Information Security
byelmuhammadmuhammad
 
Introduction to Cybersecurity Fundamentals
byToño Herrera
 
CRYPTOGRAPHY AND NETWORK SECURITY
byKathirvel Ayyaswamy
 
Protocol for Secure Communication
bychauhankapil
 
Network security cryptography ppt
byThushara92
 
Virtual Private Networks (VPN) ppt
byOECLIB Odisha Electronics Control Library
 
Intrusion Detection Systems and Intrusion Prevention Systems
byCleverence Kombe
 
Network Monitoring System ppt.pdf
bykristinatemen
 
Intrusion prevention system(ips)
byPapun Papun
 
Introduction to Network Security
byJohn Ely Masculino
 

Similar to Fundamentals of Network security

PPT
NewIinternet security
byuniversity of mumbai
 
PPT
New internet security
byuniversity of mumbai
 
PPTX
Network security
byhajra azam
 
PPTX
network security ppt.pptx
byMijanurSepai1
 
PPTX
TOPIC7.pptx
bytahaniali27
 
PPTX
network security ppt.pptx
byKellyIsaac3
 
PDF
Module 1 Introduction of Network security
byhoangvttlu
 
PDF
Peripheral Review and Analysis of Internet Network Security
byIJRES Journal
 
DOCX
Network security
byMadhumithah Ilango
 
PPTX
Network Security
byPuneet Abichandani
 
PDF
Network security
bynageshkanna13
 
PPTX
Network security ppt
byOECLIB Odisha Electronics Control Library
 
PPS
Sreerag cs network security
bySreerag Gopinath
 
PPTX
Network-security-ppt.pptx...............
byAkilSayyad2
 
PPTX
INTERNET SECURITY.pptx
bybabepa2317
 
PPTX
Cyber Security
byBryCunal
 
PPT
Network sec 1
byJasleen Kaur
 
PPTX
chapter1 Introduction to Software Security.pptx
byLina Shimelis
 
PPTX
Network security and firewalls
byMurali Mohan
 
PPT
Web security
byJin Castor
 
NewIinternet security
byuniversity of mumbai
 
New internet security
byuniversity of mumbai
 
Network security
byhajra azam
 
network security ppt.pptx
byMijanurSepai1
 
TOPIC7.pptx
bytahaniali27
 
network security ppt.pptx
byKellyIsaac3
 
Module 1 Introduction of Network security
byhoangvttlu
 
Peripheral Review and Analysis of Internet Network Security
byIJRES Journal
 
Network security
byMadhumithah Ilango
 
Network Security
byPuneet Abichandani
 
Network security
bynageshkanna13
 
Network security ppt
byOECLIB Odisha Electronics Control Library
 
Sreerag cs network security
bySreerag Gopinath
 
Network-security-ppt.pptx...............
byAkilSayyad2
 
INTERNET SECURITY.pptx
bybabepa2317
 
Cyber Security
byBryCunal
 
Network sec 1
byJasleen Kaur
 
chapter1 Introduction to Software Security.pptx
byLina Shimelis
 
Network security and firewalls
byMurali Mohan
 
Web security
byJin Castor
 

More from APNIC

PPTX
APNIC Report, presented at APAN 60 by Thy Boskovic
byAPNIC
 
PDF
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
byAPNIC
 
PDF
RPKI Status Update, presented by Makito Lay at IDNOG 10
byAPNIC
 
PDF
The Internet -By the Numbers, Sri Lanka Edition
byAPNIC
 
PDF
Triggering QUIC, presented by Geoff Huston at IETF 123
byAPNIC
 
PDF
DNSSEC Made Easy, presented at PHNOG 2025
byAPNIC
 
PDF
BGP Security Best Practices that Matter, presented at PHNOG 2025
byAPNIC
 
PDF
APNIC's Role in the Pacific Islands, presented at Pacific IGF 2205
byAPNIC
 
PDF
IPv6 Deployment and Best Practices, presented by Makito Lay
byAPNIC
 
PDF
Cleaning up your RPKI invalids, presented at PacNOG 35
byAPNIC
 
PDF
The Internet - By the numbers, presented at npNOG 11
byAPNIC
 
PDF
Transmission Control Protocol (TCP) and Starlink
byAPNIC
 
PDF
DDoS in India, presented at INNOG 8 by Dave Phelan
byAPNIC
 
PDF
Global Networking Trends, presented at the India ISP Conclave 2025
byAPNIC
 
PDF
Make DDoS expensive for the threat actors
byAPNIC
 
PDF
Fast Reroute in SR-MPLS, presented at bdNOG 19
byAPNIC
 
PDF
DDos Mitigation Strategie, presented at bdNOG 19
byAPNIC
 
PDF
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
byAPNIC
 
PDF
APNIC Update - Global Synergy among the RIRs: Connecting the Regions
byAPNIC
 
PDF
Measuring Starlink Protocol Performance, presented at LACNIC 43
byAPNIC
 
APNIC Report, presented at APAN 60 by Thy Boskovic
byAPNIC
 
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
byAPNIC
 
RPKI Status Update, presented by Makito Lay at IDNOG 10
byAPNIC
 
The Internet -By the Numbers, Sri Lanka Edition
byAPNIC
 
Triggering QUIC, presented by Geoff Huston at IETF 123
byAPNIC
 
DNSSEC Made Easy, presented at PHNOG 2025
byAPNIC
 
BGP Security Best Practices that Matter, presented at PHNOG 2025
byAPNIC
 
APNIC's Role in the Pacific Islands, presented at Pacific IGF 2205
byAPNIC
 
IPv6 Deployment and Best Practices, presented by Makito Lay
byAPNIC
 
Cleaning up your RPKI invalids, presented at PacNOG 35
byAPNIC
 
The Internet - By the numbers, presented at npNOG 11
byAPNIC
 
Transmission Control Protocol (TCP) and Starlink
byAPNIC
 
DDoS in India, presented at INNOG 8 by Dave Phelan
byAPNIC
 
Global Networking Trends, presented at the India ISP Conclave 2025
byAPNIC
 
Make DDoS expensive for the threat actors
byAPNIC
 
Fast Reroute in SR-MPLS, presented at bdNOG 19
byAPNIC
 
DDos Mitigation Strategie, presented at bdNOG 19
byAPNIC
 
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
byAPNIC
 
APNIC Update - Global Synergy among the RIRs: Connecting the Regions
byAPNIC
 
Measuring Starlink Protocol Performance, presented at LACNIC 43
byAPNIC
 

Recently uploaded

PPTX
Dalhousie University Diploma
by文凭办理维多利亚大学购买毕业证学位认证知乎【Q微:1954292140】
 
PPTX
Why-Enterprises-Should-Build-Their-Own-Core-Network-and-Own-Their-ASN-and-Pub...
bybunhongkruy
 
DOCX
BestMaker.ai: The Complete Brand Story, Founder's Vision, and AI Creative Pla...
byssuser7381d6
 
PDF
Greetings All Students Update 3 by LDMMIA
by©LDMMIA, ©Reiki Yoga
 
PPTX
Artificial Intelligence (AI) Technology Project Proposal _ by Slidesgo.pptx
byadhyaadi804
 
PPTX
Lesson 5 - Cyber attack Pt 3 - Matsuhashi.pptx
byOmar Fernandez
 
PDF
Novi.LMS.Veseli.Cetvrtak.001 (1).pdfjjjj
byzoran radovic
 
PPTX
Lesson 3 - Methodology of Green Computing - part2 - dela cruz.pptx
byOmar Fernandez
 
PPTX
Overview-of-Anti-DDoS-Solutions-On-Premise-vs-On-Cloud.pptx
bybunhongkruy
 
PDF
Key Duties and Roles of an Ecommerce Developer Singapore
byHachi Web Solution
 
PPTX
Number_Guessing_Game_Dsbsbssbzboc[1].pptx
byfbinsta3426
 
PDF
Here are the winners of KALIDASA SAMMAN.
byglcppro
 
PDF
LMS.Golconda.Vanredni.Broj.001.pdfjjjjjjj
byzoran radovic
 
PPTX
tacacstrianingforwirelessnetworkengineers
byRaviTejaTammineni
 
PDF
Beacon Kit slides tech framework for world game (s) pdf
bySteven McGee
 
Dalhousie University Diploma
by文凭办理维多利亚大学购买毕业证学位认证知乎【Q微:1954292140】
 
Why-Enterprises-Should-Build-Their-Own-Core-Network-and-Own-Their-ASN-and-Pub...
bybunhongkruy
 
BestMaker.ai: The Complete Brand Story, Founder's Vision, and AI Creative Pla...
byssuser7381d6
 
Greetings All Students Update 3 by LDMMIA
by©LDMMIA, ©Reiki Yoga
 
Artificial Intelligence (AI) Technology Project Proposal _ by Slidesgo.pptx
byadhyaadi804
 
Lesson 5 - Cyber attack Pt 3 - Matsuhashi.pptx
byOmar Fernandez
 
Novi.LMS.Veseli.Cetvrtak.001 (1).pdfjjjj
byzoran radovic
 
Lesson 3 - Methodology of Green Computing - part2 - dela cruz.pptx
byOmar Fernandez
 
Overview-of-Anti-DDoS-Solutions-On-Premise-vs-On-Cloud.pptx
bybunhongkruy
 
Key Duties and Roles of an Ecommerce Developer Singapore
byHachi Web Solution
 
Number_Guessing_Game_Dsbsbssbzboc[1].pptx
byfbinsta3426
 
Here are the winners of KALIDASA SAMMAN.
byglcppro
 
LMS.Golconda.Vanredni.Broj.001.pdfjjjjjjj
byzoran radovic
 
tacacstrianingforwirelessnetworkengineers
byRaviTejaTammineni
 
Beacon Kit slides tech framework for world game (s) pdf
bySteven McGee
 
In this document
Powered by AI

Overview of network security in the Asia Pacific. Topics include internet security questions, myths, evolution, concepts, and the security ecosystem.

Discusses the fundamental insecurity of the Internet and explores whether individual services can be secured.

Debunks several myths related to internet security while providing historical context on early hacking incidents.

Defines key terms such as threat, vulnerability, and risk. Discusses authentication, authorization, and trade-offs between security services and usability.

Explores the evolution of technology, usage, and security problems from the 1990s to present.

Details various attack methods including eavesdropping, masquerading, forgery, and social engineering tactics.

Explains phishing and other social engineering attacks aimed at compromising user information.

Examines technical aspects of masquerading attacks, DNS attacks, and securing websites using SSL.

Discusses how IP addresses can be misused in routing attacks, including the concept of RPKI.

Describes DoS and DDoS attacks, their implementation, amplification, motivations, and mitigation strategies.

Discusses the security implications of IPv6, how IPsec is implemented, and the security challenges posed by IoT.

Introduces the broader ecosystem of internet security, including various stakeholders and their roles.

Recap of key points discussed throughout the presentation and a closing invitation for questions.

Fundamentals of Network security

  • 1.
    Fundamentals of Network Security AsiaPacific Internet Leadership Program Taipei, TW 26 July 2016
  • 2.
    What’s coming up •Is the Internet secure? • Myths and Mysteries • Evolution of security • Security concepts and management • Examples • Developments: IPv6 and IoT • The Internet security ecosystem
  • 3.
    Is the Internetsecure? • The Internet was designed for open connectivity • For low barriers to entry in a trusting environment • A deliberately “dumb” network • “Security” was always optional (and normally a low priority)
  • 4.
    The real questions •If you ask… – “Is the Internet secure?” – “Can the Internet be secured?” – “Can society ever be safe?” – The truthful answer is “No” • But if you ask… – “Can my services/networks/transactions be secured?” – “Can the Internet be used securely?” – “Can I stay safe?” – The answer is probably “Yes” (but with care!)
  • 5.
    Myths and Mysteries •Fiction: The Internet can be secured • Fiction: Hackers are magicians • Fiction: Security experts are the magicians • Fiction: Computer viruses are like actual viruses • Fact: The Internet can be used securely • Fact: EVERY breach can be explained, and avoided • Fact: The first bug was an actual moth
  • 6.
    Some history… • 1946:Grace Hopper, a US Naval Officer, tracks down a moth causing problems in an electromechanical computer; hence “bug”. • 1960s: MIT model train group "hacks" their trains to make them perform better • 1971: Joe Draper aka "Captain Crunch", uses cereal toy to generate 2600 Hz tone, “phreaking” the AT&T long distance system • 1983: "War Games" film introduces public to the concept of hacking, and “wardialing” • 1988: Cornell student Robert Morris Jr. releases self-replicating “worm” on ARPAnet, the first Internet-borne viral programme • Late 1990s: Online sharing of automated tools. The first “botnets” – armies of virus-infected machines.
  • 7.
    Terms: Breaking itdown • Threat – Any circumstance or factor with the potential to cause harm – a motivated, capable adversary • Vulnerability – A weakness in a system; in procedures, design, or implementation that can be exploited • Software bugs, design flaws, operational mistakes • The human factor – “Social engineering” • Risk = likelihood x consequence – The liklihood (probablility) that a particular vulnerability will occur – The severity (impact) of that occurrence
  • 8.
    Authentication and Authorisation •Access control – The ability to permit or deny the use of a resource by a user, through three essential services… • Authentication – To reliably identify individual users – Users = people, processes, devices • Authorisation – To control which users are allowed to do what with a resource – Representing trust, assuming reliable authentication
  • 9.
    Security tradeoffs • Servicesoffered vs. security provided – Each service offers its own security risk – The more services, the less security • Ease of use vs. security – Every security mechanism causes inconvenience – The more “plug n play”, the less security • Risk of loss vs. Cost of security – Assets carry value and risk of loss – The higher the value, the higher the security cost • These factors can be balanced in a comprehensive organisational security policy
  • 10.
    An unexpected success… •Evolution of technology, usage and value • Evolution of security problems and solutions • Evolution never stops… 1990s: Basic connectivity 2000s: Application-specific online content 2010s: Applications/data in the “cloud” 2020s: “IoT”
  • 11.
  • 12.
    What can theattackers do? • Eavesdropping – Listen in on communications • Masquerading – Impersonating someone else • Forgery – Invent or duplicate/replay information • Trespass – Obtain unauthorised access • Subversion – Modify data and messages in transit • Destruction – Vandalise or delete important data • Disruption – Disable or prevent access to services • Infiltration – Hide out inside our machines • Hijacking – “Own” and use machines for nefarious purposes
  • 13.
    And why dothey do it? Motivation Examples Knowledge driven • Recreational • Research Issue-based • Hacktivism • Patriotism Antisocial • Revenge • Vandalism Competitive • Theft of IP • Damage to competitors Criminal • Theft of assets • Extortion Strategic • Espionage • State-driven or sponsored
  • 14.
    And, how tothey do it? • Social engineering attacks – Human beings – the weakest links – “Phishing” – Password attacks etc etc • DNS attacks – Corruption and cache poisoning • Masquerading – Address “spoofing” • Denial of Service – DoS attacks – DDoS attacks
  • 15.
    “Phishing” • “Fishing” forinformation such as usernames, passwords, credit card details, other personal information • Forged emails apparently from legitimate enterprises, direct users to forged websites.
  • 16.
    Other social engineering •Password guessing or cracking – Hence need for “non-guessable” passwords – Use of different passwords for different services • Email harvesting and “proof of life” – Misuse of collected personal information – Spam as a validation tool • embedded images – Turn them off! • unique URLs – Don’t click on anything! • Short URLs – E.g. http://bit.ly/SGWjdif – We’re accustomed to clicking without checking where we go next
  • 17.
    Masquerading example: ARP •Address Resolution Protocol (RFC 826, 1982) – Used by any TCP/IP device to discover the Layer 2 address of an IPv4 address that it wants to reach IPv4: 10.1.1.10 MAC: EtherA IPv4: 10.1.1.20 MAC: EtherB IPv4: 10.1.1.30 MAC: EtherC Here I am! IPv4: 10.1.1.30 MAC: EtherC ☺︎ IPv4 MAC 10.1.1.30 EtherCEthernet, who’s at IPv4: 10.1.1.30 ? *AKA “ARP spoofing”
  • 18.
    Masquerading example: ARP •Address Resolution Protocol (RFC 826, 1982) – SEND: IPv6 SEcure Neighbour Discovery (RFC 3971, 2005) IPv4: 10.1.1.10 MAC: EtherA IPv4: 10.1.1.20 MAC: EtherB IPv4: 10.1.1.30 MAC: EtherC ☹︎ IPv4 MAC 10.1.1.30 EtherC 10.1.1.20 EtherA Ethernet, who’s at IPv4 10.1.1.20 ? *AKA “ARP spoofing” Here I am! IPv4: 10.1.1.20 MAC: EtherA IPv4 MAC 10.1.1.30 EtherC
  • 19.
    Attacking the DNS TheInternet www.apnic.netwww.apnic.net? www.apnic.net 199.43.0.44 DNS 175.98.98.133 203.119.102.244 199.43.0.44 ☹︎
  • 20.
    Securing websites –SSL certificates The Internet www.apnic.net www.apnic.net? 203.119.102.244 DNS 175.98.98.133 203.119.102.244 ☺︎ SSL
  • 21.
    Securing DNS –DNSSEC The Internet www.apnic.net www.apnic.net? DNS 175.98.98.133 203.119.102.244 ☺︎ 203.119.102.244 SEC
  • 22.
    Misusing IP Addresses… TheInternet Global Routing Table 4.128/9 60.100/16 60.100.0/20 135.22/16 … Global Routing Table 4.128/9 60.100/16 60.100.0/20 135.22/16 199.43.0.0/24 … Announce 199.43.0.0/24 R 202.12.29.0/24 Traffic 199.43.0.0/24 ☹︎
  • 23.
    Misusing IP Addresses… TheInternet Global Routing Table 4.128/9 60.100/16 60.100.0/20 135.22/16 … Global Routing Table 4.128/9 60.100/16 60.100.0/20 135.22/16 202.12.29.0/24 … Announce 202.12.29.0/24 R 202.12.29.0/24 RPKI ☺︎
  • 24.
    Masquerading again: IPspoofing InternetISP 203.119.102.244 175.98.98.133 Request Src: 175.98.98.133 Dst: 203.119.102.244 Response Src: 203.119.102.244 Dst: 175.98.98.133 ☺︎
  • 25.
    Masquerading again: IPspoofing InternetISP 203.119.102.244 175.98.98.133 Response Src: 203.119.102.244 Dst: 199.43.0.44 199.43.0.44 Request Src: 199.43.0.44 Dst: 203.119.102.244 ☹︎
  • 26.
    DoS attack: Amplification InternetISP 203.119.102.244 175.98.98.133 199.43.0.44 Request Src:199.43.0.44 Dst: 203.119.102.244 ☹︎ Response Src: 203.119.102.244 Dst: 199.43.0.44 BIG PAYLOAD Request Src: 199.43.0.44 Dst: 203.119.102.244 Request Src: 199.43.0.44 Dst: 203.119.102.244 Request Src: 199.43.0.44 Dst: 203.119.102.244 Request Src: 199.43.0.44 Dst: 203.119.102.244 Response Src: 203.119.102.244 Dst: 199.43.0.44 BIG PAYLOAD Response Src: 203.119.102.244 Dst: 199.43.0.44 BIG PAYLOAD Response Src: 203.119.102.244 Dst: 199.43.0.44 BIG PAYLOAD Response Src: 203.119.102.244 Dst: 199.43.0.44 BIG PAYLOAD
  • 27.
    Defeating IP spoofing– BCP38 InternetISP 203.119.102.244 175.98.98.133 ☺︎ BCP38 (2000) Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing ISP Request Src: 199.43.0.44 Dst: 203.119.102.244
  • 28.
    DDoS attack: DistributedDoS InternetISP ☹︎ “Botnet”
  • 29.
    DDoS attack: DistributedDoS • Botnets for hire – Millions of virus-infected computers – Ready to be deployed by remote control • Huge amplification – Target traffic volumes in 100s of Gbps • Motivation – Various, but often extortion (requiring payment in BTC) • Mitigation – Various approaches and services available – Often bandwidth is the best solution (using cloud-based services)
  • 30.
    Source: Arbor Networks’WISR 2016 Survey
  • 31.
    Security and IPv6 •“IPsec” is mandatory in IPv6 implementation – but this does not mean it must be used. • No difference… – Traffic monitoring (Sniffing) – no change without IPsec – Application vulnerabilities – no change – Rogue devices, viruses etc • Improvements… – IPsec available when needed (eg routing protocols) – Scanning address space for devices is much harder • Threats – New expertise required, new implementations, less mature – Mistakes will be made
  • 32.
    Security and IoT •We have a long history of “things” on the Internet – In that sense, there is nothing fundamentally new with “IoT” • However… – There will be huge increase in the variety of devices – Many new vendors will enter the market – Many vendors are not “Internet companies” • Challenges – Implementation, Testing, Software upgrades, “EoL” management • Reference: “Internet of stupid things” – Geoff Huston, APNIC
  • 33.
  • 34.
  • 35.
  • 36.
  • 37.
    Recap… • Is theInternet secure? • Myths and Mysteries • Evolution of security • Security concepts and management • Examples • Developments: IPv6 and IoT • The Internet security ecosystem
  • 38.