security

1. Security
DBIT05206

2. Learning Objectives
• Clarify need for security (what are we
trying to protect?)
• Identify fundamental security objectives
• Review basic network attacks
• Classify typical attackers
• Examine technical safeguards
• Explore firewall options

3. Internet Security Needs
• “While non-technical publications are
obsessed with the Internet, technical
publications are obsessed with security”
• Information view: marvelous technological
advance in information dissemination with a
major danger to pollute and destroy
• Transaction view: major deterrent to E-Commerce
growth

4. What do we Need to
Protect?
• Data
 Information we keep on computers (product
design, financial records, personnel data)
 Lost time, lost sales, lost confidence
• Resources
 Unauthorized use of computer time & space
• Reputation
 Misrepresentation, forgery, negative publicity

5. Fundamental Security
Objectives
• Four fundamental objectives of Info Security
 Confidentiality - Protection from unauthorized
persons
 Integrity - consistency of data; no unauthorized
creation, alteration or destruction
 Availability - ensuring access to legitimate users
 Legitimate use - ensuring appropriate use by
authorized users

6. Basic Security Attacks
• Intrusion - unauthorized access and use of
systems
• Denial of service - an attack aimed at preventing
use of company computers
 email bomb or flooding/Internet worm
 disabled, rerouted or replaced services
• Information theft - network taps, database access,
hacking into sites to give out more info or to
wrong parties

7. Technical Safeguards
• Security Services
 Authentication (entity, data origin)
 Access control (prevent unauthorized access)
 Confidentiality (disclosure, encryption)
 Data integrity (value of data item)
 Non-repudiation (falsely denying a transaction)

8. Security Models
• No Security - not an option
• Security thru Obscurity - don’t tell anyone
where your site is
• Host Security - enforced security on each host;
progressively difficult to manage as number of
hosts increase
• Network Security - control network access to
hosts and services; firewalls, strong
authentication, and encryption

9. Firewall Solutions
• Definition - hardware &/or software components
that restrict access between a restricted network &
the Internet or between networks
• Logically - a separator, restricter, analyzer
• Rarely a single object
 Restricts people to entering at a controlled point
 Prevents attackers from getting close to other defenses
(host controls)
 Restricts people to leaving at a controlled point

10. Firewall Capabilities
• Focus security decisions - single point to
leverage control
• Enforce security policy - minimize
exceptions
• Log Internet activity - analysis
• Limit exposure - separate sensitive areas of
one network from another or outside world

11. Firewall Limitations
• Can’t protect against
 malicious insiders
 connections that don’t go through it
 new threats
 viruses
• scans for source & destination addresses &
port numbers, not details of data

12. Types of Firewalls
• Simple traffic logging systems
 audit log file of files accessed (HTTPD)
 site usage/demand hours/links/browsers used
• IP Packet Screening Routers (packet filtering
gateway)
 not only looks at ‘can’ it route, but ‘should’ it
 selectively routes or blocks packets based on rules
 based on protocols, destination (port 80), known source
IP addresses

13. Types of Firewalls (cont.)
• Hardened Firewall Host (hardware)
 Halts unauthorized users
 Concentrates security, hides internal system
names, centralizes & simplifies net
management
• Proxy Server (software)
 Deals with external server requests on behalf of
internal clients
 May limit certain HTTP methods (CGI or Java
applets)

14. Futures
• Third-generation Firewalls
 combined features of packet filtering & proxy systems
• Client & server applications with native support
for proxied environments
• Dynamic packet filtering
 Packet rules modified “on the fly” in response to
triggers
• Underlying Internet protocol undergoing revisions
- IPv6

15. Internet Security
• Three levels (Network, application, system)
 Network - data packet integrity in-transit
(Authentication/confidentiality/access controls)
• IP layer/ headers + data = IP datagram
• Not inherently secure (IP Spoofing - attacks w/false
source addresses)
• Authentication headers - integrity check values to
indicate source & transit integrity of datagram
 Security Association / Security Parameter Index

16. Internet Security (Network)
• Packet Encryption - Encapsulating Security Payload (ESP) provides
confidentiality + integrity
 Algorithm (transforms)
 Tunnel-mode encryption (entire datagram encrypted)
 Transport-mode encryption (data only encrypted)
• Key Management - no single standard
 Host-oriented - all users share same association & key
 Potential for decrypt another’s messages
 User-oriented - user has 1 or more association & keys
 Lower risk / Superior method
• Firewalls - screening routers/proxy servers, perimeter networks

17. Internet Security (Network)
 Virtual Private Networks (VPN)
• Secure groups of network sites using Inet backbone
 IP tunneling / firewalls
• Messaging - special security needs above network
measures
 E-mail / mail enabled applications
• Writer to reader protection via user agent
• Message Transfer Agents (MTAs) = message
transfer backbone (originating & delivering)

18. Internet Security
(Messaging)
• Basic Message Protection Services
 Message origin authentication / content
integrity / content confidentiality / non-repudiation
of origin
• Enhanced Message Protection Services
 Confirmation services (proof of delivery &
submission, non-repudiation of delivery &
submission)
 Other - I.e. security labeling service

19. Internet Security
(Messaging)
• Secure Messaging Protocols
 PEM - Privacy Enhanced Mail (basic services)
• Wraps itself around standard mail message
 MIME Security Multi-parts
• Multi-purpose Internet Extensions - supports structuring of
message body
• Different body parts - text, image, audio, etc
• 1995 specifications:
 Security Multi-parts for MIME
 MIME Object Security Services (MOSS)
 Transforms messages into standard representation for transport

20. Web Security
• Web Risks - server content / communications
• Solutions - SSL / S-HTTP / SET (evolving stds)
• SSL (Secure Sockets Layer) - session protection
 Developed by Netscape to add communication
protection
 New layer protocol operating above TCP protocol
 Protects any application protocol normally operating
over TCP (HTTP, FTP, TELNET)
 HTTPs represents SSL communication handling
 Services: server authentication / client authentication /
integrity (check values) / confidentiality (encryption)

21. Web Security (SSL cont.)
• SSL has two sub-protocols
 SSL Record Protocol - defines basic format
• Compression/MAC/encryption/data length
• Assumes pre-existing keys
 SSL Handshake Protocol - coordination
• Negotiates protection algorithms between client and server for
authentication, transmission of key certificates, establish
session keys for use in integrity check and encryption
 Domestic (128-bit) and intern’l (40-bit)

22. Web Security - S-HTTP
• Secure HTTP - security extension
 Protects individual transaction request or
response messages, similar to e-mail
 Services: authentication, integrity,
confidentiality + digital signatures (adds non-repudiation)
 Flexibility in how messages are protected and
key management

23. Web Security Threats
• Executable Programs - no foolproof defense
 Java Applets - execution occurs on client system
• Trusted execution environment (sandbox)
• Should not: inspect or alter client files, run system commands or
load system s/w libraries
• Should: contact only originating server
• Potential for hostile applets to send forged e-mail, crash browsers,
kill running applets, consume resources
 Active-X - reusable software components
• Source Authentication Programs -read signed code