Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2009 Pearson Education, Inc. Publishing as Prentice Hall Chapter 9 Pankos Business Data Networks and Telecommunications, 7th edition © 2009 Pearson Education,

Similar presentations


Presentation on theme: "© 2009 Pearson Education, Inc. Publishing as Prentice Hall Chapter 9 Pankos Business Data Networks and Telecommunications, 7th edition © 2009 Pearson Education,"— Presentation transcript:

1 © 2009 Pearson Education, Inc. Publishing as Prentice Hall Chapter 9 Pankos Business Data Networks and Telecommunications, 7th edition © 2009 Pearson Education, Inc. Publishing as Prentice Hall May only be used by adopters of the book Security

2 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-2 9-1: Security A Major Threat Intelligent Adversaries –Not just human error to content with –Adapt to defenses Recap from Chapter 1 –Authentication –Cryptography for messages –Firewalls –Host hardening 2

3 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-3 9-3: Malware Malware –A general name for evil software Viruses –Pieces of code that attach to other programs –Virus code executes when infected programs execute –Infect other programs on the computer –Spread to other computers by e-mail attachments, IM, peer-to-peer file transfers, etc. –Antivirus programs are needed to scan arriving files Also scan for other malware 3

4 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-4 9-3: Malware Worms –Stand-alone programs that do not need to attach to other programs –Can propagate like viruses through e-mail, etc. This requires human gullibility, which is unreliable and slow 4

5 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-5 9-3: Malware Worms –Vulnerability-enabled worms jump to victim hosts directly Can do this because hosts have vulnerabilities –Vulnerability-enabled worms can spread with amazing speed –Vendors develop patches for vulnerabilities, but companies often fail or are slow to apply them 5 Infested Computer with Vulnerability

6 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-6 9-3: Malware Payloads –After propagation, viruses and worms execute their payloads –Payloads erase hard disks or send users to pornography sites if they mistype URLs –Trojan horses are exploitation programs that disguise themselves as system files –Spyware Trojans collect sensitive data and send the data it to an attacker 6

7 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-7 9-4: Attacks on Individuals Social Engineering –Tricking the victim into doing something against his or her interests Spam –Unsolicited commercial e-mail Fraud –Deceiving individuals to get them to do things against their interests Taking the Reader to a Website with Malware 7

8 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-8 9-4: Attacks on Individuals Credit Card Number Theft –Performed by carders Identity theft –Involves collecting enough data to impersonate the victim in large financial transactions Phishing –A sophisticated social engineering attack in which an authentic-looking e-mail or website entices the user to enter his or her username, password, or other sensitive information 8

9 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-9 9-5: Human Break-Ins Human Break-Ins –Viruses and worms rely on one main attack method –Humans can keep trying different approaches until they succeed Hacking –Hacking is breaking into a computer –More precisely, hacking is intentionally using a computer resource without authorization or in excess of authorization 9

10 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-10 9-5: Human Break-Ins Scanning Phase –Send attack probes to map the network and identify possible victim hosts –The Nmap program is popular for scanning attacks (Figure 9-6) 10

11 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-11 Figure 9-6: Nmap Scanning Output 11 IP Range to Scan Type of Scan Identified Host and Open Ports

12 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-12 9-5: Human Break-Ins The Break-In –Uses an exploita tailored attack method that is often a program –Normally exploits a vulnerability on the victim computer –Often aided by a hacker tool –The act of breaking in is called the exploit –The hacker tool is also called an exploit 12

13 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-13 9-5: Human Break-Ins After the Break-In –The hacker downloads a hacker tool kit to automate hacking work –The hacker becomes invisible by deleting log files –The hacker creates a backdoor (way to get back into the computer) Backdoor accountaccount with a known password and full privileges Backdoor programprogram to allow reentry; usually Trojanized 13

14 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-14 9-5: Human Break-Ins After the Break-In –The hacker can then do damage at his or her leisure Download a Trojan horse to continue exploiting the computer after the attacker leaves Manually give operating system commands to do damage 14

15 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-15 9-7: Distributed Denial-of-Service (DDoS) Attack Using Bots 15 In a distributed denial-of-service attack, the attacker floods the victim computer (or network) with more traffic than the victim can handle. Legitimate users are denied service from the unavailable server.

16 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-16 9-7: Distributed Denial-of-Service (DDoS) Attack Using Bots 16 The attacker installs Bot programs on many PCs. This is called a botnet.

17 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-17 9-7: Distributed Denial-of-Service (DDoS) Attack Using Bots 17 When it is time to attack the victim, the attacker sends attack commands to all of the Bots.

18 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-18 9-7: Distributed Denial-of-Service (DDoS) Attack Using Bots 18 The Bots then begin flooding the victim with attack packets, rendering the victim unavailable to users

19 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-19 9-8: Bots 19 Bots can be updated by their human master to fix bugs or to give new functionality for instance, to change the Bot from a DOS attacker to a spambot.

20 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-20 9-9: Types of Attackers Traditional Attackers –Traditional Hackers Hackers break into computers Driven by curiosity, a desire for power, and peer reputation –Virus writers 20

21 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-21 9-9: Types of Attackers Traditional Attackers –Script kiddies use scripts written by experienced hackers and virus writers They have limited knowledge and abilities But large numbers of script kiddies make them dangerous –Disgruntled employees and ex-employees 21

22 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-22 9-9: Types of Attackers Criminal Attackers –Most attacks are now made by criminals –Crime generates funds that criminal attackers need to increase attack sophistication 22

23 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-23 9-9: Types of Attackers (Cont.) On the Horizon –Cyberterror attacks by terrorists –Cyberwar by nations –Potential for massive attacks 23

24 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-24 9-10: Security Planning Security Is a Management Issue, Not a Technical Issue –Without good management, technology cannot be effective –A company must have good security processes 24

25 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-25 9-10: Security Planning 25

26 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-26 9-10: Security Planning Security Planning Principles –Risk analysis Risk analysis is the process of balancing threats and protection costs for individual assets Cost of protection should not exceed the cost of likely damage Absolute protection is impossible. Financially reasonable protection is not. 26

27 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-27 9-10: Security Planning Security Planning Principles –Comprehensive security An attacker has to find only one weakness A firm needs comprehensive security to close all avenues of attack 27

28 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-28 9-10: Security Planning Security Planning Principles –Access control Limit access to resources to legitimate users Give legitimate users minimum permissions (things they can do) 28

29 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-29 9-10: Security Planning Security Planning Principles –Defense in depth Every protection breaks down sometimes An attacker should have to break through several lines of defense to succeed Providing this protection is called defense in depth 29 Countermeasure 2 Stops the Attack Countermeasure 1 (fails)

30 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-30 9-10: Security Planning Access Control Planning for Individual Resources –Enumerating and Prioritizing Resources Firms must enumerate and prioritize the resource they have to protect Otherwise, security planning is impossible 30

31 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-31 9-10: Security Planning Access Control Planning for Individual Resources –Companies Must Then Develop an Access Control Plan for Each Resource The plan includes the AAA protections Authentication is proving the identity of the person wishing access Authorization is determining what the person may do if he or she is authenticated Auditing is logging data on user actions for later appraisal 31

32 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-32 9-11: Authentication with a Central Authentication Server 32 1. The supplicant sends its credentials to the verifier.

33 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-33 9-11: Authentication with a Central Authentication Server 33 2. The verifier passes the credentials to a central authentication server. 3. The central authentication server checks the credentials. If the credentials are correct, the authentication server sends an OK to the verifier, along with authorizations. 1

34 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-34 9-11: Authentication with a Central Authentication Server 34 Central authentication servers bring consistency. All supplicants are evaluated exactly the same way No matter what verifiers they connect to.

35 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-35 9-12: Password Authentication Passwords –Passwords are strings of characters –They are typed to authenticate the use of a username (account) on a computer Benefits –Ease of use for users (familiar) –Inexpensive because they are built into operating systems 35

36 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-36 9-12: Password Authentication Often Weak (Easy to Crack) –Word and name passwords are common –They can be cracked quickly with dictionary attacks –Hybrid dictionary attacks can crack simple variations, such as Processing1 almost as fast. 36

37 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-3737 9-12: Password Authentication Passwords should be complex –Mix case (A and a), digits (6), and other keyboard characters ($, #, etc.) –Can only be cracked with brute force attacks (trying all possibilities) Passwords should be long –Eight characters minimum –Each added character increases the brute force search time by a factor of about 70

38 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-3838 9-12: Password Authentication Tell what attack can break it fastest, and tell how difficult it will be for the attacker to guess the password. –swordfish –Processing1 –SeAtTLe –R7%t& –4h*6tU9$^l

39 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-39 9-12: Password Authentication Other Concerns –If people are forced to use long and complex passwords, they tend to write them down –People should use different passwords for different sites Otherwise, a compromised password will give access to multiple sites 39

40 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-40 9-13: Digital Certificate Authentication Public and Private Keys –Each party has both a public key and a private key –A party makes its public key available to everybody –A party keeps its private key secret If there are 12 employees, how many private keys will there be? How many public keys will there be? 40

41 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-41 9-13: Digital Certificate Authentication Digital Certificate –Tamper-proof file that gives a partys public key 41 Name: Smith Public Key: 8m27cj$leo62@lj*^l18dwk... Other field … Tamper Checking Field

42 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-4242 9-13: Digital Certificate Authentication CalculationDigital Certificate Authentication Test 2. Public key of the person the applicant claims to be 1. Applicant does a calculation with his or her Private key 3. Verifier tests the calculation with the public key of the claimed party (not of the sender). If the test succeeds, the applicant must know the secret private key of the claimed party, which only the claimed party should know. 2

43 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-43 9-13: Digital Certificate Authentication Perspective –Digital certificate authentication is very strong –However, it is very expensive because companies must set up the infrastructure for distributing public–private key pairs –The firm must do the labor of creating, distributing, and installing private keys 43

44 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-44 9-14: Biometric Authentication Biometric Authentication –Authentication based on bodily measurements –Promises to eliminate passwords Fingerprint Scanning –Dominates biometrics use today –Simple and inexpensive –Substantial error rate (misidentification) –Often can be fooled fairly easily by impostors 44

45 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-45 9-14: Biometric Authentication Iris Scanners –Scan the iris (colored part of the eye) –Irises are complex, so iris scanning gives strong authentication –Expensive Face Recognition –Camera: allows analysis of facial structure –Can be done surreptitiouslythat is, without the knowledge or consent of the person being scanned –Very high error rate and easy to fool 45

46 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-46 9-14: Biometric Authentication Error and Deception Rates –Error and deception rates are higher than vendors claim –The effectiveness of biometrics is uncertain 46

47 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-47 Figure 9-15: Firewall Operation 47 The border firewall examines Each packet passing through it. Ingress filtering Egress filtering The border firewall examines Each packet passing through it. Ingress filtering Egress filtering

48 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-48 Figure 9-15: Firewall Operation 48 If the firewall identifies a PROVABLE attack packet, the firewall drops and logs the packet in a log file. If the firewall identifies a PROVABLE attack packet, the firewall drops and logs the packet in a log file.

49 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-49 Figure 9-15: Firewall Operation 49 If the firewall identifies a PROVABLE attack packet, the firewall drops and logs the packet in a log file. If the firewall identifies a PROVABLE attack packet, the firewall drops and logs the packet in a log file. If the firewall identifies a packet That is not a provable attack packet, The firewall passes the packet. Even if the packet is suspicious, the firewall passes it. If the firewall identifies a packet That is not a provable attack packet, The firewall passes the packet. Even if the packet is suspicious, the firewall passes it.

50 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-50 9-16: Stateful Firewall Filtering Stateful Firewall Filtering –There are several types of firewall filtering –Stateful inspection is the dominant filtering method today –Stateful firewalls often use other filtering mechanisms as secondary mechanisms 50

51 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-51 9-16: Stateful Firewall Filtering States –Connections often go through several states –Connection opening, going communication, closing, etc. –Different security actions are appropriate for different states 51 Connection Opening State Ongoing Communication State Connection Closing State

52 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-52 9-16: Stateful Firewall Filtering Connection Initiation State –State when packets attempt to open a connection Example: packets with TCP segments whose SYN bits are set 52 Connection Opening State Ongoing Communication State Connection Closing State

53 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-53 9-17: Default Stateful Firewall Behavior for a Connection- Opening Attempt 53 Stateful firewalls have simple default behavior. If an outside host attempts to open a connection, the firewall prevents the connection by default. If an inside host attempts to open a connection, the firewall permits it by default.

54 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-54 9-16: Stateful Firewall Filtering Connection Initiation State –Access control lists can create exceptions to the default behaviors –Access control lists (ACLs) (see Figure 9-18) ACLs modify the default behavior for ingress or egress Ingress ACL rules allow access to selected internal servers Egress ACL rules prevent access to certain external servers 54

55 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-55 9-18: Ingress Access Control List (ACL) for a Stateful Inspection Firewall 1. If protocol = TCP AND destination port number = 25, PASS and add connection to connection table. –This rule permits external access to all internal mail servers. 55

56 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-56 9-18: Ingress Access Control List (ACL) for a Stateful Inspection Firewall 2. If IP address = 10.47.122.79 AND protocol = TCP AND destination port number = 80, PASS and add connection to connection table. –This rule permits access to a particular webserver (10.47.122.79). 56

57 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-57 9-18: Ingress Access Control List (ACL) for a Stateful Inspection Firewall 3. Deny All AND LOG. –If earlier rules do not result in a pass or deny decision, this last rule enforces the default rule of banning all externally initiated connection-opening attempts. 57

58 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-58 9-16: Stateful Firewall Filtering Packets in the Ongoing Communication State –If the packet does not attempt to open a connection, Then if the packet is part of an established connection –It is passed without further inspection –(However, these packets can be filtered if desired) If the packet is not part of an established connection, it must be an attack –It is dropped and logged 58 Connection Opening State Ongoing Communication State Connection Closing State

59 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-59 9-16: Stateful Firewall Filtering Packets in the Ongoing Communication State –This simplicity makes the cost of processing most packets minimal –Nearly all packets are part of the ongoing communication state 59 Connection Opening State Ongoing Communication State Connection Closing State

60 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-60 9-16: Stateful Firewall Filtering Perspective –Simple operation for most packets leads to inexpensive stateful firewall operation –However, stateful inspection firewall operation is highly secure 60

61 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-61 9-19: Firewalls, Intrusion Detection Systems (IDSs), and Intrusion Prevention Systems (IPS) 61 FirewallsIDSsIPSs Inspect Packets? Yes Action TakenDrop and log individual proven attack packets based on individual packet or connection inspections. Log multipacket attacks based on deep (multilayer) packet inspections of streams of packet flows Notify an administrator of severe attacks but do not stop the attacks. Applies IDS processing methodsdeep packet inspection and packet stream inspection But actually stops some attacks that have high confidence but are not provably attacks.

62 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-62 9-19: Firewalls, Intrusion Detection Systems (IDSs), and Intrusion Prevention Systems (IPS) 62 FirewallsIDSsIPSs Inspect Packets? Yes Processing Power Required ModestHeavy MaturityFairly matureStill immature with too many false positives (false alarms) Tuning can reduce false positives, but this takes a great deal of labor. New. Only used to stop attacks that can be identified fairly accurately.

63 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-6363 9-20: Cryptographic Systems Cryptographic Systems –Provide security to multi-message dialogues At the Beginning of Each Communication Session –The two parties usually mutually authenticate each other Party A Party B Initial Authentication As Credentials To B Bs Credentials To A

64 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-64 Message-by-Message Protection –After this initial authentication, cryptographic systems provide protection to every message –Encrypt each message for confidentiality so that eavesdroppers cannot read it 9-20: Cryptographic Systems Party A Party B Messages Encrypted for Confidentiality Eavesdropper Cannot Read Messages

65 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-6565 9-21: Symmetric Key Encryption for Confidentiality Message Hello Cipher & Key Symmetric Key Party A Party B Network Encrypted Message Encryption uses a non-secret cipher (encryption method ) and a secret key

66 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-66 9-21: Symmetric Key Encryption for Confidentiality Encrypted Message Symmetric Key Party A Party B Interceptor Network Interceptor cannot read encrypted messages en route Encrypted Message

67 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-6767 9-21: Symmetric Key Encryption for Confidentiality Encrypted Message Message Hello Cipher & Key Symmetric Key Same Symmetric Key Party A Party B Interceptor Network Receiver decrypts the message using the same cipher and the same symmetric key

68 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-6868 9-20: Cryptographic Systems Message-by-Message Protection –Adds an electronic signature to each message The electronic signature authenticates the sender It also provides message integrity: receiver can tell if a message has been changed in transit Party A Party B Electronic Signature

69 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-69 9-20: Cryptographic Systems Message-by-Message Protection –Digital signatures use digital certificate authentication Very strong authentication, but also very expensive –HMACs (key-hashed message authentication codes) are less expensive They are not quite as secure as digital signatures, but are still quite secure The most widely used electronic signature method 69

70 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-70 9-22: Other Aspects of Protection Hardening Servers and Client PCs –Setting up computers to protect themselves Server Hardening –Back up so that restoration is possible –Patch vulnerabilities –Use host firewalls 70

71 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-71 9-22: Other Aspects of Protection Client PC Hardening –As with servers, patching vulnerabilities, having a firewall, and implementing backup –Also, a good antivirus program that is updated regularly –Client PC users often make errors or sabotage hardening techniques –In corporations, group policy objects (GPOs) can be used to centrally manage security on clients 71

72 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-72 9-22: Other Aspects of Protection Vulnerability Testing –Protections are difficult to set up correctly –Vulnerability testing is attacking your system yourself or through a consultant –There must be follow-up to fix vulnerabilities that are discovered 72

73 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-73 9-23: Incident Response Even with the best security, successful attacks sometimes happen 1. Detect the Attack 2. Stop the Attack 3. Repair the Damage 4. Punish the Attacker

74 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-74 9-23: Incident Response Major Attacks and CSIRTs –Major incidents are those the on-duty staff cannot handle –Computer security incident response team (CSIRT) –Must include members of senior management, the firms security staff, members of the IT staff, members of functional departments, and the firms public relations and legal departments 74

75 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-75 9-23: Incident Response Disasters and Disaster Recovery –Natural and humanly-made disasters –IT disaster recovery for IT Dedicated backup sites and transferring personnel Having two sites that mutually back up each other –Business continuity recovery Getting the whole firm back in operation IT is only one player 75

76 © 2009 Pearson Education, Inc. Publishing as Prentice Hall 9-76 9-23: Incident Response Rehearsals –Rehearsals are necessary for speed and accuracy in response –Time literally is money 76


Download ppt "© 2009 Pearson Education, Inc. Publishing as Prentice Hall Chapter 9 Pankos Business Data Networks and Telecommunications, 7th edition © 2009 Pearson Education,"

Similar presentations


Ads by Google