2 What is network security about ? It is about secure communicationWhat do we mean by secure communication?Everything is connected by the InternetWe will often use Alice and BobAlice is on a vacation and wants to send a command to her assistant—Bob—or just a computer to control the nuclear power plant, how can she do that?
3 What is it about ?There are eavesdroppers that can listen on the communication channelsInformation needs to be forwarded through packet switches, and these switches can be reprogrammed to listen to or modify data in transitIs it hopeless for Alice?
4 Other examples Alice sends Bob some sensitive information via Internet Network manager remotely changes some Access Control Lists (intercepts, impersonation)On-line stock trading, customer denies that she has sent the order
5 CryptographyCryptography allows us to disguise data so that eavesdroppers gain no information from listeningCryptography also allows us to create unforgettable message and detect if it has been modified in transit: a digital signature is often used for this purpose—a magic number
6 Network/System Security Overview CryptographySecret key cryptographyModes of operationHashes and message digestPublic key cryptographySome number theory, AES and elliptic curve cryptographyAuthenticationHow can Alice prove that she is Alice on networks?StandardsKerberos, PKI, IPSec, SSLThe underlying philosophy for these standards, that is, intuition behind various choices, design decisions, and flaws in these standardssecurityFirewalls and secure systems
7 Two kinds of securityComputer securityNetwork security
8 Vulnerabilities of comp sys attacks on hardwareattacks on softwaredeletion, modification (Trojan horse, trapdoor/backdoor, covert channel), infection through computer virus, theft, copyingattacks on datacompromising secrecy & integrityattacks on other resourcesstorage media, time, key people
9 Computer security The goal is to protect data and resources How to design security mechanisms?Cost/benefitsThreat modelTrust modelAvailable toolsWhere to use security toolSecurity is not only about cryptographyIdentify the weakest point
10 Failures of security mechanisms Failure to understand the threat modelFailure to understand what a mechanism protects against and what it does notBad designImplementation faultMisconfigurationBad interaction with other partsBad user interface
11 Network securitySecurity of data in transitSecurity of data at rest
12 Importance of network security Increasing large deployment of networked computersSensitive information/resources are coming onlinePersonal informationFinancial servicesMilitaryInfrastructureLarge number of users, large amounts of money
15 Differences from systems security Attacks come from anywhere, at any timeHighly automated attacks (script kiddies)Physical security measures are inadequateWide variety of applications, services, protocolsNo single authority/administrator
16 Reactions to Information Security Active research in security & privacy (numerous conferences each year)New lawsEducationCollaborations between governments, industries & academiaEmployment of computer security specialists
17 Methods of defence (1) modern cryptography software controls encryption, authentication code, digital signature etcsoftware controlsstandard development tools (design, code, test, maintain, etc)operating system controlsinternal program controls (eg. database)fire-walls
18 Methods of defence (2) hardware controls physical controls security devicessmart cards, ...SecureIDphysical controlslocks, guards, backup of data & software, thick walls, ...security policies & proceduresuser educationlaw
20 Intro Network Security To assess the security needs of an organization effectively and to evaluate and choose various security products and policies, the manager responsible for security needs some systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements.One approach is to consider 3 aspects of information security:Security attack: any action that compromises the security of informationowned by an organizationSecurity method: a mechanism that is designed to detect, prevent, orrecover from a security attackSecurity service: a service that enhances the security of the dataprocessing systems and the information transfers of an organizationThe services are intended to counter security attacks, and they make use of one or more security methods to provide the service
21 Classification of Security Services Confidentiality – Ensures that the information in a computer system and transmitted information are accessible only for reading by authorized partiesAuthentication – Ensures that the origin of a message or electronic document is correctly identified, with an assurance that the identity is not falseIntegrity – Ensures that only authorized parties are able to modify computer systems assets and transmitted information.Nonrepudiation– Requires that neither the sender nor the receiver of a message be able to deny the transmission (nonrepudiation with proof of origin/delivery)Access control (Authorization) – Requires that access to information resources may be controlled by or for the target systemAvailability – Requires that computer system assets be available to authorized parties when needed
22 Threats Passive attacks Active attacks Illegal interception (secrecy) Traffic analysisActive attacksDenial of Service / Interruption (availability)Un-authorised modification (integrity)Fabrication (authenticity)ReplayMan-in-the-middle attacksModification of messages
23 Illegal Interception also called “un-authorised access” difficult to detectit leaves no tracesexample: US military Tempest program measures how far away an intruder must be before eavesdropping is impossible.The movement of electron can be measured from a surprising distance (control zone)
24 Traffic analysis Military applications (spy identification) Zeroknowledge Inc. (anonymous web browsing and private, encrypted, untraceable for customers stopped services)AT&T Crowds project (system for protecting your anonymity while you browse the web)AnonymizerUntraceable s: Mix by David Chaum
25 Denial of Servicealso called “Interruption”—recent example: DDoS, tool used in that DDoS trinooinformation resources (hardware, software and data) are deliberately made unavailable, lost or unusable, usually through malicious destruction
26 Un-authorized Modification un-authorised access & tampering with a resource (data, programs, hardware devices, copy of hand-written signature, etc.)Ex. some portion of a legitimate message is altered, or that message is delayed or altered to produce an unauthorized effect
27 Fabrication and Impersonation fabricate counterfeit objects (data, programs, devices, etc)related examples:counterfeit bank notesfake chequesimpersonation/masqueradingto gain access to data, services etcIt takes place when one entity pretends to be a different entity. Example: by capturing authentication sequences and replaying them
28 Replay attacksPassive capture of a data unit and its subsequent retransmission to produce an unauthorized effect. The attacker records a valid transaction and plays it back again later.Most often when a same shared key is used between two peersDefending against replay attacks is possible but painful as it requires maintenance of state
29 Man-in-the-middle attack Is an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised. The attacker must be able to observe and intercept messages going between the two victims.MITM attacks on SSL:Alice attackerreal siteMafia in the Middle attackAlice coffee Jewelry
30 Modification of message Some portion of a legitimate message is altered, or that message is delayed or altered to produce an unauthorized effect
31 How to defeat these attacks? illegal interceptionsecrecymixtraffic analysisun-authorised modificationintegrityauthenticationimpersonationauthorizationre-playman-in-the-middleother mechanismsdenial of service
32 Key escrow for law enforcement Law enforcement would like to preserve its ability to wiretap otherwise secure communicationGovernment wants to wiretap all the time, so it must prevent use of encryption, break the codes used for encryption, or somehow learn everyone’s cryptographic keyClipper proposal attempted the 3rd option (encryption is done with Clipper chip—unique key)At present, government is giving up the control of cryptography
33 Key escrow for careless users It is prudent to keep your key in a safe placeWhere?Do you trust the unique key bank?Split your keys and deposit in several independent places
34 Digital Pest: Virus, Worms, Trojan Horses No need to distinguish them.. But..Trojan horses: instructions hidden in a useful codeVirus: when executed, insert a copy in other codesWorm: self-replicating codeTrap (back)-door: undocumented entry pointLogic bomb: malicious instruction which triggers on some event, such as a particular time occuringZombie: malicious code installed on a system that can be remotely triggered to do bad things
35 More on Digital PestIs it possible to detect a digital pest in a program?– One of the famous results in computer science is that it is impossible to be able to tell what an arbitrary program will do by looking at it!– In fact it is impossible in general to discern any nontrivial property of a program by looking at it (e.g. if the program will halt)Anyway, nobody looks– Open source can help: maybe someone else will look!A virus can be installed in any program as follows:– Replace any instruction, say the instruction at location x, by a jump to some free space in memory, say location y; then– Write the virus program starting at location y; then– Place the instruction that was originally at location x at the end of the virus program, followed by a jump to x+1Replication– Besides the delayed planned damage, the virus replicates itself silently.– If it did not wait before damaging the infected system, it would not spread as far!
36 Where do they come from ?Commercial package: malicious employee? Infected before shipping?...sFloppy disk bootCDROM start-up executionSpreading from machine to machine (scripts…guessing passwords automatically...)
37 Virus CheckerCheck the instruction sequences for lots of types of viruses (virus patterns)Smart virus changes its form each time (polymorphic virus), more work for virus checker to detect but still possibleUsing snapshots of the files (not useful for some kinds of code)
38 Best practices No perfect virus checker Some precautions: Do not run software from unknown sourcesFrequently run virus checkersRun code in the most restricted environmentsWhen system tells you something is dangerous, do not try itDo frequent backupsDo not boot off floppies, do not insert suspicious CDs into CDROM
39 Best Practices: How to protect a machine Three key items would increase the security of a system and protect it from attacks:Install critical security updates / patches for the Operating System and services / programs running on the machine as soon as they become available (with Microsoft platform, sign up for Automatic Windows Updates). Those will patch backdoors, and design flows/security vulnerabilities which can be exploit.Install an Antivirus Software, and ensure it updates itself properly / constantly with latest virus definitionsInstall a firewall: as most attacks will come from the network, closing unused ports would substantially decreases chances of successful attack.
40 Authentication and authorization In a network application, the first question is “who you are?” then “what you are allowed to do?”Authentication proves who you are and authorization defines what you can doAccess Control Lists (ACL)—database listing who can access a certain objectsCapability Model—database listing what each user can do
41 Access Control Lists S\O Operating system Accounts program Accounting dataAudit trailSamrwxrwrAlicex-Bobrx
42 Discretionary and Nondiscretionary Access Controls (DAC & MAC) Discretionary means that someone who owns a resource can make a decision as to who is allowed to use (access) itNondiscretionary (mandatory) access controls enforce a policy where users might be allowed to use information themselves but might not be allowed to make copy of it available to someone else (even the owner cannot change the attribute of a data file)
43 Philosophy behind these access controls Discretionary controls: users and programs are good guys, OS decide how to protect each user’s dataNondiscretionary: users are careless, programs may be infected. Careless users may type a wrong command and attach a secret file to an sent to the public world. The information should be confined in a security perimeter
44 Multi-level model of security Security labels:Both subjects and objects have security labelsOnly subjects with the proper clearance (security label) can see the objects with the same or lower level of security labelsTOP SECRETSECRETCONFIDENTIALOPEN
45 Information Flow control Bell LaPadula (BLP) modelSimple security property: no read up*-property: no write down
46 Covert channelsA covert channel is a method for a Trojan horse to circumvent the automatic confinement of information within a security perimeter (Assume the Trojan horse program has not enough privileges to directly send confidential data outside the system)Example: OS enforce the multilevel security. A bad guy tricked a “TOP SECRET” guy to run a Trojan horse.
47 Covert channels (cont.) The timing channel – The Trojan horse program alternately loops and waits, in cycles of, say one minute per bit (of the confidential data). When the bit is 1: the program loops for one minute. When the bit is 0: the program waits for a minute. Another program running on the same computer (but without access to the sensitive data) constantly tests the loading of the Trojan horse.The storage channel – The Trojan horse program loads a (printer) queue to represent a 1, and delete its jobs to represent a 0. Easy to check the queue status and get the information.The error channel – The Trojan horse program creates a file to represent a 1, and delete it to represent a 0. The external process tries to read the file: since different error messages are reported when the file exists (but its access is not permitted) or when the file does not exist, which are used to distinguish between the 0's and 1's.
48 The Orange BookThe National Computer Security Center (NCSC) published an official standard called “Trusted Computer System Evaluation Criteria” (the Orange Book) which defines a series of ratings a computer system can have based on its security features and the care that went into its design, documentation, and testing