Presentation is loading. Please wait.

Presentation is loading. Please wait.

IT443 – Network Security Administration Instructor: Bo Sheng

Similar presentations


Presentation on theme: "IT443 – Network Security Administration Instructor: Bo Sheng"— Presentation transcript:

1 IT443 – Network Security Administration Instructor: Bo Sheng
Introduction IT443 – Network Security Administration Instructor: Bo Sheng

2 Basic Information Location and time Instructor (Bo Sheng) S-3-028,
Mondays and Wednesdays 7:00~8:15pm Instructor (Bo Sheng) , Office: S-3-167 Office hours: Mon & Wed, 2~4pm

3 Course Outline Network Basics Cryptography Basics Authentication
Network layers, headers, services, … TCP/IP, MAC, DNS, ARP, … Cryptography Basics Secret key encryption, Public key encryption, Hash function Doesn’t cover theoretical foundation Authentication Password, challenge/response, mutual authentication, …

4 Course Outline Public Key Infrastructure IPsec SSL/TLS Firewall
PKI architecture, certificates, … IPsec Secure IP layer protocol SSL/TLS Secure transport layer protocol Firewall Prevent attacks, iptables, …

5 Course Outline Intrusion Detection System Email Security
Host-based IDS and network-based IDS Security Wireless security / Worm (backup) Rouge AP attacks, WEP crack, Worm propagation/detection, …

6 Course Work 6~7 lab assignments (70%) Team of 2 students Lab report
Follow the instructions Observe the output Understand the results (may need more tests to confirm)

7 Course Work Final exam (30%) Lecture + Lab
Last time this course was taught 8 “true or false” 6 “multiple choices” 3 “descriptive questions” Lecture + Lab Virtual machines

8 Lab Outline Understanding network packets Encryption/decryption
IP prefix, DNS service Encryption/decryption Conduct file encryption (openssl) Distinguish cryptographic algorithms Password cracking Dictionary attack, john-the-ripper Network attacks SYN flood, ARP poisoning

9 Lab Outline Implementing certificate Configuring a firewall
Set up https service Configuring a firewall iptables System monitoring Remote logging Intrusion detection Aide and Snort SQL injection (backup)

10 Other Info Course web page Prerequisite IT341
Prerequisite IT341 If you take IT341 later, you will lose the credits of this course.

11 Policies Lab reports Honor code No makeup exam Accommodations
Partial points will be given, but no later submissions are accepted. Honor code No makeup exam Accommodations Ross Center for Disability Service Campus Center Room 211

12 Information Door code: 434598* Login: Your windows account
If you use your own laptop, install Vmware workstation 10.0 Virtualbox Install Ubuntu Desktop on a VM Vmware 10.0: NM21L-LK05L-N8864-0J0K0-28X25

13 Introduction to Network Security
Security Breaches Symantec Threat Explorer Spam

14 Introduction to Network Security
Security threats Malware: Virus, worm, spyware Spam Botnet DDoS attacks Phishing Cross-site scripting (XSS)

15 Contributing Factors Lack of awareness of threats and risks of information systems Security measures are often not considered until an Enterprise has been penetrated by malicious users Wide-open network policies Many Internet sites allow wide-open Internet access Lack of security in TCP/IP protocol suite Most TCP/IP protocols not built with security in mind Complexity of security management and administration Software vulnerabilities Example: buffer overflow vulnerabilities Cracker skills keep improving The biggest contributing factor is the lack of security awareness. Many Internet Enterprises are not aware of the risks associated with connecting to the Internet. As a result, Internet Enterprises often do not consider security measures until they have been penetrated by malicious users or have learned about other penetration incidents. Senior managers need to understand what it means to connect to the Internet from a threat and risk standpoint. Many Internet sites employ wide-open network policies. For example, internal Enterprise systems may be easily accessible from the Internet and Enterprise users may be allowed to initiate all types of network services from their desktop workstations. These internal Enterprise systems may employ weak passwords or have user accounts with no passwords. Enterprise anonymous FTP machines may also be improperly configured, thereby inviting malicious users to use these machines as hostile attack or storage facilities. The compromise of a single internal Enterprise machine may enable malicious users to “island hop” to other internal machines. The vast majority of Internet traffic is unencrypted or plaintext traffic. , file transfers, userID/password combinations, hostnames, and other sensitive information that flows across the Internet are subject to monitoring and capture. The recent Internet breakins were attributed to malicious users that employed network monitoring tools. Many of the TCP/IP protocols were not designed with security in mind. A number of the TCP/IP services (e.g., rlogin) rely on mutually trusting domains. However, a great deal of work is progressing within the Internet Engineering Task Force (IETF). Examples include the Internet Security Architecture, Kerberized versions of TELNET and FTP, Common Authentication Technology (CAT), and Privacy Enhanced Mail (PEM). The complexity of security management often leads to unauthorized entry within an Internet Enterprise. For example, filter definitions on screening routers may be improperly configured. Firewalls composed of multiple components may also increase the complexity of system administration. In addition, Enterprise systems that are accessible from the Internet may be configured with key security mechanisms disabled. Software bugs, especially protocol implementation bugs, are often exploited by crackers. Sendmail is a good example of a protocol implementation that is often exploited by crackers. Cracker skills and techniques continue to improve. Sophisticated crackers employ tools to capture Internet traffic and to probe Internet machines. For example, crackers run password cracking programs, monitor and spoof network traffic, masquerade as authorized users, and use compromised Internet machines as attack or storage facilities.

16 Security Objectives (CIA)

17 Security Objectives (CIA)
Confidentiality — Prevent/detect/deter improper disclosure of information Integrity — Prevent/detect/deter improper modification of information Availability — Prevent/detect/deter improper denial of access to services provided by the system These three concepts form what is often referred to as the CIA triad (Figure 1.1). The three concepts embody the fundamental security objectives for both data and for information and computing services. FIPS PUB 199 provides a useful characterization of these three objectives in terms of requirements and the definition of a loss of security in each category: • Confidentiality (covers both data confidentiality and privacy): preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information. • Integrity (covers both data and system integrity): Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information. • Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system. Although the use of the CIA triad to define security objectives is well established, some in the security field feel that additional concepts are needed to present a complete picture. Two of the most commonly mentioned are: • Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. • Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.

18 OSI Security Architecture
ITU-T X.800 “Security Architecture for OSI” Defines a systematic way of defining and providing security requirements It provides a useful, if abstract, overview of concepts we will study To assess effectively the security needs of an organization and to evaluate and choose various security products and policies, the manager responsible for security needs some systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements. This is difficult enough in a centralized data processing environment; with the use of local and wide area networks the problems are compounded. ITU-T Recommendation X.800, Security Architecture for OSI, defines such a systematic approach. The OSI security architecture is useful to managers as a way of organizing the task of providing security.

19 Aspects of Security 3 aspects of security: security attack
Any action that compromises the security of information owned by an organization security mechanism A process that is designed to detect, prevent, or recover from a security attack security service Counter security attacks: make use of one or more security mechanisms to provide the service The OSI security architecture focuses on security attacks, mechanisms, and services. These can be defined briefly as follows: • Security attack: Any action that compromises the security of information owned by an organization. • Security mechanism: A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack. • Security service: A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization. The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service. In the literature, the terms threat and attack are commonly used to mean more or less the same thing. Table 1.1 provides definitions taken from RFC 2828, Internet Security Glossary. Threat - A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability. Attack - An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.

20 Threat Model and Attack Model
Threat model and attack model need to be clarified before any security mechanism is developed Threat model Assumptions about potential attackers Describes the attacker’s capabilities Attack model Assumptions about the attacks Describe how attacks are launched

21 Passive Attacks A useful means of classifying security attacks, used both in X.800 and RFC 2828, is in terms of passive attacks and active attacks. A passive attack attempts to learn or make use of information from the system but does not affect system resources. Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are: + release of message contents - as shown above in Stallings Figure 1.2a here + traffic analysis - monitor traffic flow to determine location and identity of communicating hosts and could observe the frequency and length of messages being exchanged These attacks are difficult to detect because they do not involve any alteration of the data.

22 Active Attacks Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: masquerade, replay, modification of messages, and denial of service: masquerade of one entity as some other replay previous messages (as shown above in Stallings Figure 1.3b) modify/alter (part of) messages in transit to produce an unauthorized effect denial of service - prevents or inhibits the normal use or management of communications facilities Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are difficult to detect, measures are available to prevent their success. On the other hand, it is quite difficult to prevent active attacks absolutely, because of the wide variety of potential physical, software, and network vulnerabilities. Instead, the goal is to detect active attacks and to recover from any disruption or delays caused by them.

23 Security Mechanism (X.800)
Specific security mechanisms: encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization Pervasive security mechanisms: trusted functionality, security labels, event detection, security audit trails, security recovery Some examples of mechanisms from X.800. Note that the “specific security mechanisms” are protocol layer specific, whilst the “pervasive security mechanisms” are not. We will meet some of these mechanisms in much greater detail later.

24 Security Service Enhance security of data processing systems and information transfers of an organization Intended to counter security attacks Using one or more security mechanisms Often replicates functions normally associated with physical documents For example, have signatures, dates; need protection from disclosure, tampering, or destruction; be notarized or witnessed; be recorded or licensed Consider the role of a security service, and what may be required. Note both similarities and differences with traditional paper documents, which for example: have signatures & dates; need protection from disclosure, tampering, or destruction; may be notarized or witnessed; may be recorded or licensed

25 Security Service Authentication - assurance that communicating entity is the one claimed Access Control - prevention of the unauthorized use of a resource Data Confidentiality –protection of data from unauthorized disclosure Data Integrity - assurance that data received is as sent by an authorized entity Non-Repudiation - protection against denial by one of the parties in a communication Availability – resource accessible/usable The broad service categories are: authentication is concerned with assuring that a communication is authentic. Two specific authentication services are defined in X.800: Peer entity authentication: provides corroboration of the identity of a peer entity in an association; and Data origin authentication: provides corroboration of the source of a data unit. access control is the ability to limit and control the access to host systems and applications via communications links. confidentiality is the protection of transmitted data from passive attacks, and the protection of traffic flow from analysis. integrity assures that messages are received as sent, with no duplication, insertion, modification, reordering, replay, or loss. availability is the property of a system / resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system.

26 Check network connection
ping google.com Log out


Download ppt "IT443 – Network Security Administration Instructor: Bo Sheng"

Similar presentations


Ads by Google