Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

Published byDeborah Tyler Modified over 8 years ago

Similar presentations

Presentation on theme: "CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina."— Presentation transcript:

1 CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina

2 10/25/20052 Certificates An instrument signed by an authority to certify something about a subject Original function is to bind names to keys or keys to names Now it can contain authorization, delegation, and validity conditions

3 10/25/20053 Types of Certificates ID certificates name  key Attribute certificates authorization  name Authorization certificates authorization  key An attribute certificate needs to combine with an ID certificate to be used for authorization

4 10/25/20054 X.509 Authentication Service Part of CCITT X.500 directory service standards distributed servers maintaining some info database Define framework for authentication services directory may store public-key certificates with public key of user signed by certification authority Also define authentication protocols Use public-key cryptography and digital signatures algorithms not standardised, but RSA recommended

5 10/25/20055 X.509 Certificates Issued by a Certification Authority (CA), containing: version (1, 2, or 3) serial number (unique within CA) identifying certificate signature algorithm identifier issuer X.500 name (CA) period of validity (from - to dates) subject X.500 name (name of owner) subject public-key info (algorithm, parameters, key) issuer unique identifier (v2+) subject unique identifier (v2+) extension fields (v3) signature (of hash of all fields in certificate) Notation CA > denotes certificate for A signed by CA

6 10/25/20056 X.509 Certificates

7 10/25/20057 Obtaining a Certificate Any user with access to CA can get any certificate from it Only the CA can modify a certificate Certificates can be placed in a public directory since they cannot be forged

8 10/25/20058 CA Hierarchy If both users share a common CA then they are assumed to know its public key Otherwise CA's must form a hierarchy Use certificates linking members of hierarchy to validate other CA's each CA has certificates for clients (forward) and parent (backward) each client trusts parents certificates enable verification of any certificate from one CA by users of all other CAs in hierarchy

9 10/25/20059 CA Hierarchy Use

10 10/25/200510 Certificate Revocation Certificates have a period of validity May need to revoke before expiry, eg: 1. user's private key is compromised 2. user is no longer certified by this CA 3. CA's certificate is compromised CA’s maintain list of revoked certificates the Certificate Revocation List (CRL) Users should check certs with CA’s CRL

11 10/25/200511 Authentication Procedures X.509 includes three alternative authentication procedures One-Way Authentication Two-Way Authentication Three-Way Authentication All use public-key signatures

12 10/25/200512 One-Way Authentication 1 message (A->B) used to establish the identity of A and that message is from A message was intended for B integrity & originality of message message must include timestamp, nonce, B's identity and is signed by A

13 10/25/200513 Two-Way Authentication 2 messages (A->B, B->A) which also establishes in addition: the identity of B and that reply is from B that reply is intended for A integrity & originality of reply reply includes original nonce from A, also timestamp and nonce from B

14 10/25/200514 Three-Way Authentication 3 messages (A->B, B->A, A->B) which enables above authentication without synchronized clocks has reply from A back to B containing signed copy of nonce from B means that timestamps need not be checked or relied upon

15 10/25/200515 X.509 Version 3 It has been recognized that additional information is needed in a certificate email/URL, policy details, usage constraints Define a general extension method rather than naming new fields Components of extensions extension identifier criticality indicator extension value

16 10/25/200516 Certificate Extensions Key and policy information convey info about subject & issuer keys, plus indicators of certificate policy Certificate subject and issuer attributes support alternative names, in alternative formats for certificate subject and/or issuer Certificate path constraints allow constraints on use of certificates by other CA’s

17 10/25/200517 Need of Firewalls Everyone want to be on the Internet and to interconnect networks Persistent security concerns cannot easily secure every system in organization Use firewall to provide “harm minimization”

18 10/25/200518 Functions of Firewalls A choke point of control and monitoring Interconnect networks with differing trust Impose restrictions on network services only authorized traffic is allowed Auditing and controlling access can implement alarms for abnormal behavior Immune to penetration Provide perimeter defence

19 10/25/200519 What Firewalls Can Do Service control Direction control User control Behavior control

20 10/25/200520 What Firewalls Cannot Do Cannot protect from attacks bypassing it e.g. sneaker net, utility modems, trusted organisations, trusted services (e.g. SSL/SSH) Cannot protect against internal threats e.g. disgruntled employee Cannot protect against transfer of all virus infected programs or files because of huge range of OS and file types

21 10/25/200521 Types of Firewalls Three common types Packet-filtering router Application-level gateway Circuit-level gateway

22 10/25/200522 Packet-filtering Router

23 10/25/200523 Packet-filtering Router Foundation of any firewall system Examine each IP packet (no context) and permit or deny according to rules Restrict access to services (ports) Possible default policies prohibited if not expressly permitted permitted if not expressly prohibited

24 10/25/200524 Examples of Rule Sets

25 10/25/200525 Attacks on Packet Filters IP address spoofing fake source address to be trusted add filters on router to block Source routing attacks attacker sets a route other than default block source routed packets Tiny fragment attacks split header info over several tiny packets either discard or reassemble before check

26 10/25/200526 Stateful Packet Filters Examine each IP packet in context keep tracks of client-server sessions check each packet validly belongs to one Better able to detect bogus packets out of context

27 10/25/200527 Application Level Gateway

28 10/25/200528 Application Level Gateway Use an application specific gateway / proxy Has full access to protocol user requests service from proxy proxy validates request as legal then actions request and returns result to user Need separate proxies for each service some services naturally support proxying others are more problematic custom services generally not supported

29 10/25/200529 Circuit Level Gateway

30 10/25/200530 Circuit Level Gateway Relay two TCP connections Impose security by limiting which such connections are allowed Once created, usually relays traffic without examining contents Typically used when trust internal users by allowing general outbound connections SOCKS commonly used for this

31 10/25/200531 Bastion Host Highly secure host system Potentially exposed to "hostile" elements, so need to be secured to withstand this May support 2 or more net connections May be trusted to enforce trusted separation between network connections Run circuit / application level gateways or provide externally accessible services

32 10/25/200532 Firewall Configurations

33 10/25/200533 Firewall Configurations

34 10/25/200534 Firewall Configurations

35 10/25/200535 Next Class Presentation of paper “A Framework for Classifying Denial of Service Attack” Submit your review through dropbox before class

Download ppt "CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina."

Similar presentations

Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Kerberos and X.509 Fourth Edition by William Stallings

Kerberos and X.509 Fourth Edition by William Stallings
CSCE 815 Network Security Lecture 10 KerberosX.509 February 13, 2003.

CSCE 815 Network Security Lecture 10 KerberosX.509 February 13, 2003.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Cryptography and Network Security Chapter 14

Cryptography and Network Security Chapter 14
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 9 – Firewalls and.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 9 – Firewalls and.
Firewalls 2014.04.07 Uyanga Tserengombo

Firewalls Uyanga Tserengombo
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Authentication Applications We cannot enter into alliance with neighbouring princes until we are acquainted with their designs. —The Art of War, Sun Tzu.

Authentication Applications We cannot enter into alliance with neighbouring princes until we are acquainted with their designs. —The Art of War, Sun Tzu.
Network Security Essentials Chapter 4

Network Security Essentials Chapter 4
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Winter 20021 CMPE 155 Week 7. Winter 20022 Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.

Winter CMPE 155 Week 7. Winter Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.

Similar presentations

Ads by Google