Chapter 7 – Security in Networks


Chapter 7 – Security in Networks
 Introduction to networks
 Threats against network applications
 Controls against network applications
 Firewalls
 Intrusion detection systems
 Private

Terminal-Host Systems
 Created in the 1960s
   - Central host computer does all the processing
   - Terminal is dumb: only a remote screen and keyboard
   - Created in the 1960s, when microprocessors for terminal intelligence did not exist

PC Networks
 The most common platform in organizations
   - Allows PCs to share resources
   - Both Wintel (Windows/Intel) PCs and Macintoshes

Network
 A network is an any-to-any communication system
   - Can connect any station to any other

Network
 Each station has a unique network address
   - To connect, only need to know the receiver's address
   - Like a telephone number
   (Diagram: stations ABC, DEF, GHI, JKL, MNO; "Connect to GHI")

LANs and WANs
 Networks have different geographical scopes
 Local Area Networks (LANs)
   - Small office
   - Office building
   - Industrial park / university campus
 Wide Area Networks (WANs)
   - Connect corporate sites, or
   - Connect corporate sites with sites of customers and suppliers

Elements of a Simple LAN
 Hub or switch connects all stations
 Wiring is standard business telephone wiring (4 pairs in a bundle)

Elements of a Simple LAN
 Client PCs are used by ordinary managers and professionals; they receive service
 Servers provide services to client PCs

Elements of a Simple LAN
 Client PC
   - Begin with a stand-alone PC
   - Add a network interface card (NIC) to deal with the network
   - Networks have many client PCs
 Server
   - Most PC networks have multiple servers

Wide Area Networks
 WANs link sites (locations)
   - Usually sites of the same organization
   - Sometimes, sites of different organizations
   (Diagram: WAN connecting Site A, Site B and Site C)

Client/Server Processing
 Two programs
   - Client program on the client machine
   - Server program on the server machine
   - Work together to do the required processing

Client/Server Processing
 Cooperation through message exchange
   - Client program sends a Request message, such as a database retrieval request
   - Server program sends a Response message to deliver the requested information or an explanation for failure

Client/Server Processing
 Widely used on the Internet
 For instance, web service
   - Client program (browser) sends an HTTP request asking for a webserver file
   - Server program (webserver application program) sends an HTTP response message with the requested webpage

Client/Server Processing
 On the Internet, a single client program, the browser (also known as the client suite), works with many kinds of C/S server applications
   - WWW, some , etc.

Standards Organizations and Architectures
 TCP/IP standards
   - Created by the Internet Engineering Task Force (IETF)
   - Named after its two most widely known standards, TCP and IP
 TCP/IP is the architecture, while TCP and IP are individual standards
 However, these are not its only standards, even at the transport and internet layers
   - IETF standards dominate in corporations at the application, transport, and internet layers
 However, application, transport, and internet standards from other architectures are still used

Standards Organizations and Architectures
 OSI standards
   - Reference Model of Open Systems Interconnection
   - Created by the International Telecommunications Union - Telecommunications Standards Sector (ITU-T)
   - And the International Organization for Standardization (ISO)
   - OSI standards dominate the data link and physical layers
 Other architectures specify the use of OSI standards at these layers

OSI Reference Model (diagram)

TCP/IP versus OSI
 Lowest four layers are comparable in functionality
   TCP/IP               OSI
   Application          Application
                        Presentation
                        Session
   Transport            Transport
   Internet             Network
   Data Link (use OSI)  Data Link
   Physical (use OSI)   Physical

Internet Standards
 Accessing the WWW from home
   (Diagram: layer stacks of the user PC, a router and the webserver; HTTP, TCP and IP run between PC and webserver; PPP over a modem runs between PC and router; the router-to-webserver data link and physical standards are shown as "?")

Indirect Communication
 Application programs on different machines cannot communicate directly
   - They are on different machines!
   (Diagram: the browser's HTTP request travels down the user PC's layers and up the webserver's layers to the web application)

Layer Cooperation on the Source Host
 Application layer process passes the HTTP request to the transport layer process

Layer Cooperation on the Source Host
 Transport layer makes TCP segments
   - HTTP message is the data field
   - Adds the TCP header fields shown earlier
   - Transport process "encapsulates" the HTTP request within a TCP segment
   (TCP segment = TCP header (TCP-H) + data field (HTTP request))

Layer Cooperation on the Source Host
 Transport layer process passes the TCP segment down to the internet layer process

Layer Cooperation on the Source Host
 The internet layer process passes the IP packet to the data link layer process
   - Internet layer messages are called packets

Layer Cooperation on the Source Host
 The data link layer process passes the PPP frame to the physical layer process, which delivers it to the physical layer process on the first router, one bit at a time (there is no message at the physical layer, only bits: 10110 ...)

Layer Cooperation on the Source Host
 Recap: adding headers and trailers
   Application:  HTTP msg
   Transport:    TCP-H | HTTP msg
   Internet:     IP-H | TCP-H | HTTP msg
   Data Link:    PPP-H | IP-H | TCP-H | HTTP msg | PPP-T
   Physical:     bits
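The encapsulation recapped above, worked as an added example that is not part of the original slide deck: it wraps a constructed HTTP request in a TCP segment, an IP packet and a PPP frame, then strips the layers again, checking the IP header checksum and the PPP frame check sequence on the way up. The request, ports and addresses are constructed, the TCP checksum is left zero, and PPP byte stuffing is omitted.

```python
"""Encapsulating an HTTP request in TCP, IP and PPP, then unwrapping it again."""
import socket
import struct

# Constructed sample request and addresses (not from a real capture).
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: voyager.cba.hawaii.edu\r\n\r\n"
USER_PC_IP, WEBSERVER_IP = "10.0.0.5", "192.0.2.10"

PPP_FLAG = 0x7E
PPP_PROTO_IPV4 = 0x0021      # PPP protocol field value for IPv4 (RFC 1332)


def ip_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as the IPv4 header uses (RFC 791)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ppp_fcs16(data: bytes) -> int:
    """16-bit frame check sequence of PPP in HDLC-like framing (RFC 1662)."""
    fcs = 0xFFFF
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return (~fcs) & 0xFFFF


def build_tcp_segment(payload, src_port, dst_port, seq, ack):
    """Transport layer: the HTTP message becomes the data field behind a 20-byte TCP-H.
    (The TCP checksum needs a pseudo-header and is left zero here.)"""
    offset_and_flags = (5 << 12) | 0x018          # 5-word header, PSH and ACK set
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                         offset_and_flags, 65535, 0, 0)
    return header + payload


def build_ip_packet(segment, src_ip, dst_ip):
    """Internet layer: prepend IP-H with a correct header checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234,
                         0x4000, 64, socket.IPPROTO_TCP, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:] + segment


def build_ppp_frame(packet):
    """Data link layer: PPP-H (flag, address, control, protocol) ... PPP-T (FCS, flag).
    Byte stuffing of 0x7E/0x7D inside the frame is omitted for brevity."""
    body = struct.pack("!BBH", 0xFF, 0x03, PPP_PROTO_IPV4) + packet
    fcs = struct.pack("<H", ppp_fcs16(body))       # FCS is sent least significant byte first
    return bytes([PPP_FLAG]) + body + fcs + bytes([PPP_FLAG])


def encapsulate(http_request: bytes) -> bytes:
    """Source host, top to bottom: HTTP -> TCP segment -> IP packet -> PPP frame."""
    segment = build_tcp_segment(http_request, 49152, 80, seq=1000, ack=1)
    packet = build_ip_packet(segment, USER_PC_IP, WEBSERVER_IP)
    return build_ppp_frame(packet)


def decapsulate(frame: bytes) -> bytes:
    """Receiving side, bottom to top; each layer checks its own header before
    handing the data field up. Raises ValueError on any damaged header."""
    if len(frame) < 8 or frame[0] != PPP_FLAG or frame[-1] != PPP_FLAG:
        raise ValueError("missing PPP flag")
    body, (fcs,) = frame[1:-3], struct.unpack("<H", frame[-3:-1])
    if ppp_fcs16(body) != fcs:
        raise ValueError("bad PPP FCS")
    _addr, _ctrl, proto = struct.unpack("!BBH", body[:4])
    if proto != PPP_PROTO_IPV4:
        raise ValueError("PPP frame does not carry IPv4")
    packet = body[4:]
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:             # a correct header sums to zero
        raise ValueError("bad IP header checksum")
    (total_len,) = struct.unpack("!H", packet[2:4])
    segment = packet[ihl:total_len]
    data_offset = (struct.unpack("!H", segment[12:14])[0] >> 12) * 4
    return segment[data_offset:]


def overhead_bytes(http_request: bytes) -> int:
    """Bytes of headers and trailers added across the three layers (20 + 20 + 8)."""
    return len(encapsulate(http_request)) - len(http_request)
```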

Protocols
 A protocol is a standard for communication between peer processes, that is, processes at the same layer but on different machines
   - TCP, IP, and PPP all have "protocol" as their final "P"; they are all protocols
   - TCP (Transmission Control Protocol) is the protocol governing communication between transport layer processes on two hosts

Domain Name System (DNS)
 Only IP addresses are official
   - e.g.,
   - These are 32-bit binary numbers
   - Only they fit into the 32-bit destination and source address fields of the IP headers

Domain Name System (DNS)
 Users typically only know host names
   - e.g., voyager.cba.hawaii.edu
   - More easily remembered, but
   - Will not fit into the address fields of an IP packet

Internet and Data Link Layer Addresses
 Each host and router on a subnet needs a data link layer address to specify its address on the subnet
   - This address appears in the data link layer frame sent on a subnet
   - For instance, 48-bit MAC layer frame addresses for LANs

Internet and Data Link Layer Addresses
 Each host and router also needs an IP address at the internet layer to designate its position in the overall Internet

IPv6
 Current version of the Internet Protocol is Version 4 (v4)
   - Earlier versions were not implemented
 The next version will be Version 6 (v6)
   - No v5 was implemented
   - Informally called IPng (Next Generation)
 IPv6 is already defined
   - Continuing improvements in v4 may delay its adoption

IPv6
 IPv6 will raise the size of the internet address from 32 bits to 128 bits
   - Now running out of IP addresses
   - Will solve the problem
   - But current work-arounds are delaying the need for IPv6 addresses

What Makes a Network Vulnerable?
 Anonymity
 Many points of attack (targets and origins)
 Sharing
 Complexity of system
 Unknown perimeter
 Unknown path

Who Attacks Networks
 Hackers break into organizations from the outside
   - Challenge
   - Fame
   - Money and espionage
   - Ideology
 However, most security breaches are internal, by employees and ex-employees

Threat Precursors
 Port scan
 Social engineering
   - Reconnaissance
   - Bulletin board / chat
   - Docs
 Packet sniffers (telnet/ftp in cleartext)

Network Security Threats
 Interception
   - If the interceptor cannot read the message, we have confidentiality (privacy)
   - If the interceptor cannot modify it without detection, we have message integrity

Network Security Threats
 Impostors (spoofing / masquerade)
   - Claim to be someone else
   - Need to authenticate the sender: prove that they are who they claim to be

Network Security Threats
 Remotely log in as root user
   - Requires cracking the root login password
   - Then control the machine
   - Read and/or steal information
   - Damage data (erase hard disk)
   - Create a backdoor user account that will let them in easily later

Security Threats
 Content threats
   - Application layer content may cause problems
 Viruses
 In many ways, the most severe security problem in corporations today
 Must examine application messages

Replay Attack
 First, the attacker intercepts a message
   - Not difficult to do

Replay Attack
 Later, the attacker retransmits (replays) the message to the original destination host
   - Does not have to be able to read a message to replay it

Replay Attack
 Why replay attacks?
   - To gain access to resources by replaying an authentication message
   - In a denial-of-service attack, to confuse the destination host

Thwarting Replay Attacks
 Put a time stamp in each message to ensure that the message is "fresh"
   - Do not accept a message that is too old
 Place a sequence number in each message
   - Do not accept a duplicated message

Thwarting Replay Attacks
 In request-response applications:
   - Sender of the request generates a nonce (random number)
   - Places the nonce in the request
   - Server places the nonce in the response
   - Neither party accepts duplicate nonces
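An added example, not from the slides, that puts the three defences together: a receiver that rejects stale time stamps and replayed sequence numbers, and a requester that accepts a response only if it echoes a nonce the requester issued, once. It assumes a shared HMAC key over each message, without which an attacker could simply refresh the time stamp or sequence number on a captured message; the key, sender name and clock are constructed.

```python
"""Replay defences from the slides: time stamps, sequence numbers and nonces."""
import hashlib
import hmac
import secrets
import time

MAX_AGE_SECONDS = 30          # messages older (or newer) than this are not "fresh"


def message_mac(key: bytes, msg: dict) -> str:
    """HMAC over every field except the MAC itself, in a fixed order. Without this
    an attacker could edit the time stamp or sequence number of a captured
    message, and the freshness checks below would be worthless."""
    canon = "|".join(f"{k}={msg[k]}" for k in sorted(msg) if k != "mac")
    return hmac.new(key, canon.encode(), hashlib.sha256).hexdigest()


def make_message(key: bytes, sender: str, seq: int, body: str, now: float) -> dict:
    """Sender side: stamp the message with time and sequence number, then MAC it."""
    msg = {"sender": sender, "seq": seq, "ts": now, "body": body}
    msg["mac"] = message_mac(key, msg)
    return msg


class Receiver:
    """Accepts each authentic message once, and only while it is fresh."""

    def __init__(self, key: bytes, clock=time.time):
        self.key = key
        self.clock = clock                 # injectable so tests can control time
        self.highest_seq = {}              # sender -> highest sequence number accepted

    def accept(self, msg: dict) -> tuple:
        # 1. Integrity first: the other fields mean nothing if they can be forged.
        if not hmac.compare_digest(message_mac(self.key, msg), msg.get("mac", "")):
            return False, "bad mac"
        # 2. Time stamp: reject anything outside the freshness window.
        if abs(self.clock() - msg["ts"]) > MAX_AGE_SECONDS:
            return False, "stale time stamp"
        # 3. Sequence number: reject duplicates (and anything older than one seen).
        #    Strictly increasing is the simple rule; IPsec refines it with a
        #    sliding window so reordered but unseen packets are not dropped.
        if msg["seq"] <= self.highest_seq.get(msg["sender"], 0):
            return False, "replayed sequence number"
        self.highest_seq[msg["sender"]] = msg["seq"]
        return True, "ok"


class Requester:
    """Request/response side: a response is accepted only if it echoes a nonce
    this requester issued, and each nonce is accepted exactly once."""

    def __init__(self):
        self.pending = set()

    def new_request(self, body: str) -> dict:
        nonce = secrets.token_hex(16)      # 128 random bits, effectively unique
        self.pending.add(nonce)
        return {"nonce": nonce, "body": body}

    def accept_response(self, resp: dict) -> tuple:
        nonce = resp.get("nonce")
        if nonce not in self.pending:
            return False, "unknown or duplicate nonce"
        self.pending.discard(nonce)        # a replayed response will now fail
        return True, "ok"
```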

Network Security Threats
 Denial of Service (DoS) attacks
   - Overload the system with a flood of messages
   - Or, send a single message that crashes the machine

Denial of Service (DoS) Attacks
 Transmission failure
 Connection flooding
   - Echo-Chargen
   - Ping of Death
   - Smurf
   - SYN flood
   - Traffic redirection
   - DNS attacks
 Distributed Denial of Service

VPNs
 IETF developing IPsec security standards
   - IP security
   - At the internet layer
   - Protects all messages at the transport and application layers
   (Diagram: IPsec beneath TCP and UDP, which carry WWW, database, etc.)

VPNs
 IPsec transport mode
   - End-to-end security for hosts
   (Diagram: secure communication between hosts across Local Network, Internet, Local Network)

VPNs
 IPsec tunnel mode
   - IPsec server at each site
   - Secure communication between sites

VPNs
 IPsec modes can be combined
   - End-to-end transport mode connection
   - Within a site-to-site tunnel connection

VPNs
 Another security system for VPNs is the Point-to-Point Tunneling Protocol (PPTP)
   - For dial-up connections, based on PPP
   - Connects a user securely to a remote access server at a site

PKIs
 To use public key methods, an organization must establish a comprehensive Public Key Infrastructure (PKI)
   - A PKI automates most aspects of using public key encryption and authentication
   - Uses a PKI server

PKIs
 PKI server creates public key - private key pairs
   - Distributes private keys to applicants securely
   - Often, private keys are embedded in delivered software

PKIs
 PKI server provides CRL checks
   - Distributes digital certificates to verifiers
   - Checks the certificate revocation list before sending digital certificates

PKIs
 CRL (Certificate Revocation List) checks
   - If an applicant gives a verifier a digital certificate,
   - The verifier must check the certificate revocation list
   (Diagram: verifier asks the PKI server "OK?" and receives "OK" or "Revoked")

Integrated Security System
 When two parties communicate ...
   - Their software usually handles the details
   - First, negotiate security methods
   - Then, authenticate one another
   - Then, exchange a symmetric session key
   - Then they can communicate securely using the symmetric session key and message-by-message authentication

SSL Integrated Security System
 SSL
   - Secure Sockets Layer
   - Developed by Netscape
 TLS (now)
   - Netscape gave the IETF control over SSL
   - IETF renamed it TLS (Transport Layer Security)
   - Usually still called SSL

Location of SSL
 Below the application layer
   - IETF views it at the transport layer
   - Protects all application exchanges
   - Not limited to any single application
 WWW transactions, , etc.

SSL Operation
 Browser and webserver software implement SSL
   - User can be unaware

SSL Operation
 SSL ISS process
   - Two sides negotiate security parameters
   - Webserver authenticates itself
   - Browser may authenticate itself but rarely does
   - Browser selects a symmetric session key and sends it to the webserver
   - Adds a digital signature and encrypts all messages with the symmetric key

Importance of SSL
 Supported by almost all browsers
   - De facto standard for Internet application security
 Problems
   - Relatively weak security
   - Does not involve security on the merchant server
   - Does not validate credit card numbers
   - Viewed as an available but temporary approach to consumer security

Other ISSs
 SSL is merely an example integrated security system
 Many other ISSs exist
   - IPsec
   - PPP and PPTP
   - Etc.

Other ISSs
 All ISSs have the same general steps
   - Negotiate security parameters
   - Authenticate the partners
   - Exchange a session key
   - Communicate with message-by-message privacy, authentication, and message integrity

IPsec
 IPsec (IP security)
 Security for transmission over IP networks
   - The Internet
   - Internal corporate IP networks
   - IP packets sent over public switched data networks (PSDN)

IPsec
 Why do we need IPsec?
   - IP has no security
   - Add security to create a virtual private network (VPN) to give secure communication over the Internet or another IP network

IPsec
 Genesis
   - Being created by the Internet Engineering Task Force
   - For both IP version 4 and IP version 6

IPsec
 Two modes of operation
 Tunnel mode
   - IPsec server at each site
   - Secures messages going through the Internet

IPsec
 Tunnel mode
   - Hosts operate in their usual way
 Tunnel mode IPsec is transparent to the hosts
   - No security within the site networks

IPsec
 Two modes of operation
 Transport mode
   - End-to-end security between the hosts
   - Security within site networks as well
   - Requires hosts to implement IPsec

IPsec
 Transport mode
   - Adds a security header to the IP packet
   - After the main IP header
   - Source and destination addresses of the hosts can be learned by an interceptor
   - Only the original data field is protected
   (Packet layout: Original IP Header | Transport Security Header | Protected Original Data Field)

IPsec
 Tunnel mode
   - Adds a security header before the original IP header
   - Has IP addresses of the source and destination IPsec servers only, not those of the source and destination hosts
   - Protects the main IP header
   (Packet layout: Tunnel Security Header | Protected Original IP Header | Protected Original Data Field)

IPsec
 Can combine the two modes
   - Transport mode for end-to-end security
   - Plus tunnel mode to hide the IP addresses of the source and destination hosts during passage through the Internet
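To make the difference between the two layouts concrete, an added example (not from the slides) builds both around a constructed IP packet and reads back what an interceptor on the Internet can learn from the unprotected outer header. The host and IPsec server addresses, SPI values and session key are constructed, and the keystream stands in for the SA's cipher; this is an illustration of the layouts, not an IPsec implementation.

```python
"""What an interceptor on the Internet sees: IPsec transport mode vs tunnel mode."""
import hashlib
import hmac
import socket
import struct

PROTO_TCP = 6
PROTO_ESP = 50        # "next protocol" value announcing a security header (RFC 4303)


def ip_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero to keep the example short)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def visible_addresses(wire: bytes) -> tuple:
    """Anyone on the path can read the source and destination of the outer header."""
    return socket.inet_ntoa(wire[12:16]), socket.inet_ntoa(wire[16:20])


def security_header(spi: int, seq: int) -> bytes:
    """ESP-style header: Security Parameters Index plus anti-replay sequence number."""
    return struct.pack("!II", spi, seq)


def toy_protect(key: bytes, spi: int, seq: int, data: bytes) -> bytes:
    """Stand-in for the SA's cipher: an HMAC-SHA256 keystream XORed in (symmetric,
    so the same call unprotects). Constructed for the example; not a real ESP transform."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, struct.pack("!IIQ", spi, seq, off), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def transport_mode(packet: bytes, key: bytes, spi: int, seq: int) -> bytes:
    """Keep the hosts' own IP header, insert the security header after it, and
    protect only the original data field. The host addresses stay readable."""
    ihl = (packet[0] & 0x0F) * 4
    src, dst = visible_addresses(packet)
    protected = toy_protect(key, spi, seq, packet[ihl:])
    return (ip_header(src, dst, PROTO_ESP, 8 + len(protected))
            + security_header(spi, seq) + protected)


def tunnel_mode(packet: bytes, key: bytes, spi: int, seq: int,
                server_src: str, server_dst: str) -> bytes:
    """The whole original packet, its IP header included, becomes the protected data
    field; the new outer header names only the two IPsec servers."""
    protected = toy_protect(key, spi, seq, packet)
    return (ip_header(server_src, server_dst, PROTO_ESP, 8 + len(protected))
            + security_header(spi, seq) + protected)


def unprotect_tunnel(wire: bytes, key: bytes) -> bytes:
    """Receiving IPsec server: strip the outer header and recover the original packet."""
    spi, seq = struct.unpack("!II", wire[20:28])
    return toy_protect(key, spi, seq, wire[28:])


def unprotect_transport(wire: bytes, key: bytes) -> bytes:
    """Receiving host: recover the data field; assumes the inner protocol was TCP
    (real ESP carries the next-header value in its trailer)."""
    spi, seq = struct.unpack("!II", wire[20:28])
    src, dst = visible_addresses(wire)
    data = toy_protect(key, spi, seq, wire[28:])
    return ip_header(src, dst, PROTO_TCP, len(data)) + data


# Constructed sample: a TCP segment between two hosts at two sites.
SEGMENT = b"constructed TCP segment: GET /secret HTTP/1.1"
HOST_PACKET = ip_header("10.1.0.7", "10.2.0.9", PROTO_TCP, len(SEGMENT)) + SEGMENT
SESSION_KEY = b"constructed SA session key"
SERVER_A, SERVER_B = "198.51.100.1", "203.0.113.1"      # constructed IPsec server addresses


def what_interceptor_sees() -> dict:
    """Addresses readable from each layout, and whether the data field is exposed."""
    t = transport_mode(HOST_PACKET, SESSION_KEY, 0x1001, 1)
    u = tunnel_mode(HOST_PACKET, SESSION_KEY, 0x2002, 1, SERVER_A, SERVER_B)
    return {
        "transport": visible_addresses(t), "transport_exposes_data": SEGMENT in t,
        "tunnel": visible_addresses(u), "tunnel_exposes_data": SEGMENT in u,
    }
```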

IPsec  Two forms of protection  Encapsulating Security Protocol (ESP) security provides confidentiality as well as authentication  Authentication Header (AH) security provides authentication but not confidentiality Useful where encryption is forbidden by lawUseful where encryption is forbidden by law Provides slightly better authentication by providing authentication over a slightly larger part of the message, but this is rarely decisiveProvides slightly better authentication by providing authentication over a slightly larger part of the message, but this is rarely decisive

IPsec  Modes and protection methods can be applied in any combination Tunnel Mode Transport Mode ESPSupportedSupported AHSupportedSupported

IPsec  Security Associations (SAs) are agreements between two hosts or two IPsec servers, depending on the mode  “Contracts” for how security will be performed  Negotiated  Governs subsequent transmissions Host AHost B Negotiate Security Association

IPsec  Security Associations (SAs) can be asymmetrical Different strengths in the two directionsDifferent strengths in the two directions For instance, clients and servers may have different security needsFor instance, clients and servers may have different security needs Host AHost B SA for messages From A to B SA for messages From B to A

IPsec Policies may limit what SAs can be negotiated To ensure that adequately strong SAs for the organization’s threatsTo ensure that adequately strong SAs for the organization’s threats Gives uniformity to negotiation decisionsGives uniformity to negotiation decisions Host AHost B Security Association Negotiations Limited By Policies

IPsec  First, two parties negotiate IKE (Internet Key Exchange) Security Associations IKE is not IPsec-specificIKE is not IPsec-specific Can be used in other security protocolsCan be used in other security protocols Host AHost B Communication Governed by IKE SA

IPsec  Under the protection of communication governed by this IKE SA, negotiate IPsec-specific security associations Host AHost B Communication Governed by IKE SA IPsec SA Negotiation

IPsec  Process of Creating IKE SAs (and other SAs) Negotiate security parameters within policy limitationsNegotiate security parameters within policy limitations Authenticate the parties using SA-agreed methodsAuthenticate the parties using SA-agreed methods Exchange a symmetric session key using SA-agreed methodExchange a symmetric session key using SA-agreed method Communicate securely with confidentiality, message-by-message authentication, and message integrity using SA-agreed methodCommunicate securely with confidentiality, message-by-message authentication, and message integrity using SA-agreed method

IPsec  IPsec has mandatory security algorithms Uses them as defaults if no other algorithm is negotiatedUses them as defaults if no other algorithm is negotiated Other algorithms may be negotiatedOther algorithms may be negotiated But these mandatory algorithms MUST be supportedBut these mandatory algorithms MUST be supported

IPsec  Diffie-Hellman Key Agreement To agree upon a symmetric session key to be used for confidentiality during this sessionTo agree upon a symmetric session key to be used for confidentiality during this session Also does authenticationAlso does authentication Party AParty B

IPsec  Diffie-Hellman Key Agreement Each party sends the other a nonce (random number)Each party sends the other a nonce (random number) The nonces will almost certainly be differentThe nonces will almost certainly be different Nonces are not sent confidentiallyNonces are not sent confidentially Party AParty B Nonce B Nonce A

IPsec  Diffie-Hellman Key Agreement From the different nonces, each party will be able to compute the same symmetric session key for subsequent useFrom the different nonces, each party will be able to compute the same symmetric session key for subsequent use No exchange of the key; instead, agreement on the keyNo exchange of the key; instead, agreement on the key Party AParty B Symmetric Key From nonces, independently compute same symmetric session key

Kerberos  Kerberos was a 3-headed dog in Greek mythology Guarded the gates of the deadGuarded the gates of the dead Decided who might enterDecided who might enter Talk about strong security!Talk about strong security!

Kerberos  Three Parties are Present Kerberos serverKerberos server Applicant hostApplicant host Verifier hostVerifier host Verifier Kerberos Server Applicant

Kerberos  Kerberos Server shares a symmetric key with each host Key shared with the Applicant will be called Key AS (Applicant-Server)Key shared with the Applicant will be called Key AS (Applicant-Server) Key shared with verifier will be Key VSKey shared with verifier will be Key VS Applicant Verifier Kerberos Server Key ASKey VS

Kerberos  Applicant sends message to Kerberos server Logs in and asks for ticket-granting ticket (TGT)Logs in and asks for ticket-granting ticket (TGT)  Authenticates the applicant to the server Server sends back ticket-granting ticketServer sends back ticket-granting ticket TGT allows applicant to request connectionsTGT allows applicant to request connections Applicant Kerberos Server TGT RQ TGT

Kerberos  To connect to the verifier  Applicant asks Kerberos server for credentials to introduce the applicant to the verifier  Request includes the Ticket- Granting Tickets Applicant Kerberos Server Credentials RQ

Kerberos  Kerberos server sends the credentials Credential include the session Key AV that applicant and verifier will use for secure communicationCredential include the session Key AV that applicant and verifier will use for secure communication Encrypted with Key AS so that interceptors cannot read itEncrypted with Key AS so that interceptors cannot read it Applicant Kerberos Server Credentials= Session Key AV Service Ticket

Kerberos  Kerberos server sends the credentials Credential also include the Service Ticket, which is encrypted with Key VS; Applicant cannot read or change itCredential also include the Service Ticket, which is encrypted with Key VS; Applicant cannot read or change it Applicant Kerberos Server Credentials= Session Key AV, Service Ticket

Kerberos  Applicant sends the Service Ticket plus a Authenticator to the Verifier Service ticket contains the symmetric session key (Key AV)Service ticket contains the symmetric session key (Key AV) Now both parties have Key AV and so can communicate with confidentialityNow both parties have Key AV and so can communicate with confidentiality ApplicantVerifier Service Ticket (Contains Key AV) + Authenticator

Kerberos  Applicant sends the Service Ticket plus a Authenticator to the Verifier Authenticator contains information encrypted with Key AVAuthenticator contains information encrypted with Key AV  Guarantees that the service ticket came from the applicant, which alone knows Key AV  Service ticket has a time stamp to prevent replay Service Ticket (Contains Key AV) + Authenticator

Kerberos  Subsequent communication between the applicant and verifier uses the symmetric session key (Key AV) for confidentiality ApplicantVerifier Communication Encrypted with Key AV

Kerberos  The Service Ticket can contain more than Key AV  If the applicant is a client and the verifier is a server, service ticket may contain Verifier’s user name and passwordVerifier’s user name and password List of rights to files and directories on the serverList of rights to files and directories on the server Verifier

Kerberos  Is the basis for security in Microsoft Windows 2000  Only uses symmetric key encryption for reduced processing cost

Firewalls  Firewall sits between the corporate network and the Internet Prevents unauthorized access from the InternetPrevents unauthorized access from the Internet Facilitates internal users’ access to the InternetFacilitates internal users’ access to the Internet OK No Firewall Access only if Authenticated

Firewalls  Packet Filter Firewalls Examine each incoming IP packetExamine each incoming IP packet Examine IP and TCP header fieldsExamine IP and TCP header fields If bad behavior is detected, reject the packetIf bad behavior is detected, reject the packet No sense of previous communication: analyzes each packet in isolationNo sense of previous communication: analyzes each packet in isolation IP Firewall IP Packet

Firewalls  Application (Proxy) Firewalls Filter based on application behaviorFilter based on application behavior Do not examine packets in isolation: use historyDo not examine packets in isolation: use history  In HTTP, for example, do not accept a response unless an HTTP request has just gone out to that site Application

Firewalls  Application (Proxy) Firewalls Hide internal internet addressesHide internal internet addresses Internal user sends an HTTP requestInternal user sends an HTTP request HTTP proxy program replaces user internet address with proxy server’s IP address, sends to the webserverHTTP proxy program replaces user internet address with proxy server’s IP address, sends to the webserver HTTP Request Request with Proxy Server’s IP Address

Firewalls  Application (Proxy) Firewalls Webserver sends response to proxy server, to proxy server IP addressWebserver sends response to proxy server, to proxy server IP address HTTP proxy server sends the IP packet to the originating hostHTTP proxy server sends the IP packet to the originating host Overall, proxy program acts on behalf of the internal userOverall, proxy program acts on behalf of the internal user Response to Proxy Server’s IP Address HTTP Response

Firewalls  Why Hide Internal IP Addresses? The first step in an attack usually is to find potential victim hostsThe first step in an attack usually is to find potential victim hosts Sniffer programs read IP packet streams for IP addresses of potential target hostsSniffer programs read IP packet streams for IP addresses of potential target hosts With proxy server, sniffers will not learn IP addresses of internal hostsWith proxy server, sniffers will not learn IP addresses of internal hosts False IP Address Host IP Address Sniffer

Firewalls  Application Firewalls Need a separate program (proxy) for each applicationNeed a separate program (proxy) for each application Not all applications have rules that allow filteringNot all applications have rules that allow filtering

Intrusion Detection  Intrusion detection software to detect and report intrusions as they are occurring Lets organization stop intruders so that intruders do not have unlimited time to probe for weaknessesLets organization stop intruders so that intruders do not have unlimited time to probe for weaknesses Helps organization assess security threatsHelps organization assess security threats Audit logs list where intruder has been: vital in legal prosecutionAudit logs list where intruder has been: vital in legal prosecution

Intrusion Detection  Signature-based IDS – performs simple pattern-matching and report situtations that match a pattern corresponding to a known attack type  Heuristic IDS (anomaly based) – build model of acceptable behavior and flag exceptions to that model

Intrusion Detection  Network-based IDS – stand-alone device attached to the network to monitor traffic throughout network  Host-based IDS – runs on a single workstation or client or host, to protect that one host

Default-Deny Posture
 Perimeter Settings: block all protocols except those expressly permitted [e.g. SMTP (25), DNS (53), HTTP (80), SSL (443), …]
 Internal Settings: block all unnecessary traffic between internal network segments, remote & VPN connections
 Security Configurations: harden servers & workstations to run only necessary services and applications
 Segment Networks
 Patch Management
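Added example (not from the slides): a stateless packet filter implementing the default-deny perimeter above, beside the history-based HTTP check from the proxy firewall slides. All packets and the "10." internal address range are constructed; the sample shows that the stateless filter cannot admit a legitimate HTTP response without opening the high ports, while the proxy admits only responses it asked for.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:              # only the header fields a packet filter inspects
    direction: str         # "in" from the Internet, "out" from the corporate network
    src: str
    dst: str
    proto: str             # "tcp" or "udp"
    sport: int
    dport: int

# Default-deny perimeter from the slide: only expressly permitted services may be
# reached from the Internet; anything not listed is dropped.
INTERNAL_PREFIX = "10."    # constructed stand-in for the corporate address range
PERMITTED_INBOUND = {("tcp", 25), ("udp", 53), ("tcp", 53), ("tcp", 80), ("tcp", 443)}

def packet_filter(pkt):
    """Stateless decision: every packet is judged on its own headers alone."""
    if pkt.direction == "out":
        return "allow"     # facilitate internal users' access to the Internet
    if pkt.src.startswith(INTERNAL_PREFIX):
        return "deny"      # bad behavior: Internet packet claiming an internal source
    return "allow" if (pkt.proto, pkt.dport) in PERMITTED_INBOUND else "deny"

class HttpProxyFilter:
    """Uses history: accept an inbound HTTP response only if a request just went out."""
    def __init__(self):
        self.pending = set()   # (internal host, web server) pairs awaiting a response
    def decide(self, pkt):
        if pkt.direction == "out" and pkt.proto == "tcp" and pkt.dport == 80:
            self.pending.add((pkt.src, pkt.dst))
            return "allow"
        if pkt.direction == "in" and pkt.proto == "tcp" and pkt.sport == 80:
            if (pkt.dst, pkt.src) in self.pending:
                self.pending.discard((pkt.dst, pkt.src))
                return "allow"
            return "deny"  # a response nobody asked for
        return packet_filter(pkt)   # everything else: the default-deny rules

REQUEST = Packet("out", "10.0.0.5", "203.0.113.10", "tcp", 51000, 80)   # constructed traffic
RESPONSE = Packet("in", "203.0.113.10", "10.0.0.5", "tcp", 80, 51000)
TELNET = Packet("in", "198.51.100.7", "10.0.0.9", "tcp", 40000, 23)
SMTP = Packet("in", "198.51.100.7", "10.0.0.9", "tcp", 40001, 25)

def demo():
    proxy = HttpProxyFilter()
    return {"stateless_response": packet_filter(RESPONSE),   # dport 51000 is not permitted
            "proxy_solicited": (proxy.decide(REQUEST), proxy.decide(RESPONSE)),
            "proxy_unsolicited": proxy.decide(RESPONSE),    # no request pending any more
            "telnet": packet_filter(TELNET), "smtp": packet_filter(SMTP)}
```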

Secure  Message interception (confidentiality)  Message interception (blocked delivery)  Message interception and subsequent replay  Message content modification  Message origin modification  Message content forgery by outsider  Message origin forgery by outsider  Message content forgery by recipient  Message origin forgery by recipient  Denial of message transmission

Requirements and Solutions  Message confidentiality  Message integrity  Sender authenticity  nonrepudiation

Examples of Secure Systems  PGP (Pretty Good Privacy) – uses public key ring; confidentiality, integrity  S/MIME (Secure Multipurpose Internet Mail Extensions) – uses certificates

Multi-Layer Security  Security Can be Applied at Multiple Layers Simultaneously Application layer security for database, , etc.Application layer security for database, , etc. Transport layer: SSLTransport layer: SSL Internet layer: IPsecInternet layer: IPsec Data link layer: PPTP, L2TPData link layer: PPTP, L2TP Physical layer: locksPhysical layer: locks

Multi-Layer Security  Applying security at 2 or more layers is good If security is broken at one layer, the communication will still be secureIf security is broken at one layer, the communication will still be secure  However, Security slows down processingSecurity slows down processing Multi-Layer security slows down processing at each layerMulti-Layer security slows down processing at each layer

Total Security  Network Security is Only Part  Server Security Hackers can take down servers with denial-of-service attackHackers can take down servers with denial-of-service attack Hacker can log in as root user and take over the serverHacker can log in as root user and take over the server Steal data, lock out legitimate users, etc.Steal data, lock out legitimate users, etc.

Total Security  Server Security Occasionally, weakness are discovered in server operating systemsOccasionally, weakness are discovered in server operating systems This knowledge is quickly disseminatedThis knowledge is quickly disseminated Known security weaknessesKnown security weaknesses

Total Security  Server Security Server operating system (SOS) vendors create patchesServer operating system (SOS) vendors create patches Many firms do not download patchesMany firms do not download patches This makes them vulnerable to hackers, who quickly develop tools to probe for and then exploit known weaknessesThis makes them vulnerable to hackers, who quickly develop tools to probe for and then exploit known weaknesses

Total Security  Client PC Security Known security weaknesses exist but patches are rarely downloadedKnown security weaknesses exist but patches are rarely downloaded Users often have no passwords or weak passwords on their computerUsers often have no passwords or weak passwords on their computer Adversaries take over client PCs and can therefore take over control over SSL, other secure communication protocolsAdversaries take over client PCs and can therefore take over control over SSL, other secure communication protocols

Total Security  Application Software May contain virusesMay contain viruses  Must filter incoming messages Database and other applications can add their own security with passwords and other protectionsDatabase and other applications can add their own security with passwords and other protections

Total Security  Managing Users Often violate security procedures, making technical security worthlessOften violate security procedures, making technical security worthless Social engineering: attacker tricks user into violating security proceduresSocial engineering: attacker tricks user into violating security procedures

Defense in Depth  Firewalls  Antivirus  Intrusion Detection Systems  Intrusion Protection Systems