IPsec encompasses three functional areas:
- Authentication: assures that a received packet was, in fact, transmitted by the party identified as the source in the packet header, and that the packet has not been altered in transit
- Confidentiality: enables communicating nodes to encrypt messages to prevent eavesdropping by third parties
- Key management: concerned with the secure exchange of keys; provided by the Internet Key Exchange standard, IKEv2
Authentication and confidentiality are provided using a protocol known as the Encapsulating Security Payload (ESP). The current version of IPsec is IPsecv3.

ESP supports two modes of use:
- Transport mode
  - Provides protection primarily for upper-layer protocols
  - Encrypts and optionally authenticates the IP payload but not the IP header
- Tunnel mode
  - Provides protection for the entire IP packet
  - After the ESP fields are added, the entire packet plus security fields is treated as the payload of a new "outer" IP packet with a new outer IP header
  - The entire original, or inner, packet travels through a "tunnel" from one point of an IP network to another; no routers along the way are able to examine the inner IP header
  - The new, larger packet may have totally different source and destination addresses, adding to the security
  - Used when at least one of the two ends is a security gateway, such as a firewall or router that implements IPsec

Key management involves the determination and distribution of secret keys. The IPsec Architecture document mandates support for two types of key management:
- Manual: a system administrator manually configures each system with its own keys and with the keys of other communicating systems; practical for small, relatively static environments
- Automated: enables the on-demand creation of keys and facilitates the use of keys in a large distributed system with an evolving configuration; the most flexible approach, but it requires more effort to configure and more software

IPsec and VPNs:
- The driving force is the need for business and government users to connect their private WAN/LAN infrastructure in a secure manner to the Internet
- With IPsec, managers have a standardized means of implementing security for VPNs
- Because IPsec can be implemented in routers or firewalls owned and operated by the organization, the network manager has complete control over the security aspects of the VPN

SSL architecture:
- The SSL Record Protocol provides basic security services to various higher-layer protocols
- The Hypertext Transfer Protocol (HTTP), which provides the transfer service for Web client/server interaction, can operate on top of SSL
- Three higher-layer protocols are defined as part of SSL: the Handshake Protocol, the Change Cipher Spec Protocol, and the Alert Protocol

SSL distinguishes two related concepts:
- Connection
  - A transport (in the OSI layering model definition) that provides a suitable type of service
  - Connections are peer-to-peer relationships
  - Transient: every connection is associated with one session
- Session
  - An association between a client and a server
  - Created by the Handshake Protocol
  - Defines a set of cryptographic security parameters, which can be shared among multiple connections
  - Used to avoid the expensive negotiation of new security parameters for each connection

The Handshake Protocol:
- The most complex part of SSL
- Allows the server and client to authenticate each other and to negotiate an encryption and MAC algorithm and the cryptographic keys to be used to protect data sent in an SSL record
- Used before any application data are transmitted

The handshake proceeds in four phases:
- Phase 1: used to initiate a logical connection and to establish the security capabilities that will be associated with it
- Phase 2: details depend on the underlying public-key encryption scheme that is used; in some cases, the server passes a certificate to the client and a request for a certificate from the client
- Phase 3: the client sends one or more messages back to the server after verifying the certificate
- Phase 4: completes the setting up of a secure connection by signaling to both parties that the exchange has been successful

Wi-Fi Protected Access (WPA) is a Wi-Fi standard: a set of security mechanisms that eliminates most 802.11 security issues and was based on the current state of the IEEE 802.11i standard. IEEE 802.11i addresses three main security areas:
- Authentication
- Key management
- Data transfer privacy

The services provided are:
- Authentication: a protocol is used to define an exchange between a user and an AS (authentication server) that provides mutual authentication and generates temporary keys to be used between the client and the AP (access point) over the wireless link
- Access control: a function that enforces the use of the authentication function, routes the messages properly, and facilitates key exchange; it can work with a variety of authentication protocols
- Privacy with message integrity: MAC-level data are encrypted, along with a message integrity code that ensures that the data have not been altered

Two definitions:
- Security intrusion: a security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so
- Intrusion detection: a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner

Two types of IDS:
- Host-based IDS: monitors the characteristics of a single host and the events occurring within that host for suspicious activity
- Network-based IDS: monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity

Logical components of an IDS:
- Sensors: responsible for collecting data; types of input include network packets, log files, and system call traces
- Analyzers: receive input from one or more sensors or from other analyzers; responsible for determining if an intrusion has occurred
- User interface: enables a user to view output from the system or control the behavior of the system; in some systems the user interface may equate to a manager, director, or console component

Basic principles of intrusion detection:
- If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised
- An effective IDS can serve as a deterrent, thus acting to prevent intrusions
- Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen intrusion prevention measures

Host-based IDSs:
- Add a specialized layer of security software to vulnerable or sensitive systems
- Monitor activity on the system in a variety of ways to detect suspicious behavior
- Primary purpose is to detect intrusions, log suspicious events, and send alerts
- Primary benefit is that they can detect both external and internal intrusions

Host-based intrusion detection techniques:
- Anomaly detection
  - Involves the collection of data relating to the behavior of legitimate users over a period of time
  - Two approaches to statistical anomaly detection:
    - Threshold detection: involves defining a threshold, independent of user, for the frequency of occurrence of various events
    - Profile based: a profile of the activity of each user is developed and used to detect changes in the behavior of individual accounts
- Signature detection
  - Involves an attempt to define a set of rules or attack patterns that can be used to decide that a given behavior is that of an intruder
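The three host-based techniques above, run over a small constructed audit trail, as an added example that is not part of the original slides: a user-independent threshold on failed logins, per-user activity profiles built from a baseline period, and a regex signature matched against observed commands. The user names, event records and the single signature pattern are all constructed for illustration.

```python
import re
import statistics
from collections import Counter, defaultdict

# Constructed baseline of legitimate use (user, day, files read that day); the
# profile-based detector learns each user's normal range from these records.
BASELINE = [
    ("alice", 1, 20), ("alice", 2, 24), ("alice", 3, 22), ("alice", 4, 21),
    ("bob", 1, 5), ("bob", 2, 7), ("bob", 3, 6), ("bob", 4, 4),
]
# Constructed observation window of audit events: (user, event, detail).
EVENTS = [
    ("alice", "login_fail", ""), ("alice", "login_ok", ""),
    ("bob", "login_fail", ""), ("bob", "login_fail", ""), ("bob", "login_fail", ""),
    ("bob", "login_fail", ""), ("bob", "login_fail", ""), ("bob", "login_fail", ""),
    ("bob", "login_ok", ""),
    ("bob", "cmd", "cat /etc/shadow"),
    ("alice", "cmd", "ls -l /home/alice"),
]
FILES_READ_TODAY = {"alice": 23, "bob": 95}  # constructed activity for the same day

def threshold_detection(events, max_failures=5):
    """Threshold detection: one limit on event frequency, independent of user."""
    failures = Counter(user for user, event, _ in events if event == "login_fail")
    return sorted(user for user, n in failures.items() if n > max_failures)

def build_profiles(baseline):
    """Profile-based detection, step 1: per-user mean and standard deviation."""
    per_user = defaultdict(list)
    for user, _day, n in baseline:
        per_user[user].append(n)
    return {u: (statistics.mean(v), statistics.stdev(v)) for u, v in per_user.items()}

def profile_detection(profiles, today, z=3.0):
    """Profile-based detection, step 2: flag accounts that stray from their own profile."""
    flagged = []
    for user, n in today.items():
        mean, sd = profiles[user]
        if abs(n - mean) > z * max(sd, 1.0):  # floor on sd avoids flagging tiny jitter
            flagged.append(user)
    return sorted(flagged)

# Signature detection: attack patterns (constructed) matched against observed commands.
SIGNATURES = {
    "shadow-file-read": re.compile(r"\b(cat|less|more)\s+/etc/shadow\b"),
}

def signature_detection(events):
    """Return (user, signature name) for every command that matches a known pattern."""
    hits = []
    for user, event, detail in events:
        if event != "cmd":
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(detail):
                hits.append((user, name))
    return hits
```

Note that only the profile-based detector catches bob's file-reading spike: 95 reads is far outside his own baseline but would look ordinary against a single threshold sized for alice.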

Firewall characteristics:
- Typically inserted between the premises network and the Internet to establish a controlled link and to erect an outer security wall or perimeter
- Provide an additional layer of defense, insulating the internal systems from external networks
- Design goals for a firewall:
  - All traffic from inside to outside, and vice versa, must pass through the firewall
  - Only authorized traffic, as defined by the local security policy, will be allowed to pass
  - The firewall itself is immune to penetration

Techniques a firewall uses to control access and enforce the local security policy:
- Service control: determines the types of Internet services that can be accessed, inbound or outbound
- Direction control: determines the direction in which particular service requests may be initiated and allowed to flow through the firewall
- User control: controls access to a service according to which user is attempting to access it
- Behavior control: controls how particular services are used
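Service control and direction control in a minimal stateful packet filter, as an added example that is not from the slides: the rule table lists which side may initiate which service (and, for SMTP, to which host), replies are admitted only for flows opened in a permitted direction, and everything else falls to default deny. The 10.0.0.0/8 premises network, the mail server address and the rule table are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed premises network and policy for illustration; not from the page.
INSIDE = ip_network("10.0.0.0/8")   # everything behind the firewall
MAIL_SERVER = "10.0.0.25"           # the one inside host allowed to receive SMTP

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    syn: bool   # True for the packet that opens a new TCP connection

# Which side may *initiate* which service: (direction, protocol, dest port, dest host or None).
# Service control is the port list; direction control is the "in"/"out" column.
ALLOW_INITIATE = [
    ("out", "tcp", 443, None),       # inside users may open HTTPS to anywhere outside
    ("out", "tcp", 80, None),
    ("in", "tcp", 25, MAIL_SERVER),  # outside may open SMTP, but only to the mail server
]

def direction(pkt):
    src_in = ip_address(pkt.src) in INSIDE
    dst_in = ip_address(pkt.dst) in INSIDE
    if src_in and not dst_in:
        return "out"
    if dst_in and not src_in:
        return "in"
    return "none"   # does not cross the perimeter, so the firewall will not forward it

def flow_key(pkt):
    # Symmetric key, so a reply maps to the flow that its request opened.
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

def filter_packet(pkt, established):
    """Return "allow" or "deny"; established is the set of flows already admitted."""
    d = direction(pkt)
    if d == "none":
        return "deny"
    if not pkt.syn:
        # Reply traffic is admitted only for a flow opened in a permitted direction.
        return "allow" if flow_key(pkt) in established else "deny"
    for rule_dir, proto, port, host in ALLOW_INITIATE:
        if (rule_dir, proto, port) == (d, pkt.proto, pkt.dport) and host in (None, pkt.dst):
            established.add(flow_key(pkt))
            return "allow"
    return "deny"   # default deny: only policy-authorized traffic passes
```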

Capabilities within the scope of a firewall:
- Defines a single choke point that:
  - Keeps unauthorized users out of the protected network
  - Prohibits potentially vulnerable services from entering or leaving the network
  - Provides protection from various kinds of IP spoofing and routing attacks
- Provides a location for monitoring security-related events
- Is a convenient platform for several Internet functions that are not security related
- Can serve as the platform for IPsec
Limitations:
- Cannot protect against attacks that bypass the firewall
- May not protect fully against internal threats
- An improperly secured WLAN may be accessed from outside the organization
- A laptop, tablet, or portable storage device may be used and infected outside the corporate network, and then attached and used internally

Weaknesses of packet filter firewalls:
- They cannot prevent attacks that employ application-specific vulnerabilities or functions
- The logging functionality present in packet filter firewalls is limited
- Most do not support advanced user authentication schemes
- They are generally vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack
- They are susceptible to security breaches caused by improper configurations

Antivirus approaches:
- Prevention: the ideal solution to the threat of viruses; do not allow a virus to get into the system in the first place
- Detection: once the infection has occurred, determine that it has occurred and locate the virus
- Identification: once detection has been achieved, identify the specific virus that has infected a program
- Removal: remove all traces of the virus from the infected program and restore it to its original state; remove the virus from all infected systems so that the disease cannot spread further

Behavior-blocking software:
- Integrates with the operating system of a host computer and monitors program behavior in real time for malicious actions
- Blocks potentially malicious actions before they have a chance to affect the system
- Monitored behaviors can include:
  - Attempts to open, view, delete, and/or modify files
  - Attempts to format disk drives and other unrecoverable disk operations
  - Modifications to the logic of executable files or macros
  - Modification of critical system settings
  - Scripting of e-mail and instant messaging clients to send executable content
  - Initiation of network communications

Worm countermeasures:
- Once a worm is resident on a machine, antivirus software can be used to detect it
- Worm propagation generates considerable network activity, so network activity and usage monitoring can form the basis of a worm defense
- Administrators typically need to use multiple approaches in defending against worm attacks
- Worm countermeasures focus either on identifying suspected worm content or on identifying traffic patterns that appear to conform to worm behavior

Requirements for an effective worm countermeasure scheme:
- Generality: should be able to handle a wide variety of worm attacks, including polymorphic worms
- Timeliness: should respond quickly so as to limit the number of infected systems and the number of generated transmissions from infected systems
- Resiliency: should be resistant to evasion techniques employed by attackers to evade worm countermeasures
- Minimal denial-of-service costs: in an attempt to contain worm propagation, the countermeasure should not significantly disrupt normal operation
- Transparency: should not require modification to existing (legacy) OSs, application software, and hardware
- Global and local coverage: should be able to deal with attack sources both from outside and inside the enterprise network

Bot countermeasures:
- A number of the countermeasures previously discussed make sense against bots (IDSs, behavior-blocking software)
- Once bots are activated and an attack is under way, these countermeasures can be used to detect the attack
- The primary objective is to try to detect and disable the botnet during its construction phase

Chapter 19: Computer and Network Security Techniques
Outline:
- VPNs and IPsec
  - IPsec functions
  - Transport and tunnel modes
  - Key management
  - IPsec and VPNs
- SSL and TLS
  - SSL architecture
  - SSL record protocol
  - Handshake protocol
- Wi-Fi protected access
  - Access control
- Intrusion detection
  - Basic principles
  - Host-based intrusion detection techniques
- Firewalls
  - Characteristics
  - Types
- Malware defense
  - Antivirus approaches
  - Worm countermeasures
  - Bot countermeasures