Presentation is loading. Please wait.

Presentation is loading. Please wait.

Review and Announcement

Published byJarno Salo Modified over 5 years ago

Similar presentations

Presentation on theme: "Review and Announcement"— Presentation transcript:

1 Review and Announcement
Ethernet Ethernet CSMA/CD algorithm Hubs, bridges, and switches Hub: physical layer Can’t interconnect 10BaseT & 100BaseT Bridges and switches: data link layers Wireless links and LANs a, b, g. All use CSMA/CA for multiple access Homework 4 due tonight so that TA can discuss it in recitation tomorrow Final review in Thu. Class Final 3/18 (Th) 12:00-1:30pm

2 Network Security Overview
What is network security? Principles of cryptography Authentication Access control: firewalls Attacks and counter measures Part of the final

3 What is network security?
Confidentiality: only sender, intended receiver should “understand” message contents sender encrypts message receiver decrypts message Authentication: sender, receiver want to confirm identity of each other Message Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection Access and Availability: services must be accessible and available to users

4 Friends and enemies: Alice, Bob, Trudy
well-known in network security world Bob, Alice (lovers!) want to communicate “securely” Trudy (intruder) may intercept, delete, add messages Alice Bob channel data, control messages secure sender secure receiver data data Trudy

5 Who might Bob, Alice be? … well, real-life Bobs and Alices!
Web browser/server for electronic transactions (e.g., on-line purchases) on-line banking client/server DNS servers routers exchanging routing table updates other examples?

6 There are bad guys (and girls) out there!
Q: What can a “bad guy” do? A: a lot! eavesdrop: intercept messages actively insert messages into connection impersonation: can fake (spoof) source address in packet (or any field in packet) hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place denial of service: prevent service from being used by others (e.g., by overloading resources) more on this later ……

7 Overview What is network security? Principles of cryptography
Authentication Access control: firewalls Attacks and counter measures

8 The language of cryptography
Alice’s encryption key Bob’s decryption key K A K B encryption algorithm plaintext ciphertext decryption algorithm plaintext symmetric key crypto: sender, receiver keys identical public-key crypto: encryption key public, decryption key secret (private)

9 Symmetric key cryptography
substitution cipher: substituting one thing for another monoalphabetic cipher: substitute one letter for another plaintext: abcdefghijklmnopqrstuvwxyz ciphertext: mnbvcxzasdfghjklpoiuytrewq E.g.: Plaintext: bob. i love you. alice ciphertext: nkn. s gktc wky. mgsbc

10 Public Key Cryptography
radically different approach sender, receiver do not share secret key public encryption key known to all private decryption key known only to receiver symmetric key crypto requires sender, receiver know shared secret key Q: how to agree on key in first place (particularly if never “met”)?

11 Public key cryptography
+ Bob’s public key K B - Bob’s private key K B plaintext message, m encryption algorithm ciphertext decryption algorithm plaintext message K (m) B + m = K (K (m)) B + -

12 Public key encryption algorithms
Requirements: . . + - 1 need K ( ) and K ( ) such that B B K (K (m)) = m B - + + 2 given public key K , it should be impossible to compute private key K B - B RSA: Rivest, Shamir, Adelson algorithm

13 Overview What is network security? Principles of cryptography
Authentication Access control: firewalls Attacks and counter measures

14 Protocol ap1.0: Alice says “I am Alice”
Authentication Goal: Bob wants Alice to “prove” her identity to him Protocol ap1.0: Alice says “I am Alice” “I am Alice” Failure scenario??

15 Authentication Goal: Bob wants Alice to “prove” her identity to him
Protocol ap1.0: Alice says “I am Alice” in a network, Bob can not “see” Alice, so Trudy simply declares herself to be Alice “I am Alice”

16 Authentication: another try
Protocol ap2.0: Alice says “I am Alice” in an IP packet containing her source IP address “I am Alice” Alice’s IP address Failure scenario??

17 Authentication: another try
Protocol ap2.0: Alice says “I am Alice” in an IP packet containing her source IP address Trudy can create a packet “spoofing” Alice’s address “I am Alice” Alice’s IP address

18 Authentication: another try
Protocol ap3.0: Alice says “I am Alice” and sends her secret password to “prove” it. “I’m Alice” Alice’s IP addr password Failure scenario?? OK Alice’s IP addr

19 Authentication: another try
Protocol ap3.0: Alice says “I am Alice” and sends her secret password to “prove” it. Alice’s IP addr Alice’s password “I’m Alice” playback attack: Trudy records Alice’s packet and later plays it back to Bob OK Alice’s IP addr “I’m Alice” Alice’s IP addr password

20 Authentication: yet another try
Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it. “I’m Alice” Alice’s IP addr encrypted password Failure scenario?? OK Alice’s IP addr

21 Authentication: another try
Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it. Alice’s IP addr encryppted password “I’m Alice” record and playback still works! OK Alice’s IP addr “I’m Alice” Alice’s IP addr encrypted password

22 Authentication: yet another try
Goal: avoid playback attack Nonce: number (R) used only once –in-a-lifetime ap4.0: to prove Alice “live”, Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key “I am Alice” R K (R) A-B Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice! Failures, drawbacks?

23 “send me your public key”
Authentication: ap5.0 ap4.0 requires shared symmetric key can we authenticate using public key techniques? ap5.0: use nonce, public key cryptography “I am Alice” Bob computes R (K (R)) = R A - K + K (R) A - and knows only Alice could have the private key, that encrypted R such that “send me your public key” K A + (K (R)) = R A - K +

24 Overview What is network security? Principles of cryptography
Authentication Access control: firewalls Attacks and counter measures

25 Firewalls firewall isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others. administered network public Internet firewall

26 Firewalls: Why prevent denial of service attacks:
SYN flooding: attacker establishes many bogus TCP connections, no resources left for “real” connections. prevent illegal modification/access of internal data. e.g., attacker replaces CIA’s homepage with something else allow only authorized access to inside network (set of authenticated users/hosts)

27 Should arriving packet be allowed in? Departing packet let out?
Packet Filtering Should arriving packet be allowed in? Departing packet let out? internal network connected to Internet via router firewall router filters packet-by-packet, decision to forward/drop packet based on: source IP address, destination IP address TCP/UDP source and destination port numbers ICMP message type TCP SYN and ACK bits

28 Packet Filtering Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.

29 Overview What is network security? Principles of cryptography
Authentication Access control: firewalls Attacks and counter measures

30 Internet security threats
Packet sniffing: broadcast media promiscuous NIC reads all packets passing by can read all unencrypted data (e.g. passwords) e.g.: C sniffs B’s packets A C src:B dest:A payload B Countermeasures?

31 Internet security threats
Packet sniffing: countermeasures all hosts in organization run software that checks periodically if host interface in promiscuous mode. A C src:B dest:A payload B

32 Internet security threats
IP Spoofing: can generate “raw” IP packets directly from application, putting any value into IP source address field receiver can’t tell if source is spoofed e.g.: C pretends to be B A C src:B dest:A payload B Countermeasures?

33 Internet security threats
IP Spoofing: ingress filtering routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router’s network) great, but ingress filtering can not be mandated for all networks A C src:B dest:A payload B

34 Internet security threats
Denial of service (DOS): flood of maliciously generated packets “swamp” receiver Distributed DOS (DDOS): multiple coordinated sources swamp receiver e.g., C and remote host SYN-attack A A C SYN SYN SYN SYN SYN B SYN Countermeasures? SYN

35 Internet security threats
Denial of service (DOS): countermeasures filter out flooded packets (e.g., SYN) before reaaching host: throw out good with bad traceback to source of floods (most likely an innocent, compromised machine) A C SYN SYN SYN SYN SYN B SYN SYN

Download ppt "Review and Announcement"

Similar presentations

Chapter 8 Network Security

Chapter 8 Network Security
Network Security7-1 Chapter 7 Network Security Computer Networking: A Top Down Approach Featuring the Internet, 2 nd edition. Jim Kurose, Keith Ross Addison-Wesley,

Network Security7-1 Chapter 7 Network Security Computer Networking: A Top Down Approach Featuring the Internet, 2 nd edition. Jim Kurose, Keith Ross Addison-Wesley,
Network Security Hwajung Lee. What is Computer Networks? A collection of autonomous computers interconnected by a single technology –Interconnected via:

Network Security Hwajung Lee. What is Computer Networks? A collection of autonomous computers interconnected by a single technology –Interconnected via:
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
1 Network Security What is network security? Principles of cryptography Authentication Access control: firewalls Attacks and counter measures.

1 Network Security What is network security? Principles of cryptography Authentication Access control: firewalls Attacks and counter measures.
8: Network Security8-1 21 - Security. 8: Network Security8-2 Chapter 8 Network Security A note on the use of these ppt slides: We’re making these slides.

8: Network Security Security. 8: Network Security8-2 Chapter 8 Network Security A note on the use of these ppt slides: We’re making these slides.
Chapter 8 Network Security Computer Networking: A Top Down Approach, 5 th edition. Jim Kurose, Keith Ross Addison-Wesley, April 2009.

Chapter 8 Network Security Computer Networking: A Top Down Approach, 5 th edition. Jim Kurose, Keith Ross Addison-Wesley, April 2009.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.

8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.
بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.

بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.
1 ITC242 – Introduction to Data Communications Week 11 Topic 17 Chapter 18 Network Security.

1 ITC242 – Introduction to Data Communications Week 11 Topic 17 Chapter 18 Network Security.
CSE401n:Computer Networks

CSE401n:Computer Networks
Network Security understand principles of network security:

Network Security understand principles of network security:
8: Network Security8-1 Chapter 8 Network Security A note on the use of these ppt slides: We’re making these slides freely available to all (faculty, students,

8: Network Security8-1 Chapter 8 Network Security A note on the use of these ppt slides: We’re making these slides freely available to all (faculty, students,
Review and Announcement r Ethernet m Ethernet CSMA/CD algorithm r Hubs, bridges, and switches m Hub: physical layer Can’t interconnect 10BaseT & 100BaseT.

Review and Announcement r Ethernet m Ethernet CSMA/CD algorithm r Hubs, bridges, and switches m Hub: physical layer Can’t interconnect 10BaseT & 100BaseT.
Lecture 24 Cryptography CPE 401 / 601 Computer Network Systems slides are modified from Jim Kurose and Keith Ross and Dave Hollinger.

Lecture 24 Cryptography CPE 401 / 601 Computer Network Systems slides are modified from Jim Kurose and Keith Ross and Dave Hollinger.
University of Calgary – CPSC 441.  The field of network security is about:  how bad guys can attack computer networks  how we can defend networks against.

University of Calgary – CPSC 441.  The field of network security is about:  how bad guys can attack computer networks  how we can defend networks against.
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.

8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.
CPSC 441 TUTORIAL TA: FANG WANG NETWORK SECURITY.

CPSC 441 TUTORIAL TA: FANG WANG NETWORK SECURITY.
24-1 Last time □ Message Integrity □ Authentication □ Key distribution and certification.

24-1 Last time □ Message Integrity □ Authentication □ Key distribution and certification.

Similar presentations

Ads by Google