Presentation is loading. Please wait.

Presentation is loading. Please wait.

COS 338 Day 18. DAY 18 Agenda Second capstone progress report over due Lab 5 graded 1 A, 2 B’s, 2 F’s and 1 non-submits Assignment 5 Graded 2 A’s, 2 B’s.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "COS 338 Day 18. DAY 18 Agenda Second capstone progress report over due Lab 5 graded 1 A, 2 B’s, 2 F’s and 1 non-submits Assignment 5 Graded 2 A’s, 2 B’s."— Presentation transcript:

1 COS 338 Day 18

2 DAY 18 Agenda Second capstone progress report over due Lab 5 graded 1 A, 2 B’s, 2 F’s and 1 non-submits Assignment 5 Graded 2 A’s, 2 B’s and 2 non-submits Lab 6 Due Assignment 6 Posted Due November 17 Monday November 14 is Road Trip To UM http://www.umcs.maine.edu/~markov/seminarsf05.html http://www.papert.org/ Meet by Physical Plant at 10:15, Van leaves promptly at 10:30 AM Today we will begin finish discussing Security Along with Security for windows XP (chap 9a)

3 Security Management

4 Figure 9-10: Digital Certificate Authentication Digital Certificate User gets secret private key and non-secret public key Digital certificates give the name of a true party and his or her public key

5 Figure 9-10: Digital Certificate Authentication Testing a Digital Signature Applicant performs a calculation with his or her private key Verifier tests calculation using the public key found in the true party’s digital certificate If the test succeeds, the applicant must be the true party

6 Figure 9-11: Testing a Digital Signature Digital CertificateDigital Signature Authentication Name of True Party Public Key of True Party Digital Signature Created with Private Key of Applicant. Added to each Message.

7 Figure 9-10: Digital Certificate Authentication Strong Authentication The strongest method today Expensive and Time-Consuming to Implement Software must be added to clients and servers, and each computer must be configured Expensive because there are so many clients in a firm

8 Figure 9-10: Digital Certificate Authentication Client Weaknesses Sometimes, only server gets digital certificate Client uses passwords or something else

9 Figure 9-11: Testing a Digital Signature Verifier must test the digital signature with the public key of the true party. If the test succeeds, the applicant must have the true party’s private key. Only the true party should know this private key; so the applicant must be the true party.

10 Figure 9-12: Biometric Authentication Biometric Authentication Based on bodily measurements Promises to dramatically simplify authentication

11 Figure 9-12: Biometric Authentication Fingerprint Scanning Simple and inexpensive Substantial error rate (misidentification) Often can be fooled fairly easily by impostors Dominates biometrics today

12 Figure 9-12: Biometric Authentication Iris Scanners Scan the iris (colored part of the eye) Irises are complex, so strong authentication Expensive (Do NOT shine light in your eyes; scanner is a camera.)

13 Figure 9-12: Biometric Authentication Face Recognition Camera allows analysis of facial structure Can be done surreptitiously— without the knowledge or consent of person being scanned Very high error rate and easy to fool

14 Figure 9-12: Biometric Authentication Error Rates and Deception Error and deception rates are higher than vendors claim Usefulness of biometrics is uncertain

15 Firewalls, IDSs, and IPSs

16 Figure 9-13: Firewall Operation Corporate NetworkThe Internet Log File Arriving Packets Permit (Pass) Legitimate Packet Deny (Drop) Attack Packet Application Message ICMP MessageIP-H TCP-H UDP-H Static Packet Filter Firewall

17 Figure 9-14: Access Control List (ACL) for a Packet Filter Firewall 1.If destination IP address = 60.47.3.9 AND TCP destination port = 80 OR 443, PASS [connection to a public webserver] 2.If ICMP Type = 0, PASS [allow incoming echo reply messages] 3.If TCP destination port = 49153 to 65535, PASS [allow incoming packets to ephemeral TCP port numbers]

18 Figure 9-14: Access Control List (ACL) for a Packet Filter Firewall 4.If UDP destination port = 49153 to 65535, PASS [allow incoming packets to ephemeral UDP port numbers] 5.DENY ALL [deny all other packets]

19 Figure 9-15: Stateful Firewall Default Operation Internal Host External Host Internally initiated communication is allowed. Externally initiated communication is stopped. X

20 Figure 9-16: Application Firewalls Application Firewalls Examine application layer messages in packets Packet filter firewalls and stateful firewalls do not look at application messages at all This makes them vulnerable to certain attacks

21 Figure 9-16: Application Firewalls Application Fidelity Requiring the application using a well-known port to be the application that is supposed to use that port For instance, if an application uses Port 80, application firewall requires it to be HTTP, not a peer-to-peer file transfer program or something else This is called enforcing application fidelity

22 Figure 9-16: Application Firewalls Limited Content Filtering Allow FTP Get commands but stop FTP Put commands Do not allow HTTP connections to black-listed (banned) websites E-mail application server may delete all attachments

23 Figure 9-16: Application Firewalls Antivirus Scanning Few application firewalls do antivirus filtering Packets also must be passed through separate antivirus filtering programs

24 Figure 9-17: Defense in Depth with Firewalls Client with Host Firewall Software Internet Application Firewall e-mail, HTTP, etc. Main Firewall: Stateful Inspection Firewall Screening Border Router with Packet Filter Firewall Software Site

25 Figure 9-18: Firewalls Log File Hardened Server IDS Hardened Client PC Network Management Console Internal Corporate Network Internet Firewall Allowed Legitimate Packet Legitimate Host Legitimate Packet Attacker

26 Figure 9-18: Firewall Log File Hardened Server IDS Hardened Client PC Network Management Console Internal Corporate Network Internet Firewall Legitimate Host Attacker Attack Packet Denied Attack Packet

27 Figure 9-18: Intrusion Detection System (IDS) Log File IDS Hardened Client PC Network Management Console Internal Corporate Network IDS Legitimate Host Attacker Alarm About Suspicious Packet Suspicious Packet Hardened Server Suspicious Packet

28 Figure 9-18: Intrusion Prevention Systems (IPSs) Firewalls stop simple attacks IDSs can identify complex attacks involving multiple packets But many false positives (false alarms) Intrusion prevention systems (IPSs) Like IDSs, can identify complex attacks Unlike IDSs, also stop these attacks Only allowed to stop clearer complex attacks

29 Figure 9-19: Cryptographic System (SSL/TLS) Applicant (Customer Client) without Digital Certificate Verifier (Merchant Webserver) with Digital Certificate Provides Protection at Transport Layer Protects all Application Traffic That is SSL/TLS-Aware (Mostly HTTP)

30 Figure 9-19: Cryptographic System (SSL/TLS) Applicant (Customer Client) without Digital Certificate Verifier (Merchant Webserver) with Digital Certificate 1. Negotiation of Security Options (Brief) 2. Merchant Authenticates Self to Customer Uses a Digital Certificate Customer Authentication Is Optional and Uncommon

31 Figure 9-19: Cryptographic System (SSL/TLS) Applicant (Customer Client) without Digital Certificate Verifier (Merchant Webserver) with Digital Certificate 3. Client Generates Random Session Key Client Sends to Server Encrypted by Merchant’s Public Key 4. Ongoing Communication with Confidentiality and Merchant Digital Signatures

32 Figure 9-19: Cryptographic System (SSL/TLS) Perspective Initial Hand-Shaking Phases are Very Brief (Milliseconds) The Last Phase (Ongoing Communication) Is Almost All Total Communication

33 Encryption for Confidentiality

34 Figure 9-20: Symmetric Key Encryption and Public Key Encryption Symmetric Key Encryption for Confidentiality Message “Hello” Encryption Method & Key Symmetric Key Party A Party B Interceptor Network Encrypted Message Encryption uses a non-secret encryption method and a secret key

35 Figure 9-20: Symmetric Key Encryption and Public Key Encryption Symmetric Key Encryption for Confidentiality Encrypted Message Symmetric Key Party A Party B Interceptor Network Interceptor cannot read encrypted messages Encrypted Message

36 Figure 9-20: Symmetric Key Encryption and Public Key Encryption Symmetric Key Encryption for Confidentiality Message “Hello” Encryption Method & Key Encrypted Message Message “Hello” Decryption Method & Key Symmetric Key Same Symmetric Key Party A Party B Interceptor Network Receiver decrypts the message Using the same encryption message And the same symmetric key Encrypted Message

37 Figure 9-20: Symmetric Key Encryption and Public Key Encryption Public Key Encryption for Confidentiality Encrypted Message Encrypted Message Party A Party B Encrypt with Party B’s Public Key Decrypt with Party B’s Private Key Decrypt with Party A’s Private Key Encrypt with Party A’s Public Key Note: Four keys are used to encrypt and decrypt in both directions

38 Figure 9-21: Other Aspects of Protection Hardening Servers and Client PCs Setting up computers to protect themselves Server Hardening Patch vulnerabilities Minimize applications running on each server Use host firewalls Backup so that restoration is possible

39 Figure 9-21: Other Aspects of Protection Hardening Servers and Client PCs Client PC Hardening As with servers, patching vulnerabilities, minimizing applications, having a firewall, and implementing backup Also, a good antivirus program that is updated regularly Client PC users often make errors or sabotage hardening techniques

40 Figure 9-21: Other Aspects of Protection Vulnerability Testing Protections are difficult to set up correctly Vulnerability testing is attacking your system yourself or through a consultant There must be follow-up to fix vulnerabilities that are discovered

41 Incident Response Dealing with attacks that succeed

42 Figure 9-22: Incident Response Response Phases Detecting the attack If not detected, damage will continue unabated IDS or employee reports are common ways to detect attacks Stopping the attack Depends on the attack Reconfiguring firewalls may work

43 Figure 9-22: Incident Response Response Phase Repairing the damage Sometimes as simple as running a cleanup utility Sometimes, must reformat a server disk and reinstall software Can be very expensive if the attacker has done much damage

44 Figure 9-22: Incident Response Response Phase Punishing the attackers Easier to punish employees than remote attackers Forensic tools collect data in a manner suitable for legal proceedings

45 Figure 9-22: Incident Response Major Attacks and CSIRTs Major attacks cannot be handled by the on-duty staff On-duty staff convenes the computer security incident response team (CSIRT) CSIRT has people from security, IT, functional departments, and the legal department

46 Figure 9-22: Incident Response Disasters Natural and attacker-created disasters Can stop business continuity (operation) Data backup and recovery are crucial for disaster response Dedicated backup facilities versus real-time backup between different sites

47 Figure 9-22: Incident Response Disasters Business continuity recovery is broader Protecting employees Maintaining or reestablishing communication Providing exact procedures to get the most crucial operations working again in correct order

48 Topics Covered

49 A Wide Variety of Attacks Viruses and Worms Hacking (Break-in) Scanning Break-In Exploitation (delete log files, create backdoors, do damage) Denial-of-Service (DoS) Attacks Employee misuse of the Internet Growing in frequency (and viciousness)

50 Topics Covered A Wide Variety of Attackers Traditional Attackers Wizard attackers Employees and Ex-Employees Criminals (Exploding) Cyberterrorists and National Governments

51 Topics Covered A Management Issue, not a Technical Issue Technology does not work automatically Planning Risk analysis Comprehensive security Defense in depth

52 Topics Covered Authentication and Authorization Authentication servers give consistency Passwords (weak) Digital signatures and digital certificates High security but difficult to implement Biometric authentication Could eliminate passwords Error rates and deception

53 Topics Covered Firewalls Drop and log packets Packet filter firewalls and ACLs Stateful firewalls (dominate for main firewalls today) Application firewalls filter application content Usually do NOT provide antivirus filtering Defense in depth with multiple firewalls IDSs to detect complex attacks IPSs to stop some complex attacks

54 Topics Covered Cryptographic Systems Negotiate security parameters Authentication Key exchange Ongoing communication (dominates) SSL/TLS Cryptographic system used in e-commerce Protects HTTP communication

55 Topics Covered Encryption for Confidentiality Symmetric key encryption Both sides use the same symmetric key Dominates because fast and efficient Public key encryption Each side has a secret private key and a non- secret public key

56 Topics Covered Hardening Servers and Client PCs Patching vulnerabilities Minimize applications Host firewalls Backup Clients: antivirus filtering (users may sabotage) Vulnerability Testing

57 Topics Covered Incident Response Detection, stopping, repair, punishment CSIRTs for major attacks to big for the on-duty staff to handle Disaster response and business continuity recovery

58 Hands-On: Windows XP Home Security Chapter 9a Copyright 2004 Prentice-Hall Panko’s Business Data Networks and Telecommunications, 5 th edition

59 Figure 9a-1: Windows Updates (Study Figure) The Need for Windows Updates To patch security vulnerabilities To fix bugs and add functionality

60 Figure 9a-1: Windows Updates (Study Figure) Options Automatic updating turned on by default in Windows XP Default is to notify user of updates before downloading and installing Option to download but notify user of the need to install

61 Figure 9a-1: Windows Updates (Study Figure) Options Option to download and install without user intervention Dangerous because problem updates may cause difficulties for users

62 Figure 9a-1: Windows Updates (Study Figure) Other Matters Work-arounds (manual) are difficult for end users Service packs are cumulative collections of updates Service packs must be installed in order of their creation Severe updates may be loaded immediately while others wait

63 Figure 9a-1: Windows Updates (Study Figure) Updating Applications All applications must be updated as well to eliminate security vulnerabilities If an application is taken over, an attacker may be able to take over the computer Updating applications is difficult because there are so many of them Each will have a different method for users to discover, download, and install updates

64 Figure 9a-3: Antivirus Scanning (Study Figure) Importance Viruses are widespread Every PC needs antivirus software to stop incoming (and outgoing) viruses Free Anti-virus for UMFK students and staff http://www.umfk.maine.edu/it/

65 Figure 9a-3: Antivirus Scanning (Study Figure) Using Antivirus Programs Effectively Virus definitions database and program must be updated frequently Preferably daily Program must be configured to work with user’s e- mail, other programs Antivirus software must be selected to work with user’s applications, including peer-to-peer

66 Figure 9a-3: Antivirus Scanning (Study Figure) User Subversion Turning off antivirus programs to reduce problems, work faster Turning off (or not turning on) automatic updating Failing to pay for subscription extensions

67 Figure 9a-4: Network and Internet Connections Dialog Box

68 Figure 9a-5: Internet Options Dialog Box Security Tab Security tab of Internet Options dialog box URLs are automatically treated as part of your Internet zone Internet is set to a moderate setting by default Custom Level… allows you to customize security

69 Figure 9a-6: Security Settings Dialog Box

70 Figure 9a-7: Internet Options Dialog Box Privacy Tab Privacy settings in Internet Options Uses a slide tab Default is medium

71 Figure 9a-8: Network Connections Dialog Box

72 Figure 9a-9: Internet Connection Properties Dialog Box

73 Figure 9a-10: Options in Advanced TCP/IP Settings Dialog Box

74 Figure 9a-11: TCP/IP Filtering Configuration Would check Enable box to enable TCP/IP filtering

75 Figure 9a-12: Malware Scanning Programs (Study Figure) Malware Evil software Viruses and worms Trojan horses Spyware (reports personal information to outside parties) Gets onto client PCs despite security precautions

76 Figure 9a-12: Malware Scanning Programs (Study Figure) Malware Scanning Programs Scan for Malware Usually find malware Must be updated More info http://perleybrook.umfk.maine.edu/slides/spring%202005/cos12 5/Keeping%20Your%20PC%20Spyware%20Free.pdf http://perleybrook.umfk.maine.edu/slides/spring%202005/cos12 5/Keeping%20Your%20PC%20Spyware%20Free.pdf Anti-Spyware Applications http://perleybrook.umfk.maine.edu/slides/spring%202005/cos12 5/spyware%20stuff/ http://perleybrook.umfk.maine.edu/slides/spring%202005/cos12 5/spyware%20stuff/

77 Figure 9a-13: Two Connections for Windows XP VPN Security Server at Remote Site 1. Internet Connection 2. VPN Connection Internet To create a VPN, you create two connections One to the Internet One to the host you are trying to reach

78 Figure 9a-14: Connection Screen for a VPN

79 Figure 9a-15: VPN Properties Dialog Box

80 Figure 9a-16: Advanced VPN Security Settings VPN will use MS- CHAP or MS-CHAP v 2 for authentication Bad because original MS-CHAP had serious security weaknesses

81 Figure 9a-17: Windows Domain Client PC Member Server Domain Controller GPO Group Policy Object (GPO) Domain GPO With Windows XP Professional, client PC Security settings can be set on a domain controller Group Policy Object (GPO) specifies settings

Download ppt "COS 338 Day 18. DAY 18 Agenda Second capstone progress report over due Lab 5 graded 1 A, 2 B’s, 2 F’s and 1 non-submits Assignment 5 Graded 2 A’s, 2 B’s."

Similar presentations

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
Security Chapter 9 Copyright 2004 Prentice-Hall Panko’s Business Data Networks and Telecommunications, 5 th edition.

Security Chapter 9 Copyright 2004 Prentice-Hall Panko’s Business Data Networks and Telecommunications, 5 th edition.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
COS 338 Day 16. DAY 16 Agenda Capstone Proposals Overdue 3 accepted, 3 in mediation Capstone progress reports still overdue I forgot to mark in calendar.

COS 338 Day 16. DAY 16 Agenda Capstone Proposals Overdue 3 accepted, 3 in mediation Capstone progress reports still overdue I forgot to mark in calendar.
N ETWORK S ECURITY Presented by: Brent Vignola. M ATERIAL OVERVIEW … Basic security components that exist in all networks Authentication Firewall Intrusion.

N ETWORK S ECURITY Presented by: Brent Vignola. M ATERIAL OVERVIEW … Basic security components that exist in all networks Authentication Firewall Intrusion.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Security (Part 2) School of Business Eastern Illinois University © Abdou Illia, Spring 2007 (Week 13, Thursday 4/5/2007)

Security (Part 2) School of Business Eastern Illinois University © Abdou Illia, Spring 2007 (Week 13, Thursday 4/5/2007)
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Lesson 19: Configuring Windows Firewall

Lesson 19: Configuring Windows Firewall
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Spring 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Spring 2006.
Chapter 9 Security. The Threat Environment 3 Figure 9-1: CSI/FBI Survey Companies Face Many Attacks –Viruses (and other malware) –Insider abuse of net.

Chapter 9 Security. The Threat Environment 3 Figure 9-1: CSI/FBI Survey Companies Face Many Attacks –Viruses (and other malware) –Insider abuse of net.
Securing Insecure Networks SSL/TLS & IPSec. 4-1: Cryptographic System Copyright Pearson Prentice-Hall 2010 2.

Securing Insecure Networks SSL/TLS & IPSec. 4-1: Cryptographic System Copyright Pearson Prentice-Hall
1 Firewalls Types of Firewalls  Screening router firewalls  Computer-based firewalls  Firewall appliances  Host firewalls (firewalls on clients and.

1 Firewalls Types of Firewalls  Screening router firewalls  Computer-based firewalls  Firewall appliances  Host firewalls (firewalls on clients and.
Information Security Introduction to Information Security Michael Whitman and Herbert Mattord 14-1.

Information Security Introduction to Information Security Michael Whitman and Herbert Mattord 14-1.

Similar presentations

Ads by Google