Presentation is loading. Please wait.

Presentation is loading. Please wait.

8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine."— Presentation transcript:

1 8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine what hosts have addresses on network m Port-scanning: try to establish TCP connection (e.g. socket programming) to each port in sequence (see what happens) m nmap (http://www.insecure.org/nmap/) mapper: “network exploration and security auditing” Mapping: countermeasures m record traffic entering network m look for suspicious activity (IP addresses, ports being scanned sequentially)

2 8-2 Internet security threats Packet sniffing: m broadcast media m promiscuous network interface card reads all packets passing by m can read all unencrypted data (e.g. passwords) m e.g.: C sniffs B’s packets A B C src:B dest:A payload Packet sniffing: countermeasures m all hosts in organization run software that checks periodically if host interface in promiscuous mode. m encrypt all data.

3 8-3 Internet security threats IP Spoofing: m can generate “raw” IP packets directly from application, putting any value into IP source address field m receiver can’t tell if source is spoofed m e.g.: C pretends to be B A B C src:B dest:A payload IP Spoofing: ingress filtering m routers should not forward outgoing packets with invalid source addresses (= ingress filtering), e.g. datagram source address not in router’s network. m great, but ingress filtering can not be mandated for all networks

4 8-4 Denial of service (DOS): m flood of maliciously generated packets “swamp” receiver (e.g. TCP SYN-attack, incomplete IP datagram) m Distributed DOS (DDOS): multiple coordinated sources swamp receiver: e.g., C and remote host TCP SYN- attack A A B C SYN Denial of service (DOS): countermeasures m Difficult to filter bad from good packets because of IP spoofing m filter out flooded packets (e.g., TCP SYN) before reaching host: throw out good with bad m traceback to source of floods (most likely an innocent, compromised machine), current research

5 8-5 Why security and many layers? Security in many layers (upper layer services may take advantage of lower level security) 1. Secure email (application layer) 2. Secure sockets (transport layer) 3. IPsec (network layer) 4. Security in 802.11 (link layer) r Lower layers cannot offer user-level security, m A commerce site need to authenticate customers r Easier to deploy services, including security, at the higher layers r Security is not broadly deployed at the network layer m E.g. IP spoofing m IPsec (with source authentication, hence no IP spoofing) is many years away m Performance?

6 8-6 Secure e-mail Alice:  generates random symmetric private session key, K S.  encrypts message with K S (for efficiency)  also encrypts K S with Bob’s public key.  sends both K S (m) and K B (K S ) to Bob.  Alice wants to send confidential e-mail, m, to Bob. K S ( ). K B ( ). + + - K S (m ) K B (K S ) + m KSKS KSKS KBKB + Internet K S ( ). K B ( ). - KBKB - KSKS m K S (m ) K B (K S ) + Bob:  uses his private key to decrypt and recover K S  uses K S to decrypt K S (m) to recover m

7 8-7 Secure e-mail (continued) Alice wants to provide sender authentication and message integrity. Alice digitally signs message. sends both message (in the clear) and digital signature. H( ). K A ( ). - + - H(m ) K A (H(m)) - m KAKA - Internet m K A ( ). + KAKA + K A (H(m)) - m H( ). H(m ) compare

8 8-8 Secure e-mail (continued) Alice wants to provide secrecy, sender authentication, message integrity. Alice uses three keys: her private key, Bob’s public key, newly created symmetric session key H( ). K A ( ). - + K A (H(m)) - m KAKA - m K S ( ). K B ( ). + + K B (K S ) + KSKS KBKB + Internet KSKS

9 8-9 Pretty good privacy (PGP) r Internet e-mail encryption scheme, de-facto standard. r uses symmetric key cryptography, public key cryptography, hash function, and digital signature as described on previous slides r provides secrecy, sender authentication, integrity. r inventor, Phil Zimmerman, was target of 3-year federal investigation. ---BEGIN PGP SIGNED MESSAGE--- Hash: SHA1 Bob:My husband is out of town tonight. Passionately yours, Alice ---BEGIN PGP SIGNATURE--- Version: PGP 5.0 Charset: noconv yhHJRHhGJGhgg/12EpJ+lo8gE4vB3mqJ hFEvZP9t6n7G6m5Gw2 ---END PGP SIGNATURE--- A PGP signed message:

10 8-10 Network Security (summary) Basic techniques…... m cryptography (symmetric and public) m authentication m message integrity m key distribution …. used in many different security scenarios m secure email m secure transport (SSL) m IP sec m 802.11

Download ppt "8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine."

Similar presentations

Security in Networks (Part 2) CPSC 363 Computer Networks Ellen Walker Hiram College (Includes figures from Computer Networking by Kurose & Ross, © Addison.

Security in Networks (Part 2) CPSC 363 Computer Networks Ellen Walker Hiram College (Includes figures from Computer Networking by Kurose & Ross, © Addison.
PGP Overview 2004/11/30 Information-Center meeting peterkim.

PGP Overview 2004/11/30 Information-Center meeting peterkim.
Part 5:Security Network Security (Access Control, Encryption, Firewalls)

Part 5:Security Network Security (Access Control, Encryption, Firewalls)
Introduction to Security Computer Networks Computer Networks Term B10.

Introduction to Security Computer Networks Computer Networks Term B10.
Lecture 25 Secure Communications CPE 401 / 601 Computer Network Systems slides are modified from Jim Kurose & Keith Ross and Dave Hollinger.

Lecture 25 Secure Communications CPE 401 / 601 Computer Network Systems slides are modified from Jim Kurose & Keith Ross and Dave Hollinger.
7: Network Security1 Chapter 7: Network security Foundations: r what is security? r cryptography r authentication r message integrity Security in practice:

7: Network Security1 Chapter 7: Network security Foundations: r what is security? r cryptography r authentication r message integrity Security in practice:
7: Network Security1 Chapter 7: Network security Foundations: r what is security? r cryptography r authentication r message integrity r key distribution.

7: Network Security1 Chapter 7: Network security Foundations: r what is security? r cryptography r authentication r message integrity r key distribution.
1 Network Security What is network security? Principles of cryptography Authentication Access control: firewalls Attacks and counter measures.

1 Network Security What is network security? Principles of cryptography Authentication Access control: firewalls Attacks and counter measures.
Chapter 7: Network Security

Chapter 7: Network Security
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.

Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
7: Network Security1 Chapter 7: Network security – Author? Foundations: r what is security? r cryptography r authentication r message integrity r key distribution.

7: Network Security1 Chapter 7: Network security – Author? Foundations: r what is security? r cryptography r authentication r message integrity r key distribution.
8: Network Security8-1 22 – Integrity, Firewalls.

8: Network Security – Integrity, Firewalls.
CSE401n:Computer Networks

CSE401n:Computer Networks
Network Security7-1 Network Security 1. What is network security 2. Principles of cryptography 3. Authentication 4. Integrity 5. Key Distribution and certification.

Network Security7-1 Network Security 1. What is network security 2. Principles of cryptography 3. Authentication 4. Integrity 5. Key Distribution and certification.
Review and Announcement r Ethernet m Ethernet CSMA/CD algorithm r Hubs, bridges, and switches m Hub: physical layer Can’t interconnect 10BaseT & 100BaseT.

Review and Announcement r Ethernet m Ethernet CSMA/CD algorithm r Hubs, bridges, and switches m Hub: physical layer Can’t interconnect 10BaseT & 100BaseT.
Network Security7-1 Chapter 7 Network Security Computer Networking: A Top Down Approach Featuring the Internet, 2 nd edition. Jim Kurose, Keith Ross Addison-Wesley,

Network Security7-1 Chapter 7 Network Security Computer Networking: A Top Down Approach Featuring the Internet, 2 nd edition. Jim Kurose, Keith Ross Addison-Wesley,
7: Network Security1 Chapter 7 Network Security Computer Networking: A Top Down Approach Featuring the Internet, 2 nd edition. Jim Kurose, Keith Ross Addison-Wesley,

7: Network Security1 Chapter 7 Network Security Computer Networking: A Top Down Approach Featuring the Internet, 2 nd edition. Jim Kurose, Keith Ross Addison-Wesley,
Network security EECS 489 Computer Networks Z. Morley Mao Monday, April 9, 2007.

Network security EECS 489 Computer Networks Z. Morley Mao Monday, April 9, 2007.
CPSC 441 TUTORIAL TA: FANG WANG NETWORK SECURITY.

CPSC 441 TUTORIAL TA: FANG WANG NETWORK SECURITY.
24-1 Last time □ Message Integrity □ Authentication □ Key distribution and certification.

24-1 Last time □ Message Integrity □ Authentication □ Key distribution and certification.

Similar presentations

Ads by Google