Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Chapter 9 (October 2002) Copyright 2003 Prentice-Hall Panko’s Business Data Networking and Telecommunications, 4 th edition.

Published byLetitia Parsons Modified over 8 years ago

Similar presentations

Presentation on theme: "Security Chapter 9 (October 2002) Copyright 2003 Prentice-Hall Panko’s Business Data Networking and Telecommunications, 4 th edition."— Presentation transcript:

1 Security Chapter 9 (October 2002) Copyright 2003 Prentice-Hall Panko’s Business Data Networking and Telecommunications, 4 th edition.

2 2 Figure 9.1: Types of Attackers Wizard Internet Hackers Highly capable attackers Amateurs (Script Kiddies) Light skills, but numerous and armed with automated attack programs (kiddie scripts) of increasing potency

3 3 Figure 9.1: Types of Attackers Criminals Theft of credit card numbers, trade secrets, and other sensitive information Sell the information or attempt extortion to prevent the release of the information Individual criminals and organized crime Industrial and government espionage spies

4 4 Figure 9.1: Types of Attackers Employees Dangerous because of internal knowledge and access Often, large losses per incident due to theft, fraud, or sabotage

5 5 Figure 9.1: Types of Attackers Information Warfare and Cyberterrorism Massive attack by a government or terrorist group against a country’s IT infrastructure Attacks by amateur cyberterrorists are already starting to approach this level of threat

6 6 Figure 9.3: Attacks Requiring Protection Hacking Servers Access without permission or in excess of permission Attractive because of the data they store Hacking Clients Attractive because of their data or as a way to attack other systems by using the hacked client as an attack platform Soft targets compared to servers; most users are security novices

7 7 Figure 9.3: Attacks Requiring Protection Denial-of-Service (DoS) Attacks Make the system unavailable (crash it or make it run very slowly) by sending one message or a stream of messages. Loss of availability Single Message DOS Attack (Crashes the Victim) ServerAttacker

8 8 Figure 9.3: Attacks Requiring Protection Denial-of-Service (DoS) Attacks Make the system unusable (crash it or make it run very slowly) by sending one message or a stream of messages. Loss of availability. Message Stream DOS Attack (Overloads the Victim) ServerAttacker

9 9 Figure 9.4: Denial-of-Service Attacks Distributed DOS (DDoS) Attack: Messages Come from Many Sources Server DoS Attack Packets Computer with Zombie Computer with Zombie Attacker Attack Command Attack Command

10 10 Figure 9.3: Attacks Requiring Protection Scanning Attacks To identify victims and ways of attacking them Attacker sends messages to select victims and attack methods Examines data that responses reveal IP addresses of potential victims What services victims are running; different services have different weaknesses Host’s operating system, version number, etc.

11 11 Figure 9.3: Attacks Requiring Protection Malicious Content Viruses Infect files; propagate by executing infected program Payloads may be destructive Worms; propagate by themselves Trojan horses (appear to be one thing, such as a game, but actually are malicious) Snakes: combine worm with virus, Trojan horses, and other attacks

12 12 Figure 9.3: Attacks Requiring Protection Malicious Content Illegal content: pornography, sexual or racial harassment Spam (unsolicited commercial e-mail) Security group is often called upon to address pornography, harassment, and spam

13 13 Figure 9.2: Types of Security Systems Attacker Taps into the Conversation: Tries to Read Messages, Alter Messages, Add New Messages Client PC Server Message Exchange Secure Communication System

14 14 Figure 9.2: Types of Security Systems Attack Prevention System Corporate Network Hardened Client PC Hardened Server With Permissions Internet Attacker Attack Message Attack Message Firewall

15 15 Figure 9.5: Packet Filter Firewall Packet Filter Firewall IP-H TCP-H UDP-HApplication Message IP-HICMP Message Arriving Packets Permit Deny Corporate NetworkThe Internet Examines Packets in Isolation Fast but Misses Some Attacks

16 16 For Packets Containing TCP Segments: Rule 1 IF Interface = Internal AND (Source Port Number = 7056 OR Source Port Number = 8002 through 8007) THEN DENY Remark: Used by a well-known Trojan horse program. Figure 9.6: Access Control List Fragment

17 17 Figure 9.6: Access Control List Fragment Rule 2: IF Interface = External AND Destination Port Number = 80 AND Destination IP address = 60.16.210.22 THEN PERMIT Remark: Going to a known webserver.

18 18 Figure 9.6: Access Control List Fragment Rule 3: IF Interface = External AND Destination Port Number = 80 AND Destination IP Address = NOT 60.16.210.22 THEN DENY Remark: Going to an unknown webserver.

19 19 Figure 9.6: Access Control List Fragment Rule 4: IF Interface = External AND (SYN = AND FIN = Set) THEN DENY REMARK: Used in host scanning attacks and not in real transactions. 60.14.27.9 1. To: 60.14.27.9; SYN FIN 2. From: 60.14.27.9; RST

20 20 Figure 9.6: Access Control List Fragment Order Rules are executed in order If passed or denied by one rule, will not reach subsequent rules Misconfiguration is easy, opening the network to attack Always test a firewall by hitting it with attack messages to see if they are handled properly

21 21 Stateful Firewall Does not examine packets in isolation Examines each packet to see if it is part of an ongoing conversation Catches attacks that packet filter firewalls cannot Refuses a TCP acknowledgement if an internal host has not opened a connection to that host Usually does not examine a packet in detail if the packet is part of an ongoing conversation This can miss attack packets Beyond what is In the book

22 22 Figure 9.7: Application (Proxy) Firewall SMTP (E-Mail) Proxy FTP Proxy Application Firewall HTTP Proxy Browser Webserver Application 1. HTTP Request Client PC Webserver 2. Inspect Request Message

23 23 Figure 9.7: Application (Proxy) Firewall SMTP (E-Mail) Proxy FTP Proxy Application Firewall 3. Examined HTTP Request HTTP Proxy Browser Webserver Application Client PC Webserver

24 24 Figure 9.7: Application (Proxy) Firewall SMTP (E-Mail) Proxy FTP Proxy Application Firewall HTTP Proxy Browser Webserver Application 4. HTTP Response Client PC Webserver 5. Inspect Response Message

25 25 Figure 9.7: Application (Proxy) Firewall SMTP (E-Mail) Proxy FTP Proxy Application Firewall HTTP Proxy Browser Webserver Application 6. Examined HTTP Response Client PC Webserver

26 26 Figure 9.7: Application (Proxy) Firewall Can examine the application message to filter packets by application content If hacker takes over the proxy firewall, has not taken over the internal clients, with which it only has indirect contact Internal client’s IP address is hidden. All packets sent back by the server have the address of the application proxy server.

27 27 Figure 9.7: Application (Proxy) Firewall SMTP (E-Mail) Proxy FTP Proxy Application Firewall HTTP Proxy Browser Webserver Application Client PC Webserver There must be a proxy for each application

28 28 Figure 9.8: Network Address Translation (NAT) 12 NAT Firewall Client From 172.47.9.6, Port 59789 From 60.168.34.2, Port 63472 Internet Server Host IP Addr 172.47.9.6 … Port 59789 … IP Addr 60.168.34.2 … Port 63472 … InternalExternal Translation Table

29 29 Figure 9.8: Network Address Translation (NAT) 43 NAT Firewall Client Internet Server Host To 172.47.9.6, Port 59789 To 60.168.34.2, Port 63472 Translation Table IP Addr 172.47.9.6 … Port 59789 … IP Addr 60.168.34.2 … Port 63472 … InternalExternal

30 30 Figure 9.9: Intrusion Detection Dump Intrusion Detection System 4. Analysis of Dump Internal Host Network Administrator Attacker Legitimate Host 1. Attack Packet 2. All Packets 3. Notification of Possible Attack 1. Legitimate Packet

31 31 Firewalls versus Intrusion Detection Firewalls permit or deny traffic based on filtering rules Intrusion detection systems (IDSs) only save and mark certain packets as suspicious; do not take action IDSs identify all suspicious packets, many of which turn out to be acceptable; firewall drop rules are more specific Some firewalls issue alerts when packets are dropped and most firewalls log all drops New Not in the book

32 32 Figure 9.10: Hardening Clients and Servers Known Weaknesses Known security weaknesses in operating systems and application programs Most download vendor patches to fix these known weaknesses Firms often fail to do so (vendors issue 30-50 patches per week); must be installed on each server Host Firewalls Server firewalls and personal (client) firewalls

33 33 Figure 9.10: Hardening Clients and Servers Server Authentication Passwords Cracking with exhaustive search and dictionary attacks Strong passwords Super accounts Root in UNIX Administrator in Windows

34 34 Figure 9.10: Hardening Clients and Servers Server Authentication Rules for Strong Passwords At least 8 characters long At least one change of case At least one digit (0-9) not at the end At least one non-alphanumeric character (#@%^&*!) not at the end

35 35 Figure 9.11: Kerberos Authentication (Simplified) Kerberos Server Verifier Applicant 4. Ticket 1. Initial Sign On 2. Request Ticket 3. Ticket

36 36 Figure 9.10: Hardening Clients and Servers Server Authentication Biometric authentication Fingerprint: least expensive Iris: most accurate Face recognition: controversial in public places for mass identification Other forms of biometric identification Smart cards (ID card with microprocessor and data)

37 37 Figure 9.10: Hardening Clients and Servers Limiting Permissions on Servers (Ch. 10) Only permit access to some directories Limit permissions (what the user can do) there Like controlling access to a high-security building; not allowed to go anywhere and remove items, etc.

38 38 Figure 9.2: Types of Security Systems Attacker Taps into the Conversation: Tries to Read Messages, Alter Messages, Add New Messages Client PC Server Message Exchange Secure Communication System

39 39 Figure 9.12: Secure Communication System Client PC Server 1. Initial Negotiation of Security Parameters 2. Mutual Authentication 3. Key Exchange or Key Agreement 4. Subsequent Communication with Message-by-Message Confidentiality, Authentication, and Message Integrity

40 40 Figure 9.13: Symmetric Key Encryption for Confidentiality Plaintext “Hello” Encryption Method & Key Ciphertext “11011101” Symmetric Key Interceptor Network Same Symmetric Key Party A Party B

41 41 Figure 9.13: Symmetric Key Encryption for Confidentiality Ciphertext “11011101” Symmetric Key Interceptor Network Ciphertext “11011101” Same Symmetric Key Party A Party B ???

42 42 Figure 9.13: Symmetric Key Encryption for Confidentiality Symmetric Key Interceptor Network Ciphertext “11011101” Decryption Method & Key Plaintext “Hello” Same Symmetric Key Party A Party B

43 43 Figure 9.14: Symmetric Key Encryption for Confidentiality Shared Symmetric Key Party A Party B Shared Symmetric Key In Symmetric Key Encryption, Both sides Encrypt and Decrypt with The Same Symmetric Key

44 44 Figure 9.14: Public Key Encryption for Confidentiality Encrypt with Party B’s Public Key Party A Party B Decrypt with Party B’s Private Key

45 45 Figure 9.14: Public Key Encryption for Confidentiality Decrypt with Party A’s Private Key Party A Encrypt with Party A’s Public Key Party B

46 46 Quiz 1. In two-way conversations encrypted with symmetric key encryption, how many keys are used? 2. In two-way conversations encrypted with Public key encryption, how many keys are used?

47 47 Quiz 3. In public key encryption for confidentiality, the sender always encrypts with the _____ key of the _____. 4. In public key encryption for confidentiality, the receiver always decrypts with the ___ key of the _____.

48 48 Symmetric Versus Public Key Encryption Symmetric key encryption is very fast, so it can be used to encrypt long messages for confidentiality, including e-mail messages, website communication, database transactions, and almost all other user applications. However, public key encryption can provide confidentiality for very short messages. We will see how this helps in transferring symmetric keys and in digital signatures.

49 49 Figure 9.15: Public Key Distribution for Symmetric Keys Party A Party B 1.Create Symmetric Session Key 2. Encrypt Session Key with Party B’s Public Key 4. Decrypt Session Key with Party B’s Private Key 3. Send the Symmetric Session Key Encrypted With Party B’s Public Key

50 50 Figure 9.15: Public Key Distribution for Symmetric Keys Party A Party B 5. Subsequent Bulk Encryption For Confidentiality with Symmetric Session Key For All Messages

51 51 Figure 9.16: MS-CHAP Challenge-Response Authentication Protocol Client Applicant Server Verifier Challenge 1. Creates Challenge Message 2. Sends Challenge Message Note: Both the Client and the Server Know the Client’s Password

52 52 Figure 9.16: MS-CHAP Challenge-Response Authentication Protocol 3. Applicant Creates the Response Message: a)Adds Password to Challenge Message b)Hashes the Resultant Bit String c) This Gives the Response Message PasswordChallenge Response Hashing

53 53 Figure 9.16: MS-CHAP Challenge-Response Authentication Protocol PasswordChallenge Expected Response Hashing Transmitted Response 4. Applicant Sends Response Message 5. Verifier Adds password to the challenge message it sent. Hashes the combination. This should be the expected response message.

54 54 Figure 9.16: MS-CHAP Challenge-Response Authentication Protocol Expected ResponseTransmitted Response = ? 6. If the Two are Equal, The Client Knows the Password and is Authenticated

55 55 Figure 9.17: Digital Signature Sender Receiver DSPlaintext Add Digital Signature to Each Message Provides Message-by-Message Authentication Encrypted for Confidentiality

56 56 Figure 9.17: Digital Signature: Sender DS Plaintext MD Hash Sign (Encrypt) MD with Sender’s Private Key To Create the Digital Signature: 1.Hash the plaintext to create a brief message digest; This is NOT the digital signature 2. Sign (encrypt) the message digest with the sender’s private key to create the digital Signature

57 57 Figure 9.17: Digital Signature Sender Encrypts Receiver Decrypts Send Plaintext plus Digital Signature Encrypted with Symmetric Session Key DSPlaintext Transmission

58 58 Figure 9.17: Digital Signature: Receiver DSReceived Plaintext MD 1. Hash 2. Decrypt with True Party’s Public Key 3. Are they Equal? 1. Hash the received plaintext with the same hashing algorithm the sender used. This gives the message digest 2. Decrypt the digital signature with the sender’s public key. This also should give the message digest. 3. If the two match, the message is authenticated; The sender has the true Party’s private key

59 59 Figure 9.18: Public Key Deception Impostor “I am the True Person.” “Here is TP’s public key.” (Sends Impostor’s public key) “Here is authentication based on TP’s private key.” (Really Impostor’s private key) Decryption of message from Verifier encrypted with Impostor’s public key, so Impostor can decrypt it Verifier Must authenticate True Person. Believes now has TP’s public key Believes True Person is authenticated based on Impostor’s public key “True Person, here is a message encrypted with your public key.” Critical Deception

60 60 Digital Certificates Digital certificates are electronic documents that give the true party’s name and public key Applicants claiming to be the true party have their authentication methods tested by this public key If they are not the true party, they cannot use the true party’s private key and so will not be authenticated

61 61 Digital Signatures and Digital Certificates Public key authentication requires both a digital signature and a digital certificate to give the public key needed to test the digital signature DSPlaintext Applicant Verifier Certificate Authority Digital Certificate: True Party’s Public Key

62 62 Figure 9.19: Public Key Infrastructure (PKI) Verifier (Brown) Certificate Authority PKI Server Create & Distribute (1)Private Key and (2) Digital Certificate Applicant (Lee) Verifier (Cheng)

63 63 Figure 9.19: Public Key Infrastructure (PKI) Verifier (Brown) Certificate Authority PKI Server 4. Certificate for Brown Applicant (Lee) Verifier (Cheng) 3. Request Certificate for Brown

64 64 Figure 9.19: Public Key Infrastructure (PKI) Verifier (Brown) Certificate Authority PKI Server 6. Check Certificate Revocation List (CRL) For Lee’s Digital Certificate Applicant (Lee) 5. Certificate for Lee Verifier (Cheng) 7. Revoked or OK

65 65 Figure 9.20: Security at Multiple Layers LayerExample Application Application-specific (for instance, passwords for a database program); Application (Proxy) Firewalls TransportSSL (TLS), Packet Filter Firewalls InternetIPsec, Packet Filter Firewalls Data Link Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) PhysicalPhysical locks on computers, Notebook Encryption

66 66 Figure 9.20: Security at Multiple Layers Having security at multiple layers provides protection if one layer’s security fails Having security at multiple layers also slows processing on the device So provide protection in at least two layers but not in all layers

67 67 Figure 9.21: Creating Appropriate Security Understanding Needs Need to make security proportional to risks Organizations face different risks Policies and Enforcement Policies bring consistency Must be enforced. Training in the importance of security and in protection techniques Social engineering prevention training

68 68 Figure 9.21: Creating Appropriate Security Policies and Enforcement Security audits: attack your system proactively You must really be able to trust your testers Incident handling Stopping the attack Restoring the system Prosecution Planning and practicing before the incident Privacy Need to protect employee & customer privacy

Download ppt "Security Chapter 9 (October 2002) Copyright 2003 Prentice-Hall Panko’s Business Data Networking and Telecommunications, 4 th edition."

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:

Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Security Chapter 9 Copyright 2004 Prentice-Hall Panko’s Business Data Networks and Telecommunications, 5 th edition.

Security Chapter 9 Copyright 2004 Prentice-Hall Panko’s Business Data Networks and Telecommunications, 5 th edition.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
Information Security 1 Information Security: Lecture no 7 Jeffy Mwakalinga.

Information Security 1 Information Security: Lecture no 7 Jeffy Mwakalinga.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
Chapter 12 Network Security.

Chapter 12 Network Security.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Security (Part 2) School of Business Eastern Illinois University © Abdou Illia, Spring 2007 (Week 13, Thursday 4/5/2007)

Security (Part 2) School of Business Eastern Illinois University © Abdou Illia, Spring 2007 (Week 13, Thursday 4/5/2007)
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Computer and Network Security. Introduction Internet security –Consumers entering highly confidential information –Number of security attacks increasing.

Computer and Network Security. Introduction Internet security –Consumers entering highly confidential information –Number of security attacks increasing.
Business Data Communications, Fourth Edition Chapter 10: Network Security.

Business Data Communications, Fourth Edition Chapter 10: Network Security.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Elias M. Awad Third Edition ELECTRONIC COMMERCE From Vision to Fulfillment 13-1© 2007 Prentice-Hall, Inc ELC 200 Day 23.

Elias M. Awad Third Edition ELECTRONIC COMMERCE From Vision to Fulfillment 13-1© 2007 Prentice-Hall, Inc ELC 200 Day 23.
Cryptography April 20, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Cryptography April 20, 2010 MIS 4600 – MBA © Abdou Illia.

Similar presentations

Ads by Google