Presentation is loading. Please wait.

Presentation is loading. Please wait.

@Yuan Xue Network Security Review and Beyond Network Security.

Published byReynold Beasley Modified over 8 years ago

Similar presentations

Presentation on theme: "@Yuan Xue Network Security Review and Beyond Network Security."— Presentation transcript:

1 @Yuan Xue (yuan.xue@vanderbilt.edu) Network Security Review and Beyond Network Security

2 @Yuan Xue (yuan.xue@vanderbilt.edu) From a Computer to Internet Building a network of global scale Start from a collection of computers Direct link network  internetwork  Transport layer connectionless v.s. connection-oriented Network protocol stack Internet Link IP TCP/UDP Application Link IP TCP/UDP Application Link IP Link IP

3 @Yuan Xue (yuan.xue@vanderbilt.edu) From a Computer to Internet Security issues Single computer Networking environment  Secure communication in a public environment  Computer system security with remote access Internet Link IP TCP/UDP Application Link IP TCP/UDP Application Link IP Link IP

4 @Yuan Xue (yuan.xue@vanderbilt.edu) Security Goals Goals Confidentiality  Data and traffic Integrity  Data integrity (Data authentication )  Origin Integrity (Source Authentication) Peer authentication and data origin authentication  Non-repudiation Source and Destination Availability Mechanisms Authentication Access control Encryption Data integrity protection & Digital Signature Traffic control  Routing, padding Internet Link IP TCP/UDP Application Link IP TCP/UDP Application Link IP Link IP

5 @Yuan Xue (yuan.xue@vanderbilt.edu) Security Mechanisms This course -- Network Security Cryptographic Approach  Encryption  Data integrity protection & Digital Signature  Authentication Network Approach  Traffic control System Approach  Intrusion detection systems  Firewall System Security Authentication Access Control (Authorization) Multi-level Security Program Security Security issues Single computer Networking environment  Secure communication in a public environment  Computer system security with remote access Mechanisms Authentication Access control Encryption Data integrity protection & Digital Signature Traffic control  Routing, padding Methodology Examine all possible vulnerabilities of the system Consider available countermeasures.

6 @Yuan Xue (yuan.xue@vanderbilt.edu) DSS SHA CBC Confidentiality Symmetric encryption algorithm – Block cipher e.g., DES, 3DES, AES Asymmetric encryption algorithm – Block cipher e.g., RSA, ECC Modes of operation (block  stream) Symmetric encryption algorithm -- Stream cipher e.g., RC4 Asymmetric key algorithm – key exchange, e.g., Diffie-Hellman Asymmetric key algorithm -- digital signature e.g., DSA MACHash function Key establishment Integrity Data integrity + source authentication HMAC Non-repudiation

7 @Yuan Xue (yuan.xue@vanderbilt.edu) From Principle to Practice Application/Transport layer based solutions Secure network-based applications  Web – SSL, transportation layer solution  Email – PGP, application layer solution Secure network + support for application  IPsec  Internet Security BGP security  Wireless Security IEEE 802.11 security Link Network Transport Application PGP SSL WEP, WPA, IEEE 802.11i IPSec

8 @Yuan Xue (yuan.xue@vanderbilt.edu) Put things together GPG

9 @Yuan Xue (yuan.xue@vanderbilt.edu) SSL (I) Services Confidentiality – symmetric encryption Message Integrity – MAC Application data fragment MAC Encrypted compress Encrypted SSL record header Content type Version Compressed length

10 @Yuan Xue (yuan.xue@vanderbilt.edu) AliceBob I want to talk to you, R Alice Certificate, R Bob E(KU bob,S) Secure communication via keys derived from K E(KU bob,S) Certificate, R Bob Secure communication via keys derived from K SSL (II)

11 @Yuan Xue (yuan.xue@vanderbilt.edu) IPSec Transport mode Encrypts the payload data from upper-layer protocol IP header in clear text Tunnel-mode Encrypts the entire IP packets including the IP header Adding a new IP header IP header Encrypted data payload New IP header IP header data payload Encrypted IPSec header

12 @Yuan Xue (yuan.xue@vanderbilt.edu) BGP Overview AS: Internet routers are grouped into management domains called Autonomous Systems (AS). BGP: Routing information between AS is exchanged via BGP UPDATE messages. Threat BGP does not have any security protection over routing information, for example:  Routing information source authentication  UPDATE message integrity protection If malicious attacker injects or modifies routing information (UPDATE messages), BPG routing will be interrupted and packets will get dropped.

13 @Yuan Xue (yuan.xue@vanderbilt.edu) S-BGP Three security mechanisms are employed Public Key Infrastructure (PKI) is used to support the authentication of AS's identity, and BGP router's identity. BGP transitive path attribute is employed to carry digital signatures covering the routing information in a BGP UPDATE message. IPsec is used to provide data and partial sequence integrity, and to enable BGP routers to authenticate each other for exchanges of BGP control traffic. Further reading Stephen Kent, Charles Lynn, and Karen Seo, Secure Border Gateway Protocol (Secure-BGP), IEEE Journal on Selected Areas in Communications Vol. 18, No. 4, April 2000, pp. 582-592 Stephen Kent, Charles Lynn, J. Mikkelson, and Karen Seo, Secure Border Gateway Protocol (S-BGP) -- Real World Performance and Deployment Issues, in ISOC Symposium on Network and Distributed System Security, 2000.

14 @Yuan Xue (yuan.xue@vanderbilt.edu) Security in Wireless LAN WEP (Wireless Equivalent Privacy) a link-level security mechanism defined in IEEE 802.11 Stream cipher RC4 used in a nonstandard way  A base key is concatenated with a 24-bit per-packet nonce, and is used as a per-packet RC4 key. CRC checksum is used for integrity protection Fluher, Mantin, and Shamir Attack An eavesdropping can deduce the base RC4 key based on several millions encrypted packets whose first byte of plaintext is known. Stubblefield, Ioannidis, and Rubin demonstrated its feasibility Problems with WEP: A summary 24-bit IVs are too short to provide confidentiality CRC checksum is insecure, and can not protect packet integrity The way that IV is combined with the key is subject to cryptanalysis. Passive eavesdroppers can learn the key after observing a few million encrypted packets Lack of source and destination address authentication

15 @Yuan Xue (yuan.xue@vanderbilt.edu) Improved 802.11i Architecture Stage 1: Network and security capability discovery Stage 2: 802.1X authentication and key establishment (mutual authentication, establish shared secret, ciphersuite) Stage 3: Secure association (management frames protected) Stage 4: Four-way handshake (master key confirmation, session key derivation, group key distribution) Stage 5: Group key handshake Stage 6: Secure data communications 802.1X failure Association failure Four-way handshake timeout Group key handshake timeout Invalid MIC or other security failures Security Analysis and Improvements for IEEE 802.11i, He and Mitchell, NDSS05

16 @Yuan Xue (yuan.xue@vanderbilt.edu) Web Security Authentication of Web Service Cookies Scripts Java Scripts XSS SQL injection Active X

17 @Yuan Xue (yuan.xue@vanderbilt.edu) Worm& DoS Availability Issues Probe rate of Code red worm (a typical random-scanning worm) Probes of Slammer worm from Dshield data set Initially matched random scanning worm Soon slowed down due to bw saturation and network failures

18 @Yuan Xue (yuan.xue@vanderbilt.edu) Firewall & IDS Deployment Internet SMTP HTTP FTP TELNET Packet filter Application gateway

Download ppt "@Yuan Xue Network Security Review and Beyond Network Security."

Similar presentations

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
Cryptography and Network Security

Cryptography and Network Security
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Security S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents Security requirements Public key cryptography Key agreement/transport.

Security S Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents Security requirements Public key cryptography Key agreement/transport.
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.
SSL : An Overview Bruhadeshwar Bezawada International Institute of Information Technology, Hyderabad.

SSL : An Overview Bruhadeshwar Bezawada International Institute of Information Technology, Hyderabad.
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Network Security Chapter 8. Cryptography Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental Cryptographic.

Network Security Chapter 8. Cryptography Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental Cryptographic.
Cryptography and Network Security Chapter 17

Cryptography and Network Security Chapter 17
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE Wireless Local Area Networks (WLAN’s).
Lecture 22 Internet Security Protocols and Standards modified from slides of Lawrie Brown.

Lecture 22 Internet Security Protocols and Standards modified from slides of Lawrie Brown.
Chapter 8 Network Security 4/17/2017 www.noteshit.com.

Chapter 8 Network Security 4/17/2017
Chapter 8 Web Security.

Chapter 8 Web Security.

Similar presentations

Ads by Google