Presentation is loading. Please wait.

Presentation is loading. Please wait.

COEN 351 Internet Security. Network Layer Security Application Layer Security System Security.

Published byGeraldine Jennings Modified over 8 years ago

Similar presentations

Presentation on theme: "COEN 351 Internet Security. Network Layer Security Application Layer Security System Security."— Presentation transcript:

1 COEN 351 Internet Security

2 Network Layer Security Application Layer Security System Security

3 Network Layer Security Packets might be Modified in transit May be spoofed May contain bad payload. Network layer security provides Authentication and integrity Confidentiality Access control

4 Application Layer Security Safeguards built into a particular application. Becomes more important as trust in network layer security diminishes. Provides Authentication Access Control Confidentiality Data integrity Non-repudiation

5 System Security Protection of a particular end system by Removal of known vulnerabilities (patching) Minimal penetration risk configuration Limits ports on which it listens Limits services that run. Authentication of downloaded software Proper audit mechanisms Up-to-date administration Password changes enforced. Guessable passwords are disallowed. User accounts reflect needs.

6 Firewalls Border Router First / last router under control of system administration. DMZ Demilitarized zone. Security is low, since not protected by firewall. Locate webservers and other services there that generate potentially unsafe traffic. Firewall Filters packages based on a variety of rules.

7 Firewalls IDS Intrusion Detection System. NIDS: glean intrusion signatures from traffic. HIDS: monitor activity at a host on which they are located. VPN Virtual private network Screened subnet Area protected by an internal firewall.

8 Firewalls Configuration Management Known vulnerabilities account for most of actually perpetrated exploits. For most of them, patches were available, but not installed. CM tries to enforce uniform security policies. Backdoors An entrance into the system that avoids perimeter defenses.

9 Firewall Packet Filtering Static Packet Filtering Allow or deny access to packets based on internal characteristics. access list 111 deny ip host 205.205.205.205.1 any access list 111 permit tcp host 205.205.205.205.1 any access list 111 deny icmp any any echo-request access list 111 permit icmp any any packet-to-big access list 111 deny icmp any any Cisco extended ACL

10 Firewall Static Packet Filtering Difficult to design efficient rules. Easy to get the rules tables wrong and allow bad traffic. Security risks People can piggy-back bad messages in harmless ones. http traffic is known to be used as a backdoor. Loki uses unused fields in normal TCP packets. Fragmentation allows the filter to look only at a fragment Most only look at the first fragment

11 Firewall Static Packet Filtering Configuring a packet filter: Security Policy: what is allowed, what is not allowed. Allowable types of packets must be specified logically, in terms of logical expression on packet fields. Expressions need to be rewritten in the firewall vendor’s language.

12 Firewall Static Packet Filtering Example Security Policy: Allow inbound mail messages (SMTP, port 25), but only to gateway. Block host faucet. actionOur hostportTheir hostport comment block**faucet* We don’t trust these people. allowOUR-GW25** Connection to our SMTP server

13 Firewall Static Packet Filtering Example If no rule applies, then the packet is dropped. Without additional rules, our rule set would drop all non-mail packets. There would also be no replies. Beware of a rule like this (intended to allow acks) Based solely on outside host’s port number. Port 25 is usually the mail port. But there is no guarantee. actionOur hostportTheir hostport comment allow***25 Connection to their SMTP port

14 Firewall Static Packet Filtering Example Expand rule set to allow connection with the outside: actionOur hostportTheir hostport Flagcomment block**faucet* allowOUR-GW25** allow(our host)**25 Our packets to their port allow*25**ACK Their replies Specify the names of all machines allowed to send mail to the outside here.

15 Firewall Static Packet Filtering Address Spoofing At a minimum: Don’t allow inside source addresses coming in. Don’t allow outside source addresses going out. Block source routing at the border routers.

16 Firewall Static Packet Filtering Routing Information If a node is unreachable from the outside then the node is almost (but not quite) as safe as a node disconnected from the net. Internal routers should not advertise paths to such nodes to the outside. Filter routes learned from the outside: Subversion by route confusion. Route squatting: Use internal addresses that belong to a different domain. The nodes are de facto unreachable from the outside. Use non-announced addresses. (e.g. 10.x.x.x) But beware, when companies merge, these addresses tend to be incompatible. So pick addresses in unpopular address ranges.

17 Firewall Static Packet Filtering Performance Packet filtering is done at the border. No degradation for the internal network. Typically, connection to ISP is the bottleneck. However: Degradation depends on the number of rules applied. Can be mitigated by careful ordering of rules.

18 Firewall Application Level Filtering Packet filters only look at The source address The destination address TCP / UDP port numbers TCP / UDP flags. Application filters deals with the details of the service they are checking. E.g. a mail application filter looks at RFC 822 headers. MIME attachments. Might identify virus infected attachments.

19 Firewall Application Level Filtering Snort: Allows to set up rules that pass a packet on to another service. Commercial firewalls Include application level filters for many products. Use non-disclosure agreement to obtain proprietary protocols

20 Firewall Dynamic Packet Filtering Stateful Firewall Still look at each packet. Maintains a state of each connection. Implements connection filtering. Dynamically adjust a filtering table of current connections. Implementation Adjust the filtering rules dynamically. E.g.: We started an HTTP connection to a given host. Now HTTP packages from that host are allowed. OR: Terminate the connection at the firewall and then have the firewall call the ultimate destination (proxying).

21 Proxy Firewalls Proxies act on behalf of a client. Proxy firewall Reverse Proxy Receives packages on one card. Processes requests. Translates them into internal requests on other card. Receives answers from inside and translates to the outside.

22 Proxy Firewalls Proxy firewall Forward Proxy Receives requests from the inside. Processes requests. Translates them into requests to the outside on other card. Receives answers from outside and translates to the inside. Acts on behalf of inside machine that is protected from the vagaries of the internet.

23 Proxy Firewalls Application level proxies work at the level of application. Circuit-level proxies does not understand the application makes filtering decisions by validating and monitoring sessions.

24 Virtual Private Networks

25 VPN uses connections over an existing public network Connection secured with encryption Host to Host Host to Gateway Gateway to Gateway

26 Virtual Private Networks

27 Encryption can be done at Application level. Transport level. Network level. Data link level.

28 Virtual Private Networks Application Level Pretty Good Privacy Secure Shell (SSH) Transport Level Secure Socket Layer Does not protect the package, but its content. Typically runs at the application level of the OS, so OS does not need to be changed. Network Level IPSec Encrypts package itself. Encrypted package receives a new package header. IPSec protects port address, but not destination address. OS need to be changed (but only once: Win2000, WinXP) Data Link Layer 2 Tunneling Protocol addition to Point-to-Point protocol (PPP) Encrypts packets on the data layer.

29 Virtual Private Networks Alternatives are dedicated point-to- point connections such as a private T1 line. Most secure. Most expensive. Takes time to set-up.

30 IPSec Overview Changes the IP layer to provide security. Transport mode Protects the upper-layer protocol (TCP) data in each packet and provides end-to-end protection Tunnel mode Protects an entire IP packet by enveloping it in a new packet with its own plaintext IP header.

31 IPSec Implemented below the transport layer. No application needs to be rewritten. Is part of the OS. Applications TCP IPsec IP lower layers

32 IPSec An IPSec packet in tunnel mode completely encapsulates the payload. IP Header is either an Authentication Header ESP Encapsulating Security Payload that tells the user which Security Association to use. IP HeaderIPSec headerSecure IP Payload

33 IPSec Security Association Cryptographically protected connection. Paradigm to manage authentication and confidentiality between sender and receiver. Unidirectional. IPSec header contains SPI (Security Parameter Index) that identifies the security association. Allows partner to look up the necessary data such as the key in SA database.

34 IPSec Security Association Database When X transmits to Y in IPSec, X looks up Y in the SA database. Provides key Provides SPI Provides algorithms to be used Provides sequence number When Y receives a transmission, Y uses the SPI and the destination address to find the SA.

35 IPSec Security Policy Database Specifies what to do with packets: Dropping Forwarded and accepted without IPSec protection Forwarded and protected by IPSec Decision based on fields in the IPsec packet.

36 IPSec Two types of IPsec headers. AH Authentication header. Provides integrity protection only. Allows firewalls to peek at TCP ports. ESP Encapsulating Security Payload Optional integrity protection Optional encryption

37 IPSec Transport mode versus Tunnel mode Original PacketIPsec Package in Transport ModeIPSec Package in Tunnel Mode IP header | restIP header | IPsec header | restnew IP hdr | IPSec | IP header | rest

38 IPSec IPsec in tunnel mode for a VPN: IP: src=R1, dst=R2 | ESP | IP: src=A, dst=B | packet

39 Secure Socket Layer 1995: deployed in Netscape Navigator as SSLv2. 1995: Microsoft fixes SSLv2 and introduces a similar protocol Private Communication Technology (PCT) 1996: Netscape introduces SSLv3 1999: IETF introduces Transport Layer Security. SSLv3 remains the most implemented protocol.

40 Secure Socket Layer SSL is built on top of TCP. TCP provides reliable packet delivery. Rogue packet problem: Maliciously introduced TCP packet. Easy to do, since it only needs to satisfy the non- cryptographic TCP checksum. SSL disregards the package. TCP however will not accept the true packet, because it looks like a double to it. SSL will have to start over.

41 Secure Socket Layer Various keys are formed from various random numbers exchanged during the protocol. Negotiate crypto-protocols.

42 Secure Socket Layer SSL sessions are long-lived. Many SSL connections can be derived from an SSL session.

43 Secure Socket Layer: Session Connection AliceBob Hello. Ciphers I support. R Alice Certificate. Ciphers I choose. R Bob {S} Public Key of Bob. {Keyed Hash of Messages} {Keyed Hash of Messages} S is a random number, the pre-master secret. K is the master secret, calculated from R Alice, R Bob, S

44 Secure Socket Layer: Session Resumption If Bob wants to have multiple connections per session, he sends in Message 2 a session id. If Alice presents in Message 1 a session id, they skip the handshake. Alice can still negotiate ciphers with Bob who might have changed policies. AliceBob Session ID. Ciphers I support. R Alice Session ID. Certificate. Ciphers I choose. R Bob {Keyed Hash of Messages}

45 Secure Socket Layer SSL comes deployed with public keys of various trusted organizations. User can modify this list. User verifies public keys by sending certificate requests to the organizations in the list.

46 Secure Socket Layer SSLv3 upgrades: Protects against the “downgrade attack” Active attacker replaces the initial messages with ones containing weak crypto. Protects against the “truncation attack” Active attacker sends a TCP close (FIN) message. TCP is not protected, so the connection is abnormally terminated without SSL being aware of it.

47 Secure Shell: SSH SSH client and server are applications (running on top of OS). SSH consists of a bunch of applications. But SSH is not a UNIX shell.

48 Secure Shell: SSH Client contacts server. Client and server disclose the SSH versions they support. Client and server switch to a packet based protocol. Packet consists of 4B length, 1-8B of random padding, one-byte packet type code, packet payload data, four-byte integrity check field.

49 Secure Shell: SSH Server identifies itself by sending Host key Server key 8 random bytes (use as cookie) List of encryption, compression, authentication methods. Both sides compute a 128b session identifier.

50 Secure Shell: SSH When the client receives the host key, the client looks into the known host database. If the host key matches the one in the database then the client proceeds. If the host is in the database but with a different key, then the client queries the user. Otherwise, the client warns the user and proposes to add host and key to the known host database.

51 Secure Shell: SSH Client randomly generates a session key. Clients sends the session key encrypted with the server key and then with the host’s public key. Together with the choice of crypto-suites. Both sides now use the session key for encryption. Server sends confirmation message encrypted with the session key. This proves the server’s authenticity to the client.

52 Secure Shell: SSH Authentication phase starts: SSH1 tries out Kerberos Rhosts RhostsRSA Public key TIS Password

53 WAP: Wireless Application Protocol Wireless information and telephony services on wireless phones

Download ppt "COEN 351 Internet Security. Network Layer Security Application Layer Security System Security."

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
McGraw-Hill © ©The McGraw-Hill Companies, Inc., 2004 Chapter 31 Security Protocols in the Internet.

McGraw-Hill © ©The McGraw-Hill Companies, Inc., 2004 Chapter 31 Security Protocols in the Internet.
1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.

1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.
Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:

Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:
COEN 350 Network Defense in Depth Firewalls. Terms of the Trade Border Router First / last router under control of system administration. DMZ Demilitarized.

COEN 350 Network Defense in Depth Firewalls. Terms of the Trade Border Router First / last router under control of system administration. DMZ Demilitarized.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
K. Salah1 Security Protocols in the Internet IPSec.

K. Salah1 Security Protocols in the Internet IPSec.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

Similar presentations

Ads by Google