Slide 1: Internet Security
  Will Lennon, 2/24/2000
  Based on Learning Tree Course #468: Internet and Intranet Security: A Comprehensive Introduction
Slide 2: Security Model, Objectives vs. Threats (February 20, 2001, Will Lennon)
  Normal Flow: Information Source -> Information Destination
  Authenticity vs. Masquerade
  Integrity vs. Modification
  Privacy vs. Interception
  Availability vs. Interruption
Slide 3: Authenticity vs. Masquerade
  Personal Authenticity (Logins): restricts access by unauthorized users
  Interior Authenticity (DHCP, IPSec): restricts access by unauthorized hosts
  Exterior Authenticity (firewalls): restricts access to internal services
Slide 4: Authenticity vs. Masquerade
  3 ways to establish personal identity:
    Something you know (Passwords)
    Something you have (Keys)
    Something you are (Biometrics)
Slide 5: Personal Authenticity vs. Masquerade
  Password attacks:
    Guessing (spouse, pets, child)
    Cracking passwords (dictionary attacks)
    Snooping passwords (network analyzers)
    Social Engineering (Deception)
    Trojan Horses
Slide 6: Personal Authentication Methods
  One-time lists
  Repeated hashing (S/Key, OPIE)
  Electronic tokens
  Challenge-Response Schemes (CHAP)
Slide 7: Interior Authentication: IPSec
  Generic security mechanism for IPv6
  A security association is created between two parties
  Provides privacy services as well as authentication
  Included in most modern O.S.s
Slide 8: Exterior Authentication: Firewalls
  Packet Filters
    Stateless Packet Filters
    Stateful Packet Filters
  Proxies
    Application Proxy
    Circuit-Level Gateways
Slide 9: Sanity Check
  Network 1: 147.117.xx.xx
  Network 2: 192.168.88.xx
  Router between the two networks
  From: 192.168.88.11 To: 192.168.88.33, arriving from Network 1 with a Network 2 source address: Insane, blocked
  From: 147.117.32.65 To: 192.168.88.33: Sane, pass
Slide 10: Stateless Packet Filters
  Network 1: 147.117.xx.xx
  Network 2: 192.168.88.xx
  Router rules:
    Telnet (port 23): Block
    SMTP (port 25): Pass
Slide 11: Stateless Packet Filter Refinements: TCP
  Block incoming packets without ACK to block connections initiated by external hosts
  Doesn’t work for UDP
  TCP Handshake: Client -> Server: SYN; Server -> Client: SYN + ACK; Client -> Server: ACK
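The three filtering ideas from slides 9 to 11 (the source-address sanity check, per-port block/pass rules, and the ACK refinement for TCP) as one stateless inbound filter. This is an added example, not code from the course; the networks, the open/blocked service sets and the sample packets are constructed from the slide figures.

```python
from ipaddress import ip_address, ip_network

# Constructed topology from the slides: Network 1 (147.117.x.x) is outside,
# Network 2 (192.168.88.x) is inside; rules apply to packets arriving from outside.
INSIDE = ip_network("192.168.88.0/24")
OPEN_SERVICES = {("tcp", 25)}      # SMTP (port 25): pass, even new connections
BLOCKED_SERVICES = {("tcp", 23)}   # Telnet (port 23): block

def filter_inbound(pkt: dict) -> str:
    """Stateless decision for one packet: 'pass' or 'block: <reason>'.
    pkt keys: src, dst, proto ('tcp'/'udp'), dport, flags (set of TCP flags)."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    # Sanity check: a packet from outside that claims an inside source is insane.
    if src in INSIDE:
        return "block: insane source (spoofed inside address)"
    if dst not in INSIDE:
        return "block: not addressed to inside network"
    service = (pkt["proto"], pkt["dport"])
    if service in BLOCKED_SERVICES:
        return "block: service denied"
    if service in OPEN_SERVICES:
        return "pass"
    if pkt["proto"] == "tcp":
        # Refinement: a segment without ACK is a SYN that would start a connection
        # from outside; replies to inside-initiated connections always carry ACK.
        if "ACK" not in pkt.get("flags", set()):
            return "block: connection initiated from outside"
        return "pass"
    # UDP has no handshake, so the ACK refinement cannot be applied: a stateless
    # filter can only open a UDP port completely or block it.
    return "block: udp service not open"

SAMPLE = [  # constructed packets, all seen on the router's outside interface
    {"src": "192.168.88.11", "dst": "192.168.88.33", "proto": "tcp", "dport": 25, "flags": {"SYN"}},
    {"src": "147.117.32.65", "dst": "192.168.88.33", "proto": "tcp", "dport": 25, "flags": {"SYN"}},
    {"src": "147.117.32.65", "dst": "192.168.88.33", "proto": "tcp", "dport": 23, "flags": {"SYN"}},
    {"src": "147.117.32.65", "dst": "192.168.88.33", "proto": "tcp", "dport": 80, "flags": {"SYN"}},
    {"src": "147.117.32.65", "dst": "192.168.88.33", "proto": "tcp", "dport": 1025, "flags": {"SYN", "ACK"}},
    {"src": "147.117.32.65", "dst": "192.168.88.33", "proto": "udp", "dport": 53, "flags": set()},
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p["src"], "->", p["dst"], p["proto"], p["dport"], ":", filter_inbound(p))
```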
Slide 12: Problems with Stateless Packet Filtering
  IP Fragmentation
  Protocols with variable port numbers
  Non-standard use of standard ports
Slide 13: Circuit-Level Gateway
  Inside Host -- Gateway -- Outside Host
  1: Inside Host connects to TCP port on Gateway
  2: Gateway connects to Outside Host
  3: Gateway passes messages transparently
Slide 14: Screened Subnet Topology
  Screening Router (Packet Filter) in front of a DMZ, with the Internal Network behind it
  DMZ: WWW/FTP Server, WWW Server, DWOS Proxy
Slide 15: Chapman Architecture
  Two Screening Routers (Packet Filters): one between the outside and the DMZ, one between the DMZ and the Internal Network
  DMZ: WWW/FTP Server, WWW Server, DWOS Bastion Host
Slide 16: Privacy vs. Interception
  3 ways to maintain information privacy:
    Hide the existence -> steganography
    Hide the content -> access control
    Hide the meaning -> encryption
Slide 17: Cryptography / Encryption
  "Hello" -> Encryptor (Key A) -> "a#k3Wj" -> Decryptor (Key B) -> "Hello"
  Two types of cryptographic algorithms exist:
    1) Secret Key (aka Symmetrical): Key A == Key B. DES, 3DES, Blowfish, RC5, IDEA, Skipjack
    2) Public Key (aka Asymmetrical): Key A != Key B. RSA, DSA
  Hash Functions: MD5, SHA
Slide 18: Public Key Encryption Example
  Alice: “I want to send you a secret message.”
  Ahab: “Encrypt it with my public key: s6sd2KlUq.”
  Alice: “Here’s the message: iqm3k2lsjesk”
  Ahab: “Got it.”
Slide 19: Virtual Private Networks (VPNs)
  VPN is an encrypted tunnel through which all data passes between two endpoints
  Endpoints are usually firewalls
  Encryption technology varies, often negotiated using IPSec
  Net 1 -- VPN across the Internet -- Net 2
Slide 20: Integrity vs. Modification
  Use a Hash Function to assure Integrity.
  Message -> Hash Function -> Hash Sum
  A Hash Sum or message digest is:
    data dependent
    irreversible
    collision free
Slide 21: Cryptography for Personal Messages
  Message -> MD5 Hash (Integrity) -> Hash Sum
  Hash Sum -> Encrypt with Sender’s Private Key (Authenticity) -> Digital Signature
  Message + Digital Signature -> Encrypt with Receiver’s Public Key (Privacy) -> Encrypted Private Message
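The hash-sum and personal-message pipeline of slides 20 and 21 carried through end to end, as an added example that is not part of the course material: hash with MD5 (as the slide names it), sign the hash sum with the sender's private key, encrypt with the receiver's public key, then reverse it and detect tampering. It assumes textbook RSA with no padding and constructed Mersenne-prime keys, which illustrates the mechanism but is not a usable cryptosystem.

```python
import hashlib

# Constructed toy parameters: Mersenne primes large enough that a 128-bit MD5
# digest and a short message fit below n. Textbook RSA without padding is
# used only to show the slide's pipeline.
SENDER_PRIMES = (2**61 - 1, 2**89 - 1)
RECEIVER_PRIMES = (2**107 - 1, 2**127 - 1)
E = 65537

def make_keypair(p, q, e=E):
    """Return ((e, n), (d, n)): public key, private key."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)               # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def md5_int(msg: bytes) -> int:
    """MD5 hash sum as an integer (always < 2**128 < n)."""
    return int.from_bytes(hashlib.md5(msg).digest(), "big")

def sign(msg: bytes, sender_priv) -> int:
    """Integrity + authenticity: 'encrypt' the hash sum with the sender's private key."""
    d, n = sender_priv
    return pow(md5_int(msg), d, n)

def verify(msg: bytes, sig: int, sender_pub) -> bool:
    """Recover the hash sum with the sender's public key and compare it to a fresh hash."""
    e, n = sender_pub
    return pow(sig, e, n) == md5_int(msg)

def encrypt(data: bytes, receiver_pub) -> int:
    """Privacy: encrypt with the receiver's public key; data must be < n."""
    e, n = receiver_pub
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("message too long for the toy modulus")
    return pow(m, e, n)

def decrypt(c: int, receiver_priv) -> bytes:
    d, n = receiver_priv
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def send_private_message(msg, sender_priv, receiver_pub):
    """Slide 21: hash, sign with sender's private key, encrypt with receiver's public key."""
    return sign(msg, sender_priv), encrypt(msg, receiver_pub)

def receive_private_message(sig, ciphertext, receiver_priv, sender_pub):
    """Decrypt with receiver's private key, then check the signature: (message, authentic)."""
    msg = decrypt(ciphertext, receiver_priv)
    return msg, verify(msg, sig, sender_pub)
```

A modified message, or a signature made with any other private key, fails `verify` because the recovered hash sum no longer matches the recomputed one.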
Slide 22: Availability vs. Interruption
  Bombs: files that have undesirable behavior
  Viruses: designed to propagate themselves; limited to a particular OS or application; must be attached to another piece of software
  Worms: similar to viruses but are stand-alone software
Slide 23: Availability vs. Interruption
  Electro-Magnetic Pulse (EMP)
  HERF gun: High Energy Radiated Frequency
  Data Flood: -->traceOn(“”)
  Broadcast Storms: “Smurf Attack”
  Bombardment Attacks: SYN flood
  Duplicate IP Address problem
Slide 24: SYN Flood
  TCP Handshake: Client -> Server: SYN; Server -> Client: SYN + ACK; Client -> Server: ACK
  Server opens a new port, sends response, and waits for client to acknowledge.
  Client repeatedly sends SYN messages.
  Client never sends the ACK message.
  Server’s ports quickly become full.
Slide 25: Smurf Attack
  Roles: Attack Station, Relays, Zombies, Victim (1.2.3.4)
  Attack Station sends Ping To: 255.255.255.255 From: 1.2.3.4 (the Victim’s address) via the Relays to the Zombies
  Each Zombie sends Ping Response To: 1.2.3.4 From: w.x.y.z
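Detection logic for the two availability attacks on slides 24 and 25, run over constructed packet summaries: SYN segments that never get an ACK from the same client pile up as half-open connections (SYN flood), and an echo request addressed to a broadcast address carries the eventual victim as its claimed source (Smurf). This is an added example, not course code; the log format, the local network and the threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed packet summaries (not captured traffic): "proto src dst key=value ...".
SAMPLE_LOG = """\
tcp 10.9.9.1 192.168.88.33 dport=80 flags=SYN
tcp 10.9.9.2 192.168.88.33 dport=80 flags=SYN
tcp 10.9.9.3 192.168.88.33 dport=80 flags=SYN
tcp 10.9.9.4 192.168.88.33 dport=80 flags=SYN
tcp 10.9.9.5 192.168.88.33 dport=80 flags=SYN
tcp 147.117.32.65 192.168.88.33 dport=80 flags=SYN
tcp 147.117.32.65 192.168.88.33 dport=80 flags=ACK
icmp 1.2.3.4 255.255.255.255 type=echo-request
icmp 1.2.3.4 192.168.88.255 type=echo-request
icmp 147.117.32.65 192.168.88.33 type=echo-request
"""

LOCAL_NETS = [ipaddress.ip_network("192.168.88.0/24")]   # assumed local subnet
HALF_OPEN_THRESHOLD = 4                                  # assumed alert level

def parse(line: str) -> dict:
    proto, src, dst, *kv = line.split()
    rec = {"proto": proto, "src": src, "dst": dst}
    rec.update(item.split("=", 1) for item in kv)
    return rec

def is_broadcast(addr: str) -> bool:
    """Limited broadcast or the directed broadcast of a local subnet."""
    a = ipaddress.ip_address(addr)
    return a == ipaddress.ip_address("255.255.255.255") or any(
        a == net.broadcast_address for net in LOCAL_NETS)

def analyze(log_text: str) -> list:
    alerts = []
    half_open = defaultdict(set)   # (server, port) -> clients whose SYN got no ACK back
    for line in log_text.splitlines():
        r = parse(line)
        if r["proto"] == "tcp":
            key = (r["dst"], r["dport"])
            if r["flags"] == "SYN":               # handshake step 1 from this client
                half_open[key].add(r["src"])
            elif "ACK" in r["flags"]:             # step 3 completes it; no longer half-open
                half_open[key].discard(r["src"])
        elif r["proto"] == "icmp" and r.get("type") == "echo-request" and is_broadcast(r["dst"]):
            alerts.append("smurf: echo-request to broadcast %s, claimed source %s (possible victim)"
                          % (r["dst"], r["src"]))
    for (server, port), clients in half_open.items():
        if len(clients) >= HALF_OPEN_THRESHOLD:
            alerts.append("syn-flood: %d half-open connections to %s:%s" % (len(clients), server, port))
    return alerts
```

A real sensor would also age half-open entries out over time; here the whole sample is evaluated at once.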
Slide 26: Requirements for Good Security
  Security Policy
  Security Technology
  Activity Logging
  Incident Response Plan
  Enforcement