544 Computer and Network Security


453 Network Security

Section 1: Introduction to Network Security

Dr. E.C. Kulasekere

Sri Lanka Institute of Information Technology - 2006

Text Books

• Network Security: Private Communication in a Public World, Charlie Kaufman, Pearson Education Inc., 2002

• Network Security: A Complete Reference – Roberta Bragg, Mark Rhodes-Ousley, Keith Strassberg – Tata McGraw-Hill 2004.

• Cryptography and Network Security/3e – William Stallings, Pearson Ed. 2003.

Syllabus

• Foundations of computer and network security.

• Access Control and Site Security.

• Threats and vulnerabilities.

• Attack Methods.

• Technical defenses: authentication, operating system security, firewalls, etc.

• Elements of Cryptography.

• Cryptographic Systems: SSL/TLS, VPNs, Kerberos.

• Application Security: Electronic Commerce and E-mail.

Syllabus …

• Network vulnerability assessment and intrusion detection.

• Remediation methods, including backup and repair strategies.

• Business continuity planning and disaster recovery planning.

• Legal issues, privacy, cyber war and cyber terror.

Other Information

• Web site: – http://www.ent.mrt.ac.lk/~ekulasek/ns

• Email: – [email protected]

• Telephone: – Found at website.

• All information will be updated on the website since I am a visiting instructor.

Expectation from Students

• Friendly atmosphere in class.

• Student involvement in discussions.

• Complete laboratory work in time.

• Do individual assignments by yourself and do not copy.

• Have an attitude that the course is for learning and not for passing exams.

Outline For this Section

• Computer Security, Laws and Crime
• Attacks, services and mechanisms
• Security attacks and security services
• Methods of defense
• Model for internetwork security, Internet standards and Request for Comments.
• Cryptographic algorithms
• Secure protocols
• Authentication, access control.

Security is it a New Concept?

• Lock the Doors and Windows. Control access
• Role Based Access - Only Mom is allowed to enter
• Don't talk to strangers - even if you see someone you know, look beyond.
• Don't share your secrets – keep sniffers at bay
• Don't accept gifts from strangers
• Play nice with others
• Leave your valuables at home. Don't steal
• Keep your shots up to date
• If you see something wrong, call the police.

Levels of Security

• Information security
  – Early days, security was provided by physical access restrictions.
  – With networking this changed.
• Computer security
  – Restriction to shared resource
  – Physical security
• Network security
  – Protection of data during transmission.
  – Infrastructure setup for security, e.g. a bastion host.

Are these definitions enough?

More Classifications

• Three D’s of security
  – Detection: tool based by monitoring
  – Defense: patching and updating
  – Deterrence: laws and policy making
• Classification based on business
  – Business agility
  – Return on investment
  – Risk management and business continuity planning
  – Customer confidence

Attack, Services and Mechanisms

• Security attack: any action that will compromise the security of information.

• Security mechanism: a mechanism that is designed to detect, prevent, or recover from a security attack.

• Security services: a service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.

Security Attacks

[Figure: normal flow of information from source to destination]

Security Attacks …

Interception

• An unauthorized party gets access to information.
• This is an attack on confidentiality.
• The attacker could be a person or a program.
• An example of this is unauthorized copying of files.

Security Attacks …

Interruption

• The system is destroyed or becomes unavailable.

• This is an attack on availability.

• This could be a destruction of a piece of hardware or cutting a communication line.

Security Attacks …

Modification

• An unauthorized party gains access to information and also modifies it.
• This is an attack on integrity of information.
• Modification of program or data files to operate or contain different information.

Security Attacks …

Fabrication

• An unauthorized party injects fabricated information into the system.

• This is an attack on authenticity.

• Examples of this are the insertion of spurious messages, the addition of records to a file, etc.

Attack Types

• Passive Attack
  – This type of attack does not involve the parties concerned.
  – Does not alter the information flowing between the parties.
• Active Attack
  – This type of attack involves the other parties concerned.
  – The information flow is altered.

Passive Attack

• This type of attack is hard to detect since it does not involve the other party or alter the data.
• This kind of attack can be prevented rather than detected.
• Examples are eavesdropping or monitoring of traffic.
• The objective of the opponent is to obtain the information that is being transmitted.
  – Release of message content – the opponent gets to know the contents.
  – Traffic analysis – the link traffic profile and information gathering is done by the opponent.

Active Attack

• This is easier to detect since the information stream is altered and involves the other party.
• Harder to prevent since no absolute protection is available with the current buggy systems.
• Involves some modification of the data stream or creation of a false stream.
  – Masquerading – the entity pretends to be a different entity. E.g. use a sniffer on a telnet stream.
  – Replay – passive capture of data, alter and then retransmit.

Security Services

• Confidentiality (privacy) – is the protection of transmitted data from passive attacks.
• Authentication (who created or sent the data) – is assuring that the communication is authentic.
• Integrity (has not been altered) – will ensure that the messages are received with no duplication, insertion, modification, reordering or replays.
  – Connection oriented service – addresses DoS and modifications (duplication, insertion, modification and reordering problems handled).
  – Connectionless service – deals with only individual messages and only assures against modification. This is because it only deals with individual packets.
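The difference between the two integrity services can be seen in a short added example (not part of the original slides). It assumes an HMAC-SHA256 tag as the integrity mechanism and a pre-shared key; the function and class names are hypothetical.

```python
import hashlib
import hmac
import os

KEY = os.urandom(32)  # assumption: secret already shared by both parties

def tag(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()

# Connectionless integrity: each message is protected on its own.
def send_connectionless(payload: bytes):
    return payload, tag(payload)

def recv_connectionless(msg) -> bool:
    payload, t = msg
    return hmac.compare_digest(t, tag(payload))

# Connection-oriented integrity: the tag also covers a sequence number,
# and the receiver keeps state about which number it expects next.
def send_connection(seq: int, payload: bytes):
    return seq, payload, tag(seq.to_bytes(8, "big") + payload)

class ConnectionReceiver:
    def __init__(self):
        self.expected = 0

    def recv(self, msg) -> bool:
        seq, payload, t = msg
        if not hmac.compare_digest(t, tag(seq.to_bytes(8, "big") + payload)):
            return False  # modified or inserted message
        if seq != self.expected:
            return False  # duplicate, replayed or reordered message
        self.expected += 1
        return True

def demo() -> dict:
    # Constructed sample messages.
    r = {}
    m = send_connectionless(b"pay 100 to bob")
    r["cl_genuine"] = recv_connectionless(m)
    r["cl_modified"] = recv_connectionless((b"pay 900 to bob", m[1]))
    r["cl_replayed"] = recv_connectionless(m)  # accepted: no per-stream state
    rx = ConnectionReceiver()
    m0 = send_connection(0, b"pay 100 to bob")
    m1 = send_connection(1, b"pay 20 to carol")
    r["co_genuine"] = rx.recv(m0)
    r["co_replayed"] = rx.recv(m0)  # rejected: sequence number already used
    r["co_modified"] = rx.recv((1, b"pay 99 to carol", m1[2]))
    r["co_in_order"] = rx.recv(m1)
    return r

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The connectionless receiver rejects the modified message but accepts the replayed one, while the stateful receiver rejects both.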

Security Mechanisms

• Separation
  – Physical separation
  – Temporal separation
  – Logical separation
  – Cryptographic separation
  – Combinations of all above
• Share all or nothing
• Share via access limitations
• Share by capabilities (tokens)
• Limit use of an object

Relationship Between Services and Mechanisms

A Model for Network Security

Design Issues in the Model

• Design an algorithm for performing the security related transformation. The algorithm should be such that an opponent cannot defeat its purpose.

• Generate the secret information to be used with the algorithm.

• Develop methods for the distribution and sharing of the secret information.

• Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret information to achieve a particular security service.

Other Considerations

• Network Design Considerations
  – Designing for acceptable risk.
  – Use of network models with security (LAN/WAN more secure?, Dedicated/non-dedicated?, segregation and isolation)
• Host hardening
  – Firewalls, Packet filtering
• Choice of network devices
  – Choice of routers and other hardware
  – Routing protocols
• Intrusion detection systems (IDS)
  – Host based IDS
  – Network based IDS

Security Highlighted - Kevin Mitnick

FBI arrested Kevin in February 1995

• stealing 20,000 credit-card numbers through the Internet, valued at over one million dollars.
• broke into the computer of Tsutomu Shimomura, a computer-security expert.
• managed to get access to a set of utility programs that would basically give him the tools necessary to break in almost anywhere.
• may have distributed these tools to other hackers.

The Downside!!

Kevin served five years in a Federal correctional institution before being released in January 2000.

Now charges $15,000 for a one hour talk!!
