Chapter13 - Network Security

Chapter13-Network Security 1

While computer systems today have good security systems, they are also vulnerable.

Vulnerability stems from world-wide access to computer systems via Internet.

Computer and network security comes in many forms including encryption algorithms, access to facilities, digital signatures, finger prints, face scans, other biometric means, and passwords.

Network Security - Introduction


Network Security, cont’d

Companies are reluctant to publicly admit that they have suffered losses due to failed network security.Security goals must be set by IT, BUT SUPPORTED BY HIGHEST LEVELS OF MANAGEMENT.


Basic security measures for computer systems fall into eight categories:

External security Operational security

Surveillance Passwords

Auditing Access rights

Standard system attacks Viruses

Basic Security Measures


Protection from environmental damage such as floods, earthquakes, and heat.

Physical security such as locking rooms, locking down computers, keyboards, and other devices.

Electrical protection from power surges.

Electromagnetic noise protection from placing computers away from devices that generate electromagnetic interference.

External Security


Deciding who has access to what.

Limiting time of day access.

Limiting day of week access.

Limiting access from a location, such as not allowing user to use a remote login during certain periods or any time.

Operational Security


Passwords - common form of security and most abused.

Rules for safe passwords include:

• Change your password often.

• Password - minimum 8 characters, mixed symbols.

• Don’t share passwords or write them down.

• Don’t select names and familiar objects as passwords.

Passwords and ID Systems


Many new forms of “passwords” are emerging (biometrics):

• Fingerprints

• Face prints

• Retina scans and iris scans

• Voice prints

• Ear prints

Passwords and ID Systems


Creating computer or paper audit can help detect wrongdoing.

Auditing can also be used as a deterrent.

Many network operating systems allow administrator to audit most types of transactions.

Auditing as Security


Auditing as Security, cont’d

Manual audits can be done by either internal or external personnel. Manual audits severe to verify effectiveness of policy development and implementation, and extent of security in overall corporate security policy. Automated audits depend on software able to assess weaknesses of network security and security standards.



Some automated audit tools are able to analyze network for vulnerabilities and make recommendationsOther tools merely capture events so that security people can figure out who did what and when after security breach has occurred.



Security probes test various aspects of enterprise network security and report results and suggest improvements.Intrusion detection systems test perimeter of enterprise network through dial modems, remote access servers, web servers, or Internet access.Network based intrusion detection systems use network traffic probes distributed throughout network to identify traffic patterns that may indicate some type of attack may be underway


Two basic questions to access rights: who and how?

Who do you give access rights to? No one, group of users, entire set of users?

What level of access does a user or group of users get? Read, write, delete, print, copy, execute?

Procedures set to remove people who leave or transfer.

Most network OS have method system for assigning access rights.

Access Rights as Security


SECURITY POLICY DEVELOPMENT LIFE CYCLE

SPDLC is depicted as cycle since evaluation processes validate the effectiveness of original analysis stages.Next slide shows SDLC.Look at this slide as management tool of steps that have to be taken.


Identify business related security issues

Analyze security risks, threats, and

vulnerabilities

Design the security architecture and the

associated processes

Implement security technology and

processes

Audit impact of security technology and

processes

Evaluate effectiveness of current architectures

and policies

GOLDMAN & RAWLES: ADC3e FIG. 13-01

Security Policy Development Life Cycle


Security Requirements Assessment

Start research by finding out if your friends in field can give you manuals of what they have done.Define needs requirements for users in organization.Security refers to restrictions of information upon users, and responsibilities of users for implementation and enforcement.


Scope and Feasibility of Studies

Define scope of security study.Realize that there is a balance between security and productivity.Optimal balance will protect resources while not impacting on worker productivity.


High risk Low cost Open access No productivity loss Open access may lead to data loss or data integrity problems which may lead to productivity loss.

High cost Low risk Restrictive access Productivity loss Overly restrictive security may lead to noncompliance with security processes which may lead to loss of security

Balanced risk and costs Restrictiveness of security policy balanced by people's acceptance of those policies

Lack of security may ultimately have

negative impact on productivity

No productivity loss occurs from access

restrictions

SECURITYPRODUCTIVITY


Overly restrictive security casues

productivity decline

Security needs take priority over user

access


Minimize negative impact on

productivity

Maximize security processes

BALANCE

Optimal Balance of Security and Productivity

Overly Restrictive Security

Lack of Security


Security vs. Productivity Balance


Assets, Threats, and Risks

Security methodologies have major steps; Identify assets – includes hardware,

software, and media used to store data.

Identify threats – anything that can pose a danger to assets.

Identify vulnerabilities – potential problems in security system


Assets, Threats, and Risks

Security methodologies- continued Consider risks – probability of

successfully attacking particular asset Identify risk domains – groups of

network systems sharing common functions and common elements of exposure.

Take protective measures – Virus protection, firewalls, authentication, encryption


System or combination of systems that supports an access control policy between two networks.

Firewall can limit types of transactions that enter system, as well as types of transactions that leave system.

Firewalls can be programmed to stop certain types or ranges of IP addresses, as well as certain types of TCP port numbers (applications).

Firewalls, cont’d


Firewalls


Packet filter firewall - essentially router that has been programmed to filter out or allow in certain IP addresses or TCP port numbers.

Proxy server - more advanced firewall that acts as doorman into corporate network. Any external transaction that requests something from corporate network must enter through proxy server.

Proxy servers are more advanced but make external accesses slower.

Firewalls, cont’d


Proxy Server


Attack Strategies

Attack strategies concentrate on weaknesses of specific systems.Two servers communicating with TCP set up three step exchange of address and confirmation.


Attack Strategies, cont’d

Following attack strategies take negative advantage of three step exchange Denial of service attack – hacker

floods server with request to connect to non-existent servers

Land attack – hacker substitutes targeted server’s own address as address of server requesting connection


Signature-based scanners look for particular virus patterns or signatures and alert user.

Terminate-and-stay-resident programs run in background constantly watching for viruses and their actions.

Multi-level generic scanning is combination of antivirus techniques including intelligent checksum analysis and expert system analysis.

Guarding Against Viruses


Denial of service attacks - bombard computer site with many messages site is incapable of answering valid requests.

e-mail bombing - user sends an excessive amount of unwanted e-mail.

Smurfing - technique in which program attacks network by exploiting IP broadcast addressing operations.

Ping storm - Internet Ping program is used to send flood of packets to server.

Standard System Attacks, cont’d


Spoofing - user creates packet that appears to be something else or from someone else.

Trojan Horse - malicious piece of code hidden inside seemingly harmless piece of code.

Stealing, guessing, and intercepting passwords is also tried and true form of attack.

Standard System Attacks, cont’d


Web Specific Attack Strategies

Minimizing web attacks requires using following techniques: Eliminate unused user accounts and

default accounts (Guest) Remove/disable unused services such

as FTP, Telnet, etc. Remove unused Unix command shells

and interpreters


Web Specific Attack Strategies cont’d

Properly set permission levels on files and directoriesStay up to date with current attack strategies, and defenses.Beware of Common Gateway Interface programs extracting web server password files. Take corrective measures.


Management Role and Responsibility

Executive responsibilities Set Security Policy of the Organization Allocate sufficient resources – staff,

funding, etc. Information is corporate resource Assign responsibility for protecting

information resources Require computer security training for

staff


Management Role and Responsibility, cont’d

Hold employees responsibility for corporate resources in their care

Audit (internal and external) corporate security

Follow through with penalties for violations of corporate security


Management Role and Responsibility, cont’d

Management responsibility Assess responsibilities in your

corporate security area Assess balance between security and

productivity Assess vulnerabilities with your area

of responsibility Adhere and enforce corporate policies


Policy Development Process

Establish processes and policiesBe sure affected user groups are represented on policy development task force. Emphasis should be on corporate wide awareness relating to importance of protecting corporate information and network access.


Policy Implementation Process

Having been included in policy development process, users are expected to support policiesUser responsibilities Protect data you have Corporate resources are property of

company


Policy Implementation Process

Continued Inform supervisor of suspicious

actions, or people Never share your passwords Choose password that is impossible to

discover Log off before leaving your computer Lock up sensitive material backups Backup important data


Policy Implementation Process, cont’d

Policy implementation should force changes in people’s behaviors, which can cause resistance Use appropriate technology and associated processes to execute policy.Security architectures imply security solutions have been predefined for given corporation’s variety of computing and network platforms.


Policy Implementation Process, cont’d

If users involvement was substantial during policy development stage and if buy-in was assured at each stage of policy development, then process stands better chance of succeeding.


VIRUS PROTECTIONComprehensive protection plan must combine policy, people, processes, and technology to be effective.Virus - describes computer program that gains access to computer system or network with potential to disrupt normal activity of that system or network.


VIRUS PROTECTION, cont’d

Viruses triggered by passing of certain date or time is referred to as time bombs whereas viruses that require certain event to transpire are known as logic bombs.Trojan horse - actual virus is hidden inside program and delivered to target system or network to be infected.


ANTIVIRUS STRATEGIESEffective antivirus policies and procedures must first focus on use and checking of diskettes/files. Antivirus strategies Identify vulnerabilities Keep antivirus updated


ANTIVIRUS STRATEGIES, cont’d

Antivirus strategies, continued Install virus scanning software Non employees should be prohibited

from installing laptops to system. Install virus scanning software on

commonly used laptops Write protect diskettes

with .exe, .com files


Client PC ServerHub

Router

INFECTION

Infected file is spread through database replication

and/or Infected file is spread by being attached to multiclient conference

Infected

Client PC ServerHub

Router

RE-INFECTION

Modification of infected document on any client or server will cause replication and reinfection of other servers Inclusion of infected documents in multiclient conference will reinfect all clients

Disinfected

Client PC with original infected

document

re-infection


Collaborative Software Infection/Reinfection Cycle


ANTIVIRUS TECHNOLOGIES

Virus scanning is primary method for successful detection and removal. Emulation technology - detect unknown viruses by running programs with software emulation program known as a virtual PC. Execution program can be examined in environment for symptoms of viruses. Advantage of such programs is they identify potentially unknown viruses based on behavior rather than by relying on natures of known viruses.


ANTIVIRUS TECHNOLOGIES, cont’d

CRC checkers or hashing checkers creates and saves unique cyclical redundancy check character each file to be monitored. Each time that file is subsequently saved, new CRC is checked against the reference CRC.If CRCs do not match, then file has been changed. Shortcoming of technology - only able to detect viruses after infection.Active control monitors is able to examine transmissions from Internet in real time and identify known malicious content based on contents of definition libraries.


Router

Point of Attack: Client PC Vulnerabilities

Infected diskettes Groupware conferences with infected documents

Protective Measures Strict diskette scanning policy Autoscan at system start-up

Point of Attack: Internet Access Vulnerabilities

Downloaded viruses Downloaded hostile agents

Protective Measures Firewalls User education about the dangers of downloading

Point of Attack: Server Vulnerabilities

Infected documents stored by attached clients Infected documents replicated from other groupware servers

Protective Measures Autoscan run at least once a day Consider active monitoring virus checking before allowing programs to be loaded onto server Rigorous backup in case of major outbreak Audit logs to track down sources

Point of Attack: Remote Access Users Vulnerabilities

Frequent up/downloading of data and use of diskettes increase risk Linking to customer sites increases risk

Protective Measures Strict diskette scanning policy Strict policy about the connection to corporate networks after linking to other sites.

INTERNET

hub

Client PC

Remote Access Users

Server


Virus Infection Points of Attack and Protective

Measures


FIREWALLSTo prevent unauthorized access from Internet into company’s confidential data, specialized software known as firewall is often deployed.Firewall software usually runs on dedicated server that is connected to, but outside of, corporate network. All network packets entering firewall are filtered, or examined, to determine whether or not those users have authority to access requested files.


Firewall Architecture Difficulty with firewalls is there are no standards for firewall functionality, architectures, or interoperability.Firewall architecture 1. Packet filtering 2. Application gateway 3. Internet firewalls


PACKET FILTERINGPackets of data on Internet are identified by source address of computer that issued message and destination address of Internet server.Filter - program that examines source address and destination address of incoming packet to firewall server. Filter tables - lists of addresses whose data packets and embedded messages are either allowed or prohibited from proceeding through the firewall.Filter tables can limit access of certain IP addresses to certain directories.


PACKET FILTERING, cont’dFiltering time introduces latency to overall transmission time. Packet filter gateways can be implemented on routers. Existing piece of technology can be used for dual purposes. Packet filters can be breached by hackers in technique known as IP spoofing.If hacker can make packet appear to come from an unauthorized or trusted IP address, then it can pass through firewall.


Application GatewaysAlso called application level filtersPort level filters determine legitimacy of party asking for information, application level filters assures validity of what they are asking for.Application level filters examine entire request for data rather than source and destination addresses.


Application Gateways, cont’d

Application gateways are concerned with what services or applications message is requesting in addition to who is making request.Once legitimacy of request has been established, only proxy clients and servers actually communicate with each other.


INTERNET or nonsecure

network

Protected Network

Packet-filtering firewall (router)

Incoming IP packets examined Incoming IP source and destination addresses compared to filter tables Outgoing packets have direct access to Internet

Packet Filter Firewall


network

Protected Network

Trusted Gateway

Proxy application 2

Client Server


Trusted applications establish connections directly Applications gateway is single-homed

Information servers WWW servers

Proxy application 1

Client Server

Application Gateway

trusted application


network

Protected Network

Application Gateway

Proxy application: FTP

Proxy FTP

Client

Proxy FTP

Server

Proxy application: TELNET

Proxy TELNET Server

Proxy TELNET

Client

Other proxy applicationsclient

server

server

client


network

Protected Network

Dual-Homed Gateway

Proxy application 2

Client Server


All traffic goes through application gateway


Proxy application 1

ClientServer

Dual-Homed Application

Gateway

WWW requestScreened

Subnet


Packet Filters and Application Gateways



network

Protected Network


Incoming IP packets examined Incoming IP source and destination addresses compared to filter tables Outgoing packets have direct access to Internet

Packet Filter Firewall


network

Protected Network

Trusted Gateway

Proxy application 2

Client Server


Trusted applications establish connections directly Applications gateway is single-homed


Proxy application 1

Client Server

Application Gateway

trusted application


network

Protected Network

Application Gateway

Proxy application: FTP

Proxy FTP

Client

Proxy FTP

Server

Proxy application: TELNET

Proxy TELNET Server

Proxy TELNET

Client

Other proxy applicationsclient

server

server

client


network

Protected Network

Dual-Homed Gateway

Proxy application 2

Client Server


All traffic goes through application gateway


Proxy application 1

ClientServer

Dual-Homed Application

Gateway

WWW requestScreened

Subnet


Proxies, Trusted Gateways, and Dual-Homed Gateways


INTERNET FIREWALLSCategory of software known as internal firewalls has begun to emerge.Internal firewalls include filters that work on data link, network, and application layers to examine communications that occur only on a corporation’s internal network, inside reach of traditional firewall.Internal firewalls act as access control mechanisms, denying access to applications user does not have specific access approval.


Authentication and Access Control

Authentication products break down into three overall categories: What you know - single sign-on (SSO)

access to multiple network attached servers and resources via passwords.

What you have - requires user to posses type of smart card or token authentication device to generate single use passwords.

What you are - validates users based on physical characteristic, i.e. fingerprints, hand geometry, or retinal scans.


Token Authentication Provides one-time use session passwords authenticated by associated server software. Hardware based smart cards are

about size of credit card with or without numeric keypad.

In-line token authentication devices connect to serial port of computer for dial-in authentication through modem.

Software tokens are installed on the client PC and authenticated with server portion of token authentication product transparently to end user.


Challenge-response token authentication

Challenge-response token authentication involves following steps: User enters an assigned user ID and

password at client. Token authentication server software

returns numeric string known as challenge.

Challenge number and PIN are entered on smart card.


Challenge-response token authentication, cont’d

Smart card displays response number on LCD screen.

Response number is entered on client workstation and transmitted back to token authentication server.

Token authentication server validates response against expected response from user and this particular smart card.


Smart Card

76731270

Client

PSTN

Authentication Server

Personal ID and smart card display are entered

into client PC

Authentication server compares received smart card generated

number to current time-synchronous server-generated number. If they match, the user is authenticated.

Personal ID and current number displayed on smart card (ie. 76731270)

Time Synchronous

Smart Card

11266542

Client

PSTN


Response number from smart card display is entered into client PC and transmitted to authentication server

Authentication server compares received response number to

expected response number. If they match, the user is authenticated.

Response number displayed on smart card (ie. 11266542)

Challenge - Response

Smart Card

76731270

Client

PSTN


Smart card ID is entered into

client PC

User ID and personal smart card ID number (ie. 76731270)

modem modem

Challenge number is returned to client (ie. 65490873)

Smart Card

65490873 Returned challenge number is entered into

smart card keypad


Challange-Response vs. Time-Synchronous Token

Authentication


Biometric Authentication Biometric authentication can authenticate users based on fingerprints, palm prints, retinal patterns, voice recognition, or other physical characteristics.Biometric authentication devices require valid users first register by storing copies of fingerprints, voice, or retinal patterns in validation database.


Authorization vs. Authentication

Authorization is concerned with assuring that properly authorized uses are able to access particular network resources.Authentication - ensures that only legitimate users are able to log into network.


KERBEROSKerberos – combination of authentication and authorization software.Kerberos architecture consists of three key components: Kerberos client software Kerberos authentication server

software Kerberos application server software


Personal computers running Kerberos client

software

Applications servers with at least one running Kerberos server software

Kerberos Server

Kerberos Realm A

router

Kerberos Realm C

Kerberos Realm DKerberos Realm B


Ticket-Granting Server

Kerberos Database


software


Kerberos server

router



Kerberos Database


software


Kerberos server

router



Kerberos Database


software


Kerberos server

router



Kerberos Database

Enterprise Network


Kerberos Architecture


KERBEROS, cont’dKerberos must communicate directly with application.Kerberos enforces authentication and authorization through use of ticket based system. Encrypted ticket is issued for sever to client session and is valid for preset amount of time. From network analyst’s perspective, concern is centered on amount of network bandwidth consumed by addition of Kerberos security.


Cryptography - creating and using encryption and decryption techniques.

Plaintext - data before any encryption has been performed.

Ciphertext - data after encryption has been performed.

Key is unique piece of information used to create ciphertext and decrypt ciphertext back into plaintext.

Basic Encryption and Decryption Techniques


Encryption/Decryption


CiphersA few ciphers to be examined: Monoalphabetic Substitution-based

Ciphers Polyalphabetic Substitution-based

Ciphers Transposition-based Ciphers


Monoalphabetic substitution-based ciphers replace character or characters with different character or characters, based upon some key.

Replacing: abcdefghijklmnopqrstuvwxyz

With: POIUYTREWQLKJHGFDSAMNBVCXZ

The message: how about lunch at noon

encodes into EGVPO GNMKN HIEPM HGGH

Monoalphabetic Substitution-based Ciphers


Similar to monoalphabetic ciphers except multiple alphabetic strings are used to encode the plaintext.

For example, matrix of strings, 26 rows by 26 characters or columns can be used.

Key such as COMPUTERSCIENCE is placed repeatedly over the plaintext.

COMPUTERSCIENCECOMPUTERSCIENCECOMPUTER

thisclassondatacommunicationsisthebest

Polyalphabetic Substitution-based Ciphers


To encode the message, take the first letter of the plaintext, t, and the corresponding key character immediately above it, C. Go to row C column t in the 26x26 matrix and retrieve the cipher text character V. See next slide for 26 x 26 matrix.

Continue with other characters in plaintext.

Polyalphabetic Substitution-based Ciphers


26 x 26 Cipher Character Matrix


In transposition-based cipher, order of plaintext is not preserved.

As simple example, select key such as COMPUTER.

Number letters of word COMPUTER in order they appear in alphabet.

1 4 3 5 8 7 2 6

C O M P U T E R

Transposition-based Ciphers


Transposition-based Ciphers

Now take the plaintext message and write it under the key.

1 4 3 5 8 7 2 6

C O M P U T E R

t h i s i s t h

e b e s t c l a

s s i h a v e e

v e r t a k e n

Transposition-based Ciphers, cont’d


Then read ciphertext down the columns, starting with the column numbered 1, followed by column number 2.

TESVTLEEIEIRHBSESSHTHAENSCVKITAA

Transposition-based Ciphers, cont’d


Powerful encryption technique in which two keys are used: first key (public key) encrypts message while second key (private key) decrypts message.

Not possible to deduce one key from other.

Not possible to break code given public key.

If you want someone to send you secure data, give them your public key, you keep private key.

Secure sockets layer on Internet is common example of public key cryptography.

Public Key Cryptography and Secure Sockets Layer


Combination of encryption techniques, software, and services that involves all necessary pieces to support digital certificates, certificate authorities, and public key generation, storage, and management.

Digital certificate is an electronic document, similar to passport, that establishes your credentials when you are performing transactions.

Public Key Infrastructure


Digital certificate contains your name, serial number, expiration dates, copy of your public key, and digital signature of certificate-issuing authority.

Certificates are usually kept in registry so other users may check them for authenticity.

Public Key Infrastructure, cont’d


Certificates are issued by certificate authority (CA). CA is either specialized software on company network or trusted third party.

Let’s say you want to order something over Internet. Web site wants to make sure you are legitimate, so web server requests your browser to sign order with your private key (obtained from your certificate).



Web server then requests your certificate from third party CA, validates that certificate by verifying third party’s signature, then uses that certificate to validate signature on your order.

User can do same procedure to make sure web server is not bogus operation.

Certificate revocation list is used to “deactivate” user’s certificate.



Applications that could benefit from PKI:

• World Wide Web transactions

• Virtual private networks

• Electronic mail

• Client-server applications

• Banking transactions



More powerful data encryption standard.

Data is encrypted using DES three times: the first time by first key, second time by second key, and third time by first key again. (Can also have 3 unique keys.)

While virtually unbreakable, triple-DES is CPU intensive.

With more smart cards, cell phones, and PDAs, a faster (and smaller) piece of code is highly desirable.

Triple-DES


Selected by U.S. government to replace DES.

National Institute of Standards and Technology selected the algorithm Rijndael (pronounced rain-doll) in October 2000 as basis for AES.

AES has more elegant mathematical formulas, requires only one pass, and was designed to be fast, unbreakable, and able to support even smallest computing device.

Advanced Encryption Standard (AES)


Key size of AES: 128, 192, or 256 bits.

Estimated time to crack (assuming a machine could crack a DES key in 1 second) : 149 trillion years.

Very fast execution with very good use of resources.

AES should be widely implemented by 2004.

Advanced Encryption Standard (AES)


ENCRYPTION

Encryption - changing of data into indecipherable form before transmission.Decryption - changing unreadable text back into its original form. Types of encryption DES-Private Key RSA – Public key Digital signature Key Management Alternatives


DES – Private Key Encryption

Decrypting device must use same algorithm to decode or decrypt data as encrypting device used to encrypt data. DES allows encryption devices manufactured by different firms to interoperate successfully. Encryption key customizes commonly known algorithm to prevent anyone without private key from decrypting documents.


RSA – Public Key Encryption

Public key - combines usage of both public and private keys.In public key encryption, sensing encryption device encrypts document using intended recipient’s public key and originating party’s private key. To decrypt the document, receiving encryption/decryption device must be programmed with intended recipient’s own private key and sending party’s public key.


Digital Signature Encryption

Digital signature encryption - electronic means of guaranteeing authenticity of sending party and assurance that encrypted documents have not been altered during transmission.Original document is processed by hashing program to produce a mathematical string unique to exact content of original document.Unique mathematical string is encrypted using originator’s private key.Encrypted digital signature is appended to and transmitted with encrypted original document.


Digital Signature Encryption, cont’d

To validate authenticity of received document, recipient uses public key associated with apparent sender to regenerate digital signature from received encrypted document.Transmitted digital signature is compared by recipient to regenerated digital signature produced by using public key and received document.


Company A client

INTERNET -or-

nonsecure network

Company B client

The private key must be distributed across nonsecure network.

Private Key -or- Symmetric

Original document

Private key

Encrypted document

Original documentPrivate

key

Encryption Decryption

Private key

Company A client

INTERNET -or-

nonsecure network

Company B client

Company B gets Company A's public key from Company A or from certificate authority.

Public Key

Original document

Private key

Encrypted document

Original document

encryption Decryption

Public key

A B+

Public key

Private key

A B+

Company A gets Company B's public key from Company B or from certificate authority.

Company A client

INTERNET -or-

nonsecure network

Company B client

Digital Signature

Original document

Private key

Encrypted document

Original document

Encryption decryption

Public key

A B+

Public key

Private key

A B+

Locally regenerated digital signature is compared to original

transmitted digital signature

A private

Digital signature encrypted OriginalA

publicdigital signature digital signatures

Regenerated

=


Private, & Public, and Digital Signature Encryption


Key Management Alternatives

Key Management - Before computers can communicate in secure manner, they must be able to agree on encryption and authentication algorithms and establish keys.Standards for key management: ISAKMP (Internal Security Association and

Key Management Protocol) from IETF. Largely replaced by IKE (Internet Key Exchange).

SKIP (Simple Key Management for IP)


Key Management Alternatives, cont’d

Public key dissemination must be managed so users are assured public keys received are actually public keys of companies or organizations they are alleged to be.Public key infrastructures that link user to are implemented through use of server based software known as certificate services.Certificate server software supports encryption and digital signatures while flexibility supporting directory integration, multiple certificate types, and variety of request fulfillment options.


Document to be signed is sent through complex mathematical computation that generates hash.

Hash is encoded with owner’s private key.

To prove future ownership, hash is decoded using owner’s public key and hash is compared with current hash of document.

If two hashes agree, document belongs to owner.

U.S. has just approved legislation to accept digitally signed documents as legal proof.

Digital Signatures


Applied Security Scenarios Install only software/hardware need. Allow only essential traffic into/out of

network. Eliminate other traffic by blocking with routers or firewalls.

Investigate outsourcing web-hosting services so corporate web server is not physically on same network as rest of corporate information assets.

Use routers to filter traffic by IP addresses.


Applied Security Scenarios, cont’d

Make sure router OS software has been patched to prevent attacks by exploiting TCP vulnerabilities.

Identify information assets most critical to corporation, and protect those servers first.

Implement physical security constraints to hinder physical access to critical resources such as servers.


Applied Security Scenarios, cont’d

Develop effective, and enforceable security policy. Monitor its implementation and effectiveness.

Consider installing proxy server or application layer firewall.

Block incoming DNS queries and requests for zone transfers.

Disable all TCP ports and services not essential so hackers are not able to exploit and use services.


Integration with Information Systems and Application

Development Authentication products must be integrated with existing information systems and applications development efforts.APIs (Application Program Interfaces) are means by which authentication products are able to integrate with client/server applications.Application development fits combine an application development language with supported APIs.


Remote Access Security Protocol and associated architecture known as remote authentication dial-in user (RADIUS) offers potential to enable centralized management of remote access users and technology.RADIUS enables communication between following three tiers of technology: Remote access devices such as remote

access servers and token authentication technology from variety of vendors.

Enterprise databases that contain authentication and access control information.

RADIUS authentication server.


Remote access server BRAND B

Remote access server BRAND A

Remote access server BRAND C

RADIUS server

RADIUS management

console

Remote user

Remote user

Modem

Modem

INTERNET or nonsecure network users

PC

PC Modem

Modem

modem

User authentication

database

Accounting and authentication

information

Secure network

Firewall

A wide variety of remote access servers and firewalls from numerous vendors can all be managed by RADIUS Large numbers of remote access users accessing the network from numerous different points and using different authentication techniques can all be managed by RADIUS


RADIUS


Remote Access Security, cont’d

RADIUS allows network managers to centrally manage remote access users, access methods, and logon restrictions.RADIUS allows centralized auditing capabilities such as keeping track of volume of traffic sent and amount of time on-line.For authentication, it supports password authentication protocol (PAP), challenge handshake authentication protocol (CHAP), and SecurID token authentication.


Password Authentication Protocol (PAP),

PAP is designed for dial in communication.PAP repeatedly sends user ID and password to authenticating system in clear text pairs until it is acknowledged or connection is dropped.


Challenge Handshake Authentication Protocol

(CHAP)CHAP provides secure means for establishing dial in communication.CHAP uses three-way challenge or handshake that includes user ID, password, and key encryption for ID and password. Problem with system is some mechanism must be in place for both receiver and sender to know and have access to key.


E-Mail, Web, and Internet/Intranet Security

Two primary standards for encrypting traffic on the WWW S-HTTP (Secure Hypertext Transport

Protocol) – secure version of HTTP requires both client and server S-HTTP versions to be installed for secure end-to-end encrypted transmission.

SSL – SSL is described as wrapping an encrypted envelope around HTTP transmissions. SSL is connection-level encryption method providing security to network link itself.


E-Mail, Web, and Internet/Intranet Security,

cont’d

Secure Courier and is offered by Netscape.Secure Courier is based on SSL and allows users to create a secure digital envelope for transmission of financial transactions over Internet.


E-Mail, Web, and Internet/Intranet Security,

cont’d

Additional forms of security are: PCT PEM PGP SET S/MIME Virtual Private Network Security


Private Communications Technology (PCT)

Microsoft’s version of SSLPCT supports secure transmissions across unreliable (UDP rather TCP based) connections by allowing decryption of transmitted records independently from each other, as transmitted in individual datagrams. Targeted primarily toward on-line commerce and financial transactions


Privacy Enhanced Mail (PEM)

PEM - encryption technique for e-mail use on Internet used in association with SMTP (Single Mail Transport Protocol).PEM was designed to use both DES and RSA encryption techniques, but it would work with other encryption algorithms as well.


Pretty Good Privacy (PGP)

An Internet e-mail specific encryption standard that also uses digital signature encryption to guarantee the authenticity, security, and message integrity PGP over-comes inherent security loopholes with public/private key security schemes by implementing Web of trust in which e-mail users electronically sign each other’s public keys to create an interconnected group of key users.


Secure Electronic Transactions (SET)

SET - series of standards to assure confidentiality of electronic commerce transactions.Standards are becoming promoted by credit card giants VISA and MasterCard.A single SET compliant electronic transaction could require as many as six cryptographic functions, taking from one-third to one-half of second on high-powered UNIX workstation.An important aspect of SET standards is incorporation of digital certificates or DIgital IDs


Secure Multipurpose Internet Mail Extension (S/MIME)

S/MEME secures e-mail in e-mail applications that have been S/MEME enabled.S/MEME enables different e-mail systems to exchange encrypted messages and encrypt multimedia as well as text based e-mail.


Virtual Private Network (VPN) Security

To provide virtual private networking capabilities using the Internet as an enterprise network backbone, specialized tunneling protocols needed to be developed that could establish private, secure channels between connected systems.Two rival standards are examples of such tunneling protocols: Microsoft’s point-to-point tunneling protocol

(PPTP) Cisco’s layer two forwarding (L2F)


Virtual Private Network (VPN) Security, cont’d

Unification of two rival standards is known as layer 2 tunneling protocol (L2TP). One shortcoming of proposed specification is that it does not deal with security issues such as encryption and authentication.Next slide illustrates use of tunneling protocols to build VPN using Internet as enterprise network backbone.


VIRTUAL PRIVATE NETWORK

INTERNET

Tunneling protocol:PPTP L2F L2TP

CORPORATE HEADQUARTERS

REMOTE CLIENT

ADSL, ISDN, or modem connection

ROUTER at corporate headquarters strips off tunneling protocols and forwards transmission to corporate LAN

Local Internet Service Provider creates a virtual private tunnel using tunneling protocol.


Tunneling Protocols Enable Virtual Private Networks


Virtual Private Network (VPN) Security, cont’d

IPsec - protocol that ensures encrypted communications across Internet via VPN through use of manually exchange.IPsec supports only IP-based communications.IPsec is standard that should enable interoperability between firewalls supporting protocol.


PPTP

PPTP is essentially tunneling protocol that allows managers to choose whatever encryption or authentication technology they wish to hang off either end of the established tunnel.PPTP Microsoft tunneling protocol specific to Windows NT and remote access servers.PPTP concerned with secure remote access in that PPP-enabled clients would be able to dial into corporate network by Internet.


Enterprise Network Security

To maintain proper security over widely distributed enterprise network, it is essential to be able to conduct certain security-related processes from single, centralized security management location.


Enterprise Network Security, cont’d

Among these processes or functions are Single point of registration (SPR) allows

network security manager to enter new user (or delete terminated user) from single centralized location and assign all associated rights, privileges, etc.

Single sign-on (SSO) also sometimes known as secure single sign-on (SSSO), allows users to log into enterprise network and be authenticated from client PC location.


Enterprise Network Security, cont’d

Single access control view allows users access from client workstation to only display resources user actually has access too.

Security auditing and intrusion detection is able to track and identify suspicious behaviors from both internal employees and potential intruders. Detection and response to such events must be controlled from centralized security management location.


Government Impact

Government agencies play major role in area of network security. Two primary functions of government agencies are: Standards making organizations that set

standards for the design, implementation, and certification of security technology and systems.

Regulatory agencies that control export of security technology to company’s international locations.

Chapter13 - Network Security

Documents

Transcript of Chapter13 - Network Security