Security in Networks

• Single point of failure

• Resillence or fault tolerance

• CS model

Computer Security Objectives

• Data confidentiality• Assures that private or confidential information is not made available

or disclosed to unauthorized individuals• Privacy

• Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed

Confidentiality

• Data integrity• Assures that information and programs are changed only in a

specified and authorized manner• System integrity

• Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system

Integrity

• Assures that systems work promptly and service is not denied to authorized users

Availability

CIA Triad

4

Securing data

Possible additional concepts:

Authenticity• Verifying that

users are who they say they are and that each input arriving at the system came from a trusted source

Accountability• The security goal

that generates the requirement for actions of an entity to be traced uniquely to that entity

Security in Networks caracteristica

• Environment of use

• Shape and size

• Mode of communication

• Media

• Protocols

• Type of networks

• Topologies

Security in Networks caracteristica

• Environment of use• Anonymity• Automation• Distance• Opaqueness• Routing diversity

Security in Networks caracteristica

• Shape and size• Boundary• Ownership• Control

Security in Networks caracteristica

• Mode of communication• Digital• Analog

Security in Networks caracteristica

• Media• Cable• Optical fiber• Wireless• Microwave• Infrared• Satellite

Security in Networks caracteristica

• Protocols• ISO OSI• TCP/IP• Adressing Scheme• Routing Concept

Security in Networks caracteristica

• Type of network• LAN• MAN• WAN• Internetworks (Internets)

Security in Networks caracteristica

• Topologies• Common bus• Star or Hub• Ring• Tree structure

• Distributed system• API’s

Security in Networks caracteristica

• Advanteges of computer networks• Ressource sharing• Distribution of the workload• Increased reliability• Expandability

Security in Networks Threats

• What makes a network vulnerable• Anonymity• Many points of attack – both targets and

origins• Sharing• Complexity of system• Unknown perimeter• Unknown path

Security in Networks Threats

• Who attacks networks• Challenge• Fame• Money and espionage• Ideology

• Hactivism• Cyberterrorism

Security in Networks Threats

• Areas• Precursors• Authentication Failure• Programming flaws• Confidentiality• Integrity• Avaliability

Security in Networks Controls

• Areas• Security threat analysis• Design and implementation• Architecture• Encryption• Content integrity• Strong authentication• Acess controls• Alarm and alerts• Traffic flow • Control review

Security in Networks Controls

• Security threat analysis• Read communication• Modify communication• Forge communication• Inhibit communication• Read data• Modify or destroy data at C

Security in Networks Controls

• Architecture• Segmentation• Redundancy• Single point of failure

Security in Networks Controls

• Encryption• Link encryption• End to end encryption• Comparison of encryption methods• Virtual Private Networks (VPN)• Public Key Infrastructure (PKI) and certificates• SSH encryption• SSL encryption• IPSec• Signed code• Encrypted e-mail

Security in Networks Controls

• Content integrity• Error correction codes• Cryptographic checksum

Security in Networks Controls

• Strong Authentication• One time password• Challenge response systems• Digital distributed authentication• Kerberos

Security in Networks Controls

• Access controls• ACL’s on routers• Firewall

Security in Networks Controls

• Alarm and alerts• Intrusion detection systems (IDS)• Intrusion prevention systems (IPS)• Honey pots

PrecursorsTable 7-7. Network Vulnerabilities and Controls.

Target Vulnerability Control

Precursors to attack

Port scan Firewall

Intrusion detection system

Running as few services as possible

Services that reply with only what is necessary

Social engineering Education, user awareness

Policies and procedures

Systems in which two people must agree to perform certain security-critical functions

Reconnaissance Firewall

"Hardened" (self-defensive) operating system and applications

Intrusion detection system

OS and application fingerprinting

Firewall

"Hardened" (self-defensive) applications

Programs that reply with only what is necessary

Intrusion detection system

Authentication

Authentication failures

• Impersonation Strong, one-time authentication

Guessing • Strong, one-time authentication

• Education, user awareness

Eavesdropping Strong, one-time authentication

Encrypted authentication channel

Spoofing Strong, one-time authentication

Session hijacking Strong, one-time authentication

Encrypted authentication channel

Virtual private network

Man-in-the-middle attack Strong, one-time authentication

Virtual private network

Protocol analysis

Programming flawsProgramming flaws

Buffer overflow Programming controls

Intrusion detection system

Controlled execution environment

Personal firewall

Addressing errors Programming controls

Intrusion detection system

Controlled execution environment

Personal firewall

Two-way authentication

Parameter modification, time-of-check to time-of-use errors

Programming controls

Intrusion detection system

Controlled execution environment

Intrusion detection system

Personal firewall

Server-side include Programming controls

Personal firewall

Controlled execution environment

Intrusion detection system

Programming flaws cont.

Cookie Firewall

Intrusion detection system

Controlled execution environment

Personal firewall

Malicious active code: Java, ActiveX

Intrusion detection system

Programming controls

Signed code

Malicious code: virus, worm, Trojan horse

Intrusion detection system

Signed code

Controlled execution environment

Intrusion detection system

Malicious typed code Signed code

Intrusion detection system

Controlled execution environment

Confidentiality

Confidentiality Protocol flaw Programming controls

Controlled execution environment

Eavesdropping Encryption

• Passive wiretap Encryption

Misdelivery Encryption

Exposure within the network

End-to-end encryption

• Traffic flow analysis • Encryption

• Traffic padding

• Onion routing

• Cookie Firewall

Intrusion detection system

Controlled execution environment

IntegrityIntegrity Protocol flaw Firewall

Controlled execution environment

Intrusion detection system

Protocol analysis

Audit

Active wiretap Encryption

Error detection code

Audit

Impersonation Firewall

Strong, one-time authentication

Encryption

Error detection code

Audit

Falsification of message Firewall

Encryption

Strong authentication

Error detection code

Audit

Integrity cont.

Noise Error detection code

Web site defacement Error detection code

Intrusion detection system

Controlled execution environment

Hardened host

Honeypot

Audit

DNS attack Firewall

Intrusion detection system

Strong authentication for DNS changes

Audit

AvaliabilityAvailability Protocol flaw Firewall

Redundant architecture

Transmission or component failure

Architecture

Connection flooding, e.g., echo-chargen, ping of death, smurf, syn flood

Firewall

Intrusion detection system

ACL on border router

Honeypot

DNS attack • Firewall

• Intrusion detection system

• ACL on border router

• Honeypot

Traffic redirection Encryption

Audit

Distributed denial of service

• Firewall

• Intrusion detection system

• ACL on border router

• Honeypot