Chapter 13
Network Security
Data Communications and Computer Networks: A Business User’s Approach
What we will cover
• Security measures
• Firewalls
• Business on the internet - Encryption
Introduction
While computer systems today have some of the best security systems ever, they are more vulnerable than ever before.
This vulnerability stems from the world-wide access to computer systems via the Internet.
Computer and network security comes in many forms:
• encryption algorithms
• access to facilities
• digital signatures
• fingerprints and face scans as passwords.
Where do most security breaches come from?
![Page 5: 1 Chapter 13 Network Security Data Communications and Computer Networks: A Business User’s Approach](https://reader036.vdocument.in/reader036/viewer/2022081504/56649f2e5503460f94c47fcb/html5/thumbnails/5.jpg)
5
What is network security?
• Network security is preventing attackers from achieving objectives through unauthorized access or unauthorized use of computers and networks.
www.cert.org
Basic Security Measures
The basic security measures for computer systems fall into eight categories:
• External security
• Operational security
• Surveillance
• Passwords/authentication
• Auditing
• Access rights
• Standard system attacks
• Viruses/worms
External Security
Protection from environmental damage such as floods, earthquakes, and heat.
Physical security such as locking rooms, locking down computers, keyboards, and other devices.
Electrical protection from power surges.
Noise protection from placing computers away from devices that generate electromagnetic interference.
Personnel security
• Most security violations have one common characteristic:
– They are caused by people!
• Training, Auditing, Least Privilege, ...
Operational Security
Deciding who has access to what.
Limiting time of day access.
Limiting day of week access.
Limiting access by location, such as not allowing a user to log in remotely during certain periods, or at all.
Sample dialog box from a network operating system for setting time-of-day restrictions
Surveillance
Proper placement of security cameras can deter theft and vandalism.
Cameras can also provide a record of activities.
Intrusion detection is a field of study in which specialists try to prevent intrusion and try to determine if a computer system has been violated.
Passwords and ID Systems
Passwords are the most common form of security and the most abused.
Simple rules help support safe passwords, including:
• Change your password often.
• Pick a good, random password (minimum 8 characters, mixed symbols).
• Don’t share passwords or write them down.
• Don’t select names and familiar objects as passwords.
• Most common password?
List of common passwords
Authentication
• Authentication is the process of reliably verifying the identity of someone (or something) by means of:
– A secret (password [one-time], ...)
– An object (smart card, ...)
– Physical characteristics (fingerprint, retina, ...)
– Trust
• Do not mistake authentication for authorization!
Controlling a user password with Novell Netware
Passwords and ID Systems - Authentication?
Many new forms of “passwords” are emerging:
• Fingerprints
• Face prints
• Retina scans and iris scans
• Voice prints
• Ear prints
Auditing
Creating a computer or paper audit can help detect wrongdoing.
Auditing can also be used as a deterrent.
Many network operating systems allow the administrator to audit most types of transactions.
Many types of criminals have been caught because of computer-based audits.
Windows NT Event Viewer example
Access Rights
Two basic questions about access rights: who and how?
Who do you give access rights to? No one, a group of users, the entire set of users?
How may a user or group of users access a resource? Read, write, delete, print, copy, execute?
Most network operating systems have a powerful system for assigning access rights.
Novell Netware assigning access rights to a resource
Viruses
Many different types of viruses, such as parasitic, boot sector, stealth, polymorphic, and macro.
A Trojan Horse virus is a destructive piece of code that hides inside a harmless-looking piece of code.
Sending an e-mail with a destructive attachment is a form of a Trojan Horse virus.
Virus Detection and Scanning
Signature-based scanners look for particular virus patterns or signatures and alert the user.
Terminate-and-stay-resident programs run in the background constantly watching for viruses and their actions.
Multi-level generic scanning is a combination of antivirus techniques including intelligent checksum analysis and expert system analysis.
http://www.symantec.com/avcenter/
What is the difference between a computer virus and a computer worm?
• Viruses are computer programs that are designed to spread themselves from one file to another on a single computer. A virus might rapidly infect every application file on an individual computer, or slowly infect the documents on that computer, but it does not intentionally try to spread itself from that computer to other computers. In most cases, that's where humans come in. We send e-mail document attachments, trade programs on diskettes, or copy files to file servers. When the next unsuspecting user receives the infected file or disk, they spread the virus to their computer, and so on.
• Worms, on the other hand, are insidious because they rely less (or not at all) upon human behavior in order to spread themselves from one computer to others.
• The computer worm is a program that is designed to copy itself from one computer to another over a network (e.g. by using e-mail). The worm spreads itself to many computers over a network, and doesn't wait for a human being to help. This means that computer worms spread much more rapidly than computer viruses.
HOAXES
Standard System Attacks
Denial of service attacks, or distributed denial of service attacks, bombard a computer site with so many messages that the site is incapable of answering valid requests.
In e-mail bombing, a user sends an excessive amount of unwanted e-mail to someone.
Smurfing is a nasty technique in which a program attacks a network by exploiting IP broadcast addressing operations.
Ping storm is a condition in which the Internet Ping program is used to send a flood of packets to a server.
Standard System Attacks
Spoofing is when a user creates a packet that appears to be something else or from someone else.
Trojan Horse is a malicious piece of code hidden inside a seemingly harmless piece of code.
Stealing, guessing, and intercepting passwords is also a tried and true form of attack.
Web Spoofing
• Web Spoofing is a security attack that allows an adversary to observe and modify all web pages sent to the victim's machine, and observe all information entered into forms by the victim. Web Spoofing works on both of the major browsers and is not prevented by "secure" connections. The attacker can observe and modify all web pages and form submissions, even when the browser's "secure connection" indicator is lit. The user sees no indication that anything is wrong.
• The attack is initiated when the victim visits a malicious Web page, or receives a malicious email message (if the victim uses an HTML-enabled email reader).
Smurfing to cripple a web server
Smurfing
• Smurfing is the attacking of a network by exploiting Internet Protocol (IP) broadcast addressing and certain other aspects of Internet operation. Smurfing uses a program called Smurf and similar programs to cause the attacked part of a network to become inoperable. The exploit of smurfing, as it has come to be known, takes advantage of certain known characteristics of the Internet Protocol (IP) and the Internet Control Message Protocol (ICMP). The ICMP is used by network nodes and their administrators to exchange information about the state of the network. ICMP can be used to ping other nodes to see if they are operational. An operational node returns an echo message in response to a ping message. A smurf program builds a network packet that appears to originate from another address (this is known as spoofing an IP address). The packet contains an ICMP ping message that is addressed to an IP broadcast address, meaning all IP addresses in a given network. The echo responses to the ping message are sent back to the "victim" address. Enough pings and resultant echoes can flood the network making it unusable for real traffic.
• One way to defeat smurfing is to disable IP broadcast addressing at each network router since it is seldom used. This is one of several suggestions provided by the CERT Coordination Center.
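Defender-side checks for the smurf exchange described above, as an added example that is not part of the slides or of the CERT guidance: a router-side test that models disabling directed-broadcast forwarding (the mitigation named on the slide), and a detector that flags a host receiving echo replies from many distinct responders at once. All addresses and packet records are constructed from the RFC 5737 documentation ranges; the record layout and function names are my own.

```python
"""Defender-side checks for the smurf flood described on the slide. Added example for this
page; addresses and packet records are constructed from the RFC 5737 documentation ranges."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.0.2.0/24")        # the network behind the router we defend (constructed)
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8    # ICMP message types from RFC 792
LIMITED_BROADCAST = ip_address("255.255.255.255")

# Packet record layout used below: (timestamp_s, src, dst, protocol, icmp_type_or_None)


def is_directed_broadcast_ping(record, net=LOCAL_NET):
    """True for an ICMP echo request addressed to the network's broadcast address.
    This is the packet a router drops once directed-broadcast forwarding is disabled:
    left alone, one such request fans out into an echo reply from every live host,
    all aimed at whatever source address the request carried."""
    _, _, dst, proto, itype = record
    if proto != "icmp" or itype != ICMP_ECHO_REQUEST:
        return False
    target = ip_address(dst)
    return target == net.broadcast_address or target == LIMITED_BROADCAST


def filter_directed_broadcast(records, net=LOCAL_NET):
    """Split records into (dropped, forwarded) the way a router with directed
    broadcasts disabled would treat them."""
    dropped = [r for r in records if is_directed_broadcast_ping(r, net)]
    forwarded = [r for r in records if not is_directed_broadcast_ping(r, net)]
    return dropped, forwarded


def reply_storm_victims(records, threshold=10, window=1.0):
    """Return {destination: distinct_responders} for hosts that receive echo replies
    from at least `threshold` different sources within any `window` seconds.
    Replies from many hosts converging on one address is the amplification
    signature seen at or near the victim."""
    replies = defaultdict(list)
    for ts, src, dst, proto, itype in records:
        if proto == "icmp" and itype == ICMP_ECHO_REPLY:
            replies[dst].append((ts, src))
    victims = {}
    for dst, events in replies.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            in_window = {src for ts, src in events[i:] if ts - t0 <= window}
            best = max(best, len(in_window))
        if best >= threshold:
            victims[dst] = best
    return victims


def build_sample_records():
    """Constructed capture: two echo requests carrying the victim 203.0.113.7 as a
    spoofed source hit our broadcast address; twelve of our hosts answer the victim.
    One ordinary ping exchange is mixed in so the detector has something to ignore."""
    recs = [
        (0.00, "203.0.113.7", "192.0.2.255", "icmp", ICMP_ECHO_REQUEST),
        (0.01, "203.0.113.7", "192.0.2.255", "icmp", ICMP_ECHO_REQUEST),
        (0.02, "198.51.100.20", "192.0.2.10", "icmp", ICMP_ECHO_REQUEST),
        (0.03, "192.0.2.10", "198.51.100.20", "icmp", ICMP_ECHO_REPLY),
    ]
    for host in range(1, 13):
        recs.append((0.10 + host / 100, f"192.0.2.{host}", "203.0.113.7", "icmp", ICMP_ECHO_REPLY))
    return recs


if __name__ == "__main__":
    sample = build_sample_records()
    dropped, forwarded = filter_directed_broadcast(sample)
    print(f"router dropped {len(dropped)} directed-broadcast pings, forwarded {len(forwarded)}")
    print("reply-storm victims:", reply_storm_victims(sample))
```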
What is SSH?
• SSH (Secure Shell) is a full replacement for rsh, rlogin, rcp, telnet, rexec, and ftp
• Automatic authentication (?) of users, no passwords are sent in clear text
• Secure remote login, file copying, and tunneling X11 and TCP connections (POP, IMAP, SMTP, HTTP)
www.cert.org
What is a firewall?
• Used to control the flow of traffic (both inflows and outflows, but primarily inflows) between networks
• The connected networks can be internal or a combination of internal and external networks
Firewalls
A system or combination of systems that supports an access control policy between two networks.
A firewall can limit the types of transactions that enter a system, as well as the types of transactions that leave a system.
Firewalls can be programmed to stop certain types or ranges of IP addresses, as well as certain types of TCP port numbers (applications such as ftp, telnet, etc.)
Transmission Control Protocol/Internet Protocol - TCP/IP
• A conglomeration of underlying protocols designed to enable communications between computers across networks
4 Basic Layers of TCP/IP
• Physical/Network Layer - Accepts and transmits network packets over the physical network. Physical networking protocols, such as Ethernet, and logical protocols, such as Address Resolution Protocol (ARP), are run at this layer.
• IP Layer - Responsible for routing packets across the network. Routing protocols, such as Routing Information Protocol (RIP) and Interior Gateway Routing Protocol (IGRP), are run at this layer.
4 Basic Layers of TCP/IP (cont.)
• Transport Layer - Manages the virtual session between two computers, with TCP providing end-to-end communication.
• Application Layer - Manages the networking applications and formats data for transmission.
Open Systems Interconnect (OSI)
• Developed by the International Organization for Standardization
• A seven layer model that further divides the layers from the TCP/IP model
TCP/IP
APPLICATION LAYER - HTTP - the desired program
TRANSPORT LAYER - TCP or UDP - provides the connection
NETWORK LAYER - IP - locates the destination IP address & routes message
LINK LAYER - Ethernet - physical devices
Application-based filtering - firewall
Packet-filtering routers
TCP/IP MODEL vs OSI MODEL
TCP/IP model (four layers): APPLICATION, TRANSPORT, INTERNET (IP), NETWORK INTERFACE
OSI model (seven layers): APPLICATION, PRESENTATION, SESSION, TRANSPORT, NETWORK, DATA LINK, PHYSICAL
Characteristics of Good Firewalls
• All traffic from inside the corporate network to outside the network, and vice-versa, must pass through it;
• Only authorized traffic, as defined by the security policy, is allowed to pass through it; and
• The system itself is immune to penetration.
A firewall as it stops certain internal and external transactions
Firewalls – 2 types
A packet filter firewall is essentially a router that has been programmed to filter out or allow to pass certain IP addresses or TCP port numbers.
A proxy server is a more advanced firewall that acts as a doorman into a corporate network. Any external transaction that requests something from the corporate network must enter through the proxy server.
Proxy servers are more advanced but make external accesses slower.
Firewall Filtering
• Firewall features that are standard on routers.
– Separate input and output filters on:
• Source and destination address
• Protocol (TCP/IP, IPX, UDP, ICMP, RIP, OSPF, BGP)
• Protocol service (Web, e-mail, FTP)
• Established sessions
– Packet logging
– Extended Frame Relay filtering (variable-length packet switching data transmission)
www.lucent.com
Static Firewalls
• Pre-configured rulebases are used for traffic passing decisions
• Default permit - the firewall allows all traffic except that which is explicitly blocked by the firewall rulebase
• Default deny - the firewall denies all traffic except that which is explicitly allowed by the firewall rulebase
Dynamic Firewalls
• Also uses rulebases, but the denial and permission of any service can be established for a given time period
• Stateful inspection is also a dynamic configuration
– A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Because of this, filtering decisions are based not only on administrator-defined rules (as in static packet filtering) but also on context that has been established by prior packets that have passed through the firewall.
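The filtering, default-permit versus default-deny, and stateful-inspection ideas from the last three slides, worked as one small rule engine. This is an added example, not the textbook's or any vendor's code; the Packet, Rule and Firewall names are my own and the addresses are constructed from the RFC 5737 documentation ranges. The rulebase mirrors the gate/choke diagram (deny everything entering except Telnet and FTP), and the demo shows the one case a static default-deny filter gets wrong that a state table gets right: the reply to a web request the inside opened.

```python
"""A small rule-based packet filter in the style of the firewall slides: default permit versus
default deny, input and output filters on address, protocol and port, and a state table so
that replies to established sessions pass (stateful inspection). Added example for this page;
addresses are constructed from the RFC 5737 documentation ranges."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INSIDE = "192.0.2.0/24"   # the corporate internal network (constructed)


@dataclass(frozen=True)
class Packet:
    direction: str         # "in" = outside -> inside, "out" = inside -> outside
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    direction: str         # "in", "out" or "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None   # service port (21 FTP, 23 Telnet, 25 SMTP, 80 HTTP)

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in ("any", pkt.direction)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class Firewall:
    def __init__(self, default: str, rules, stateful: bool = False):
        if default not in ("permit", "deny"):
            raise ValueError("default policy must be 'permit' or 'deny'")
        self.default, self.rules, self.stateful = default, list(rules), stateful
        # State table of sessions the inside opened: (in_host, in_port, out_host, out_port, proto)
        self.state = set()

    def decide(self, pkt: Packet):
        """Return (verdict, reason). Static filtering consults only the rulebase and the default
        policy; stateful inspection first checks whether an inbound packet answers a session
        that an earlier outbound packet established."""
        if self.stateful and pkt.direction == "in":
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.state:
                return "permit", "established"
        for rule in self.rules:                 # first matching rule wins
            if rule.matches(pkt):
                verdict, reason = rule.action, "rule"
                break
        else:
            verdict, reason = self.default, "default"
        if (verdict == "permit" and self.stateful and pkt.direction == "out"
                and pkt.proto in ("tcp", "udp")):
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return verdict, reason


def slide_rulebase():
    """Default-deny rulebase from the gate/choke diagram: only Telnet and FTP may enter;
    anything the inside sends out is allowed."""
    return [Rule("permit", "in", dst=INSIDE, proto="tcp", dport=23),
            Rule("permit", "in", dst=INSIDE, proto="tcp", dport=21),
            Rule("permit", "out", src=INSIDE)]


def demo():
    static = Firewall("deny", slide_rulebase())
    stateful = Firewall("deny", slide_rulebase(), stateful=True)
    arrivals = {name: Packet("in", "203.0.113.9", "192.0.2.10", "tcp", 40000, port)
                for name, port in (("HTTP", 80), ("TELNET", 23), ("FTP", 21), ("SMTP", 25))}
    verdicts = {name: static.decide(p)[0] for name, p in arrivals.items()}
    # An inside host browses to an outside web server. Both firewalls permit the request by the
    # outbound rule, but only the stateful one lets the server's reply back in, because no
    # inbound rule names an ephemeral destination port.
    request = Packet("out", "192.0.2.10", "198.51.100.5", "tcp", 51515, 80)
    reply = Packet("in", "198.51.100.5", "192.0.2.10", "tcp", 80, 51515)
    static.decide(request)
    stateful.decide(request)
    # Default permit: everything passes unless a rule explicitly blocks it.
    permissive = Firewall("permit", [Rule("deny", "in", proto="tcp", dport=25)])
    loose = {name: permissive.decide(arrivals[name])[0] for name in ("HTTP", "SMTP")}
    return verdicts, static.decide(reply), stateful.decide(reply), loose


if __name__ == "__main__":
    for item in demo():
        print(item)
```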
Components of Firewalls
• Chokes - limit the flow of packets between networks. They read packets and determine, based on the rules, whether the traffic should pass
• Gates - act as a control point for external connections.
[Diagram: Gate and Choke with DEFAULT DENY. Application-level filtering rule: deny everything except Telnet & FTP. Incoming packets: HTTP, TELNET, FTP, SMTP. The TELNET and FTP packets pass through to the Corporate Internal Network; the SMTP and HTTP packets are rejected.]
Firewall Functions
• Packet Filtering
• Network Address Translation
• Application-level Proxies
• Stateful Inspection
• Virtual Private Networks
• Real-time Monitoring
Proxy Server sitting outside the protection of the corporate network
Last time
• Security issues
• Firewalls
This time
• Business over the internet
• Cryptography
So you want to do business over the internet
• What do you have to worry about?
Message originating from Point A; intended destination is Point B.
Message is split into packets and may travel along different paths.
Message is reassembled at destination.
Did Point B receive the message? Was the message really sent by Point A?
Did anyone else see the message?
If Point B did in fact receive the message: is it exactly the same message or could it have been altered in any way? Was it delivered promptly or could it have been stalled?
Important Techniques used to prevent/detect data interception
• Message Origin Authentication
• Proof of Delivery (non-repudiation)
• Message Integrity
– Same message
– Not seen by others
• Timely Delivery of Messages
Encryption….
• Is the best device for ensuring message (and data) confidentiality
• involves transforming plaintext into ciphertext using a KEY
• the level of secrecy is a function of
– strength of the algorithm
– key length
– key management policies
What is cryptography?
• “hidden writing”
– versus steganography (hiding the message)
• Until recently: military tool
• Like any military technology: methods change over time
• Two sides: designing codes, breaking codes (cryptanalysis)
• Computers have changed both
Basic Encryption and Decryption Terms
Cryptography is the study of creating and using encryption and decryption techniques.
Encryption vs decryption
Plaintext (sometimes called cleartext) is the data that exists before any encryption has been performed.
Ciphertext is the data after encryption has been performed.
The key(s) is(are) the unique piece of information that is used to create ciphertext and decrypt the ciphertext back into plaintext. Key is also called the cryptovariable.
The cipher is the algorithm for encrypting and decrypting; also called the protocol or scheme.
Uses of Cryptography
• Besides confidentiality, cryptography provides
– Authentication: knowing that whoever claims to have sent the message actually sent it.
– Integrity: message has not been tampered with and/or the message is legit
– Nonrepudiation: a user should not be able to deny that he sent the message
Basic encryption and decryption procedure
The Cipher
Simple encryption methods
• Pig Latin
• Decoder rings
Monoalphabetic Substitution-based Ciphers
Monoalphabetic substitution-based ciphers replace a character or characters with a different character or characters, based upon some key.
Replacing: abcdefghijklmnopqrstuvwxyz
With the key: POIUYTREWQLKJHGFDSAMNBVCXZ
The message: how about lunch at noon
encodes into EGVPO GNMKN HIEPM HGGH
Simple example: Caesar Shift
• Protocol: shift each letter by the same amount
• Key: amount to shift
Key -1: IBM encodes into HAL
Key 10: Veni, vidi, vici encodes into Foxs, fsns, fsms
• Decryption: shift back the same amount
Caesar Cipher
Plaintext alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Key (rotate 13 positions): NOPQRSTUVWXYZABCDEFGHIJKLM
Plaintext: THE GOTHS COMETH
Ciphertext: FUR TAFUE PAYRFU
Example: Caesar Shift
• What is: ozqsx shld
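The two ciphers from the preceding slides in working code, as an added example that is not part of the original deck: a substitution cipher keyed by a 26-letter alphabet, the Caesar shift as the special case of a rotated alphabet, the five-letter grouping the substitution slide prints, and a brute-force listing of all 26 shifts, which is why a Caesar cipher gives no real protection.

```python
# Monoalphabetic substitution and Caesar shift as described on the slides.
# Example code added for this chapter, not from the textbook.
import string

LOWER = string.ascii_lowercase


def substitute(text, key, decrypt=False):
    """Replace each letter of `text` using a 26-letter key: the slide's
    POIUYTREWQLKJHGFDSAMNBVCXZ maps a->P, b->O, c->I, ... Non-letters are
    left alone and case is preserved; decrypt=True applies the inverse map."""
    key = key.lower()
    src, dst = (key, LOWER) if decrypt else (LOWER, key)
    table = str.maketrans(src + src.upper(), dst + dst.upper())
    return text.translate(table)


def caesar(text, shift):
    """Shift every letter by `shift` positions (negative shifts go backwards).
    A Caesar cipher is just a substitution whose key is the rotated alphabet,
    so shift 13 is the ROT13 table shown on the slide."""
    s = shift % 26
    return substitute(text, LOWER[s:] + LOWER[:s])


def groups_of_five(ciphertext):
    """Drop spaces and regroup in blocks of five, as the slide prints it,
    so that word lengths do not leak through the cipher."""
    letters = ciphertext.replace(" ", "").upper()
    return " ".join(letters[i:i + 5] for i in range(0, len(letters), 5))


def all_shifts(ciphertext):
    """Brute force: only 26 keys exist, so every candidate plaintext can be
    listed and the readable one picked out by eye."""
    return [caesar(ciphertext, -k) for k in range(26)]
```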
Types of Keys
• Symmetric (one key)
• Asymmetric (two keys)
Figure: symmetric encryption method. The sender encrypts the plaintext message, the encoded message is transmitted, and the receiver decrypts it using an identical key.
Same key for encryption and decryption. How is the key shared?
Enigma Machine
• Key changed daily
• 3 scramblers in one of 6 orders
• In 1938: 3 of 5, so 60 arrangements
• 26^3 = 17,576 settings for scramblers
• Billions of plugboard settings
• Alan Turing: bypassed the plugboard; used known plaintext and exhausted the remaining key space
• The British were able to read the traffic!
Paradigm Shift!
• Alice wants to mail Bob a letter securely
• If they share a “key”, Alice locks, Bob unlocks
• If not: Alice puts on padlock, sends box to Bob
• Bob adds his padlock, sends box back to Alice
• Alice removes her padlock, sends box to Bob
• Bob unlocks box, reads letter
• Problem: how to translate this to a protocol?
Public Key Cryptography
Very powerful encryption technique in which two keys are used:
• first key (the public key) encrypts the message
• second key (the private key) decrypts the message
Not possible to deduce one key from the other.
Not possible to break the code given the public key.
If you want someone to send you secure data, give them your public key; you keep the private key.
Secure sockets layer (SSL) on the Internet is a common example of public key cryptography; it sits between the application layer and the transport layer (TCP).
S-HTTP is another method.
Figure (confidentiality): sender Johnny B., receiver the professor. Johnny B. encrypts a plaintext message explaining his personal medical condition with the professor's public key; the encoded message is transmitted; the professor decrypts it with the professor's private key and recovers the plaintext.
By encrypting his message with his professor's publicly available key, Johnny B. can be assured that no one besides that professor can read his message.
Figure (authenticate sender): sender the professor, receiver Johnny B. The professor encrypts a plaintext message requesting a conference with Johnny B. using the professor's private key; the encoded message is transmitted; Johnny B. decrypts it with the professor's public key and recovers the plaintext.
Because the professor encrypted the message with his private key, Johnny B. can be assured that the message really is from that professor by decrypting it with the professor's public key.
Figure (authenticate sender and confidentiality): sender the professor, receiver Johnny B. A message from the professor requesting a conference with Johnny B. and disclosing his grade is encrypted first with the professor's private key and then with Johnny's public key, giving a double-encoded message; it is transmitted; Johnny decrypts with Johnny's private key and then with the professor's public key, recovering the original message.
By encrypting the message with the professor's private key and Johnny's publicly available key, Johnny can be assured that the message really is from that professor and that no one else can read the message containing his grade.
Data Encryption Standard (DES) – making good keys
GOT TO HAVE GOOD KEYS!
Created in 1977 and in operation into the 1990s, the data encryption standard took a 64-bit block of data and subjected it to 16 levels of encryption.
The choice of encryption performed at each of the 16 levels depends on the 56-bit key applied.
Even though 56 bits provides over 72 quadrillion combinations, a system using this standard has been cracked.
Larger keys are the answer to better security.
Figure: basic operations of the data encryption standard.
Triple-DES
A more powerful data encryption standard.
Data is encrypted using DES three times: the first time by the first key, the second time by a second key, and the third time by the first key again.
While virtually unbreakable, triple-DES is CPU intensive.
With more smart cards, cell phones, and PDAs, a faster (and smaller) piece of code is highly desirable.
Advanced Encryption Standard (AES)
Selected by the U.S. government to replace DES.
National Institute of Standards and Technology selected the algorithm Rijndael (pronounced rain-doll) in October 2000 as the basis for AES.
AES has more elegant mathematical formulas, requires only one pass, and was designed to be fast, unbreakable, and able to support even the smallest computing device.
Key size of AES: 128, 192, or 256 bits
Estimated time to crack (assuming one machine could try 2^55 keys per second (NIST)): 149 trillion years
Very fast execution with very good use of resources
AES should be widely implemented by 2004
• PGP is a digital data encryption program created by Phil Zimmermann.
• Provides confidentiality, authentication, and compression for email and data storage.
• Its building blocks are made of the best available cryptographic algorithms: RSA, DSS, Diffie-Hellman.
• It is independent of operating system and processor.
• It has a small set of easy-to-use commands.
![Page 81: 1 Chapter 13 Network Security Data Communications and Computer Networks: A Business User’s Approach](https://reader036.vdocument.in/reader036/viewer/2022081504/56649f2e5503460f94c47fcb/html5/thumbnails/81.jpg)
85
PGP
• Because PGP is freely available via the Internet, and has a fully compatible low-cost commercial version, it is now widely used.
• It has a wide range of applicability from corporations to individuals who wish to communicate worldwide securely over the Internet and other networks.
• It is not controlled by any government which makes it attractive to many.
Digital Signatures
• A digital signature is much like a hand signature in that it provides proof that you are the originator of the message (authentication); it assigns a code to a document.
• Used to bind the message originator to the exact contents of the message through the use of key pairs. This allows the feature of non-repudiation to be achieved, which is crucial for electronic commerce.
• Non-repudiation is a property achieved through cryptographic methods which prevents an individual or entity from denying having performed a particular action related to data.
• The private key of the sender is used to encrypt the message digest.
Digital Signatures
Reason for digital signatures? Integrity of transactions.
How they work:
• The document to be signed is sent through a complex mathematical computation that generates a hash, called the message digest (this reduces the size of the message).
• The hash is encoded with the owner's private key.
• To prove future ownership, the hash is decoded using the owner's public key and compared with a current hash of the document.
• If the two hashes agree, the document belongs to the owner.
The U.S.A. approved legislation to accept digitally signed documents as legal proof.
Figure (digital signature): the sender computes a digest of the plaintext message with a hashing algorithm, encrypts the digest with the sender's private key, and transmits the message together with the digital signature (the encrypted digest). The receiver decrypts the digest with the sender's public key, computes the expected digest from the received plaintext with the same hashing algorithm, and compares the two to confirm or deny the integrity of the message. The message itself is not confidential.
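The three key-pair diagrams (confidentiality, sender authentication, and both combined) and the hash-then-sign flow just described, carried through with textbook RSA on toy primes. This is an added example, not code from the textbook; the primes, key owners and messages are constructed for illustration and the digest is reduced modulo the tiny modulus only so that it fits.

```python
# Textbook RSA on toy primes: example code added for this chapter, not from
# the textbook. The primes, key owners and messages are constructed for
# illustration and are far too small for real use (real keys use thousands
# of bits plus padding); this shows only the mechanics of the diagrams.
import hashlib
from math import gcd


def make_keypair(p, q, e=17):
    """Return (public, private) = ((e, n), (d, n)) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    return (e, n), (pow(e, -1, phi), n)   # d = e^-1 mod phi (Python 3.8+)


def apply_key(m, key):
    """One RSA operation, m^k mod n; the same step serves either half of a pair."""
    k, n = key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, k, n)


# Confidentiality: seal with the receiver's public key; only the matching
# private key recovers the message. Authentication alone is the mirror
# image: apply_key(m, sender_priv), opened by anyone with sender_pub.
def seal(m, receiver_pub):
    return apply_key(m, receiver_pub)


def unseal(c, receiver_priv):
    return apply_key(c, receiver_priv)


# Authentication plus confidentiality: sender's private key first, then the
# receiver's public key. The inner modulus must not exceed the outer one, or
# the intermediate value might be too large for the second operation.
def seal_and_sign(m, sender_priv, receiver_pub):
    assert sender_priv[1] <= receiver_pub[1], "inner modulus must be smaller"
    return apply_key(apply_key(m, sender_priv), receiver_pub)


def open_and_verify(c, receiver_priv, sender_pub):
    return apply_key(apply_key(c, receiver_priv), sender_pub)


# Digital signature: hash the document, encrypt the digest with the signer's
# private key; the receiver decrypts it with the public key and compares it
# with a fresh digest of what actually arrived.
def digest(document, n):
    h = int.from_bytes(hashlib.sha256(document).digest(), "big")
    return h % n   # toy reduction so the digest fits under the tiny modulus


def sign(document, signer_priv):
    return apply_key(digest(document, signer_priv[1]), signer_priv)


def verify(document, signature, signer_pub):
    return apply_key(signature, signer_pub) == digest(document, signer_pub[1])
```

Because the digest changes when any byte of the document changes, a tampered document fails verify() (up to the 1-in-n collision chance of the toy reduction), while the message itself is never hidden, exactly as the figure notes.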
Public Key Infrastructure – Putting it all together!!
The combination of encryption techniques, software, and services that involves all the necessary pieces to support digital certificates, certificate authorities, and public key generation, storage, and management.
A certificate, or digital certificate, is an electronic document, similar to a passport, that establishes your credentials when you are performing transactions.
Public Key Infrastructure (PKI)
Applications that benefit from PKI:
• World Wide Web transactions
• Virtual private networks
• Electronic mail
• Client-server applications
• Banking transactions
Security Policy Design Issues
What is the company’s desired level of security?
How much money is the company willing to invest in security?
If the company is serious about restricting access through an Internet link, what about restricting access through all other entry ways?
The company must have a well-designed security policy.
Network Security In Action: Banking and PKI
If you want to perform online banking transactions, how does the system know you are a legitimate user?
ScotiaBank uses a PKI system designed by Entrust.
Each customer is assigned a digital certificate.
Whenever a customer wants to perform an online transaction, they “present” their certificate.
What did we cover?
• Security for internet communications
– Message origin authentication
– Proof of delivery (non-repudiation)
– Message integrity
• Same message
• Not seen by others
• Cryptography
– Keys
– PKI
| Security issue | Security objective | Security techniques |
| --- | --- | --- |
| Confidentiality | Privacy of message | Encryption |
| Message integrity | Detecting message tampering | Hashing (digest) |
| Authentication | Origin verification | Digital signatures; biometric devices |
| Non-repudiation | Proof of origin, receipt, and contents | Digital signatures; transaction certificates; time stamps; confirmation services; bi-directional hashing |
| Access controls | Limiting entry to authorized users | Firewalls; passwords; biometric devices |