Network Security - cse.tkk.fi
Nixu Oy
PL 21
(Mäkelänkatu 91)
00601 Helsinki, Finland
tel. +358 9 478 1011
fax. +358 9 478 1030
http://www.nixu.fi
Internet solutions
Network Security
Copyright © 2000 Nixu Oy 2/37 Network Security
Contents
• Why security?
• Basic information security concepts
• Threats in network environment
• Solutions
  — Security perimeter
  — Firewalls
  — Intrusion detection
  — Cryptography
What is Information Security?
• Organizations and individuals have information, which has value
• This value must be protected against threats
  — Protection causes costs
• Computer and network threats are only one part of all threats
  — Physical threats
  — Logical threats
Terms of Data Security
• Confidentiality (We keep our secrets)
• Integrity (Nobody changes our data)
• Availability (We have access to our data)
• Authentication (We recognize another entity on the network)
• Non-repudiation (We can prove that something happened)
• Authorization (We control access to our data)
Different Kinds of Threats
• Physical breakdowns
• Operating mistakes
• Planning mistakes
• Intentional attacks for fun and profit
• Own personnel is usually considered the largest security threat
Typical Network Threats
• Eavesdropping
  — Easy on most LANs with physical access to the media
  — More difficult on backbone networks
• Break-ins
  — Network is a two-way medium
  — Scripted tools make exploiting known faults easier
  — Access to the computer can be used to access the data on the computer or to use the computer as a base for further attacks
• Connection capture
  — TCP connections can be captured and used (software is available)
• Replay
More Network Threats
• Denial of service
  — Overloading a server
  — Faulty data packets
• Pretension (impersonation)
  — Fake e-mail
  — IP address forgery (IP spoofing)
• Masquerade and man-in-the-middle
  — Attacker can pretend to be a service
• Compound attacks
  — IP traffic can be rerouted to a different path and then eavesdropped or captured
Typical Attack from Outside
• First scan the internal network addresses for hosts and services
  — Can be done in a stealthy, slow and low mode
• Then attack the found targets
  — Known weaknesses, exploits
  — Scripted attacks, over in less than a minute
• Get the data and run, or
• Prepare a base for further attacks
  — Hide tracks
  — Install a rootkit
Viruses and other Malware
• Viruses are self-replicating programs
• Trojan horses are benign-looking programs that also do something harmful
• Worms are network viruses
• Viruses spread mostly because of user’s misplaced trust and carelessness
• Modern viruses are often network aware
Solutions
• Security planning
• Personnel selection and training
• Physical security
• Technical solutions
  — Host based security
  — Firewalls
  — Cryptographic solutions
Cost of Security
[Chart: costs plotted against level of security, with one curve for risks and one for security solutions]
Risk Analysis
• Risk analysis is the assessment and evaluation of risks, to see what kind of protection is needed and where
• Risk analysis usually gives a rough estimate, which can still be used to direct security efforts
• A trivial example
  — A hard disk has information worth $10 000
    > A customer address database, which can be regenerated
  — Mean life time of a hard disk is 4 years
  — It makes sense to use $2 500 yearly to protect the information
Modern Network Security Perimeter
• Firewalls limit access to the network that they protect
• Encryption protects data in transit
• Cryptographic identification provides strong authentication
• Intrusion detection monitors the integrity
Conventional Network Security
[Diagram of a conventional perimeter; components: Internet (and threats), firewall, internal network, DMZ with a WWW server, VPN server, VPN gateway, protected off-site network]
Practical Reality
[Diagram; components: Internet, VPN server, VPN gateway, direct connection, modem connection, PPP over SSH, Quake2 station]
Host Based Security
• A host on the network is always a potential target
• Threats can be countered by:
  — Limiting available services
  — Limiting access to services (TCP wrapper)
• Once the attacker is inside the host, gaining additional privileges is easier
Firewalls
• Firewalls limit access between networks
• Typically used to protect internal networks from external threats
• Two basic types
  — Filtering firewall
  — Application level firewall
• Usually both features are combined in a hybrid product
Filtering Firewalls
• Each IP packet is inspected and passed on or dropped based on
  — Sender and receiver IP address
  — Protocol type (TCP, UDP, other)
  — Sender and receiver port address
  — IP or TCP options, SYN/ACK bits etc.
  — Stateful knowledge of connections (TCP connections may be opened from internal to external networks)
• Many routers have most of the basic functionality of a filtering firewall
• Network address translation is an additional feature
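As an added example (not code from the slides), a small stateful packet filter in Python that applies the criteria listed above: it admits TCP connections opened from the internal network, drops unsolicited inbound SYNs except to a designated port, and treats a packet with an internal source address arriving at the perimeter as spoofed. The 192.168.1.0/24 network, the addresses and the packet trace are constructed for the demonstration.

```python
"""Stateful packet filter modelled on the slide's rule inputs.

Added example, not from the original slides. Addresses, ports and
packets below are constructed for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.1.0/24")   # constructed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False


class StatefulFilter:
    """Allow connections opened from inside; drop unsolicited inbound traffic."""

    def __init__(self, allowed_inbound_ports):
        # inbound TCP ports that may receive a new connection (e.g. a DMZ web server)
        self.allowed_inbound_ports = set(allowed_inbound_ports)
        # connection table keyed by (internal host, internal port, external host, external port)
        self.conns = set()

    def decide(self, p: Packet) -> str:
        src, dst = ip_address(p.src), ip_address(p.dst)
        outbound = src in INTERNAL and dst not in INTERNAL
        inbound = dst in INTERNAL and src not in INTERNAL
        if not (outbound or inbound):
            return "DROP"           # both addresses on the same side: spoofed or misrouted
        if p.proto != "tcp":
            return "DROP"           # only TCP is handled in this example
        if outbound:
            key = (p.src, p.sport, p.dst, p.dport)
            if p.syn and not p.ack:
                self.conns.add(key)  # internal host opens a connection: remember it
            return "PASS" if key in self.conns else "DROP"
        # inbound packet: look the flow up from the internal side's point of view
        key = (p.dst, p.dport, p.src, p.sport)
        if key in self.conns:
            if p.syn and not p.ack:
                return "DROP"       # a fresh SYN on an existing flow is not a reply
            return "PASS"           # SYN/ACK or data belonging to a known flow
        if p.syn and not p.ack and p.dport in self.allowed_inbound_ports:
            self.conns.add(key)     # published service: new inbound connection allowed
            return "PASS"
        return "DROP"               # unsolicited inbound, including ACK-only probes


def demo():
    """Run a constructed packet trace through the filter and return the verdicts."""
    fw = StatefulFilter(allowed_inbound_ports={80})
    trace = [
        Packet("192.168.1.10", "198.51.100.5", "tcp", 40000, 443, syn=True),          # inside opens HTTPS
        Packet("198.51.100.5", "192.168.1.10", "tcp", 443, 40000, syn=True, ack=True),  # SYN/ACK reply
        Packet("203.0.113.7", "192.168.1.10", "tcp", 5555, 22, syn=True),              # unsolicited SYN to SSH
        Packet("203.0.113.7", "192.168.1.20", "tcp", 5555, 80, syn=True),              # new connection to web server
        Packet("192.168.1.30", "192.168.1.10", "tcp", 1, 22, syn=True),                # internal source at the perimeter: spoofed
        Packet("203.0.113.9", "192.168.1.10", "tcp", 1, 22, ack=True),                 # ACK-only probe
    ]
    return [fw.decide(p) for p in trace]
```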
Application Level Firewalls
• Application must connect to the firewall
  — E.g. HTTP proxy server
  — Application must be aware of the firewall
• Firewall can inspect application data
  — Prevent ActiveX
  — Search for viruses
• Firewall can also be transparent to applications and still work on the application level
  — More demanding for software
Intrusion Detection
• Intrusion detection is the art of detecting security break-ins and attempts
  — Network based ID can detect attempts before the break-in
  — Host based ID usually detects breaches after the fact
  — Intrusion detection demands active monitoring
  — Intrusion detection is expensive
  — Most people are already doing basic ID by reading logs
• In practice intrusion detection is often too expensive except for special cases
  — High risk targets (banks, military networks)
  — Network/host behavior is well known
Network Based ID
• Traffic analysis
  — Internal profiling
  — External profiling
  — Detecting anomalies
  — Detecting changes in usage
• Content analysis
  — Detecting exploits by key strings
• External traffic at or near the firewall
• Internal traffic from the LAN
  — Switches present a problem for ID
Host Based ID
• Log analysis
• File verification
  — E.g. Tripwire, http://tripwiresecurity.com/
• Anomaly analysis
  — System calls
  — Statistical analysis
  — Software behavior patterns
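An added example, not from the slides or from Tripwire itself, of the file-verification idea: a baseline of hashes, sizes and mode bits is taken, the tree is altered, and re-verification reports what was added, removed and modified. The directory tree under a temporary directory is constructed for the demonstration.

```python
"""Tripwire-style file verification: baseline, then detect changes.

Added example, not from the slides or from Tripwire. The file tree is
constructed under a temporary directory so the script runs offline.
"""
import hashlib
import os
import tempfile


def _digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map each regular file (path relative to root) to its digest, size and mode bits."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlinks are skipped in this example
            st = os.stat(full)
            rel = os.path.relpath(full, root)
            db[rel] = {"sha256": _digest(full), "size": st.st_size, "mode": st.st_mode & 0o7777}
    return db


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified relative to the stored baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a small constructed 'system', take a baseline, alter it, and re-verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        files = {  # constructed contents
            "bin/login": b"#!/bin/sh\nexec /bin/real-login \"$@\"\n",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "etc/hosts.allow": b"sshd: 192.168.1.\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = snapshot(root)
        # Simulated changes after the baseline: an altered binary, an extra
        # account line, a planted configuration file and a deleted file.
        with open(os.path.join(root, "bin/login"), "ab") as f:
            f.write(b"# extra behaviour\n")
        with open(os.path.join(root, "etc/passwd"), "ab") as f:
            f.write(b"guest:x:1001:1001::/home/guest:/bin/sh\n")
        with open(os.path.join(root, "etc/extra.conf"), "wb") as f:
            f.write(b"planted\n")
        os.remove(os.path.join(root, "etc/hosts.allow"))
        return compare(baseline, snapshot(root))
```

The baseline would in practice be stored on read-only media; the point of the check is that a change to a monitored file is reported even though the file still looks valid to its consumers.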
Secret Key (Symmetric) Cryptography
• Encryption and decryption are based on the same key
• Algorithm is usually based on bit pattern transformations and bit transpositions
• Usually efficient and fast: suitable for encryption of large amounts of data
• Main problem is how to transport the secret key to both participants
[Figure: Message encrypted with secret key S into ciphertext "X#9Z", then decrypted with the same key S back to Message]
Public Key (Asymmetric) Crypto
• Encryption and Decryption use separate keys
• Keys are related to each other by a mathematical relation
  — Public key can be literally published; there is no way to find the private key from it
• Whatever is encrypted with one key can be decrypted with the other key
• Encrypting with the private key proves the identity of the sender
[Figure: two rows showing Message turned into ciphertext ("X#9Z", "G804") with one key of the pair (Pub, Sec) and back to Message with the other]
Hash Functions
• A cryptographic checksum of the data (one way function)
• Difficult (impossible) to forge
Cryptographic Combinations
• Confidentiality is usually provided by encrypting the data with a secret key algorithm and by encrypting the secret key with a public key algorithm
• A message can be signed by encrypting the hash of the message with the private key; this can be used for non-repudiation
• A user can be authenticated by proving possession of the private key, by encrypting a message with it
• Hashes protect the integrity of data
PGP & SSH
• PGP (Pretty Good Privacy) encrypts e-mail
  — Sender must know the receiver’s public key
  — Users can certify each other’s keys
• SSH (Secure SHell) provides an encrypted TCP connection between two hosts on the network
  — Replaces the Berkeley R-tools (rlogin, rcp, rsh)
  — Any TCP connection can be tunneled over SSH
• Both are vulnerable to "man in the middle" attacks
  — PGP key must be verified
  — SSH client does not know the host key until the first connection
SSH 2.0 in action
• Client contacts a server (a TCP connection is initiated)
• Server sends two public keys (server and host) and available algorithms
• Client simultaneously sends available algorithms
• Client creates a session key (symmetric), encrypts it with server’s public keys and sends it to server
• A shared secret is now formed and a session is started
• Either side may request a renegotiation of keys
• User authentication is done after this
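An added example (not from the slides) serving both the Cryptographic Combinations slide and the session-key transport step of the SSH 2.0 slide: the data is encrypted with a fresh secret key, that key is sealed with the receiver's public key, and the sender signs the hash of the message with its private key. The RSA keys are textbook RSA on small constructed primes and the symmetric cipher is a SHA-256 keystream, chosen only so the script runs with the Python standard library and shows the structure.

```python
"""Cryptographic combinations: hybrid encryption plus a signed hash.

Added example, not from the slides. The RSA primes are small constructed
demonstration values and the stream cipher is SHA-256 in counter mode;
they show how the pieces fit together, not a production implementation.
"""
import hashlib
import secrets


# --- public key (asymmetric) part: textbook RSA on constructed primes ------
def rsa_keypair(p: int, q: int, e: int = 65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))     # private exponent
    return (n, e), (n, d)                 # (public key, private key)


def rsa_apply(key, value: int) -> int:
    """Encrypt or decrypt one integer < n with whichever key is supplied."""
    n, exp = key
    return pow(value, exp, n)


# --- secret key (symmetric) part: SHA-256 keystream XORed with the data ----
def stream_xor(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


# --- confidentiality: data under a secret key, secret key under a public key
def seal(receiver_pub, message: bytes):
    n = receiver_pub[0]
    session_key = secrets.randbelow(n - 2) + 2            # fresh symmetric key < n
    ciphertext = stream_xor(session_key.to_bytes(8, "big"), message)
    return rsa_apply(receiver_pub, session_key), ciphertext


def open_sealed(receiver_priv, sealed_key: int, ciphertext: bytes) -> bytes:
    session_key = rsa_apply(receiver_priv, sealed_key)   # only the private key recovers it
    return stream_xor(session_key.to_bytes(8, "big"), ciphertext)


# --- signature / non-repudiation: hash of the message under the private key
def _hash_mod_n(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(sender_priv, message: bytes) -> int:
    return rsa_apply(sender_priv, _hash_mod_n(message, sender_priv[0]))


def verify(sender_pub, message: bytes, signature: int) -> bool:
    return rsa_apply(sender_pub, signature) == _hash_mod_n(message, sender_pub[0])


def demo():
    """Alice seals a message for Bob and signs it; Bob opens and checks it."""
    alice_pub, alice_priv = rsa_keypair(1000003, 1000033)   # constructed primes
    bob_pub, bob_priv = rsa_keypair(1000037, 1000039)
    msg = b"Transfer 100 EUR to account 12345"
    sealed_key, ct = seal(bob_pub, msg)     # same step as the SSH slide's session key transport
    sig = sign(alice_priv, msg)
    recovered = open_sealed(bob_priv, sealed_key, ct)
    return {
        "recovered": recovered,
        "signature_ok": verify(alice_pub, recovered, sig),
        "tampered_ok": verify(alice_pub, recovered + b"0", sig),
        "wrong_signer_ok": verify(bob_pub, recovered, sig),
    }
```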
Certificates
• A certificate is a cryptographically signed formal statement, which certifies a public key with some properties, like identity or access permissions
• To verify the certificate the end user must have the public key of the signer
  — Or a certificate loop must be formed, with an unbroken chain of trust starting from the verifier
• Certificates can be issued by trusted third parties
S/MIME & SSL
• Certificate based authentication from a trusted third party
  — Why should we trust the third party?
• S/MIME (Secure/Multipurpose Internet Mail Extensions)
  — E-mail encryption and signature
• SSL (Secure Socket Layer)
  — Encrypted TCP connection, with server side authentication
  — Used mostly for WWW services
IPSec
• A protocol suite designed by the Internet Engineering Task Force (IETF) in 1995 - 1999
• Describes a standard architecture for securing Internet traffic at the IP layer
• A fixed part of IPv6, optional for the current IP protocol, IPv4
• Documented by the IETF as a set of Request For Comments (RFC) papers
  — Main document is RFC 2401: "Security Architecture for the Internet Protocol"
• Independent of the cryptographic algorithms used
• Independent of a key management protocol
IPsec Security Services
• Access control
• Connectionless (per-packet) integrity
• Data origin authentication
• Anti-replay service
• Confidentiality
• Limited traffic flow confidentiality
IPSec Summary
In short, the most important features of IPSec are:
• Cryptographical protection of Internet traffic for all protocols and applications running over IP
• IPSec security services are transparent for applications and users
• IPSec enables construction of Virtual Private Networks
• Good support for implementing and maintaining an organization’s security policy
• High level of flexibility allows IPSec to be run over various types of public key infrastructure.
Certificate based Policy Management
• Certificates express trust
• Authorization can be bound to a public/private key with a certificate
  — Identity is not important
• Authorization certificates can be chained
SPKI Certificates
• Simple Public Key Infrastructure
• Being published as Experimental RFC
• The most important fields of a SPKI certificate
  — Issuer
  — Subject
  — Delegation
  — Tag (i.e. authorization)
  — Validity
  — Signature
Creating trust with a certificate loop
[Diagram: a chain of three certificates, each shown as (issuer key, subject key, tag), leading from the verifier’s own key to the peer’s key]
  — Verifier (Self key) issues: (Self key, Trusted Party’s key, trusted for signalling)
  — Some trusted party (TPV key) issues: (Trusted Party’s key, Another Party’s key, trusted for signalling)
  — Another trusted party (TPP key) issues: (Another Party’s key, Peer key, trusted for signalling)
  — Peer (Peer key) proves possession of the key; signalling then takes place between verifier and peer
Summary
• Data security requires planning
  — Implementing technology without a security policy is useless
• Firewalls limit the effects of attacks
• Intrusion detection is a possible, but expensive, solution
• Cryptography is a fast-developing area
  — Cryptography can be applied to different uses at different network levels
  — Certificate based policy management is the newest area