
Security in Networks

Anonymity
  Disguise the attack's origin

Many points of attack
  Targets
  Origins
  Not all hosts are under the administrator's control

Sharing
  Access

Complexity of system
  Different networks
  Different systems
  Not visible (abstraction)

Unknown path
  Routing
  Insecure paths

Unknown perimeter
  Network boundary
  Wireless
  Accessibility

Malicious users
  Earn money illegally
  Prove themselves with a challenge
  Organized criminals
    Steal information
    Sabotage
  Terrorists

Script kiddies
  People who download and run attack scripts
  Not creative

Reconnaissance / Investigation

Port Scan
  Gather network information
    Running services
    Running applications
    Ports that respond on the system
    Versions

Social Engineering
  Impressed by a high-level person

Intelligence
  Eavesdropping
  Bulletin boards and chats
    Knowledge sharing
  Documentation

Eavesdropping
Interception
Impersonation
Denial of Service
  Connection Flooding
  ICMP

Wiretap
  Passive wiretapping
  Active wiretapping
  Inductance
  Radiation

Microwave interception

Satellite, wireless
  Impersonate
  Interfere

Optical fiber

Completely exposed
  Visible code
  Able to download
Buffer overflow
Incomplete mediation
Editors & utilities
Code errors
Server-side programs
Denial of Service
  Flood
  Smurf
  Teardrop
    Fragmented datagrams that cannot be reassembled
  Traffic Redirection
  DNS Attacks

Distributed Denial of Service
  Trojan Horse
  Zombie computer
  Many zombies attack at the same time
Active or Mobile Code
  Saves
    Server resources
    Bandwidth
  Better execution of components
  Downloaded from server to client for execution
  ActiveX Controls
  Java applets

Cookies
  Not active code
  Temporary data files; they expire
  Machine name, connection details, date
  Downloaded to client, read by server
  If intercepted, used to impersonate the user
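Because a cookie is stored on the client and sent back to the server on every request, an intercepted cookie lets the interceptor act as that user. The check below is an added example, not part of the slides: it parses a Set-Cookie header and reports the attributes a defender expects on a session cookie (Secure, HttpOnly, SameSite) and flags a session cookie given an expiry, which makes it persist on disk past the browser session. The header strings and the session cookie names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class CookieReport:
    name: str
    findings: List[str] = field(default_factory=list)

def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

# Hypothetical names that this check treats as session cookies.
SESSION_COOKIE_NAMES = ("session", "sessionid", "sid")

def audit_set_cookie(header: str) -> CookieReport:
    """Report attributes that leave a cookie exposed to interception or script access."""
    name, _, attrs = parse_set_cookie(header)
    report = CookieReport(name)
    if "secure" not in attrs:
        report.findings.append("missing Secure: sent over plaintext HTTP, so it can be eavesdropped")
    if "httponly" not in attrs:
        report.findings.append("missing HttpOnly: readable by client-side script")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        report.findings.append("SameSite not Lax/Strict: attached to cross-site requests")
    if name.lower() in SESSION_COOKIE_NAMES and ("expires" in attrs or "max-age" in attrs):
        report.findings.append("persistent session cookie: survives on disk after the browser closes")
    return report

if __name__ == "__main__":
    # Constructed headers for demonstration.
    for hdr in (
        "session=abc123; Path=/",
        "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    ):
        rep = audit_set_cookie(hdr)
        print(rep.name, "->", rep.findings or "ok")
```

The parser splits on ";" only, so an Expires value containing commas is kept intact; the check is meant for a server's own responses or a proxy log, where the header is already isolated.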

Scripts
  Common Gateway Interface (CGI)
  Active Server Pages (ASP)

Bots
  Malicious code under remote control
  Network of bots, called a botnet
  Distributed denial-of-service attacks

Good principles of
  System analysis
  Design
  Implementation
  Maintenance

Architecture Design
  Segmentation
    Limits the damage a single vulnerability can cause
    Web server handles HTTP sessions
    Application code
    Databases
  Redundancy
    Multiple servers
    If one fails, the other takes over processing
    Application / DB

Encryption

Link Encryption
  Data are encrypted just before being sent onto the physical link


End-to-End Encryption
  Software
  Hardware


Link Encryption compared with End-to-End Encryption

                         Link Encryption                      End-to-End Encryption
Security within hosts
                         Data exposed in sending host         Data encrypted in sending host
                         Data exposed in intermediate nodes   Data encrypted in intermediate nodes
Role of user
                         Invisible to user                    User applies encryption
                         Host maintains encryption            User must find algorithm
                         One facility for all users           User selects encryption
                         Typically done in hardware           Either software or hardware implementation
                         All or no data encrypted             User chooses to encrypt or not, for each data item
Implementation concerns
                         Requires one key per host pair       Requires one key per user pair
                         Provides node authentication         Provides user authentication
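The rows "data exposed in intermediate nodes" and "one key per host pair" versus "one key per user pair" are easiest to see by tracing a message over a path. The following is an added example, not from the slides: a four-host path (sender, A, B, receiver, all hypothetical) carried once with link encryption and once with end-to-end encryption, recording which hosts ever hold the plaintext. The cipher is a toy XOR keystream derived from SHA-256 so the example runs with the standard library only; it stands in for whatever real cipher a link or application layer would use.

```python
import hashlib
from typing import Dict, List, Tuple

def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 of key||counter. Illustration only, not a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

# Constructed path of hypothetical hosts: sender -> A -> B -> receiver.
PATH = ["sender", "A", "B", "receiver"]

# Link encryption: one key per adjacent host pair (three keys for three links).
LINK_KEYS: Dict[Tuple[str, str], bytes] = {
    ("sender", "A"): b"link-key-sender-A",
    ("A", "B"): b"link-key-A-B",
    ("B", "receiver"): b"link-key-B-receiver",
}

# End-to-end encryption: one key shared by the communicating user pair.
E2E_KEY = b"user-pair-key"

def send_link_encrypted(message: bytes) -> Tuple[bytes, Dict[str, bytes], Dict[Tuple[str, str], bytes]]:
    """Each host decrypts what arrived on the incoming link (it must read the
    headers to route) and re-encrypts for the outgoing link, so every host
    along the path holds the plaintext at some moment."""
    seen_in_host = {"sender": message}
    on_links: Dict[Tuple[str, str], bytes] = {}
    data = message
    for link in zip(PATH, PATH[1:]):
        on_links[link] = xor_crypt(LINK_KEYS[link], data)      # protected on the wire only
        data = xor_crypt(LINK_KEYS[link], on_links[link])       # next host recovers plaintext
        seen_in_host[link[1]] = data
    return data, seen_in_host, on_links

def send_end_to_end(message: bytes) -> Tuple[bytes, Dict[str, bytes], Dict[Tuple[str, str], bytes]]:
    """The user's application encrypts once; intermediate nodes forward the
    ciphertext unchanged and never hold the plaintext."""
    ciphertext = xor_crypt(E2E_KEY, message)
    seen_in_host = {"sender": message}
    on_links = {link: ciphertext for link in zip(PATH, PATH[1:])}
    for node in PATH[1:-1]:
        seen_in_host[node] = ciphertext
    delivered = xor_crypt(E2E_KEY, ciphertext)
    seen_in_host["receiver"] = delivered
    return delivered, seen_in_host, on_links

def exposed_hosts(seen_in_host: Dict[str, bytes], message: bytes) -> List[str]:
    """Hosts in whose memory the plaintext appeared."""
    return [host for host, data in seen_in_host.items() if data == message]

def plaintext_on_any_link(on_links: Dict[Tuple[str, str], bytes], message: bytes) -> bool:
    """True if the message crossed any physical link unencrypted."""
    return any(data == message for data in on_links.values())

if __name__ == "__main__":
    msg = b"transfer 100 to account 42"
    _, link_seen, link_wire = send_link_encrypted(msg)
    _, e2e_seen, e2e_wire = send_end_to_end(msg)
    print("link encryption, plaintext in hosts:", exposed_hosts(link_seen, msg))
    print("end-to-end encryption, plaintext in hosts:", exposed_hosts(e2e_seen, msg))
    print("keys held by network:", len(LINK_KEYS), "link keys vs 1 user-pair key")
```

Both modes keep the wire clean; the difference is where the plaintext lives, which is why the table lists "data exposed in intermediate nodes" only for link encryption and why the two are often combined in practice.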

Virtual Private Network
  Network established over a public network for secure communication
  Tunnel mode

SSH Encryption
  Provides an authenticated and encrypted path

SSL Encryption
  TLS
  Encrypted channel between client and server

SSL Encryption
  Client requests an SSL session
  Server responds with its public key certificate
    Server authenticity
  Both the server and client compute the session key
    Uses the server's public key
  Secure communication starts

IP Security
  Version 6 of the IP protocol suite
  Spoofing
  Eavesdropping
  Session hijacking
  Similar to SSL
  Encapsulating Security Payload
Honeypot
  Attracts attackers
  Monitors the actions of an attacker
  Actual system should be safe

Intrusion Detection System
  Device or component placed inside a protected network to
    monitor what occurs within the network
    identify malicious or suspicious events
  Host based
  Network based
  Stealth mode

Functions
  Monitoring users and system activity
  Auditing system configuration for vulnerabilities
    Misconfigurations
  Assessing the integrity of critical system and data
  Recognizing known attack patterns
  Identifying abnormal activity through statistical analysis
  Managing audit trails
  Highlighting user violations
  Correcting system configuration errors

Signature-Based Intrusion Detection
  Pattern matching
  Statistical analysis

Heuristic Intrusion Detection
  Anomaly based
  Model of expected behavior
  Unexpected behaviors are flagged
  Administrator can adjust the flags

Alarm network is separated
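The two detection styles on the slides behave differently on the same input, which the added example below shows (it is not code from the slides). It runs a signature detector (regular-expression pattern matching for two well-known request shapes) and an anomaly detector (a statistical threshold of mean plus a configurable number of standard deviations over a baseline of requests per source) across a constructed web-server log. The addresses, baseline counts, and log lines are all made up for the example; the `sensitivity` parameter is the administrator's knob for tuning what gets flagged.

```python
import re
import statistics
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed access log (hypothetical addresses, not real traffic): two normal
# visits, one dot-dot path traversal probe, one SQL injection probe, and a flood.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01] "GET /index.html HTTP/1.1" 200',
    '10.0.0.5 - - [01/Jan/2024:10:00:02] "GET /about.html HTTP/1.1" 200',
    '10.0.0.7 - - [01/Jan/2024:10:00:03] "GET /cgi-bin/../../etc/passwd HTTP/1.1" 404',
    '10.0.0.8 - - [01/Jan/2024:10:00:04] "GET /login?user=admin%27%20OR%201=1 HTTP/1.1" 200',
] + ['10.0.0.9 - - [01/Jan/2024:10:00:05] "GET /index.html HTTP/1.1" 200'] * 40

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')

# Signature-based detection: known attack patterns, matched against the request path.
SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "path traversal (dot-dot)": re.compile(r"\.\./"),
    "SQL injection probe": re.compile(r"(%27|')(%20|\s)+OR\b", re.IGNORECASE),
}

# Constructed baseline: requests per source during a normal period. This is the
# "model of expected behavior" the heuristic detector compares against.
BASELINE_REQUESTS_PER_SOURCE = [3, 2, 4, 3, 2, 5, 3]

def parse(line: str) -> Optional[Tuple[str, str, str, int]]:
    """Return (source, method, path, status) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return ip, method, path, int(status)

def signature_alerts(lines: List[str]) -> List[Tuple[str, str]]:
    """(source, signature name) for every request matching a known pattern."""
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ip, _, path, _ = parsed
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((ip, name))
    return alerts

def anomaly_alerts(lines: List[str], baseline: List[int],
                   sensitivity: float = 3.0) -> List[Tuple[str, int]]:
    """Flag sources whose request count exceeds mean + sensitivity * stdev of
    the baseline. Lower sensitivity catches more but raises more false alarms."""
    threshold = statistics.mean(baseline) + sensitivity * statistics.pstdev(baseline)
    counts = Counter(p[0] for p in map(parse, lines) if p is not None)
    return [(ip, n) for ip, n in counts.items() if n > threshold]

if __name__ == "__main__":
    print("signature alerts:", signature_alerts(LOG_LINES))
    print("anomaly alerts:", anomaly_alerts(LOG_LINES, BASELINE_REQUESTS_PER_SOURCE))
```

Note what each detector misses: the flood from 10.0.0.9 matches no signature, because nothing in any single request is malicious, and the two probes never trip the anomaly threshold, because one request each is perfectly ordinary volume. That complementarity is the reason deployments combine both.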
