Lecture 7

Overview of Network Security

Mohamed Sharif

4/19/2012 ms

Presentation Content

2

What is Internet? What do we need to protect? Threat Motivation Attack Types Security Objectives Security mechanisms References
4/19/2012 ms

What is Internet?
The Internet is a worldwide IP network, that links collection of different networks from various sources, governmental, educational and commercial.

4/19/2012 ms

What do we need to protect

Data Resources Reputation

4/19/2012 ms

Threat Motivation

5

Spy Joyride Ignorance Score Keeper Revenge Greed Terrorist

4/19/2012 ms

Types of Attacks

Passive Active
Denial of Services Social Engineering

4/19/2012 ms

TCP 3 way handshake

Client SYN(X) Server

SYN(Y), ACK(X) Half open

ACK(Y) Full open X, Y are sequence numbers

7 4/19/2012 ms

TCP Session Hijack

Attacker

Valid TCP Connection

Server

Initiate TCP with 146.135.12.1 as source Complete TCP Connection

SYN(X) Half open SYN(Y), ACK(X)

Client, 146.135.12.1
8 4/19/2012 ms

Security Objectives
Identification Authentication Authorization Access Control Data Integrity Confidentiality Non-repudiation

4/19/2012 ms

Identification
Something which uniquely identifies a user and is called UserID. Sometime users can select their ID as long as it is given too another user. UserID can be one or combination of the following:
User Name User Student Number User SSN
10 4/19/2012 ms

Authentication
The process of verifying the identity of a user Typically based on
Something user knows
Password

Something user have

Key, smart card, disk, or other device

Something user is
fingerprint, voice, or retinal scans

11

4/19/2012 ms

Authentication Cont.
Authentication procedure
Two-Party Authentication
One-Way Authentication Two-Way Authentication

Third-Party Authentication
Kerberos X.509

Single Sign ON
User can access several network resources by logging on once to a security system.
12 4/19/2012 ms

Client

Server

UserID & Password

One-way Authentication Authenticated

ServerID & Password

Two-way Authentication

Authenticated

Two-Party Authentications

13

4/19/2012 ms

Security Server

Se

or

er rv

as sw

,P ID

nt ic at ed

ID ,P

sw as

e th Au

Cl ie

nt

Au th e

d or

ed at ic nt

Exchange Keys Client Exchange Data Server

Third-Party Authentications

14

4/19/2012 ms

Authorization
The process of assigning access right to user

15

4/19/2012 ms

Access Control
The process of enforcing access right and is based on following three entities
Subject
is entity that can access an object

Object
is entity to which access can be controlled

Access Right
defines the ways in which a subject can access an object.

16

4/19/2012 ms

Access Control Cont.

Access Control is divided into two
Discretionary Access Control (DAC)
The owner of the object is responsible for setting the access right.

Mandatory Access Control (MAC)

The system defines access right based on how the subject and object are classified.

17

4/19/2012 ms

Data Integrity.
Assurance that the data that arrives is the same as when it was sent.

18

4/19/2012 ms

Confidentiality
Assurance that sensitive information is not visible to an eavesdropper. This is usually achieved using encryption.

19

4/19/2012 ms

Non-repudiation
Assurance that any transaction that takes place can subsequently be proved to have taken place. Both the sender and the receiver agree that the exchange took place.

20

4/19/2012 ms

Security Mechanisms
Web Security Cryptographic techniques Internet Firewalls

21

4/19/2012 ms

Web Security
Basic Authentication Secure Socket Layer (SSL)

22

4/19/2012 ms

Basic Authentication
A simple user ID and password-based authentication scheme, and provides the following:
To identify which user is accessing the server To limit users to accessing specific pages (identified as Universal Resource Locators, URLs

23

4/19/2012 ms

Secure Socket Layer (SSL)

Netscape Inc. originally created the SSL protocol, but now it is implemented in World Wide Web browsers and servers from many vendors. SSL provides the following
- Confidentiality through an encrypted connection based on symmetric keys - Authentication using public key identification and verification - Connection reliability through integrity checking

There are two parts to SSL standard, as follows:

The SSL Handshake is a protocol for initial authentication and transfer of encryption keys. The SSL Record protocol is a protocol for transferring encrypted data

24

4/19/2012 ms

Secure Socket Layer Cont..

The client sends a "hello" message to the Web server, and the server responds with a copy of its digital certificate. The client decrypts the server's public key using the wellknown public key of the Certificate Authority such as VeriSign. The client generates two random numbers that will be used for symmetric key encryption, one number for the receiving channel and one for the sending channel. These keys are encrypted using the server's public key and then transmitted to the server. The client issues a challenge (some text encrypted with the send key) to the server using the send symmetric key and waits for a response from the server that is using the receive symmetric key. Optional, server authenticates client Data is exchanged across the secure channel.

25

4/19/2012 ms

Cryptographic Techniques
Secret Key Algorithm Public Key Algorithm Secure Hash Function Digital Signature Certificate Authority

26

4/19/2012 ms

Secret Key Algorithm

27

4/19/2012 ms

Public Key Algorithm

28

4/19/2012 ms

Secure Hash Function

29

4/19/2012 ms

Digital Signature

30

4/19/2012 ms

Certificate Authority

Request Bob's Public Key

Certificate Authority

Publish Public Key

Bob's Public Key Alice Cipher Text Bob

31

4/19/2012 ms

X.509 Certificate
Is a ITU-T Recommendation. Specifies the authentication service for X.500 directories X.500 specifies the directory services. Version 1 was published in 1988. Version 2 was published in 1993. Version 3 was proposed in 1994 and approved in 1997. Binds the subject (user's) name and the user's public key.
32 4/19/2012 ms

X.509 Certificate (cont..)

X09 certificate consists of the following fields:

33

Version Serial Number Algorithm Identifier Issuer name Validity period Subject name Subject public key information Issuer unique identifier (Version 2 & 3 only) Subject unique identifier (Version 2 & 3 only) Extensions (Version 3 only) Signature
4/19/2012 ms

X.509 Certificate (Cont..)

Version 1
Basic

Version 2
Adds unique identifier to prevent reuse of X.500

Version 3
Adds extension to carry additional information and some of them are

34

Distinguish different certificates Alternative to X.500 name Limit on further certification by subject Policy and Usage
4/19/2012 ms

X.509 Certificate Revocation List (CRL)

Is to prevent fraud and misuse. A certificate may be revoked for one the following reason:
The users private is compromised The user is no longer certified by this CA The CAs private key a compromised

Version 1 was published in 1988. Version 2 was published in 1997.

35

4/19/2012 ms

X.509 CRL (cont..)

X09 CRL consists of the following fields:
Version Serial Number Revocation Date Algorithm Identifier Issuer name Last update Next update Extensions (Version 2 only) Signature

36

4/19/2012 ms

Internet Firewall
A firewall is to control traffic flow between networks. Firewall uses the following techniques:
Packet Filters Application Proxy Socks servers Secure Tunnel Screened Subnet Architecture

37

4/19/2012 ms

Packet Filtering
Most commonly used firewall technique Operates at IP level Checks each IP packet against the filter rules before passing (or not passing) it on to its destination. Very fast than other firewall techniques Hard to configure

38

4/19/2012 ms

Packet Filter Cont..

Non-Secure Network

Packet Filtering Server

Secure Network

39

4/19/2012 ms

Application Proxy
Application Level Gateway The communication steps are as follows
User connects to proxy server From proxy server, user connects to destination server

Proxy server can provide

Content Screening Logging Authentication

40

4/19/2012 ms

Application (telnet) Proxy Cont..

Non-Secure Network

Telnetd Telnet Telnetd

Telnet

Secure Network

Porxy Server

41

4/19/2012 ms

SOCKS Server
Circuit-level gateways Generally for outbound TCP traffic from secure network Client code must be installed on the users machine. The communication steps are as follows:
User starts application using destination server IP address SOCKS server intercepts and authenticates the IP address and the userID SOCKS creates a second session to non-secure system

42

4/19/2012 ms

Socks Servers Cont..

NonSecure Network

Standard Server

Socks server

SockSified Client

Secure Network

43

4/19/2012 ms

Secure Tunnel Cont..

Remote Access

Business Partner Coporate Intranet

N VP
Workstation

Workstation Laptop

VPN

Router

Laptop

Router

Internet
server

server

Branch Office
VPN
Workstation

Router

Laptop

server

44

4/19/2012 ms

Secure IP Tunnel
A secure channel between the secure network and an external trusted server through a nonsecure network (e.g., Internet) Encrypts the data between the Firewall and the external trusted host Also identifies of the session partners and the messages authenticity

45

4/19/2012 ms

VPN Solutions
IP Security (IPSec) Layer 2 Tunnel Protocol (L2TP) Virtual Circuits Multi Protocol Label Switching (MPLS)

46

4/19/2012 ms

IPSec Solution
IPSec is an Internet standard for ensuring secure private communication over IP networks, and it was developed by IPSec working group of IETF IPSec implements network layer security

47

4/19/2012 ms

Principle of IPSec protocols

Authentication Header (AH)
Provides data origin authentication, data integrity and replay protection

Encapsulating Security Payload (ESP)

Provides data confidentiality, data origin authentication, data integrity and replay protection

Internet Security Association and Key Management Protocol (ISAKMP) or Internet Key Exchange (IKE)
Provides a method for automatically setting up security association and managing their cryptographic key.

Security Association (SA)

Provides all the relevant information that communicating systems need to execute the IPSec protocols.

48

4/19/2012 ms

Operation Modes of IPSec

Transport Mode
The IP payload is encrypted and the IP headers are left alone

IP Header

Payload

The IP datagram is encrypted

49

4/19/2012 ms

Operation Modes of IPSec Conti...

Tunnel Mode
The entire original IP datagram is encrypted and it becomes the payload in the new IP

New IP Header IP Header

Payload

The original IP datagram is the encrypted and is payload for the new IP header

50

4/19/2012 ms

IPSec Example
This example combines IPSec protocols and is AH in tunnel mode protecting ESP traffic in transport mode. This example assume that the SAs for communicates points have set up.
Coporate Intranet Branch Office

Workstation Workstation Laptop

G1

G2

Laptop

Internet
se rv e r H1 se rv e r H2

AH in Tunnel Mode

ESP in Transport Mode

51 4/19/2012 ms

IP Header H1 to H2

Payload

IP Header H1 to H2

ESP Hdr.

Payload Encrypted

ESP Trl. ESP Auth.

New IP Hdr. IP Header AH Hdr. H1 to H2 G1 to G2

ESP Hdr.

Payload
Encrypted

ESP Trl. ESP Auth.

Authenticated

52

4/19/2012 ms

New IP Hdr. IP Header AH Hdr. H1 to H2 G1 to G2

ESP Hdr.

Payload Encrypte d

ESP Trl. ESP Auth.

Authenticated

IP Header H1 to H2

ESP Hdr.

Payload Encrypte d

ESP Trl. ESP Auth.

IP Header H1 to H2

Payload

53

4/19/2012 ms

Screened Subnet Architecture Cont..

FTP Proxy Server

Socks Server

NonSecure Network

Packet Filtering

Screened D Subnet

Packet Filtering

Secure Network

HTTP Proxy Server

Telent Proxy Server

Demilitarized Zone (DMZ)

54

4/19/2012 ms

Screened Subnet Architecture

The DMZ (perimeter network) is set up between the secure and non-secure networks It is accessible from both networks and contains machines that act as gateways for specific applications

55

4/19/2012 ms

Firewall Conclusion
Not the complete answer
The fox is inside the henhouse Host security + User education

Cannot control back door traffic

any dial-in access Management problems

Cannot fully protect against new viruses

Antivirus on each host Machine

Needs to be correctly configured The security policy must be enforced

56

4/19/2012 ms