CSE 4482: Computer Security Management: Assessment and Forensics

Instructor: Suprakash Datta (datta[at]cse.yorku.ca) ext 77875

Lectures: Tues (CB 122), 7–10 PM

Office hours: Wed 3-5 pm (CSEB 3043), or by appointment.

Textbooks:
1. "Management of Information Security", M. E. Whitman, H. J. Mattord, Nelson Education / CENGAGE Learning, 2011, 3rd Edition
2. "Guide to Computer Forensics and Investigations", B. Nelson, A. Phillips, F. Enfinger, C. Steuart, Nelson Education / CENGAGE Learning, 2010, 4th Edition.

Managing Firewalls

• Any firewall device must have its own configuration
  – Regulates its actions
  – Regardless of firewall implementation

• Policy regarding firewall use
  – Should be articulated before the firewall is made operable

• Configuring firewall rule sets can be difficult
  – Each firewall rule must be carefully crafted, placed into the list in the proper sequence, debugged, and tested

Management of Information Security, 3rd ed.

Managing Firewalls (cont’d.)

• Configuring firewall rule sets (cont’d.)
  – Proper sequence: perform the most resource-intensive actions after the most restrictive ones
    • Reduces the number of packets that undergo intense scrutiny

• Firewalls deal strictly with defined patterns of measured observation
  – Are prone to programming errors, flaws in rule sets, and other inherent vulnerabilities

Management of Information Security, 3rd ed.

Managing Firewalls (cont’d.)

• Firewalls are designed to function within limits of hardware capacity
  – Can only respond to patterns of events that happen in an expected and reasonably simultaneous sequence

Management of Information Security, 3rd ed.

Managing Firewalls (cont’d.)

• Firewall best practices
  – All traffic from the trusted network is allowed out
  – The firewall is never accessible directly from the public network
  – Simple Mail Transport Protocol (SMTP) data is allowed to pass through the firewall
    • Should be routed to an SMTP gateway
  – All Internet Control Message Protocol (ICMP) data should be denied

Management of Information Security, 3rd ed.

Managing Firewalls (cont’d.)

• Firewall best practices (cont’d.)
  – Telnet (terminal emulation) access to all internal servers from the public networks should be blocked
  – When Web services are offered outside the firewall
    • HTTP traffic should be handled by some form of proxy access or DMZ architecture

Management of Information Security, 3rd ed.
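As an added example (not code from the slides or the textbook), the rule-ordering advice from the earlier slide and the best practices above encoded as a first-match packet filter: the cheap, restrictive rules come first and the resource-intensive proxy check last, so moving the expensive rule to the front changes no verdict but makes every packet pay for it. The network ranges, addresses and rule costs are constructed assumptions.

```python
"""First-match packet filter modelling the slides' firewall best practices
and the 'most restrictive first, most expensive last' ordering rule."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

# Constructed topology (assumption, not from the slides): a trusted LAN, a DMZ
# holding the SMTP gateway and HTTP proxy, and the firewall's own public address.
TRUSTED = ip_network("10.0.0.0/8")
FIREWALL_IP = ip_address("198.51.100.1")
SMTP_GATEWAY = ip_address("192.0.2.25")
HTTP_PROXY = ip_address("192.0.2.80")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]
    action: str                 # "allow" or "deny"
    cost: int = 1               # relative evaluation cost; 1 = a plain header check


def from_trusted(p: Packet) -> bool:
    return ip_address(p.src) in TRUSTED


def http_via_proxy(p: Packet) -> bool:
    """Stand-in for the expensive step (handing HTTP to the DMZ proxy).
    The match itself is a header check; the high cost assigned below is what
    models the 'intense scrutiny' the slide says to apply last."""
    return p.proto == "tcp" and p.dport == 80 and ip_address(p.dst) == HTTP_PROXY


# The slides' best practices as an ordered, first-match rule list.
RULES = [
    Rule("firewall itself never reachable from public",
         lambda p: ip_address(p.dst) == FIREWALL_IP and not from_trusted(p), "deny"),
    Rule("all traffic from trusted network out", from_trusted, "allow"),
    Rule("deny all ICMP", lambda p: p.proto == "icmp", "deny"),
    Rule("block telnet to internal servers",
         lambda p: p.proto == "tcp" and p.dport == 23, "deny"),
    Rule("SMTP only to the SMTP gateway",
         lambda p: p.proto == "tcp" and p.dport == 25 and ip_address(p.dst) == SMTP_GATEWAY,
         "allow"),
    Rule("HTTP via DMZ proxy (resource-intensive)", http_via_proxy, "allow", cost=50),
]
DEFAULT_ACTION = "deny"

# Same rules with the expensive check moved first: the ordering the slide warns against.
MISORDERED = [RULES[-1]] + RULES[:-1]


def evaluate(packet: Packet, rules=RULES):
    """First match wins. Returns (action, rule name, rules evaluated on the way)."""
    evaluated = []
    for rule in rules:
        evaluated.append(rule)
        if rule.match(packet):
            return rule.action, rule.name, evaluated
    return DEFAULT_ACTION, "default deny", evaluated


def verdicts(packets, rules=RULES):
    return [evaluate(p, rules)[0] for p in packets]


def deep_inspections(packets, rules=RULES):
    """Number of packets that reached the resource-intensive rule at all."""
    return sum(1 for p in packets if any(r.cost > 1 for r in evaluate(p, rules)[2]))


def total_cost(packets, rules=RULES):
    return sum(r.cost for p in packets for r in evaluate(p, rules)[2])


# Constructed sample traffic (203.0.113.0/24 plays the public Internet).
SAMPLE = [
    Packet("203.0.113.5", "198.51.100.1", "tcp", 22),   # public -> the firewall itself
    Packet("10.1.2.3", "203.0.113.9", "tcp", 443),      # trusted host going out
    Packet("203.0.113.5", "192.0.2.80", "icmp"),        # inbound ping
    Packet("203.0.113.5", "10.0.0.5", "tcp", 23),       # telnet to an internal server
    Packet("203.0.113.5", "192.0.2.25", "tcp", 25),     # mail to the SMTP gateway
    Packet("203.0.113.5", "10.0.0.25", "tcp", 25),      # mail straight to an internal host
    Packet("203.0.113.5", "192.0.2.80", "tcp", 80),     # web request to the DMZ proxy
]

if __name__ == "__main__":
    for rules, label in ((RULES, "proper order"), (MISORDERED, "expensive rule first")):
        print(f"{label}: verdicts={verdicts(SAMPLE, rules)} "
              f"deep_inspections={deep_inspections(SAMPLE, rules)} "
              f"cost={total_cost(SAMPLE, rules)}")
```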

Next: dealing with intrusions

• Intrusion detection and prevention

• Intrusion: attacker attempts to gain entry or disrupt normal operation

• Examples: password cracking, unauthorized data access, unauthorized software installation, unauthorized configuration changes, denial of service attacks

Typical intrusion steps

• Initial reconnaissance (IP addrs, names, platforms…)

• Network probes: port scanning, ping

• Breaking in: gaining access to systems

• Take over the network: install rootkits, …

• Launch main attack: steal data, modify content, denial of service attacks, …

Intrusion detection

A possible scenario (http://flylib.com/books/4/213/1/html/2/images/fig04_13.jpg)

Intrusion Detection and Prevention Systems

• The term intrusion detection/prevention system (IDPS) can be used to describe current anti-intrusion technologies

• Can detect an intrusion

• Can also prevent that intrusion from successfully attacking the organization by means of an active response

Management of Information Security, 3rd ed.

Intrusion Detection and Prevention Systems (cont’d.)

• IDPSs work like burglar alarms
  – Administrators can choose the alarm level
  – Can be configured to notify administrators via e-mail and numerical or text paging

• Like firewall systems, IDPSs require complex configurations to provide the level of detection and response desired

• Active solutions!

Management of Information Security, 3rd ed.

Intrusion Detection and Prevention Systems (cont’d.)

• The newer IDPS technologies
  – Different from older IDS technologies

• IDPS technologies can respond to a detected threat by attempting to prevent it from succeeding
  – Types of response techniques:
    • The IDPS stops the attack itself
    • The IDPS changes the security environment
    • The IDPS changes the attack’s content

Management of Information Security, 3rd ed.

Intrusion Detection and Prevention Systems (cont’d.)

IDPSs are either
• host based, to protect server or host information assets, or
• network based, to protect network information assets

IDPS detection methods
• Signature based
• Statistical anomaly based

Management of Information Security, 3rd ed.

Intrusion Detection and Prevention Systems (cont’d.)

Management of Information Security, 3rd ed.

Figure 10-9 Intrusion detection and prevention systems

Source: Course Technology/Cengage Learning

Host-based IDPS

• Resides on a particular computer or server and monitors activity only on that system

• Benchmark and monitor the status of key system files and detect when intruder creates, modifies, or deletes files

• Most HIDPSs work on the principle of configuration or change management

• Advantage over NIDPS: can usually be installed so that it can access information encrypted when traveling over network

From Principles of Information Security, Fourth Edition

Host-Based IDPS (contd.)

• Configures and classifies various categories of systems and data files

• HIDPSs provide only a few general levels of alert notification

• Unless the HIDPS is very precisely configured, benign actions can generate a large volume of false alarms

• HIDPSs can monitor multiple computers simultaneously

Management of Information Security, 3rd ed.

Advantages of HIDPSs

• Can detect local events on host systems and detect attacks that may elude a network-based IDPS

• Functions on host system, where encrypted traffic will have been decrypted and is available for processing

• Not affected by use of switched network protocols

• Can detect inconsistencies in how applications and systems programs were used by examining records stored in audit logs

From Principles of Information Security, Fourth Edition

Disadvantages of HIDPSs

• Pose more management issues
• Vulnerable both to direct attacks and attacks against host operating system
• Does not detect multi-host scanning, nor scanning of non-host network devices
• Susceptible to some denial-of-service attacks
• Can use large amounts of disk space
• Can inflict a performance overhead on its host systems

From Principles of Information Security, Fourth Edition

Network-Based IDPS

• Resides on computer or appliance connected to segment of an organization’s network; looks for signs of attacks

• Installed at specific place in the network where it can watch traffic going into and out of particular network segment

• Monitor network traffic
  – When a predefined condition occurs, notifies the appropriate administrator

Management of Information Security, 3rd ed.

Network-Based IDPS - contd

• Looks for patterns of network traffic

• Match known and unknown attack strategies against their knowledge base to determine whether an attack has occurred

• Yield many more false-positive readings than host-based IDPSs

Management of Information Security, 3rd ed.

Advantages of NIDPSs

• Good network design and placement of NIDPS can enable organization to use a few devices to monitor large network

• NIDPSs are usually passive and can be deployed into existing networks with little disruption to normal network operations

• NIDPSs not usually susceptible to direct attack and may not be detectable by attackers

From Principles of Information Security, Fourth Edition

Disadvantages of NIDPSs

• Can become overwhelmed by network volume and fail to recognize attacks

• Require access to all traffic to be monitored

• Cannot analyze encrypted packets
• Cannot reliably ascertain if attack was successful or not
• Some forms of attack are not easily discerned by NIDPSs, specifically those involving fragmented packets

From Principles of Information Security, Fourth Edition

Signature-Based IDPS

• Examines data traffic for something that matches the preconfigured, predetermined attack pattern signatures
  – Also called knowledge-based IDPS
  – The signatures must be continually updated as new attack strategies emerge
  – A weakness of this method:
    • If attacks are slow and methodical, they may slip undetected through the IDPS, as their actions may not match a signature that includes factors based on duration of the events

Management of Information Security, 3rd ed.

Statistical Anomaly-Based IDPS

• Also called behavior-based IDPS
• First collects data from normal traffic and establishes a baseline
  – Then periodically samples network activity, based on statistical methods, and compares the samples to the baseline
  – When activity falls outside the baseline parameters (clipping level), the IDPS notifies the administrator

Management of Information Security, 3rd ed.
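The slow-attack weakness of signature matching from the previous slide and the baseline-plus-clipping-level method on this one, run over a single constructed authentication log as an added example (not code from the slides or the textbook): a rate signature with a duration factor catches a burst of failed logins but misses one failure every ten minutes, while the anomaly detector flags the slow source but also a legitimate user who mistyped a password three times. Source addresses, timings, the baseline counts and the thresholds are all constructed assumptions.

```python
"""Signature-based vs. statistical anomaly-based detection on one constructed
authentication log. Events are (seconds since window start, source, outcome)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed events for one sampling window of an hour (3600 s).
EVENTS = [
    *[(100 + i, "203.0.113.7", "login_fail") for i in range(6)],   # burst: 6 fails in 6 s
    *[(600 * i, "198.51.100.9", "login_fail") for i in range(6)],  # slow: one fail per 10 min
    (500, "10.0.0.4", "login_fail"), (520, "10.0.0.4", "login_fail"),
    (540, "10.0.0.4", "login_fail"), (560, "10.0.0.4", "login_ok"),  # forgetful legitimate user
    (900, "10.0.0.8", "login_fail"), (930, "10.0.0.8", "login_ok"),  # quiet legitimate user
]

# Constructed baseline: failed logins per source per hour seen in normal traffic.
BASELINE = [0, 1, 0, 2, 1, 0, 1, 0, 1, 0]


def failures_by_source(events):
    """Timestamps of failed logins, grouped by source address and sorted."""
    fails = defaultdict(list)
    for t, src, outcome in events:
        if outcome == "login_fail":
            fails[src].append(t)
    return {src: sorted(ts) for src, ts in fails.items()}


def signature_alerts(events, count=5, window=60):
    """Signature with a duration factor: `count` failed logins from one source
    within `window` seconds. Slides over the sorted timestamps; if the
    count-th failure after any given one lands inside the window, it matches."""
    flagged = set()
    for src, ts in failures_by_source(events).items():
        for i in range(len(ts) - count + 1):
            if ts[i + count - 1] - ts[i] <= window:
                flagged.add(src)
                break
    return flagged


def clipping_level(baseline, k=3.0):
    """Baseline parameter: mean plus k standard deviations of the normal samples."""
    return mean(baseline) + k * pstdev(baseline)


def anomaly_alerts(events, baseline=BASELINE, k=3.0):
    """Behaviour-based: a source's failure count in the sampled window is
    compared to the clipping level derived from the baseline."""
    level = clipping_level(baseline, k)
    return {src for src, ts in failures_by_source(events).items() if len(ts) > level}


if __name__ == "__main__":
    print("signature alerts:", sorted(signature_alerts(EVENTS)))
    print("clipping level:   %.2f failures/hour" % clipping_level(BASELINE))
    print("anomaly alerts:  ", sorted(anomaly_alerts(EVENTS)))
```

The slow source 198.51.100.9 appears only in the anomaly output, and the legitimate host 10.0.0.4 appears there too, which is the false-positive cost the next slide lists.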

Statistical Anomaly-Based IDPS-2

Advantages:

• Able to detect new types of attacks, because it looks for abnormal activity of any type

• IDPS can detect new types of attacks

Disadvantages

• Requires much more overhead and processing capacity than signature-based

• May generate many false positives

Management of Information Security, 3rd ed.

Selecting IDPS Approaches and Products

• Technical and policy considerations
  – What is your systems environment?
  – What are your security goals and objectives?
  – What is your existing security policy?

• Organizational requirements and constraints
  – What are requirements that are levied from outside the organization?
  – What are your organization’s resource constraints?

Principles of Information Security, Fourth Edition

Selecting IDPS Approaches and Products - contd

• IDPS product features and quality
  – Is the product sufficiently scalable for your environment?
  – How has the product been tested?
  – What is the user level of expertise targeted by the product?
  – Is the product designed to evolve as the organization grows?
  – What are the support provisions for the product?

Principles of Information Security, Fourth Edition

IDPS: Strengths

• IDPSs perform the following functions well:
  – Monitoring and analysis of system events and user behaviors
  – Testing security states of system configurations
  – Baselining security state of system and tracking changes
  – Recognizing system event patterns matching known attacks
  – Recognizing activity patterns that vary from normal activity

Principles of Information Security, Fourth Edition

IDPS: Strengths - contd

• IDPSs perform the following functions well: (cont’d.)
  – Managing OS audit and logging mechanisms and data they generate
  – Alerting appropriate staff when attacks are detected
  – Measuring enforcement of security policies encoded in analysis engine
  – Providing default information security policies
  – Allowing non-security experts to perform important security monitoring functions

Principles of Information Security, Fourth Edition

IDPSs: Limitations

IDPSs cannot perform the following functions:

• Compensating for weak/missing security mechanisms in protection infrastructure
• Instantaneously detecting, reporting, responding to attack when there is heavy network or processing load
• Detecting new attacks or variants of existing attacks
• Effectively responding to attacks by sophisticated attackers
• Investigating attacks without human intervention

Principles of Information Security, Fourth Edition

IDPSs: Limitations (contd.)

IDPSs cannot perform the following functions (cont’d.):

• Resisting attacks intended to defeat or circumvent them

• Compensating for problems with fidelity of data sources

• Dealing effectively with switched networks

Principles of Information Security, Fourth Edition

Deployment and Implementation of an IDPS

An IDPS can be implemented as
• Centralized: all IDPS control functions are implemented and managed in a central location
• Fully distributed: all control functions are applied at the physical location of each IDPS component
• Partially distributed: combines the two; while individual agents can still analyze and respond to local threats, they report to a hierarchical central facility to enable organization to detect widespread attacks

Principles of Information Security, Fourth Edition

Principles of Information Security, Fourth Edition

Figure 7-4 Centralized IDPS Control

Principles of Information Security, Fourth Edition

Figure 7-5 Fully Distributed IDPS Control

Principles of Information Security, Fourth Edition

Figure 7-6 Partially Distributed IDPS Control

Deployment and Implementation of an IDPS (cont’d.)

• IDPS deployment
  – Like decision regarding control strategies, decision about where to locate elements of intrusion detection systems can be art in itself

– Planners must select deployment strategy that is based on careful analysis of organization’s information security requirements but, at the same time, causes minimal impact

– NIDPS and HIDPS can be used in tandem to cover both individual systems that connect to an organization’s networks and networks themselves

Principles of Information Security, Fourth Edition

Deploying network-based IDPSs

NIST recommends four locations for NIDPS sensors:

• Location 1: Behind each external firewall, in the network DMZ
• Location 2: Outside an external firewall
• Location 3: On major network backbones
• Location 4: On critical subnets

Principles of Information Security, Fourth Edition

Deploying host-based IDPSs

• Proper implementation of HIDPSs can be a painstaking and time-consuming task

• Deployment begins with implementing most critical systems first

• Installation continues until either all systems are installed or the organization reaches planned degree of coverage it is willing to live with

Principles of Information Security, Fourth Edition

Measuring IDPS Effectiveness

• IDPSs are evaluated using four dominant metrics: thresholds, blacklists and whitelists, alert settings, and code viewing and editing

• Evaluation of IDPS might read: at 100 Mb/s, IDS was able to detect 97% of directed attacks

• Since developing the collection of test attacks needed for such an evaluation can be tedious, most IDPS vendors provide testing mechanisms that verify systems are performing as expected

Principles of Information Security, Fourth Edition

Measuring IDPS Effectiveness - 2

• Some of these testing processes will enable the administrator to:
  – Record and retransmit packets from a real virus or worm scan
  – Record and retransmit packets from a real virus or worm scan with incomplete TCP/IP session connections (missing SYN packets)
  – Conduct a real virus or worm scan against an invulnerable system

Principles of Information Security, Fourth Edition

Managing IDPS

• If there is no response to an alert, then an alarm does no good

• IDPSs must be configured to differentiate between routine circumstances and low, moderate, or severe threats

• A properly configured IDPS can translate a security alert into different types of notifications
  – A poorly configured IDPS may yield only noise

Management of Information Security, 3rd ed.

Managing IDPS – contd.

• Most IDPSs monitor systems using agents
  – Software that resides on a system and reports back to a management server

• Consolidated enterprise manager
  – Software that allows the security professional to collect data from multiple host- and network-based IDPSs and look for patterns across systems and subnetworks
    • Collecting responses from all IDPSs
    • Used to identify cross-system probes and intrusions

Management of Information Security, 3rd ed.

Wireless Networking Protection

• Most organizations that make use of wireless networks use an implementation based on the IEEE 802.11 protocol

• The size of a wireless network’s footprint
  – Depends on the amount of power the transmitter/receiver wireless access points (WAP) emit
  – Sufficient power must exist to ensure quality connections within the intended area
    • But not allow those outside the footprint to connect

Management of Information Security, 3rd ed.

Wireless Networking Protection - 2

• War driving
  – Moving through a geographic area or building, actively scanning for open or unsecured WAPs

• Common encryption protocols used to secure wireless networks
  – Wired Equivalent Privacy (WEP)
  – Wi-Fi Protected Access (WPA)

Management of Information Security, 3rd ed.

Wired Equivalent Privacy (WEP)

• Provides a basic level of security to prevent unauthorized access or eavesdropping

• Does not protect users from observing each others’ data

• Has several fundamental cryptological flaws
  – Resulting in vulnerabilities that can be exploited, which led to replacement by WPA

Management of Information Security, 3rd ed.

Wi-Fi Protected Access (WPA)

• WPA is an industry standard
  – Created by the Wi-Fi Alliance

• Some compatibility issues with older WAPs

• IEEE 802.11i
  – Has been implemented in products such as WPA2
    • WPA2 has newer, more robust security protocols based on the Advanced Encryption Standard
  – WPA/WPA2 provide increased capabilities for authentication, encryption, and throughput

Management of Information Security, 3rd ed.

Wi-Max

• Wi-Max (WirelessMAN)
  – An improvement on the technology developed for cellular telephones and modems
  – Developed as part of the IEEE 802.16 standard
  – A certification mark that stands for Worldwide Interoperability for Microwave Access

Management of Information Security, 3rd ed.

Bluetooth

• A de facto industry standard for short range (approx 30 ft) wireless communications between devices

• The Bluetooth wireless communications link can be exploited by anyone within range
  – Unless suitable security controls are implemented

• In discoverable mode devices can easily be accessed
  – Even in nondiscoverable mode, the device is susceptible to access by other devices that have connected with it in the past

Management of Information Security, 3rd ed.

Bluetooth (cont’d.)

• Does not authenticate connections
  – It does implement some degree of security when devices access certain services like dial-up accounts and local-area file transfers

• To secure Bluetooth enabled devices:
  – Turn off Bluetooth when you do not intend to use it
  – Do not accept an incoming communications pairing request unless you know who the requestor is

Management of Information Security, 3rd ed.

Managing Wireless Connections

• One of the first management requirements is to regulate the size of the wireless network footprint
  – By adjusting the placement and strength of the WAPs

• Select WPA or WPA2 over WEP

• Protect preshared keys

Management of Information Security, 3rd ed.

Honeypots, Honeynets, and Padded Cell Systems

• Honeypots: decoy systems designed to lure potential attackers away from critical systems

• Honeypots are designed to:
  – Divert attacker from accessing critical systems
  – Collect information about attacker’s activity
  – Encourage attacker to stay on system long enough for administrators to document event and, perhaps, respond

• Honeynets: collection of honeypots connecting several honeypot systems on a subnet

Principles of Information Security, Fourth Edition

Honeypots, Honeynets, and Padded Cell Systems (contd.)

• Padded cell: honeypot that has been protected so it cannot be easily compromised

• In addition to attracting attackers with tempting data, a padded cell operates in tandem with a traditional IDPS

• When the IDPS detects attackers, it seamlessly transfers them to a special simulated environment where they can cause no harm—the nature of this host environment is what gives the approach the name padded cell

Principles of Information Security, Fourth Edition

Honeypots, Honeynets, and Padded Cell Systems (contd.)

Advantages

• Attackers can be diverted to targets they cannot damage
• Administrators have time to decide how to respond to attacker
• Attackers’ actions can be easily and more extensively monitored, and records can be used to refine threat models and improve system protections
• Honeypots may be effective at catching insiders who are snooping around a network

Principles of Information Security, Fourth Edition

Honeypots, Honeynets, and Padded Cell Systems (cont’d.)

Disadvantages

• Legal implications of using such devices are not well defined
• Honeypots and padded cells have not yet been shown to be generally useful security technologies
• Expert attacker, once diverted into a decoy system, may become angry and launch a more hostile attack against an organization’s systems
• Administrators and security managers need a high level of expertise to use these systems

Principles of Information Security, Fourth Edition

Trap and Trace Systems

• Use combination of techniques to detect an intrusion and trace it back to its source

• Trap usually consists of honeypot or padded cell and alarm

• Legal drawbacks to trap and trace
  – Enticement: process of attracting attention to system by placing tantalizing bits of information in key locations
  – Entrapment: action of luring an individual into committing a crime to get a conviction
  – Enticement is legal and ethical, entrapment is not

Principles of Information Security, Fourth Edition

Active Intrusion Prevention

• Some organizations implement active countermeasures to stop attacks

• One tool (LaBrea) takes up unused IP address space to pretend to be a computer and allow attackers to complete a connection request, but then holds connection open

Principles of Information Security, Fourth Edition

Scanning and Analysis Tools

• Used to find vulnerabilities in systems
  – Holes in security components, and other unsecured aspects of the network

• Conscientious administrators frequently browse for new vulnerabilities, recent conquests, and favorite assault techniques

• Security administrators may use attacker’s tools to examine their own defenses and search out areas of vulnerability

Management of Information Security, 3rd ed.

Page 58

Scanning and Analysis Tools (contd.)

Scanning tools: collect the information that an attacker needs

• Footprinting: the organized research of the Internet addresses owned by a target organization (DNS, WHOIS, routing registries, public web content)
• Fingerprinting: the systematic examination of each of the organization’s network addresses (which hosts are up, which services they run, which OS they run); yields useful information about attack targets

Management of Information Security, 3rd ed.

Page 59

Principles of Information Security, Fourth Edition

Figure 7-9 Sam Spade

Page 60

Scanning and Analysis Tools

• Port mappers

• Network mappers

• Firewall analysis

• OS detection tools

• Vulnerability scanners

• Packet sniffers

• Wireless sniffers

• Password crackers

Page 61

Port Scanners

• A port is a 16-bit number that identifies a transport-layer (TCP or UDP) endpoint on a host; in the textbook's words, a network channel or connection point in a data communications system
• Port scanning utilities (port scanners) identify computers that are active on a network, their open ports and listening services, the functions and roles the machines fulfil, and other useful information

Management of Information Security, 3rd ed.

Page 62

Port Scanners (cont’d.)

Table 10-5 Commonly used port numbers (table not reproduced in this transcript)

Source: Course Technology/Cengage Learning

Management of Information Security, 3rd ed.

Page 63

Port Scanners (contd.)

• Well-known ports: 0 through 1023
• Registered ports: 1024 through 49151
• Dynamic and private ports: 49152 through 65535
• Open ports must be secured: an open port can be used to send commands to a computer, gain access to a server, or exert control over a networking device

Management of Information Security, 3rd ed.
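The following is an added example (not from the textbook or the slides) of the connect() scan the last three slides describe, written in Python against the standard library only. It classifies each port as open, closed or filtered from the kernel's connect() result, labels it with the IANA range quoted above and the service name from the local services database, and opens a loopback listener so the demo has something to find. The listener, the demo port list and the `open_listener` helper are the example's own assumptions, not part of any tool on the page.

```python
import errno
import socket


def scan_ports(host, ports, timeout=0.5):
    """TCP connect() scan of the given ports on host.

    Returns {port: state} where state is
      'open'     - the three-way handshake completed (something is listening),
      'closed'   - the host answered with RST (connect() -> ECONNREFUSED),
      'filtered' - no answer before the timeout, the usual sign of a firewall
                   silently dropping the SYN.
    A connect() scan needs no raw-socket privilege, but it completes the
    handshake, so the target application sees and may log the connection.
    """
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                rc = s.connect_ex((host, port))
            except OSError:          # includes socket.timeout
                rc = errno.ETIMEDOUT
        if rc == 0:
            results[port] = "open"
        elif rc == errno.ECONNREFUSED:
            results[port] = "closed"
        else:
            results[port] = "filtered"
    return results


def service_name(port, proto="tcp"):
    """Name from the local services database (/etc/services), or '?'."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return "?"


def port_class(port):
    """IANA range the port falls in (the ranges quoted on the slide)."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def report(host, results):
    """One text line per scanned port, sorted by port number."""
    return [
        f"{host}:{port:<5} {results[port]:<8} {port_class(port):<15} {service_name(port)}"
        for port in sorted(results)
    ]


def open_listener():
    """Demo fixture (assumption): listen on an ephemeral loopback port.
    Returns (socket, port) so the caller can close it when done."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    # Constructed demo: one open port we control plus a few well-known ones.
    listener, demo_port = open_listener()
    for line in report("127.0.0.1", scan_ports("127.0.0.1", [22, 80, 443, demo_port])):
        print(line)
    listener.close()
```

Against a remote target, a long run of "filtered" results with no "closed" ones means a firewall is dropping rather than rejecting; that distinction is what the firewall-analysis slides below build on.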

Page 64

Network mappers

• Mostly use ICMP echo (ping) sweeps to find live hosts; where ICMP is filtered, TCP SYN/ACK probes or ARP requests on the local segment are used instead
• Most port scanners can be used as network mappers, e.g. Nmap, LanState

Page 65

Firewall Analysis

• Several tools automate remote discovery of firewall rules and assist the administrator in analyzing them
• Administrators who feel wary of using the same tools that attackers use should remember:
  – It is the intent of the user that dictates how the information gathered will be used
  – To defend a computer or network well, it is necessary to understand the ways it can be attacked
• A tool that helps close up an open or poorly configured firewall helps the network defender minimize the risk of attack

Principles of Information Security, Fourth Edition

Page 66

Firewall Analysis – contd.

"Firewalking" steps:
• Network discovery: traceroute to a host inside the network to learn the hop count (TTL) to the firewall
• Scanning: send TCP/UDP probes to the target ports with the TTL set to one hop past the firewall. If the firewall passes a probe, the next hop behind it (the "binding" host) answers with ICMP Time Exceeded (type 11), revealing that the port is allowed; if the firewall drops the probe, nothing comes back
• Works only while the firewall forwards the probes and does not filter the returning ICMP Time Exceeded messages; a stateful firewall that drops unsolicited probes defeats it
• E.g. Firewalk

Page 67

OS Detection Tools

• Detecting a target computer’s operating system (OS) is very valuable to an attacker

• There are many tools that use networking protocols to determine a remote computer’s OS, e.g. Nmap, Xprobe

• Strategies: passive fingerprinting, active fingerprinting

Principles of Information Security, Fourth Edition

Page 68

Active fingerprinting

• Find out more about a host from how its TCP/IP stack responds to crafted probes:
• TCP FIN probing: RFC 793 says a FIN sent to an open port with no established connection should be ignored; MS Windows responds with a RST packet
• TCP Initial Sequence Number: some OSes choose random values; older Windows versions generated it from the system clock
• TCP initial window size: Linux 2.4 advertises 5840 bytes, Linux 2.2 32120 bytes
• IP ID sampling: MS Windows uses a predictable, incrementing sequence; Linux does not
• ICMP error message quoting: Linux quotes more of the offending packet than the minimum the RFC requires (IP header plus 8 bytes)

Page 69

Passive fingerprinting

Information gathered by sniffing traffic, without sending any probe:
• TTL in IP packets: Linux normally starts at 64, MS Windows at 128 (an observed value is rounded up to the nearest initial value; the difference is the hop count to the sender)
• Don’t Fragment bit in the IP header: most OSes set it to 1, OpenBSD to 0
• Type of Service field in the IP header: normally 0, non-zero on some OSes

Generally less precise than active probing and dependent on the traffic pattern, but it leaves no trace on the target
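An added example, not part of the slides, that implements the passive side of the last two slides in Python: it parses an IPv4/TCP SYN, pulls out the TTL, DF bit, ToS, IP ID, window size and TCP options that fingerprinters key on, rounds the TTL up to its initial value to estimate the hop count, and matches the tuple against a small signature table. The table is illustrative: the Linux 2.4/2.2 window sizes and the 64/128 initial TTLs come from the slides, the Windows and OpenBSD rows are assumptions, and the sample packets are constructed by `build_syn`, not captured. Real tools (p0f, Nmap) use far richer signatures, including option order, MSS and window scaling.

```python
import struct

# Illustrative signature table: (name, initial TTL, DF bit, window size).
# Linux rows and the 64/128 TTLs are from the slides; the others are assumptions.
SIGNATURES = [
    ("Linux 2.4",  64,  True,  5840),
    ("Linux 2.2",  64,  True,  32120),
    ("Windows XP", 128, True,  65535),
    ("Windows 7",  128, True,  8192),
    ("OpenBSD",    64,  False, 16384),
]


def initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value."""
    for start in (32, 64, 128, 255):
        if ttl <= start:
            return start
    return 255


def parse_tcp_options(raw):
    """Decode the TCP option list; tolerates truncated/malformed lists."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP padding
            i += 1
            continue
        if i + 1 >= len(raw):
            break
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            break                          # malformed option
        body = raw[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:
            opts["wscale"] = body[0]
        elif kind == 4:
            opts["sack_ok"] = True
        elif kind == 8:
            opts["timestamps"] = True
        i += length
    return opts


def parse_ipv4_tcp(pkt):
    """Extract the header fields the fingerprinting slides rely on."""
    if len(pkt) < 40:
        raise ValueError("truncated packet")
    (ver_ihl, tos, _total, ip_id, flags_frag, ttl,
     proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not IPv4/TCP")
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    (_sp, _dp, _seq, _ack, off_flags, window,
     _tcsum, _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    return {
        "ttl": ttl, "df": bool(flags_frag & 0x4000), "tos": tos, "ip_id": ip_id,
        "window": window, "syn": bool(off_flags & 0x02), "ack": bool(off_flags & 0x10),
        "options": parse_tcp_options(tcp[20:data_off]),
    }


def fingerprint(pkt):
    """Passive guess from one SYN: (os_name or None, estimated hop count)."""
    f = parse_ipv4_tcp(pkt)
    start = initial_ttl(f["ttl"])
    hops = start - f["ttl"]
    for name, ittl, df, window in SIGNATURES:
        if (ittl, df, window) == (start, f["df"], f["window"]):
            return name, hops
    return None, hops


def build_syn(ttl, df, window, tos=0, ip_id=0, mss=None):
    """Constructed sample SYN (checksums left zero); not a captured frame."""
    opts = struct.pack("!BBH", 2, 4, mss) if mss is not None else b""
    data_off = 5 + len(opts) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0,
                      (data_off << 12) | 0x02, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(tcp), ip_id,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


if __name__ == "__main__":
    for label, pkt in [
        ("linux-2.4, 6 hops away", build_syn(58, True, 5840, mss=1460)),
        ("windows-7, 9 hops away", build_syn(119, True, 8192, mss=1460)),
        ("openbsd, local segment", build_syn(64, False, 16384)),
    ]:
        print(label, "->", fingerprint(pkt))
```

The hop-count estimate is the part worth keeping even when no signature matches: a SYN claiming to come from the local subnet but arriving with TTL 53 has crossed eleven routers, which is a spoofing indicator in its own right.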

Page 70

OS detection countermeasures

• Modify the host's responses to the network events/packets that fingerprinters key on
• Morph, IP Scrubber: "scrub" OS-related information out of outgoing packets (normalizing TTL, window size, options and ICMP behaviour); the same idea is built into the packet-normalization ("scrub") features of firewalls such as OpenBSD pf today
• IP Personality (http://ippersonality.sourceforge.net), a Linux 2.4-era kernel patch that lets a host emulate another OS's stack behaviour
• None of these hides an OS from an attacker who can read a service banner; restricting what is reachable does more than disguising the stack

Page 71

Vulnerability Scanners

• Capable of scanning networks for very detailed information

• Variants of port scanners

• Identify exposed user names and groups, show open network shares, and expose configuration problems and other server vulnerabilities

Management of Information Security, 3rd ed.

Page 72

Vulnerability Scanners - 2

• Nessus: open source until 2005; now a commercial product from Tenable with a free, limited-scope edition for home use
• Used by over 75000 companies (vendor figure as quoted by the textbook)
• Versions for Unix/Linux, Mac, Windows
• Detects open ports, mis-configurations, missing patches, default passwords, and the presence of viruses and back-door programs; credentialed scans (the scanner logs in to the host) find far more than unauthenticated network scans

Management of Information Security, 3rd ed.

Page 73

Packet Sniffers

• A network tool that collects and analyzes packets on a network; it can be used to eavesdrop on network traffic
• Connects directly to a local network from an internal location
• To use a packet sniffer legally, you must:
  – Be on a network that the organization owns
  – Be directly authorized by the network’s owners
  – Have the knowledge and consent of the users
  – Have a justifiable business reason for doing so

Management of Information Security, 3rd ed.

Page 74

Packet Sniffers - 2

• Any network card can be switched to "promiscuous" mode to capture every frame that reaches it; on a switched LAN that is only the host's own traffic plus broadcasts, so capturing other hosts' traffic needs a SPAN/mirror port, a network tap, or an attack on the switch (ARP spoofing, MAC flooding)
• Simply tapping into traffic on networks you do not own is, in most jurisdictions, a violation of wiretapping laws
• Example: Wireshark (tcpdump for command-line capture)

Management of Information Security, 3rd ed.

Page 75

Wireless Sniffers

• Wireless sniffing is much easier than wired sniffing: the medium is shared, so a card in monitor mode captures every frame in range without joining the network
• Passive capture is very difficult to detect, since the sniffer transmits nothing and leaves no traceable evidence; note that NetStumbler is an active scanner (it sends probe requests) and can be spotted by a wireless IDS
• Examples: NetStumbler (active), Kismet (passive)

Management of Information Security, 3rd ed.

Page 76

Password Crackers

Most systems store password hashes, not passwords (the "encrypted passwords" of the textbook are one-way hashes).
• MS Windows keeps them in the SAM database under C:\Windows\System32\config
• The SAM cannot be read directly while Windows is running, BUT the hashes can be extracted with tools such as LCP, pwdump or fgdump (all require Administrator privilege)
• The hash algorithm is known: the NT hash used by Windows 7 (commonly called the NTLM hash) is MD4 over the UTF-16LE password, with no salt
• It is case sensitive, unlike the older LM hash, which upper-cased the password before hashing

Page 77

Password Crackers – contd.

Attack types
• Brute force: tries every combination; very slow
• Dictionary attack: only common dictionary words (and simple variations) are tried
• Precomputed dictionary attack (lookup or rainbow tables): the hashes are computed once and reused, saving the time required for hashing; it works against the NT hash because the hash has no salt
• E.g. Cain & Abel ("Cain"); some virus scanners detect it as malware (Microsoft Security Essentials: "Tool: This program has potentially unwanted behavior")
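An added example, not the course's or any tool's code, covering both password slides: a pure-Python MD4 (hashlib's MD4 is frequently disabled in OpenSSL 3 builds), the NT hash as MD4 over the UTF-16LE password, a parser for the user:RID:LM hash:NT hash::: line format that pwdump and fgdump emit, a precomputed dictionary attack that cracks an unsalted dump with one table lookup per account, and a salted, iterated hash (PBKDF2) to show why the precomputed table then stops working. The dump, the word list and carol's hash are constructed for the demo.

```python
import hashlib
import os
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data):
    """MD4 (RFC 1320) in pure Python; hashlib's md4 is often unavailable."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)           # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                                              # round 1
            a = _rotl((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                              # round 2
            a = _rotl((a + G(b, c, d) + X[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                              # round 3
            a = _rotl((a + H(b, c, d) + X[R3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password):
    """NT hash as stored in the SAM: MD4 over UTF-16LE, no salt, case-sensitive."""
    return md4(password.encode("utf-16le")).hex()


def parse_pwdump(text):
    """pwdump/fgdump line format: user:RID:LM hash:NT hash:::  -> {user: nt_hash}"""
    creds = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[3]:
            creds[parts[0]] = parts[3].lower()
    return creds


def precompute(wordlist):
    """Precomputed dictionary: hash each candidate once, reuse for every dump."""
    return {nt_hash(w): w for w in wordlist}


def crack_unsalted(creds, table):
    """Unsalted hashes fall to one table lookup per account."""
    return {user: table.get(h) for user, h in creds.items()}


def salted_hash(password, salt):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256) as a contrast to the NT hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-16le"), salt, 100_000).hex()


def crack_salted(target, salt, wordlist):
    """With a per-user salt the table is useless: every candidate is hashed
    again for every user. Returns (word or None, hashes computed)."""
    for n, w in enumerate(wordlist, 1):
        if salted_hash(w, salt) == target:
            return w, n
    return None, len(wordlist)


# Constructed sample dump (not from a real system). The LM field carries the
# "no LM hash stored" marker that modern Windows emits; carol's NT hash is
# generated here from a password that is deliberately absent from WORDLIST.
SAMPLE_DUMP = f"""\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
carol:1003:aad3b435b51404eeaad3b435b51404ee:{nt_hash("S3cret!")}:::
"""
WORDLIST = ["", "123456", "password", "letmein", "Password", "qwerty"]

if __name__ == "__main__":
    creds = parse_pwdump(SAMPLE_DUMP)
    print(crack_unsalted(creds, precompute(WORDLIST)))
    salt = os.urandom(16)
    print(crack_salted(salted_hash("letmein", salt), salt, WORDLIST))
```

Two things the dump makes visible without any cracking: Administrator and alice have identical NT hashes, so they share a password (no salt means equal passwords give equal hashes), and bob's hash is the well-known value of the empty password.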

Page 78

Managing Scanning and Analysis Tools

• The security manager must be able to see the organization’s systems and networks from the viewpoint of potential attackers
  – The security manager should develop a program to periodically scan his or her own systems and networks for vulnerabilities with the same tools that a typical hacker might use
• Using in-house resources, contractors, or an outsourced service provider

Management of Information Security, 3rd ed.

Page 79

Managing Scanning and Analysis Tools (cont’d.)

• Drawbacks:
  – Tools do not have human-level capabilities
  – Most tools function by pattern recognition, so they only handle known issues
  – Most tools are computer-based, so they are prone to errors, flaws, and vulnerabilities of their own
  – Tools are designed, configured, and operated by humans and are subject to human errors

Management of Information Security, 3rd ed.

Page 80

Managing Scanning and Analysis Tools (cont’d.)

• Drawbacks (cont’d.):
  – Some governments, agencies, institutions, and universities have established policies or laws that protect the individual user’s right to access content
  – Tool usage and configuration must comply with an explicitly articulated policy, and the policy must provide for valid exceptions

Management of Information Security, 3rd ed.

Page 81

Other measures

• Content filters

• Cryptographic tools

Page 82

Content Filters

• Protect systems from misuse and from unintentional denial-of-service conditions
• A software program or a hardware/software appliance that allows administrators to restrict the content that comes into a network
• Common applications of a content filter:
  – Restriction of access to Web sites with non-business-related material, such as pornography, or restriction of spam e-mail
  – Content filters help ensure that employees are using network resources appropriately

Management of Information Security, 3rd ed.

Page 83

Using Cryptographic Controls

• Modern cryptosystems can generate ciphertext that is computationally infeasible to break
  – But only when the proper key management infrastructure has been constructed and when the cryptosystems are operated and managed correctly; in practice systems fail through weak keys, poor key handling and implementation mistakes, not through the cipher itself

Management of Information Security, 3rd ed.

Page 84

Using Cryptographic Controls (cont’d.)

• Cryptographic controls can be used to support several aspects of the business:
  – Confidentiality and integrity of e-mail and its attachments
  – Authentication, confidentiality, integrity, and nonrepudiation of e-commerce transactions
  – Authentication and confidentiality of remote access through VPN connections
  – A higher standard of authentication when used to supplement access control systems

Management of Information Security, 3rd ed.

Page 85

Using Cryptographic Controls

• Secure Multipurpose Internet Mail Extensions (S/MIME)
  – Builds on the Multipurpose Internet Mail Extensions (MIME) encoding format
  – Adds encryption and authentication via digital signatures based on public key cryptosystems (X.509 certificates)
• Privacy Enhanced Mail (PEM)
  – Proposed by the Internet Engineering Task Force (IETF) as a standard that would function with public key cryptosystems
  – Uses DES/3DES symmetric key encryption and RSA for key exchange and digital signatures
  – Never widely deployed; superseded in practice by S/MIME and PGP

Management of Information Security, 3rd ed.

Page 86

Using Cryptographic Controls (cont’d.)

• Pretty Good Privacy (PGP)
  – Developed by Phil Zimmermann
  – The original versions used the IDEA cipher: a symmetric block cipher with a 128-bit key and 64-bit blocks for message encryption (current OpenPGP implementations default to AES)
  – Like PEM, it uses RSA for symmetric key exchange and to support digital signatures: a hybrid scheme in which the message is encrypted under a fresh random symmetric key and only that key is encrypted with the recipient's public key

Management of Information Security, 3rd ed.

Page 87

Using Cryptographic Controls

• IP Security (IPSec)
  – The primary and dominant cryptographic authentication and encryption standard of the IETF’s IP Security Working Group
  – Combines several different cryptosystems:
    • Diffie-Hellman key exchange for deriving key material between peers on a public network
    • Public key cryptography for signing the Diffie-Hellman exchanges to guarantee the identity of the two parties (an unsigned exchange can be silently intercepted by a man in the middle)
    • Bulk encryption algorithms for encrypting the data: the textbook cites DES, which is now deprecated; current deployments use AES
    • Digital certificates signed by a certificate authority to act as digital ID cards

Management of Information Security, 3rd ed.
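An added example, not from the textbook, for the Diffie-Hellman bullets above, in Python with only the standard library. It reconstructs the 2048-bit MODP group (RFC 3526 group 14) from the formula the RFC gives, checks the parameters with Miller-Rabin, runs an honest exchange, and then shows what the signing step prevents: without authentication of the public values, Mallory completes a separate exchange with each side and ends up holding both keys. The private-exponent size, the SHA-256 key derivation and the peer names are the example's own choices; IKE's signing of the exchange is left to the prose because the standard library has no RSA.

```python
import hashlib
import os


def _arctan_inv(x, scale):
    """arctan(1/x) * scale in integer arithmetic (alternating series)."""
    total, term, k, x2 = 0, scale // x, 0, x * x
    while term:
        q = term // (2 * k + 1)
        total += -q if k % 2 else q
        term //= x2
        k += 1
    return total


def pi_floor_bits(n):
    """floor(pi * 2**n) via Machin's formula, computed with 64 guard bits."""
    scale = 1 << (n + 64)
    return (16 * _arctan_inv(5, scale) - 4 * _arctan_inv(239, scale)) >> 64


# RFC 3526 group 14 (2048-bit MODP), built from the formula in the RFC:
#   p = 2^2048 - 2^1984 - 1 + 2^64 * ( floor(2^1918 * pi) + 124476 ),  g = 2
P = 2**2048 - 2**1984 - 1 + 2**64 * (pi_floor_bits(1918) + 124476)
G = 2
Q = (P - 1) // 2      # p is a safe prime, so g generates a subgroup of prime order q


def is_probable_prime(n, rounds=4):
    """Miller-Rabin; sanity-check group parameters you did not generate yourself."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + int.from_bytes(os.urandom(32), "big") % (n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


class DHPeer:
    """One side of an unauthenticated Diffie-Hellman exchange."""

    def __init__(self, name):
        self.name = name
        # A 256-bit private exponent is ample for a 2048-bit group (assumption).
        self.priv = int.from_bytes(os.urandom(32), "big") | 1
        self.pub = pow(G, self.priv, P)

    def shared_key(self, peer_pub):
        # Reject degenerate values (0, 1, p-1) and anything outside the order-q
        # subgroup; skipping this check enables small-subgroup attacks.
        if not 1 < peer_pub < P - 1 or pow(peer_pub, Q, P) != 1:
            raise ValueError("invalid peer public value")
        secret = pow(peer_pub, self.priv, P)
        # Key material is derived from the shared secret, never used raw.
        return hashlib.sha256(secret.to_bytes(256, "big")).digest()


def honest_exchange():
    alice, bob = DHPeer("alice"), DHPeer("bob")
    return alice.shared_key(bob.pub), bob.shared_key(alice.pub)


def mitm_exchange():
    """Mallory replaces each public value in flight with her own."""
    alice, bob, mallory = DHPeer("alice"), DHPeer("bob"), DHPeer("mallory")
    k_alice = alice.shared_key(mallory.pub)        # Alice believes this is Bob's value
    k_bob = bob.shared_key(mallory.pub)            # Bob believes this is Alice's value
    k_mal_with_alice = mallory.shared_key(alice.pub)
    k_mal_with_bob = mallory.shared_key(bob.pub)
    return k_alice, k_bob, k_mal_with_alice, k_mal_with_bob


if __name__ == "__main__":
    print("group parameters prime:", is_probable_prime(P) and is_probable_prime(Q))
    ka, kb = honest_exchange()
    print("honest peers agree:", ka == kb)
    ka, kb, ma, mb = mitm_exchange()
    print("MITM holds Alice's key:", ka == ma, "Bob's key:", kb == mb, "peers agree:", ka == kb)
```

IKE closes the gap shown by `mitm_exchange` by having each peer sign its public value and nonces with a key bound to a certificate (or prove a pre-shared key); Mallory cannot produce Bob's signature over her own value, so Alice's check fails before any key is used.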

Page 88

Using Cryptographic Controls (cont’d.)

• IPSec has two components:
  – The IP Security protocols (AH for integrity and origin authentication, ESP for encryption plus integrity): specify the information added to an IP packet and how the packet data is protected
  – The Internet Key Exchange (IKE), which authenticates the peers, runs the Diffie-Hellman exchange, and negotiates the security associations (algorithms, keys, lifetimes)

Management of Information Security, 3rd ed.

Page 89

Using Cryptographic Controls (cont’d.)

• IPSec works in two modes of operation:
  – Transport
    • Only the IP payload is encrypted, not the IP header itself
    • Allows intermediate nodes to read the source and destination addresses
  – Tunnel
    • The entire IP packet is encrypted and inserted as the payload in another IP packet
    • Often used to support a virtual private network (gateway to gateway)

Management of Information Security, 3rd ed.

Page 90

Using Cryptographic Controls (cont’d.)

• Secure Electronic Transactions (SET)
  – Developed by MasterCard and VISA to provide protection from electronic payment fraud
  – Encrypted credit card transfers with DES for encryption and RSA for key exchange; it never gained adoption and is no longer in use
• Secure Sockets Layer (SSL)
  – Developed by Netscape in the mid-1990s to provide security for e-commerce transactions; succeeded by TLS, and every SSL version is now deprecated
  – Used RSA for key transfer, with IDEA, DES, or 3DES for the symmetric encryption of the data; modern TLS uses ephemeral (EC)DH key exchange with AES or ChaCha20

Management of Information Security, 3rd ed.

Page 91

Using Cryptographic Controls

• Secure Hypertext Transfer Protocol (S-HTTP)
  – Provided secure e-commerce transactions and encrypted Web pages for data transfer over the Web, using a choice of algorithms; distinct from HTTPS (HTTP over SSL/TLS), which won out, and now obsolete
• Secure Shell (SSH)
  – Provides security for remote access connections over public networks by using tunneling and authentication services between a client and a server
  – Used to secure replacements for terminal emulation (telnet, rlogin), remote management, and file transfer applications (scp, sftp)

Management of Information Security, 3rd ed.

Page 92

Using Cryptographic Controls (cont’d.)

• Cryptosystems provide enhanced and secure authentication
  – One approach is provided by Kerberos, which uses symmetric key encryption to validate an individual user’s access to various network resources
  – Keeps a database containing the secret (symmetric) keys of the clients and servers in the authentication domain (realm) that it supervises

Management of Information Security, 3rd ed.

Page 93

Using Cryptographic Controls (cont’d.)

• Cryptosystems provide enhanced and secure authentication (cont’d.)
  – Because the Kerberos key distribution center (KDC) knows these secret keys, it can authenticate one network node (client or server) to another
  – Kerberos also generates temporary session keys: symmetric keys issued to the two parties in a conversation, delivered inside the ticket, so the long-term keys are never sent over the network

Management of Information Security, 3rd ed.

Page 94

Managing Cryptographic Controls

• Don’t lose your keys
• Know who you are communicating with
• It may be illegal to use a specific encryption technique when communicating with some nations
• Every cryptosystem has weaknesses
• Give access only to those with a business need
• When placing trust in a certificate authority, ask "Who watches the watchers?"

Management of Information Security, 3rd ed.

Page 95

Managing Cryptographic Controls (cont’d.)

• There is no security in obscurity
• Security protocols and the cryptosystems they use are installed and configured by humans; they are only as good as their installers
• Make sure that your organization’s use of cryptography is based on well-constructed policy and supported with sound management procedures

Management of Information Security, 3rd ed.

Page 96

Summary

• Introduction

• Access controls

• Firewalls

• Intrusion detection and prevention systems

• Wireless network protection

• Scanning and analysis tools

• Cryptography

Management of Information Security, 3rd ed.