NCC Network Security Handout


Topic 1 – Cryptography Fundamentals Network Security and Cryptography

V1.0 Visuals Handout – Page 1

© NCC Education Limited V1.0

Network Security and Cryptography
Topic 1: Cryptography Fundamentals

Topic 1 – Lecture 1: Module Overview & Overview of Security

Cryptography Fundamentals Topic 1 - 1.3
Scope and Coverage
This topic will cover:
• Introduction to module
• Overview of security
• Overview of cryptography
• Block ciphers
• Public-key ciphers
• Hash algorithms

Cryptography Fundamentals Topic 1 - 1.4
Learning Outcomes
By the end of this topic students will be able to:
• Explain the most common types of cryptographic algorithm (i.e. block ciphers, public-key ciphers and hash algorithms)
• Select and justify an appropriate algorithm for a particular purpose

Cryptography Fundamentals Topic 1 - 1.5
Module Aims
• This module will provide you with the underlying theory and practical skills required to secure networks and to send data safely and securely over network communications (including securing the most common Internet services).

Cryptography Fundamentals Topic 1 - 1.6
Module Syllabus - 1
• Cryptography Fundamentals
• Public-Key Infrastructure
• Web Security
• Email Security
• Data Protection
• Vulnerability Assessment
• Authentication

Cryptography Fundamentals Topic 1 - 1.7
Module Syllabus - 2
• Access Control
• Firewalls
• VPN
• Remote Access
• Wireless Security

Cryptography Fundamentals Topic 1 - 1.8
Module Delivery
• The teacher-led time for this module is comprised of lectures and laboratory sessions.
• Lectures are designed to start each topic.
- You will be encouraged to be active during lectures by raising questions and taking part in discussions.
• Laboratory sessions are designed to follow the respective topic lecture.
- During these sessions, you will be required to work through practical tutorials and various exercises.

Cryptography Fundamentals Topic 1 - 1.9
Private Study
• You are also expected to undertake private study to consolidate and extend your understanding.
• Exercises are provided in your Student Guide for you to complete during this time.

Cryptography Fundamentals Topic 1 - 1.10
Assessment
• This module will be assessed by:
- an examination worth 75% of the total mark
- an assignment worth 25% of the total mark

Cryptography Fundamentals Topic 1 - 1.11
Computer Security – Definition
• “The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).”
National Institute of Standards and Technology, Special Publication 800-12, (October 1995).

Cryptography Fundamentals Topic 1 - 1.12
Cryptography – Definition
• “The discipline that embodies the principles, means, and methods for the transformation of data in order to hide their semantic content, prevent their unauthorized use, or prevent their undetected modification.”
National Institute of Standards and Technology, Special Publication 800-59, (August 2003).

Cryptography Fundamentals Topic 1 - 1.13
Security Objectives
• NIST gives three objectives (FIPS 199):
- Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
- Integrity: Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.
- Availability: Ensuring timely and reliable access to and use of information.

Cryptography Fundamentals Topic 1 - 1.14
Loss of Security
• The following defines a loss of security in each objective:
- Loss of Confidentiality: Unauthorized disclosure of information.
- Loss of Integrity: Unauthorized modification or destruction of information.
- Loss of Availability: Disruption of access to or use of information or information systems.

Cryptography Fundamentals Topic 1 - 1.15
The CIA Triad
• These requirements (Confidentiality, Integrity, Availability) are commonly known as the CIA triad.
• There are many critiques that suggest that this does not provide a complete picture of security requirements.
• The two most commonly cited “extra” requirements are:
- Authenticity
- Accountability

Cryptography Fundamentals Topic 1 - 1.16
Authenticity
• Being genuine, verified and trusted.
• Confidence in the validity of:
- A transmission
- A message
- A message originator
• Verifying that users are who they say they are and that each message came from a trusted source.

Cryptography Fundamentals Topic 1 - 1.17
Accountability
• Actions of an entity can be traced uniquely to that entity.
• Supports:
- Non-repudiation
- Deterrence
- Fault isolation
- Intrusion detection and prevention
- Recovery
- Legal action

Cryptography Fundamentals Topic 1 - 1.18
OSI Security Architecture
• ITU-T Recommendation X.800, Security Architecture for OSI, provides a systematic way for:
- Defining the requirements for security
- Characterising the approaches to satisfying those requirements
• ITU-T stands for ‘International Telecommunication Union Telecommunication Standardization Sector’
• OSI stands for ‘Open Systems Interconnection’

Cryptography Fundamentals Topic 1 - 1.19
OSI Security Architecture
• The following concepts are used:
- Security attack: Any action that compromises the security of information owned by an organisation (or a person).
- Security mechanism: a mechanism that is designed to detect, prevent, or recover from a security attack.
- Security service: a service that enhances the security of the data processing systems and the information transfers of an organisation. The services make use of one or more security mechanisms to provide the service.

Cryptography Fundamentals Topic 1 - 1.20
Security Attacks
• It is useful to categorise attacks as:
- Passive attacks
- Active attacks
• Passive attacks make use of information from a system but do not affect the system resources.
• Active attacks alter system resources or affect their operation.

Cryptography Fundamentals Topic 1 - 1.21
Passive Attacks
• Release of message contents: The information in a message is read.
• Traffic analysis: message information cannot be read, but traffic patterns are analysed to glean information.

Cryptography Fundamentals Topic 1 - 1.22
Active Attacks
• Masquerade: one entity pretends to be another entity.
• Replay: passive capture of data and its retransmission to produce an unauthorized effect.
• Message modification: a message is altered to produce an unauthorized effect.
• Denial of service: preventing or hindering the use of network resources.

Cryptography Fundamentals Topic 1 - 1.23
Security Services
• A security service is a service which ensures adequate security of the systems or of data transfer.
• X.800 Recommendation divides security services into 5 categories:
- Authentication
- Access control
- Data confidentiality
- Data integrity
- Non-repudiation

Cryptography Fundamentals Topic 1 - 1.24
Security Mechanisms
• Security mechanisms are used to implement security services. They include:
- Encipherment
- Digital signature
- Access Control mechanisms
- Data Integrity mechanisms
- Authentication Exchange
- Traffic Padding
- Routing Control
- Notarisation

Cryptography Fundamentals Topic 1 - 1.25
Number Theory
• Many public-key cryptosystems use non-trivial number theory.
• The RSA public-key cryptosystem is based on the difficulty of factoring large numbers.
• We will outline the basic ideas of:
- divisors
- prime numbers
- modular arithmetic

Cryptography Fundamentals Topic 1 - 1.26
Divisors and Prime Numbers
• Divisors
- Let a and b be integers where b is not equal to 0.
- Then we say b is a divisor of a if there is an integer m such that a = mb.
• Prime numbers
- An integer p is a prime number if its only divisors are 1, -1, p, -p.

Cryptography Fundamentals Topic 1 - 1.27
GCD & Relatively Prime Numbers
• Greatest Common Divisor (gcd)
- gcd(a,b) is the greatest common divisor of a and b (the largest number that divides into both numbers).
- Examples:
• gcd(12, 15) = 3
• gcd(49, 14) = 7
• Relatively Prime Numbers
- a and b are relatively prime if gcd(a,b) = 1.
- Example: gcd(9, 14) = 1

Cryptography Fundamentals Topic 1 - 1.28
Modular Arithmetic
• If a is an integer and n is a positive integer, we define a mod n to be the remainder when a is divided by n.
- Example: 10 mod 3 = 1
• If (a mod n) = (b mod n), then a and b are congruent modulo n.
• (a mod n) = (b mod n) if n is a divisor of a - b.
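The definitions on slides 1.26 to 1.28, as an added Python example that is not part of the handout; the function names are mine, and the checks use the slides' own numbers (gcd(12, 15) = 3, gcd(49, 14) = 7, gcd(9, 14) = 1, 10 mod 3 = 1):

```python
# Added example (not from the NCC handout): divisors, primes, gcd and
# modular arithmetic as defined on slides 1.26-1.28. Function names are mine.

def is_divisor(b: int, a: int) -> bool:
    """b is a divisor of a: there is an integer m with a = m*b (b non-zero)."""
    if b == 0:
        raise ValueError("0 is never a divisor")
    return a % b == 0

def is_prime(p: int) -> bool:
    """p is prime if its only divisors are 1, -1, p and -p (trial division)."""
    p = abs(p)
    if p < 2:
        return False
    d = 2
    while d * d <= p:
        if p % d == 0:
            return False
        d += 1
    return True

def gcd(a: int, b: int) -> int:
    """Greatest common divisor by Euclid's algorithm: gcd(a, b) = gcd(b, a mod b)."""
    a, b = abs(a), abs(b)
    while b:
        a, b = b, a % b
    return a

def relatively_prime(a: int, b: int) -> bool:
    return gcd(a, b) == 1

def mod(a: int, n: int) -> int:
    """a mod n: the remainder r (0 <= r < n) when a is divided by n, n positive.
    Python's % already gives a non-negative result for a positive modulus."""
    if n <= 0:
        raise ValueError("modulus must be positive")
    return a % n

def congruent(a: int, b: int, n: int) -> bool:
    """a and b are congruent modulo n iff a mod n == b mod n; slide 1.28 also
    states this as 'n divides a - b'. Both tests are computed and compared."""
    by_remainder = mod(a, n) == mod(b, n)
    by_divisor = is_divisor(n, a - b)
    assert by_remainder == by_divisor  # the two formulations always agree
    return by_remainder

if __name__ == "__main__":
    print(gcd(12, 15), gcd(49, 14), relatively_prime(9, 14))  # 3 7 True
    print(mod(10, 3), congruent(10, 1, 3), congruent(10, 2, 3))  # 1 True False
```

Negative inputs are accepted on purpose: the slide's definition of a prime lists the divisors -1 and -p, and congruence must hold for negative a as well (for example -7 and 5 are congruent modulo 4).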

Topic 1 – Lecture 2: Overview of Cryptography

Cryptography Fundamentals Topic 1 - 1.30
Cryptography
• A collection of mathematical techniques for protecting information.
• The most important technique is encryption/decryption.
• Symmetric encryption (symmetric key encryption):
- encrypt/decrypt a message using the same key
- Key: a piece of information or sequence of bits
• Asymmetric encryption (asymmetric key encryption):
- one key used for encryption (public key), another key used for decryption (private key)

Cryptography Fundamentals Topic 1 - 1.31
Symmetric Encryption

Cryptography Fundamentals Topic 1 - 1.32
Elements of Symmetric Encryption
• Plaintext
• Encryption algorithm
• Secret key
• Ciphertext (encrypted text)
• Decryption algorithm

Cryptography Fundamentals Topic 1 - 1.33
Principle of Symmetric Encryption
• Security of symmetric encryption depends on the secrecy of the key.
• It does not depend on the secrecy of the algorithm. Why?
• It is difficult to invent new algorithms and keep them secret.
• It is relatively simple to produce keys.

Cryptography Fundamentals Topic 1 - 1.34
Requirements for Symmetric Encryption
• Strong encryption algorithm:
- The attacker should be unable to decrypt encrypted text, even if he/she knows several matching pairs of plaintext and encrypted plaintext.
• The private key must be kept secret:
- Sender and receiver must have obtained copies of the secret key (private key) in a secure way and must keep the key secure.

Cryptography Fundamentals Topic 1 - 1.35
Classifying Cryptosystems
• As well as classifying as symmetric or asymmetric, there are two other main classifications:
- Type of operations used:
• Substitutions
• Transpositions
- The way in which plaintext is processed:
• Block cipher, where a block of elements is transformed to the output block in one go.
• Stream cipher, where the input elements are processed continuously one element at a time.

Cryptography Fundamentals Topic 1 - 1.36
Substitutions
• Each element of the plaintext (bit, letter, group of bits) is mapped to another element.
Mapping: A to B, B to C, ..., Z to A
HELLO MISTER becomes IFMMP NJTUFS

Cryptography Fundamentals Topic 1 - 1.37
Transpositions
• Elements of the plaintext are re-arranged.
HELLO MISTER written in rows of three:
HEL
LO
MIS
TER
becomes HLMTEOIEL SR
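The substitution and transposition of slides 1.36 and 1.37, as an added Python example (not code from the handout); the shift-by-one mapping and the three-character row width are read off the slide examples, and each operation comes with its inverse so the round trip can be checked:

```python
# Added example (not from the NCC handout): the two classical operations of
# slides 1.36 and 1.37, written to reproduce the slides' HELLO MISTER examples.
import string

def substitute(text: str, shift: int = 1) -> str:
    """Substitution: each upper-case letter is replaced by the letter `shift`
    places later in the alphabet, wrapping round (A->B, ..., Z->A for shift 1).
    Other characters, such as the space, are left unchanged."""
    alphabet = string.ascii_uppercase
    table = str.maketrans(alphabet, alphabet[shift:] + alphabet[:shift])
    return text.translate(table)

def unsubstitute(text: str, shift: int = 1) -> str:
    return substitute(text, (-shift) % 26)

def transpose(text: str, width: int = 3) -> str:
    """Columnar transposition: write the text in rows of `width` characters,
    then read it out column by column. The space is an ordinary character, so
    it travels with its row exactly as on slide 1.37 (HEL / LO_ / MIS / TER)."""
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    return "".join(row[c] for c in range(width) for row in rows if c < len(row))

def untranspose(cipher: str, width: int = 3) -> str:
    """Inverse: the column lengths follow from the text length (the first
    `extra` columns are one character longer), so cut the ciphertext into
    columns and read it back row by row."""
    full_rows, extra = divmod(len(cipher), width)
    col_lens = [full_rows + (1 if c < extra else 0) for c in range(width)]
    cols, pos = [], 0
    for length in col_lens:
        cols.append(cipher[pos:pos + length])
        pos += length
    n_rows = full_rows + (1 if extra else 0)
    return "".join(cols[c][r] for r in range(n_rows)
                   for c in range(width) if r < len(cols[c]))

if __name__ == "__main__":
    print(substitute("HELLO MISTER"))    # IFMMP NJTUFS
    print(transpose("HELLO MISTER"))     # HLMTEOIEL SR
```

Neither operation uses a key, which is the point slide 1.38 makes next: a real cipher combines several substitutions and transpositions and drives them with a key.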

Cryptography Fundamentals Topic 1 - 1.38
Real World Encryption
• Modern algorithms have multiple stages in converting the plaintext to ciphertext.
• They usually involve multiple substitutions and transpositions.
• The encryption uses a key (unlike the simple examples on the previous slides).

Cryptography Fundamentals Topic 1 - 1.39
Cryptanalysis
• The main objective of an attacker is to recover the key rather than the plaintext.
• Relies on knowledge of the nature of the algorithm plus knowledge of the plaintext or access to some plaintext/ciphertext pairs.
• An encryption scheme is computationally secure if:
- The cost of breaking the scheme exceeds the value of the encrypted information.
- The time required to break the scheme is more than the lifetime of the information.

Cryptography Fundamentals Topic 1 - 1.40
Brute Force Attacks
• Try every possible key until the correct translation of the encrypted text into plaintext is obtained.
• The problem is the time required to do this.
• On average, an attacker must try half of all possible keys before successfully translating a ciphertext.
• For a key size of 32 bits:
- there are 2^32 (4.3 x 10^9) alternative keys
- At 1 decryption per microsecond = 35.8 minutes
- At 1 million decryptions per microsecond = 2.15 ms!!

Cryptography Fundamentals Topic 1 - 1.41
Brute Force Attacks – Increasing Key Size
• For a key size of 56 bits:
- There are 2^56 (7.2 x 10^16) alternative keys
- At 1 decryption per microsecond = 1142 yrs
- At 1 million decryptions per microsecond = 10.01 hours
• For a key size of 128 bits:
- There are 2^128 (3.4 x 10^38) alternative keys
- At 1 decryption per microsecond = 5.4 x 10^24 yrs
- At 1 million decryptions per microsecond = 5.9 x 10^30 yrs
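The arithmetic behind slides 1.40 and 1.41, as an added Python example that is not from the handout; it generalises the slide's two rates (1 and 10^6 decryptions per microsecond) to any key size and rate and, as the slide says, charges the attacker for half the key space on average:

```python
# Added example (not from the NCC handout): expected brute-force effort for a
# key of `bits` bits at a given trial rate, as on slides 1.40-1.41.
from fractions import Fraction

SECONDS_PER_YEAR = 365 * 86400  # 365-day year, as the slide's figures imply

def key_space(bits: int) -> int:
    return 2 ** bits

def average_trials(bits: int) -> int:
    """On average half the keys are tried before the right one turns up."""
    return key_space(bits) // 2

def average_seconds(bits: int, decryptions_per_us: int) -> Fraction:
    """Exact expected time: trials / (rate per microsecond * 10^6 us per second)."""
    if decryptions_per_us <= 0:
        raise ValueError("rate must be positive")
    return Fraction(average_trials(bits), decryptions_per_us * 10**6)

def describe(bits: int, decryptions_per_us: int) -> str:
    """Human-readable form in the units the slide uses (ms, minutes, hours, years)."""
    secs = average_seconds(bits, decryptions_per_us)
    if secs < 1:
        return f"{float(secs * 1000):.2f} ms"
    if secs < 3600:
        return f"{float(secs / 60):.1f} minutes"
    if secs < SECONDS_PER_YEAR:
        return f"{float(secs / 3600):.2f} hours"
    years = float(secs / SECONDS_PER_YEAR)
    return f"{years:.4g} yrs" if years > 1e6 else f"{years:.0f} yrs"

def table(sizes=(32, 56, 128), rates=(1, 10**6)) -> list:
    """(bits, key count, rate, expected time) for every combination."""
    return [(b, key_space(b), r, describe(b, r)) for b in sizes for r in rates]

if __name__ == "__main__":
    for bits, keys, rate, t in table():
        print(f"{bits:3d}-bit key: {keys:.2e} keys, {rate:>7d}/us -> {t}")
```

The 128-bit rows show why key length is the lever that matters: multiplying the attacker's speed by a million only shaves six decimal digits off a figure with dozens of them.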

Cryptography Fundamentals Topic 1 - 1.42
Block Ciphers v Stream Ciphers
• Block ciphers use algorithms to encrypt and decrypt a fixed-size block of plaintext and ciphertext, respectively, usually a multiple of 64 bits.
• Stream ciphers continuously encrypt any amount of data as it is presented, usually by mathematically combining the data with a keystream, an infinitely long key sequence that is generated based on a finite key starting value.

Cryptography Fundamentals Topic 1 - 1.43
The Feistel Cipher
• A scheme used by almost all modern block ciphers.
- The input is broken into two equal size blocks, generally called left (L) and right (R), which are then repeatedly cycled through the algorithm.
- At each cycle, a function (f) is applied to the right block and the key, and the result is XORed into the left block.
- The blocks are then swapped.
- The XORed result becomes the new right block and the unaltered right block becomes the left block.
- The process is then repeated a number of times.

Cryptography Fundamentals Topic 1 - 1.44
The Feistel Cipher
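An added toy Feistel network (not DES and not code from the handout) that follows slide 1.43 step by step; the round function and the key schedule are my own choices, made only so the structure is visible, and the cipher is not meant to be secure:

```python
# Added example (not from the NCC handout): a toy Feistel network on 8-byte
# blocks. f and the key schedule are assumptions of this example.
import hashlib

HALF = 4  # bytes per half-block; the block is 2 * HALF bytes

def round_function(right: bytes, round_key: bytes) -> bytes:
    """f(R, K). The Feistel structure never inverts f, so any function works;
    here it is SHA-256 of R || K truncated to one half-block."""
    return hashlib.sha256(right + round_key).digest()[:HALF]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def round_keys(key: bytes, rounds: int) -> list:
    """Toy key schedule: K_i = SHA-256(key || i) truncated to a half-block."""
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(rounds)]

def feistel_rounds(block: bytes, keys: list) -> list:
    """Run the cycles of slide 1.43 and return the (L, R) pair after each one:
    f is applied to R and K_i, XORed into L, then the halves are swapped, so
    the XORed result is the new R and the untouched R is the new L."""
    if len(block) != 2 * HALF:
        raise ValueError("block must be %d bytes" % (2 * HALF))
    left, right = block[:HALF], block[HALF:]
    trace = [(left, right)]
    for k in keys:
        left, right = right, xor(left, round_function(right, k))
        trace.append((left, right))
    return trace

def feistel(block: bytes, keys: list) -> bytes:
    """Full pass. The final swap is undone, which is what makes the same
    function decrypt when it is given the round keys in reverse order."""
    left, right = feistel_rounds(block, keys)[-1]
    return right + left

def feistel_encrypt(block: bytes, key: bytes, rounds: int = 8) -> bytes:
    return feistel(block, round_keys(key, rounds))

def feistel_decrypt(block: bytes, key: bytes, rounds: int = 8) -> bytes:
    return feistel(block, round_keys(key, rounds)[::-1])

if __name__ == "__main__":
    ct = feistel_encrypt(b"ABCDEFGH", b"toy key")
    print(ct.hex(), feistel_decrypt(ct, b"toy key"))
```

Because each round only XORs f's output into one half and then swaps, every round is its own inverse once the order of the keys is reversed, which is why a Feistel cipher needs no separate decryption algorithm.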

Cryptography Fundamentals Topic 1 - 1.45
Data Encryption Standard (DES)
• A standardized encryption algorithm approved by the U.S. government in 1977.
• It uses a 56-bit key, which is sometimes stored with additional parity bits, extending its length to 64 bits.
• DES is a block cipher and encrypts and decrypts 64-bit data blocks.
• It is now considered insecure.
• In 1998, a cracker could crack the key in 3 days.

Cryptography Fundamentals Topic 1 - 1.46
Advanced Encryption Standard (AES)
• AES replaced DES.
• A fast block cipher, with variable key length and block sizes (each can be independently set to 128, 192 or 256 bits).
• An official U.S. government standard since 2002.
• Now widely used for commercial and private encryption purposes.
• The algorithm is public, and its use is unrestricted, with no royalties or license fees owed to the inventors or the government.

Cryptography Fundamentals Topic 1 - 1.47
AES
• Design uses the theory of finite fields, a branch of algebra.
• Every block of 128 bits is presented as a 4 by 4 array of bytes.
• Every round except start and end has 4 steps:
- Substitution
- Shift Rows
- Mix Columns
- Add Round Key

Cryptography Fundamentals Topic 1 - 1.48
AES – The Algorithm - 1
• KeyExpansion - round keys are derived from the cipher key
• Initial Round
- AddRoundKey - each byte of the state is combined with the round key using bitwise XOR.

Cryptography Fundamentals Topic 1 - 1.49
AES – The Algorithm - 2
• Rounds
- SubBytes - a non-linear substitution step where each byte is replaced with another according to a lookup table.
- ShiftRows - a transposition step where each row of the state is shifted cyclically a certain number of steps.
- MixColumns - a mixing operation which operates on the columns of the state, combining the four bytes in each column.
- AddRoundKey

Cryptography Fundamentals Topic 1 - 1.50
AES – The Algorithm - 3
• Final Round (no MixColumns)
- SubBytes
- ShiftRows
- AddRoundKey

Cryptography Fundamentals Topic 1 - 1.51
AES – SubBytes
• Each byte is replaced with another based on a lookup table

Cryptography Fundamentals Topic 1 - 1.52
AES – ShiftRows
• A transposition step where each row of the state is shifted cyclically a certain number of steps

Cryptography Fundamentals Topic 1 - 1.53
AES – MixColumns
• A mixing operation which operates on the columns of the state, combining the four bytes in each column

Cryptography Fundamentals Topic 1 - 1.54
AES – AddRoundKey
• Each byte of the state is combined with the round key using bitwise XOR

Topic 1 – Lecture 3: Asymmetric Algorithms

Cryptography Fundamentals Topic 1 - 1.56
Public Key Cryptography - 1
• Uses asymmetric key algorithms.
• The key used to encrypt a message is not the same as the key used to decrypt it.
• Each user has a pair of cryptographic keys:
- a public encryption key, publicly available and widely distributed.
- a private decryption key, known only to the recipient.

Cryptography Fundamentals Topic 1 - 1.57
Public Key Cryptography - 2
• Messages are encrypted with the recipient's public key and can only be decrypted with the corresponding private key.
• The keys are related mathematically.
• Parameters are chosen so that determining the private key from the public key is prohibitively expensive.

Cryptography Fundamentals Topic 1 - 1.58
Public Key Cryptography – The Steps
1. Each user generates a pair of keys to be used for encryption/decryption.
2. Each user places one of the keys (the public key) in a public register – each user maintains a collection of public keys obtained from others.
3. If Bob sends a message to Alice, he encrypts it using Alice’s public key.
4. Alice decrypts it using her private key that no-one else has access to.

Cryptography Fundamentals Topic 1 - 1.59
Public Key Cryptography - Analogy
• An analogy to public-key encryption is that of a locked mailbox for an office.
- The mail slot is exposed and accessible to the public.
- Its location (the street address) is like the public key.
- Anyone knowing the street address can go to the door and drop a written message through the slot.
- Only the person who possesses the key can open the mailbox and read the message.

Cryptography Fundamentals Topic 1 - 1.60
Public Key Cryptography

Cryptography Fundamentals Topic 1 - 1.61
Public Key Cryptography - Applications
• Encryption/decryption: the sender encrypts a message with the recipient’s public key.
• Digital signature (authentication): the sender “signs” the message with its private key; a receiver can verify the identity of the sender using the sender’s public key.
• Key exchange: both sender and receiver cooperate to exchange a (session) key.

Cryptography Fundamentals Topic 1 - 1.62
The RSA Algorithm
• Stands for Rivest, Shamir and Adleman, who first publicly described it.
• The RSA algorithm involves three steps:
- key generation
- encryption
- decryption

Cryptography Fundamentals Topic 1 - 1.63
RSA – Key Generation - 1
1. Choose two distinct prime numbers p and q.
- p and q should be chosen at random, and should be of similar bit-length.
2. Compute n = pq.
- n is used as the modulus for both the public and private keys.
3. Compute φ(n) = (p – 1)(q – 1).
4. Choose an integer e such that 1 < e < φ(n) and gcd(e, φ(n)) = 1, i.e. e and φ(n) are coprime.
- e is released as the public key exponent.

Cryptography Fundamentals Topic 1 - 1.64
RSA – Key Generation - 2
5. Determine d = e^(-1) mod φ(n); i.e. d is the multiplicative inverse of e mod φ(n).
- This is more clearly stated as: solve for d given (d*e) mod φ(n) = 1. d is kept as the private key exponent.
• The public key consists of the modulus n and the public (or encryption) exponent e. The private key consists of the private (or decryption) exponent d, which must be kept secret.

Cryptography Fundamentals Topic 1 - 1.65
RSA Encryption
• Alice transmits her public key (n, e) to Bob and keeps the private key secret. Bob then wishes to send message M to Alice.
• He first turns M into an integer m, such that 0 < m < n, by using an agreed-upon reversible protocol known as a padding scheme.
• He then computes the ciphertext c corresponding to c = m^e (mod n). Bob then transmits c to Alice.
• Note that at least nine values of m will yield a ciphertext c equal to m, but this is very unlikely to occur in practice.

Cryptography Fundamentals Topic 1 - 1.66
RSA Decryption
• Alice can recover m from c by using her private key exponent d via computing m = c^d (mod n).
• Given m, she can recover the original message M by reversing the padding scheme.
• A simplified example of the whole process is given in the laboratory exercises.

Cryptography Fundamentals Topic 1 - 1.67
RSA Security
• Relies upon the complexity of the factoring problem.
• Nobody knows how to factor big numbers in a reasonable time.
• However, nobody has shown that fast factoring is impossible!

Cryptography Fundamentals Topic 1 - 1.68
Hash Functions
• A hash function is a mathematical function that converts a large, possibly variably-sized amount of data into a small datum.
• Hashing is a method of binding the file contents together to ensure integrity.
- Like using sealing wax on an envelope.
- Only by breaking the seal can the contents be accessed, and any tampering is readily apparent.

Cryptography Fundamentals Topic 1 - 1.69
Hash Function Requirements
• To be suitable for message authentication, a hash function H should have the following properties:
- H can be applied to a block of data of any size
- H produces a fixed-length output
- H(x) is easy to compute for any given x
- For any value h it is very difficult (infeasible) to compute x such that H(x) = h
- For any given x, it is very difficult (infeasible) to find y (not equal to x) such that H(x) = H(y)
- It is very difficult (infeasible) to find any pair (x, y) such that H(x) = H(y)

Cryptography Fundamentals Topic 1 - 1.70
One-Way Hash Functions
• A method for message authentication is to use one-way hash functions.
• “One-way” in the name refers to the property of such functions:
- they are easy to compute
- but their reverse functions are very difficult to compute

Cryptography Fundamentals Topic 1 - 1.71
The SHA-1 Secure Hash Algorithm
• Takes as input a message with a maximum length less than 2^64 bits and produces as output a 160-bit message digest.
• The input is processed in 512-bit blocks.
• Each bit of the output is computed using all bits of the input.

Cryptography Fundamentals Topic 1 - 1.72
SHA-1 Examples
• SHA1("The quick brown fox jumps over the lazy dog") = 2fd4e1c6 7a2d28fc ed849ee1 bb76e739 1b93eb12
• A small change in the message will, with overwhelming probability, result in a completely different hash.
• SHA1("The quick brown fox jumps over the lazy cog") = de9f2c7f d25e1b3a fad3e85a 0bd17d9b 100db4b3
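An added Python example (not from the handout) that recomputes the two digests on slide 1.72 with the standard library, counts how many of the 160 output bits differ between the "dog" and "cog" messages, and uses a digest as the sealing wax of slide 1.68:

```python
# Added example (not from the NCC handout): SHA-1 via hashlib, the avalanche
# effect between two near-identical messages, and a digest as integrity seal.
import hashlib
import hmac

def sha1_hex(message: str, grouped: bool = False) -> str:
    """SHA-1 of a UTF-8 string; grouped=True gives the slide's 8-digit groups."""
    digest = hashlib.sha1(message.encode("utf-8")).hexdigest()
    if grouped:
        return " ".join(digest[i:i + 8] for i in range(0, 40, 8))
    return digest

def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two hex digests of the same length."""
    if len(hex_a) != len(hex_b):
        raise ValueError("digests differ in length")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def seal(contents: bytes) -> bytes:
    """The 'sealing wax': a digest stored alongside the data."""
    return hashlib.sha1(contents).digest()

def seal_intact(contents: bytes, stored_seal: bytes) -> bool:
    """Recompute and compare (constant-time); any change to the contents
    changes the digest, so the tampering is readily apparent."""
    return hmac.compare_digest(hashlib.sha1(contents).digest(), stored_seal)

if __name__ == "__main__":
    dog = "The quick brown fox jumps over the lazy dog"
    cog = "The quick brown fox jumps over the lazy cog"
    print(sha1_hex(dog, grouped=True))
    print(sha1_hex(cog, grouped=True))
    print(differing_bits(sha1_hex(dog), sha1_hex(cog)), "of 160 bits differ")
    doc = b"constructed sample document"
    wax = seal(doc)
    print(seal_intact(doc, wax), seal_intact(doc + b".", wax))  # True False
```

Two practical points: a bare digest only detects change if the stored digest itself is out of the tamperer's reach (otherwise both can be replaced together), and SHA-1 appears here because the slide uses it; it is no longer considered collision-resistant, so new designs use SHA-2 or SHA-3 for the same role.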

Cryptography Fundamentals Topic 1 - 1.73
References
• NIST (Feb. 2004). Standards for Security Categorization of Federal Information and Information Systems. FIPS 199. [Available Online] http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
• Stallings, W. (2010). Cryptography and Network Security: Principles and Practice. Pearson Education.

Cryptography Fundamentals Topic 1 - 1.74
Topic 1 – Cryptography Fundamentals
Any Questions?

Topic 12 – Wireless Security Network Security and Cryptography

V1.0 Visuals Handout – Page 1

Network Security and Cryptography
Topic 12: Wireless Security

Topic 11 – Lecture 1: Introduction to Wireless Security & WEP

Wireless Security Topic 12 - 12.3
Scope and Coverage
This topic will cover:
• Security issues specific to wireless networks
• Wireless security (WEP, WPA, WPA2)
• Secure network architectures for wireless deployments

Page 27: NCC Network Security Handout

Topic 12 – Wireless Security Network Security and Cryptography

V1.0 Visuals Handout – Page 2

Wireless Security Topic 12 - 12.4

Learning Outcomes

By the end of this topic students will be able to:• Explain the vulnerabilities inherent in wireless

networks

• Deploy a secure network architecture for wireless

© NCC Education LimitedV1.0

Deploy a secure network architecture for wireless access

• Configure Access Control Lists

• Encrypt and protect the wireless link

Wireless Security Topic 12 - 12.5
Wireless Networks
• A wireless network typically has a number of wireless-enabled devices connecting to an access point
• Each access point connects to a wider network
- In a home wireless network this wider network may be the Internet
- In a business network this wider network is typically a LAN
• Wireless networks are less secure than wired

Wireless Security Topic 12 - 12.6
WLAN


Wireless Security Topic 12 - 12.7
Wireless Network Security
• Essentially a broadcast network between access point and devices
• Boundary of network is limited by signal strength
• Signal can usually be received outside of the building in which the network is based
• Access to network must be restricted
• Transmissions must be encrypted

Wireless Security Topic 12 - 12.8
General Security Options
• In closed networks (home or an organisation) restrictions are put in place on access to the access point
• In open, public networks there are no access restrictions, so the network is isolated from all networks that need a level of security
• End-to-end encryption may be used for secure traffic in wireless networks that are mixed

Wireless Security Topic 12 - 12.9
WLAN Access Control
• In 1997, the IEEE approved the IEEE 802.11 WLAN standard
• Access may be controlled via access to the access point (AP)
• Only authorised devices can connect to the AP
• One way: Media Access Control (MAC) address filtering


Wireless Security Topic 12 - 12.10
MAC Address Filtering
• Usually implemented as a list of permitted addresses rather than a list of blocked ones

Wireless Security Topic 12 - 12.11
Wired Equivalent Privacy (WEP)
• Original security component of 802.11
• Aim: only authorized parties can view transmitted wireless information
• Uses encryption to protect traffic
• Designed as an efficient and reasonably strong security mechanism
• Has numerous security flaws and has been superseded by Wi-Fi Protected Access (WPA)

Wireless Security Topic 12 - 12.12
WEP Encryption
• Uses the RC4 stream cipher for confidentiality
• Uses the CRC-32 checksum for integrity
• Secret keys can be 64 or 128 bits long
- Some vendors do supply a 256-bit key version
• Can hold up to four shared secret keys
- One key is designated as the default key
• Key size is one of the security limitations in WEP


Wireless Security Topic 12 - 12.13
WEP Encryption Keys
• A 64-bit WEP key has a 40-bit key (10 hexadecimal characters) plus a 24-bit initialisation vector (IV)
• A 128-bit WEP key has a 104-bit key (26 hexadecimal characters) plus a 24-bit IV
• An IV is a continuously changing value used in combination with a secret key to encrypt data
- Prevents sequences of identical text from producing the same exact ciphertext when encrypted

Wireless Security Topic 12 - 12.14
Open System Authentication
• Client device, e.g. laptop, does not provide any authentication to the Access Point
- Any wireless-enabled device within range can authenticate with the Access Point
• The effect is that no real authentication occurs
• WEP encryption keys are used for encrypting data frames on the wireless network
• The client must have the correct keys at this point

Wireless Security Topic 12 - 12.15
Shared Key Authentication
• A five-step handshake process:
1. Authentication request from client to Access Point
2. Access Point replies with a clear-text challenge
3. Client encrypts the challenge text using the WEP key
4. Client sends the encrypted text back in another authentication request
5. AP decrypts the response – if it matches the challenge text, AP sends a positive reply


Wireless Security Topic 12 - 12.16
Shared Key Authentication
• After authentication the WEP key is used for encryption using RC4
• Shared Key authentication is less secure than Open System authentication
• The key used for the handshake can be derived by capturing the challenge frames
• Both authentication mechanisms are weak

Wireless Security Topic 12 - 12.17
WEP Weaknesses
• The 24-bit IV is too short and repeats after some time
- There is a 50% probability that the same IV will repeat after 5000 packets
• Packets can be replayed so that the access point broadcasts IVs
• With the right equipment, WEP can be cracked in a few minutes at most
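The IV-repeat figure on this slide can be checked with the birthday problem. The following is an added example, not part of the handout: it computes the exact and approximate probability that a 24-bit IV repeats after a given number of frames, and compares it with the 48-bit packet number used by CCMP; random IV selection is assumed.

```python
# Added example (not from the handout): birthday-collision probability for a
# WEP-style 24-bit IV, to check the slide's "50% after about 5000 packets"
# figure and to compare it with a 48-bit packet-number space.
import math


def collision_probability(n_frames: int, iv_bits: int) -> float:
    """Probability that at least one IV value repeats among n_frames IVs drawn
    uniformly at random from a space of 2**iv_bits values.

    WEP sends the 24-bit IV in the clear and prepends it to the fixed secret
    key to form the RC4 key, so a repeated IV means a repeated keystream.
    Random selection is modelled here; a counter that restarts from zero on
    every power cycle repeats sooner still.
    """
    space = 2 ** iv_bits
    if n_frames > space:
        return 1.0  # pigeonhole principle: a repeat is certain
    if n_frames > 1_000_000:
        # the exact product is slow for huge n; the approximation is ample
        return approx_collision_probability(n_frames, iv_bits)
    # P(no repeat) = prod_{i=0}^{n-1} (space - i) / space, done in log space
    log_no_repeat = sum(math.log1p(-i / space) for i in range(n_frames))
    return 1.0 - math.exp(log_no_repeat)


def approx_collision_probability(n_frames: int, iv_bits: int) -> float:
    """Standard birthday approximation 1 - exp(-n(n-1) / (2 * space))."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-n_frames * (n_frames - 1) / (2 * space))


def frames_for_probability(p: float, iv_bits: int) -> int:
    """Smallest frame count at which a repeat has probability about p,
    from inverting the approximation: n = sqrt(2 * space * ln(1 / (1 - p)))."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - p))))


def iv_report() -> dict:
    """WEP's 24-bit IV next to CCMP's 48-bit packet number (modelled as if it
    were chosen at random; in CCMP it is in fact a per-key counter)."""
    return {
        "wep_p_repeat_after_5000": collision_probability(5000, 24),
        "wep_frames_for_50pct": frames_for_probability(0.5, 24),
        "ccmp_p_repeat_after_5000": collision_probability(5000, 48),
        "ccmp_frames_for_50pct": frames_for_probability(0.5, 48),
    }


if __name__ == "__main__":
    for name, value in iv_report().items():
        print(f"{name}: {value:.6g}")
```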

Network Security and Cryptography
Topic 12 – Lecture 2: WPA, WPA2 and Wireless Architecture


Wireless Security Topic 12 - 12.19
Wi-Fi Protected Access (WPA)
• Aim: to protect present and future wireless devices
- Authentication
- Encryption
• Developed in response to the weaknesses in WEP
• WPA implements most of the IEEE 802.11i standard
• WPA2 is fully compliant with the IEEE 802.11i standard
- This has been incorporated into IEEE 802.11-2007

Wireless Security Topic 12 - 12.20
IEEE 802.11i
• Implemented as WPA2
• Uses Counter Mode with Cipher Block Chaining Message Authentication Code Protocol, also known as CCM mode Protocol (CCMP)
- AES-based block cipher
- Replacing the RC4 stream cipher of WEP
• Has been mandatory for Wi-Fi certified devices since 2006

Wireless Security Topic 12 - 12.21
CCMP
• More secure than the protocols in WEP & WPA
• Uses a 128-bit key
• Uses a 128-bit block size
• Provides:
- Data confidentiality – only authorized parties have access
- Authentication – proves user identity
- Access control – in conjunction with layer management


Wireless Security Topic 12 - 12.22
Pre-shared Key (PSK) Mode
• Also known as Personal mode
• Used for home and small office networks
- No advanced server capabilities
• Does not require an authentication server
• Wireless network client devices authenticate directly with the access point
• They all use the same 256-bit key
• Keys are automatically changed and authenticated after a set period of time

Wireless Security Topic 12 - 12.23
PSK Mode Weaknesses
• Keys sent via e-mail or other insecure methods
• Changing the PSK key is awkward:
- Must type new key on every wireless device
- Must type new key on all access points
• In order to allow a guest user to have access to a network the key must be given to that guest
• PSK is a 64-bit hexadecimal number generated from a passphrase
- Passphrase could be open to dictionary attack
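How the PSK is generated from the passphrase, as an added example that is not part of the handout: the derivation (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds, 256-bit output) is the one IEEE 802.11i specifies, and the passphrase-strength estimate and its 80-bit threshold are my own simplification, included to show why the passphrase, not the 256-bit PSK, is what a dictionary attack targets.

```python
# Added example (not from the handout): deriving a WPA/WPA2-PSK from a
# passphrase as IEEE 802.11i specifies, plus a rough strength estimate.
import hashlib
import math
import string


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096 rounds, 32 bytes).

    The SSID is broadcast, so it acts as a salt, not a secret: anyone can
    recompute the PSK for any passphrase guess.  The 64-hex-digit PSK some
    tools let you enter directly is just this output in hex.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    if not all(0x20 <= ord(c) <= 0x7E for c in passphrase):
        raise ValueError("WPA passphrases are printable ASCII only")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def passphrase_entropy_bits(passphrase: str) -> float:
    """Crude upper bound: length * log2(size of the character classes used).

    A dictionary word scores far lower in reality than this bound suggests;
    the estimate only flags the obviously weak cases, which is what a review
    of a PSK deployment needs."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),
    ]
    alphabet = sum(
        size for chars, size in classes if any(c in chars for c in passphrase)
    )
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


def psk_summary(passphrase: str, ssid: str) -> dict:
    """Derived key plus a strength verdict; the 80-bit bar is an assumption."""
    bits = passphrase_entropy_bits(passphrase)
    return {
        "psk_hex": derive_psk(passphrase, ssid).hex(),
        "passphrase_bits": round(bits, 1),
        "strong_enough": bits >= 80,
    }


if __name__ == "__main__":
    # "password"/"IEEE" is the test vector published with the standard.
    print(psk_summary("password", "IEEE"))
```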

Wireless Security Topic 12 - 12.24
Enterprise Mode
• Designed for enterprise networks
• Provides authentication using IEEE 802.1X and Extensible Authentication Protocol (EAP)
• Requires a Remote Authentication Dial In User Service (RADIUS) authentication server or similar
• More complex but provides additional security
- For example against dictionary attacks


Wireless Security Topic 12 - 12.25
IEEE 802.1X
• IEEE Standard for Port-based Network Access Control (PNAC)
• Requires three parties:
- a supplicant – the client device wishing to connect
- an authenticator – the access point
- an authentication server – a host running software that supports RADIUS and EAP
• Client device only has access through the authenticator when validated and authorized

Wireless Security Topic 12 - 12.26
EAP
• The authentication framework utilised by wireless networks
• Supplies functions and negotiation of authentication methods
- Called EAP methods
• Provides a secure authentication mechanism
• Negotiates a secure private key between authenticator and client

Wireless Security Topic 12 - 12.27
IEEE 802.1X Authentication
• Initialisation – when a new supplicant is detected, the port on the authenticator is enabled and set to the unauthorised state
• Initiation
- Authenticator transmits EAP-Request Identity frames
- Supplicant listens and responds with an EAP-Response Identity frame containing an identifier, e.g. user ID
- Authenticator then encapsulates this in a RADIUS Access-Request packet and sends it to the authentication server


Wireless Security Topic 12 - 12.28
IEEE 802.1X Authentication
• Negotiation
- Authentication server replies to the authenticator with an EAP Request specifying the EAP Method
- Authenticator encapsulates the EAP Request and transmits it to the supplicant
• Authentication
- If the EAP Method is agreed, EAP Requests and Responses are sent between supplicant and authentication server until the server responds with an EAP-Success message
- Authenticator sets the port to the authorised state and traffic is allowed

Wireless Security Topic 12 - 12.29
RADIUS
• Protocol providing a centralised Authentication, Authorization, and Accounting (AAA) service
• Management for the authorisation of computers wishing to connect to a network
• Client/server protocol
• Runs in the application layer of the OSI model
• Uses UDP for transport
- Assigned UDP ports 1812 for RADIUS Authentication and 1813 for RADIUS Accounting

Wireless Security Topic 12 - 12.30
RADIUS Functions
• A RADIUS Server has three main functions:
- Authenticating users and/or devices and providing permission for them to access the network
- Authorising users and/or devices for specific services on the network
- Accounting for usage of network services
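The 802.1X exchange of slides 12.25 to 12.30, simulated as an added example that is not part of the handout: supplicant, authenticator and RADIUS server are plain Python objects, the EAP method is a toy HMAC challenge-response standing in for a real method such as EAP-TLS, and the credential store is constructed; only the message flow, the controlled-port state machine and the EAP/RADIUS code numbers come from the standards (RFC 3748, RFC 2865).

```python
# Added example (not from the handout): IEEE 802.1X port-based access control
# with EAP relayed over RADIUS.  Toy EAP method, constructed credentials.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# EAP codes and types (RFC 3748); type 255 is reserved for experimental use
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_TOY_CHALLENGE = 1, 255
# RADIUS codes (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11


@dataclass
class Eap:
    code: int
    eap_type: Optional[int] = None
    data: bytes = b""


class Supplicant:
    """Client device: answers EAP-Requests; never talks to the server directly."""

    def __init__(self, identity: str, secret: bytes):
        self.identity, self.secret = identity, secret

    def respond(self, request: Eap) -> Eap:
        if request.eap_type == EAP_TYPE_IDENTITY:
            return Eap(EAP_RESPONSE, EAP_TYPE_IDENTITY, self.identity.encode())
        # toy method: prove knowledge of the secret by HMACing the challenge
        mac = hmac.new(self.secret, request.data, hashlib.sha256).digest()
        return Eap(EAP_RESPONSE, EAP_TYPE_TOY_CHALLENGE, mac)


class AuthServer:
    """RADIUS server: owns the credential store and decides accept or reject."""

    def __init__(self, credentials: Dict[str, bytes]):
        self.credentials = credentials
        # per-session (identity, challenge), like the RADIUS State attribute
        self.sessions: Dict[str, Tuple[str, bytes]] = {}

    def handle(self, session: str, eap: Eap) -> Tuple[int, Eap]:
        """Process the EAP message carried in an Access-Request."""
        if eap.eap_type == EAP_TYPE_IDENTITY:
            challenge = secrets.token_bytes(16)
            self.sessions[session] = (eap.data.decode(), challenge)
            # Access-Challenge carrying the EAP-Request that selects the method
            return ACCESS_CHALLENGE, Eap(EAP_REQUEST, EAP_TYPE_TOY_CHALLENGE, challenge)
        identity, challenge = self.sessions.pop(session, (None, None))
        secret = self.credentials.get(identity)
        if secret is not None and eap.eap_type == EAP_TYPE_TOY_CHALLENGE:
            expected = hmac.new(secret, challenge, hashlib.sha256).digest()
            if hmac.compare_digest(expected, eap.data):
                return ACCESS_ACCEPT, Eap(EAP_SUCCESS)
        return ACCESS_REJECT, Eap(EAP_FAILURE)


class Authenticator:
    """Access point: relays EAP between supplicant and server.  Its controlled
    port passes traffic only after the server's EAP-Success."""

    def __init__(self, server: AuthServer):
        self.server = server
        self.authorized: Dict[str, bool] = {}

    def authenticate(self, session: str, supplicant: Supplicant) -> bool:
        self.authorized[session] = False  # initialisation: port unauthorised
        eap = supplicant.respond(Eap(EAP_REQUEST, EAP_TYPE_IDENTITY))  # initiation
        for _ in range(8):  # negotiation and authentication rounds
            code, eap = self.server.handle(session, eap)  # Access-Request
            if code == ACCESS_ACCEPT and eap.code == EAP_SUCCESS:
                self.authorized[session] = True  # port set to authorised
                return True
            if code != ACCESS_CHALLENGE:
                return False  # Access-Reject: port stays unauthorised
            eap = supplicant.respond(eap)  # relay the EAP-Request to the client
        return False  # too many round trips: give up

    def forward(self, session: str, frame: bytes) -> bool:
        """Data frames from an unauthorised port are dropped."""
        return self.authorized.get(session, False)


def demo() -> Tuple[bool, bool]:
    """Constructed run: a correct secret succeeds, a wrong one is rejected."""
    server = AuthServer({"alice": b"constructed-secret"})
    ap = Authenticator(server)
    good = ap.authenticate("00:11:22:33:44:55", Supplicant("alice", b"constructed-secret"))
    bad = ap.authenticate("66:77:88:99:aa:bb", Supplicant("alice", b"wrong-secret"))
    return good, bad


if __name__ == "__main__":
    print(demo())
```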


Wireless Security Topic 12 - 12.31
WPA2 Session Keys
• WPA2 creates a new session key with every association
• The encryption key for each client is unique and specific to that client
• Every packet is encrypted with a unique key
• Never reusing keys is good security practice

Wireless Security Topic 12 - 12.32
Wireless Network Architecture
• When planning a wireless network you need to determine which WLAN architecture to adopt
• Architecture comes in two main categories:
- Standalone access points
- Centrally coordinated access points
• Both have benefits
• Suited to different environments

Wireless Security Topic 12 - 12.33
Standalone Access Points
• Functionality of each access point enables wireless services, authentication and security
- All access points operate independently
- Encryption/decryption at the access point
- Each access point has its own configuration file
- Large networks rely on a management application
- Network configuration is static and does not respond to changing network conditions


Wireless Security Topic 12 - 12.34
Standalone Access Points
• Well suited in environments where:
- There is a small isolated wireless coverage area requiring only a few access points
- There is a need for wireless bridging from a main building to another building
• The operational overhead to manage and maintain a wireless network increases with the size of the network

Wireless Security Topic 12 - 12.35
Co-ordinated Access Points
• Has “thin” access points
• Centralized controller handles:
- Roaming
- Authentication
- Encryption/decryption
- Load balancing
- RF monitoring
- Performance monitoring
- Location services

Wireless Security Topic 12 - 12.36
Co-ordinated Access Points
• Configuration is done at the controller
• Adding additional APs is simple, just plug in to the network
• Redundancy can be provided through extra redundant controllers
- Become active if there are problems with a neighbouring AP


Wireless Security Topic 12 - 12.37
Co-ordinated Access Points
• Ideal where:
- There are large wireless coverage areas
  • requiring multiple radio ports
  • perhaps alongside smaller isolated coverage areas
- Network self-healing is required
- Redundancy is required

Wireless Security Topic 12 - 12.38
Benefits of Co-ordinated APs
• Lower operational costs
• Ease of deployment and management
• Greater availability
• Easier to respond to changes in the network performance
• Better return on investment
• Fast client roaming
• Better Quality-of-Service


Network Security and Cryptography
Topic 2: PKI

Topic 2 – Lecture 1: The Public Key Infrastructure

PKI Topic 2 - 2.3
Scope and Coverage
This topic will cover:
• The Public Key Infrastructure
• Digital Signatures
• Certification Authorities
• Digital Certificates


PKI Topic 2 - 2.4
Learning Outcomes
By the end of this topic students will be able to:
• Describe the Public Key Infrastructure
• Explain digital signatures
• Explain the role of Certification Authorities

PKI Topic 2 - 2.5
Overview
• This topic provides an overview of the key terms and concepts used in a PKI, including:
- Encryption
- Public keys
- Private keys
- Digital signatures
- Digital certificates

PKI Topic 2 - 2.6
What is PKI?
• Public Key Infrastructure (PKI) is a security architecture that has been introduced to provide an increased level of confidence for exchanging information over the Internet.
• It is defined in 2 ways:
- The method, technology and technique used to create a secure data infrastructure.
- The use of the public and private key pair to authenticate and for proof of content.


PKI Topic 2 - 2.7
Benefits of PKI
• PKI aims to offer its users the following benefits:
- Certainty regarding the quality of information transmitted electronically
- Certainty of the source and destination of such information
- Assurance of the time and timing of such information
- Certainty of the privacy of such information
- Assurance that such information may be used as evidence in a court of law

PKI Topic 2 - 2.8
Use of PKI
• To support secure information exchange over insecure networks.
- e.g. the Internet, where such features cannot be provided easily
• For information exchange over private networks.
- e.g. an organisation’s internal network
• To securely deliver cryptographic keys.
• To facilitate other cryptographically delivered security services.

PKI Topic 2 - 2.9
How Does PKI Work?
• PKI uses a mathematical technique called public key cryptography.
• A pair of related cryptographic keys is used.
• Verifies the identity of the sender (through signing)
• Ensures privacy (through encryption of data)


PKI Topic 2 - 2.10
Public Key Cryptography
• Uses a pair of mathematically related cryptographic keys.
• One key is used to encrypt information.
• Only the related key can decrypt that information.
• Knowledge of one key does not allow you to calculate the other.
- Or it is extremely difficult

PKI Topic 2 - 2.11
Public Keys and Private Keys
• The public key is made public - it is freely distributed and can be seen by all users.
• A corresponding (and unique) private key is kept secret and is not shared amongst users.
• Your private key enables you to prove that you are who you claim to be.

PKI Topic 2 - 2.12
Asymmetric v Symmetric
Asymmetric
• Two keys, one each for encrypting and decrypting
• Can identify sender or recipient based on encryption/decryption using the private key, which is known to one entity in the communication
Symmetric
• Same key for encrypting and decrypting
• Cannot be used to identify sender or recipient as all parties involved know the same key


PKI Topic 2 - 2.13
Public Key Encryption
• When a person wants to send confidential data to a private key holder:
- They encrypt the data.
  • The data is encrypted using a secret key algorithm (symmetric cryptography), which is much faster than asymmetric cryptography.
- A random session key is generated using a symmetric algorithm to encrypt the data.
- The public key is then used to encrypt that key and both are sent securely to the recipient.

PKI Topic 2 - 2.14
Private Key Decryption
• When a private key holder receives confidential data:
- If the private key can decrypt the data, the user is certain that the data is meant for him/her but cannot identify the originator.
- The private key decrypts the session key.
- The decrypted session key is used to decrypt the actual data.
• This is more secure as the session key has to be decrypted first in order to proceed to the next process of decrypting the data.

PKI Topic 2 - 2.15
Digital Signature
• A digital signature is a unique, encrypted numerical value.
• It differs each time it is generated and is used to prove the ownership or copyright of data.
• A hashing algorithm is performed on the document to be signed, producing a unique numerical value.
- This is why it differs each time it is generated
• This is then encrypted using a private cryptographic key, which links the result to the document.


PKI Topic 2 - 2.16
Using a Private Key for Signature
• To prove you are the source of data, use a private key to digitally sign it.
• The encrypted value is sent either at the end of the data or as a separate file with the message.
• The corresponding public key may also be sent either on its own or as a certificate.
• This does not provide anonymity, as anyone receiving the protected or digitally signed data can easily check the signature, read and process the data.

PKI Topic 2 - 2.17
Using a Public Key for Signature - 1
The message receiver can use the correct public key to verify the digital signature as follows:
1. The correct public key is used by the receiver to decrypt the hash value which was calculated by the sender for the data.
2. Then, using the hashing algorithm, the hash value of the data received is calculated.

PKI Topic 2 - 2.18
Using a Public Key for Signature - 2
3. The newly calculated hash value is compared to the hash value calculated by the sender. If the two values are the same, the receiver knows that the data was sent originally by the owner of the private key and the data has not been edited since it was signed.
4. If a public key certificate was sent together with the data, it is then validated with the Certificate Authority (CA) that issued the certificate.


PKI Topic 2 - 2.19
Receiving a Document
• You receive a document via email.
• This was digitally signed by the sender by calculating a hash value for the document and encrypting it with their private key.
• You calculate a hash value for the same document and decrypt the encrypted hash value.
- If both values are the same, this verifies the sender and that the document has not been edited.
- If the two values don't match, then the document has been edited or the sender is not who they claim to be.
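The sign-then-verify procedure of slides 2.15 to 2.19 carried out in code, as an added example that is not part of the handout: SHA-256 is real, but the "encrypt the hash with the private key" step uses a textbook RSA toy built on two fixed, publicly known Mersenne primes, unpadded and trivially factorable, chosen only so the steps are visible without a third-party library.

```python
# Added example (not from the handout): hash, sign with the private key,
# verify with the public key, and see tampering or a wrong signer detected.
# Toy RSA on constructed key material; not for real use.
import hashlib
from typing import Tuple

Key = Tuple[int, int]  # (exponent, modulus)


def toy_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Return (public, private) for the constructed primes p and q.
    The modulus must exceed 2**256 so a SHA-256 value fits without reduction."""
    n = p * q
    if n < 1 << 256:
        raise ValueError("toy modulus too small for a 256-bit hash")
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (e, n), (d, n)


def document_hash(data: bytes) -> int:
    """Slide 2.15: the hashing step that makes the signature document-specific."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, private: Key) -> int:
    """Slide 2.15: hash the document, then transform the hash with the private
    key (raw RSA here; real schemes add padding such as PSS)."""
    d, n = private
    return pow(document_hash(data), d, n)


def verify(data: bytes, signature: int, public: Key) -> bool:
    """Slides 2.17-2.18: recover the sender's hash with the public key (step 1),
    hash the received data (step 2), compare (step 3).  A changed document or
    a different signer's key both make the comparison fail."""
    e, n = public
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == document_hash(data)


# Constructed, insecure key material: Mersenne primes 2**521-1 and 2**607-1.
SENDER_PUBLIC, SENDER_PRIVATE = toy_keypair((1 << 521) - 1, (1 << 607) - 1)


def receive_document(document: bytes, signature: int, sender_public: Key) -> str:
    """Slide 2.19 as a function: what the receiver of an e-mailed document concludes."""
    if verify(document, signature, sender_public):
        return "verified: signed by the private key holder and unmodified"
    return "rejected: document edited or not signed by the claimed sender"


if __name__ == "__main__":
    doc = b"Constructed sample document: approve purchase order 1234"
    sig = sign(doc, SENDER_PRIVATE)
    print(receive_document(doc, sig, SENDER_PUBLIC))
    print(receive_document(doc + b".", sig, SENDER_PUBLIC))
```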

PKI Topic 2 - 2.20
Summary
• Public Key Cryptography is the encryption & decryption and signing/verification of data.
- Ensures privacy between sender and receiver of the data by directly preventing unintended disclosure of the data.
- Identifies the sender of the data by authentication.
- Ensures that the data has not been modified or tampered with.

Network Security and Cryptography
Topic 2 – Lecture 2: The Public Key Infrastructure


PKI Topic 2 - 2.22
What is a Digital Certificate?
• A digital document that binds your public key to an identity that the issuing Certification Authority (CA) is willing to vouch for.
• Users of the popular encryption software Pretty Good Privacy* (PGP) have the ability to generate their own digital certificates.
• Otherwise you will have to approach a Certification Authority (CA) in order to validate your identity.
* More on this in Topic 4

PKI Topic 2 - 2.23
Digital Certificate Usage
• A digital certificate issued by one of the public CAs will contain information in the key usage field of the certificate.
• This means that the private key may be used for specific purposes such as:
- digital signatures
- certificate signing
- encipher or decipher only
- key encipherment
- data encipherment

PKI Topic 2 - 2.24
Checking Usage
• Key usage may be set in the certificate but this does not ensure that the software which uses the public key has done any checks on the content of the certificate.
• Someone receiving a digitally signed document needs to check if the key was authorized for what it has been used for.
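What checking the key usage field actually involves, as an added example that is not part of the handout: a decoder for the DER-encoded X.509 keyUsage extension (the BIT STRING layout of RFC 5280 section 4.2.1.3) and a check that a key is permitted for the operation it is about to be used for. The two sample encodings are constructed but match what typical TLS server and CA certificates carry; the purpose names are my own.

```python
# Added example (not from the handout): decode X.509 keyUsage and check it
# before trusting a key for a purpose (slides 2.23 to 2.24).
from typing import Optional, Set

# Bit positions defined by RFC 5280; bit 0 is the most significant bit of the
# first content byte of the BIT STRING.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# Which keyUsage bit each operation needs.  PKI-aware software must apply this
# itself; the CA setting the bits does nothing until somebody checks them.
REQUIRED_BIT = {
    "verify-signature": "digitalSignature",
    "encrypt-session-key": "keyEncipherment",
    "verify-certificate": "keyCertSign",
    "verify-crl": "cRLSign",
}


def decode_key_usage(der: bytes) -> Set[str]:
    """Parse the DER KeyUsage value: 0x03 tag, short-form length, one byte
    giving the number of unused trailing bits, then the bit-packed flags."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unexpected length encoding")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bits count")
    if unused and body[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    total_bits = len(body) * 8 - unused
    usages = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        byte_index, bit_index = divmod(i, 8)
        if body[byte_index] & (0x80 >> bit_index):
            usages.add(KEY_USAGE_BITS[i])
    return usages


def key_allowed_for(usages: Optional[Set[str]], purpose: str) -> bool:
    """True if the certificate's keyUsage permits the purpose.  A certificate
    with no keyUsage extension (None) places no restriction under RFC 5280,
    so the caller gets no protection from it; that is the gap the slide warns
    about."""
    if purpose not in REQUIRED_BIT:
        raise ValueError(f"unknown purpose {purpose!r}")
    if usages is None:
        return True
    return REQUIRED_BIT[purpose] in usages


if __name__ == "__main__":
    # Constructed samples: a typical TLS server leaf and a typical CA.
    leaf = decode_key_usage(bytes.fromhex("030205a0"))
    ca = decode_key_usage(bytes.fromhex("03020106"))
    print("leaf:", sorted(leaf), "->", key_allowed_for(leaf, "verify-signature"))
    print("ca:  ", sorted(ca), "->", key_allowed_for(ca, "verify-signature"))
```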


PKI Topic 2 - 2.25
Certificate Standards
• The data in a certificate usually conforms to the ITU (IETF) standard X.509.
• Includes information about:
- the identity of the owner of the corresponding private key
- the length of the key
- the algorithm used by the key
- the associated hashing algorithm
- dates of validity of the certificate
- the actions that the key can be used for

PKI Topic 2 - 2.26
The Components of a PKI
• Certification Authority (CA)
• Revocation
• Registration Authority (RA)
• Certificate Publishing Methods
• Certificate Management System
• PKI-aware Applications

PKI Topic 2 - 2.27
Certification Authority (CA)
• Issues and verifies certificates.
• Takes responsibility for identifying (to a stated extent) the correctness of the identity of the person asking for a certificate to be issued.
• Ensures that the information contained within the certificate is correct and digitally signs it.


PKI Topic 2 - 2.28
CA – Generating Key Pairs
• The CA may generate a public key and a private key for their client.
• Alternatively the person applying for a certificate may generate their own key pair and send a signed request containing their public key to the CA.
- The person applying for a certificate may prefer to do this to ensure that the private key never leaves their own control.

PKI Topic 2 - 2.29
CA – Issuing Digital Certificates
• The CA will make a variety of checks to prove your identity.
• The CA may state the quality of the checks that were carried out before the certificate was issued.
• Different classes of certificate can be purchased that correspond to the different levels of these checks.

PKI Topic 2 - 2.30
CA – Digital Certificate Classes
• Class 1 certificates can be easily acquired by supplying an email address.
• Class 2 certificates require additional personal information to be supplied.
• Class 3 certificates can only be purchased after detailed checks have been made.
• A 4th class may be used by governments and organisations needing very high levels of checking.


PKI Topic 2 - 2.31
CA – Digital Certificates
• A person may have many certificates issued by many CAs.
• Some applications may insist that you use certificates issued by certain CAs.
• The CA may be:
- part of your own organisation
- a company (e.g. a bank or a post office)
- or an independent entity (e.g. VeriSign)

PKI Topic 2 - 2.32
CA – Verifying Digital Certificates
• The public key certificate is signed by the CA to prevent its modification or falsification.
• This is used when checking the public key is valid.
• The signature is validated against a list of 'Root CAs' contained within various 'PKI aware' applications such as your browser.
• Certificate validation occurs automatically using the public certificate contained within the root CA list.

PKI Topic 2 - 2.33
Revocation
• There is a system for making it known that certificates are no longer valid (revoked).
• A system of revocation lists has been developed that exists outside the directory/database that stores certificates.
- It is a list of certificates that are no longer valid.
• Revocation lists may be publicly available as certificates may have been widely distributed.


PKI Topic 2 - 2.34
Registration Authority (RA)
• A registration authority is a third party used by the CA to perform checks on the person or company applying for the certificate to ensure that they are who they claim to be.
• RAs may appear to the requestor of the certificate as CAs but they don't digitally sign the certificate.

PKI Topic 2 - 2.35
Certificate Publishing Methods
• PKI systems require the publishing of certificates so that users can find them.
• There are two means of doing this:
- Publishing it in the equivalent of an electronic telephone directory
- Sending it to parties who might need it

PKI Topic 2 - 2.36
Publishing in Directories
• Directories are databases that are X.500/LDAP compliant.
- The databases contain certificates in the X.509 format.
- They provide specific search facilities which are specified in the LDAP standards published by the IETF.
• Directories can be public or remain private:
- Private directories usually contain confidential data that the owner does not wish to be publicly accessible.
- Public directories contain information which can be read by anyone with access to them.


PKI Topic 2 - 2.37
Publishing in Databases
• Databases can be configured to accept X.509 format certificates.
• This can be done for private systems where search methods do not follow the LDAP structure.
• This method is not used for public directories because it is essentially a proprietary system.

PKI Topic 2 - 2.38
Sending to Potential Users
• Certificates can be sent through email so that the recipient can add them to their server or desktop.
• Certificates can also be carried in portable storage media such as:
- DVDs
- CDs
- USB storage devices

PKI Topic 2 - 2.39
Certificate Management System
• Systems that manage certificates:
- publish
- suspend
- renew
- revoke
• Do not usually delete certificates because they may be required for future legal reasons.
• Typically a CA will run these systems to keep track of their certificates.


PKI Topic 2 - 2.40
PKI Aware Applications
• Applications are those that have had a particular CA software supplier's toolkit added to them.
- Enables them to use the supplier's CA and certificates to implement PKI functions.
• These applications have no knowledge base built in to them about what the security requirements really are, or which PKI services are relevant in their delivery.

PKI Topic 2 - 2.41

References• Stallings, W. (2010). Cryptography and Network

Security: Principles and Practice. Pearson Education.

© NCC Education LimitedV1.0

• Network Working Group (1999). Internet X.509 Public Key Infrastructure [Available Online] http://www.ietf.org/rfc/rfc2459.txt

PKI Topic 2 - 2.42

Topic 2 – PKI

© NCC Education LimitedV1.0

Any Questions?

Page 54: NCC Network Security Handout

Network Security and Cryptography
Topic 3: Web Security

Topic 3 – Lecture 1: Web Security and IPSEC

Web Security Topic 3 - 3.3

Scope and Coverage
This topic will cover:
• Overview of web security
• IPSEC
• SSL/TLS
• HTTPS

Page 55: NCC Network Security Handout

Web Security Topic 3 - 3.4

Learning Outcomes
By the end of this topic students will be able to:
• Explain the concept of web security with SSL/TLS
• Demonstrate applying for and deploying a Digital Certificate

Web Security Topic 3 - 3.5

Web Security
• The Web presents us with some security issues that may not be present in other networks:
- Two-way systems
- Multiple types of communication
- Importance to business
- Complex software
- Multiple connections to a server
- Untrained users

Web Security Topic 3 - 3.6

Two-way Systems
• The Web works on a client-server model that allows communication in both directions:
- Server sends files to clients
- Clients send files to servers
• Servers must be protected from malicious content uploaded by clients:
- Deliberate upload
- Accidental upload, e.g. unwittingly uploading an infected file

Page 56: NCC Network Security Handout

Web Security Topic 3 - 3.7

Multiple Types of Communication
• The web does not deal with a limited small number of file types:
- Text
- Image
- Video
- Sound ...
• The web delivers real-time content.
• Multiple file types = multiple security threats: every parser or renderer (image decoder, video codec, document viewer) is additional attack surface.

Web Security Topic 3 - 3.8

Importance to Business
• Used to supply corporate information
• Used to supply product/service information
• Used for business transactions including financial transactions
- banking, online shops, ordering systems, etc.
• If web servers are compromised, there may be very serious consequences to a business:
- Loss of money & trade
- Loss of reputation

Web Security Topic 3 - 3.9

Complex Software
• Servers are relatively easy to set up and configure.
• It is simple to create web content.
- Even complex-looking web applications are often simple to create.
• This simplicity is made possible by complex underlying software.
• Complex software often has undetected security holes.
- You can be sure that someone will detect them!

Page 57: NCC Network Security Handout

Web Security Topic 3 - 3.10

Multiple Connections
• The Web works because there are multiple connections to a server.
• Different servers are connected to each other.
• What happens if a server is subverted and a malicious attacker gains control?
- How many clients will be affected?
- How many other servers will be affected?
• An attack could have widespread consequences.

Web Security Topic 3 - 3.11

Untrained Users
• The Web is used by many, many clients with no training or understanding of security issues.
- How many people surf the Internet without antivirus software?
- Add in the people who have out-of-date virus definitions.
• Many people do not have the tools or knowledge to deal with threats on the Web.
• These same people will be interacting with servers around the world.

Web Security Topic 3 - 3.12

Traffic Security
• Maintaining the security of a server as a piece of hardware is not fundamentally different to general computer security.
• We will concentrate on the security of Web traffic:
- At the Network level (IPSec)
- At the Transport level (SSL/TLS)

Page 58: NCC Network Security Handout

Web Security Topic 3 - 3.13

TCP/IP and the OSI Model
[Diagram: the TCP/IP layers mapped against the OSI layers; not reproduced in the handout text.]

Web Security Topic 3 - 3.14

Network Level Security: IPSec
[Diagram: protocol stack with security provided at the network layer]
HTTP | FTP | SMTP
TCP
IP/IPSec

Web Security Topic 3 - 3.15

Transport Level Security: SSL/TLS
[Diagram: protocol stack with security provided at the transport layer]
HTTP | FTP | SMTP
SSL or TLS
TCP
IP

Page 59: NCC Network Security Handout

Web Security Topic 3 - 3.16

IP Security (IPSec)
• Provides security services at the IP layer for other TCP/IP protocols and applications to use.
• Provides the tools that devices on a TCP/IP network need in order to communicate securely.
- When two devices wish to communicate securely, they create a secure path between themselves that may traverse many insecure intermediate systems.

Web Security Topic 3 - 3.17

Steps for an IPSec Connection
1. Agree on a set of security protocols to use (AH and/or ESP) so that data is in a format both parties can understand.
2. Decide on the encryption and integrity algorithms to use.
3. Establish the keys that will protect the data. In practice the keys are not sent across the network: both sides derive them from a Diffie-Hellman exchange carried out by IKE.
4. Use the protocols, methods and keys agreed upon to protect data and send it across the network.

Web Security Topic 3 - 3.18

IPSec Core Protocols
• IPSec Authentication Header (AH)
- Provides authentication services
- Verifies the originator of a message
- Verifies that the data has not been changed en route
- Provides protection against replay attacks (a sequence number in every packet plus a sliding window at the receiver)
• Encapsulating Security Payload (ESP)
- AH ensures integrity but not privacy
- Datagram can be further protected using ESP
- Encrypts the payload of the IP datagram (ESP can also carry its own integrity check and anti-replay protection, which is why ESP on its own is the usual choice today)
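The anti-replay service that AH and ESP share is easier to understand in code. The following is an added example written for this handout, not code from the page or from any IPsec implementation: it models the receiver side of an RFC 4303-style sliding window, with the integrity check (an HMAC-SHA-256-128 ICV, as specified in RFC 4868) performed before the window is touched. The packet layout (sequence number, payload, ICV), the key and the sequence numbers are constructed for the example; the class and function names are this example's own.

```python
"""Constructed example: IPsec-style anti-replay window with an ICV check.

Models the receiver side of AH/ESP integrity plus anti-replay (RFC 4302/4303):
the window is only advanced after the ICV verifies, so a forged packet cannot
move the window and lock out genuine traffic.
"""
import hashlib
import hmac
import struct

WINDOW = 64            # RFC 4303 minimum is 32; 64 is a common default
ICV_LEN = 16           # HMAC-SHA-256-128 (RFC 4868): tag truncated to 128 bits


def icv(key: bytes, seq: int, payload: bytes) -> bytes:
    """Integrity Check Value over the sequence number and the protected payload."""
    return hmac.new(key, struct.pack("!I", seq) + payload, hashlib.sha256).digest()[:ICV_LEN]


def build_packet(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: seq || payload || ICV (a simplified AH/ESP layout for this example)."""
    return struct.pack("!I", seq) + payload + icv(key, seq, payload)


class ReplayWindow:
    """Sliding window over the last `size` sequence numbers (RFC 4303 section 3.4.3)."""

    def __init__(self, key: bytes, size: int = WINDOW):
        self.key = key
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => seq (top - i) has already been received

    def check(self, seq: int) -> str:
        """Classify seq against the window WITHOUT updating it."""
        if seq == 0:
            return "invalid"                # seq 0 is never sent when anti-replay is enabled
        if seq > self.top:
            return "new"                    # right of the window: would advance it
        if seq <= self.top - self.size:
            return "too-old"                # left of the window: drop
        if self.bitmap & (1 << (self.top - seq)):
            return "replay"                 # inside the window and already seen
        return "in-window"

    def receive(self, packet: bytes) -> tuple:
        """Verify the ICV first, then update the window. Returns (accepted, reason)."""
        if len(packet) < 4 + ICV_LEN:
            return False, "truncated"
        seq = struct.unpack("!I", packet[:4])[0]
        payload, tag = packet[4:-ICV_LEN], packet[-ICV_LEN:]
        verdict = self.check(seq)
        if verdict not in ("new", "in-window"):
            return False, verdict
        if not hmac.compare_digest(tag, icv(self.key, seq, payload)):
            return False, "bad-icv"        # window untouched: a forgery cannot advance it
        if verdict == "new":
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1               # bit 0 now stands for seq itself
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        return True, verdict


def demo() -> list:
    """Run a constructed stream (in order, reordered, replayed, forged, far ahead) through the window."""
    key = b"constructed-32-byte-demo-key-000"
    win = ReplayWindow(key)
    good = {s: build_packet(key, s, b"data-%d" % s) for s in (1, 2, 3, 5, 4, 70)}
    forged = build_packet(b"wrong-key", 71, b"evil")    # attacker does not know the SA key
    stream = [good[1], good[2], good[3], good[5], good[4], good[2], forged, good[70], good[5]]
    results = []
    for pkt in stream:
        seq = struct.unpack("!I", pkt[:4])[0]
        accepted, reason = win.receive(pkt)
        results.append((seq, accepted, reason))
    return results
```

Note the ordering in `receive`: a packet whose ICV fails leaves the window untouched, so an attacker who injects a packet with a very high sequence number cannot push the window forward and cause genuine in-flight packets to be rejected as too old. In the demo, packet 4 arriving after 5 is accepted (reordering inside the window is allowed), the second copy of packet 2 is a replay, the forged packet 71 is dropped on its ICV, and after the genuine packet 70 advances the window a late copy of packet 5 falls off the left edge.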

Page 60: NCC Network Security Handout

Web Security Topic 3 - 3.19

Support Protocols & Mechanisms
• The core protocols are quite generic and rely on other protocols and mechanisms to be agreed.
• Common integrity algorithms at the time of writing were HMAC-MD5 and HMAC-SHA-1; both are now considered legacy, and current deployments should prefer HMAC-SHA-256 or an authenticated cipher such as AES-GCM.
• IPSec provides flexibility in letting devices decide how they want to implement security.
- Security policies and security associations (SAs) are created; an SA records the algorithms, keys and sequence-number state for one direction of traffic.
• Devices need a way to exchange security information.
- The Internet Key Exchange (IKE) provides this.

Web Security Topic 3 - 3.20

IPSec Applications
• Securing a company's Virtual Private Network (VPN) over the Internet
• Securing remote access over the Internet
• Establishing connections with partners via an extranet
• Enhancing eCommerce security by adding to the security mechanisms in the application layer

Web Security Topic 3 - 3.21

IPSec Advantages
• Can be applied at a firewall or router and then applies to all traffic crossing that boundary.
• It is transparent to applications.
• It is transparent to end users.
• It can provide security for individual users if required.

Page 61: NCC Network Security Handout

Topic 3 – Lecture 2: SSL/TLS and HTTPS

Web Security Topic 3 - 3.23

Secure Socket Layer (SSL)
• Originally developed by Netscape in 1995 to provide secure and authenticated connections between browsers and servers.
• Provides transport layer security.
• Transport Layer Security (TLS) Version 1.0 is essentially SSL v3.1 (that is the version number it carries on the wire).

Web Security Topic 3 - 3.24

SSL Architecture
• SSL uses TCP to provide a reliable and secure end-to-end service.
• It is not a single protocol but two layers of protocols (see next slide).
• The Hypertext Transfer Protocol (HTTP) used for server/client interaction on the Internet can operate on top of the SSL Record Protocol.

Page 62: NCC Network Security Handout

Web Security Topic 3 - 3.25

SSL Architecture
[Diagram: the SSL protocol stack]
SSL Handshake Protocol | SSL Change Cipher Spec Protocol | SSL Alert Protocol | HTTP
SSL Record Protocol
TCP
IP

Web Security Topic 3 - 3.26

SSL Connections
• A connection is a transport* that provides a suitable type of service.
• SSL connections are peer-to-peer relationships.
• These SSL connections are transient.
- They only last for a certain length of time.
• Each connection is associated with a session.
*as defined by the OSI model

Web Security Topic 3 - 3.27

SSL Sessions
• A session in SSL is an association between a client and a server.
• Such sessions are created by the SSL Handshake Protocol.
• A session defines the security parameters (cipher suite, compression method, master secret, peer certificate).
• A session may be shared by multiple connections.
- Allows the same settings to be used by many connections without the need to repeatedly negotiate the security parameters; the expensive public-key operations happen once per session, not once per connection.

Page 63: NCC Network Security Handout

Web Security Topic 3 - 3.28

SSL Record Protocol - 1
• Provides two services for SSL connections:
- Confidentiality
- Integrity (message authentication via a keyed MAC)
• Transmitted data:
- Fragmented into manageable blocks (at most 2^14 bytes each)
- Compressed (optional)
- MAC computed over the fragment
- Encrypted
- Header added and transmitted in a TCP segment

Web Security Topic 3 - 3.29

SSL Record Protocol - 2
• Received data:
- Decrypted
- Verified (MAC checked)
- Decompressed
- Reassembled
- Delivered to higher level users

Web Security Topic 3 - 3.30

SSL Change Cipher Spec Protocol
• Very simple
• One single byte containing the value 1
• Has one single purpose:
- Causes the pending state to be copied into the current state
- This updates the cipher suite to be used on a connection.

Page 64: NCC Network Security Handout

Web Security Topic 3 - 3.31

SSL Alert Protocol
• Used to convey SSL alerts to the peer entity.
• Alert messages are compressed and encrypted as specified by the session.
• Each message consists of two bytes:
- The first value indicates a warning or fatal alert (1 = warning, 2 = fatal).
- The second indicates the type of alert.
• A fatal alert will cause SSL to immediately terminate the connection, but not other connections on the same session; no new connections may be opened on that session, however.

Web Security Topic 3 - 3.32

SSL Alert Types
• There are a number of alerts including the following. The top four are always fatal:
- unexpected_message
- decompression_failure
- handshake_failure
- illegal_parameter
- close_notify
- no_certificate
- certificate_revoked

Web Security Topic 3 - 3.33

SSL Handshake Protocol - 1
• The most complex part of SSL
• Allows server and client to authenticate each other
• Allows server and client to negotiate the encryption algorithms and keys that will be used to protect data in an SSL record
• This protocol is used before any application data is sent.

Page 65: NCC Network Security Handout

Web Security Topic 3 - 3.34

SSL Handshake Protocol - 2
• Consists of a series of messages, all with the same format.
• Each message has 3 fields:
- Type (1 byte) – indicates 1 of 10 message types
- Length (3 bytes) – the length of the message in bytes
- Content (0 or more bytes) – parameters associated with the message
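To make the byte layouts from the Alert Protocol and Handshake Protocol slides concrete, here is an added example (not code from the handout or from any SSL/TLS library) that parses the three structures they describe: the 5-byte record header (type, version, length), the handshake header with its 1-byte type and 3-byte length, and the 2-byte alert. It goes slightly beyond the slides in that it walks a whole byte stream containing several records and several handshake messages per record. The sample stream is constructed for this example; the numeric codes are the ones defined for SSLv3/TLS 1.0, and all function and constant names are this example's own.

```python
"""Constructed example: parsing the SSL/TLS record layer, handshake headers and alerts."""
import struct

MAX_FRAGMENT = 2 ** 14      # the record protocol fragments plaintext into blocks of at most 16 KiB
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {0: "hello_request", 1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 13: "certificate_request", 14: "server_hello_done",
                   15: "certificate_verify", 16: "client_key_exchange", 20: "finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      30: "decompression_failure", 40: "handshake_failure",
                      41: "no_certificate", 44: "certificate_revoked", 47: "illegal_parameter"}
# Alerts the specification defines as always fatal, whatever level byte the peer put on them.
ALWAYS_FATAL = {"unexpected_message", "bad_record_mac", "decompression_failure",
                "handshake_failure", "illegal_parameter"}


def parse_records(buf: bytes) -> list:
    """Split a byte stream into records; reject a truncated or oversized record."""
    records, off = [], 0
    while off < len(buf):
        if len(buf) - off < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", buf[off:off + 5])
        if length > MAX_FRAGMENT + 2048:     # ciphertext may exceed the plaintext fragment by 2048 bytes
            raise ValueError("record length %d exceeds maximum" % length)
        body = buf[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        records.append({"type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
                        "version": (major, minor), "fragment": body})
        off += 5 + length
    return records


def parse_handshake(fragment: bytes) -> list:
    """Parse one or more handshake messages laid out as type(1) || length(3) || content."""
    msgs, off = [], 0
    while off < len(fragment):
        if len(fragment) - off < 4:
            raise ValueError("truncated handshake header")
        htype = fragment[off]
        length = int.from_bytes(fragment[off + 1:off + 4], "big")    # the 3-byte length field
        body = fragment[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake body")
        msgs.append({"type": HANDSHAKE_TYPES.get(htype, "unknown(%d)" % htype), "body": body})
        off += 4 + length
    return msgs


def parse_alert(fragment: bytes) -> dict:
    """Parse a 2-byte alert (level, description) and decide whether the connection must close."""
    if len(fragment) != 2:
        raise ValueError("alert must be exactly two bytes")
    level, desc = fragment[0], fragment[1]
    name = ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc)
    # Conservative choice: an always-fatal alert closes the connection even if labelled "warning".
    fatal = level == 2 or name in ALWAYS_FATAL
    return {"level": ALERT_LEVELS.get(level, "unknown(%d)" % level),
            "description": name, "close_connection": fatal}


def build_demo_stream() -> bytes:
    """Constructed sample: a ClientHello record followed by a fatal handshake_failure alert."""
    # client_version 3.1, 32-byte random, empty session id, one cipher suite (0x002f), null compression
    client_hello = bytes([3, 1]) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    hs = bytes([1]) + len(client_hello).to_bytes(3, "big") + client_hello
    rec1 = struct.pack("!BBBH", 22, 3, 1, len(hs)) + hs
    rec2 = struct.pack("!BBBH", 21, 3, 1, 2) + bytes([2, 40])   # level fatal, handshake_failure
    return rec1 + rec2
```

The length checks are where real implementations have gone wrong: a record or handshake body that claims more bytes than are present must be treated as an error, never read past the buffer.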

Web Security Topic 3 - 3.35

Messages
• The series of messages is initiated by the client.
• The first phase establishes the security capabilities (protocol version, session ID, cipher suite, compression method and random values).
• The second phase involves authenticating the server and exchanging keys.
• The third phase involves authenticating the client and exchanging keys.
• The fourth phase completes the exchange (change cipher spec and finished messages).

Web Security Topic 3 - 3.36

HTTPS
• HTTP over SSL/TLS
• Used to create secure communications between a Web browser and Web server
• Built into modern browsers
• Requires the server to support HTTPS communication
- For example, at the time of writing, the Google search engine did not support connections via HTTPS. (This example is dated: major search engines now serve HTTPS by default.)

Page 66: NCC Network Security Handout

Web Security Topic 3 - 3.37

HTTPS Compared to HTTP
• URL begins with https:// rather than http://
• HTTPS connections use port 443 whereas HTTP uses port 80.
- On port 443 the server expects the SSL/TLS handshake before any HTTP request is sent.
• If all is well, the browser will typically show a padlock or some other symbol to indicate the use of SSL/TLS.

Web Security Topic 3 - 3.38

HTTPS and Encryption
• The following elements of an HTTPS communication are encrypted:
- URL of the requested document (path and query string)
- Contents of the document
- Contents of browser forms
  • The fields filled in by the user in the browser
- Cookies
  • From server to browser
  • From browser to server
- Contents of the HTTP header
• Not encrypted: the server's host name, which an observer can see from the DNS lookup and the Server Name Indication at the start of the handshake, plus the IP addresses and the approximate sizes of the exchanged data.

Web Security Topic 3 - 3.39

SSL Advantages
• It is independent of the applications once a connection has been created.
- After the initiating handshake, it acts as a secure tunnel through which you can send almost anything.
• Has several implementation packages, both commercial and freely available.
- All major platforms (Windows, Linux, etc.) support SSL.
- No requirement for extra software packages.

Page 67: NCC Network Security Handout

Web Security Topic 3 - 3.40

SSL Disadvantages
• The extra security comes with extra processing overhead.
• This overhead is largely at the server end (the private-key operation in the handshake).
• This means communications using SSL/TLS are slower than those without it.
- Some sources suggest that HTTPS communication can be up to three times slower than HTTP.
- With modern browsers, servers and connection speeds, this should not cause significant problems; session reuse avoids repeating the full handshake for every connection.

Web Security Topic 3 - 3.41

SSL/TLS Broken
• September 2011: researchers demonstrated a practical attack on SSL/TLS as deployed at the time (later known as BEAST).
• The attack exploited the CBC-mode encryption used by TLS 1.0 and earlier to recover data such as session cookies from an HTTPS connection; it did not break the underlying ciphers, and TLS 1.1 and later are not affected.
• This has major implications for secure communications via the Internet.
Reference for news emerging (September 2011):
http://www.computerweekly.com/Articles/2011/09/22/247969/Researchers-claim-to-have-broken-SSLTLS-encryption.htm

Web Security Topic 3 - 3.42

References
• Stallings, W. (2010). Cryptography and Network Security: Principles and Practice. Pearson Education.
• Thomas, S.A. (2000). SSL & TLS Essentials: Securing the Web. Wiley.

Page 68: NCC Network Security Handout

Web Security Topic 3 - 3.43

Topic 3 – Web Security

Any Questions?

Page 69: NCC Network Security Handout

Network Security and Cryptography
Topic 4: Email Security

Topic 4 – Lecture 1: Email Security Threats

Email Security Topic 4 - 4.3

Scope and Coverage
This topic will cover:
• Email security threats
• Email security solutions
• PGP
• S/MIME

Page 70: NCC Network Security Handout

Email Security Topic 4 - 4.4

Learning Outcomes
By the end of this topic students will be able to:
• Describe email security mechanisms
• Digitally sign an email

Email Security Topic 4 - 4.5

Importance of Email
• Business has come to rely on email as a means of communication:
- fast
- cost-effective
- easy collaboration and information-sharing
• Email has become the primary method for corresponding with colleagues, customers, and business partners.

Email Security Topic 4 - 4.6

Email Security Threats
• Viruses can corrupt mission-critical documents and applications.
• Hackers will try to obtain confidential information.
• Spam can greatly degrade the performance of other components within the communications infrastructure.
• Threats can stop business systems and mission-critical activities.

Page 71: NCC Network Security Handout

Email Security Topic 4 - 4.7

Viruses
• Viruses are very sophisticated and often appear to be harmless correspondence:
- personal communication
- jokes
- marketing promotions
• Most viruses require recipients to open attachments in order to spread.
• Some are designed to launch automatically, with no user action required (e.g. by exploiting a flaw in the mail client's rendering of the message).

Email Security Topic 4 - 4.8

Protection from Viruses
• Email security solutions offer highly advanced virus protection:
- automatically scan all incoming and outgoing messages
- automatically scan all attachments
- automatic update capabilities
• New threats emerge all the time and updates offer protection from the latest known threats; signature-based scanning cannot catch malware it has never seen.

Email Security Topic 4 - 4.9

Spam
• A large proportion of all corporate email is spam.
• Spam costs US business billions of dollars in lost productivity and system slow-downs annually.
• Most spam is annoying and slows down the network.
• Hackers may sometimes disguise viruses, spyware, and malware as innocent-looking spam.

Page 72: NCC Network Security Handout

Email Security Topic 4 - 4.10

Protection from Spam
• Email security packages usually contain spam filters that:
- Identify non-relevant communications
- Use key words and phrases
- May also use format, size, or ratio of graphics to text
- Move spam to a separate folder or delete it from the email server
- May also block email addresses that are known to have sent spam, preventing further disruptive emails

Email Security Topic 4 - 4.11

Phishing
• Used for identity theft and fraud
• Poses as authorised emails from trustworthy institutions
• Attempts to get recipients to surrender personal information such as bank account details
• Most are aimed at individuals
• Some have targeted smaller businesses

Email Security Topic 4 - 4.12

Protection from Phishing
• Email security packages provide anti-phishing protection
• Combination of methods:
- Authentication
- Detection
- Prevention
- Reporting
• Enables threat analysis, attack prioritisation and response to minimise the risk and impact of phishing

Page 73: NCC Network Security Handout

Email Security Topic 4 - 4.13

Spyware
• Enables hackers to record activities and data from the infected computer
• Done via a program that dynamically gathers information and transmits it via an Internet connection
• Often bundled in with shareware and freeware programs
• Usually installs and runs without user knowledge

Email Security Topic 4 - 4.14

Protection from Spyware
• Firewalls alone are insufficient
• Email security packages will scan devices regularly for spyware programs
• Blocks known spyware programs before they can be downloaded and installed

Email Security Topic 4 - 4.15

Email Authentication
• Aims to provide enough information to the recipient so that they know the nature of the email
• A valid identity on an email is a vital step in stopping spam, forgery, fraud, and other serious crimes
• SMTP was not designed with security in mind and thus has no formal verification of the sender: both the From: header and the envelope sender are set by the sending software and can say anything
• Signing emails identifies the origin of a message, but not whether it should be trusted

Page 74: NCC Network Security Handout

Email Security Topic 4 - 4.16

Authenticating Source IP Address
• Because SMTP runs over TCP, the receiving mail server knows the IP address of the host that actually connected to it (the three-way handshake makes spoofing that address impractical) and records it in a Received: header.
• This does not verify the identity of the sender; it identifies only the last hop.
• Forged headers can be used to create a spam message that appears to be real: any Received: header below the one added by your own server may have been fabricated by the sender.
• The sending IP address may belong to a zombie machine under the control of a hacker.

Email Security Topic 4 - 4.17

Blacklisting IP Addresses
• The IP addresses originating spam and phishing emails can be blacklisted so that future email from them is not received but either quarantined or deleted.
• Many IP addresses are dynamic:
- Change frequently
- An organisation has a block of IP addresses
- IP addresses are allocated when needed
- May get a new address every time a connection is made
• Therefore a spammer will not have a permanent IP address, and a blacklisted address may later be reassigned to an innocent user.
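An added example (not from the handout) of the point made on the two slides above: only the Received: header that your own mail server prepended records the real connecting IP, so that is the one to check against a blacklist, and nothing below it should be trusted. The message, the host name `mx.example.net`, the blocklist and the function names are all constructed for this example.

```python
"""Constructed example: pick the trustworthy Received: header and check its IP against a blacklist.

Received: headers are prepended by each hop, so the topmost one was written by
our own MX and records the IP that actually connected to us. Every header below
it arrived from the remote side and may be fabricated.
"""
import email
import ipaddress
import re
from email import policy

# Constructed blocklist: a /24 of known spam sources and one single host.
BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.7/32")]

RECEIVED_IP = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")   # the bracketed literal address


def connecting_ip(raw_message: bytes, our_host: str):
    """IP recorded by our own MX in the topmost Received: header, or None if there is no trusted one."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    received = msg.get_all("Received") or []
    if not received:
        return None
    top = received[0]                         # first in the list = last hop = written by us
    if not re.search(r"\bby\s+" + re.escape(our_host), top):
        return None                           # outermost header is not ours: trust none of them
    m = RECEIVED_IP.search(top)
    return ipaddress.ip_address(m.group(1)) if m else None


def is_blocklisted(ip) -> bool:
    return any(ip in net for net in BLOCKLIST)


def classify(raw_message: bytes, our_host: str = "mx.example.net") -> str:
    """Return 'quarantine', 'accept' or 'no-trusted-source' for a raw message."""
    ip = connecting_ip(raw_message, our_host)
    if ip is None:
        return "no-trusted-source"
    return "quarantine" if is_blocklisted(ip) else "accept"


# Constructed message: the spammer forged an internal-looking Received: line and the From:
# address, but the header our own MX added shows the real connecting IP.
SAMPLE = b"""Received: from mail.bigbank.example (spam-host [203.0.113.45])
\tby mx.example.net with ESMTP id 12345; Mon, 01 Jan 2024 10:00:00 +0000
Received: from trusted.internal.example ([10.0.0.5]) by mail.bigbank.example
From: security@bigbank.example
To: victim@example.net
Subject: Verify your account

Please confirm your details at the link below.
"""
```

A filter that scanned every Received: header for a "clean" address would be fooled by the forged second line; anchoring on the header your own server wrote is what makes the check meaningful.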

Email Security Topic 4 - 4.18

Controlling Traffic
• Some ISPs use techniques to prevent spamming by their customers:
- Outbound port 25 can be blocked so that mail must be submitted on port 587, which requires authentication
- Limiting the number of Received: headers in relayed mail
- Infected computers can be cleaned and patched
- Outgoing email can be monitored for any sudden increase in flow or in content (a typical spam signature)

Page 75: NCC Network Security Handout

Email Security Topic 4 - 4.19

Other Email Threats
• So far we have not even mentioned the following issues:
- Sensitive information transmitted unencrypted between mail server and client may be intercepted
- All popular email communication standards (SMTP, POP3, IMAP) default to sending usernames, passwords, and email messages unencrypted unless TLS is enabled
- Information within email messages may be altered at some point between the sender and recipient

Email Security Topic 4 - 4.20

Securing Email Content
• The next lecture deals with securing the content of email.
• It will include the techniques for:
- Digitally signing an email
- Encrypting the content of an email
- Encrypting the header of an email

Network Security and Cryptography
Topic 4 – Lecture 2: PGP and S/MIME

Page 76: NCC Network Security Handout

Email Security Topic 4 - 4.22

Cryptography in Email Systems
• Cryptography can be used in email to:
- Sign an email message to ensure its integrity and confirm the identity of its sender
- Encrypt the body of an email message to ensure its confidentiality
- Encrypt the communications between mail servers to protect the confidentiality of both the message body and message header while in transit

Email Security Topic 4 - 4.23

Digitally Sign & Encrypt
• Signing a message and encrypting the body are often used together to provide authentication and privacy.
• When a message needs to be encrypted to protect its confidentiality, it is usually digitally signed as well:
- so that the recipient can ensure the integrity of the message and also verify the identity of the signer
• Digitally signed messages are usually not encrypted if confidentiality does not need to be protected.

Email Security Topic 4 - 4.24

Encrypting Transmission
• Encrypting the transmissions between mail servers is used mainly when two organisations want to protect emails regularly sent between themselves.
• The organisations could establish a virtual private network (VPN) to encrypt the communications between their mail servers over the Internet.
• A VPN can be used to encrypt entire messages including header information:
- E.g. senders, recipients, subject lines
• This protects a message only between the two servers; it is stored in the clear at each end and on any intermediate relay.

Page 77: NCC Network Security Handout

Email Security Topic 4 - 4.25

Individual Emails
• Most email messages are protected individually rather than along a secure VPN.
• Each message is protected by digitally signing and optionally encrypting it.
• Widely used standards for signing and encrypting message bodies are:
- OpenPGP (Open Pretty Good Privacy)
- Secure/Multipurpose Internet Mail Extensions (S/MIME)

Email Security Topic 4 - 4.26

OpenPGP
• A protocol for encrypting and signing messages and creating certificates using public key cryptography
• Based on an earlier protocol, PGP
• PGP was first released in June 1991
• The original PGP protocol used some encryption algorithms with intellectual property restrictions
• OpenPGP was developed as a standard protocol based on PGP Version 5

Email Security Topic 4 - 4.27

OpenPGP Algorithms
• A number of OpenPGP based products fully support cryptographic algorithms recommended by NIST including:
- 3DES and AES for data encryption
- Digital Signature Algorithm (DSA) and RSA for digital signatures
- SHA for hashing
• Other implementations of OpenPGP support other encryption schemes

Page 78: NCC Network Security Handout

Email Security Topic 4 - 4.28

OpenPGP Cryptography
• OpenPGP uses both public key cryptography and symmetric key cryptography.
• Public key cryptography is used to create digitally signed message digests and to protect the per-message session key.
• Encryption of the message body is performed using a symmetric key algorithm.

Email Security Topic 4 - 4.29

OpenPGP – Signing & Encrypting - 1
• A digital signature is generated over the message digest using the sender's private key and attached to the message.
• The message and signature are compressed. (Signing is done before compression so that the signature can be verified, and stored, independently of the compressed form.)
• A random session key is created.
• The compressed message and signature are encrypted using the session key and a symmetric algorithm.

Email Security Topic 4 - 4.30

OpenPGP – Signing & Encrypting - 2
• The session key is encrypted using the recipient's public key and added to the encrypted message.
• The encrypted message is sent to the recipient.
• The recipient reverses these steps: recovers the session key with their private key, decrypts, decompresses, then verifies the signature with the sender's public key.
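The two slides above describe a pipeline; the following added example (not code from the handout, and not an OpenPGP implementation) runs it end to end so the order of operations and the role of each key are visible. Everything cryptographic in it is a labelled stand-in: RSA is textbook RSA with no padding, built on fixed Mersenne primes purely so the run is reproducible (keys like that are trivially factorable and must never be used for real), and the "symmetric cipher" is an HMAC-SHA-256 keystream standing in for AES or 3DES. Compression uses zlib, which is one of the compression methods OpenPGP allows. The key names ALICE and BOB, the message and all function names are this example's own.

```python
"""Constructed example of the OpenPGP sign -> compress -> encrypt -> wrap-session-key pipeline.

Toy cryptography throughout (see the lead-in); the point is the sequence of steps.
"""
import hashlib
import hmac
import secrets
import zlib

E = 65537


def toy_rsa_keypair(p: int, q: int) -> dict:
    """Textbook RSA key from two primes. Toy only: no padding, guessable primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E, "d": pow(E, -1, phi), "bytes": (n.bit_length() + 7) // 8}


def rsa_sign(priv: dict, message: bytes) -> bytes:
    """Signature = SHA-256(message)^d mod n: the digest is what gets signed, not the message."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, priv["d"], priv["n"]).to_bytes(priv["bytes"], "big")


def rsa_verify(pub: dict, message: bytes, sig: bytes) -> bool:
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(int.from_bytes(sig, "big"), pub["e"], pub["n"]) == h


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with HMAC-SHA-256(key, counter) blocks. Stand-in for AES/3DES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def pgp_encrypt(plaintext: bytes, sender_priv: dict, recipient_pub: dict) -> tuple:
    """Sender side. Returns (encrypted session key, encrypted body)."""
    sig = rsa_sign(sender_priv, plaintext)                        # 1. sign the uncompressed plaintext
    packet = len(sig).to_bytes(2, "big") + sig + plaintext        #    the signature travels with the message
    compressed = zlib.compress(packet)                            # 2. compress message + signature
    session_key = secrets.token_bytes(32)                         # 3. fresh random session key
    body = keystream_xor(session_key, compressed)                 # 4. symmetric encryption of the packet
    esk = pow(int.from_bytes(session_key, "big"),                 # 5. session key under the recipient's
              recipient_pub["e"], recipient_pub["n"])             #    public key (textbook RSA, toy)
    return esk, body


def pgp_decrypt(esk: int, body: bytes, recipient_priv: dict, sender_pub: dict) -> tuple:
    """Recipient reverses the steps. Returns (plaintext, signature_valid)."""
    session_key = pow(esk, recipient_priv["d"], recipient_priv["n"]).to_bytes(32, "big")
    packet = zlib.decompress(keystream_xor(session_key, body))    # decrypt, then decompress
    sig_len = int.from_bytes(packet[:2], "big")
    sig, plaintext = packet[2:2 + sig_len], packet[2 + sig_len:]
    return plaintext, rsa_verify(sender_pub, plaintext, sig)      # verify with the sender's public key


# Constructed keys from known Mersenne primes, chosen only so that the example is reproducible.
ALICE = toy_rsa_keypair((1 << 127) - 1, (1 << 521) - 1)   # sender
BOB = toy_rsa_keypair((1 << 89) - 1, (1 << 607) - 1)      # recipient
```

Two things the code makes explicit that the slides only imply: the sender's private key is used once (for the signature) and the recipient's public key is used once (for the session key), and the bulk of the message is never touched by public-key operations at all.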

Page 79: NCC Network Security Handout

Email Security Topic 4 - 4.31

Using OpenPGP
• Many popular mail clients require the installation of a plug-in in order to operate OpenPGP, e.g.:
- Mozilla Thunderbird (which has since gained built-in OpenPGP support)
- Apple Mail
- Microsoft Outlook
• There are a number of OpenPGP distribution websites that contain instructions on how to use OpenPGP with various mail client applications.

Email Security Topic 4 - 4.32

MIME
• Multipurpose Internet Mail Extensions: an Internet standard that extends the format of email to support:
- Text that uses character sets other than ASCII
- Attachments that are not text based
- Message bodies with multiple parts
- Header information in non-ASCII character sets

Email Security Topic 4 - 4.33

S/MIME
• Secure/MIME is a security extension of the MIME standard.
• It supports signing and encryption of email messages and their contents via public-key cryptography.
• Created in 1995 by a group of software vendors to prevent interception and forgery of email.
• Builds on the existing MIME protocol standard.
• Is easily integrated into existing email products.

Page 80: NCC Network Security Handout

Email Security Topic 4 - 4.34

S/MIME Functions
• Provides cryptographic security services for electronic messaging applications, including:
- Authentication (via digital signatures)
- Message integrity (via digital signatures)
- Non-repudiation of origin (via digital signatures)
- Privacy (using encryption)
- Data security (using encryption)

Email Security Topic 4 - 4.35

S/MIME Interoperability
• Based on widely supported standards
- likely to continue to be widely implemented across a variety of operating systems and email clients
• Is supported by many email clients and can be used to communicate securely between them
- Not always simple
• For example, a Windows user with the Outlook email client can send a secure, digitally signed email to a Unix user without installing any additional software, provided the recipient's client can build a trust path to the CA that issued the signer's certificate.

Email Security Topic 4 - 4.36

S/MIME Certificates
• An individual key/certificate must be obtained from a Certificate Authority (CA).
• Accepted best practice is to use separate private keys for signature and encryption:
- permits escrow of the encryption key without compromising the non-repudiation property of the signature key
• Encryption requires having the destination party's certificate stored (usually taken from a signed message they sent earlier, or fetched from a directory).

Page 81: NCC Network Security Handout

Email Security Topic 4 - 4.37

S/MIME Process
• S/MIME-enabled mail clients send messages in a similar way to OpenPGP.
• S/MIME version 3.1 supports two recommended symmetric key encryption algorithms:
- AES
- 3DES
• AES is considered a stronger algorithm than 3DES.

Email Security Topic 4 - 4.38

Key Management
• OpenPGP and S/MIME use digital certificates to manage keys.
• A digital certificate identifies:
- the entity that the certificate was issued to
- the public key of the entity's public key pair
- other information, such as the date of expiration, signed by some trusted party
• There are differences in how the two protocols manage trust.

Email Security Topic 4 - 4.39

Key Management in OpenPGP
• Uses the web of trust, which has no central key-issuing or approving authority:
- The web of trust relies on the personal decisions of users for management and control.
- Suitable for individual users and very small organisations.
- Unworkable in most medium to large organisations.
- Some organisations deploy keyservers that users can access to get others' keys and store their own keys.

Page 82: NCC Network Security Handout

Topic 4 – Email Security Network Security and Cryptography

V1.0 Visuals Handout – Page 14

Email Security Topic 4 - 4.40

Key Management in S/MIME

• Has a hierarchical structure:

- Typically, there is a master registration and approving authority, the root Certificate Authority (CA), that issues a public key certificate for itself and any subordinate CAs

- Subordinate CAs normally issue certificates to users and also to any other subordinate CAs

- They in turn issue certificates to users and their own subordinate CAs, forming a hierarchy

- This public key infrastructure can be used to establish a chain of trust between two users holding valid certificates

Email Security Topic 4 - 4.41

Third Party Services

• Third-party services are available that allow organisations to exchange encrypted email

• Removes the need to establish trust relationships

• No worries about mail application compatibility

• But the use of such services means placing sensitive messages on third-party servers

- This is also a security concern

Email Security Topic 4 - 4.42

References

• Stallings, W. (2010). Cryptography and Network Security: Principles and Practice. Pearson Education.

• NIST (2007). Guidelines on Electronic Mail Security. NIST.

Page 83: NCC Network Security Handout

Topic 4 – Email Security Network Security and Cryptography

V1.0 Visuals Handout – Page 15

Email Security Topic 4 - 4.43

Topic 4 – Email Security


Any Questions?

Page 84: NCC Network Security Handout

Topic 6 – Vulnerability Assessment Network Security and Cryptography

V1.0 Visuals Handout – Page 1

Network Security and Cryptography

Topic 6:

Vulnerability Assessment

Network Security and Cryptography

Topic 6 – Lecture 1:

An Overview of Vulnerability

Vulnerability Assessment Topic 6 - 6.3

Scope and Coverage

This topic will cover:

• Overview of network vulnerability

• Port scanners

• Password crackers

Page 85: NCC Network Security Handout

Topic 6 – Vulnerability Assessment Network Security and Cryptography

V1.0 Visuals Handout – Page 2

Vulnerability Assessment Topic 6 - 6.4

Learning Outcomes

By the end of this topic students will be able to:

• Use port scanners to highlight open ports

• Perform password cracking using dictionary and brute-force methods

Vulnerability Assessment Topic 6 - 6.5

Security Vulnerability - 1

• A security vulnerability is a flaw or a weakness in a system or network that allows an attack to harm the system or network in some way, such as:

- Allowing an unauthorised user to access the system or network

- Causing a deterioration in the performance of the system or network

- Damaging or altering the data held by a system or network

Vulnerability Assessment Topic 6 - 6.6

Security Vulnerability - 2

• The vulnerability may be inherent in the system

- E.g. new software includes a vulnerability when it is deployed, even if installed and operated correctly

• The vulnerability may be a result of the implementation of a system

- E.g. the configuration of new software

• The vulnerability may be a result of the operation and management of a system

- E.g. poor security procedures

Page 86: NCC Network Security Handout

Topic 6 – Vulnerability Assessment Network Security and Cryptography

V1.0 Visuals Handout – Page 3

Vulnerability Assessment Topic 6 - 6.7

Causes

• Software – flaws in new software, not tested sufficiently before deployment

• Hardware – dust

• Organisation procedures – poor password policy, lack of audits

• Personnel – not training staff properly

• Physical environment – no physical access controls, risks from flooding

• Combinations of the above

Vulnerability Assessment Topic 6 - 6.8

Complex Systems

• Computer networks in large businesses are usually large and also complex

• A larger system is more likely to have security holes

• A complex system is more likely to have security holes

• Complete testing of large, complex networks is very difficult and extremely time consuming

Vulnerability Assessment Topic 6 - 6.9

Common Components

• Modern networks will use common components:

- Software used by many others (sometimes open-source)

- Hardware used by many others

- Operating systems used by many others

• Attackers will have access to these components and be familiar with any security flaws they have

• The Internet rapidly spreads the knowledge of these flaws and increases the likelihood of them being quickly exploited

Page 87: NCC Network Security Handout

Topic 6 – Vulnerability Assessment Network Security and Cryptography

V1.0 Visuals Handout – Page 4

Vulnerability Assessment Topic 6 - 6.10

Many Services

• A typical modern network will provide numerous services to an organisation

• More services means:

- More protocols

- More ports

- More connections

• The network is therefore more open to attack

Vulnerability Assessment Topic 6 - 6.11

Password Vulnerability

• Vital to enforce the use of strong passwords

• Vital to regularly change passwords

- And ensure this is a real change, not 'abc1' changed to 'abc2'

• Most users will use a really weak password if they can, as it is easier to remember

- A 2006 UK survey gave the top 3 passwords as:

• 123

• Password

• Liverpool
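As an added illustration of how a system can enforce the two points on this slide (strong passwords, and password changes that are real changes rather than 'abc1' to 'abc2'), the following Python is example code written for this handout, not part of the original slides. The common-password list is constructed for the example (it includes the three survey entries above); a real deployment would load a large breached-password list, and the minimum length and character-class rules are assumptions, not figures from the slides.

```python
import re

# Constructed stand-in for a breached/common-password list. The three entries
# from the 2006 survey on the slide are included; a real deployment would load
# a far larger file.
COMMON_PASSWORDS = {"123", "password", "liverpool", "123456", "qwerty", "letmein"}

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def normalise(password: str) -> str:
    """Lower-case the password and strip trailing digits/symbols, so that
    'abc1' and 'abc2' (or 'Abc1' and 'abc3!') reduce to the same stem 'abc'.
    A password with no letters at all is returned unchanged (lower-cased)."""
    stem = re.sub(r"[^A-Za-z]+$", "", password.lower())
    return stem or password.lower()


def is_trivial_change(old: str, new: str) -> bool:
    """True when the new password is just the old one with its trailing counter
    bumped or its case changed: the 'abc1' -> 'abc2' pattern the slide warns about."""
    return normalise(old) == normalise(new)


def check_new_password(old: str, new: str, min_length: int = 12) -> list:
    """Return the list of policy violations for a proposed password change.
    An empty list means the change is acceptable. The thresholds are assumptions."""
    problems = []
    if len(new) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if new.lower() in COMMON_PASSWORDS or normalise(new) in COMMON_PASSWORDS:
        problems.append("is a common password (or a common password plus a suffix)")
    if is_trivial_change(old, new):
        problems.append("differs from the previous password only by a trailing counter or case")
    classes_used = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, new))
    if classes_used < 3:
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    for old, new in [("abc1", "abc2"),
                     ("abc1", "Liverpool1!"),
                     ("abc1", "Tr0ub4dor&3-rides-again")]:
        print(f"{old!r} -> {new!r}: {check_new_password(old, new) or 'OK'}")
```

The stem comparison is deliberately crude: it catches the counter-increment habit the slide describes without needing the old password in clear, since both values are available at the moment of change and neither needs to be stored afterwards.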

Vulnerability Assessment Topic 6 - 6.12

Operating Systems (OS)

• Default settings can leave a system open to attack

- E.g. granting full access rights to any user – this gives every program, including any malware on the network, full administration privileges

• Even where an OS has no inherent flaws, the network administrator must set suitable permissions in order to protect the network.

Page 88: NCC Network Security Handout

Topic 6 – Vulnerability Assessment Network Security and Cryptography

V1.0 Visuals Handout – Page 5

Vulnerability Assessment Topic 6 - 6.13

Surfing the Internet

• The Internet is awash with viruses, spyware and other malware

- And, of course, a lot of very useful and high quality content!

• The web browsing policy of an organisation, plus its firewall etc., is vital in protecting the whole network

• Acceptable use policies and staff training form a vital part of the protection

Vulnerability Assessment Topic 6 - 6.14

Software Bugs

• New software may contain security flaws that can be exploited by a hacker

• This is not a malicious act, but the complexity and amount of code in modern software applications make this inevitable

• Updates and regular patches are issued by software providers to fix these vulnerabilities as they are discovered

- One of the many reasons for using genuine software

Vulnerability Assessment Topic 6 - 6.15

User Input

• Programs that allow user input must check that input to prevent malicious code inclusion

• Common attacks on systems are:

- SQL Injection attacks

- Buffer Overflow attacks

- (See Private Study Exercises for more on these)

• Human error is the biggest threat to security:

- May be malicious or not

- Includes designers, programmers and users
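To make the slide's "must check that input" concrete for the SQL Injection case it names, here is an added Python example (written for this handout, not taken from the slides or the Private Study Exercises). It builds a small in-memory SQLite table that is constructed for the example, shows the flawed lookup that splices user input into the SQL text, and then the two defences: a parameterised query and an allow-list check on the input's shape. The table contents, the username pattern and the function names are all assumptions of the example.

```python
import re
import sqlite3

# Assumed allow-list for usernames: starts with a letter, then letters/digits/underscore.
USERNAME_PATTERN = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> list:
    """The 'before': user input is pasted into the statement text, so a quote
    character in the input becomes part of the SQL (the injection weakness)."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, username: str) -> list:
    """The fix: a parameterised query. The input travels to the database as a
    value, never as part of the statement, so quotes in it have no SQL meaning."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_valid_username(username: str) -> bool:
    """Allow-list validation: reject anything outside the expected shape."""
    return USERNAME_PATTERN.match(username) is not None


def validated_lookup(conn: sqlite3.Connection, username: str) -> list:
    """Defence in depth: validate the input's shape first, then still use the
    parameterised query rather than trusting validation alone."""
    if not is_valid_username(username):
        raise ValueError("username contains characters outside the allowed set")
    return safe_lookup(conn, username)


if __name__ == "__main__":
    conn = build_demo_db()
    hostile = "' OR '1'='1"   # constructed input: the quote closes the string literal early
    print("vulnerable   :", vulnerable_lookup(conn, hostile))  # every row comes back
    print("parameterised:", safe_lookup(conn, hostile))        # no user has that name
    print("valid shape? :", is_valid_username(hostile))        # False: rejected before the query
```

The point of keeping both defences is that validation rules drift (a field later allowed to contain apostrophes, say) while parameterisation holds regardless of the input's content.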

Page 89: NCC Network Security Handout

Topic 6 – Vulnerability Assessment Network Security and Cryptography

V1.0 Visuals Handout – Page 6

Vulnerability Assessment Topic 6 - 6.16

Repeating Mistakes

• It is important to learn from past mistakes

• Modern programming code reuses old programming libraries

• Must ensure that any vulnerabilities that have been discovered are removed

• The Open Web Application Security Project (OWASP) publishes known vulnerabilities to help system designers and programmers avoid repeating past mistakes

Vulnerability Assessment Topic 6 - 6.17

Prevention

• Vulnerabilities have been found in every operating system

- Hence the updates and patches that appear and should be installed

• The best prevention is sound security practices:

- System maintenance

- Firewalls and anti-virus

- Staff training

- Access controls

- Audits

Vulnerability Assessment Topic 6 - 6.18

Testing Your Own Security

• Software is available to test your own network for security vulnerabilities

• In some instances it will remove the vulnerability

- The vulnerability scanner will be covered in more detail in the next lecture

• No matter how good the software is, it is still important to have trained staff who follow sound security practices and report any potential threats

Page 90: NCC Network Security Handout

Topic 6 – Vulnerability Assessment Network Security and Cryptography

V1.0 Visuals Handout – Page 7

Network Security and Cryptography

Topic 6 – Lecture 2:

Managing Vulnerability, Port Scanners & Password Cracking

Vulnerability Assessment Topic 6 - 6.20

Vulnerability Management

• All networks will contain vulnerabilities

• Therefore managing these vulnerabilities and the risks associated with them is a key task of network management

• Managing vulnerability includes:

- Prioritising vulnerabilities

- Fixing vulnerabilities

- Reducing the effects of potential breaches

- Monitoring for new/unknown vulnerabilities

Vulnerability Assessment Topic 6 - 6.21

Known and Unknown

• Known vulnerabilities in software, operating systems and networks are well documented

• Tools (vulnerability scanners) are available to test for known vulnerabilities (penetration testing)

• Networks will also have unknown vulnerabilities that have not yet been discovered

• The implementation of sound security policies and the use of best practice is the best defence

Page 91: NCC Network Security Handout

Topic 6 – Vulnerability Assessment Network Security and Cryptography

V1.0 Visuals Handout – Page 8

Vulnerability Assessment Topic 6 - 6.22

Penetration Testing

• A penetration test mimics the actions of a malicious attack on a network

• The aim is to discover the vulnerabilities that exist and that could be discovered by an attacker

• Provides information on:

- Threats to the system

- Strength of defensive measures in place

- Possible effects of successful attacks

- Areas of security requiring upgrade and investment

Vulnerability Assessment Topic 6 - 6.23

Vulnerability Scanner

• A vulnerability scanner can be used in a penetration test

• It is software that tests a system or network for weaknesses

• Different types are available

• Each type focuses on a particular area of potential weakness

• Can only discover known vulnerabilities

Vulnerability Assessment Topic 6 - 6.24

Vulnerability Scanners

• Types are available for scanning:

- Ports

- Networks

- Databases

- Web applications

- Individual computers

• We will take a closer look at Port Scanners

Page 92: NCC Network Security Handout

Topic 6 – Vulnerability Assessment Network Security and Cryptography

V1.0 Visuals Handout – Page 9

Vulnerability Assessment Topic 6 - 6.25

Port Scanners

• Software that probes for open ports

• Used by network administrators to test the network

• Used by attackers to look for vulnerabilities

• The TCP/IP protocol suite has services being supplied by a host through a port

• There are 65536 different port numbers available

• Most services use only a very limited number of ports

Vulnerability Assessment Topic 6 - 6.26

Port Status

• A port scan will generally give one of three results:

- Open – there is a service using the port and the host has replied with a message that it is listening for communications on this port

- Filtered – no reply is received, meaning that there is some filtering occurring on this port, typically via a firewall

- Closed – a reply is received stating that communication is denied on this port

Vulnerability Assessment Topic 6 - 6.27

Port Scan Types

• There are several types of scan, including:

- TCP connect scan

- TCP SYN scan

- TCP FIN scan

- TCP Xmas Tree scan

- TCP Null scan

- TCP ACK scan

- TCP Windows scan

- TCP RPC scan

- UDP scan

Page 93: NCC Network Security Handout

Topic 6 – Vulnerability Assessment Network Security and Cryptography

V1.0 Visuals Handout – Page 10

Vulnerability Assessment Topic 6 - 6.28

TCP Connect Scan

• Connects to the target port and performs the TCP three-way handshake

- Sends a synchronise (SYN) packet to host

- Host returns a synchronise acknowledgement (SYN/ACK)

- Sends an acknowledgement (ACK) to host

- SYN and ACK are indicated by a bit in the TCP header

• This scan is easily detected by the target system
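The connect scan is the one an administrator can reproduce with nothing more than the operating system's socket API, because it is simply a normal connection attempt. The following Python is an added example for this handout (not code from the slides) showing how the outcome of that attempt maps onto the three port states of slide 6.26: a completed handshake means open, a refused connection (the host's RST) means closed, and a timeout with no reply at all is reported as filtered. It targets only a listener it creates itself on the loopback interface, which is constructed for the example; the function and constant names are assumptions.

```python
import errno
import socket
from typing import Optional

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def classify_connect_outcome(exc: Optional[BaseException]) -> str:
    """Map what connect() reported onto the three port states from slide 6.26.
    exc is None when the three-way handshake (SYN, SYN/ACK, ACK) completed."""
    if exc is None:
        return OPEN                     # host answered SYN/ACK; handshake completed
    if isinstance(exc, socket.timeout):
        return FILTERED                 # neither SYN/ACK nor RST came back: SYN was dropped
    if isinstance(exc, OSError) and exc.errno == errno.ECONNREFUSED:
        return CLOSED                   # host answered with RST: nothing is listening
    return FILTERED                     # unreachable host/network, ICMP prohibited, etc.


def probe_tcp_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Connect-scan a single port: a full handshake followed by an orderly close.
    Because the handshake completes, the attempt reaches the listening service
    and appears in its logs and in connection accounting, which is why the
    slide calls this scan easily detected."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass                        # handshake done; the context manager closes the socket
    except socket.gaierror:
        raise                           # a name-resolution failure is not a port state
    except OSError as exc:
        return classify_connect_outcome(exc)
    return OPEN


def start_loopback_listener() -> tuple:
    """Constructed target for trying the probe offline: a listening socket on
    127.0.0.1 with an OS-assigned port. Closing it turns the port 'closed'."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    return listener, listener.getsockname()[1]


if __name__ == "__main__":
    listener, port = start_loopback_listener()
    print(f"127.0.0.1:{port} while listening -> {probe_tcp_port('127.0.0.1', port)}")
    listener.close()
    print(f"127.0.0.1:{port} after closing  -> {probe_tcp_port('127.0.0.1', port)}")
```

Note the asymmetry the slide's definitions imply: open and closed are positive signals from the host, whereas filtered is only the absence of a reply within the timeout, so a slow or congested path produces the same verdict as a firewall.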

Vulnerability Assessment Topic 6 - 6.29

TCP Three-Way Handshake

(Diagram: the Scanner sends SYN to the System port; the System port replies SYN/ACK; the Scanner completes the handshake with ACK)

Vulnerability Assessment Topic 6 - 6.30

TCP SYN Scan

• A full TCP connection is not made

• Also known as half-open scanning

- SYN packet sent to host port

- Either SYN/ACK or RST/ACK (reset/acknowledgement) received

- This tells the scanner whether it is open or closed

- RST/ACK sent to port so full connection is never made

• May not be detected by host

Page 94: NCC Network Security Handout

Topic 6 – Vulnerability Assessment Network Security and Cryptography

V1.0 Visuals Handout – Page 11

Vulnerability Assessment Topic 6 - 6.31

TCP FIN scan

• A FIN packet is sent to the port

• This means no more data from sender

• The targeted host should send back a reset (RST) packet for all closed ports

• Usually only works on Unix based hosts

Vulnerability Assessment Topic 6 - 6.32

TCP Xmas Tree and Null scans

• Xmas Tree sends FIN, URG and PSH packets to the target port

- Finished, urgent and push buffered data to receiving application

• The target system should send RST for all closed ports

• Null turns off all flags in the packet to the target system

• This should return RST for all closed ports

Vulnerability Assessment Topic 6 - 6.33

TCP ACK Scan

• Used to map the rulesets associated with firewalls

• By sending an ACK packet the aim is to determine the type of firewall.

• A simple packet filter firewall will only allow established connections (with the ACK bit set)

• More complex stateful firewalls use more complex rules with advanced packet filtering

(We look at firewalls in more detail later in the course)

Page 95: NCC Network Security Handout

Topic 6 – Vulnerability Assessment Network Security and Cryptography

V1.0 Visuals Handout – Page 12

Vulnerability Assessment Topic 6 - 6.34

TCP Windows & RPC Scans

• TCP Windows scan may be able to detect open ports on some operating systems

• This is due to an anomaly in the way TCP window size is reported

• TCP RPC scans detect remote procedure call (RPC) ports on Unix systems

• They can also detect associated programs and version numbers

Vulnerability Assessment Topic 6 - 6.35

UDP Scans

• Sends a UDP packet to the target port

• If it receives an "ICMP port unreachable" message the port is closed

• If the message is not received it may be assumed that the port is open

• UDP scans are slow

• Results are unreliable as no message may be received for other reasons

Vulnerability Assessment Topic 6 - 6.36

Password Cracking

• Cracking a password can enable an attacker to gain access to:

- A network

- A computer

- Individual files

• Does not necessarily require intelligent techniques

- May involve reading the note the user has kept, sometimes stuck on the monitor!

Page 96: NCC Network Security Handout

Topic 6 – Vulnerability Assessment Network Security and Cryptography

V1.0 Visuals Handout – Page 13

Vulnerability Assessment Topic 6 - 6.37

Dictionary Attack

• A simple and fast way to crack a password

• A text file contains a set of dictionary words (the dictionary file)

• This is loaded into the software package

• It runs against user accounts in the application the hacker is attacking

• Most passwords are simple and easy to crack

Vulnerability Assessment Topic 6 - 6.38

Brute Force Attack

• May take a long time to work

- Depends upon password complexity

• All possible combinations of characters are used until the correct combination is found

• Software packages do the work for you, but it can still take weeks to crack a password this way

• Best defence is to use cryptographic methods allied to strong passwords

Vulnerability Assessment Topic 6 - 6.39

Password Cracking Software

• Many packages available; popular ones are:

- Cain and Abel

- John the Ripper

- Hydra

- ElcomSoft

- Lastbit

Page 97: NCC Network Security Handout

Topic 6 – Vulnerability Assessment Network Security and Cryptography

V1.0 Visuals Handout – Page 14

Vulnerability Assessment Topic 6 - 6.40

References

• Scambray, J., McClure, S. and Kurtz, J. (2001). Hacking Exposed: Network Security Secrets & Solutions. 2nd Edition. McGraw Hill.

• The Open Web Application Security Project (OWASP) website: https://www.owasp.org/index.php/Main_Page

Vulnerability Assessment Topic 6 - 6.41

Topic 6 – Vulnerability Assessment


Any Questions?

Page 98: NCC Network Security Handout

Topic 7 – Authentication Network Security and Cryptography

V1.0 Visuals Handout – Page 1

Network Security and Cryptography

Topic 7:

Authentication

Network Security and Cryptography

Topic 7 – Lecture 1:

An Overview of Authentication and Passwords

Authentication Topic 7 - 7.3

Scope and Coverage

This topic will cover:

• Overview of Authentication

• Passwords

• Multi-factor Authentication

• Biometrics

Page 99: NCC Network Security Handout

Topic 7 – Authentication Network Security and Cryptography

V1.0 Visuals Handout – Page 2

Authentication Topic 7 - 7.4

Learning Outcomes

By the end of this unit students will be able to:

• Explain the different authentication mechanisms;

• Describe multifactor authentication;

• Describe biometrics and their issues.

Authentication Topic 7 - 7.5

Authentication Overview

• We are taking a network-based view of user authentication

• User authentication is the first line of defence of a network

• It aims to prevent unauthorised access to a network

• It is the basis of setting access controls

• It is used to provide user accountability

Authentication Topic 7 - 7.6

Verifying User Identity

• User authentication has two steps:

- Identification – presenting the user to the security system

- Verification – providing information that binds the entity to the identity

• Identification is the means by which a user claims to be a specific identity

• Verification is the method used to prove that claim

Page 100: NCC Network Security Handout

Topic 7 – Authentication Network Security and Cryptography

V1.0 Visuals Handout – Page 3

Authentication Topic 7 - 7.7

Means of Authentication

• Something the individual knows

- E.g. password, PIN

• Something the individual possesses (tokens)

- E.g. cryptographic key, smartcard

• Something the individual is

- E.g. fingerprint, retina

• Something the individual does

- E.g. handwriting pattern, speech pattern

Authentication Topic 7 - 7.8

Authentication Problems

• Guess or steal passwords, PIN, etc.

• Forget passwords, PIN

• Steal or forge smartcards

• Lose smartcard

• False positives in biometrics

• False negatives in biometrics

• The most common method of network authentication uses passwords and cryptographic keys

Authentication Topic 7 - 7.9

Smartcards

• Tamper-resistant devices

• Have a small amount of memory

• Have a small processor

- Simple computations, e.g. encryption/decryption, digital signatures

• Difficult to duplicate

• Easily transferable

• Can be used with PIN/password

Page 101: NCC Network Security Handout

Topic 7 – Authentication Network Security and Cryptography

V1.0 Visuals Handout – Page 4

Authentication Topic 7 - 7.10

Smartcard Examples

• Bank/ATM cards

• Credit cards

• Travel cards

• Pass cards for a workplace

Authentication Topic 7 - 7.11

Passwords

• Most common means of authentication

• Require no special hardware

• Typical authentication by password:

1. User supplies a username and password

2. System looks up the username in the relevant database table

3. Checks that the username, password pair exists

4. Provides system access to the user

Authentication Topic 7 - 7.12

Password Strength

• Users tend to pick weak passwords if allowed

• Easy to crack via dictionary attack

• Users can be forced to create more complex passwords

• System can supply users with a strong password

• Many users will write down a stronger password, and this can be a greater security risk than a weak password

Page 102: NCC Network Security Handout

Topic 7 – Authentication Network Security and Cryptography

V1.0 Visuals Handout – Page 5

Authentication Topic 7 - 7.13

Attacks on Password Security

• Eavesdropping may allow an attacker to "listen" in and gain password information

- Encrypting messages will prevent this

• A direct attack on the database storing passwords can be used to discover or change passwords

• Sessions can be hijacked: the attacker disconnects the user but remains connected themselves

• Never use the same password for different applications

Authentication Topic 7 - 7.14

Losing Passwords

• Not uncommon for a user to lose or forget a password

• Can be dealt with by regularly changing passwords

• Password generators can be used to change passwords

- Automatically generate new passwords based upon a master secret

Authentication Topic 7 - 7.15

Challenge - Response

• Systems are used that request specific characters in a password rather than the whole password.

• Commonly used in online banking

• Example

- The password is "MyPassword"

- The system asks for the 2nd, 3rd and 8th characters

- The user enters "y", "P" and "o"

• The idea is that it would take an eavesdropper many sessions to determine the whole password
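The partial-password exchange on this slide is small enough to implement end to end, so here is an added Python example (written for this handout, not from the slides) that does both sides: the server choosing which positions to ask for and checking the answer in constant time, and a defender's-eye accounting of how many positions an eavesdropper has collected after a number of observed sessions, including a seeded simulation of how many sessions it takes until every position has been seen once. The password "MyPassword" and positions 2, 3 and 8 come from the slide; the function names, the three-characters-per-challenge default and the simulation seed are assumptions.

```python
import hmac
import random
import secrets


def choose_positions(password_length: int, count: int = 3) -> list:
    """Server side of the challenge: pick `count` distinct 1-based positions
    (the slide's 2nd, 3rd and 8th) with a cryptographically seeded generator,
    so an observer cannot predict which positions will be asked for next."""
    rng = secrets.SystemRandom()
    return sorted(rng.sample(range(1, password_length + 1), count))


def expected_response(password: str, positions: list) -> str:
    """The characters at the requested (1-based) positions, e.g. 'yPo'."""
    return "".join(password[p - 1] for p in positions)


def verify_response(password: str, positions: list, supplied: str) -> bool:
    """Compare in constant time so response timing does not reveal which
    character was wrong."""
    return hmac.compare_digest(expected_response(password, positions).encode(),
                               supplied.encode())


def positions_seen(sessions: list) -> set:
    """Defender's-eye view: the set of positions an eavesdropper who captured
    these sessions (each a list of positions) now knows the characters for."""
    seen = set()
    for positions in sessions:
        seen.update(positions)
    return seen


def sessions_to_full_recovery(password_length: int, count: int = 3, seed: int = 1) -> int:
    """Simulate how many observed sessions pass before every position has been
    asked for at least once. Seeded (an assumption) so the figure is reproducible."""
    rng = random.Random(seed)
    seen, sessions = set(), 0
    while len(seen) < password_length:
        seen.update(rng.sample(range(1, password_length + 1), count))
        sessions += 1
    return sessions


if __name__ == "__main__":
    password = "MyPassword"
    print("challenge positions:", choose_positions(len(password)))
    print("slide example accepted:", verify_response(password, [2, 3, 8], "yPo"))
    print("after two sessions eavesdropper knows positions:",
          sorted(positions_seen([[2, 3, 8], [1, 2, 5]])))
    print("sessions until all 10 positions observed (seeded run):",
          sessions_to_full_recovery(len(password)))
```

One consequence worth keeping in mind when comparing this with the hashing slides that follow: to check three individual characters the server must be able to recover those characters, so the password cannot be held as a single one-way hash of the whole string. That trade-off is the price of limiting what a single eavesdropped session reveals.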

Page 103: NCC Network Security Handout

Topic 7 – Authentication Network Security and Cryptography

V1.0 Visuals Handout – Page 6

Authentication Topic 7 - 7.16

Hash Functions

• A database of plaintext passwords makes stealing all passwords more likely

- Sony!!

• A level of protection is supplied by using a one-way hashing function on the passwords

- Public function

- Easy to compute

- Hard to invert

• All passwords stored in the database are encrypted

Authentication Topic 7 - 7.17

Hashing Passwords

• MD5 and SHA-1 are commonly used hashing algorithms

• User sends a username, password pair to the system

• The system hashes the password

• The database stores a username, h(password) pair

- h(password) is the result of applying the hashing function to the password

Authentication Topic 7 - 7.18

Cracking Hashed Passwords

• Hashing works on the principle that it would take a very long time to crack the hashed password via trial and error

• If users use short and simple passwords this is not the case

• Strong passwords are still required for the hashing function to provide a good level of security
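The three slides above describe storing h(password) with a public hash and then note that short, simple passwords defeat it. The following Python is an added example for this handout (not code from the slides) that shows why, and what a practitioner does about it: it stores h(password) exactly as slide 7.17 describes (a single unsalted SHA-1), shows that a table precomputed once from a dictionary file answers any stolen h(password) for a word in that file by a simple lookup, and then stores the same password with a random per-user salt and an iterated derivation (PBKDF2-HMAC-SHA256 from the standard library), which no precomputed table can cover. The word list is constructed for the example, and the iteration count and storage format are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed word list standing in for a dictionary file.
WORD_LIST = ["123", "password", "liverpool", "letmein", "qwerty", "dragon"]


def naive_hash(password: str) -> str:
    """h(password) as slide 7.17 describes it: one unsalted SHA-1 of the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """Because h() is public and has no per-user salt, a word list can be hashed
    once and reused against every stolen database: every h(password) that
    corresponds to a word in the list is answered by a single lookup. This is
    the shortcut that makes the slide's 'short and simple' passwords fall."""
    return {naive_hash(w): w for w in words}


def lookup(table: dict, stored_hash: str) -> Optional[str]:
    """Return the word whose unsalted hash matches, or None if it is not in the table."""
    return table.get(stored_hash)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Salted, iterated hashing. The random salt makes a precomputed table useless
    (each user's hash would need its own table) and the iteration count makes each
    guess cost `iterations` hashes instead of one. Format is an assumption."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    table = build_lookup_table(WORD_LIST)
    stolen = naive_hash("liverpool")              # what slide 7.17's database would hold
    print("unsalted SHA-1 recovered by lookup:", lookup(table, stolen))
    record = hash_password("liverpool")
    print("salted record:", record)
    print("same password, fresh salt, different record:",
          hash_password("liverpool") != record)
    print("verify correct / wrong:", verify_password("liverpool", record),
          verify_password("Liverpool", record))
```

Salting and iteration raise the attacker's cost per guess; they do not remove the need for the strong passwords the slide insists on, since a weak password is still found after a small number of (now slower) guesses.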

Page 104: NCC Network Security Handout

Topic 7 – Authentication Network Security and Cryptography

V1.0 Visuals Handout – Page 7

Network Security and Cryptography

Topic 7 – Lecture 2:

Multifactor Authentication and Biometrics

Authentication Topic 7 - 7.20

Multi-Factor Authentication

• An identity is verified and authenticated using more than one verification method

• User/password authentication is single factor authentication

- Only one verification method, the password

• A stronger form of identity verification

• Used for applications where security is more important

- E.g. bank ATM – card and PIN

Authentication Topic 7 - 7.21

Multi-Factor Systems

• This does not mean using two or three different passwords but two or three different methods

• ATM – Two-factor authentication

- Something you possess – bank card

- Something you know – PIN

• Three-factor systems exist for financial transactions via mobile phone

- Something you possess – mobile phone

- Something you know – PIN

- Something you do – voice recognition

Page 105: NCC Network Security Handout

Topic 7 – Authentication Network Security and Cryptography

V1.0 Visuals Handout – Page 8

Authentication Topic 7 - 7.22

Disadvantages

• Cost

- Cost of supplying smartcards, USB tokens, etc.

- Cost of hardware/software to read the tokens

• Inconvenience

- Users may not like the inconvenience of having to carry around a token

• A balance has to be made between the cost and inconvenience of security and the sensitivity of the data and transactions being protected

Authentication Topic 7 - 7.23

Increased Security - Probability

• Combining two or more verification methods greatly decreases the probability of randomly producing the correct verification information

• Voiceprint

- There is around a 1 in 10000 chance of matching

• PIN

- There is a 1 in 10000 chance of guessing a PIN

• Combined

- There is a 1 in 100,000,000 chance of matching both

Authentication Topic 7 - 7.24

Biometrics

• Automated methods used to recognise the unique characteristics of humans

• Uses one or more traits:

- Physical traits (static biometrics)

- Behavioural traits (dynamic biometrics)

• Biometric authentication aims to provide a non-transferable authentication method

- Someone else could use your ATM card

- Can someone else use your finger?

Page 106: NCC Network Security Handout

Topic 7 – Authentication Network Security and Cryptography

V1.0 Visuals Handout – Page 9

Authentication Topic 7 - 7.25

Biometric Types

• Physical characteristics:

- Fingerprints

- Retinas

- Irises

- Facial patterns

- Hand measurements

• Behavioural characteristics:

- Signature

- Typing patterns

- Voice recognition

Authentication Topic 7 - 7.26

Registering Biometric Data

• User registers with the biometric system

• Measurements of biometric data are taken

• Can take several measurements of biometric data if required

• Algorithm is applied to the measurement to obtain a template

• Template is stored in a database

Authentication Topic 7 - 7.27

Authenticating Biometric Data

• User identifies themself to the system (e.g. username)

• Biometric data measurement of the user is taken

• Again processed into a digital template

• This template is compared to the template in the database

• See if there is a match

• Matching process is approximate

• If biometric data matches the stored template the user is authenticated

Page 107: NCC Network Security Handout

Topic 7 – Authentication Network Security and Cryptography

V1.0 Visuals Handout – Page 10

Authentication Topic 7 - 7.28

Matching Biometric Data

• Not an exact science

- No two measurements of biometric data will match exactly

• Multiple measurements are taken when a user first enrols in the system

• A match against the stored template counts as a success

• Tolerances are built into the algorithm that matches the templates

Authentication Topic 7 - 7.29

Fingerprints

• Fingertips have ridges and valleys that are unique to that fingertip

- Used by police for a long time

• Most common biometric method

• Available for laptops and PCs

• Access to systems provided via touch technology

Authentication Topic 7 - 7.30

Face Recognition

• Capture facial image in the visible spectrum

- Use a standard camera

- Use central portion of face

- Extract features that remain constant over time

- Avoid changing features, e.g. hair

• An alternative version captures an infra-red image of the heat emitted by a face

• Most users accept use of such systems

• Problems caused by lighting, masks, etc.

Page 108: NCC Network Security Handout

Topic 7 – Authentication Network Security and Cryptography

V1.0 Visuals Handout – Page 11

Authentication Topic 7 - 7.31

Speech Recognition

• Some features of speech differ between individuals

• The patterns produced reflect the anatomy of the speaker

• These patterns also reflect the patterns of speech learned as a result of:

- Location

- Peers

- Language

Authentication Topic 7 - 7.32

Iris Recognition

• Iris is the coloured area around the pupil

• Iris patterns are thought to be unique

• Video systems are used to capture an image of the iris

• Becoming economically viable as equipment prices have lowered

• Works with glasses and contact lenses

Authentication Topic 7 - 7.33

Hand Geometry

• Can utilise measures of fingers or whole hands

- Length

- Width

- Thickness

- Surface area

• Used for access control in commercial and residential premises

Page 109: NCC Network Security Handout

Topic 7 – Authentication Network Security and Cryptography

V1.0 Visuals Handout – Page 12

Authentication Topic 7 - 7.34

Written Signatures

• Uses measurement of the way the signature is written, not just the final signature

• Can measure a range of parameters:

- Speed

- Pressure

- Angle of writing

• Used in business applications where a signature is commonly used to identify a user

Authentication Topic 7 - 7.35

Typing Patterns• Similar to the recognition of written signatures

• Uses a standard keyboard

• Recognises the password that is typed

© NCC Education LimitedV1.0

• Recognises the password that is typed

• Recognises the way the password is typed:- Intervals between characters

- Speed of typing

Authentication Topic 7 - 7.36

Errors in Biometric Systems• Has a false accept rate (FAR): measures the rate

at which an invalid user is accepted by the system

• Has a false rejection rate (FRR): measures the rate at which a valid user is rejected by the system

© NCC Education LimitedV1.0

rate at which a valid user is rejected by the system

• In many systems it is possible to adjust both rates by changing some variables

• In modern systems both rates are low
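The trade-off behind the two rates on this slide, as an added worked example that is not part of the NCC handout: a matcher accepts a presentation when its similarity score reaches a threshold, so raising the threshold lowers FAR and raises FRR, and lowering it does the reverse. The scores below are constructed for a hypothetical matcher; the functions, the 0..100 score scale and the "equal error" threshold search are this example's own assumptions, not something the slide specifies.

```python
# Added example (not from the NCC handout): measuring the false accept rate (FAR)
# and false reject rate (FRR) of a biometric matcher at a decision threshold, and
# showing how moving that threshold trades one rate against the other.
from dataclasses import dataclass

# Constructed sample data (hypothetical matcher, similarity scores 0..100).
# GENUINE: the enrolled user presents their own biometric.
# IMPOSTOR: a different person is compared against that user's template.
GENUINE_SCORES = [92, 88, 95, 69, 84, 90, 73, 97, 86, 81]
IMPOSTOR_SCORES = [35, 48, 52, 61, 44, 57, 76, 39, 71, 50]


@dataclass(frozen=True)
class ErrorRates:
    threshold: int
    far: float  # fraction of impostor attempts wrongly accepted
    frr: float  # fraction of genuine attempts wrongly rejected


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Accept a presentation when score >= threshold; report FAR and FRR."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return ErrorRates(threshold,
                      false_accepts / len(impostor),
                      false_rejects / len(genuine))


def sweep(thresholds, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """FAR/FRR at each candidate threshold: the tuning knob the slide mentions."""
    return [error_rates(t, genuine, impostor) for t in thresholds]


def equal_error_threshold(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Threshold where FAR and FRR are closest (the equal error rate point)."""
    return min(range(101),
               key=lambda t: abs(error_rates(t, genuine, impostor).far
                                 - error_rates(t, genuine, impostor).frr))


def lowest_threshold_for_far(max_far, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Lowest threshold whose FAR is within a ceiling. A lower threshold rejects
    fewer genuine users, so this is the FRR-friendliest setting meeting the FAR goal."""
    for t in range(101):
        rates = error_rates(t, genuine, impostor)
        if rates.far <= max_far:
            return rates
    return None


if __name__ == "__main__":
    for r in sweep([60, 70, 75, 80]):
        print(f"threshold {r.threshold}: FAR={r.far:.2f} FRR={r.frr:.2f}")
    print("equal error threshold:", equal_error_threshold())
    print("strictest FAR=0 setting:", lowest_threshold_for_far(0.0))
```

With these constructed scores no threshold drives both rates to zero: the setting that eliminates false accepts still rejects two of the ten genuine attempts, which is the kind of operational trade-off the slide's "adjust both rates by changing some variables" refers to.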


Authentication Topic 7 - 7.37

Concerns with Biometric Systems

• Privacy

- All transactions in different systems are linked to a real identity

- For passwords etc. different identities can be presented to different systems

• Injury

- Hygiene concerns about equipment

- Criminals chopping off fingers to use!!

• Exclusion

- An amputee may have no fingers

Authentication Topic 7 - 7.38

The Market Leader

• Fingerprint authentication is widely used

• Laptops and computer peripherals come with built-in fingerprint readers

• They are relatively inexpensive

• Allow user to authenticate by putting finger on the reader

• May be used with a password or PIN for two-factor authentication

Authentication Topic 7 - 7.39

References

• Stallings, W. (2010). Cryptography and Network Security: Principles and Practice. Pearson Education.

• Scambray, J., McClure, S. and Kurtz, J. (2001). Hacking Exposed: Network Security Secrets & Solutions, 2nd Edition. McGraw Hill.


Authentication Topic 7 - 7.40

Topic 7 – Authentication

Any Questions?


Network Security and Cryptography

Topic 8: Access Control

Network Security and Cryptography

Topic 8 – Lecture 1: Packet Filters & Access Control Lists

Access Control Topic 8 - 8.3

Scope and Coverage

This topic will cover:

• Packet filtering

• Access control lists

• NAT

• IDS


Access Control Topic 8 - 8.4

Learning Outcomes

By the end of this topic students will be able to:

• Configure access control mechanisms

• Apply and manage port forwarding rules

Access Control Topic 8 - 8.5

Access Control

• Network traffic is in the form of IP/TCP/UDP packets

• The headers of these packets contain information as to the source and destination of the packets

• Routing devices use the source and destination addresses to route traffic through the network

• These addresses can be used to create access control rules

• We will examine methods for determining if traffic is allowed on a network or section of a network

Access Control Topic 8 - 8.6

Packet Filtering

• Routing devices examine a packet's destination address and decide where to send it

• Packet filtering adds an extra layer to this process

• First the destination address is examined

• If the router determines that it should process the packet it then applies a set of rules to determine what happens to it

• Can apply these rules to both incoming and outgoing packets


Access Control Topic 8 - 8.7

Filtering Rules

• Implement security policies as services that are allowed or disallowed

• Examples:

- Packets for particular machines can be blocked

- Specific types of packets can be blocked

- Packets going out of your network can be blocked

• Packet filtering rules can be very general or can be applied to specific machines or ports

Access Control Topic 8 - 8.8

Use of Packet Filtering

• Commonly used to protect a network from attack from machines outside of the network

• Most routing devices have packet filtering capabilities

• An inexpensive option as no extra equipment is required

• Very powerful tool

• Does not provide full protection

Access Control Topic 8 - 8.9

Packet Filtering Possibilities

• Can be applied to:

a. Machines

b. Ports

c. Combinations of machines and ports

• Examples:

a. Block all traffic to machine A

b. Block all traffic to port 80 (http)

c. Block all traffic to port 80 except on machine A


Access Control Topic 8 - 8.10

Stateless Filtering - 1

• Simple rules

• Easy to implement

• Not flexible

• For example:

- If all traffic to port 80 is blocked a static filter will block all http traffic

- It cannot be set to block all traffic to port 80 except that from http://campus.nccedu.com in a single rule

Access Control Topic 8 - 8.11

Stateless Filtering - 2

• Filtering process is “dumb”

- Applies a set of static rules to every packet

- Does not store any results from previous packets

- No intelligence or learning built into the filtering system

• The set of rules is an Access Control List (ACL)

- Rules are checked in a specific order

- The first matching rule found is applied to the packet

- If there are no matching rules the packet is blocked

Access Control Topic 8 - 8.12

Stateful Filtering

• Also known as Dynamic Packet Filtering

• Uses a state table that stores details of legitimate traffic requests:

- IP addresses

- Ports

- Handshake status

- Route/Time

• Compares packets with previous valid traffic

• Allows traffic based upon connections


Access Control Topic 8 - 8.13

Configuring Static Packet Filters

• There are three main steps to correctly configuring static packet filters

1. Decide what traffic to permit and what traffic to block

- Determined by nature of business and assessment of security risks

2. Define this as a set of rules that includes IP addresses and port numbers

3. Translate these rules into a language that the router or other device understands

- May be vendor specific so we do not cover this

Access Control Topic 8 - 8.14

What is Permitted?

• This is done at a conceptual level

- Is Internet access allowed?

- Can individual machines accept email from the Internet, or will it all come through a central mail server?

- Are all messages from a specific location blocked?

• A good general rule is to block all packets except those that have been specifically allowed

- Default is to block all packets not processed by the rule list

Access Control Topic 8 - 8.15

Access Control Lists - 1

• A simple tabular template should be used that has one rule for each line of the table

• The following columns should be included:

- Source IP address

- Source port

- Destination IP address

- Destination port

- Action (block/allow)

- Comments (allow a brief text explanation)

• Protocol can be included in this


Access Control Topic 8 - 8.16

Access Control Lists - 2

• The order of the rules is important

• The first rule that matches the packet being inspected will be implemented

• All remaining rules will be ignored

Access Control Topic 8 - 8.17

Access Control Lists - 3

• What happens when 81.109.47.141 sends an email message to 192.37.22.01?

• What happens if 81.109.47.142 sends an email message to 192.37.22.01?

• What happens if 81.109.47.142 sends a telnet message to 192.37.22.01?

• What if the rule order is swapped?
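The ACL template of slides 8.15 and 8.16 (one rule per row, first match wins, remaining rules ignored, default block from 8.14) worked through on the four questions above, as an added example that is not part of the NCC handout. The handout's own rule table was a figure and is not reproduced in the transcript, so the three rules below are constructed for illustration: email means TCP port 25 (SMTP) and telnet TCP port 23, which the slide does not state. The slide writes the mail server as 192.37.22.01; Python's `ipaddress` module rejects leading zeros, so the same host is written 192.37.22.1 in the code.

```python
# Added example (not from the NCC handout): a first-match access control list in
# the tabular form the slides describe (source/destination address and port,
# protocol, action, comment), with the handout's default of blocking anything
# that no rule matches. The rule table itself is constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = None  # wildcard for any column


@dataclass(frozen=True)
class Rule:
    src_ip: Optional[str]      # single address or CIDR network, or ANY
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    protocol: Optional[str]    # "tcp", "udp" or ANY
    action: str                # "allow" or "block"
    comment: str

    def matches(self, pkt):
        def ip_ok(pattern, addr):
            return pattern is ANY or ip_address(addr) in ip_network(pattern, strict=False)

        def field_ok(pattern, value):
            return pattern is ANY or pattern == value

        return (ip_ok(self.src_ip, pkt["src_ip"])
                and field_ok(self.src_port, pkt["src_port"])
                and ip_ok(self.dst_ip, pkt["dst_ip"])
                and field_ok(self.dst_port, pkt["dst_port"])
                and field_ok(self.protocol, pkt["protocol"]))


def evaluate(acl, pkt):
    """Return (action, comment) of the first matching rule; later rules are ignored.
    With no match the packet is blocked, the default the handout recommends."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "block", "implicit default: no rule matched"


def packet(src_ip, dst_ip, dst_port, protocol="tcp", src_port=40000):
    return {"src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip,
            "dst_port": dst_port, "protocol": protocol}


# Constructed rule table for the slide's questions. The slide writes the mail
# server as 192.37.22.01; the ipaddress module rejects leading zeros, so the
# same host is written 192.37.22.1 here.
MAIL_SERVER = "192.37.22.1"
ACL = [
    Rule("81.109.47.141", ANY, MAIL_SERVER, 25, "tcp", "allow", "partner relay may deliver mail (SMTP)"),
    Rule("81.109.47.0/24", ANY, MAIL_SERVER, ANY, ANY, "block", "rest of the partner's range is blocked"),
    Rule(ANY, ANY, MAIL_SERVER, 25, "tcp", "allow", "anyone else may deliver mail (SMTP)"),
]


def answer_slide_questions(acl=ACL):
    """The four scenarios from the slide, evaluated against the rule table and
    again with the first two rules swapped."""
    swapped = [acl[1], acl[0]] + acl[2:]
    return {
        ".141 sends email": evaluate(acl, packet("81.109.47.141", MAIL_SERVER, 25))[0],
        ".142 sends email": evaluate(acl, packet("81.109.47.142", MAIL_SERVER, 25))[0],
        ".142 sends telnet": evaluate(acl, packet("81.109.47.142", MAIL_SERVER, 23))[0],
        ".141 sends email, rules swapped": evaluate(swapped, packet("81.109.47.141", MAIL_SERVER, 25))[0],
    }


if __name__ == "__main__":
    for scenario, action in answer_slide_questions().items():
        print(f"{scenario}: {action}")
```

Swapping the first two rows turns the partner relay's permitted mail into a block, because the broader /24 block now matches first and the specific allow is never reached; this is why the slides stress that rule order matters.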

Network Security and Cryptography

Topic 8 – Lecture 2: NAT and IDS


Access Control Topic 8 - 8.19

Network Address Translation

• NAT provides a means to connect multiple computers to an IP network using only one IP address

• Three reasons this is useful:

- Shortage of IP addresses (under IPv4)

- Security

- Flexible network administration

Access Control Topic 8 - 8.20

The Number of IP Addresses

• A typical IP address is written as a dotted quad

- E.g. 81.109.47.141

• In IPv4 there is a theoretical limit on the number of available IP addresses

- 4 bytes = 2^32 = 4,294,967,296 possible addresses

• A method was required to create “extra” IP addresses or the Internet would reach capacity

• The main reason for the use of NAT originally was to create “extra” IP addresses

Access Control Topic 8 - 8.21

The IP Address

• An IP address has two parts:

- a network number

- a host number

• Computers on one physical network have the same network number

- Think street name in a postal address

• The rest of the IP address defines an individual computer

- Think house number in a postal address


Access Control Topic 8 - 8.22

IP Address Classes - 1

• The network size determines the class of IP address

• There is a network and host part in each IP address

• IP addresses come in 4 classes (A, B, C and D)

• Each class suits a different network size

Access Control Topic 8 - 8.23

IP Address Classes - 2

• Network addresses with first byte between 1 and 126 are class A with approx. 17 million hosts each

• Network addresses with first byte between 128 and 191 are class B with approx. 65000 hosts each

• Network addresses with first byte between 192 and 223 are class C with 256 hosts

• All other networks are class D, used for special functions, or class E which is reserved

Access Control Topic 8 - 8.24

Dynamically Assigning Addresses

• Internet Service Providers (ISPs) usually allocate a single address to a single customer

• This is assigned dynamically

- every time a client connects to the ISP a different address is provided

• Large companies can buy several addresses

• It is more economic for small businesses to use a single address


Access Control Topic 8 - 8.25

Connecting Multiple Computers

• In theory one IP address means only one computer can connect to the Internet

• By using a NAT gateway running on a single computer, multiple local computers can connect using the single IP address

• To the Internet this appears as a single computer

• End-to-end connections are not created and this can prevent some protocols from working

Access Control Topic 8 - 8.26

Dynamic NAT

• A small number of public IP addresses are dynamically assigned to a large number of private IP addresses

• Port Address Translation (PAT) is a variant of NAT:

- Allows one or more private networks to share a single public IP address

- Commonly used in small businesses

- Remaps both source and destination addresses and source and destination ports of packets

Access Control Topic 8 - 8.27

NAT and Security

• NAT only allows connections that come from inside the network

• Internal servers can allow connections from outside via inbound mapping

- Specific ports are mapped to specific internal addresses

- Makes services such as FTP or the Internet available but in a highly controlled way

• NATs use their own protocol stack, not that of the host machine

- Protects against some attacks


Access Control Topic 8 - 8.28

NAT and Network Administration

• Can aid network administration in several ways:

- May contain a dynamic host configuration protocol (DHCP) server

- Provide methods for restricting Internet access

- Have traffic logging capabilities

- Can divide a network into sub-networks

Access Control Topic 8 - 8.29

NAT Operation

• Changes the source address on every outgoing packet to the single public address

• Renumbers source ports to be unique

- Used to keep track of each client connection

• Has a port mapping table to record ports for each client computer

- Relates real local IP address and source port to translated port number, destination address and port

- Allows the process to be reversed for incoming packets so they are routed to the correct client

Access Control Topic 8 - 8.30

PAT Operation

• An example of how IP and port are changed
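The PAT worked example this slide refers to was a diagram that did not survive extraction, so here is one in code, as an added example that is not part of the NCC handout. It implements the port mapping table of slide 8.29 (local address and port related to a translated public port, destination address and port), the reverse lookup for return traffic, the static inbound mapping for an internal server from slide 8.27, and the drop of unsolicited inbound packets that "NAT only allows connections that come from inside" implies. Every address and port below is constructed, and the port allocation scheme starting at 40000 is this example's own choice.

```python
# Added example (not from the NCC handout): a minimal NAT/PAT gateway with the
# port mapping table slide 8.29 describes, plus the static inbound mapping of
# slide 8.27. All addresses and ports are constructed for the demonstration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


class NatGateway:
    def __init__(self, public_ip, first_port=40000, inbound_maps=None):
        self.public_ip = public_ip
        self.next_port = first_port
        # translated public port -> (local ip, local port, remote ip, remote port, protocol)
        self.table = {}
        # the reverse view: a client flow -> the public port it was given
        self._port_for_flow = {}
        # static inbound mappings for internal servers: (public port, protocol) -> (ip, port)
        self.inbound_maps = dict(inbound_maps or {})

    def _allocate_port(self):
        """Next unused public port, skipping ports reserved by static mappings."""
        while any(self.next_port == port for port, _proto in self.inbound_maps):
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt):
        """Rewrite the source to the single public address and a unique public port."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.protocol)
        if flow not in self._port_for_flow:           # new connection: add a table row
            port = self._allocate_port()
            self.table[port] = flow
            self._port_for_flow[flow] = port
        return Packet(self.public_ip, self._port_for_flow[flow],
                      pkt.dst_ip, pkt.dst_port, pkt.protocol)

    def inbound(self, pkt):
        """Reverse the translation for return traffic; None means the packet is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        row = self.table.get(pkt.dst_port)
        if row is not None:
            local_ip, local_port, remote_ip, remote_port, proto = row
            if (pkt.src_ip, pkt.src_port, pkt.protocol) == (remote_ip, remote_port, proto):
                return Packet(pkt.src_ip, pkt.src_port, local_ip, local_port, pkt.protocol)
            return None  # right port, wrong peer: not part of that client's connection
        static = self.inbound_maps.get((pkt.dst_port, pkt.protocol))
        if static is not None:                        # published internal server
            internal_ip, internal_port = static
            return Packet(pkt.src_ip, pkt.src_port, internal_ip, internal_port, pkt.protocol)
        return None  # unsolicited: NAT only admits connections that began inside


if __name__ == "__main__":
    gw = NatGateway("198.51.100.7", inbound_maps={(80, "tcp"): ("192.168.1.20", 8080)})
    # two clients that happen to pick the same source port: PAT renumbers them
    for client in ("192.168.1.10", "192.168.1.11"):
        out = gw.outbound(Packet(client, 51000, "203.0.113.5", 80))
        print(f"{client}:51000 -> {out.src_ip}:{out.src_port}")
    for port, row in gw.table.items():
        print(f"public port {port} -> local {row[0]}:{row[1]} (remote {row[2]}:{row[3]})")
    back = gw.inbound(Packet("203.0.113.5", 80, "198.51.100.7", 40001))
    print("return traffic delivered to", back.dst_ip, back.dst_port)
```

The two clients both use local source port 51000, which is exactly why the gateway must renumber: the public port is the only thing in the return packet that identifies which client the reply belongs to.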


Access Control Topic 8 - 8.31

Intrusion Detection Systems (IDS)

• Monitors network traffic for suspicious activity

• Alerts the network administrator if suspicious activity is discovered

• May also respond to suspicious traffic by:

- blocking the user from accessing the network

- blocking the IP address from accessing the network

• Different types that use different methods to detect suspicious activity

Access Control Topic 8 - 8.32

IDS Types

• Network based intrusion detection systems (NIDS)

• Host based intrusion detection systems (HIDS)

• IDS that look for signatures of known threats

• IDS that compare traffic patterns against a network baseline and look for anomalies in the patterns

Access Control Topic 8 - 8.33

NIDS

• Positioned in strategic locations in the network

• Monitor all traffic to and from network devices

• In a perfect world all traffic would be monitored

• This would create a bottleneck in the network with a huge processing overhead

- It would deteriorate network speed


Access Control Topic 8 - 8.34

HIDS

• Operate on individual hosts or network devices

• Monitor all inbound and outbound packets, but only to and from the device they operate on

• If suspicious activity is detected it usually alerts the user and/or network administrator of that activity

Access Control Topic 8 - 8.35

Signature-based IDS

• Monitors packets on the network

• Compares packets against a stored database of known malicious threats

- Similar to the operation of antivirus software

• When a new threat appears there is a period of time before this is added to the database

• Any new threat is undetected until such time as the database is updated to include this threat

- Similar to the operation of antivirus software

Access Control Topic 8 - 8.36

Anomaly-based IDS

• Monitors network traffic

• Compares network traffic with a baseline

• Baseline is “normal” traffic for that network:

- Bandwidth

- Protocols

- Ports

- Devices

• User and/or network administrator is alerted if there is a significant change from the baseline
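The two detection methods of slides 8.35 and 8.36 run side by side over the same traffic, as an added example that is not part of the NCC handout. The signature detector matches payloads against a database of known patterns and therefore misses anything not yet in it, which is the update-lag point of 8.35; the anomaly detector learns the baseline dimensions listed on 8.36 (bandwidth, protocols, ports, devices) from known-good windows and alerts on a significant departure. The flow records, the placeholder signature patterns and the "three times the baseline bandwidth" threshold are all constructed for this demonstration and are not from the handout.

```python
# Added example (not from the NCC handout): the two detection methods of slides
# 8.35 and 8.36 run over the same constructed flow records. The signature
# database and every address, port and byte count are made up for the demo.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    protocol: str
    nbytes: int
    payload: bytes = b""


# Constructed "known threat" database: placeholder byte patterns, not real malware.
SIGNATURES = {
    "DEMO-SIG-001": b"DEMO-MALICIOUS-PATTERN-A",
    "DEMO-SIG-002": b"DEMO-MALICIOUS-PATTERN-B",
}


def signature_alerts(flows, signatures=SIGNATURES):
    """Signature-based IDS: flag a flow whose payload contains a known pattern.
    Anything not yet in the database passes silently."""
    alerts = []
    for f in flows:
        for name, pattern in signatures.items():
            if pattern in f.payload:
                alerts.append(f"signature {name} from {f.src} to {f.dst}:{f.dst_port}")
    return alerts


@dataclass
class Baseline:
    devices: set             # source addresses seen in normal traffic
    services: set            # (protocol, destination port) pairs seen in normal traffic
    bytes_per_window: float  # mean bytes per observation window


def learn_baseline(windows):
    """Build the 'normal' profile from several windows of known-good traffic."""
    devices, services, totals = set(), set(), []
    for flows in windows:
        totals.append(sum(f.nbytes for f in flows))
        for f in flows:
            devices.add(f.src)
            services.add((f.protocol, f.dst_port))
    return Baseline(devices, services, sum(totals) / len(totals))


def anomaly_alerts(flows, baseline, bandwidth_factor=3.0):
    """Anomaly-based IDS: report unseen devices or services and a bandwidth
    jump well above the baseline mean; the threshold factor is a tuning choice."""
    alerts = set()
    for f in flows:
        if f.src not in baseline.devices:
            alerts.add(f"new device {f.src}")
        if (f.protocol, f.dst_port) not in baseline.services:
            alerts.add(f"new service {f.protocol}/{f.dst_port} from {f.src}")
    total = sum(f.nbytes for f in flows)
    if total > bandwidth_factor * baseline.bytes_per_window:
        alerts.add(f"bandwidth {total} bytes exceeds {bandwidth_factor}x baseline")
    return sorted(alerts)


# Constructed traffic: two quiet windows to learn from, then a suspect window.
NORMAL_WINDOWS = [
    [Flow("10.0.0.5", "10.0.0.1", 53, "udp", 300),
     Flow("10.0.0.6", "203.0.113.10", 443, "tcp", 5000)],
    [Flow("10.0.0.5", "203.0.113.10", 443, "tcp", 4000),
     Flow("10.0.0.6", "10.0.0.1", 53, "udp", 400)],
]
SUSPECT_WINDOW = [
    Flow("10.0.0.5", "203.0.113.10", 443, "tcp", 4000),
    # unknown host using a service never seen before; its payload matches no signature
    Flow("10.0.0.99", "10.0.0.1", 23, "tcp", 200, b"DEMO-UNKNOWN-PATTERN-C"),
    # known host and service, but a known signature inside an unusually large transfer
    Flow("10.0.0.6", "203.0.113.10", 443, "tcp", 30000, b"...DEMO-MALICIOUS-PATTERN-A..."),
]


if __name__ == "__main__":
    baseline = learn_baseline(NORMAL_WINDOWS)
    print("signature alerts:", signature_alerts(SUSPECT_WINDOW))
    print("anomaly alerts:  ", anomaly_alerts(SUSPECT_WINDOW, baseline))
```

Note how the two methods split the suspect window between them: only the anomaly detector notices the unknown host on a new service, because its payload is not in the signature database, while only the signature detector names the known pattern carried by an otherwise familiar host. This is the complementary coverage that motivates running both.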


Access Control Topic 8 - 8.37

IDS Overview

• Ideal for monitoring and protecting a network

• Can be prone to false alarms

• Must be correctly set up to recognize what is normal traffic on the network

• Network administrators and users must:

- Understand the alerts

- Know the most effective course of action upon receiving an alert

Access Control Topic 8 - 8.38

References

• Scambray, J., McClure, S. and Kurtz, J. (2001). Hacking Exposed: Network Security Secrets & Solutions, 2nd Edition. McGraw Hill.

Access Control Topic 8 - 8.39

Topic 8 – Access Control

Any Questions?


Network Security and Cryptography

Topic 9: Firewalls

Network Security and Cryptography

Topic 9 – Lecture 1: Firewall Operation

Firewalls Topic 9 - 9.3

Scope and Coverage

This topic will cover:

• Firewall architectures and their limitations

• The DMZ firewall and its limitations


Firewalls Topic 9 - 9.4

Learning Outcomes

By the end of this topic students will be able to:

• Describe the components of a firewall

• Configure a DMZ firewall

• Evaluate the limitations of firewalls

Firewalls Topic 9 - 9.5

Network Firewall

• A firewall is the first line of defence for your network

• The purpose of a firewall is to keep intruders from gaining access to your network

• Usually placed at the perimeter of the network to act as a gatekeeper for incoming and outgoing traffic

• It protects your computer from Internet threats by erecting a virtual barrier between your network or computer and the Internet

Firewalls Topic 9 - 9.6

How Does a Firewall Work?

• Examines the traffic sent between two networks

- e.g. examines the traffic being sent between your network and the Internet

• Data is examined to see if it appears legitimate:

- If so, the data is allowed to pass through

- If not, the data is blocked

• A firewall allows you to establish certain rules to determine what traffic should be allowed in or out of your private network


Firewalls Topic 9 - 9.7

Creating Rules

• Traffic blocking rules can be based upon:

- Words or phrases

- Domain names

- IP addresses

- Ports

- Protocols (e.g. FTP)

• While firewalls are essential, they can block legitimate transmission of data and programs

Firewalls Topic 9 - 9.8

Common Firewall Types

• In general there are software firewalls and hardware firewalls

- Even in home networks

• Hardware firewalls are typically found in routers, which distribute incoming traffic from an Internet connection to computers

• Software firewalls reside in individual computers

• Ideally a network has both

Firewalls Topic 9 - 9.9

Software Firewall

• Protect only the computer on which they are installed

• Provide excellent protection against threats (viruses, worms, etc.)

• Have a user-friendly interface

• Have flexible configuration


Firewalls Topic 9 - 9.10

Router Firewall

• Protects your entire network or part of a network

• Located on your router

• Protects network hardware which cannot have a software firewall installed on it

• Allows the creation of network-wide rules that govern all computers on the network

Firewalls Topic 9 - 9.11

Firewall Operation

• Can be divided into three main methods:

- Packet filters (see last topic)

- Application gateways

- Packet inspection

• Individual vendors of firewalls may provide additional features

- You should look at their products for details

Firewalls Topic 9 - 9.12

Application Gateways

• Application-layer firewalls can understand the traffic flowing through them and allow or deny traffic based on the content

• Host-based firewalls designed to block objectionable Web content based on keywords are a form of application-layer firewall

• Application-layer firewalls can inspect packets bound for an internal Web server to ensure the request isn’t really an attack in disguise


Firewalls Topic 9 - 9.13

Advantages of Application Gateways

• Provide a buffer from port scans and application attacks

- If an attacker finds a vulnerability in an application, the attacker would have to compromise the application/proxy firewall before attacking devices behind the firewall

• Can be patched quickly in the event of a vulnerability being discovered

- This may not be true for patching all the internal devices

Firewalls Topic 9 - 9.14

Disadvantages

• Needs to know how to handle traffic to and from your specific application

- If you have an application that's unique, your application layer firewall may not be able to support it without making some significant modifications

• Application firewalls are generally much slower than packet-filtering or packet-inspection firewalls

- They run applications, maintain state for both the client and server, and also perform inspection of traffic

Firewalls Topic 9 - 9.15

Packet Inspection Firewalls

• Examine the session information between devices:

- Protocol

- New or existing connection

- Source IP address

- Destination IP address

- Port numbers

- IP checksum

- Sequence numbers

- Application-specific information


Firewalls Topic 9 - 9.16

Outbound Internet Traffic

• Client initiates connection to IP address of the web server destined for port 80 (HTTP)

• Firewall determines whether that packet is allowed through the firewall based on the current rule-set

• Firewall looks into the data portion of the IP packet and determines whether it is legitimate HTTP traffic

• If all the requirements are met, a flow entry is created in the firewall based on the session information, and that packet is allowed to pass

Firewalls Topic 9 - 9.17

Inbound Internet Traffic

• Web server receives the packet and responds

• Return traffic is received by the firewall

• Firewall determines if return traffic is allowed by comparing the session information with the information contained in the local translation table

• If return traffic matches the previous requirements, the payload is inspected to validate appropriate HTTP

• Then it is forwarded to the client
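The outbound and inbound sequence of slides 9.16 and 9.17 (and the state table of slide 8.12) as an added example that is not part of the NCC handout: rule-set check, a look into the data portion for a plausible HTTP request, creation of a flow entry, and then return traffic admitted only when its reversed session tuple matches an existing entry and its payload looks like an HTTP response. It also bounds the flow table and expires idle entries, which is the usual mitigation for the connection-table exhaustion slide 9.19 lists as a disadvantage. The example assumes the HTTP request is carried in the first packet the firewall sees (it does not model the TCP handshake); every address, port, payload and timeout value is constructed.

```python
# Added example (not from the NCC handout): the flow table a packet-inspection
# firewall builds for the outbound HTTP request of slide 9.16 and consults for
# the return traffic of slide 9.17. It assumes the request is carried in the
# first packet the firewall sees; all addresses, ports and payloads are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    payload: bytes
    ts: float  # arrival time in seconds


HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ")


def looks_like_http_request(payload):
    """Request line must read <method> <target> HTTP/1.x: the 'data portion' check of 9.16."""
    first_line = payload.split(b"\r\n", 1)[0]
    return first_line.startswith(HTTP_METHODS) and b" HTTP/1." in first_line


def looks_like_http_response(payload):
    return payload.startswith(b"HTTP/1.")


class StatefulFirewall:
    def __init__(self, allowed_dst_ports=(80,), idle_timeout=60.0, max_flows=1000):
        self.allowed_dst_ports = set(allowed_dst_ports)  # the rule-set: permitted outbound services
        self.idle_timeout = idle_timeout                 # seconds before an idle entry is dropped
        self.max_flows = max_flows                       # bound on the connection table
        self.flows = {}  # (client ip, client port, server ip, server port, proto) -> last seen

    def _expire(self, now):
        for key in [k for k, last in self.flows.items() if now - last > self.idle_timeout]:
            del self.flows[key]

    def outbound(self, pkt):
        """Rule-set check, then payload check, then a flow entry is created (slide 9.16)."""
        self._expire(pkt.ts)
        if pkt.protocol != "tcp" or pkt.dst_port not in self.allowed_dst_ports:
            return "drop: rule-set"
        if not looks_like_http_request(pkt.payload):
            return "drop: not HTTP"
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.protocol)
        if key not in self.flows and len(self.flows) >= self.max_flows:
            return "drop: flow table full"  # the exposure slide 9.19 warns about
        self.flows[key] = pkt.ts
        return "pass"

    def inbound(self, pkt):
        """Return traffic passes only if it matches an existing flow and is HTTP (slide 9.17)."""
        self._expire(pkt.ts)
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.protocol)  # reversed tuple
        if key not in self.flows:
            return "drop: no matching flow"
        if not looks_like_http_response(pkt.payload):
            return "drop: not HTTP response"
        self.flows[key] = pkt.ts
        return "pass"


if __name__ == "__main__":
    fw = StatefulFirewall()
    req = Packet("192.168.1.10", 52000, "203.0.113.5", 80, "tcp",
                 b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n", 0.0)
    print("outbound request: ", fw.outbound(req))
    resp = Packet("203.0.113.5", 80, "192.168.1.10", 52000, "tcp", b"HTTP/1.1 200 OK\r\n\r\n", 1.0)
    print("matching reply:   ", fw.inbound(resp))
    stray = Packet("203.0.113.5", 80, "192.168.1.10", 52001, "tcp", b"HTTP/1.1 200 OK\r\n\r\n", 1.0)
    print("unsolicited reply:", fw.inbound(stray))
```

The reply to port 52001 is dropped even though it comes from the same web server, because no client behind the firewall opened that connection; this is the behaviour that distinguishes stateful inspection from the stateless filters of Topic 8, which would have to decide on the packet's header fields alone.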

Firewalls Topic 9 - 9.18

Advantages

• Generally much faster than application firewalls

- They are not required to host client applications

• Most of the packet-inspection firewalls today also offer deep-packet inspection

- The firewall can dig into the data portion of the packet and also:

- Match on protocol compliance

- Scan for viruses

- Still operate very quickly


Firewalls Topic 9 - 9.19

Disadvantages

• Open to certain denial-of-service attacks

• These can be used to fill the connection tables with illegitimate connections

Network Security and Cryptography

Topic 9 – Lecture 2: Firewall Architecture

Firewalls Topic 9 - 9.21

Firewall Architecture

• Firewalls are used to protect the perimeter of a network and the perimeter of sections of networks

• A key question for a network administrator is where firewalls should be located

• The positioning of firewalls in relation to other network elements is the firewall architecture

• We will only look at the position of firewalls and the consequences of this

- Other security devices should also be used


Firewalls Topic 9 - 9.22

Firewall Architecture

• The following are common firewall architectures:

- Screening router

- Screened host

- Dual homed host

- Screened subnet

- Screened subnet with multiple DMZs

- Dual firewall

Firewalls Topic 9 - 9.23

Screening Router

• Simplest of firewall architectures

• Traffic is screened by a router

- Packet filtering

- Using ACLs

• Traffic is screened according to:

- Source or destination IP address

- Transport layer protocol

- Services requested

Firewalls Topic 9 - 9.24

Screening Router

• Usually deployed at the perimeter of the network

• May be used to control access to a Demilitarized Zone (DMZ) – see later

• More often used in conjunction with other firewall technologies


Firewalls Topic 9 - 9.25

Advantages & Disadvantages

• Advantages

- Simple

- Cheap

• Disadvantages

- No logging

- No user authentication

- Difficult to hide internal network structure

Firewalls Topic 9 - 9.26

Demilitarised Zones (DMZ)

• A DMZ is part of the internal network but separated from the rest of the internal network

• Traffic moving between the DMZ and other interfaces on the protected side of the firewall still goes through the firewall

• This traffic has firewall protection policies applied

• Common to put public-facing servers on the DMZ:

- Web servers

- Email servers

Firewalls Topic 9 - 9.27

Demilitarised Zones (DMZ)


Firewalls Topic 9 - 9.28

Screened Host Firewall

• Adds an extra layer of protection in comparison to a screening router

• Has a Bastion Host/Firewall between networks

• Bastion Host/Firewall has two NICs

• Bastion Host/Firewall connects the trusted network to the untrusted network

- Stateful and proxy technologies are used to filter traffic up to the application layer

Firewalls Topic 9 - 9.29

Bastion Host

• A special purpose computer specifically designed and configured to withstand attacks

• The router is the first line of defence

- packet filtering/access control is carried out at the router

• The bastion host is the server that connects to the unsecure network through the router

Firewalls Topic 9 - 9.30

Advantages & Disadvantages

• Advantages

- Security is distributed between two points

- Greater security than screening router

- Transparent outbound access/restricted inbound access

• Disadvantages

- Difficult to hide internal structure

- There is a single point of failure in the network


Firewalls Topic 9 - 9.31

Dual-Homed Host

• A Bastion Host/Firewall is surrounded with packet filtering routers

- Dual-homed - outside world and protected network

- Multi-homed - outside world and multiple protected networks

• Routers filter traffic to the Bastion Host

• Bastion Host adds additional filtering capabilities

• Bastion Host has no routing capabilities

Firewalls Topic 9 - 9.32

Advantages & Disadvantages

• Advantages

- Hides internal network structure

• Disadvantages

- Requires users to log onto the bastion host or the use of proxy servers

Firewalls Topic 9 - 9.33

Screened Subnet DMZ

• Bastion Host is surrounded with packet filtering routers

• These control traffic into and out of the trusted and untrusted network sections

• Has an extra layer of functionality with a DMZ

• Traffic from DMZ to trusted network must go through Bastion Host and packet filtering router


Firewalls Topic 9 - 9.34

Advantages & Disadvantages

• Advantages

- Provides services to outside without compromising inside

- Internal network hidden

• Disadvantages

- Single point of failure

Firewalls Topic 9 - 9.35

Screened Subnet Multiple DMZs

• Allows configuration of varying levels of security between:

- DMZs and the untrusted network

- Different DMZs

- DMZs and the trusted network

Firewalls Topic 9 - 9.36

Dual Firewall Architecture

• Using two or more firewalls enhances security

• Can be used to create DMZs

• Using technology from multiple vendors can enhance security


Firewalls Topic 9 - 9.37

References

• Scambray, J., McClure, S. and Kurtz, J. (2001). Hacking Exposed: Network Security Secrets & Solutions, 2nd Edition. McGraw Hill.

• Zwicky, E.D. (2000). Building Internet Firewalls, 2nd Edition. O’Reilly Media.

Firewalls Topic 9 - 9.38

Topic 9 – Firewalls

Any Questions?


Network Security and Cryptography
Topic 10: Virtual Private Networks

Network Security and Cryptography
Topic 10 – Lecture 1: Introduction to VPN

Virtual Private Networks Topic 10 - 10.3
Scope and Coverage
This topic will cover:
• Virtual Private Network technologies
• Issues with Virtual Private Networks

Page 139: NCC Network Security Handout

Topic 10 - Virtual Private Networks Network Security and Cryptography

V1.0 Visuals Handout – Page 2

Virtual Private Networks Topic 10 - 10.4
Learning Outcomes
By the end of this topic students will be able to:
• Configure access control mechanisms
• Explain Virtual Private Networks

Virtual Private Networks Topic 10 - 10.5
What is VPN?
• A private network that uses public telecommunication, such as the Internet, instead of leased lines to communicate
• Remote network communication via the Internet
• Used by companies/organisations who want to communicate confidentially
• Two parts:
- Protected or “inside” network
- “Outside” network or segment (less trustworthy)

Virtual Private Networks Topic 10 - 10.6
The User’s Perspective
• From the user’s perspective, it appears as a network consisting of dedicated network links
• These links appear as if they are reserved for the VPN clients only
- Hence it appears to be a private connection
• Because of encryption, the data appears to be private

Page 140: NCC Network Security Handout

Topic 10 - Virtual Private Networks Network Security and Cryptography

V1.0 Visuals Handout – Page 3

Virtual Private Networks Topic 10 - 10.7
How VPN Works
• Two connections - one is made to the Internet and the second is made to the VPN
• Datagrams - contain data, destination and source information
• Firewalls - VPNs allow authorised users and data to pass through the firewalls
• Protocols - protocols create the VPN tunnels that allow a private connection over a public network

Virtual Private Networks Topic 10 - 10.8

How VPN Works


Virtual Private Networks Topic 10 - 10.9
Key Functions
• Authentication - validates that the data was sent from the sender
• Access Control - preventing unauthorised users from accessing the network
• Confidentiality - preventing the data from being read or copied as the data is being transported
• Data Integrity - ensuring that the data has not been altered

Page 141: NCC Network Security Handout

Topic 10 - Virtual Private Networks Network Security and Cryptography

V1.0 Visuals Handout – Page 4

Virtual Private Networks Topic 10 - 10.10
Encryption & Tunnelling
• Encryption – public key encryption techniques are used
• Authentication – digital signatures
• A virtual connection is made through the Internet
• Datagrams are sent along the virtual connection
• The outer part of the datagram contains a header and may or may not be encrypted
• The inner part is encrypted

Virtual Private Networks Topic 10 - 10.11
A Network
• Multiple VPN connections can be made to create a genuine network

Virtual Private Networks Topic 10 - 10.12
Protocols
• There are three main protocols used:
- IP Security (IPsec)
- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Tunneling Protocol (L2TP)

Page 142: NCC Network Security Handout

Topic 10 - Virtual Private Networks Network Security and Cryptography

V1.0 Visuals Handout – Page 5

Virtual Private Networks Topic 10 - 10.13
IPsec
• An open standard protocol suite
• Provides privacy and authentication services
• Has two modes of operation
• Transport Mode encrypts data but not the header
• Tunnel Mode encrypts both data and header
• Each connection is a security association (SA)
- Has one security identifier for each direction
- Each security identifier is carried in packets and used to look up keys, etc.

Virtual Private Networks Topic 10 - 10.14
IPsec Transport Mode
• IPsec header is inserted just after the IP header
• Protocol field of IP header is modified to indicate that the IPsec header follows
• IPsec header contains security information:
- SA identifier
- Sequence number
- Possibly an integrity check on the payload

Virtual Private Networks Topic 10 - 10.15
IPsec Tunnel Mode
• Whole IP packet including header is encapsulated in a new IP packet with an IPsec header
• Useful when the tunnel end is not the final destination
- E.g. tunnel ends at company firewall
- Firewall deals with encapsulating IP packets into IPsec packets and decapsulating
- Machines on internal network do not have to be aware of IPsec as they receive and send IP packets
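The three IPsec slides above (SA identifier and sequence number in the header, transport versus tunnel mode, integrity check on the payload) as one added example; this is illustrative code, not the handout's material or a real IPsec implementation. It assumes a 10-byte simplified IP header, an HMAC-based keystream standing in for the real cipher, and constructed keys and addresses.

```python
"""Added example, not from the NCC handout: a toy model of the ESP encapsulation
the IPsec slides describe. Assumptions: a 10-byte simplified IP header, an
HMAC-based keystream standing in for the real cipher, constructed keys and
addresses. The ESP header layout (SPI, sequence number) matches real ESP."""
import hashlib
import hmac
import struct
from ipaddress import ip_address

IP_HDR = struct.Struct("!BB4s4s")             # version, protocol, src, dst (simplified)
ESP_HDR = struct.Struct("!II")                # SPI, sequence number
PROTO_IPIP, PROTO_TCP, PROTO_ESP = 4, 6, 50   # real IANA protocol numbers
ICV_LEN = 16                                  # truncated HMAC-SHA256 tag

def ip_packet(src, dst, proto, payload):
    return IP_HDR.pack(4, proto, ip_address(src).packed, ip_address(dst).packed) + payload

class SecurityAssociation:
    """One direction of an IPsec connection: SPI, keys and anti-replay state."""
    def __init__(self, spi, enc_key, auth_key):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.seq = 0          # last sequence number sent
        self.last_seen = 0    # highest sequence number accepted

    def keystream(self, seq, n):
        # Stand-in for counter-mode encryption: PRF(key, spi || seq || block index).
        blocks = (hmac.new(self.enc_key, ESP_HDR.pack(self.spi, seq) + struct.pack("!I", i),
                           hashlib.sha256).digest() for i in range((n + 31) // 32))
        return b"".join(blocks)[:n]

    def icv(self, data):
        return hmac.new(self.auth_key, data, hashlib.sha256).digest()[:ICV_LEN]

def esp_encap(sa, packet, mode, outer_src=None, outer_dst=None):
    """Wrap an IP packet in ESP in the requested mode."""
    ver, proto, src, dst = IP_HDR.unpack_from(packet)
    if mode == "transport":       # original header kept, protocol field now says ESP
        outer = IP_HDR.pack(ver, PROTO_ESP, src, dst)
        plaintext = packet[IP_HDR.size:] + bytes([proto])   # ESP trailer: next header
    elif mode == "tunnel":        # whole packet, header included, goes inside a new one
        outer = ip_packet(outer_src, outer_dst, PROTO_ESP, b"")
        plaintext = packet + bytes([PROTO_IPIP])
    else:
        raise ValueError("unknown mode")
    sa.seq += 1
    esp = ESP_HDR.pack(sa.spi, sa.seq)
    ct = bytes(p ^ k for p, k in zip(plaintext, sa.keystream(sa.seq, len(plaintext))))
    return outer + esp + ct + sa.icv(esp + ct)

def esp_decap(sa, packet):
    """Receiver side: match the SPI, reject replays and tampering, then decrypt."""
    ver, proto, src, dst = IP_HDR.unpack_from(packet)
    if proto != PROTO_ESP:
        raise ValueError("not an ESP packet")
    esp = packet[IP_HDR.size:IP_HDR.size + ESP_HDR.size]
    spi, seq = ESP_HDR.unpack(esp)
    if spi != sa.spi:
        raise ValueError("unknown SPI")
    if seq <= sa.last_seen:
        raise ValueError("replayed sequence number")
    ct, icv = packet[IP_HDR.size + ESP_HDR.size:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv, sa.icv(esp + ct)):
        raise ValueError("integrity check failed")
    sa.last_seen = seq
    pt = bytes(c ^ k for c, k in zip(ct, sa.keystream(seq, len(ct))))
    next_hdr, body = pt[-1], pt[:-1]
    if next_hdr == PROTO_IPIP:            # tunnel mode: the inner packet is complete
        return body
    return IP_HDR.pack(ver, next_hdr, src, dst) + body   # transport: restore header

def demo():
    """Round-trip both modes and record what the receiver rejects."""
    sender = SecurityAssociation(0x1001, b"constructed-enc-key", b"constructed-auth-key")
    receiver = SecurityAssociation(0x1001, b"constructed-enc-key", b"constructed-auth-key")
    inner = ip_packet("192.168.10.5", "192.168.20.7", PROTO_TCP, b"GET / HTTP/1.0")
    out = {}
    tun = esp_encap(sender, inner, "tunnel", "198.51.100.1", "203.0.113.1")
    out["tunnel_roundtrip"] = esp_decap(receiver, tun) == inner
    out["tunnel_hides_inner_header"] = inner[:IP_HDR.size] not in tun
    trn = esp_encap(sender, inner, "transport")
    out["transport_roundtrip"] = esp_decap(receiver, trn) == inner
    bad = esp_encap(sender, inner, "transport")          # fresh packet, then flip one payload byte
    i = len(bad) - ICV_LEN - 1
    bad = bad[:i] + bytes([bad[i] ^ 1]) + bad[i + 1:]
    for name, pkt in (("replay", trn), ("tampered", bad)):
        try:
            esp_decap(receiver, pkt)
            out[name] = "accepted"
        except ValueError as err:
            out[name] = str(err)
    return out
```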

Page 143: NCC Network Security Handout

Topic 10 - Virtual Private Networks Network Security and Cryptography

V1.0 Visuals Handout – Page 6

Virtual Private Networks Topic 10 - 10.16
PPTP
• A data link protocol
• Used to establish a direct connection between two networking nodes
• Creates the virtual connection across the Internet
• Can provide:
- Connection authentication
- Transmission encryption
- Compression

Virtual Private Networks Topic 10 - 10.17
L2TP
• A tunnelling protocol
• Does not provide encryption or confidentiality but relies on an encryption protocol that it passes within the tunnel
• The entire L2TP packet, including payload and header, is sent within a UDP datagram

Virtual Private Networks Topic 10 - 10.18
Protocols Working Together
• It is common to carry PPTP sessions within an L2TP tunnel
• L2TP does not provide confidentiality or strong authentication by itself
• IPsec is often used to secure L2TP packets by providing confidentiality, authentication and integrity
• The combination of these two protocols is generally known as L2TP/IPsec

Page 144: NCC Network Security Handout

Topic 10 - Virtual Private Networks Network Security and Cryptography

V1.0 Visuals Handout – Page 7

Virtual Private Networks Topic 10 - 10.19
Advantages
• Cost effective
• Greater scalability
• Easy to add/remove users
• Mobility
• Security

Virtual Private Networks Topic 10 - 10.20
Disadvantages
• Understanding of security issues
• Unpredictable Internet traffic
• Difficult to accommodate products from different vendors

Network Security and Cryptography
Topic 10 – Lecture 2: VPN Connections

Page 145: NCC Network Security Handout

Topic 10 - Virtual Private Networks Network Security and Cryptography

V1.0 Visuals Handout – Page 8

Virtual Private Networks Topic 10 - 10.22
VPN Connections
• A VPN is a secure, private communication tunnel between two or more devices across a public network (e.g. the Internet)
• VPN devices can be:
- a computer running VPN software
- a special device like a VPN enabled router
• Remote computer can connect to an office network
• Two computers in different locations can connect over the Internet

Virtual Private Networks Topic 10 - 10.23
VPN Categories
• There are several types of VPN
• There are different ways of classifying VPNs
• We use two broad categories based upon architecture:
- Client-initiated VPNs
- Network access server (NAS)-initiated VPNs

Virtual Private Networks Topic 10 - 10.24
Client-Initiated VPNs
• Users establish a tunnel across the ISP shared network to the customer network
• Customer manages the client software that initiates the tunnel
• Advantage is that they secure the connection between the client and ISP
• Disadvantage is that they are not as scalable and are more complex than NAS-initiated VPNs

Page 146: NCC Network Security Handout

Topic 10 - Virtual Private Networks Network Security and Cryptography

V1.0 Visuals Handout – Page 9

Virtual Private Networks Topic 10 - 10.25
NAS-Initiated VPNs
• Users connect to the ISP NAS which establishes a tunnel to the private network
• More robust than client-initiated VPNs
• Do not require the client to maintain the tunnel-creating software
• Do not encrypt the connection between the client and the ISP
- not a concern for most customers because the Public Switched Telephone Network (PSTN) is much more secure than the Internet

Virtual Private Networks Topic 10 - 10.26
VPNs and the Workplace
• VPNs can run from a remote client PC or remote office router across the Internet or an IP service provider network to one or more corporate gateway routers (remote access)
• VPNs between a company’s offices are a company intranet
• VPNs to external business partners are extranets

Virtual Private Networks Topic 10 - 10.27
Extranet
• An extranet is where the Internet or one or two Service Providers are used to connect to business partners
• Extends network connectivity to:
- Customers
- Business partners
- Suppliers
• Security policy is very important as potentially the VPN could be used for large orders or contracts

Page 147: NCC Network Security Handout

Topic 10 - Virtual Private Networks Network Security and Cryptography

V1.0 Visuals Handout – Page 10

Virtual Private Networks Topic 10 - 10.28
Intranet
• Intranet VPNs extend a basic remote access VPN to other corporate offices
• Connectivity is across the Internet or across the Service Provider IP backbone
• Service levels are likely to be maintained and enforced within a single Service Provider
• For VPNs across the Internet (multiple Service Providers) there are no performance guarantees
- no one is in charge of the Internet!

Virtual Private Networks Topic 10 - 10.29
Remote Access VPN
• Encrypted connections between mobile or remote users and their corporate networks
• Remote user can make a local call to an ISP, as opposed to a long distance call to the corporate remote access server
• Ideal for a telecommuter or mobile sales people
• VPN allows mobile workers & telecommuters to take advantage of broadband connectivity

Virtual Private Networks Topic 10 - 10.30
Remote Access VPN
• Utilises access technologies to allow remote users to become part of a corporate VPN
• Usually involves the use of the Point-to-Point Protocol (PPP) and tunnels that extend the PPP connection from the access server to the corporate network
• In Microsoft’s Point-to-Point Tunneling Protocol (PPTP) it also extends the tunnel from the access server out to the end-user PC

Page 148: NCC Network Security Handout

Topic 10 - Virtual Private Networks Network Security and Cryptography

V1.0 Visuals Handout – Page 11

Virtual Private Networks Topic 10 - 10.31
Virtual Private Dial-Up Networking
• Virtual private dial-up networking (VPDN) enables users to configure secure networks that rely upon ISPs to tunnel remote access traffic
• Remote users can connect using local dial-up
• Dial-up service provider forwards the traffic
• Network configuration and security remains in the control of the client
• The dial-up service provider provides a virtual pipe between the sites

Virtual Private Networks Topic 10 - 10.32
VPN in Industry
• Healthcare: transferring confidential patient information within a health care provider
• Manufacturing: suppliers can view inventories & allow clients to purchase online safely
• Retail: securely transfer sales data or customer info between stores & headquarters
• Banking: enables account information to be transferred safely within departments & branches

Virtual Private Networks Topic 10 - 10.33
VPN in Small Businesses
• Operating systems often have built-in VPN protocols
• These often rely on usernames and passwords
- Not very secure or private
• Standard VPNs require the deployment of software and clients
- Costs money and time
• SSL VPNs are easy to install and use ports already available for secure traffic over the Internet

Page 149: NCC Network Security Handout

Topic 10 - Virtual Private Networks Network Security and Cryptography

V1.0 Visuals Handout – Page 12

Virtual Private Networks Topic 10 - 10.34
SSL VPNs
• Connect securely via a standard Web browser
• No special software required on client computers
• Traffic between Web browser and the SSL VPN device is encrypted with the SSL protocol
• Support access control by:
- User
- Device
- Location

Virtual Private Networks Topic 10 - 10.35
SSL & Data Protection
• SSL encrypts data
• Each SSL certificate uses public key encryption techniques
• The SSL handshake either authenticates the server and client or blocks unauthorized users
• Keeps data confidential and protected

Virtual Private Networks Topic 10 - 10.36
SSL Portal VPN
• Allows a single SSL connection to a website
• User securely accesses multiple network services from the website
• Can use any modern browser
• User is authenticated via method supported by the portal
• User then has access to a web page that acts as the portal to other services

Page 150: NCC Network Security Handout

Topic 10 - Virtual Private Networks Network Security and Cryptography

V1.0 Visuals Handout – Page 13

Virtual Private Networks Topic 10 - 10.37
SSL Tunnel VPN
• Allows a web browser to securely access multiple network services through a tunnel running under SSL
- Includes applications and protocols that are not web-based
• Requires a web browser that can run active content
• Can provide functionality not accessible via SSL portal VPNs

Virtual Private Networks Topic 10 - 10.38
SSL Costs
• Initial costs are higher
- Requires purchase of SSL Certificate
• Can save money in the long run
- Reduced management/administration costs
- Plus the savings from having secure communications


Page 151: NCC Network Security Handout

Topic 10 - Virtual Private Networks Network Security and Cryptography

V1.0 Visuals Handout – Page 14

Virtual Private Networks Topic 10 - 10.40

Topic 10 – Virtual Private Networks


Any Questions?

Page 152: NCC Network Security Handout

Topic 11 – Remote Access Network Security and Cryptography

V1.0 Visuals Handout – Page 1

Network Security and Cryptography
Topic 11: Remote Access

Network Security and Cryptography
Topic 11 – Lecture 1: Introduction to Remote Access & Web Applications

Remote Access Topic 11 - 11.3
Scope and Coverage
This topic will cover:
• Alternative remote access technologies:
- Web applications
- Remote desktops

Page 153: NCC Network Security Handout

Topic 11 – Remote Access Network Security and Cryptography

V1.0 Visuals Handout – Page 2

Remote Access Topic 11 - 11.4
Learning Outcomes
By the end of this topic students will be able to:
• Configure access control mechanisms
• Select an appropriate remote access solution

Remote Access Topic 11 - 11.5
What is Remote Access?
• Accessing a computer where the user does not have physical access to it
- Remote control of a computer
- Using another device
- Over a network, e.g. the Internet
• A common example is the remote troubleshooting services offered by computer manufacturers

Remote Access Topic 11 - 11.6
Why Have Remote Access?
• Allows staff to work from any location – they are no longer required to be physically in the office
- Home working
- Out of hours working
- Mobile staff
• Has become a critical part of many modern businesses

Page 154: NCC Network Security Handout

Topic 11 – Remote Access Network Security and Cryptography

V1.0 Visuals Handout – Page 3

Remote Access Topic 11 - 11.7
Uses of Remote Access
• Comes under two categories:
- Accessing files remotely
- Accessing applications remotely
• By accessing files a remote user can transfer any individual files they need whilst working remotely
• By accessing applications the remote user can use software on the network and therefore also process files and data in the same way as if they were in the workplace

Remote Access Topic 11 - 11.8
Remote Application Architecture
• In order to create remote access facilities an understanding of the application architecture is necessary
• Three general models:
- Client/Database
- Client/Server
- Web-based

Remote Access Topic 11 - 11.9
Client/Database Architecture
• Complete applications are installed on the client computer
- Fat clients
• Client connects to a database via a network
• Data for applications is held on the database
• Usually used where there is only a small number of clients

Page 155: NCC Network Security Handout

Topic 11 – Remote Access Network Security and Cryptography

V1.0 Visuals Handout – Page 4

Remote Access Topic 11 - 11.10
Client/Server Architecture
• Typically has a stripped down version of applications installed on the client
- Sufficient to connect to the server application
• A full version of the software is installed on the server
• Business logic rules are applied at the server and a connection created to the database
• Example is mail client such as MS Outlook

Remote Access Topic 11 - 11.11
Web-based Architecture
• Web browser is used as the client
• Requires minimal software on the client computer
• Interacts with web server
• Provides web-based user interface
• Server may communicate with other application servers to provide functionality
- These are usually on other hardware
• Results are displayed in the web browser
• E.g. webmail

Remote Access Topic 11 - 11.12
Remote Access Technologies
• A number of means of gaining remote access, for example:
- Virtual Private Network (VPN)
- Remote Desktop Connection (RDC)
- Application Hosting
- Web-based applications
• There are implications to consider:
- Security
- Bandwidth requirements

Page 156: NCC Network Security Handout

Topic 11 – Remote Access Network Security and Cryptography

V1.0 Visuals Handout – Page 5

Remote Access Topic 11 - 11.13
Virtual Private Network (VPN)
• Secure tunnel between remote user and internal network
• Once session is created user can pass data in/out of network
• Limits due to available bandwidth
- User or network end
• Works well with web-based applications

Remote Access Topic 11 - 11.14
Remote Desktop Connection (RDC)
• Applications are hosted on a remote server
• Appears as though screenshots have been sent to the client
• Keyboard and mouse inputs are forwarded to the server
• Results are shown in the screenshots that are returned to the client
• Uses a constant and relatively small amount of bandwidth

Remote Access Topic 11 - 11.15
Application Hosting
• Application hosting involves using an external partner to host applications on their servers
• Removes the need for internal IT departments to manage the architecture, servers and applications
• Use of software and hosting management is via the external partner who charges for this service
• The remote access is to this external partner’s servers, whether from inside the office or from a remote location

Page 157: NCC Network Security Handout

Topic 11 – Remote Access Network Security and Cryptography

V1.0 Visuals Handout – Page 6

Remote Access Topic 11 - 11.16
Web-based Applications
• Clients do not require any dedicated software other than a standard web browser
• Data passes over the Internet
• Data transfer is encrypted
• Can be provided as Software-as-a-Service (SaaS)
- Software vendors provide access to the software via the Internet

Remote Access Topic 11 - 11.17
General Security Considerations
• Security best practice should be followed:
- Firewalls
- Anti-virus software
- Updates and patches
- Security policies and procedures
- Staff training
- IDS
- Vulnerability scanning
- Separating web server, database server, etc.

Network Security and Cryptography
Topic 11 – Lecture 2: Remote Desktops

Page 158: NCC Network Security Handout

Topic 11 – Remote Access Network Security and Cryptography

V1.0 Visuals Handout – Page 7

Remote Access Topic 11 - 11.19
Remote Desktop
• Allows applications to be run on a remote server but displayed locally
• Can be achieved via software installed on the client or via a feature provided by the OS
• May be command line applications
• May be applications with a graphical user interface (GUI)
• There are many OS that provide this functionality

Remote Access Topic 11 - 11.20
Display Data Remotely
• The controlling computer displays the image received from the controlled computer
• This image is updated:
- At regular intervals
- Or when a change on screen is noted by the software
• The controlling computer transmits input from its own keyboard or mouse to the controlled computer
• The software implements these actions on the controlled computer

Remote Access Topic 11 - 11.21
Display Data Remotely
• The controlled computer acts as though these input actions were operated directly on itself
• Any changes to the display as a result of these actions are transmitted back to the controlling computer
• The controlling computer then displays this new display image on its screen
• Input devices and screen on the controlled computer may be disabled

Page 159: NCC Network Security Handout

Topic 11 – Remote Access Network Security and Cryptography

V1.0 Visuals Handout – Page 8

Remote Access Topic 11 - 11.22
A Warning!!
• Attackers have used remote access software to gain control of many computers
• A typical scenario involves the user receiving a telephone call from someone pretending to be a legitimate corporation
• They offer to fix your computer remotely
• Once the remote access is allowed they use the computer for other purposes

Remote Access Topic 11 - 11.23
Remote Desktop Protocols
• There are a number of protocols that may be used for remote desktop applications, including:
- Virtual Network Computing (VNC)
- Remote Desktop Protocol (RDP)
- Apple Remote Desktop (ARD)
- Independent Computing Architecture (ICA)
- Appliance Link Protocol (ALP)
• We will look at the first two in a little detail

Remote Access Topic 11 - 11.24
Virtual Network Computing (VNC)
• A graphical desktop sharing application
• Provides remote access to a GUI
• Transmits keyboard and mouse actions in one direction
• Transmits graphical screen updates in the other direction
• Original source code and many derivative packages are open source

Page 160: NCC Network Security Handout

Topic 11 – Remote Access Network Security and Cryptography

V1.0 Visuals Handout – Page 9

Remote Access Topic 11 - 11.25
Platform Independence
• VNC is platform independent
• A VNC viewer can connect to a VNC server using a different operating system
• Multiple clients can connect to the same VNC server at the same time
• VNC clients and servers are available for most GUI based operating systems

Remote Access Topic 11 - 11.26
VNC Components
• VNC server is the program on the server that allows the client to take control of it
• VNC client (also known as the viewer) is the program that controls the server
• The remote framebuffer (RFB) protocol sends simple graphic messages to the client and input actions to the server
• The machine with the VNC server does not have to have a physical display

Remote Access Topic 11 - 11.27
Framebuffer
• A memory buffer
• Drives video output display
• Stores information on the colour value of every pixel in a display
• Used in all systems that use windows
• Information can be transmitted storing the colour and position of each pixel in a rectangle

Page 161: NCC Network Security Handout

Topic 11 – Remote Access Network Security and Cryptography

V1.0 Visuals Handout – Page 10

Remote Access Topic 11 - 11.28
The RFB Protocol
• RFB sends information regarding rectangles of screen display
• The colour information of rectangles for display is transmitted as a framebuffer
• Includes compression techniques and security features
• Client uses port 5900 for server access
• Server may connect in listening mode on port 5500
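The framebuffer and RFB slides above (a rectangle of pixel colours and positions, sent when the software notices a screen change) as one added example that is not part of the NCC handout: the server finds the changed rectangle, packs it in the RFB FramebufferUpdate layout (RFC 6143, raw encoding), and the viewer parses it back. It assumes a constructed 8-bits-per-pixel framebuffer and omits the protocol's handshake and pixel-format negotiation.

```python
"""Added example, not part of the NCC handout: encode and decode an RFB
FramebufferUpdate (RFC 6143 layout, raw encoding) carrying the changed
screen rectangle the slides describe. Assumption: a constructed framebuffer
with one byte per pixel (8 bpp); the handshake is not modelled."""
import struct

FB_UPDATE = 0                         # server-to-client message type
ENC_RAW = 0                           # raw encoding: pixel bytes follow the rectangle header
RECT_HDR = struct.Struct("!HHHHi")    # x, y, width, height, encoding-type


class Framebuffer:
    """Row-major grid of pixels, one byte per pixel."""
    def __init__(self, width, height, fill=0):
        self.width, self.height = width, height
        self.pixels = bytearray([fill]) * (width * height)

    def get_rect(self, x, y, w, h):
        rows = [self.pixels[(y + r) * self.width + x:(y + r) * self.width + x + w] for r in range(h)]
        return b"".join(rows)

    def put_rect(self, x, y, w, h, data):
        for r in range(h):
            start = (y + r) * self.width + x
            self.pixels[start:start + w] = data[r * w:(r + 1) * w]


def changed_rect(old, new):
    """Bounding rectangle of the pixels that differ, or None if nothing changed
    (the 'change on screen is noted by the software' case on the slides)."""
    xs, ys = [], []
    for i, (a, b) in enumerate(zip(old.pixels, new.pixels)):
        if a != b:
            xs.append(i % new.width)
            ys.append(i // new.width)
    if not xs:
        return None
    return min(xs), min(ys), max(xs) - min(xs) + 1, max(ys) - min(ys) + 1


def encode_update(fb, rects):
    """Server side: message type, padding, rectangle count, then each rectangle."""
    msg = struct.pack("!BxH", FB_UPDATE, len(rects))
    for x, y, w, h in rects:
        msg += RECT_HDR.pack(x, y, w, h, ENC_RAW) + fb.get_rect(x, y, w, h)
    return msg


def decode_update(msg, bpp_bytes=1):
    """Viewer side: parse a FramebufferUpdate; rejects truncation and unknown encodings,
    the checks a viewer needs because the bytes arrive from the network."""
    mtype, nrects = struct.unpack_from("!BxH", msg)
    if mtype != FB_UPDATE:
        raise ValueError("not a FramebufferUpdate")
    off, rects = 4, []
    for _ in range(nrects):
        x, y, w, h, enc = RECT_HDR.unpack_from(msg, off)
        off += RECT_HDR.size
        if enc != ENC_RAW:
            raise ValueError("unsupported encoding %d" % enc)
        n = w * h * bpp_bytes
        if off + n > len(msg):
            raise ValueError("truncated rectangle")
        rects.append((x, y, w, h, bytes(msg[off:off + n])))
        off += n
    return rects


def demo():
    """A window appears on the controlled screen; only its rectangle is sent."""
    server_old, server_new = Framebuffer(16, 8), Framebuffer(16, 8)
    server_new.put_rect(5, 2, 4, 3, bytes(range(1, 13)))   # constructed 4x3 window
    rect = changed_rect(server_old, server_new)
    wire = encode_update(server_new, [rect])                # pixel bytes travel in the clear
    viewer = Framebuffer(16, 8)                             # controlling computer's copy
    for x, y, w, h, data in decode_update(wire):
        viewer.put_rect(x, y, w, h, data)
    return {"rect": rect, "wire_len": len(wire), "in_sync": viewer.pixels == server_new.pixels}
```

Because the pixel data is carried unencrypted in this message, anyone who can capture the session sees the screen; that is the reason the next slide recommends tunnelling VNC over SSH or a VPN.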

Remote Access Topic 11 - 11.29
VNC Security
• VNC does not use plaintext passwords
• But it is not very secure
• Open to sniffing attacks
• Can be tunnelled over SSH or VPN connection for enhanced security
• There are SSH clients for most platforms

Remote Access Topic 11 - 11.30
Remote Desktop Protocol (RDP)
• Microsoft protocol
• Provides a GUI to another computer
- Remote display
- Remote input
• Supports a number of technologies
• Supports a number of LAN protocols
• An extension of the ITU T.120 family of protocols
• Clients exist for most operating systems

Page 162: NCC Network Security Handout

Topic 11 – Remote Access Network Security and Cryptography

V1.0 Visuals Handout – Page 11

Remote Access Topic 11 - 11.31
RDP Operation
• RDP uses its own video driver to convert rendering information into packets
• Sends them to the client via the network
• RDP receives rendering data at client and converts into Windows graphics device interface (GDI) calls
• Mouse/keyboard events are sent from client to server
• RDP uses its own on-screen events driver to receive these events

Remote Access Topic 11 - 11.32
RDP Features
• RDP offers many features:
- Encryption
- Bandwidth reduction
- Roaming disconnect
- Clipboard mapping
- Print redirection
- Sound redirection
- Support for 24 bit colour
- Smart Card authentication


Page 163: NCC Network Security Handout

Topic 11 – Remote Access Network Security and Cryptography

V1.0 Visuals Handout – Page 12

Remote Access Topic 11 - 11.34

Topic 11 – Remote Access


Any Questions?