Network Security Basics


Page 1: Network Security Basics


Network Security Basics

Page 2: Network Security Basics

Outline of Network Security Basics

What is Network Security?
Threats and Attacks
Defenses
Cryptography

Page 3: Network Security Basics


What is Security?

“The quality or state of being secure—to be free from danger”

A successful organization should have multiple layers of security in place:

Physical security
Personal security
Operations security
Network security
Information security

Page 4: Network Security Basics


What is Network Security?

Network security refers to any activities designed to protect your network; these activities protect the usability, reliability, integrity, and safety of your network and data. Effective network security targets a variety of threats and stops them from entering or spreading on your network.

Page 5: Network Security Basics


Balancing Security and Access

Impossible to obtain perfect security—it is a process, not an absolute

Security should be considered a balance between protection and availability

To achieve balance, level of security must allow reasonable access, yet protect against threats

Page 6: Network Security Basics


Figure 1-6 – Balancing Security and Access

Page 7: Network Security Basics


Outline of Network Security Basics

What is Network Security?
Threats and Attacks
Defenses
Cryptography

Page 8: Network Security Basics


Threats

Threat: an object, person, or other entity that represents a constant danger to an asset

Management must be informed of the different threats facing the organization

By examining each threat category, management effectively protects information through policy, education, training, and technology controls

Page 9: Network Security Basics


Threats to Information Security

Page 10: Network Security Basics


Acts of Human Error or Failure

Includes acts performed without malicious intent

Causes include:

Inexperience

Improper training

Incorrect assumptions

Employees are among the greatest threats to an organization’s data

Page 11: Network Security Basics

Acts of Human Error or Failure (continued)

Employee mistakes can easily lead to:

Revelation of classified data

Entry of erroneous data

Accidental data deletion or modification

Data storage in unprotected areas

Failure to protect information

Many of these threats can be prevented with controls

Page 12: Network Security Basics


Forces of Nature

Forces of nature are among the most dangerous threats

Disrupt not only individual lives, but also storage, transmission, and use of information

Organizations must implement controls to limit damage and prepare contingency plans for continued operations

Page 13: Network Security Basics


Deviations in Quality of Service

Includes situations where products or services are not delivered as expected

Information system depends on many interdependent support systems

Internet service, communications, and power irregularities dramatically affect availability of information and systems

Page 14: Network Security Basics


Internet Service Issues

Internet service provider (ISP) failures can considerably undermine availability of information

Outsourced Web hosting provider assumes responsibility for all Internet services as well as hardware and Web site operating system software

Page 15: Network Security Basics


Attacks

Act or action that exploits vulnerability (i.e., an identified weakness) in controlled system

Accomplished by threat agent which damages or steals organization’s information

Page 16: Network Security Basics

Table 2-2 - Attack Replication Vectors

Page 17: Network Security Basics


Attacks (continued)

Malicious code: includes execution of viruses, worms, Trojan horses, and active Web scripts with intent to destroy or steal information

Back door: gaining access to system or network using known or previously unknown/newly discovered access mechanism

Page 18: Network Security Basics


Attacks (continued)

Spoofing: technique used to gain unauthorized access; intruder assumes a trusted IP address

Man-in-the-middle: attacker monitors network packets, modifies them, and inserts them back into network

Spam: unsolicited commercial e-mail; more a nuisance than an attack, though is emerging as a vector for some attacks

Page 19: Network Security Basics


Page 20: Network Security Basics


Attacks (continued)

Denial-of-service (DoS): attacker sends large number of connection or information requests to a target

Target system cannot handle successfully along with other, legitimate service requests

May result in system crash or inability to perform ordinary functions

Distributed denial-of-service (DDoS): coordinated stream of requests is launched against target from many locations simultaneously

Page 21: Network Security Basics


Figure 2-9 - Denial-of-Service Attacks

Page 22: Network Security Basics


Page 23: Network Security Basics


Page 24: Network Security Basics


Page 25: Network Security Basics

What Makes DDoS Attacks Possible?

Internet was designed with functionality & not security in mind
Internet security is highly interdependent
Internet resources are limited
Power of many is greater than power of a few

Page 26: Network Security Basics


Summary on Threats and Attacks

Threat: object, person, or other entity representing a constant danger to an asset

Attack: a deliberate act that exploits vulnerability

Page 27: Network Security Basics

Outline of Network Security Basics

What is Network Security?
Threats and Attacks
Defenses
Cryptography

Page 28: Network Security Basics


Firewalls

Prevent specific types of information from moving between the outside world (untrusted network) and the inside world (trusted network)

May be separate computer system; a software service running on existing router or server; or a separate network containing supporting devices

Page 29: Network Security Basics

Firewall Categorization

Processing mode
Development era
Intended deployment structure
Architectural implementation

Page 30: Network Security Basics

Firewalls Categorized by Processing Modes

Packet filtering
Application gateways
Circuit gateways
MAC layer firewalls
Hybrids

Page 31: Network Security Basics


Page 32: Network Security Basics


Packet Filtering

Packet filtering firewalls examine header information of data packets

Most often based on a combination of:

Internet Protocol (IP) source and destination address
Direction (inbound or outbound)
Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests

Simple firewall models enforce rules designed to prohibit packets with certain addresses or partial addresses

Page 33: Network Security Basics


Packet Filtering (continued)

Three subsets of packet filtering firewalls:

Static filtering: requires that filtering rules governing how the firewall decides which packets are allowed and which are denied are developed and installed

Dynamic filtering: allows firewall to react to emergent event and update or create rules to deal with event

Stateful inspection: firewalls that keep track of each network connection between internal and external systems using a state table
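The difference between static header-based filtering and stateful inspection is easier to see in code than in a definition. The following is an added example, not part of the slides or of any firewall product: a toy filter that applies first-match rules over the header fields listed above (addresses, direction, protocol, destination port), and a stateful variant that records allowed outbound connections in a state table so that the reply traffic is admitted without a standing inbound rule for high ports. All addresses, ports and rules are constructed for illustration.

```python
# Added example (not from the slides): static header filtering vs. stateful inspection.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str        # IP source address
    dst: str        # IP destination address
    proto: str      # "tcp" or "udp"
    sport: int      # source port
    dport: int      # destination port
    direction: str  # "inbound" (untrusted -> trusted) or "outbound"


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str = "any"
    src: str = "0.0.0.0/0"       # CIDR; a single host is "a.b.c.d/32"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """Header-only comparison: direction, addresses, protocol, destination port."""
        return (self.direction in ("any", pkt.direction)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


def static_filter(rules, pkt: Packet) -> str:
    """Static filtering: first matching rule wins; no match means deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFilter:
    """Stateful inspection: allowed outbound connections are recorded in a state
    table, so a reply to one of them is admitted even though no inbound rule
    covers the client's ephemeral port."""

    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # (internal ip, internal port, external ip, external port, proto)

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "outbound":
            verdict = static_filter(self.rules, pkt)
            if verdict == "allow":
                self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return verdict
        # Inbound: a reply to a tracked connection is allowed; otherwise fall back to the rules.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.state:
            return "allow"
        return static_filter(self.rules, pkt)


# Constructed rule set: one DMZ web server reachable on tcp/443, internal hosts may go out.
RULES = [
    Rule("allow", direction="inbound", dst="10.0.0.5/32", proto="tcp", dport=443),
    Rule("allow", direction="outbound", src="10.0.0.0/8"),
    Rule("deny"),
]

# Constructed traffic (RFC 5737 documentation addresses).
TO_DMZ = Packet("203.0.113.7", "10.0.0.5", "tcp", 40000, 443, "inbound")     # allowed by rule 1
TO_SSH = Packet("203.0.113.7", "10.0.0.9", "tcp", 40000, 22, "inbound")      # no rule: denied
OUTBOUND = Packet("10.0.0.9", "203.0.113.7", "tcp", 51000, 443, "outbound")  # client browses out
REPLY = Packet("203.0.113.7", "10.0.0.9", "tcp", 443, 51000, "inbound")      # server's reply
UNSOLICITED = Packet("203.0.113.8", "10.0.0.9", "tcp", 443, 51000, "inbound")  # looks like a reply, is not


def compare_modes():
    """Returns (static verdicts, stateful verdicts) for the same packet sequence."""
    seq = [TO_DMZ, TO_SSH, OUTBOUND, REPLY, UNSOLICITED]
    static = [static_filter(RULES, p) for p in seq]
    stateful_filter = StatefulFilter(RULES)
    stateful = [stateful_filter.filter(p) for p in seq]
    return static, stateful


if __name__ == "__main__":
    for mode, verdicts in zip(("static", "stateful"), compare_modes()):
        print(mode, verdicts)
```

The static filter denies the legitimate reply (fourth packet) because nothing in the rule set admits inbound traffic to port 51000; the only static fix is a broad inbound allow for high ports, which would also admit the unsolicited fifth packet. The stateful filter admits the reply because the outbound connection is in its table and still denies the unsolicited packet, which is the point of the state table.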

Page 34: Network Security Basics


Page 35: Network Security Basics


Page 36: Network Security Basics


Page 37: Network Security Basics


Page 38: Network Security Basics


Application Gateways

Frequently installed on a dedicated computer; also known as a proxy server

Since proxy server is often placed in unsecured area of the network (e.g., DMZ), it is exposed to higher levels of risk from less trusted networks

Additional filtering routers can be implemented behind the proxy server, further protecting internal systems

Page 39: Network Security Basics


Screened Subnet Firewalls (with DMZ)

Dominant architecture used today is the screened subnet firewall

Commonly consists of two or more internal bastion hosts behind packet filtering router, with each host protecting trusted network:

Connections from outside (untrusted network) routed through external filtering router
Connections from outside (untrusted network) are routed into and out of routing firewall to separate network segment known as DMZ

Connections into trusted internal network allowed only from DMZ bastion host servers

Page 40: Network Security Basics


Page 41: Network Security Basics


Virtual Private Networks (VPNs)

Private and secure network connection between systems; uses data communication capability of unsecured and public network

Securely extends organization’s internal network connections to remote locations beyond trusted network

Page 42: Network Security Basics


Virtual Private Networks (VPNs) (continued)

VPN must accomplish:

Encapsulation of incoming and outgoing data

Encryption of incoming and outgoing data

Authentication of remote computer and (perhaps) remote user as well

Page 43: Network Security Basics


Transport Mode

Data within IP packet is encrypted, but header information is not

Allows user to establish secure link directly with remote host, encrypting only data contents of packet

Two popular uses:

End-to-end transport of encrypted data
Remote access worker connects to office network over Internet by connecting to a VPN server on the perimeter

Page 44: Network Security Basics


Page 45: Network Security Basics


Tunnel Mode

Organization establishes two perimeter tunnel servers

These servers act as encryption points, encrypting all traffic that will traverse unsecured network

Primary benefit to this model is that an intercepted packet reveals nothing about true destination system

Example of tunnel mode VPN: Microsoft’s Internet Security and Acceleration (ISA) Server

Page 46: Network Security Basics


Page 47: Network Security Basics


Summary of Firewalls and VPNs

Firewall technology

Four methods for categorization

Firewall configuration and management

Virtual Private Networks

Two modes

Page 48: Network Security Basics


Defenses against Intrusion

Intrusion: type of attack on information assets in which instigator attempts to gain entry into or disrupt system with harmful intent

Intrusion detection: consists of procedures and systems created and operated to detect system intrusions

Intrusion reaction: encompasses actions an organization undertakes when intrusion event is detected

Intrusion correction activities: finalize restoration of operations to a normal state

Intrusion prevention: consists of activities that seek to deter an intrusion from occurring

Page 49: Network Security Basics


Intrusion Detection Systems (IDSs)

Detects a violation of its configuration and activates an alarm

Many IDSs enable administrators to configure systems to notify them directly of trouble via e-mail or pagers

Systems can also be configured to notify an external security service organization of a “break-in”

Page 50: Network Security Basics

IDS Terminology

Alert or alarm
False negative: the failure of an IDS system to react to an actual attack event.
False positive: an alarm or alert that indicates that an attack is in progress or that an attack has successfully occurred when in fact there was no such attack.
Confidence value
Alarm filtering

Page 51: Network Security Basics


IDSs Classification

All IDSs use one of two detection methods:

Signature-based

Statistical anomaly-based

IDSs operate as:

network-based

host-based

application-based systems

Page 52: Network Security Basics


Signature-Based IDS

Examine data traffic in search of patterns that match known signatures

Widely used because many attacks have clear and distinct signatures

Problem with this approach is that as new attack strategies are identified, the IDS’s database of signatures must be continually updated

Page 53: Network Security Basics


Statistical Anomaly-Based IDS

The statistical anomaly-based IDS (stat IDS) or behavior-based IDS samples network activity to compare to traffic that is known to be normal

When measured activity is outside baseline parameters or clipping level, IDS will trigger an alert

IDS can detect new types of attacks

Requires much more overhead and processing capacity than signature-based

May generate many false positives
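The two detection methods of the last three slides complement each other, and a small run over sample data shows why. The following is an added example, not from the slides: a signature matcher with a two-entry pattern database and a statistical anomaly detector whose clipping level is the mean plus three standard deviations of per-source request counts taken from a known-normal period. The log lines, addresses, signatures and baseline counts are all constructed for illustration.

```python
# Added example (not from the slides): signature-based vs. anomaly-based detection.
import re
import statistics
from collections import Counter

# Constructed web-server log, one request per line: "<source-ip> <method> <path> <status>".
NORMAL = [f"198.51.100.{i % 4 + 1} GET /index.html 200" for i in range(12)]
KNOWN_BAD = [
    "198.51.100.9 GET /../../etc/passwd 404",                          # matches a known pattern
    "198.51.100.9 GET /search?q=1%20UNION%20SELECT%20password 200",   # matches a known pattern
]
# Forty requests in one window from a single source: no known signature, only abnormal volume.
FLOOD = ["203.0.113.7 GET /login 200"] * 40
SAMPLE_LOG = NORMAL + KNOWN_BAD + FLOOD

# Signature database (slide 52): each entry is the trace a known attack leaves in a request.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"union(?:\s|%20)+select", re.IGNORECASE),
}


def signature_alerts(lines):
    """Signature-based detection: a line alerts when it matches a known pattern."""
    return [(name, line) for line in lines
            for name, rx in SIGNATURES.items() if rx.search(line)]


# Per-source requests per minute observed during a known-normal training period (constructed).
BASELINE_PER_SOURCE = [20, 22, 19, 25, 21, 18, 23, 20]


def clipping_level(baseline_counts, k=3.0):
    """Anomaly-based detection (slide 53): the clipping level is the baseline mean
    plus k standard deviations; activity above it is outside normal parameters."""
    return statistics.mean(baseline_counts) + k * statistics.pstdev(baseline_counts)


def anomaly_alerts(lines, baseline_counts, k=3.0):
    """Returns {source: request count} for every source above the clipping level."""
    level = clipping_level(baseline_counts, k)
    per_source = Counter(line.split()[0] for line in lines)
    return {src: n for src, n in per_source.items() if n > level}


def run(lines=SAMPLE_LOG):
    return {
        "signature": signature_alerts(lines),
        "anomaly": anomaly_alerts(lines, BASELINE_PER_SOURCE),
    }


if __name__ == "__main__":
    result = run()
    for name, line in result["signature"]:
        print(f"SIGNATURE {name}: {line}")
    level = clipping_level(BASELINE_PER_SOURCE)
    for src, n in result["anomaly"].items():
        print(f"ANOMALY {src}: {n} requests in window (clipping level {level:.1f})")
```

On this input the signature matcher reports exactly the two requests whose patterns are in its database and says nothing about the flood, because no signature describes it; the anomaly detector reports the flooding source, whose 40 requests exceed the clipping level of about 27.4, and says nothing about the two signature hits, because two requests are well within the baseline. Lowering k raises sensitivity to novel activity and, as the slide warns, the false-positive rate with it.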

Page 54: Network Security Basics


Page 55: Network Security Basics


Network-Based IDS (NIDS)

Resides on computer or appliance connected to segment of an organization’s network; looks for signs of attacks

When examining packets, a NIDS looks for attack patterns

Installed at specific place in the network where it can watch traffic going into and out of particular network segment

Page 56: Network Security Basics


Advantages and Disadvantages of NIDSs

Good network design and placement of NIDS can enable organization to use a few devices to monitor large network

NIDSs are usually passive and can be deployed into existing networks with little disruption to normal network operations

NIDSs not usually susceptible to direct attack and may not be detectable by attackers

Page 57: Network Security Basics


Advantages and Disadvantages of NIDSs (continued)

Can become overwhelmed by network volume and fail to recognize attacks

Require access to all traffic to be monitored

Cannot analyze encrypted packets

Cannot reliably ascertain if attack was successful or not

Some forms of attack are not easily discerned by NIDSs, specifically those involving fragmented packets

Page 58: Network Security Basics


Host-Based IDS

Host-based IDS (HIDS) resides on a particular computer or server and monitors activity only on that system

Benchmarks and monitors the status of key system files and detects when an intruder creates, modifies, or deletes files

Most HIDSs work on the principle of configuration or change management

Advantage over NIDS: can usually be installed so that it can access information encrypted when traveling over network
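The "benchmark and monitor key system files" principle is a hash-based integrity check, and it is short enough to show in full. The following is an added example, not from the slides or from any HIDS product: a snapshot of every file under a directory keyed by SHA-256 digest, a comparison that classifies changes as created, modified or deleted, and a demo that builds a constructed file tree in a temporary directory, takes the baseline, alters the tree and reports the difference.

```python
# Added example (not from the slides): file-integrity monitoring as a HIDS performs it.
import hashlib
import os
import tempfile


def fingerprint(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Benchmark: map every file under root (path relative to root) to its fingerprint."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root)] = fingerprint(full)
    return snap


def compare(before: dict, after: dict) -> dict:
    """Classify the differences between two snapshots the way a HIDS reports them."""
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Builds a constructed tree, takes a baseline, changes the tree, and reports."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed contents; only the hashes matter for the check.
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "bin/ls", b"constructed placeholder for a binary\n")
        before = snapshot(root)
        # Three kinds of change since the benchmark: one edit, one removal, one new file.
        _write(root, "etc/passwd",
               b"root:x:0:0:root:/root:/bin/bash\nguest:x:1001:1001::/home/guest:/bin/sh\n")
        os.remove(os.path.join(root, "bin", "ls"))
        _write(root, "etc/cron.d/backup", b"0 3 * * * root /usr/bin/backup\n")
        after = snapshot(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In a deployed HIDS the baseline would be stored off-host or signed, since an intruder with write access to the monitored system can otherwise re-baseline after making changes; the slide's point that the HIDS itself is exposed to direct attack applies to its database as much as to its process.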

Page 59: Network Security Basics


Advantages and Disadvantages of HIDSs

Can detect local events on host systems and detect attacks that may elude a network-based IDS

Functions on host system, where encrypted traffic will have been decrypted and is available for processing

Not affected by use of switched network protocols

Can detect inconsistencies in how applications and systems programs were used by examining records stored in audit logs

Page 60: Network Security Basics


Advantages and Disadvantages of HIDSs (continued)

Pose more management issues

Vulnerable both to direct attacks and attacks against host operating system

Does not detect multi-host scanning, nor scanning of non-host network devices

Susceptible to some denial-of-service attacks

Can use large amounts of disk space

Can inflict a performance overhead on its host systems

Page 61: Network Security Basics


Honey Pots, Honey Nets, and Padded Cell Systems

Honey pots: decoy systems designed to lure potential attackers away from critical systems and encourage attacks against themselves

Honey nets: collection of honey pots connecting several honey pot systems on a subnet

Honey pots designed to:

Divert attacker from accessing critical systems
Collect information about attacker’s activity
Encourage attacker to stay on system long enough for administrators to document event and, perhaps, respond

Page 62: Network Security Basics

Outline of Network Security Basics

What is Network Security?
Threats and Attacks
Defenses
Cryptography

Page 63: Network Security Basics


Cipher Methods

Plaintext can be encrypted through bit stream or block cipher method

Bit stream: each plaintext bit transformed into cipher bit one bit at a time

Block cipher: message divided into blocks (e.g., sets of 8- or 16-bit blocks) and each is transformed into encrypted block of cipher bits using algorithm and key

Page 64: Network Security Basics

Cipher Methods (continued)

Substitution cipher: substitute one value for another

Monoalphabetic substitution: uses only one alphabet

Polyalphabetic substitution: more advanced; uses two or more alphabets

Transposition cipher: rearranges values within a block to create ciphertext

Exclusive OR (XOR): function of Boolean algebra; two bits are compared

If two bits are identical, result is binary 0

If two bits not identical, result is binary 1
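The three cipher methods on this slide and the XOR rule are small enough to implement in a few lines each, and doing so makes the distinctions concrete: substitution changes the values, transposition only moves them, and XOR with the same key undoes itself. The following is an added example, not from the slides: a monoalphabetic substitution over a 26-letter key alphabet, a Vigenère cipher as the polyalphabetic case (the key letter selects which shifted alphabet is used), a block transposition driven by a permutation, and repeating-key XOR over bytes. The key alphabet, key word, permutation and messages are constructed; these are classroom ciphers and none of them is secure.

```python
# Added example (not from the slides): substitution, transposition and XOR on sample text.
import string

ALPHABET = string.ascii_uppercase


def xor_table() -> dict:
    """Slide rule: identical bits give 0, differing bits give 1."""
    return {(a, b): a ^ b for a in (0, 1) for b in (0, 1)}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; one function both encrypts and decrypts since x ^ k ^ k == x."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def mono_substitute(text: str, key_alphabet: str, decrypt: bool = False) -> str:
    """Monoalphabetic substitution: one fixed cipher alphabet for the whole message."""
    src, dst = (key_alphabet, ALPHABET) if decrypt else (ALPHABET, key_alphabet)
    return text.upper().translate(str.maketrans(src, dst))


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Polyalphabetic substitution: key letter i selects the shifted alphabet for letter i."""
    out = []
    for i, ch in enumerate(text.upper()):
        shift = ALPHABET.index(key[i % len(key)].upper())
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
    return "".join(out)


def transpose(text: str, perm: tuple, decrypt: bool = False) -> str:
    """Transposition: values are rearranged within each block of len(perm) characters;
    nothing is substituted, so ciphertext and plaintext contain the same letters."""
    width = len(perm)
    if not decrypt:
        text = text + "X" * ((-len(text)) % width)   # pad the final block
    inverse = [0] * width
    for pos, j in enumerate(perm):
        inverse[j] = pos
    order = inverse if decrypt else perm
    return "".join("".join(text[i + j] for j in order)
                   for i in range(0, len(text), width))


def roundtrips() -> dict:
    """Encrypt then decrypt with each method; every value should be True."""
    key_alpha = "QWERTYUIOPASDFGHJKLZXCVBNM"   # constructed cipher alphabet
    perm = (2, 0, 3, 1)                         # constructed block permutation
    msg = b"attack at dawn"
    return {
        "xor": xor_bytes(xor_bytes(msg, b"k3y"), b"k3y") == msg,
        "mono": mono_substitute(mono_substitute("HELLO", key_alpha), key_alpha, True) == "HELLO",
        "poly": vigenere(vigenere("ATTACKATDAWN", "LEMON"), "LEMON", True) == "ATTACKATDAWN",
        "transpose": transpose(transpose("SECURITY", perm), perm, True) == "SECURITY",
    }


if __name__ == "__main__":
    print(xor_table())
    print(mono_substitute("HELLO", "QWERTYUIOPASDFGHJKLZXCVBNM"))
    print(vigenere("ATTACKATDAWN", "LEMON"))
    print(transpose("SECURITY", (2, 0, 3, 1)))
    print(roundtrips())
```

Note the two letters L in HELLO map to the same ciphertext letter under the monoalphabetic cipher but the two T's in ATTACK map to different letters under Vigenère; that repetition is exactly what frequency analysis exploits against the former and what the polyalphabetic case was invented to hide.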

Page 65: Network Security Basics


Table 8-1 Exclusive OR Operations

Page 66: Network Security Basics


Cryptographic Algorithms

Often grouped into two broad categories, symmetric and asymmetric; today’s popular cryptosystems use hybrid combination of symmetric and asymmetric algorithms

Symmetric and asymmetric algorithms distinguished by types of keys used for encryption and decryption operations

Page 67: Network Security Basics

Cryptographic Algorithms (continued)

Symmetric encryption: uses same “secret key” to encipher and decipher message

Encryption methods can be extremely efficient, requiring minimal processing

Both sender and receiver must possess encryption key

If either copy of key is compromised, an intermediary can decrypt and read messages

Page 68: Network Security Basics


Figure 8-3 Symmetric Encryption Example

Page 69: Network Security Basics

Cryptographic Algorithms (continued)

Data Encryption Standard (DES): one of most popular symmetric encryption cryptosystems

64-bit block size; 56-bit key

Adopted by NIST in 1976 as federal standard for encrypting non-classified information

Triple DES (3DES): created to provide security far beyond DES

Advanced Encryption Standard (AES): developed to replace both DES and 3DES

Page 70: Network Security Basics

Cryptographic Algorithms (continued)

Asymmetric Encryption (public key encryption)

Uses two different but related keys; either key can encrypt or decrypt message

If Key A encrypts message, only Key B can decrypt

Highest value when one key serves as private key and the other serves as public key

Page 71: Network Security Basics


Figure 8-4 Using Public Keys

Page 72: Network Security Basics

Symmetric Key Crypto: DES

DES: Data Encryption Standard

US encryption standard [NIST 1993]
56-bit symmetric key, 64-bit plaintext input
Block cipher with cipher block chaining

How secure is DES?

DES Challenge: 56-bit-key-encrypted phrase decrypted (brute force) in less than a day
No known good analytic attack

To make DES more secure:

3DES: encrypt 3 times with 3 different keys

Page 73: Network Security Basics

Symmetric Key Crypto: DES

DES Operation

Initial permutation
16 identical “rounds” of function application, each using different 48 bits of key
Final permutation

Page 74: Network Security Basics

AES: Advanced Encryption Standard

Symmetric-key NIST standard, replaced DES (Nov 2001)

Processes data in 128-bit blocks
128-, 192-, or 256-bit keys
Brute force decryption (try each key) taking 1 sec on DES takes 149 trillion years for AES

Page 75: Network Security Basics

Public Key Cryptography

Symmetric Key Crypto

Requires sender, receiver know shared secret key
Q: How to agree on key in first place (particularly if never “met”)?

Public Key Crypto

Radically different approach [Diffie-Hellman76, RSA78]
Sender, receiver do not share secret key
Public encryption key known to all
Private decryption key known only to receiver

Page 76: Network Security Basics

Public Key Cryptography

Figure: public key encryption

Plaintext message m -> encryption algorithm, using Bob’s public key K_B^+ -> ciphertext K_B^+(m) -> decryption algorithm, using Bob’s private key K_B^- -> plaintext message m = K_B^-(K_B^+(m))

Page 77: Network Security Basics

Public Key Encryption Algorithms

Requirements:

1. Need K_B^+( ) and K_B^-( ) such that K_B^-(K_B^+(m)) = m
2. Given public key K_B^+, it should be impossible to compute private key K_B^-

RSA: Rivest, Shamir, Adleman algorithm

Page 78: Network Security Basics

Prerequisite: Modular Arithmetic

x mod n = remainder of x when divided by n

Facts:

[(a mod n) + (b mod n)] mod n = (a+b) mod n
[(a mod n) - (b mod n)] mod n = (a-b) mod n
[(a mod n) * (b mod n)] mod n = (a*b) mod n

Thus (a mod n)^d mod n = a^d mod n

Example: x=14, n=10, d=2:

(x mod n)^d mod n = 4^2 mod 10 = 6
x^d = 14^2 = 196
x^d mod 10 = 6

Page 79: Network Security Basics

RSA: Getting Ready

Message: just a bit pattern
Bit pattern can be uniquely represented by an integer number
Thus, encrypting a message is equivalent to encrypting a number.

Example: m=10010001. This message is uniquely represented by the decimal number 145. To encrypt m, we encrypt the corresponding number, which gives a new number (the ciphertext).

Page 80: Network Security Basics

RSA: Creating Public/Private Key Pair

1. Choose two large prime numbers p, q. (e.g., 1024 bits each)

2. Compute n = pq, z = (p-1)(q-1)

3. Choose e (with e<n) that has no common factors with z (e, z are “relatively prime”).

4. Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1 ).

5. Public key is (n,e). Private key is (n,d).

K_B^+ = (n,e), K_B^- = (n,d)

Page 81: Network Security Basics

RSA: Encryption, Decryption

0. Given (n,e) and (n,d) as computed above

1. To encrypt message m (<n), compute c = m^e mod n

2. To decrypt received bit pattern c, compute m = c^d mod n

Magic happens! m = (m^e mod n)^d mod n, where c = m^e mod n

Page 82: Network Security Basics

RSA Example

Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime). d=29 (so ed-1 exactly divisible by z).

Encrypting 8-bit messages.

Encrypt:
bit pattern | m  | m^e    | c = m^e mod n
00001100    | 12 | 248832 | 17

Decrypt:
c  | c^d                                  | m = c^d mod n
17 | 481968572106750915091411825223071697 | 12

Page 83: Network Security Basics

Why Does RSA Work?

Must show that c^d mod n = m, where c = m^e mod n

Fact: for any x and y: x^y mod n = x^(y mod z) mod n, where n = pq and z = (p-1)(q-1)

Thus, c^d mod n = (m^e mod n)^d mod n
= m^(ed) mod n
= m^(ed mod z) mod n
= m^1 mod n
= m

Page 84: Network Security Basics

RSA: Another Important Property

The following property will be very useful later:

K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))

Use public key first, followed by private key, or use private key first, followed by public key: result is the same!

Page 85: Network Security Basics

Why? Follows directly from modular arithmetic:

(m^e mod n)^d mod n = m^(ed) mod n
= m^(de) mod n
= (m^d mod n)^e mod n

Hence K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))
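Slides 78 through 85 can be run end to end on their own numbers. The following is an added example, not from the slides: the modular-arithmetic facts, the bit-pattern-to-integer step, RSA key generation with the stated conditions on e and d, encryption and decryption, and the commutation property, checked against the worked example (p=5, q=7, e=5, d=29, m=12). One observation the slides do not make: the smallest d with ed mod z = 1 for these parameters is 5, and the slides' d=29 works because 29 ≡ 5 (mod 24); the key generator therefore accepts any valid d and verifies it. Toy parameters only; real RSA uses primes of the size slide 80 mentions, randomised padding, and constant-time arithmetic, none of which appears here.

```python
# Added example (not from the slides): modular arithmetic and textbook RSA on the slides' numbers.
from math import gcd


def mod_pow_fact(a: int, n: int, d: int) -> tuple:
    """Slide 78: (a mod n)^d mod n equals a^d mod n. Returns both sides."""
    return (pow(a % n, d, n), pow(a, d, n))


def bit_pattern_to_int(bits: str) -> int:
    """Slide 79: a message is just a bit pattern, i.e. an integer."""
    return int(bits, 2)


def keygen(p: int, q: int, e: int, d=None):
    """Slide 80: n = pq, z = (p-1)(q-1), e relatively prime to z, ed mod z = 1.
    Any d satisfying that congruence is valid (the slides use 29 for z = 24);
    if none is supplied the smallest positive one is computed."""
    n, z = p * q, (p - 1) * (q - 1)
    if not 1 < e < n or gcd(e, z) != 1:
        raise ValueError("e must be < n and relatively prime to z")
    if d is None:
        d = pow(e, -1, z)            # modular inverse, Python 3.8+
    if (e * d - 1) % z != 0:
        raise ValueError("ed - 1 must be exactly divisible by z")
    return (n, e), (n, d)            # K_B^+ = (n, e), K_B^- = (n, d)


def encrypt(m: int, public_key) -> int:
    """Slide 81 step 1: c = m^e mod n, for 0 <= m < n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(m, e, n)


def decrypt(c: int, private_key) -> int:
    """Slide 81 step 2: m = c^d mod n."""
    n, d = private_key
    return pow(c, d, n)


def rsa_example() -> dict:
    """Slide 82 worked through: p=5, q=7 -> n=35, z=24; e=5, d=29; m=12."""
    public_key, private_key = keygen(5, 7, 5, d=29)
    m = bit_pattern_to_int("00001100")
    c = encrypt(m, public_key)
    return {
        "n": public_key[0], "z": 24,
        "m": m, "m_e": m ** public_key[1], "c": c,             # 12, 248832, 17
        "c_d": c ** private_key[1], "m_back": decrypt(c, private_key),
    }


def exponent_reduction_holds(m: int, e: int, d: int, n: int, z: int) -> bool:
    """Slide 83: m^(ed) mod n == m^(ed mod z) mod n. Holds whenever gcd(m, n) = 1,
    which is the case for every message smaller than both primes."""
    return pow(m, e * d, n) == pow(m, (e * d) % z, n)


def commutes(m: int, public_key, private_key) -> bool:
    """Slides 84-85: K^-(K^+(m)) == K^+(K^-(m)) == m, because ed = de."""
    n, e = public_key
    _, d = private_key
    return pow(pow(m, e, n), d, n) == pow(pow(m, d, n), e, n) == m


if __name__ == "__main__":
    print("slide 78 check:", mod_pow_fact(14, 10, 2))
    print("slide 79 check:", bit_pattern_to_int("10010001"))
    print("slide 80 keys :", keygen(5, 7, 5, d=29), "smallest d:", keygen(5, 7, 5)[1][1])
    print("slide 82      :", rsa_example())
    print("slide 83 holds:", exponent_reduction_holds(12, 5, 29, 35, 24))
    print("slide 84 holds:", commutes(12, *keygen(5, 7, 5, d=29)))
```

The private-key-first order that `commutes` checks is the operation a digital signature uses (slide 89): the signer applies K_B^- and anyone holding K_B^+ can undo it. The caveat attached to `exponent_reduction_holds` matters for the proof on slide 83 only in the degenerate case where m shares a factor with n; for a 2048-bit n the chance of that is negligible, and the decryption identity itself still holds for every m < n.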

Page 86: Network Security Basics

Why Is RSA Secure?

Suppose you know Bob’s public key (n,e). How hard is it to determine d?

Essentially need to find factors of n without knowing the two factors p and q

Fact: factoring a big number is hard

Page 87: Network Security Basics

RSA In Practice: Session Keys

Exponentiation in RSA is computationally intensive

DES is at least 100 times faster than RSA

Use public key crypto to establish secure connection, then establish second key – symmetric session key – for encrypting data

Session key, K_S

Bob and Alice use RSA to exchange a symmetric key K_S

Once both have K_S, they use symmetric key cryptography

Page 88: Network Security Basics


Cryptography Tools

Public Key Infrastructure (PKI): integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services enabling users to communicate securely

PKI systems based on public key cryptosystems; include digital certificates and certificate authorities (CAs)

Page 89: Network Security Basics


Digital Signatures

Encrypted messages that can be mathematically proven to be authentic

Created in response to rising need to verify information transferred using electronic systems

Asymmetric encryption processes used to create digital signatures

Page 90: Network Security Basics


Digital Certificates

Electronic document containing key value and identifying information about entity that controls key

Digital signature attached to certificate’s container file to certify file is from entity it claims to be from

Page 91: Network Security Basics


Figure 8-5 Digital Signatures

Page 92: Network Security Basics


Summary of Cryptography

Cryptography and encryption provide sophisticated approach to security

Many security-related tools use embedded encryption technologies

Encryption converts a message into a form that is unreadable by the unauthorized

Many tools are available and can be classified as symmetric or asymmetric, each having advantages and special capabilities

Page 93: Network Security Basics


Acknowledgement

These slides are partially from our course reference texts:

James Kurose and Keith Ross, Computer Networking: A Top-Down Approach Featuring the Internet, Addison Wesley, 2010, ISBN 13:978-0-13-607967-5 (5th edition or later)

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, Thomson/Course Technology, ISBN 0-619-21625-5, Fourth Edition, 2012