Overview Windows NT 4.0 Security Cryptography SSL CryptoAPI SSPI, Certificate Server, Authenticode Firewall & Proxy Server IIS Security IE Security

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Overview Windows NT 4.0 Security Cryptography SSL CryptoAPI SSPI, Certificate Server, Authenticode Firewall & Proxy Server IIS Security IE Security"

Transcription

1 Overview Windows NT 4.0 Security Cryptography SSL CryptoAPI SSPI, Certificate Server, Authenticode Firewall & Proxy Server IIS Security IE Security Ch 7 - Security 1

2 Confidentiality and privacy: Protect business and personal information from unauthorized disclosure. Integrity: Protect information from unauthorized modification. Availability: Protect information and processing services from disruption and destruction. Accountability and non-repudiation: Ensure that individuals can be held responsible for their actions. Ch 7 - Security 2

3 Applications NT Security Features Enabling Technologies Basic Principles Ch 7 - Security 3

4 Authentication Access control Cryptography Firewall System Integrity Auditing Ch 7 - Security 4

5 CryptoAPI P-Store, Wallet, PFX Smart Cards Security Support Provider, Secure RPC, DCOM Certificate Server Authenticode, Java Security Ch 7 - Security 5

6 IIS Proxy Server SQL Server IE Exchange, Outlook SNA Server Ch 7 - Security 6

7 User Authentication Access Control Refs: hdetails/prodarch/cooperslybrand.asp Ch 7 - Security 7

8 A domain is a logical group of computers that share a set of common user accounts The Domain Controller, a NT server, keeps the domain user account database, which is visible to all computers. Each local computer has its own isolated user account database. Local user accounts are not necessarily domain user accounts and vice versa. Ch 7 - Security 8

9 Local Logon: how - check the local user account database. only the hashed password is stored. Remote logon: types - Remote Access Service (RAS): Dial-up Virtual Private Network (VPN): Internet-based logon from local computer as a domain user Ch 7 - Security 9

10 1. The domain controller is requested to set up a secure RPC session. 2. The controller issues a 16-byte one-time randomly generated number as the challenge. 3. The local computer produces a response by encrypting the hashed password and challenge together and sends it back a response. 4. The controller uses the challenge and the hashed password from the domain user account database to produce its own response. 5. The logon is granted if the two responses match. Ch 7 - Security 10

11 Each user ID is associated with an security ID (SID). Each user may belong to one or more user s groups, and is given group SID. For simplicity, group SID are ignored from here on. An access token is created upon a user logon, which is attached to any process (or thread) the user invoked. An access token is mainly comprised of two parts: the SID User Rights: privileges of the process associated with the token; mostly related to the computer, e.g. shut down the computer Ch 7 - Security 11

12 Similar to Daemon in UNIX It runs forever unless otherwise halted. Users may log on to an NT service without logon to the NT system. Examples: SQL Server, MS Exchange, IIS and other operating system functions such as WINS (Windows Internet Name Service). User may supply his/her own application as a service. Ch 7 - Security 12

13 An NT service may use the access token of the client to acquire resources. An NT service may not logon to another NT machine on the behalf of the client, because NetLogon does not authenticate with any access token. Ch 7 - Security 13

14 Each NT object is associated with an ACL which has two components: Discretionary ACL: specifies the access permissions for each user. System ACL: for security logging and auditing NTFS ACL permissions for each directory and file object: Read, Write, Execute, Delete, Change Permissions, Take Ownership Ch 7 - Security 14

15 An ACE determines whether an entity X is allowed or not allowed to do activity Y (DACL) an attempt by entity X to do activity Y is or is not to be logged in the security event logs (SACL) Components in an ACE: SID (for entity X) Type (for action) Access permissions (for entity Y) Ch 7 - Security 15

16 Ch 7 - Security 16

17 If DACL is empty, then no one is allowed access to the object If DACL is deleted, then everyone is allowed access to the object In traversing a DACL, the system stops looking as soon as access is explicitly granted or denied. For safety, denial ACEs should appear in the ACL. Ch 7 - Security 17

18 Three major concerns: Privacy tool: Encryption/Decryption Authentication tool: digital certificate Integrity tool: digital signature (digital timestamp) Ref: ml Ch 7 - Security 18

19 Cipher is the procedure of encrypting a message. Cipher usually has one or more parameters, that are considered keys, i.e. the values may be generated randomly. Cipher is not usually not the object to protect; keys are. Ch 7 - Security 19

20 Ch 7 - Security 20

21 Symmetric: encryption key = decryption key key is private Asymmetric: encryption key not equal to decryption key one public key and one secret key Ch 7 - Security 21

22 Stream Cipher Block Cipher Input:a fixed-length block of plaintext Parameter: the encryption key Output: a block of encrypted text of the same length Deciphers work in a reverse way, with the same key. Ch 7 - Security 22

23 If a party intends to communicate with 5 other parties, it needs 5 different keys. Transmitting a private key over an insecure communication channel is problematic. Ch 7 - Security 23

24 Lengths: 128/40 bits (North America/Export) Strength: DES 56-bit key (the Data Encryption Standard) is too small for safety. US Govt. recommends 40/512 for adequate and strategic strengths RSA, the most well-known vendor, recommends 80/768 Safe transport of key Well known secret: password Public-key cryptography Ch 7 - Security 24

25 E and D are the cipher and decipher respectively, and M is the message. D(E(M)) = M Both E and D are easy to compute. D is a one-way function, if by revealing E in public, there is no easy way for others to compute D. Ch 7 - Security 25

26 E is a cipher with n as the parameter, where n is the product of two larger prime numbers p, and q. D is a decipher with p and q as the parameters. Both D and E are well-known, albeit patented algorithms. n is the public key The p and q together is the private key The one-way function here is the multiplication of p and q. Ch 7 - Security 26

27 A product of 2 large prime numbers is 129- digit long (about 435-bits) In early 90 s, it took eight months using 1,600 computers to derive the two prime factors of this product. Ch 7 - Security 27

28 A (Alice) gets B s (Bob) public key from the directory, with which to encrypt the message. The cipher-text is transmitted over an insecure channel to Bob. Bob receives the message, and use his own secret private key to decrypt the cipher-text. Ch 7 - Security 28

29 Public key cryptography offers increased security and convenience Symmetric algorithms are much faster. In practice, public key cryptography is used to pass the private key needed to run symmetric algorithms. Ch 7 - Security 29

30 Ch 7 - Security 30

31 the output has a fixed length, H(x) is relatively easy to compute for any given x, H(x) is one-way, H(x) is collision-free. Ch 7 - Security 31

32 Bob computes the message digest MG, of the message M using a cryptographic hash function H, i.e. MG=H(M). Bob encrypts MG with his private key D B, and sends D B (MG) to Alice, together with the un-ciphered M. Alice uses Bob s public key E B to decipher D B (MG) obtain MG. Alice applies the same H to M, to obtained MG. If MG is equal to MG, Alice now has proof the Bob signs the message. Ch 7 - Security 32

33 SHA = A well-known cryptographic hash Ch 7 - Security 33

34 Hashing is not strictly necessary, but it will save time in the encryption. It may be extremely difficult to crack a one-way hash function, but it is (slightly) easier to produce a different message that is hashed to the same result. Birthday Attack : for a group of 23 or more people the probability that two or more people share the same birthday > 50%. If a message M may be found such H(M )=H(M), Bob may be perceived to have signed the message M as well. Ch 7 - Security 34

35 Bob computes his signature S for the message M using his private key D B, i.e. S=D B (M) Bob encrypts the signature with Alice s public key, E A, and sends E A (S) to Alice, together with the unciphered M. Alice uses her own private key D A to decrypt the ciphertext, and then use Bob s public key E B to obtain M. If M is not equal to M, some one must have tempered the message, and/or Bob did not sign it. If M is equal to M, Alice now has the proof the Bob sends the message to Alice. Ch 7 - Security 35

36 Certificate Authorities are created to certify the authenticity of a public key. A certificate contains at least the following: the public key the name of the owner the issuing CA digital signature CA keeps a list of revoked certificates which are declared invalid before they expire. Ch 7 - Security 36

37 To be effective, the user must have a high level of trust in the CA which issues. CA may rely on its own certification by other CA s to establish a level of trust, hence a hierarchy of trust. An organization may become a CA for issuing certificates to its employees. Ch 7 - Security 37

38 Ch 7 - Security 38

39 1. Key generation: the individual generates key pairs of public and private keys. 2. Matching of policy information: the applicant packages up the additional information necessary for the CA to issue the certificate 3. Sending of public keys and information: the applicant sends the public keys and information to the CA. Ch 7 - Security 39

40 4. Verification of information: the CA applies whatever policy rules it might require to verify that the applicant should receive a certificate. 5. Certificate creation: the CA creates a digital document with the appropriate information (public keys, expiration date, other data) and signs it using the CA's private key. 6. Sending/posting of certificate: The CA may send the certificate to the applicant, or post it publicly as appropriate. Ch 7 - Security 40

41 Man-in-the-middle attack: garbled message Integrity of messages in plaintext (e.g. stock price) Need to authenticate the message, but not the sender or receiver: Digital coupon, digital ticket, Ch 7 - Security 41

42 Use cryptographic hash function to produce a message digest Encrypt the digest with a secret key to produce the MAC. The message may be optionally encrypted. The MAC can be decrypted only by the same secret key. Ch 7 - Security 42

43 SSL is the most popular protocol for secure communication over insecure channel. SSL is a layered protocol. SSL is application protocol independent. A higher level protocol can layer on top of the SSL Protocol transparently. SSL imposes a performance penalty. Ch 7 - Security 43

44 The connection is private: Encryption is used after an initial handshake to define a secret key. Symmetric cryptography is used for data encryption The peer's identity are authenticated: Digital certificates are examined. The connection is reliable. Message transport includes a message integrity check using a keyed MAC. Cryptographic hash functions are used. Ch 7 - Security 44

45 SSL Record Protocol is used for encapsulation of various higher level protocols, the Handshake Protocol. manages the CipherSpec, the state of SSL protocol SSL Handshake Protocol: It allows the server and client to authenticate each other to negotiate an encryption algorithm to negotiate cryptographic keys before the application protocol transmits or receives its first byte of data. Ch 7 - Security 45

46 Ch 7 - Security 46

47 Web server needs 3 to 4 threads to process the protocol set-up. During the message transmission, it takes on average tens of instructions to process each byte of the message. The window size for SSL is only 16K. SSL runs only in user mode. Ch 7 - Security 47

48 A firewall is a system that enforces an access control policy between two networks. It blocks or permits traffic one network to another. Firewall acts a single choke point where security and audit can be imposed. Ch 7 - Security 48

49 Firewall is a generic name for hardware, software, or its combination that used to protect internal network from intruders. Two types of firewalls: Network level Application level application-level proxy service circuit-level gateway proxy (SOCKS) Ref: Ch 7 - Security 49

50 A router is a hardware that can perform simple packet filtering at the network level. It implements rules that blocks or permit IP packets, based on a number of factors: destination address source address port number service types (e.g. DNS queries, SMPT mail) Ch 7 - Security 50

51 Bastion host architecture Filtering host architecture Filtering subset architecture Ch 7 - Security 51

52 Ch 7 - Security 52

53 Bastion host is usually a proxy server on NT platform. A bastion may have two network interface cards (with different IP addresses), which allows to be a dual-homed host, i.e. running on two networks. The proxy server will relay the authorized traffic between the two interfaces and block traffic that is denied. The host is able to provide extensive logging of transactions for auditing purposes. Ch 7 - Security 53

54 Ch 7 - Security 54

55 SSL provides a secure end-to-end session between the client and original server. The proxy server will become a tunnel, or a byteforwarder in both directions. It cannot, and need not act as the application level proxy. Benefits: URL is hidden from the proxy server Minimize the chance of man-in-the-middle attack. Downside: no protection for other security risks. Ch 7 - Security 55

56 The proxy server is sent a HTTP request with a CONNECT method on a HTTP header. The proxy server will response either positively, or negatively. The tunneling ceases to work when one side drops the connection. Ch 7 - Security 56

57 Ch 7 - Security 57

58 The router can be configured to make the proxy server as the only host that accesses the router. All internal hosts will be forced to use the proxy server to reach external hosts. This architecture is more secure than the bastion host one because it provides two layers of protection. Ch 7 - Security 58

59 Ch 7 - Security 59

60 The internal network is considered as a subnet. The perimeter network is considered as a filtering subnet. There is no internal information on the filtering subnet. Benefits: Provides specific security requirements to a subset of an organization (CSIL) Provides three layers of protection. Ch 7 - Security 60

61 CryptoAPI is an API that provides core cryptographic functionality to application developers. Features: cryptographic hashing, encrypting and decrypting data, private and public key cryptography authentication using digital certificates, managing certificates in certificate stores. Ch 7 - Security 61

62 A CSP contains implementations of cryptographic standards and algorithms. Microsoft works with vendors such as RSA Data Security Inc. to develop programs that implements the features of CryptoAPI. Ch 7 - Security 62

63 Ch 7 - Security 63

64 Secure Support Provider Interface MS Certificate Server MS Authenticode Ch 7 - Security 64

65 SSPI makes common network authentication schemes available to application developers via simplified software libraries. A SSP is a library that manages a particular scheme. User of SSPI may call its SSP directly or use the secure options in DCOM or RPC. Ch 7 - Security 65

66 Kerberos NTLM (NT Lan Manager) SSL DPA (password-based) Ch 7 - Security 66

67 Certificate Server is a toolkit for building a Certificate Authority (CA) for large networks. It enables an organization to issue, renew, and revoke certificates without having to rely on external certificate. Each site building a CA with Certificate Server may supply its own approval module to verify the certificate applicant, or use a market standard modules (like software publishing). Ch 7 - Security 67

68 It uses simple cryptographic integrity features to help ensure the authenticity of a software module. Digital signature is generated by the Authenticode software which is attached to the code. This technology may be used to sign script, COM objects, and programs in C++ or VB. Ch 7 - Security 68

69 Grant or deny access for both inbound and outbound connections by: user service / port IP domain Each port can be enabled or disabled for communications by a specific list of users or user groups. Ch 7 - Security 69

70 Local Address Table: A system table containing the IP internal IPs. Use by Proxy Server to prevent IP spoofing. Packet alert: issue alerts for specific events, such as for dropped packets or packets sent to an unused service port. IP address aggregation: requests to external hosts will use proxy s external IP. SSL Tunnelling Ch 7 - Security 70

71 Anonymous User: an NT user account IUSR_xxxx, where xxxx is the server name, will be assigned to the user. NT User: Basic authentication Challenge/Response Ch 7 - Security 71

72 The access permission to objects in the Web application is determined by the user s access token. The request by anonymous user to access the requested object will be denied if its ACL does not permit access by IUSER. HTTP will response with a failure return-code (HTTP Error 401), with an authenticate header: WWW-Authenticate: Basic WWW-Authenticate: NTLM The browser will choose one of the two methods. Ch 7 - Security 72

73 Procedure: The browser will gather the user account and password from the user. The information will be sent to the server in BASE64 code. Given a choice, Netscape browser will pick this method over NTLM, because it does not do NTLM IE will by default use NTLM. Ch 7 - Security 73

74 IIS will impersonate the user when accessing resources in the server. When IIS attempts to logon to a remote database server: In case of the basic authentication, IIS will be able to do because it has the user id and password. In case of NTLM, IIS can t because domain controller, instead of IIS, did the authentication. Ch 7 - Security 74

75 <%If request.servervariables("remote_addr") = " " then Response.Buffer = TRUE Response.Status = ("401 Unauthorized") Response.End End If%> Ch 7 - Security 75

76 <% Response.Clear Response.Buffer = True Response.Status = 401 Unauthorized Response.AddHeader WWW-Authenticate, NTLM Response.End %> Ch 7 - Security 76

77 User may set different levels of security for the following classes of sites: Internet Local Intranet Trusted sites Restricted sites Major differences: Prompt/No-prompt signature of ActiveX Control required/not required. Cookies allowed/not allowed Ch 7 - Security 77

Cornerstones of Security

Cornerstones of Security Internet Security Cornerstones of Security Authenticity the sender (either client or server) of a message is who he, she or it claims to be Privacy the contents of a message are secret and only known to

More information

Overview. SSL Cryptography Overview CHAPTER 1

Overview. SSL Cryptography Overview CHAPTER 1 CHAPTER 1 Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. The features in this chapter apply to IPv4 and IPv6 unless otherwise noted. Secure

More information

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide Network Security [2] Public Key Encryption Also used in message authentication & key distribution Based on mathematical algorithms, not only on operations over bit patterns (as conventional) => much overhead

More information

Chapter 17. Transport-Level Security

Chapter 17. Transport-Level Security Chapter 17 Transport-Level Security Web Security Considerations The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets The following characteristics

More information

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Overview of CSS SSL. SSL Cryptography Overview CHAPTER CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet, ensuring secure transactions such as the transmission of credit card numbers

More information

Chapter 10. Network Security

Chapter 10. Network Security Chapter 10 Network Security 10.1. Chapter 10: Outline 10.1 INTRODUCTION 10.2 CONFIDENTIALITY 10.3 OTHER ASPECTS OF SECURITY 10.4 INTERNET SECURITY 10.5 FIREWALLS 10.2 Chapter 10: Objective We introduce

More information

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli 4-25-2002

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli 4-25-2002 INTERNET SECURITY: FIREWALLS AND BEYOND Mehernosh H. Amroli 4-25-2002 Preview History of Internet Firewall Technology Internet Layer Security Transport Layer Security Application Layer Security Before

More information

Chapter 8. Network Security

Chapter 8. Network Security Chapter 8 Network Security Cryptography Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental Cryptographic Principles Need for Security Some people who

More information

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Using etoken for SSL Web Authentication. SSL V3.0 Overview Using etoken for SSL Web Authentication Lesson 12 April 2004 etoken Certification Course SSL V3.0 Overview Secure Sockets Layer protocol, version 3.0 Provides communication privacy over the internet. Prevents

More information

Overview. SSL Cryptography Overview CHAPTER 1

Overview. SSL Cryptography Overview CHAPTER 1 CHAPTER 1 Secure Sockets Layer (SSL) is an application-layer protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through

More information

Sync Security and Privacy Brief

Sync Security and Privacy Brief Introduction Security and privacy are two of the leading issues for users when transferring important files. Keeping data on-premises makes business and IT leaders feel more secure, but comes with technical

More information

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security? 7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk

More information

E-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY)

E-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY) E-Commerce Security An e-commerce security system has four fronts: LECTURE 7 (SECURITY) Web Client Security Data Transport Security Web Server Security Operating System Security A safe e-commerce system

More information

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

CS 356 Lecture 27 Internet Security Protocols. Spring 2013 CS 356 Lecture 27 Internet Security Protocols Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1 Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions

More information

Security: Focus of Control. Authentication

Security: Focus of Control. Authentication Security: Focus of Control Three approaches for protection against security threats a) Protection against invalid operations b) Protection against unauthorized invocations c) Protection against unauthorized

More information

Chapter 7 Transport-Level Security

Chapter 7 Transport-Level Security Cryptography and Network Security Chapter 7 Transport-Level Security Lectured by Nguyễn Đức Thái Outline Web Security Issues Security Socket Layer (SSL) Transport Layer Security (TLS) HTTPS Secure Shell

More information

Transport Layer Security Protocols

Transport Layer Security Protocols SSL/TLS 1 Transport Layer Security Protocols Secure Socket Layer (SSL) Originally designed to by Netscape to secure HTTP Version 2 is being replaced by version 3 Subsequently became Internet Standard known

More information

Security Technology: Firewalls and VPNs

Security Technology: Firewalls and VPNs Security Technology: Firewalls and VPNs 1 Learning Objectives Understand firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up

More information

Security IIS Service Lesson 6

Security IIS Service Lesson 6 Security IIS Service Lesson 6 Skills Matrix Technology Skill Objective Domain Objective # Configuring Certificates Configure SSL security 3.6 Assigning Standard and Special NTFS Permissions Enabling and

More information

Windows 2000 Security Architecture. Peter Brundrett Program Manager Windows 2000 Security Microsoft Corporation

Windows 2000 Security Architecture. Peter Brundrett Program Manager Windows 2000 Security Microsoft Corporation Windows 2000 Security Architecture Peter Brundrett Program Manager Windows 2000 Security Microsoft Corporation Topics Single Sign-on Kerberos v5 integration Active Directory security Delegation of authentication

More information

ISM/ISC Middleware Module

ISM/ISC Middleware Module ISM/ISC Middleware Module Lecture 13: Security for Middleware Applications Dr Geoff Sharman Visiting Professor in Computer Science Birkbeck College Geoff Sharman Sept 07 Lecture 13 Aims to: 2 Show why

More information

Java / ActiveX Security. David Gristwood Senior Consultant Microsoft Ltd

Java / ActiveX Security. David Gristwood Senior Consultant Microsoft Ltd Java / ActiveX Security David Gristwood Senior Consultant Microsoft Ltd Security Issues Covers many areas: Transact business securely Ensure privacy of conversations Authenticate users in communications

More information

Savitribai Phule Pune University

Savitribai Phule Pune University Savitribai Phule Pune University Centre for Information and Network Security Course: Introduction to Cyber Security / Information Security Module : Pre-requisites in Information and Network Security Chapter

More information

: Network Security. Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT

: Network Security. Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT Subject Code Department Semester : Network Security : XCS593 : MSc SE : Nineth Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT Part A (2 marks) 1. What are the various layers of an OSI reference

More information

CS 348: Computer Networks. - Security; 30 th - 31 st Oct 2012. Instructor: Sridhar Iyer IIT Bombay

CS 348: Computer Networks. - Security; 30 th - 31 st Oct 2012. Instructor: Sridhar Iyer IIT Bombay CS 348: Computer Networks - Security; 30 th - 31 st Oct 2012 Instructor: Sridhar Iyer IIT Bombay Network security Security Plan (RFC 2196) Identify assets Determine threats Perform risk analysis Implement

More information

Content Teaching Academy at James Madison University

Content Teaching Academy at James Madison University Content Teaching Academy at James Madison University 1 2 The Battle Field: Computers, LANs & Internetworks 3 Definitions Computer Security - generic name for the collection of tools designed to protect

More information

Transport Level Security

Transport Level Security Transport Level Security Overview Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/

More information

Configuring Security Features of Session Recording

Configuring Security Features of Session Recording Configuring Security Features of Session Recording Summary This article provides information about the security features of Citrix Session Recording and outlines the process of configuring Session Recording

More information

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Firewalls and VPNs. Principles of Information Security, 5th Edition 1 Firewalls and VPNs Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Understand firewall technology and the various approaches

More information

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Module 8. Network Security. Version 2 CSE IIT, Kharagpur Module 8 Network Security Lesson 2 Secured Communication Specific Instructional Objectives On completion of this lesson, the student will be able to: State various services needed for secured communication

More information

Chapter 4 Virtual Private Networking

Chapter 4 Virtual Private Networking Chapter 4 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the FVL328 Firewall. VPN tunnels provide secure, encrypted communications between

More information

Network Security Essentials Chapter 5

Network Security Essentials Chapter 5 Network Security Essentials Chapter 5 Fourth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 5 Transport-Level Security Use your mentality Wake up to reality From the song, "I've Got

More information

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall Chapter 10 Firewall Firewalls are devices used to protect a local network from network based security threats while at the same time affording access to the wide area network and the internet. Basically,

More information

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise

More information

7.1. Remote Access Connection

7.1. Remote Access Connection 7.1. Remote Access Connection When a client uses a dial up connection, it connects to the remote access server across the telephone system. Windows client and server operating systems use the Point to

More information

Compter Networks Chapter 9: Network Security

Compter Networks Chapter 9: Network Security Goals of this chapter Compter Networks Chapter 9: Network Security Give a brief glimpse of security in communication networks Basic goals and mechanisms Holger Karl Slide set: Günter Schäfer, TU Ilmenau

More information

VPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu

VPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu VPN Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu What is VPN? A VPN (virtual private network) is a private data network that uses public telecommunicating infrastructure (Internet), maintaining

More information

Chapter 37. Secure Networks

Chapter 37. Secure Networks Chapter 37 Network Security (Access Control, Encryption, Firewalls) Secure Networks Secure network is not an absolute term Need to define security policy for organization Network security policy cannot

More information

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust Security in Wireless LANs and Mobile Networks Wireless Magnifies Exposure Vulnerability Information going across the wireless link is exposed to anyone within radio range RF may extend beyond a room or

More information

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Module 8. Network Security. Version 2 CSE IIT, Kharagpur Module 8 Network Security Lesson 3 Firewalls Specific Instructional Objectives On completion of this lesson, the students will be able to answer: What a firewall is? What are the design goals of Firewalls

More information

Computer System Management: Hosting Servers, Miscellaneous

Computer System Management: Hosting Servers, Miscellaneous Computer System Management: Hosting Servers, Miscellaneous Amarjeet Singh October 22, 2012 Partly adopted from Computer System Management Slides by Navpreet Singh Logistics Any doubts on project/hypo explanation

More information

FileCloud Security FAQ

FileCloud Security FAQ is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file

More information

Security (II) ISO 7498-2: Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012

Security (II) ISO 7498-2: Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012 Course Outline: Fundamental Topics System View of Network Security Network Security Model Security Threat Model & Security Services Model Overview of Network Security Security Basis: Cryptography Secret

More information

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications Learning objectives E-commerce Security Threats and Protection Mechanisms. This lecture covers internet security issues and discusses their impact on an e-commerce. Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html

More information

RemotelyAnywhere Getting Started Guide

RemotelyAnywhere Getting Started Guide April 2007 About RemotelyAnywhere... 2 About RemotelyAnywhere... 2 About this Guide... 2 Installation of RemotelyAnywhere... 2 Software Activation...3 Accessing RemotelyAnywhere... 4 About Dynamic IP Addresses...

More information

Module 7 Security CS655! 7-1!

Module 7 Security CS655! 7-1! Module 7 Security CS655! 7-1! Issues Separation of! Security policies! Precise definition of which entities in the system can take what actions! Security mechanism! Means of enforcing that policy! Distributed

More information

Security & Privacy on the WWW. Topic Outline. Information Security. Briefing for CS4173

Security & Privacy on the WWW. Topic Outline. Information Security. Briefing for CS4173 Security & Privacy on the WWW Briefing for CS4173 Topic Outline 1. Information Security Relationship to safety Definition of important terms Where breaches can occur Web techniques Components of security

More information

Authentication Application

Authentication Application Authentication Application KERBEROS In an open distributed environment servers to be able to restrict access to authorized users to be able to authenticate requests for service a workstation cannot be

More information

Client Server Registration Protocol

Client Server Registration Protocol Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are

More information

Security Digital Certificate Manager

Security Digital Certificate Manager System i Security Digital Certificate Manager Version 5 Release 4 System i Security Digital Certificate Manager Version 5 Release 4 Note Before using this information and the product it supports, be sure

More information

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0 Entrust Managed Services PKI Getting started with digital certificates and Entrust Managed Services PKI Document issue: 1.0 Date of issue: May 2009 Copyright 2009 Entrust. All rights reserved. Entrust

More information

Security Policy Revision Date: 23 April 2009

Security Policy Revision Date: 23 April 2009 Security Policy Revision Date: 23 April 2009 Remote Desktop Support Version 3.2.1 or later for Windows Version 3.1.2 or later for Linux and Mac 4 ISL Light Security Policy This section describes the procedure

More information

Chapter 32 Internet Security

Chapter 32 Internet Security Chapter 32 Internet Security Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 32: Outline 32.1 NETWORK-LAYER SECURITY 32.2 TRANSPORT-LAYER SECURITY 32.3

More information

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013 CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access

More information

Case Study for Layer 3 Authentication and Encryption

Case Study for Layer 3 Authentication and Encryption CHAPTER 2 Case Study for Layer 3 Authentication and Encryption This chapter explains the basic tasks for configuring a multi-service, extranet Virtual Private Network (VPN) between a Cisco Secure VPN Client

More information

Security vulnerabilities in the Internet and possible solutions

Security vulnerabilities in the Internet and possible solutions Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in

More information

Chapter 12. Security Policy Life Cycle. Network Security 8/19/2010. Network Security

Chapter 12. Security Policy Life Cycle. Network Security 8/19/2010. Network Security Chapter 12 Network Security Security Policy Life Cycle A method for the development of a comprehensive network security policy is known as the security policy development life cycle (SPDLC). Network Security

More information

Proxy Server, Network Address Translator, Firewall. Proxy Server

Proxy Server, Network Address Translator, Firewall. Proxy Server Proxy Server, Network Address Translator, Firewall 1 Proxy Server 2 1 Introduction What is a proxy server? Acts on behalf of other clients, and presents requests from other clients to a server. Acts as

More information

INF3510 Information Security University of Oslo Spring 2011. Lecture 9 Communication Security. Audun Jøsang

INF3510 Information Security University of Oslo Spring 2011. Lecture 9 Communication Security. Audun Jøsang INF3510 Information Security University of Oslo Spring 2011 Lecture 9 Communication Security Audun Jøsang Outline Network security concepts Communication security Perimeter security Protocol architecture

More information

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 12 Applying Cryptography

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 12 Applying Cryptography Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography Objectives Define digital certificates List the various types of digital certificates and how they are used

More information

Proxy firewalls. thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/

Proxy firewalls. thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/ Proxy firewalls thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/ Content Proxy Firewalls How Proxy Firewalls Work Forward / Reverse Proxies Application-Level Proxies Gateways (Circuit-Level

More information

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with

More information

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But it s

More information

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection. A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based

More information

Security Digital Certificate Manager

Security Digital Certificate Manager IBM i Security Digital Certificate Manager 7.1 IBM i Security Digital Certificate Manager 7.1 Note Before using this information and the product it supports, be sure to read the information in Notices,

More information

Citrix MetaFrame XP Security Standards and Deployment Scenarios

Citrix MetaFrame XP Security Standards and Deployment Scenarios Citrix MetaFrame XP Security Standards and Deployment Scenarios Including Common Criteria Information MetaFrame XP Server for Windows with Feature Release 3 Citrix Systems, Inc. Information in this document

More information

Lukasz Pater CMMS Administrator and Developer

Lukasz Pater CMMS Administrator and Developer Lukasz Pater CMMS Administrator and Developer EDMS 1373428 Agenda Introduction Why do we need asymmetric ciphers? One-way functions RSA Cipher Message Integrity Examples Secure Socket Layer Single Sign

More information

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9 Firewalls and Intrusion Prevention Systems Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish

More information

Information Security

Information Security Information Security Dr. Vedat Coşkun Malardalen September 15th, 2009 08:00 10:00 vedatcoskun@isikun.edu.tr www.isikun.edu.tr/~vedatcoskun What needs to be secured? With the rapid advances in networked

More information

z/os Firewall Technology Overview

z/os Firewall Technology Overview z/os Firewall Technology Overview Mary Sweat E - Mail: sweatm@us.ibm.com Washington System Center OS/390 Firewall/VPN 1 Firewall Technologies Tools Included with the OS/390 Security Server Configuration

More information

DATA SECURITY 1/12. Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0

DATA SECURITY 1/12. Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0 DATA SECURITY 1/12 Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0 Contents 1. INTRODUCTION... 3 2. REMOTE ACCESS ARCHITECTURES... 3 2.1 DIAL-UP MODEM ACCESS... 3 2.2 SECURE INTERNET ACCESS

More information

Xerox DocuShare Security Features. Security White Paper

Xerox DocuShare Security Features. Security White Paper Xerox DocuShare Security Features Security White Paper Xerox DocuShare Security Features Businesses are increasingly concerned with protecting the security of their networks. Any application added to a

More information

Common security requirements Basic security tools. Example. Secret-key cryptography Public-key cryptography. Online shopping with Amazon

Common security requirements Basic security tools. Example. Secret-key cryptography Public-key cryptography. Online shopping with Amazon 1 Common security requirements Basic security tools Secret-key cryptography Public-key cryptography Example Online shopping with Amazon 2 Alice credit card # is xxxx Internet What could the hacker possibly

More information

Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key

Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key Friends and Enemies Security Outline Encryption lgorithms Protocols Message Integrity Protocols Key Distribution Firewalls Figure 7.1 goes here ob, lice want to communicate securely Trudy, the intruder

More information

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks Decryption Palo Alto Networks PAN-OS Administrator s Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

Chapter 8 Security. IC322 Fall 2014. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Chapter 8 Security. IC322 Fall 2014. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 Chapter 8 Security IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross, All

More information

Network Security and Firewall 1

Network Security and Firewall 1 Department/program: Networking Course Code: CPT 224 Contact Hours: 96 Subject/Course WEB Access & Network Security: Theoretical: 2 Hours/week Year Two Semester: Two Prerequisite: NET304 Practical: 4 Hours/week

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 24 Windows and Windows Vista Security First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Windows and Windows Vista Security

More information

Authentication Types. Password-based Authentication. Off-Line Password Guessing

Authentication Types. Password-based Authentication. Off-Line Password Guessing Authentication Types Chapter 2: Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter 3: Security on Network and Transport Layer Chapter 4:

More information

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009 16 th lecture Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009 1 25 Organization Welcome to the New Year! Reminder: Structure of Communication Systems lectures

More information

CRYPTOGRAPHY IN NETWORK SECURITY

CRYPTOGRAPHY IN NETWORK SECURITY ELE548 Research Essays CRYPTOGRAPHY IN NETWORK SECURITY AUTHOR: SHENGLI LI INSTRUCTOR: DR. JIEN-CHUNG LO Date: March 5, 1999 Computer network brings lots of great benefits and convenience to us. We can

More information

How to Secure a Groove Manager Web Site

How to Secure a Groove Manager Web Site How to Secure a Groove Manager Web Site Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations,

More information

As enterprises conduct more and more

As enterprises conduct more and more Efficiently handling SSL transactions is one cornerstone of your IT security infrastructure. Do you know how the protocol actually works? Wesley Chou Inside SSL: The Secure Sockets Layer Protocol Inside

More information

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls CEN 448 Security and Internet Protocols Chapter 20 Firewalls Dr. Mostafa Hassan Dahshan Computer Engineering Department College of Computer and Information Sciences King Saud University mdahshan@ccis.ksu.edu.sa

More information

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Network Security (2) CPSC 441 Department of Computer Science University of Calgary Network Security (2) CPSC 441 Department of Computer Science University of Calgary 1 Friends and enemies: Alice, Bob, Trudy well-known in network security world Bob, Alice (lovers!) want to communicate

More information

Protecting Microsoft Internet Information Services Web Servers with ISA Server 2004

Protecting Microsoft Internet Information Services Web Servers with ISA Server 2004 Protecting Microsoft Internet Information Services Web Servers with ISA Server 2004 White Paper Published: June 2004 For the latest information, please see http://www.microsoft.com/isaserver/ Contents

More information

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.

More information

Understanding the Cisco VPN Client

Understanding the Cisco VPN Client Understanding the Cisco VPN Client The Cisco VPN Client for Windows (referred to in this user guide as VPN Client) is a software program that runs on a Microsoft Windows -based PC. The VPN Client on a

More information

Firewalls. Ahmad Almulhem March 10, 2012

Firewalls. Ahmad Almulhem March 10, 2012 Firewalls Ahmad Almulhem March 10, 2012 1 Outline Firewalls The Need for Firewalls Firewall Characteristics Types of Firewalls Firewall Basing Firewall Configurations Firewall Policies and Anomalies 2

More information

Fig. 4.2.1: Packet Filtering

Fig. 4.2.1: Packet Filtering 4.2 Types of Firewalls /DKo98/ FIREWALL CHARACTERISTICS 1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the

More information

A Guide to New Features in Propalms OneGate 4.0

A Guide to New Features in Propalms OneGate 4.0 A Guide to New Features in Propalms OneGate 4.0 Propalms Ltd. Published April 2013 Overview This document covers the new features, enhancements and changes introduced in Propalms OneGate 4.0 Server (previously

More information

12. Firewalls Content

12. Firewalls Content Content 1 / 17 12.1 Definition 12.2 Packet Filtering & Proxy Servers 12.3 Architectures - Dual-Homed Host Firewall 12.4 Architectures - Screened Host Firewall 12.5 Architectures - Screened Subnet Firewall

More information

SiteCelerate white paper

SiteCelerate white paper SiteCelerate white paper Arahe Solutions SITECELERATE OVERVIEW As enterprises increases their investment in Web applications, Portal and websites and as usage of these applications increase, performance

More information

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

2. From a control perspective, the PRIMARY objective of classifying information assets is to: MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

TLS and SRTP for Skype Connect. Technical Datasheet

TLS and SRTP for Skype Connect. Technical Datasheet TLS and SRTP for Skype Connect Technical Datasheet Copyright Skype Limited 2011 Introducing TLS and SRTP Protocols help protect enterprise communications Skype Connect now provides Transport Layer Security

More information

VPN SECURITY. February 2008. The Government of the Hong Kong Special Administrative Region

VPN SECURITY. February 2008. The Government of the Hong Kong Special Administrative Region VPN SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without the

More information

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol Chapter 2: Security Techniques Background Chapter 3: Security on Network and Transport Layer Network Layer: IPSec Transport Layer: SSL/TLS Chapter 4: Security on the Application Layer Chapter 5: Security

More information