SECURITY THREATS FOR TELEMATIC COMMUNICATIONS. SECURITY IN WIRELESS NETWORKS Carlos Rey-Moreno

Transcription

1 SECURITY THREATS FOR TELEMATIC COMMUNICATIONS SECURITY IN WIRELESS NETWORKS Carlos Rey-Moreno

2 Introduction to Security Services How secure are our data networks? What is a Threat? What is an Attack? What is a Vulnerability? Common types of network attacks Eavesdropping Masquerading Man-in-the-middle Denial of service What is a Security Service? ITU-T Definition Services to reduce design vulnerabilities X.800 Security Services for Open Systems Confidentiality Integrity Authentication Access Control Non Repudiation Anonymity Availability

3 How secure are we on a data What is a Threat? network? A potential for violation of security, which exists when there is an entity, circumstance, capability, action, or event that could cause harm.

4 How secure are we on a data What is a Threat? network? A potential for violation of security, which exists when there is an entity, circumstance, capability, action, or event that could cause harm. Something that can be wrong!!!

5 How secure are we on a data network? Why do we have to minimize the threats? Because the threats lead to attacks An intentional act by which an entity attempts to evade security services and violate the security policy of a system. That is, an actual assault on system security that derives from an intelligent threat. (See: penetration, violation, vulnerability.)

6 How secure are we on a data network? Why do we have to minimize the threats? Because the threats lead to attacks An intentional act by which an entity attempts to evade security services and violate the security policy of a system. That is, an actual assault on system security that derives from an intelligent threat. (See: penetration, violation, vulnerability.) Actions to damage a system!!!

7 How secure are we on a data network? How is implemented an attack? Attacks are implemented through vulnerabilities A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.

8 How secure are we on a data network? How is implemented an attack? Attacks are implemented through vulnerabilities A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy. The ways to damage a system!!!

9 How secure are we on a data network? Threats Vulnerabilities Attacks The threats are exploited by attacks. The attacks are designed taking advantage of the vulnerabilities of the network protocols and systems (one attack can involve several vulnerabilities). If the attack succeeds the systems may get down. Success HARM

10 Vulnerabilities database gov/home.cfm How secure are we on a data network? Example 1: e-commerce web server attack Threat. Attacker impersonating a customer Vulnerability. Check the vulnerabilities of the web server (brand, version, operating system ). For example we discovered that the users database is opened to LDAP queries in the current web server version. Attack. The attacker designs an attack based on the discovered vulnerabilities. He/She makes thousands of queries to users database to get potential targets. Try the most popular passwords with all the gathered users until gets a valid user/password credential. Finally the attacker can make a purchase with charge to the victim.

11 How secure are we on a data network? So we have to know the threats of a system in order to define the appropriate security services to avoid or minimize the consequences of attacks We have to know the threats We have to discover the potential attacks (the way that the threats become reality) We have to incorporate security services in the systems to minimize (or avoid) the harm caused by attacks

12 Common Types of Network Attacks Eavesdropping An attacker who has gained access to the data path in the network listen or read the traffic. Alice Information for Bob Information for Bob Bob Attacker Information for Bob The attacker gets the information sent to Bob illegally

13 Common Types of Network Attacks Masquerading The attacker impersonates one of the participants in the communication. Attacker Alice Hello Bob, I am Alice, could you please send me the money to this address: XXX? Bob Hello Alice, of course I will send you the money to that address

14 Common Types of Network Attacks Man-in-the-middle The attacker controls the communication transparently. The participants believe that they are communicating directly with each other. I need 5 I need 10 Alice I need 5 I need 10 Attacker Bob The attacker modifies the information and nobody knows

15 Common Types of Network Attacks Denial of service The attacker prevents the normal use of the network resources. Alice Bob Attacker The attacker turns the network down

16 We already know the threats and now what? What can we do? How can we protect the networks? First Step: To remove the design vulnerabilities Deploying Security Services

17 What is a security service? A service, provided by a layer of communicating open systems, which ensures adequate security of the systems or of data transfers. Recommendation X.800

18 What is a security service? A service, provided by a layer of communicating open systems, which ensures adequate security of the systems or of data transfers. Recommendation X.800 What does it mean? What is a layer of an open system? What is the adequate security?

19 What is a security service? Layered communication model: What is that? The model of layered architecture is the dominant paradigm to design final telecommunication solutions

20 What is a security service? Layered communication model: Why is widely accepted? L5 You can face the big problem through small problems Divide and Conquer strategy!!! Big Layer L4 L3 L2 L1 F(x) = Functionality of x F(Big Layer) = F(L5) + F(L4) + F(L3) + F(L2) + F(L1) C(x) = Complexity of x C(Big Layer) >> C(L5) + C(L4) + C(L3) + C(L2) + C(L1) R (x) = Reutilization of x R(Big Layer) <<< R(L5) or R(L4) or R(L3) or R(L2) or R(L1)

21 What is a security service? Development of a telematic solution Security of the Design State L5 L4 L3 L2 L1 S3 S1 S5 S2 S4 L5 L4 L3 L2 L1 Security services are functionalities added to the layers to reduce the number of vulnerabilities (implies the reduction of threats too) What are these functionalities to provide security? Number of vulnerabilities: N Number of vulnerabilities: S S<<N

22 X.800 Security Services for Open Systems The ITU-T X.800 Recommendation defines five security services Confidentiality Integrity Authentication Non-repudiation Access Control Currently there are two more common security services widely accepted Anonymity Availability

23 X.800 Security Services for Open Systems Confidentiality When it is provided, it protects the network users from attacks of eavesdropping. Only the authorized recipient of the information will access the information. Eavesdropping attack Alice Information for Bob Information for Bob Bob Confidentiality Service Attacker Information for Bob The attacker gets the information sent to Bob illegally

24 X.800 Security Services for Open Systems Integrity When it is provided, it guarantees that the data received by the authorized receiver is the same as the data sent by the authorized sender. MIMT attack I need 5 I need 10 Integrity Service Alice I need 5 I need 10 Attacker Bob The attacker modifies the information and nobody knows

25 X.800 Security Services for Open Systems Authentication When it is provided, it guarantees the identity of the users involved in the communication. Authentication Service Masquerading attack Attacker Alice Bob

26 X.800 Security Services for Open Systems Non repudiation When it is provided, it avoids that either the issuer or the receiver can deny the participation in a communication. Alice Attacker Notification 1 Non repudiation Service Have you got the notification? NO You can not deny that you have signed the message

27 X.800 Security Services for Open Systems Access Control When it is provided, it guarantees that only the authorized people can access to protected resources. Access Control Service Bob Attacker Shared between Bob and Alice Bob Bob s resources

28 Security Services <=> Layers Now we know the common security services to protect the layers from attacks, but What services do we have to provide in each layer? It depends on the layer that we are considering let s go to talk about wireless layer - Wifi (link level according to ITU-T X.200 Recommendation) Confidentiality Access Control Authentication How do we implement those services?

29 How to implement Security Services Security Services Security Protocols Security Mechanism Tools for providing security Cryptographic Mechanism With cryptography we can build security mechanisms (e.g. with RSA we build Digital Signatures) With security mechanisms we can build security Protocols (e.g. with digital signatures we build IPSec or SSL) With security protocols we can build security services (e.g. with IPSec we provide integrity, confidentiality and authentication) With security services we can build secure services (e.g. with integrity, confidentiality and authentication we build e- commerce solution)

30 The content of this presentations has used materials from: - Iván Pau de la UPM, Spain Thanks to him!