Compter Networks Chapter 9: Network Security



Similar documents
Network Security. Internet Firewalls. Chapter 13. Network Security (WS 2002): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer

Network Security. Chapter 13. Internet Firewalls. Network Security (WS 07/08): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Content Teaching Academy at James Madison University

IY2760/CS3760: Part 6. IY2760: Part 6

Internet Security Firewalls

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Cornerstones of Security

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 Phone: 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

CS 348: Computer Networks. - Security; 30 th - 31 st Oct Instructor: Sridhar Iyer IIT Bombay

What would you like to protect?

Tutorial 3. June 8, 2015

Overview. Firewall Security. Perimeter Security Devices. Routers

CMPT 471 Networking II

12. Firewalls Content

Message Authentication Codes

Chapter 10. Network Security

Client Server Registration Protocol

COSC 472 Network Security

Network Security. Chapter 1. Introduction

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Network Security. HIT Shimrit Tzur-David

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Network Security. Raj Jain. The Ohio State University. Columbus, OH Raj Jain 31-1

Chap. 1: Introduction

allow all such packets? While outgoing communications request information from a

Internet Security Firewalls

Proxy Server, Network Address Translator, Firewall. Proxy Server

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

Cryptography and Network Security

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Firewalls, Tunnels, and Network Intrusion Detection

Computer System Management: Hosting Servers, Miscellaneous

Network Security. Chapter 1 Introduction. Network Security IN2101. Georg Carle. Course organization

Information Security

Advanced Topics in Distributed Systems. Dr. Ayman Abdel-Hamid Computer Science Department Virginia Tech

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

INTRODUCTION TO FIREWALL SECURITY

How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and

- Introduction to Firewalls -

FIREWALL AND NAT Lecture 7a

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Savitribai Phule Pune University

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Network Security and Firewall 1

CS5008: Internet Computing

CPSC 467b: Cryptography and Computer Security

Network Security Technology Network Management

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

VPN Lesson 2: VPN Implementation. Summary

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

CS155 - Firewalls. Simon Cooper <sc@sgi.com> CS155 Firewalls 22 May 2003

Guideline on Firewall

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

E-commerce Revision. Typical e-business Architecture. Routing and Addressing. E-Commerce Web Sites. Infrastructure- Packets, Routing and Addressing

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

Security Technology: Firewalls and VPNs

A S B

Key Management. CSC 490 Special Topics Computer and Network Security. Dr. Xiao Qin. Auburn University

Firewalls. Ahmad Almulhem March 10, 2012

CSCI 4250/6250 Fall 2015 Computer and Networks Security

Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key

Security Goals Services

ELECTRONIC COMMERCE OBJECTIVE QUESTIONS

Security (II) ISO : Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Firewalls, IDS and IPS

Overview Windows NT 4.0 Security Cryptography SSL CryptoAPI SSPI, Certificate Server, Authenticode Firewall & Proxy Server IIS Security IE Security

Notes on Network Security - Introduction

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

8. Firewall Design & Implementation

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

Ky Vu DeVry University, Atlanta Georgia College of Arts & Science

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method.

Packet filtering and other firewall functions

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

Linux firewall. Need of firewall Single connection between network Allows restricted traffic between networks Denies un authorized users

Protocol Security Where?

GregSowell.com. Mikrotik Security

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

How To Protect Your Network From Attack

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Overview. SSL Cryptography Overview CHAPTER 1

Transcription:

Goals of this chapter Compter Networks Chapter 9: Network Security Give a brief glimpse of security in communication networks Basic goals and mechanisms Holger Karl Slide set: Günter Schäfer, TU Ilmenau (slightly modified) Computer Networks Group Universität Paderborn WS 05/06, v 1.0 Computer Networks - Network security 2 Overview Basic concepts, terminology Cryptology What is a threat in a communication network? Abstract Definition: A threat in a communication network is any possible event or sequence of actions that might lead to a violation of one or more security goals The actual realization of a threat is called an attack Examples: A hacker breaking into a corporate computer Disclosure of emails in transit Someone changing financial accounting data A hacker temporarily shutting down a website Someone using services or ordering goods in the name of others WS 05/06, v 1.0 Computer Networks - Network security 3 WS 05/06, v 1.0 Computer Networks - Network security 4 1

Security goals technically defined Confidentiality: Data transmitted or stored should only be revealed to an intended audience Confidentiality of entities is also referred to as anonymity Data Integrity: It should be possible to detect any modification of data This requires to be able to identify the creator of some data Accountability: It should be possible to identify the entity responsible for any communication event Availability: Services should be available and function correctly Controlled Access: Only authorized entities should be able to access certain services or information Threats technically defined Masquerade: An entity claims to be another entity Eavesdropping: An entity reads information it is not intended to read Authorization Violation: An entity uses a service or resources it is not intended to use Loss or Modification of (transmitted) Information: Data is being altered or destroyed Denial of Communication Acts (Repudiation): An entity falsely denies its participation in a communication act Forgery of Information: An entity creates new information in the name of another entity Sabotage: Any action that aims to reduce the availability and / or correct functioning of services or systems WS 05/06, v 1.0 Computer Networks - Network security 5 WS 05/06, v 1.0 Computer Networks - Network security 6 Threats and technical security goals Technical Security Goals Masquerade Eavesdropping Authorisation Violation General Threats Loss or Modification of (transmitted) information Denial of Communication acts Forgery of Information Sabotage (e.g. by overload) Confidentiality x x x Data Integrity x x x x Accountability x x x x Availability x x x x Controlled Access x x x These threats are often combined in order to perform an attack! Communications security: Some terminology Security Service: An abstract service that seeks to ensure a specific security property A security service can be realised with the help of cryptographic algorithms and protocols as well as with conventional means: One can keep an electronic document on a floppy disk confidential by storing it on the disk in an encrypted format as well as locking away the disk in a safe Usually a combination of cryptographic and other means is most effective Cryptographic Algorithm: A mathematical transformation of input data (e.g. data, key) to output data Cryptographic algorithms are used in cryptographic protocols Cryptographic Protocol: A series of steps and message exchanges between multiple entities in order to achieve a specific security objective WS 05/06, v 1.0 Computer Networks - Network security 7 WS 05/06, v 1.0 Computer Networks - Network security 8 2

Security services Overview Authentication The most fundamental security service which ensures, that an entity has in fact the identity it claims to have Integrity In some kind, the small brother of the authentication service, as it ensures, that data created by specific entities may not be modified without detection Confidentiality The most popular security service, ensuring secrecy of protected data Access Control Controls that each identity accesses only those services and information it is entitled to Non-Repudiation Protects against that entities participating in a communication exchange can later falsely deny that the exchange occurred Overview Basic concepts, terminology Cryptology WS 05/06, v 1.0 Computer Networks - Network security 9 WS 05/06, v 1.0 Computer Networks - Network security 10 Cryptology Definition and terminology Cryptology: Science concerned with communications in secure and usually secret form The term is derived from the Greek kryptós (hidden) and lógos (word) Cryptology encompasses: Cryptography (gráphein = to write): the study of the principles and techniques by which information can be concealed in ciphertext and later revealed by legitimate users employing a secret key Cryptanalysis (analýein = to loosen, to untie): the science (and art) of recovering information from ciphers without knowledge of the key Cipher: Method of transforming a message (plaintext) to conceal its meaning Also used as synonym for the concealed ciphertext Ciphers are one class of cryptographic algorithms The transformation usually takes the message and a (secret) key as input (Source: Encyclopaedia Britannica) WS 05/06, v 1.0 Computer Networks - Network security 11 Cryptographic algorithms For network security two main applications of cryptographic algorithms are of principal interest: Encryption of data: transforms plaintext data into ciphertext in order to conceal its meaning Signing of data: computes a check value or digital signature to a given plain- or ciphertext that can be verified by some or all entities being able to access the signed data Some cryptographic algorithms can be used for both purposes, some are only secure and / or efficient for one of them. Principal categories of cryptographic algorithms: Symmetric cryptography using 1 key for en-/decryption or signing/checking Asymmetric cryptography using 2 different keys for en-/decryption or signing/checking Cryptographic hash functions using 0 keys (the key is not a separate input but appended to or mixed with the data). WS 05/06, v 1.0 Computer Networks - Network security 12 3

Symmetric encryption General description: The same key K A,B is used for enciphering and deciphering of messages: Encrypt Decrypt Notation: If P denotes the plaintext message E(K A,B, P) denotes the ciphertext and it holds D(K A,B, E(K A,B, P)) = P Alternatively we sometimes write {P} KA,B for E(K A,B, P) Examples: DES, 3DES, IDEA,... WS 05/06, v 1.0 Computer Networks - Network security 13 Asymmetric cryptography (1) General idea: Use two different keys -K and +K for encryption and decryption Given a random ciphertext c = E(+K, m) and +K it should be infeasible to compute m = D(-K, c) = D(-K, E(+K, m)) This implies that it should be infeasible to compute -K when given +K The key -K is only known to one entity A and is called A s private key K A The key +K can be publicly announced and is called A s public key +K A Encrypt +K Decrypt -K WS 05/06, v 1.0 Computer Networks - Network security 14 Asymmetric cryptography (2) Applications: Encryption: If B encrypts a message with A s public key +K A, he can be sure that only A can decrypt it using K A Signing: If A encrypts a message with his own private key K A, everyone can verify this signature by decrypting it with A s public key +K A Attention: It is crucial that everyone can verify that he really knows A s public key and not the key of an adversary! Practical considerations: Asymmetric cryptographic operations are about magnitudes slower than symmetric ones Therefore, they are often not used for encrypting / signing bulk data Symmetric techniques are used to encrypt / compute a cryptographic hash value and asymmetric cryptography is just used to encrypt a key / hash value Overview Basic concepts, terminology Cryptology WS 05/06, v 1.0 Computer Networks - Network security 15 WS 05/06, v 1.0 Computer Networks - Network security 16 4

firewalls A network firewall can be compared to a castle moat It restricts people to entering at one carefully controlled point It prevents attackers from getting close to other defenses It restricts people to leaving at one carefully controlled point Usually, a network firewall is installed at a point where the protected subnetwork is connected to a less trusted network Example: Connection of a corporate local area network to the Basically firewalls realize access control on the subnetwork level s: Terminology (1) A component or a set of components that restricts access between a protected network and the or between other sets of networks Packet Filtering The action a device takes to selectively control the flow of data to and from a network Packet filtering is an important technique to implement access control on the subnetwork-level for packet oriented networks, e.g. the A synonym for packet filtering is screening Bastion Host A computer that must be highly secured because it is more vulnerable to attacks than other hosts on a subnetwork A bastion host in a firewall is usually the main point of contact for user processes of hosts of internal networks with processes of external hosts Dual-homed host A general purpose computer with at least two network interfaces WS 05/06, v 1.0 Computer Networks - Network security 17 WS 05/06, v 1.0 Computer Networks - Network security 18 s: Terminology (2) Proxy: A program that deals with external servers on behalf of internal clients Proxies relay approved client requests to real servers and also relay the servers answers back to the clients Network Address Translation (NAT): A procedure by which a router changes data in packets to modify the network addresses This allows to conceal the internal network addresses (even though NAT is not actually a security technique) Perimeter Network: A subnetwork added between an external and an internal network, in order to provide an additional layer of security A synonym for perimeter network is de-militarized zone (DMZ) s architecture: Simple packet filter The most simple architecture just consists of a packet filtering router It can be either realized with: A standard workstation (e.g. Linux PC) with at least two network interfaces plus routing and filtering software A dedicated router device, which usually also offers filtering capabilities Denied Traffic Packet Filtering Router Permitted Traffic WS 05/06, v 1.0 Computer Networks - Network security 19 WS 05/06, v 1.0 Computer Networks - Network security 20 5

architecture: Screened host The packet filter: Allows permitted IP traffic between the screened host and the Blocks all direct traffic between other internal hosts and the The screened host provides proxy services: Despite partial protection by the packet filter the screened host acts as a bastion host architecture: Screened subnet A perimeter network is created between two packet filters The inner packet filter serves as additional protection in case the bastion host is ever compromised For example, this avoids a compromised bastion host to sniff on internal traffic The perimeter network is also a good place to host a publicly accessible information server, e.g. a WWW server Bastion Host WS 05/06, v 1.0 Computer Networks - Network security 21 Bastion Host WS 05/06, v 1.0 Computer Networks - Network security 22 s: Packet filtering What can be done with packet filtering? Theoretically speaking everything, as all information exchanged in a communication relation is transported via packets In practice, efficiency tradeoffs against proxy approaches have to be considered Basic packet filtering enables to control data transfer based on: Source IP Address Destination IP Address Transport protocol Source and destination application port Potentially, specific protocol flags (e.g. TCP s ACK- and SYN-flag) The network interface a packet has been received on s: An example packet filtering ruleset This ruleset specifies that incoming and outgoing email is the only allowed traffic into and out of a protected network Email is relayed between two servers by transferring it to an SMTP daemon on the target server (server port 25, client port > 1023) Rule A allows incoming email to flow to the bastion host and rule B allows the bastion host s acknowledgements to exit the network Rules C and D are analogous for outgoing email Rule E denies all other traffic Rule Direction Src. Addr. Dest. Addr. Protocol Src. Port Dest. Port ACK Action A Inbound External Bastion TCP >1023 25 Any Permit B Outbound Bastion External TCP 25 >1023 Yes Permit C Outbound Bastion External TCP >1023 25 Any Permit D Inbound External Bastion TCP 25 >1023 Yes Permit E Either Any Any Any Any Any Any Deny WS 05/06, v 1.0 Computer Networks - Network security 23 WS 05/06, v 1.0 Computer Networks - Network security 24 6

Conclusion Network security is an important, but extremely complicated and complex topic We have not even scratched the surface, we just know that there is an iceberg out there Security WS 05/06, v 1.0 Computer Networks - Network security 25 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information