Network Security Fundamentals



Similar documents
APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

Internet and Network Security Fundamentals

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

CS5008: Internet Computing

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

How To Understand And Understand The Security Of A Key Infrastructure

General Network Security

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Outline. INF3510 Information Security. Lecture 10: Communications Security. Communication Security Analogy. Network Security Concepts

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Lecture 10: Communications Security

(d-5273) CCIE Security v3.0 Written Exam Topics

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Security vulnerabilities in the Internet and possible solutions

Chapter 10. Network Security

Computer Networks. Secure Systems

Chapter 4: Security of the architecture, and lower layer security (network security) 1

Networking: EC Council Network Security Administrator NSA

Today s Topics SSL/TLS. Certification Authorities VPN. Server Certificates Client Certificates. Trust Registration Authorities

Security + Certification (ITSY 1076) Syllabus

Network Access Security. Lesson 10

Exam Questions SY0-401


Chapter 7 Transport-Level Security

CPS Computer Security Lecture 9: Introduction to Network Security. Xiaowei Yang

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli

Chapter 8 Security Pt 2

A Very Incomplete Diagram of Network Attacks

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Part III-b. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Network Security. Lecture 3

The following chart provides the breakdown of exam as to the weight of each section of the exam.

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Certified Ethical Hacker Exam Version Comparison. Version Comparison

IINS Implementing Cisco Network Security 3.0 (IINS)

Domain 6.0: Network Security

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Chapter 1 Network Security

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

12/8/2015. Review. Final Exam. Network Basics. Network Basics. Network Basics. Network Basics. 12/10/2015 Thursday 5:30~6:30pm Science S-3-028

Securing Cisco Network Devices (SND)

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0

CCIE Security Written Exam ( ) version 4.0

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

E-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY)

Overview. Protocols. VPN and Firewalls

EXAM questions for the course TTM Information Security May Part 1

Security Engineering Part III Network Security. Security Protocols (II): IPsec

VPN VPN requirements Encryption VPN-Types Protocols VPN and Firewalls

Firewalls, Tunnels, and Network Intrusion Detection

Introduction to Computer Security

Transport Level Security

CTS2134 Introduction to Networking. Module Network Security

Description: Objective: Attending students will learn:

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Post-Class Quiz: Telecommunication & Network Security Domain

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Computer security Lecture 9

Chapter 8 Phase3: Gaining Access Using Network Attacks

Chapter 32 Internet Security

VPN SECURITY. February The Government of the Hong Kong Special Administrative Region

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

Chapter 17. Transport-Level Security

Implementing Cisco IOS Network Security

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

Network Security Essentials Chapter 5

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

Bypassing PISA AGM Theme Seminar Presented by Ricky Lou Zecure Lab Limited

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

CS 4803 Computer and Network Security

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Introduction to Computer Security

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer

Securing IP Networks with Implementation of IPv6

Network Security Tutorial

Cornerstones of Security

Network Security and Firewall 1

Case Study for Layer 3 Authentication and Encryption

Gigabit SSL VPN Security Router

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

A S B

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Virtual Private Networks

IPv6 SECURITY. May The Government of the Hong Kong Special Administrative Region

How To Pass A Credit Course At Florida State College At Jacksonville

Standards and Products. Computer Security. Kerberos. Kerberos

Network Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)

Security issues with Mobile IP

Application Note: Onsight Device VPN Configuration V1.1

Internet Security and the Advantages of Different Models

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Virtual Private Networks

Internet Privacy Options

Transcription:

APNIC elearning: Network Security Fundamentals 27 November 2013 04:30 pm Brisbane Time (GMT+10) Introduction Presenter Sheryl Hermoso Training Officer sheryl@apnic.net Specialties: Network Security IPv6 DNS/DNSSEC Internet Resource Mgmt Reminder: Please take time to fill-up the survey 1

Overview Goals of Information Security Attacks on Different Layers Attack Examples Trusted Network Access Control Cryptography Public Key Infrastructure VPN and IPSec Security Management Whois Database 1 Goals of Information Security Confidentiality Integrity Availability prevents unauthorized use or disclosure of information safeguards the accuracy and completeness of information authorized users have reliable and timely access to information SECURITY 2

Why Security? The Internet was initially designed for connectivity Trust assumed We do more with the Internet nowadays Security protocols are added on top of the TCP/IP Fundamental aspects of information must be protected Confidential data Employee information Business models Protect identity and resources We can t keep ourselves isolated from the Internet Most business communications are done online We provide online services We get services from third-party organizations online Attacks on Different Layers Application Presentation Session Transport Network Data Link Physical OSI Reference Model Layer 5: SMB, NFS, Socks Layer 2: PPTP, Token Ring Application Layer 7: DNS, DHCP, HTTP, FTP, IMAP, LDAP, NTP, Radius, SSH, SMTP, SNMP, Telnet, TFTP DNS Poisoning, Phishing, SQL injection, Spam/Scam Transport Layer 4: TCP, UDP TCP attacks, Routing attack, SYN flooding, Sniffing Layer 3: IPv4, IPv6, ICMP, Internet IPSec Ping/ICMP Flood Network Access ARP spoofing, MAC flooding TCP/IP Model 3

TCP Attacks Exploits the TCP 3-way handshake Attacker sends a series of SYN packets without replying with the ACK packet Finite queue size for incomplete connections SYN SYN+ACK ACK CONNECTION ESTABLISHED Server TCP Attacks Exploits the TCP 3-way handshake Attacker sends a series of SYN packets without replying with the ACK packet Finite queue size for incomplete connections SYN SYN+ACK Attacker ACK? Server (Victim) OPEN CONNECTIONS 4

DNS Cache Poisoning 1 I want to access www.example.com Client 2 DNS Caching Server 3 www.example.com 192.168.1.99 QID=64571 QID=64569 QID=64570 QID=64571 match! (pretending to be the authoritative zone) Root/GTLD QID=64571 www.example.com 192.168.1.1 3 Webserver (192.168.1.1) ns.example.com 1 Common Types of Attack Ping sweeps and port scans - reconnaissance Sniffing capture packet as they travel through the network Man-in-the-middle attack intercept messages that are intended for a valid device Spoofing - set up a fake device and trick others to send messages to it Hijacking take control of a session Denial of Service (DoS) and Distributed DoS (DDoS) 5

Trusted Network Standard defensive-oriented technologies Firewall first line of defense Intrusion Detection Build TRUST on top of the TCP/IP infrastructure Strong authentication Two-factor authentication something you have + something you know Public Key Infrastructure (PKI) Access Control Access control - ability to permit or deny the use of an object by a subject. It provides 3 essential services (known as AAA): Authentication (who can login) Authorization (what authorized users can do) Accountability (identifies what a user did) 6

Cryptography Has evolved into a complex science in the field of information security Encryption process of transforming plaintext to ciphertext using a cryptographic key Symmetric key cryptography uses a single key to encrypt and decrypt information. Also known as private key. Includes DES, 3DES, AES, IDEA, RC5 Asymmetric key cryptography separate keys for encryption and decryption (public and private key pairs) Includes RSA, Diffie-Hellman, El Gamal 2 Cryptography Plaintext ENCRYPTION ALGORITHM Ciphertext DECRYPTION ALGORITHM Plaintext Encryption Key Decryption Key Symmetric Key Cryptography Shared Key Shared Key Asymmetric Key Cryptography Public Key Private Key 7

Public Key Infrastructure Combines public key cryptography and digital signatures to ensure confidentiality, integrity, authentication, nonrepudiation, and access control Digital certificate basic element of PKI; secure credential that identifies the owner Basic Components: Certificate Authority (CA) Registration Authority (RA) Repository Archive Security on Different Layers Application Presentation Session Transport Network Data Link Physical Layer 7: DNS, DHCP, HTTP, FTP, IMAP, LDAP, NTP, Radius, SSH, SMTP, SNMP, Telnet, TFTP DNS HTTPS, Poisoning, DNSSEC, Phishing, PGP, SQL SMIME injection, Layer 5: Spam/Scam SMB, NFS, Socks Layer 4: TCP, UDP TCP attacks, TLS, SSL, Routing SSH attack, SYN flooding, Sniffing Layer 3: IPv4, IPv6, ICMP, IPSec Ping/ICMP IPSecFlood Layer 2: VTP, PPTP, Token Ring ARP IEEE 802.1X, spoofing, PPP MAC & PPTP flooding 8

Virtual Private Network Creates a secure tunnel over a public network Client-to-firewall, router-to-router, firewall-to-firewall VPN Protocol Standards PPTP (Point-to-Point tunneling Protocol) L2F (Layer 2 Forwarding Protocol) L2TP (Layer 2 Tunneling Protocol) IPSec (Internet Protocol Security) Different Layers of Encryption Application Layer SSL, PGP, SSH, HTTPS Source Destination Network Layer - IPSec Link Layer Encryption 9

IPSec Provides Layer 3 security Tunnel or Transport mode Tunnel mode entire IP packet is encrypted Transport mode IPSec header is inserted in to the packet Combines different components: Security associations, Authentication headers (AH), Encapsulating security payload (ESP), Internet Key Exchange (IKE) A security context for the VPN tunnel is established via the ISAKMP Internet Security Protocols Layer 4 security: TLS, SSL, SSH SSL/TLS (Secure Socket Layer / Transport Layer Security) Session-based encryption and authentication for secure communication (prevent eavesdropping) TLS is the IETF standard succeeding SSL Uses RSA asymmetric key system Secure Shell (SSH2) secure channel between devices, replaces telnet and rsh 10

Security Management Network security is a part of a bigger information security plan Policies vs. Standards vs. Guidelines Must develop and implement comprehensive security policy Minimum password length, frequency of password change Access of devices, host firewalls User creation/deletion process Data signing/encryption Encrypting all communication (remote access) Use of digital certificates Disaster Recovery and Attack Mitigation Plan Whois Database Public network management database Tracks network resources IP addreses, ASNs, reverse domains, routing Records administrative info Contacts (person/role), authorization (maintainer) All Members must register their resources in the Whois database Must keep records up to date at all times 11

Questions Please remember to fill out the feedback form http://surveymonkey.com/s/ apnic-20131127-el4 Slide handouts will be available after completing the survey APNIC Helpdesk Chat 12

Thank You! End of Session 13

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information