Transcript Computer Network Security

Computer Security
Instructor: Dr. Bo Sun
1
Course Objectives
• Understand basic issues, concepts, principles,
and mechanisms in computer network security
–
–
–
–
–
Basic security concept
Cryptography
Authentication
Standards
Network Security
2
Course Outline
• Basic Security Concepts:
– Confidentiality, integrity, availability
– others
• Cryptography
– Secret Key Cryptography: DES, IDEA, AES, etc.
– Public Key Cryptography: RSA, Diffi-Hellman, Digital signature,
Elliptic Curve, etc.
– Modes of Operation: ECB, CBC etc.
– Hashes and Message Digests: MD5, SHA-1 etc.
• Authentication
– Basic concepts of Authentication Systems
– Password Authentication
– Security handshake pitfalls
3
Course Outline cont’d
• Network and Distributed Systems
–
–
–
–
–
–
Kerberos
Public Key Infrastructure
IPsec
Secure Socket Layer /Transport Layer Security
Email security
Firewall
4
Introduction
5
Security Attacks
6
Security Attacks
7
Interruption
Security attacks can be classified in terms of Passive attacks and Active attacks as per X.800 and
RFC 2828
Different kinds of attacks are:
Interruption
Sender
Receiver
S
R
An asset of the system is destroyed or becomes unavailable or unusable. It is an attack on
availability.
Examples:
 Destruction of some hardware
 Jamming wireless signals
 Disabling file management systems
Interception
Interception
Sender
Receiver
S
R
H
Hacker
An unauthorized party gains access to an asset. Attack on confidentiality.
Examples:
 Wire tapping to capture data in a network.
 Illicitly copying data or programs
 Eavesdropping
Modification
Modification:
S
R
H
When an unauthorized party gains access and tampers an asset. Attack is on Integrity.
Examples:
 Changing data file
 Altering a program and the contents of a message
Fabrication
Fabrication
S
R
H
An unauthorized party inserts a counterfeit object into the system. Attack on
Authenticity. Also called impersonation
Examples:
 Hackers gaining access to a personal email and sending message
 Insertion of records in data files
 Insertion of spurious messages in a network
11
Classify Security Attacks as
• passive attacks –
– eavesdropping on, or monitoring of, transmissions to:
– obtain message contents, or
– monitor traffic flows
• active attacks – modification of data stream to:
–
–
–
–
masquerade of one entity as some other: man-in-the-middle
replay previous messages
modify messages in transit
denial of service
12
Information Security Concerns
• DDoS
• Worm Attacks (e.g. code red)
• Exploitation of software bugs (e.g. buffer
overflow)
• Monitoring and capture of network traffic
• Masquerade of authorized users
• …….
• http://www.cert.org/
13
Contributing Factors
• Lack of awareness of threats and risks of information
systems
• Wide-open network policies
– Many Internet sites allow wide-open Internet access
• Vast majority of network traffic is unencrypted
• Lack of security in TCP/IP
• Complexity of security management and
administration
• Exploitation of software bugs: e.g. Sendmail bugs
• Cracker skills keep improving
14
Security Objectives
Confidentiality (Secrecy):
Prevent/Detect/Deter improper disclosure of information
Availability:
Integrity:
Prevent/Detect/Deter improper
modification of information
Prevent/Detect/Deter
improper denial of access to
services provided by the
system
15
Security Mechanisms
Layered
Protection
Intrusion Prevention
(Encryption, Authentication,
etc.): Not Enough
Intrusion
Detection
Intrusion
Tolerance
Weakest Point
Security Failure
Access Control
16
Security Services
• Confidentiality: protection of any information from
being exposed to unintended entities.
– Information content
– Parties involved
– Where they are, how they communicate, how often, etc.
• Authentication: assurance that an entity of concern or
the origin of a communication is authentic - it’s what
it claims to be or from
• Integrity: assurance that the information has not been
tampered with
17
Security Services
• Non-repudiation: offer of evidence that a party is indeed the
sender or a receiver of certain information
• Access control: facilities to determine and enforce who is
allowed access to what resources, hosts, software, network
connections
• Security management: facilities for coordinating users’ service
requirements and mechanism implementations throughout the
enterprise network and across the internet
– Trust model
– Trust communication protocol
– Trust management infrastructure
18
The Internet
OSI of ISO
Internet Stack
Application
Presentation
Session
Upper Layers
Transport
Transport
Network
Internet
Data Link
Data Link
Physical
Physical
19
Layered Store-and-forward
User A
User B
Application
Transport
Network
Link
20
Virus, Worms, and Trojan Horses
• Trojan horse: instructions hidden inside an otherwise
useful program that do bad things
• Virus: a set of instructions that, when executed,
inserts copies of itself into other programs.
• Worm: a program that replicates itself by installing
copies of itself on other machines across a network.
• Trapdoor: an undocumented entry point, which can
be exploited as a security flaw
• Zombie: malicious instructions installed on a system
that can be remotely triggered to carry out some
attack with les traceability because the attack comes
from another victim.
• ….
21