Introduction to Network Security
Spring 2009
Outline
• Introduction
• Attacks, services and mechanisms
• Security threats and attacks
• Security services
• Methods of Defense
• A model for Internetwork Security
• Internet standards and RFCs
Introduction
Goal: information security services
• Computer security: automated tools for protecting information on the computer
• Network security: measures to protect data during their transmission on the network
Security Trends
(Figure: security trends chart; labels on the slide: "spams", "2009")
Hacking
• Attacks using the vulnerabilities of protocols
  – DoS
  – Sniffing
  – Session Hijacking
  – Spoofing
• Malicious code
  – Virus
  – Trojan horse
  – Back door
  – Worm
(Photo: John Draper, phone hacker)
Virus and Worm
• What is a virus?
  – Self-replicating code
  – Inserts itself into other executable code
  – Contains a malicious function, called the payload (which can be empty)
  – Native code which infects executable files
  – Distributed by e-mail and file sharing
  – Often requires a trigger from a user
    • e.g., executing an infected application
  – "Virus" is often used as a collective term for malware
Trojan Horse
• A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves, but they can be just as destructive.
  – A Trojan horse can be deliberately attached to otherwise useful software by a cracker, or it can be spread by tricking users into believing that it is a useful program.
• The term comes from the Greek story of the Trojan War between Greece and Troy.
Virus and Worm
• What is a worm?
  – First Internet worm in 1988
  – Different from a virus:
    • Stand-alone program
    • Does not infect an application
    • Spreads itself through the network automatically
    • Usually spreads much faster than viruses
  – Worms often use exploits to propagate
    • SQL Slammer – MS SQL Server
    • Slapper – Apache/mod_ssl
    • Code Red – MS Internet Information Server
Attacks, Services and Mechanisms
• Security Attack: any action that compromises the security of information.
• Security Mechanism: a mechanism that is designed to detect, prevent, or recover from a security attack.
• Security Service: a service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.
Security Threats & Attacks
• Threat
  – A possible danger that might exploit a vulnerability: a circumstance, capability, action, or event that could breach security and cause harm
• Attack
  – An assault on system security that derives from an intelligent threat
Security Threats
(Figure: the four threat categories listed below)
• Interruption: a threat to availability
• Interception: a threat to confidentiality
• Modification: a threat to integrity
• Fabrication: a threat to authenticity
Security Attacks
• Passive attack: attempts to learn or make use of information from the system, but does not affect system resources
  – Release of message contents
  – Traffic analysis
• Active attack: attempts to alter system resources or affect their operation
  – Masquerade
  – Replay
  – Modification of messages
  – Denial of service (e.g., the "1.25 Internet Chaos")
Release of Message Contents
An opponent must be prevented from learning the contents of sensitive or confidential transmissions.
(Figure: Darth reads the contents of a message from Bob to Alice sent over the Internet or another communications facility.)
Traffic Analysis
Even if the contents of messages are masked or protected by encryption, an opponent might still be able to observe the pattern of messages,
• such as the source and destination of the communicating hosts,
• and the frequency and length of the messages being exchanged.
(Figure: Darth observes the pattern of messages from Bob to Alice sent over the Internet or another communications facility.)
Masquerade
• Takes place when one entity pretends to be a different entity
• Enables an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges.
(Figure: Darth between Bob and Alice on the Internet or other comms facility; the slide's caption reads "Read contents of message from Bob to Alice".)
Replay Attack
The passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
(Figure: Darth captures a message from Bob to Alice and later replays it to Alice over the Internet or other comms facility.)
Modification of Message
Some portion of a legitimate message is altered, delayed, or reordered to produce an unauthorized effect.
(Figure: Darth modifies a message from Bob to Alice in transit over the Internet or other comms facility.)
Denial of Service
The normal use of communications facilities is prevented or inhibited, for example by
• suppressing all messages directed to a particular destination,
• disrupting an entire network by disabling it,
• degrading performance by overloading the network with messages.
Security Service
• A service that is provided by a protocol layer of communicating open systems and that ensures adequate security of the systems or of data transfers
• Security services implement security policies and are implemented by security mechanisms
• Classification of the services
  – Authentication
  – Access control
  – Data confidentiality
  – Data integrity
  – Nonrepudiation
  – Availability
Authentication
• This service is concerned with assuring that a communication is authentic
• Data origin authentication (in the case of a single message)
  – The function of the authentication service is to assure the recipient that the message is from the original source.
  – The service provides no protection against duplication or modification.
• Peer entity authentication (in a connection-oriented transmission, e.g., TCP)
  – At the time of connection initiation, the service assures that the two entities are authentic
  – During the transmission, the service assures that the connection is not interfered with by a third party masquerading as one of the entities.
Access Control
• The prevention of unauthorised use of a resource
• In the context of network security, this service is the ability to limit and control access to host systems and applications via communications links.
• Each entity must first be identified or authenticated; then access rights can be tailored to the individual.
Data Confidentiality
• The protection of transmitted data from passive attacks.
• Types of data confidentiality
  – Connection confidentiality (all user data on a connection)
  – Connectionless confidentiality (all user data in a single message)
  – Selective-field confidentiality (specific fields within the user data)
  – Traffic-flow confidentiality (information derivable from the traffic flow)
Data Integrity
• Provides the assurance that the received data are exactly the same as the data transmitted by an authorised entity.
  ※ no modification, insertion, deletion, or replay
• Connection-oriented / connectionless integrity service
  – Connection-oriented: deals with a stream of messages and assures that there is no duplication, alteration, or replay of the messages.
  – Connectionless: deals with individual messages and may provide protection against data modification only.
• Integrity service with / without recovery
  – The automated recovery mechanism is the more attractive alternative.
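The modification and replay attacks pictured earlier, and the connection-oriented integrity service that defends against them, as an added Python example (not from the slides): Bob attaches a sequence number and an HMAC-SHA256 tag to each message, and Alice accepts a message only if the tag verifies and the sequence number advances, so Darth's altered copy and his replayed copy are both rejected. The shared key and the message texts are constructed for the example.

```python
import hashlib
import hmac
import json

# Assumption: Alice and Bob already share this key (constructed for the example).
SHARED_KEY = b"example-key-shared-by-alice-and-bob"


def canonical(seq: int, payload: str) -> bytes:
    """Bytes that the integrity tag covers: sequence number plus payload."""
    return json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()


def protect(seq: int, payload: str, key: bytes = SHARED_KEY) -> dict:
    """Sender (Bob): attach a sequence number and an HMAC-SHA256 tag."""
    tag = hmac.new(key, canonical(seq, payload), hashlib.sha256).hexdigest()
    return {"seq": seq, "payload": payload, "tag": tag}


class IntegrityReceiver:
    """Receiver (Alice) for a connection-oriented integrity service: a message
    is accepted only if its tag verifies (no alteration) and its sequence
    number is greater than the last accepted one (no duplication or replay)."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.last_seq = -1

    def check(self, msg: dict) -> str:
        expected = hmac.new(self.key, canonical(msg["seq"], msg["payload"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: modification"   # Darth altered seq or payload
        if msg["seq"] <= self.last_seq:
            return "rejected: replay"         # Darth retransmitted an old message
        self.last_seq = msg["seq"]
        return "accepted"


def demo() -> list:
    """Bob's legitimate messages interleaved with Darth's attacks on the channel."""
    alice = IntegrityReceiver()
    m1 = protect(1, "pay Carol 100")
    outcomes = [alice.check(m1)]                                    # accepted
    outcomes.append(alice.check(dict(m1, payload="pay Darth 900")))  # modified copy
    outcomes.append(alice.check(m1))                                # replay of m1
    outcomes.append(alice.check(protect(2, "pay Carol 50")))        # accepted
    return outcomes
```

A connectionless integrity service would keep only the tag check and drop the sequence-number test, which is why it protects against modification but not replay.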
Nonrepudiation
• Prevents either the sender or the receiver from denying a transmitted message.
  – Origin (sender): proof that the message was sent by the specified party.
  – Destination (receiver): proof that the message was received by the specified party.
Availability
• Provides for the normal use of a system or system resource
• Addresses the security concerns raised by denial-of-service attacks.
Security Mechanisms
• Specific security mechanisms
  – Implemented in a specific protocol layer.
• Pervasive security mechanisms
  – Not specific to any particular protocol layer or security service.
A Model for Network Security
(Figure: the sender applies a security-related transformation, using secret information, to a message to produce a secure message; the secure message crosses an information channel on which an opponent is present; the receiver applies the security-related transformation with its own secret information to recover the message. A trusted third party, e.g., an arbiter or distributer of secret information, may be involved.)
Methods of Defence
• Encryption
• Software controls (access limitations in a database; in an operating system, protecting each user from other users)
• Hardware controls (smartcards)
• Policies (frequent changes of passwords)
• Physical controls
Internet Standards and RFCs
• The Internet Society
  – Internet Architecture Board (IAB)
  – Internet Engineering Task Force (IETF)
  – RFC (Request for Comments)
  – Internet Engineering Steering Group (IESG)
Internet RFC Publication Process
(Figure: an Internet Draft enters the standards track as a Proposed Standard, then advances to Draft Standard and Internet Standard; alternatively it is published as Best Current Practice, Experimental, or Informational; any of these may later be reclassified as Historic.)
Summary
• We dealt with
  – security trends
  – security attacks, such as passive attacks and active attacks
  – security services, such as authentication, access control, data confidentiality, data integrity, nonrepudiation and availability
  – a model for network security, including the opponent, access channel, gatekeeper function and information system
Outline of the Course
• This chapter serves as an introduction to the entire course. The remainder of the book is organized into three parts:
• Part One: provides a concise survey of the cryptographic algorithms and protocols underlying network security applications, including encryption, hash functions, digital signatures, and key exchange.
• Part Two: examines the use of cryptographic algorithms and security protocols to provide security over networks and the Internet. Topics covered include user authentication, e-mail, IP security, and Web security.
• Part Three: deals with security facilities designed to protect a computer system from security threats, including intruders, viruses, and worms. This part also looks at firewall technology.
Thank you