Chapter 07 - Regis University: Academic Web Server for Faculty
Chapter 7
Security in Networks
Figure 7-1 Simple View of Network.
Terminology
Node: single computing system in a network.
Link: connection between two hosts.
Workstation: end user computing device for a single user.
System: collection of processors and a mixture of workstations.
More Complex Network
Media
Cable:
◦ UTP unshielded twisted pair
  Cat 5 uses pins 1, 2, 3 & 6.
  Cat 6 uses all 4 pairs of wires.
Optical: fiber gigabit, 2.5 mile limit.
Microwave: line of sight.
Infrared: up to 9 miles.
◦ Portable devices.
Wireless Media
Wireless: interference at the 2.4 GHz range.
Wireless 802.11
Type      Top Speed (Mbps)   Frequency (GHz)
802.11    2                  2.4
802.11a   54                 5
802.11b   11                 2.4
802.11g   54                 2.4
802.11n   144+               2.4 and/or 5
Figure 7-3 Microwave Transmission.
Line-of-sight
Figure 7-4 Satellite Communication.
Geosynchronous orbit.
OSI Model
Application
Presentation
Session
Transport
Network
Data Link
Physical
OSI Layers
Application – access to the OSI environment and distributed information systems
Presentation – hides implementation details of the data
Session – controls communication between applications; sets up, connects and terminates connections
Source: Stallings, W. (2007). Data and computer communications (8th ed.). Upper
Saddle River, NJ: Pearson Prentice Hall.
OSI Layers (Cont’d)
Transport – reliable communications, end-to-end recovery and flow control
Network – isolates upper layers from connectivity details
Data Link – controls block transmission (error, flow, synchronization)
Physical – unstructured data transmission
Source: Stallings, W. (2007). Data and computer communications (8th ed.). Upper
Saddle River, NJ: Pearson Prentice Hall.
Sample Flow (diagram): on the sending host, data passes down the stack from Application through Presentation, Session, Transport, Network and Data Link to Physical; on the server it passes back up the same layers, with the data unit handed over at each layer.
Internet Protocol Stack
Application
Transport
Network/Internet
Data Link Control
Physical
OSI vs. IP
OSI             Internet Protocol Stack
Application     Application
Presentation    Application
Session         Application
Transport       Transport
Network         Network/Internet
Data Link       Data Link Control
Physical        Physical
Internet Protocols
Protocols at OSI Layers
Figure 7-6 Transformation.
Figure 7-7 Network Layer Transformation.
Figure 7-8 Data Link Layer Transformation.
Figure 7-9 Message Prepared for Transmission.
Local Area Network LAN
Covers a small distance: less than 2 miles, fewer than 100 users.
Locally controlled: owned and managed by on-site personnel.
Physically protected: at the business location.
Limited scope: single group, department or activity.
Figure 7-10 Typical LAN.
Wide Area Network
Larger than a LAN in size and distance.
Can cover cities, states or countries.
Physically exposed: uses publicly available communications media, which is itself exposed.
Network Vulnerabilities
Anonymity: unknown users on the Internet.
Many points of attack.
Sharing: access to many systems.
Complexity: connections between many different types of systems and operating systems.
Unknown perimeter: bridging issues.
Participation on the Internet.
Figure 7-11 Unclear Network Boundaries.
Figure 7-12 Uncertain Message Routing in a Network.
Cannot predict path packets will take.
Figure 7-13 Path of Microwave Signals.
Why Attack Networks
Challenge: prove your skills.
Money and espionage: steal trade secrets.
Organized Crime: botnets, bank thefts.
Cyberterrorism: local and remote.
Hacktivism: politically motivated.
How to Attack Networks
Reconnaissance
◦ Port scans: NMAP, fingerprint hosts, apps.
◦ Social engineering: trash, phone, phishing.
  Maltego: track a person's connections.
  Impersonation: gain physical access.
◦ Intelligence: media, employee lists.
  Wayback Machine: old web postings.
◦ Online documentation or postings.
  Default usernames in applications, etc.
Wiretapping / Man in the Middle
TEMPEST
◦ All electromagnetic transmissions have emanations.
Packet Sniffing: Wireshark
◦ Encrypt transmissions.
Microwave/Satellite: easily accessible.
Fiber: quantum cryptography
Wireless: Firesheep, wardriving.
Figure 7-14 Wiretap Vulnerabilities.
Exposure points.
Figure 7-15 Key Interception by a Man-in-the-Middle Attack.
Attacker acts as a proxy. Intercept and change messages. Defense: encryption and endpoint authentication.
Figure 7-16 Smurf Attack.
Directed broadcast IP addresses.
Forged source address.
Response traffic larger than query traffic.
1 request = 1 reply per host on a network.
Forged source will reply with a reset packet, if the remote IP address exists.
Figure 7-17 Three-Way Connection Handshake.
Normal connection setup.
Figure 7-18 Distributed Denial-of-Service Attack.
Multiple (thousands) remote IP addresses attacking a site.
Overwhelm servers and networks.
Usually the source is a bot network.
Figure 7-19 Segmented Architecture.
Reduce number of threats and single points of failure.
Isolate business functions.
Figure 7-20 Link Encryption.
Encrypt as you go on the wire.
Figure 7-21 Message Under Link Encryption.
Figure 7-22 End-to-End Encryption.
Encryption performed at highest level.
Figure 7-23 End-to-End Encrypted Message.
Figure 7-24 Encrypted Message Passing Through a Host.
Message protected from disclosure.
Figure 7-25 Establishing a Virtual Private Network.
Secure authentication, cryptographic hashes for integrity and ciphers for confidentiality.
Figure 7-26 VPN to Allow Privileged Access.
Virtual dedicated link between entities on a public network.
Figure 7-27 Packets: (a) Conventional Packet; (b) IPSec Packet.
Encapsulated security payload (ESP) provides authentication, integrity & confidentiality.
Figure 7-28 Encapsulated Security Packet.
Kerberos Authentication
Authentication, Authorization, Accountability (AAA).
Uses secret key encryption.
Provides mutual authentication of clients and servers.
Protects against network sniffing and replay attacks.
Kerberos Operational Steps
1. Kerberos principal (user's client) contacts the Key Distribution Center (KDC) to authenticate.
2. KDC sends a session key to the user encrypted with the user's secret key. KDC also sends a Ticket Granting Ticket (TGT) encrypted with the Ticket Granting Service's (TGS) secret key.
3. User's client decrypts the session key and uses it to request permission to print from the TGS.
4. The TGS verifies the user's session key and sends the user a C/S (Client/Server) session key to use to print. The TGS also sends a service ticket, encrypted with the printer's private key.
5. Client connects to printer. Printer sees a valid C/S session key and knows the user has permission to print and knows the user is an authentic user.
Figure 7-29 Initiating a Kerberos Session.
Figure 7-30 Obtaining a Ticket to Access a File.
Figure 7-31 Access to Services and Servers in Kerberos.
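The five operational steps above, as an added example that is not part of these slides: the KDC, TGS, printer and client are simulated as functions in one Python process, a toy HMAC-SHA256 encrypt-then-MAC construction stands in for Kerberos' secret-key cipher, and the user name, keys and service name are constructed. Timestamps, ticket lifetimes and the replay cache of real Kerberos are omitted.

```python
import hashlib, hmac, json, os

def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode, used as the keystream of the toy cipher below."""
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(0, n, 32))[:n]

def seal(key, obj):
    """Toy authenticated encryption (encrypt-then-MAC) standing in for Kerberos' secret-key cipher."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Reject anything not sealed under `key`; this is how each party validates a ticket."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Constructed long-term keys held by the KDC: user's (password-derived), TGS's, printer's.
K_USER, K_TGS, K_PRINTER = (hashlib.sha256(s).digest() for s in (b"alice-pw", b"tgs", b"printer"))

def kdc_reply(user):
    """Steps 1-2: session key sealed under the user's key, plus a TGT sealed under the TGS's key."""
    sk = os.urandom(32).hex()
    return seal(K_USER, {"sk": sk}), seal(K_TGS, {"user": user, "sk": sk})

def tgs_reply(tgt, authenticator, service):
    """Step 4: only a client holding the session key can build the authenticator; a replayed TGT alone fails."""
    t = unseal(K_TGS, tgt)
    if unseal(bytes.fromhex(t["sk"]), authenticator)["user"] != t["user"]:
        raise ValueError("authenticator does not match TGT")
    cs = os.urandom(32).hex()
    return seal(bytes.fromhex(t["sk"]), {"cs": cs, "svc": service}), seal(K_PRINTER, {"user": t["user"], "cs": cs})

def printer_accepts(ticket, authenticator):
    """Step 5: the printer needs only its own key; a valid authenticator shows the user holds the C/S key."""
    t = unseal(K_PRINTER, ticket)
    return unseal(bytes.fromhex(t["cs"]), authenticator)["user"] == t["user"]

def print_job(user, password):
    """Client side of steps 1-5; a wrong password fails at step 3 because the session key cannot be unsealed."""
    k_user = hashlib.sha256(password).digest()
    enc_sk, tgt = kdc_reply(user)
    sk = bytes.fromhex(unseal(k_user, enc_sk)["sk"])
    enc_cs, ticket = tgs_reply(tgt, seal(sk, {"user": user}), "printer")
    cs = bytes.fromhex(unseal(sk, enc_cs)["cs"])
    return printer_accepts(ticket, seal(cs, {"user": user}))
```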
Firewalls
Firewall: permit or deny transmissions between networks based upon a set of rules.
Packet Filter Firewall: rule based, stateless, fast.
◦ Each packet must be investigated.
Stateful Firewall: tracks active sessions
◦ Maintain state table of sessions
◦ Slower than packet filtering but more secure.
Application: works at application layer L7
◦ Inspecting all packets for improper content, can restrict or prevent outright the spread of networked computer worms and trojans.
Proxy: intercept service requests and make the request on the internal network for external client.
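An added example, not from the slides, of the state table a stateful firewall maintains: sessions enter the table only when an inside host sends a SYN, the entry advances through the three-way handshake of Figure 7-17, inbound segments are allowed only if they match an entry, and FIN/RST removes it. The 10.0.0.0/8 internal range and the segment fields are assumptions.

```python
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/8")   # constructed internal address range

class StatefulFirewall:
    """State table keyed on the inside host's view of the session: (src, sport, dst, dport)."""

    def __init__(self):
        self.table = {}   # session key -> "SYN_SENT" | "SYN_RECEIVED" | "ESTABLISHED"

    def decide(self, src, sport, dst, dport, flags):
        """Return 'allow' or 'drop' for one TCP segment; flags is a set such as {'SYN', 'ACK'}."""
        outbound = ipaddress.ip_address(src) in INSIDE
        key = (src, sport, dst, dport) if outbound else (dst, dport, src, sport)
        state = self.table.get(key)
        if outbound and state is None:
            if flags == {"SYN"}:                      # inside host opens a session: handshake step 1
                self.table[key] = "SYN_SENT"
                return "allow"
            return "drop"                             # outbound non-SYN with no known session
        if state is None:
            return "drop"                             # unsolicited inbound, including an outside-initiated SYN
        if not outbound and state == "SYN_SENT" and flags == {"SYN", "ACK"}:
            self.table[key] = "SYN_RECEIVED"          # handshake step 2, from the outside server
        elif outbound and state == "SYN_RECEIVED" and flags == {"ACK"}:
            self.table[key] = "ESTABLISHED"           # handshake step 3
        if flags & {"FIN", "RST"}:
            del self.table[key]                       # teardown: stop allowing return traffic
        return "allow"
```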
Figure 7-32 Layered Network Protection.
Figure 7-33 Onion Routing.
A has a message for B.
Wrap message for B in a package to D.
Wrap message for D in a package to C.
“Disguise traffic flows”.
A sends package to C.
Figure 7-34 Packet Filter Blocking Addresses and Protocols.
Use a screening router (packet filtering gateway) to block traffic.
Simple and sometimes most effective type of firewall.
Figure 7-35 Three Connected LANs.
One inside network, two outside.
Create screening router to only allow traffic between networks.
Figure 7-36 Filter Screening Outside Addresses.
Packet filter firewall, screen out fake network traffic.
Outside is trying to act as coming from internal network.
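An added example, not from the slides, combining the screening router of Figure 7-36 (drop packets on the outside interface that claim an internal source) with the Smurf defence implied by Figure 7-16 (drop directed broadcasts, and egress-filter forged sources) and the ACL of Figure 7-38 as one stateless packet filter in Python. The 192.0.2.0/24 LAN, the interface names, the inbound ACL and the sample packets are constructed.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("192.0.2.0/24")             # constructed internal LAN
ALLOWED_INBOUND = {("tcp", 80), ("tcp", 443), ("tcp", 25)}  # constructed ACL: web and mail only

def screening_router(pkt):
    """Stateless decision for one packet on a two-interface screening router.

    pkt has 'iface' ('outside' or 'inside'), 'src', 'dst', 'proto' and 'dport'.
    Returns 'accept' or a 'drop: <reason>' string suitable for logging.
    """
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    # Figure 7-36: a packet on the outside interface cannot legitimately carry an internal source.
    if pkt["iface"] == "outside" and src in INTERNAL:
        return "drop: spoofed internal source on outside interface"
    # Figure 7-16: the directed-broadcast address is the amplifier a Smurf attack needs; never forward to it.
    if dst in (INTERNAL.broadcast_address, INTERNAL.network_address):
        return "drop: directed broadcast to internal network"
    # Egress counterpart: packets leaving the LAN must carry a LAN source, so this site cannot be the forger.
    if pkt["iface"] == "inside" and src not in INTERNAL:
        return "drop: non-internal source leaving on inside interface"
    # Remaining inbound traffic must match the ACL of permitted services (Figure 7-38).
    if pkt["iface"] == "outside" and (pkt["proto"], pkt["dport"]) not in ALLOWED_INBOUND:
        return "drop: not in inbound ACL"
    return "accept"

# Constructed sample packets, as a router might log them.
SAMPLE = [
    {"iface": "outside", "src": "192.0.2.7",    "dst": "192.0.2.10",   "proto": "tcp",  "dport": 80},
    {"iface": "outside", "src": "198.51.100.5", "dst": "192.0.2.255",  "proto": "icmp", "dport": None},
    {"iface": "outside", "src": "198.51.100.5", "dst": "192.0.2.10",   "proto": "tcp",  "dport": 443},
    {"iface": "outside", "src": "198.51.100.5", "dst": "192.0.2.10",   "proto": "tcp",  "dport": 23},
    {"iface": "inside",  "src": "203.0.113.4",  "dst": "198.51.100.5", "proto": "icmp", "dport": None},
]

def audit(pkts=SAMPLE):
    """Apply the filter to each packet and return the decisions in order."""
    return [screening_router(p) for p in pkts]
```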
Figure 7-37 Actions of Firewall Proxies.
Intercepts service requests and then makes requests internally on behalf of external clients.
Figure 7-38 Firewall with Screening Router.
Use ACLs to limit traffic.
Figure 7-39 Firewall on Separate LAN.
Proxy firewall example.
Figure 7-40 Firewall with Proxy and Screening Router.
Router: ACL
Firewall: rules
Internal network, IDS, Host-based IDS, honeypot.
Figure 7-41 Common Components of an Intrusion Detection Framework.
SNORT & Honey Pot IDS
Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire, combining the benefits of signature, protocol, and anomaly-based inspection.
Honey Pot
◦ Watch for suspicious traffic.
◦ Learn what attackers are trying to do.
◦ Acts as a diversion and can lure attackers
Figure 7-42 Stealth Mode IDS Connected to Two Networks.
Use two network interfaces, one to watch network the other for sending alerts.
Avoid being knocked off the network by DoS attacks.
Intrusion Prevention (IPS)
Identify malicious activity, log information about the activity, attempt to block/stop the activity, and report the activity.
Intrusion prevention systems can be classified into four different types:
◦ Network-based Intrusion Prevention (NIPS): monitors the entire network for suspicious traffic by analyzing protocol activity.
◦ Wireless Intrusion Prevention Systems (WIPS): monitors a wireless network for suspicious traffic by analyzing wireless networking protocols.
◦ Network Behavior Analysis (NBA): examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware, and policy violations.
◦ Host-based Intrusion Prevention (HIPS): an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.
Email Security
Pretty Good Privacy
◦ Asymmetric encryption
◦ Confidentiality
◦ Integrity
◦ Authentication
◦ Nonrepudiation
◦ Web of Trust
You trust all the digital certificates that I trust.
Figure 7-43 Overview of Encrypted E-Mail Processing.
Figure 7-44 Encrypted E-Mail–Secured Message.
Figure 7-45 Encrypted E-Mail Processing in Message Transmission.