Transcript Powerpoint Slides

Network/Information
Security
“The terms network security and
information security refer in a broad sense
to confidence that information and
services available on a network cannot be
accessed by unauthorized users.” (Comer
1995)
Need to protect
Physical resources (disks, computers, cables,
bridges, routers, etc.)
Abstract resources (information)
Security Requirements
Data integrity - protecting information
from unauthorized change.
Data availability - guaranteeing that
outsiders cannot prevent legitimate data
access.
Confidentiality/Privacy - preventing
unauthorized listening.
Security Requirements
(contd..)
Authentication - ensuring that a message
indeed originated from its apparent
source.
Non-repudiation - ensuring that a party to
a transaction cannot subsequently deny
that this transaction took place.
Internet Security
Mechanisms
Authentication Mechanisms: IP source
authentication, Public key encryption
Privacy Mechanism: Encryption
Access Control Mechanisms: Internet
firewall
Authentication and privacy mechanisms can be
added to application programs. Access control
requires basic changes to Internet infrastructure.
IP Source Authentication
Server maintains a list of valid IP source
addresses.
Weak because it can be broken easily.
An imposter can gain control of an
intermediate router and impersonate an
authorized client.
An imposter can also impersonate a
server.
Public Key Encryption System
Each end-entity has a cryptographic key pair
a private key that is kept secret at that endentity, and
a public key which is distributed.
Keys, which are large integers, are used to
encode and decode messages.
A message encoded using one key can be
decoded using the other.
Public Key Encryption
System (contd.)
Message encrypted by a public key can
only be decrypted by the holder of the
corresponding private key.
Private key can be used to generate a
digital signature and anyone knowing the
public key can authenticate it.
Guessing or calculating the secret private
key is an extremely difficult task.
Public Key Encryption
System (contd.)
Public key encryption scheme can also
handle the problem of privacy.
Sender uses the receiver’s public key to
encode the message. Receiver uses it’s
private key to decode the message.
Messages can be encoded twice to
authenticate the sender and to enforce
privacy. First with the sender’s private key
and then with the receiver’s public key.
Certificates and Certification
Authorities
To ensure authenticity, public keys are
generally distributed in the form of
certificates.
A certificate contains
a public key value
identity of the holder of the corresponding
private key
digital signature of the certification authority
(CA)
Certificates and Certification
Authorities (contd.)
A CA is a trusted party whose public key
is known, e.g., VeriSign, Inc.
The recipient uses the public key of the
CA, to decrypt the sender's public key in
the certificate.
The most vulnerable part of this method
is the CA’s private key, which is used to
digitally sign the certificate.
SSL Handshake

Messages exchanged in a typical SSL handshake
CLIENT
SERVER
ClientHello
A list of cipher
suites supported
ClientKeyExchange
A random challenge,
encrypted with the
server’s public key
ServerHello
Server selects a cipher suite,
usually RSA
Certificate
Server sends
its certificate
HTTP communication begins over the secure channel
Source: Abbott, S. 1999. The Debate for Secure E-Commerce.
Performance Computing, February 1999, p.p.. 37-42.
Secure Sockets Layer (SSL)
The leading security protocol on the
internet. Developed by Netscape.
At the start of an SSL session, the browser
sends its public key to the server.
Server uses the browser’s public key to
encrypt a secret key and sends it to the
browser.
During the session, the server and browser
exchange data via secret key encryption.
SSL (contd.)
SSL has merged with other protocols and
authentication methods to create a new
protocol known as Transport Layer
Security (TLS).
Typically only server authentication is
done. Authentication of browser’s (user’s)
identity requires certificates to be issued
to users.
Internet Firewalls
Firewall protects an organization’s internal
networks, routers, computers, and data
against unauthorized access.
Security perimeter involves installing a
firewall at each external connection.
For effective control all firewalls must use
exactly the same access restrictions.
Internet Firewall
Implementation
A firewall must handle datagrams at the
same speed as the connection to the
outside world.
To operate at network speeds, routers
include a high-speed filtering mechanism.
Filters form the basic building blocks of a
firewall.
Packet Filters
Provides a basic level of network security
at the IP level.
Filtering is based on any combination of
source IP address, destination IP address,
protocol, source protocol port number,
and destination protocol port number.
Packet filters do not maintain context or
understand the application they are
dealing with.
Packet Filters
Specifying the datagrams that should be
filtered is not very effective.
Instead we specify which datagrams to
admit.
Security concerns
IP spoofing (mimicing IP addresses of
trusted machines)
IP tunneling (one datagram is temporarily
encapsulated in another)
Packet Filters
“If an organization’s firewall restricts
incoming datagrams except for ports that
correspond to services the organization
makes available externally, an arbitrary
application inside the organization cannot
become a client of a server outside the
organization.” (Comer, 1995)
Proxy Firewalls
Most secure form of firewall
All incoming traffic is tunneled to the
appropriate proxy gateway for mail, HTTP,
FTP, etc.
Proxies then direct the information to the
internal network.
Proxies are applications that make decisions
based on context, authorization, &
authentication rules instead of IP addresses.
Proxy Firewalls (contd.)
Proxy firewall operates at the highest level
of the protocol stack.
Proxies are relays between the Internet
and the organization’s private network.
Proxy’s firewall address is the only one
available to the outside world.
Some firewalls combine router and proxy
techniques to provide more security.