
Internet Security
Based on Learning Tree Course #468:
Internet and Intranet Security: A Comprehensive Introduction
2/24/2000
1
Will Lennon
Security Model
Objectives vs. Threats
Normal Flow: Information Source -> Information Destination
Authenticity vs. Masquerade
Privacy vs. Interception
Integrity vs. Modification
Availability vs. Interruption
Authenticity vs. Masquerade
• Personal Authenticity (Logins)
restrict access to unauthorized users
• Interior Authenticity (DHCP, IPSec)
restrict access to unauthorized hosts
• Exterior Authenticity (firewalls)
restrict access to internal services
Authenticity vs Masquerade
3 ways to establish personal identity:
• Something you know (Passwords)
• Something you have (Keys)
• Something you are (Biometrics)
Personal Authenticity vs. Masquerade
Password attacks:
• Guessing (spouse, pets, child)
• Cracking passwords (dictionary attacks)
• Snooping passwords (network analyzers)
• Social Engineering (Deception)
• Trojan Horses
Personal Authentication methods
• One-time lists
• Repeated hashing (S/Key, OPIE)
• Electronic tokens
• Challenge-Response Schemes (CHAP)
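Two of the methods above can be shown in a few lines. The following is an added example, not code from the course: an S/Key-style hash chain (SHA-256 stands in for the MD4/MD5 chain of real S/Key, an assumption of this example) and a CHAP exchange using the RFC 1994 response formula MD5(identifier || secret || challenge). The seed, shared secret and chain length are constructed demo values. Each demo returns what the server decided, so the replay attempt can be checked: a snooped one-time password is rejected the second time, and a CHAP response captured from one challenge is useless against the next.

```python
import hashlib
import hmac
import secrets

# --- Repeated hashing: S/Key / OPIE style one-time passwords -----------------
# SHA-256 stands in for the MD4/MD5 chain of the original S/Key (an assumption
# of this example); the seed and chain length are constructed demo values.
CHAIN_LENGTH = 5

def hash_chain(seed: bytes, steps: int) -> bytes:
    """h^steps(seed): apply the hash 'steps' times; steps == 0 returns the seed."""
    value = seed
    for _ in range(steps):
        value = hashlib.sha256(value).digest()
    return value

class SKeyServer:
    """Stores only the last verified chain value h^k(seed) and k, never the seed.
    A password snooped from the wire is h^(k-1)(seed): hashing it once gives the
    stored value, but nobody can run the one-way hash backwards to get h^(k-2)."""
    def __init__(self, last_verified: bytes, remaining: int):
        self.last_verified = last_verified
        self.remaining = remaining

    def login(self, one_time_password: bytes) -> bool:
        if self.remaining == 0:
            return False  # chain exhausted; the user must re-enroll with a new seed
        if not hmac.compare_digest(hashlib.sha256(one_time_password).digest(), self.last_verified):
            return False
        # Accept, then move the stored value down the chain so this password is spent.
        self.last_verified = one_time_password
        self.remaining -= 1
        return True

def demo_skey():
    seed = b"constructed-enrollment-seed"
    server = SKeyServer(hash_chain(seed, CHAIN_LENGTH), CHAIN_LENGTH)
    first = server.login(hash_chain(seed, CHAIN_LENGTH - 1))   # genuine login
    replay = server.login(hash_chain(seed, CHAIN_LENGTH - 1))  # snooped value reused
    second = server.login(hash_chain(seed, CHAIN_LENGTH - 2))  # next genuine login
    return first, replay, second

# --- Challenge-response: CHAP (RFC 1994) -------------------------------------
def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(identifier || shared secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class ChapAuthenticator:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.identifier = 0
        self.challenge = b""

    def new_challenge(self):
        """Fresh random challenge per attempt; a reused challenge would make replay work."""
        self.identifier = (self.identifier + 1) & 0xFF
        self.challenge = secrets.token_bytes(16)
        return self.identifier, self.challenge

    def check(self, identifier: int, response: bytes) -> bool:
        expected = chap_response(self.identifier, self.secret, self.challenge)
        return identifier == self.identifier and hmac.compare_digest(expected, response)

def demo_chap():
    secret = b"constructed-shared-secret"
    auth = ChapAuthenticator(secret)
    ident, challenge = auth.new_challenge()
    captured = chap_response(ident, secret, challenge)   # what a sniffer sees on the wire
    genuine = auth.check(ident, captured)                 # accepted this once
    ident2, _ = auth.new_challenge()
    replay = auth.check(ident2, captured)                 # rejected: the challenge changed
    return genuine, replay

if __name__ == "__main__":
    print("S/Key (first, replay, second):", demo_skey())
    print("CHAP (genuine, replay):", demo_chap())
```

Both schemes defeat the snooping attack from the previous slide, but neither defeats a Trojan horse on the client: a keylogger still sees the seed or the shared secret.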
Interior Authentication: IPSec
• Generic security mechanism for IP (mandatory to implement in IPv6, optional for IPv4)
• A security association is created between two
parties
• Provides privacy services as well as
authentication
• Included in most modern O.S.s
Exterior Authentication: Firewalls
Packet Filters
• Stateless Packet Filters
• Stateful Packet Filters
Proxies
• Application Proxy
• Circuit-Level Gateways
Sanity Check
[Diagram: Network 1 (147.117.xx.xx) - Router - Network 2 (192.168.88.xx)]
Packet arriving at the router from Network 1: From: 192.168.88.11, To: 192.168.88.33
Insane (a Network 2 source address cannot legitimately arrive from Network 1): blocked
Packet arriving at the router from Network 1: From: 147.117.32.65, To: 192.168.88.33
Sane: pass
Stateless Packet Filters
[Diagram: Network 1 (147.117.xx.xx) - Router - Network 2 (192.168.88.xx)]
Telnet (port 23): Block
SMTP (port 25): Pass
Stateless Packet Filter Refinements: TCP
• Block incoming packets without ACK to block connections initiated by external hosts (only the first SYN of a connection lacks the ACK bit; every later segment carries it)
• Doesn't work for UDP (no handshake, so no ACK bit to key on)
TCP Handshake:
Client -> Server: SYN
Server -> Client: SYN + ACK
Client -> Server: ACK
Problems with Stateless Packet Filtering
• IP Fragmentation
• Protocols with variable port numbers
• Non-standard use of standard ports
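The sanity check, the port rules, the ACK refinement and the fragmentation problem from the last four slides can all be seen in one small filter. The following is an added example, not code from the course or from any firewall product; the inside network mask (192.168.88.0/24) and the packet fields are assumptions of the example, and the packets fed to it are constructed. Rules are evaluated top to bottom and first match wins, and the filter deliberately keeps no memory between packets, which is exactly why the non-first fragment of a telnet connection slips through: the port number it would need to block on is only in the first fragment.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.168.88.0/24")  # Network 2 on the slides (mask assumed)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = field(default_factory=frozenset)  # TCP flags, e.g. {"SYN", "ACK"}
    frag_offset: int = 0                # > 0: non-first IP fragment, transport header absent
    iface: str = "outside"              # interface the packet arrived on

def filter_inbound(p: Packet) -> tuple:
    """Stateless verdict (verdict, reason) for a packet arriving on the outside
    interface. Every decision uses only the fields of this one packet."""
    # Sanity check: a packet with an inside source address cannot legitimately
    # arrive on the outside interface; its source is spoofed.
    if p.iface == "outside" and ip_address(p.src) in INSIDE:
        return "block", "insane: inside source address from outside"
    # Blind spot: only the first fragment carries the TCP/UDP header. A filter
    # that keys on ports has nothing to match in later fragments, and a filter
    # that passes them rather than break fragmented traffic lets them through.
    if p.frag_offset > 0:
        return "pass", "non-first fragment: no port header to check"
    if p.proto == "tcp":
        if p.dport == 23:
            return "block", "telnet (port 23)"
        if p.dport == 25:
            return "pass", "smtp (port 25) to the inside mail server"
        # ACK refinement: a segment with ACK set belongs to a connection that
        # already exists, so it is a reply to a connection opened from inside.
        # A bare SYN is an outside host trying to open one; block it.
        if "ACK" in p.flags:
            return "pass", "ACK set: reply to an internally initiated connection"
        return "block", "no ACK: connection initiated by an external host"
    # UDP and ICMP have no handshake flags, so the ACK trick does not apply;
    # without state the filter can only decide per port. Default: block.
    return "block", "default deny for non-TCP"

# Constructed packets, one per rule, all arriving on the outside interface.
EXAMPLES = [
    Packet("192.168.88.11", "192.168.88.33", "tcp", 1234, 25, frozenset({"SYN"})),   # spoofed
    Packet("147.117.32.65", "192.168.88.33", "tcp", 1234, 25, frozenset({"SYN"})),   # mail delivery
    Packet("147.117.32.65", "192.168.88.33", "tcp", 1234, 23, frozenset({"SYN"})),   # telnet
    Packet("147.117.32.65", "192.168.88.33", "tcp", 80, 40000, frozenset({"SYN", "ACK"})),  # reply to inside browser
    Packet("147.117.32.65", "192.168.88.33", "tcp", 40000, 8080, frozenset({"SYN"})),      # outside-initiated
    Packet("147.117.32.65", "192.168.88.33", "udp", 53, 40000),                            # no ACK bit exists
    Packet("147.117.32.65", "192.168.88.33", "tcp", frag_offset=1),                        # telnet, second fragment
]

def run_examples() -> list:
    return [filter_inbound(p)[0] for p in EXAMPLES]

if __name__ == "__main__":
    for p in EXAMPLES:
        print(p.src, "->", p.dst, p.proto, p.dport, *filter_inbound(p))
```

The UDP line shows the second limitation the slides name: with no handshake there is no bit that distinguishes a reply from a new request, so a stateless filter has to choose between blocking all inbound UDP and opening whole ports. Stateful filters remove both blind spots by remembering the first fragment and the outbound request.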
Circuit-Level Gateway
1: Inside Host connects to TCP port on Gateway
2: Gateway connects to Outside Host
3: Gateway passes messages transparently
[Diagram: Inside Host -(1)-> Gateway -(2)-> Outside Host; (3) messages relayed in both directions]
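The three steps above are a TCP relay, and a working one fits in a screen. The following is an added example, not code from the course or from any gateway product: a loopback-only circuit-level gateway with a policy callback (an assumption of the example; real gateways such as SOCKS also authenticate the inside host) and a constructed stand-in for the outside host that upper-cases what it receives, so the reply can only have come through the gateway. The relay never looks at the bytes it copies, which is what makes it transparent to the application protocol.

```python
import socket
import threading

def listener() -> socket.socket:
    """Loopback listening socket on an ephemeral port (constructed test setup)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s

def pump(src: socket.socket, dst: socket.socket) -> None:
    """Step 3: copy bytes one way, untouched, until src signals EOF, then pass
    the EOF on so the other side's reads finish too."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def circuit_gateway(gw_listener: socket.socket, outside_addr, allow) -> None:
    inside, inside_peer = gw_listener.accept()            # step 1: inside host connects
    if not allow(inside_peer[0], outside_addr):           # policy hook (assumed): who may reach what
        inside.close()
        return
    outside = socket.create_connection(outside_addr)      # step 2: gateway connects onward
    back = threading.Thread(target=pump, args=(outside, inside), daemon=True)
    back.start()
    pump(inside, outside)                                 # step 3, both directions
    back.join()
    inside.close()
    outside.close()

def outside_host(out_listener: socket.socket) -> None:
    """Stand-in for the outside host: echoes its input upper-cased."""
    try:
        conn, _ = out_listener.accept()
    except OSError:
        return  # listener closed without a connection: policy denied the circuit
    with conn:
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            conn.sendall(chunk.upper())

def relay_through_gateway(message: bytes, allowed: bool = True) -> bytes:
    """Inside host sends 'message' via the gateway; returns what it got back."""
    out_l, gw_l = listener(), listener()
    threading.Thread(target=outside_host, args=(out_l,), daemon=True).start()
    gw = threading.Thread(target=circuit_gateway, daemon=True,
                          args=(gw_l, out_l.getsockname(), lambda src, dst: allowed))
    gw.start()
    client = socket.create_connection(gw_l.getsockname())
    reply = b""
    try:
        client.sendall(message)
        client.shutdown(socket.SHUT_WR)
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            reply += chunk
    except OSError:
        pass  # denied: the gateway closed the circuit without connecting onward
    finally:
        client.close()
        gw.join(timeout=5)
        out_l.close()
        gw_l.close()
    return reply

if __name__ == "__main__":
    print(relay_through_gateway(b"hello through the gateway"))
    print(relay_through_gateway(b"hello", allowed=False))
```

Because the gateway only decides whether a circuit may exist and then copies bytes, it cannot see that, say, a telnet session is being run over the port it allowed; that inspection is the job of an application proxy.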
Screened Subnet Topology
[Diagram: Screening Router (Packet Filter) in front of a DMZ holding the FTP Server, WWW Server and WWW Proxy; the Internal Network sits behind the DMZ]
Chapman Architecture
[Diagram: outer Screening Router (Packet Filter) - DMZ holding the FTP Server, WWW Server and Bastion Host (WWW) - inner Screening Router - Internal Network]
Privacy vs. Interception
3 ways to maintain information privacy:
• Hide the existence -> steganography
• Hide the content -> access control
• Hide the meaning -> encryption
Cryptography / Encryption
Two types of cryptographic algorithms exist:
1) Secret Key (aka Symmetric): Key A == Key B
DES, 3DES, Blowfish, RC5, IDEA, Skipjack
2) Public Key (aka Asymmetric): Key A != Key B
RSA, DSA
Hash Functions: MD5, SHA
[Diagram: "Hello" -> Encryptor (Key A) -> "a#k3Wj" -> Decryptor (Key B) -> "Hello"]
Public Key Encryption Example
Alice: "I want to send you a secret message."
Ahab: "Encrypt it with my public key: s6sd2KlUq."
Alice: "Here's the message: iqm3k2lsjesk"
Ahab: "Got it."
[Diagram: Alice and Ahab, with an eavesdropper (?) watching the exchange]
Virtual Private Networks (VPNs)
• VPN is an encrypted tunnel through which all
data passes between two endpoints
• Endpoints are usually firewalls
• Encryption technology varies, often negotiated
using IPSec
[Diagram: Net 1 - VPN tunnel across the Internet - Net 2]
Integrity vs. Modification
Use a Hash Function to assure Integrity.
[Diagram: Message -> Hash Function -> Hash Sum]
A Hash Sum or message digest is:
• data dependent
• irreversible
• collision resistant (it should be infeasible to find two messages with the same hash sum)
Cryptography for Personal Messages
Signing (Authenticity): Message -> MD5 Hash (Integrity) -> Hash Sum -> Encrypt with Sender's Private Key -> Digital Signature
Sealing (Privacy): Message + Digital Signature -> Encrypt with Receiver's Public Key -> Encrypted Private Message
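The sign-then-seal flow above, together with the Key A != Key B point of the Cryptography slide and the Alice/Ahab exchange, can be run end to end with textbook RSA. The following is an added example, not code from the course: the primes are the public Mersenne primes 2^127-1, 2^521-1 (Alice) and 2^107-1, 2^607-1 (Ahab), chosen so the arithmetic is real but the "private" keys are known to everyone; real keys use secret random primes, and real deployments add padding (OAEP for encryption, PSS for signatures) and encrypt the bulk message with a symmetric key rather than with RSA directly. SHA-256 replaces the slide's MD5, because MD5 is no longer collision resistant, and the tamper check at the end shows why the signature is computed over the hash sum of the exact message.

```python
import hashlib

# Toy RSA key material, constructed for this example. These Mersenne primes are
# public, so the resulting private keys are too; never use fixed primes for real.
ALICE_PRIMES = (2**127 - 1, 2**521 - 1)
AHAB_PRIMES = (2**107 - 1, 2**607 - 1)
E = 65537

def make_keypair(primes, e=E):
    p, q = primes
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)       # modular inverse (Python 3.8+); Key A != Key B
    return (n, e), (n, d)     # (public key, private key)

def int_of(data: bytes) -> int:
    return int.from_bytes(data, "big")

def bytes_of(x: int) -> bytes:
    # Leading zero bytes do not survive this round trip; real schemes fix the length.
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def encrypt_int(m: int, public_key) -> int:
    """Privacy: anyone may encrypt under the receiver's public key; only the
    holder of the matching private key can decrypt."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("value too large for this modulus")
    return pow(m, e, n)

def decrypt_int(c: int, private_key) -> int:
    n, d = private_key
    return pow(c, d, n)

def hash_sum(message: bytes) -> bytes:
    """Integrity. SHA-256 here instead of the slide's MD5 (MD5 collisions are practical)."""
    return hashlib.sha256(message).digest()

def sign(message: bytes, private_key) -> int:
    """Authenticity: the hash sum 'encrypted' with the sender's private key."""
    n, d = private_key
    return pow(int_of(hash_sum(message)), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone with the sender's public key recovers the hash sum and compares."""
    n, e = public_key
    return pow(signature, e, n) == int_of(hash_sum(message))

def send_private_message(message: bytes):
    """Alice signs with her private key, then seals message and signature under
    Ahab's public key. Ahab decrypts with his private key and verifies with
    Alice's public key. Returns (recovered message, signature_ok)."""
    alice_pub, alice_priv = make_keypair(ALICE_PRIMES)
    ahab_pub, ahab_priv = make_keypair(AHAB_PRIMES)
    signature = sign(message, alice_priv)
    # Two RSA blocks for simplicity; Alice's signature is smaller than Ahab's
    # modulus, so it fits. A real system would RSA-encrypt a random symmetric
    # key and encrypt message + signature with that key (hybrid encryption).
    sealed = [encrypt_int(int_of(message), ahab_pub), encrypt_int(signature, ahab_pub)]
    m, sig = (decrypt_int(c, ahab_priv) for c in sealed)
    recovered = bytes_of(m)
    return recovered, verify(recovered, sig, alice_pub)

if __name__ == "__main__":
    print(send_private_message(b"Hello"))
```

Note which key does what: the private key is used only for the two operations its owner must be the sole party able to perform (signing as Alice, reading as Ahab), and the public keys are all the eavesdropper on the Alice/Ahab slide ever sees.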
Availability vs. Interruption
Bombs:
• Files that have undesirable behavior
Viruses:
• Designed to propagate themselves
• Limited to a particular OS or application
• Must be attached to another piece of software
Worms:
• Similar to viruses but are stand-alone software
Availability vs. Interruption
• Electro-Magnetic Pulse (EMP)
HERF gun: High Energy Radio Frequency
• Data Flood: -->traceOn(“”)
• Broadcast Storms: “Smurf Attack”
• Bombardment Attacks: SYN flood
• Duplicate IP Address problem
SYN Flood
Client -> Server: SYN
Server allocates a half-open connection entry, sends its response, and waits for the client to acknowledge
Server -> Client: SYN + ACK
Client -> Server: ACK (never sent)
Client repeatedly sends SYN messages.
Client never sends the ACK message.
Server's table of half-open connections quickly fills, and new clients are refused.
Smurf Attack
[Diagram: Attack Station starts the attack; Zombies send the ping; Relays answer; Victim 1.2.3.4 receives the replies]
Ping: To: 255.255.255.255 (broadcast), From: 1.2.3.4 (spoofed victim address)
Ping Response (one from each relay): To: 1.2.3.4, From: w.x.y.z
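Both attacks on the last two slides leave a signature in a packet trace, and the detection logic is short. The following is an added example, not part of the course: a small detector run over constructed packet summaries (the addresses, ports and the 192.168.88.0/24 mask are assumptions of the example). For the SYN flood it counts, per client, SYNs that were never followed by the client's ACK; for the smurf attack it looks for the relay-side sign (an echo request aimed at a broadcast address) and the victim-side sign (a host receiving many more echo replies than requests it sent, the amplification that makes the attack work).

```python
from collections import Counter, namedtuple
from ipaddress import ip_network

Pkt = namedtuple("Pkt", "src sport dst dport proto info")  # info: TCP flags or ICMP type
LOCAL_NET = ip_network("192.168.88.0/24")  # Network 2 on the slides (mask assumed)
SERVER = "192.168.88.33"

# Constructed packet summaries, as a sniffer on the server's segment would log them.
TRAFFIC = (
    # a legitimate client completes the three-way handshake
    [Pkt("10.0.0.5", 51000, SERVER, 25, "tcp", "SYN"),
     Pkt(SERVER, 25, "10.0.0.5", 51000, "tcp", "SYN+ACK"),
     Pkt("10.0.0.5", 51000, SERVER, 25, "tcp", "ACK")]
    # SYN flood: twenty SYNs from one source, each answered, none acknowledged
    + [pkt for i in range(20) for pkt in (
        Pkt("203.0.113.9", 40000 + i, SERVER, 25, "tcp", "SYN"),
        Pkt(SERVER, 25, "203.0.113.9", 40000 + i, "tcp", "SYN+ACK"))]
    # a legitimate ping and its single reply
    + [Pkt("10.0.0.5", 0, SERVER, 0, "icmp", "echo-request"),
       Pkt(SERVER, 0, "10.0.0.5", 0, "icmp", "echo-reply")]
    # smurf: one echo request to the directed broadcast address with the
    # victim's address forged as source, then every relay host answering it
    + [Pkt("1.2.3.4", 0, str(LOCAL_NET.broadcast_address), 0, "icmp", "echo-request")]
    + [Pkt(f"192.168.88.{10 + i}", 0, "1.2.3.4", 0, "icmp", "echo-reply") for i in range(8)]
)

def half_open_by_source(packets) -> Counter:
    """Half-open connections per client: a SYN seen from the client with no ACK after it."""
    pending = set()
    for p in packets:
        if p.proto != "tcp":
            continue
        key = (p.src, p.sport, p.dst, p.dport)
        if p.info == "SYN":
            pending.add(key)
        elif p.info == "ACK":
            pending.discard(key)
    return Counter(src for src, _, _, _ in pending)

def syn_flood_sources(packets, threshold=10) -> list:
    """Clients holding at least 'threshold' half-open connections at once."""
    return sorted(src for src, n in half_open_by_source(packets).items() if n >= threshold)

def smurf_indicators(packets, local_net="192.168.88.0/24", amplification=4) -> tuple:
    """Returns (echo requests sent to a broadcast address, hosts that received
    more than 'amplification' times as many echo replies as requests they sent)."""
    net = ip_network(local_net)
    broadcast = {str(net.broadcast_address), "255.255.255.255"}
    broadcast_pings = sum(1 for p in packets
                          if p.proto == "icmp" and p.info == "echo-request" and p.dst in broadcast)
    requests = Counter(p.src for p in packets if p.proto == "icmp" and p.info == "echo-request")
    replies = Counter(p.dst for p in packets if p.proto == "icmp" and p.info == "echo-reply")
    victims = sorted(h for h, n in replies.items() if n > amplification * max(requests[h], 1))
    return broadcast_pings, victims

if __name__ == "__main__":
    print("half-open per source:", dict(half_open_by_source(TRAFFIC)))
    print("SYN flood sources:", syn_flood_sources(TRAFFIC))
    print("smurf (broadcast pings, victims):", smurf_indicators(TRAFFIC))
```

The two sides of the smurf check matter because they belong to different networks: the broadcast-ping count is what the relay site's administrator can see and stop (by not forwarding directed broadcasts), while the reply-to-request ratio is all the victim ever observes. On the SYN-flood side, a real server limits the damage with SYN cookies, which let it answer a SYN without allocating the half-open entry the attack is trying to exhaust.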
Requirements for Good Security
• Security Policy
• Security Technology
• Activity Logging
• Incident Response Plan
• Enforcement