Transcript Chapter 19
Chapter 19:
Computer and Network Security
Techniques
Business Data Communications, 6e
IPSec Functions
• Authentication Header (AH)
• Encapsulating Security Payload (ESP)
• Key exchange
ESP Transport and Tunnel Mode
• Transport mode: provides protection
primarily for upper-layer protocols.
Typically used for end-to-end
communications between two hosts.
The payload (e.g. the TCP segment) is
encrypted, but the IP header is not.
• Tunnel mode: provides protection for the
entire IP packet. The entire original packet,
header included, is placed within a new
outer IP packet. Used when one or both
ends of the association is a security
gateway (e.g. a firewall or router), so that
hosts behind the gateway need not run IPSec.
Scope of ESP Encryption and
Authentication
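To make the difference in scope concrete, here is an added example (not from the textbook or any IPsec implementation) that builds a toy ESP packet in both modes and shows what each leaves readable on the wire. The addresses, keys and IV are constructed, and the stream cipher is an HMAC-SHA256 keystream standing in for a negotiated IPsec transform; the ESP layout (SPI, sequence number, IV, encrypted payload plus trailer, ICV) follows the real protocol.

```python
"""Added example: toy ESP encapsulation in transport and tunnel mode, showing
what each mode leaves visible. Keys, addresses and the keystream construction
are constructed for the example; real SAs negotiate a standard cipher via IKE."""
import hashlib
import hmac
import struct

ENC_KEY = b"\x11" * 32   # hypothetical SA keys
AUTH_KEY = b"\x22" * 32
SPI = 0x1000
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50
ICV_LEN = 12


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at zero for the toy."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src_b, dst_b)


def parse_ipv4(pkt):
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "proto": proto, "payload": pkt[20:total_len]}


def keystream(key, iv, n):
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (not an IPsec transform)."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, iv + struct.pack("!I", ctr), hashlib.sha256).digest()
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(inner, next_header, seq, iv):
    """ESP: SPI | seq | IV | enc(inner | pad | pad_len | next_header) | ICV.
    Encryption covers the trailer; the ICV covers everything except itself."""
    pad_len = (-(len(inner) + 2)) % 4
    plaintext = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    authed = struct.pack("!II", SPI, seq) + iv + xor(plaintext, keystream(ENC_KEY, iv, len(plaintext)))
    return authed + hmac.new(AUTH_KEY, authed, hashlib.sha256).digest()[:ICV_LEN]


def esp_decapsulate(esp):
    """Verify the ICV before decrypting; return (next_header, inner bytes)."""
    authed, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(hmac.new(AUTH_KEY, authed, hashlib.sha256).digest()[:ICV_LEN], icv):
        raise ValueError("ESP ICV check failed")
    iv, ciphertext = authed[8:24], authed[24:]
    plaintext = xor(ciphertext, keystream(ENC_KEY, iv, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return next_header, plaintext[:len(plaintext) - 2 - pad_len]


def transport_mode(src, dst, segment, seq, iv):
    """Original IP header stays in the clear; only the transport segment is protected."""
    esp = esp_encapsulate(segment, IPPROTO_TCP, seq, iv)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode(gw_src, gw_dst, original_packet, seq, iv):
    """Whole original packet, header included, is protected and wrapped in a new outer header."""
    esp = esp_encapsulate(original_packet, IPPROTO_IPIP, seq, iv)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def demo():
    iv = bytes(range(16))                                # constructed; use a fresh random IV per packet
    segment = b"\x00\x50\x1f\x90GET / HTTP/1.0\r\n\r\n"  # constructed stand-in for a TCP segment
    t = transport_mode("10.0.0.5", "10.0.0.9", segment, 1, iv)
    outer_t = parse_ipv4(t)
    nh_t, inner_t = esp_decapsulate(outer_t["payload"])
    original = ipv4_header("10.0.0.5", "10.0.0.9", IPPROTO_TCP, len(segment)) + segment
    u = tunnel_mode("198.51.100.1", "203.0.113.1", original, 1, iv)
    outer_u = parse_ipv4(u)
    nh_u, inner_u = esp_decapsulate(outer_u["payload"])
    tampered = bytearray(u)
    tampered[-1] ^= 0x01                                 # flip a bit in the ICV
    try:
        esp_decapsulate(bytes(tampered)[20:])
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {
        "transport_outer": (outer_t["src"], outer_t["dst"], outer_t["proto"]),
        "transport_next_header": nh_t, "transport_inner": inner_t,
        "tunnel_outer": (outer_u["src"], outer_u["dst"], outer_u["proto"]),
        "tunnel_next_header": nh_u, "tunnel_inner_src": parse_ipv4(inner_u)["src"],
        "tunnel_inner_matches": inner_u == original, "tamper_rejected": tamper_rejected,
    }
```

In transport mode an observer still sees 10.0.0.5 talking to 10.0.0.9 (only the segment is hidden); in tunnel mode the wire shows only the two gateways, and the inner header is recovered after decryption. The ICV is checked before any decryption, which is the order a real ESP receiver must use.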
Key Management
• Manual: system administrator manually
configures each system with its own keys
and with the keys of other communicating
systems.
• Automatic: An automated system enables
the on-demand creation of keys and
facilitates the use of keys. Used in large
system configurations.
Advantages of IPSec
• Provides managers with a standard means
of implementing security for VPNs.
• Encryption and authentication algorithms
and security protocols are well studied.
• Users can be confident that IPSec provides
strong security.
• Can be implemented in firewalls and
routers owned by the organization, giving
network managers control over security.
SSL Architecture
• Makes use of TCP to provide a reliable end-to-end secure service.
• Uses two layers of protocols.
• SSL Record Protocol provides basic security
services to higher layer protocols such as HTTP
• SSL includes:
-Handshake Protocol
-Change Cipher Spec Protocol
-Alert Protocol
SSL Protocol Stack
Key SSL Concepts
• Connection: a transport that provides a
suitable type of service. Connections are
transient; every connection is associated
with one session.
• Session: an association between client and
server, created by the Handshake Protocol.
Defines a set of cryptographic security
parameters which can be shared by
multiple connections, avoiding a full
negotiation for each new connection.
SSL Record Protocol Operation
SSL Protocols
• Change Cipher Spec Protocol: simplest
protocol, consists of a single byte with a
value of 1; causes the pending state (set up
by the handshake) to be copied into the
current state, so the newly negotiated
cipher suite takes effect.
• Alert Protocol: used to convey SSL-
related alerts to the peer entity. Each
message consists of 2 bytes: the first
gives the level (warning or fatal), the
second the specific alert. A fatal alert
terminates the connection.
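The record protocol operation (fragment, MAC, encrypt, add header) and the two small protocols above fit in one toy implementation. This is an added example, not SSL code from the textbook or any library: the keys are constructed and the cipher is an HMAC-SHA256 keystream standing in for a real suite, but the record header layout, the MAC input (sequence number, type, version, length, fragment), the 2^14-byte fragmentation, the single-byte change_cipher_spec that swaps pending into current state, and the two-byte alert follow the protocol as described.

```python
"""Added example: toy SSL/TLS record layer (fragment -> MAC -> encrypt -> header),
the Change Cipher Spec byte that makes the pending state current, and the
two-byte Alert message. Keys are constructed; the 'cipher' is an HMAC-SHA256
keystream stand-in, not a real SSL cipher suite."""
import hashlib
import hmac
import struct

CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
VERSION = b"\x03\x01"        # version bytes carried in every record header
MAX_FRAGMENT = 2 ** 14       # the record layer never sends more per record
MAC_LEN = 32
ALERT_LEVEL = {1: "warning", 2: "fatal"}
ALERT_DESC = {0: "close_notify", 20: "bad_record_mac", 40: "handshake_failure"}


class State:
    """Keys and sequence number for one direction; the initial null state has no keys."""
    def __init__(self, mac_key=None, enc_key=None):
        self.mac_key, self.enc_key, self.seq = mac_key, enc_key, 0

    def mac(self, ctype, fragment):
        data = struct.pack("!QB", self.seq, ctype) + VERSION + struct.pack("!H", len(fragment)) + fragment
        return hmac.new(self.mac_key, data, hashlib.sha256).digest()

    def crypt(self, data):
        ks = b"".join(hmac.new(self.enc_key, struct.pack("!QI", self.seq, i), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
        return bytes(a ^ b for a, b in zip(data, ks))


class RecordLayer:
    def __init__(self):
        self.write, self.read = State(), State()
        self.pending_write = self.pending_read = None

    def set_pending(self, mac_key, enc_key):
        """The handshake installs negotiated keys as *pending*; nothing changes yet."""
        self.pending_write, self.pending_read = State(mac_key, enc_key), State(mac_key, enc_key)

    def _protect(self, ctype, fragment):
        st = self.write
        body = fragment if st.mac_key is None else st.crypt(fragment + st.mac(ctype, fragment))
        st.seq += 1
        return bytes([ctype]) + VERSION + struct.pack("!H", len(body)) + body

    def send(self, ctype, data):
        """Fragment, then protect each fragment under the current write state."""
        chunks = [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)] or [b""]
        return [self._protect(ctype, c) for c in chunks]

    def send_change_cipher_spec(self):
        """Single byte 1, sent under the OLD state; afterwards pending write becomes current."""
        rec = self._protect(CHANGE_CIPHER_SPEC, b"\x01")
        self.write, self.pending_write = self.pending_write, None
        return rec

    def send_alert(self, level, description):
        return self._protect(ALERT, bytes([level, description]))

    def receive(self, record):
        ctype, length = record[0], struct.unpack("!H", record[3:5])[0]
        body, st = record[5:5 + length], self.read
        if st.mac_key is None:
            fragment = body
        else:
            plain = st.crypt(body)
            fragment, tag = plain[:-MAC_LEN], plain[-MAC_LEN:]
            if not hmac.compare_digest(tag, st.mac(ctype, fragment)):
                raise ValueError("bad_record_mac")     # a real peer sends a fatal alert here
        st.seq += 1
        if ctype == CHANGE_CIPHER_SPEC and fragment == b"\x01":
            self.read, self.pending_read = self.pending_read, None
        if ctype == ALERT:
            return ctype, (ALERT_LEVEL[fragment[0]], ALERT_DESC.get(fragment[1], fragment[1]))
        return ctype, fragment


def rejected(endpoint, record):
    try:
        endpoint.receive(record)
        return False
    except ValueError:
        return True


def demo():
    client, server = RecordLayer(), RecordLayer()
    for ep in (client, server):
        ep.set_pending(b"hypothetical-mac-key", b"hypothetical-enc-key")
    ccs = client.send_change_cipher_spec()
    server.receive(ccs)                       # server's read state switches too
    client.receive(server.send_change_cipher_spec())
    data = b"A" * 20000                       # constructed; forces two fragments
    records = client.send(APPLICATION_DATA, data)
    received = b"".join(server.receive(r)[1] for r in records)
    tampered = bytearray(records[1])
    tampered[-1] ^= 1
    alert = client.receive(server.send_alert(2, 20))[1]
    return {"ccs_in_clear": ccs[5:] == b"\x01", "fragments": len(records),
            "roundtrip": received == data, "replay_rejected": rejected(server, records[0]),
            "tamper_rejected": rejected(server, bytes(tampered)), "alert": alert}
```

Because the sequence number is part of the MAC input, a replayed record fails the MAC just as a modified one does, which is why the record protocol provides replay protection without any extra field on the wire.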
Handshake Protocol
• The most complex part of SSL.
• Allows for servers and clients to
authenticate each other, negotiate an
encryption and MAC algorithm and
cryptographic keys to protect data.
• Used before any application data is
transmitted.
Handshake Protocol Phases
• Phase 1: establishes security capabilities:
protocol version, session ID, cipher suite,
compression method and initial random numbers.
• Phase 2: server sends its certificate, additional
key exchange information if needed, and
optionally a request for a client certificate.
Ends with the server-done message.
• Phase 3: client sends its certificate if requested,
then the key exchange message, whose content
depends on the underlying public-key scheme.
• Phase 4: change cipher spec and finished
messages from each side complete the setup
of the secure connection.
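The four phases as an actual exchange, as an added example (not the textbook's or any SSL library's code): two Peer objects run the handshake with an anonymous Diffie-Hellman key exchange (SSL's DH_anon suites carry no certificate, so Phase 2 here has only the server key exchange message), a toy 127-bit prime and an HMAC-SHA256 PRF. The suite name, prime and the `downgrade` attacker are constructed. The point worth seeing is Phase 4: each side's Finished value is a PRF over the master secret and its own view of the transcript, so an on-path change to a handshake message is caught even though both sides derived the same keys.

```python
"""Added example: the four SSL handshake phases as a message exchange between
two Peer objects. Anonymous Diffie-Hellman (no certificate), a toy prime and an
HMAC-SHA256 PRF; message names follow SSL/TLS but nothing here interoperates."""
import hashlib
import hmac
import os

P = 2 ** 127 - 1                         # toy prime; real groups are 2048 bits or more
G = 5
SUITE = b"TOY_DH_anon_WITH_NULL_SHA256"  # hypothetical suite name


def prf(secret, label, seed, n):
    """TLS-style P_hash expansion built on HMAC-SHA256."""
    out, a = b"", label + seed
    while len(out) < n:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()
    return out[:n]


class Peer:
    def __init__(self, role):
        self.role, self.transcript, self.master = role, b"", None
        self.priv = 2 + int.from_bytes(os.urandom(16), "big") % (P - 3)
        self.pub = pow(G, self.priv, P)
        self.randoms, self.peer_pub = {}, None

    def on_message(self, name, body):
        """Receiver side: keep what later phases need."""
        if name in ("ClientHello", "ServerHello"):
            self.randoms[name] = body[:32]
        elif name in ("ServerKeyExchange", "ClientKeyExchange"):
            self.peer_pub = int.from_bytes(body, "big")

    def derive(self):
        premaster = pow(self.peer_pub, self.priv, P).to_bytes(16, "big")
        seed = self.randoms["ClientHello"] + self.randoms["ServerHello"]
        self.master = prf(premaster, b"master secret", seed, 48)

    def verify_data(self, role):
        """Finished payload for `role`, over this peer's own view of the transcript."""
        label = b"client finished" if role == "client" else b"server finished"
        return prf(self.master, label, hashlib.sha256(self.transcript).digest(), 12)


def send(src, dst, name, body, tamper=None):
    """Deliver one handshake message; each side records what it saw."""
    src.transcript += name.encode() + b":" + body
    if tamper is not None:
        body = tamper(name, body)            # hypothetical on-path modification
    dst.transcript += name.encode() + b":" + body
    dst.on_message(name, body)


def handshake(tamper=None):
    client, server = Peer("client"), Peer("server")
    client_random, server_random = os.urandom(32), os.urandom(32)
    client.randoms["ClientHello"], server.randoms["ServerHello"] = client_random, server_random
    # Phase 1: establish security capabilities (randoms, offered/selected suite).
    send(client, server, "ClientHello", client_random + SUITE, tamper)
    send(server, client, "ServerHello", server_random + SUITE, tamper)
    # Phase 2: server key exchange info (no certificate under DH_anon), then done.
    send(server, client, "ServerKeyExchange", server.pub.to_bytes(16, "big"), tamper)
    send(server, client, "ServerHelloDone", b"", tamper)
    # Phase 3: client key exchange; its content depends on the key-exchange method.
    send(client, server, "ClientKeyExchange", client.pub.to_bytes(16, "big"), tamper)
    client.derive()
    server.derive()
    # Phase 4: (change_cipher_spec, then) Finished from each side, checked by the other.
    fin_c = client.verify_data("client")
    client_ok = hmac.compare_digest(fin_c, server.verify_data("client"))
    send(client, server, "Finished", fin_c, tamper)
    fin_s = server.verify_data("server")
    server_ok = hmac.compare_digest(fin_s, client.verify_data("server"))
    send(server, client, "Finished", fin_s, tamper)
    return {"same_master": client.master == server.master,
            "client_finished_ok": client_ok, "server_finished_ok": server_ok}


def downgrade(name, body):
    """Constructed attacker: rewrites the client's offered suite in flight."""
    return body[:32] + b"TOY_NULL_WITH_NULL_NULL" if name == "ClientHello" else body
```

`handshake()` completes with both Finished checks passing; `handshake(downgrade)` still derives a shared master secret (the DH values were untouched) but both Finished checks fail, which is exactly the case the Finished message exists for.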
802.11i Operational Phases
802.11i Architecture
• Authentication: protocol used to define an
exchange between a user and an authentication
server (AS) that provides mutual authentication
and generates temporary keys for the wireless link.
• Access control: function that enforces the use of
the authentication function, routes messages
properly and facilitates key exchange.
• Privacy with message integrity: MAC-level
data are encrypted along with a message integrity
code that ensures that the data have not been
altered.
802.11i Access Control
Intrusion Detection
• Security Intrusion: a security event, or a combination of
multiple security events, that constitutes a security incident in which
an intruder gains, or attempts to gain, access to a system (or system
resource) without having authorization to do so.
• Intrusion Detection: A security service that monitors and
analyzes system events for the purpose of finding, and providing
real-time or near-real-time warning of, attempts to access system
resources in an unauthorized manner.
• Intrusion Detection System Classification:
-Host-based IDS
-Network-based IDS
IDS Logical Components
• Sensors
• Analyzers
• User Interface
Approaches to Host-Based IDSs
• Anomaly Detection: involves the collection
of data relating to the behavior of legitimate users
over time; statistical tests are then applied to
observed behavior to decide whether it is legitimate.
-Threshold Detection: count occurrences of a
specific event type over an interval and alert if
the count exceeds a limit.
-Profile based: a profile of each user's past
activity is used to detect significant deviations.
• Signature Detection: involves an attempt to
define a set of rules or attack patterns that can be
used to decide that a given behavior is that of
an intruder.
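The three approaches side by side, as an added example that is not from the textbook: each detector runs over a handful of constructed auth-log lines (no real system produced them). Threshold detection counts failed logins per source, profile-based detection compares a login hour against a constructed per-user baseline, and signature detection applies two regular-expression rules (also constructed) to the raw messages.

```python
"""Added example: the three host-based IDS approaches on the slide, run over
constructed auth-log lines (not from any real system): threshold detection,
profile-based anomaly detection and signature (rule) detection."""
import re
import statistics
from collections import Counter

LOG = """\
2024-05-01T03:12:40 sshd[301]: Accepted publickey for alice from 10.0.0.5
2024-05-01T09:00:11 sshd[302]: Failed password for bob from 203.0.113.7
2024-05-01T09:00:13 sshd[303]: Failed password for bob from 203.0.113.7
2024-05-01T09:00:15 sshd[304]: Failed password for invalid user admin from 203.0.113.7
2024-05-01T09:00:17 sshd[305]: Failed password for invalid user test from 203.0.113.7
2024-05-01T09:00:19 sshd[306]: Failed password for root from 203.0.113.7
2024-05-01T09:00:21 sshd[307]: Failed password for root from 203.0.113.7
2024-05-01T14:05:02 sshd[308]: Failed password for bob from 10.0.0.8
2024-05-01T14:05:09 sshd[309]: Accepted password for bob from 10.0.0.8
2024-05-01T09:30:00 sudo[310]: carol : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow
2024-05-01T09:31:00 sudo[311]: carol : TTY=pts/0 ; COMMAND=/usr/bin/apt update
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
SSH = re.compile(r"^(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)$")
SUDO = re.compile(r"^(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")


def parse(log):
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        ev = {"ts": m["ts"], "hour": int(m["ts"][11:13]), "prog": m["prog"], "msg": m["msg"]}
        sub = (SSH if m["prog"] == "sshd" else SUDO).match(m["msg"])
        ev.update(sub.groupdict())
        events.append(ev)
    return events


def threshold_detect(events, limit=5):
    """Count failed logins per source; alert once the count exceeds the limit."""
    fails = Counter(e["src"] for e in events if e.get("result") == "Failed")
    return [f"{src}: {n} failed logins (limit {limit})" for src, n in fails.items() if n > limit]


def profile_detect(events, baseline, k=3.0):
    """Compare each successful login's hour with the user's historical profile."""
    alerts = []
    for e in events:
        if e.get("result") != "Accepted" or e["user"] not in baseline:
            continue
        hours = baseline[e["user"]]
        mean, sd = statistics.mean(hours), max(statistics.pstdev(hours), 1.0)  # floor sd: avoid div/0
        z = abs(e["hour"] - mean) / sd
        if z > k:
            alerts.append(f"{e['user']}: login at {e['hour']:02d}h, z={z:.1f} vs profile mean {mean:.1f}")
    return alerts


RULES = {  # constructed attack-pattern rules
    "sensitive-file-read": re.compile(r"COMMAND=\S*\b(cat|less|cp)\b .*/etc/shadow"),
    "invalid-user-probe": re.compile(r"Failed password for invalid user"),
}


def signature_detect(events, rules=RULES):
    """Match each raw message against the attack-pattern rules."""
    return [f"{name}: {e['msg']}" for e in events for name, rx in rules.items() if rx.search(e["msg"])]


def run():
    events = parse(LOG)
    baseline = {"alice": [9, 9, 10, 9, 8, 9], "bob": [14, 15, 13, 15, 14]}   # constructed login hours
    return {"threshold": threshold_detect(events), "profile": profile_detect(events, baseline),
            "signature": signature_detect(events)}
```

Note what each approach misses: the single failed login from 10.0.0.8 stays under the threshold, bob's 14h login matches his profile, and carol's `apt update` matches no signature, while alice's 03h login is caught only by the profile, not by any rule.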
Firewalls
• Provides an additional layer of defense
between internal systems and external
networks
• Firewalls use four techniques:
-Service Control
-Direction Control
-User Control
-Behavior Control
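The four techniques applied by one first-match packet filter, as an added example (not code from the textbook or any firewall product). The internal address range, rule set, user list, connection cap and sample packets are all constructed; direction is derived from the source address, service control matches protocol and port, user control applies only where a rule names users, and behavior control caps new inbound connections per source.

```python
"""Added example: a first-match packet filter applying the slide's four control
techniques: service (protocol/port), direction, user (on outbound SSH) and
behavior (a cap on new inbound connections per source). The address range,
rules and packets are constructed for the example."""
from collections import Counter

INTERNAL_PREFIX = "10.0.0."   # hypothetical protected network
MAX_NEW_INBOUND = 3           # behavior control: new inbound connections allowed per source

RULES = [  # evaluated top-down; first match wins; anything unmatched is denied
    {"dir": "inbound",  "proto": "tcp", "dport": 25,  "action": "allow"},   # mail to our MX
    {"dir": "inbound",  "proto": "tcp", "dport": 443, "action": "allow"},   # public web
    {"dir": "outbound", "proto": "tcp", "dport": 443, "action": "allow"},
    {"dir": "outbound", "proto": "tcp", "dport": 22,  "action": "allow", "users": {"alice"}},
    {"dir": "outbound", "proto": "udp", "dport": 53,  "action": "allow"},
]


def direction(pkt):
    """Direction control needs to know which side of the firewall a packet started on."""
    return "outbound" if pkt["src"].startswith(INTERNAL_PREFIX) else "inbound"


class Firewall:
    def __init__(self, rules=RULES, max_new_inbound=MAX_NEW_INBOUND):
        self.rules, self.max_new_inbound = rules, max_new_inbound
        self.new_inbound = Counter()
        self.log = []

    def decide(self, pkt):
        d = direction(pkt)
        verdict = "deny"
        for rule in self.rules:
            if (rule["dir"], rule["proto"], rule["dport"]) != (d, pkt["proto"], pkt["dport"]):
                continue                                   # service + direction control
            if "users" in rule and pkt.get("user") not in rule["users"]:
                continue                                   # user control
            verdict = rule["action"]
            break
        if verdict == "allow" and d == "inbound" and pkt.get("syn"):
            self.new_inbound[pkt["src"]] += 1              # behavior control
            if self.new_inbound[pkt["src"]] > self.max_new_inbound:
                verdict = "deny-rate"
        self.log.append((d, pkt["src"], pkt["dst"], pkt["proto"], pkt["dport"], verdict))
        return verdict


def pkt(src, dst, proto, dport, **extra):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, **extra}


PACKETS = [  # constructed traffic
    pkt("198.51.100.7", "10.0.0.2", "tcp", 25, syn=True),          # inbound mail: allow
    pkt("198.51.100.7", "10.0.0.2", "tcp", 23, syn=True),          # inbound telnet: deny
    pkt("10.0.0.5", "192.0.2.10", "tcp", 22, user="alice"),        # outbound ssh, alice: allow
    pkt("10.0.0.5", "192.0.2.10", "tcp", 22, user="bob"),          # outbound ssh, bob: deny
    pkt("10.0.0.5", "192.0.2.10", "udp", 53),                      # outbound dns: allow
    *[pkt("203.0.113.9", "10.0.0.3", "tcp", 443, syn=True)] * 4,   # 4 new inbound: 3 allowed
]


def run(packets=PACKETS):
    fw = Firewall()
    return [fw.decide(p) for p in packets]
```

The default-deny at the end of the rule walk is what makes service control meaningful: telnet is refused not because a rule names it but because nothing allows it. The `log` list is the monitoring point the next slide refers to.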
Firewall Capabilities
• Defines a single choke point that keeps
unauthorized users out of the protected
network.
• Provides a location for monitoring
security-related events.
• Provides a platform for several Internet
functions that are not security related,
such as NAT and network usage logging.
• Serves as a platform for IPSec.
Firewall Limitations
• Cannot protect against attacks that bypass
the firewall.
• May not protect against all internal threats.
• A wireless LAN may be accessed from
outside.
• A client (laptop, PDA, portable storage
device, etc.) may be infected outside and
then attached internally.
Firewall Types
Antivirus Approaches
• Prevention: Do not allow the virus to get into
the system.
• Detection: Once infection has occurred,
determine that it has occurred and locate the
virus.
• Identification: Once detection has been
achieved, identify the specific virus that has
infected a program.
• Removal: Remove all traces of the virus and
restore the program to its original state.
Generic Decryption
• Enables antivirus programs to detect
complex polymorphic viruses.
• Generic Decryption elements:
-CPU emulator
-Virus signature scanner
-Emulation control module
• The most difficult design issue is to
determine how long to run the emulation:
too short and the body is never decrypted,
too long and scanning becomes too slow.
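The three elements and the "how long to run" problem in one toy, as an added example (not from the textbook or any antivirus engine). A constructed "virus" is a short decryptor loop for a seven-instruction toy CPU followed by an XOR-encrypted body; each sample uses a different key, so a plain signature scan never matches. The CPU emulator runs the sample, the scanner checks memory after every step, and the emulation control module stops at a step limit. The instruction set, signature string and layout are all constructed.

```python
"""Added example: a toy generic-decryption scanner. A constructed 'virus' ships
as a decryptor loop plus an XOR-encrypted body; every sample uses a different
key, so a static signature scan misses it. Emulating the decryptor in a tiny
CPU and scanning memory after each step finds the signature, if the emulation
control module lets it run long enough."""
LOAD_IMM, XOR_MEM, INC, DEC, JNZ, JMP, HALT = 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0xFF
SIGNATURE = b"VIRUS-SIG"      # constructed signature string
BODY_START = 21               # decryptor occupies bytes 0..20


def build_sample(key):
    """Polymorphic variant: same decryptor, body XORed with a per-sample key."""
    body = b"\x90" + SIGNATURE + bytes([HALT])
    decryptor = bytes([
        LOAD_IMM, 0, BODY_START,     # r0 = address of first body byte
        LOAD_IMM, 1, key,            # r1 = key
        LOAD_IMM, 2, len(body),      # r2 = bytes left
        XOR_MEM, 0, 1,               # loop (offset 9): mem[r0] ^= r1
        INC, 0,
        DEC, 2,
        JNZ, 2, 9,                   # back to the XOR_MEM at offset 9
        JMP, BODY_START,             # fall into the decrypted body
    ])
    assert len(decryptor) == BODY_START
    return decryptor + bytes(b ^ key for b in body)


def static_scan(sample, signature=SIGNATURE):
    return signature in sample


def generic_decrypt_scan(sample, max_steps, signature=SIGNATURE):
    """Return (found, steps_used). The CPU emulator runs the sample, the scanner
    checks memory after every step, emulation control stops at max_steps."""
    mem = bytearray(sample) + bytearray(16)
    regs = [0, 0, 0, 0]
    pc, steps = 0, 0
    while steps < max_steps:
        op = mem[pc]
        if op == HALT:
            break
        steps += 1
        if op == LOAD_IMM:
            regs[mem[pc + 1]] = mem[pc + 2]
            pc += 3
        elif op == XOR_MEM:
            mem[regs[mem[pc + 1]]] ^= regs[mem[pc + 2]]
            pc += 3
        elif op == INC:
            regs[mem[pc + 1]] = (regs[mem[pc + 1]] + 1) & 0xFF
            pc += 2
        elif op == DEC:
            regs[mem[pc + 1]] = (regs[mem[pc + 1]] - 1) & 0xFF
            pc += 2
        elif op == JNZ:
            pc = mem[pc + 2] if regs[mem[pc + 1]] else pc + 3
        elif op == JMP:
            pc = mem[pc + 1]
        else:
            break                                  # not code we understand: stop emulating
        if signature in mem:                       # virus signature scanner
            return True, steps
    return False, steps
```

With a budget of 200 steps the signature appears at step 40, once the last byte of the body has been XORed back; with a budget of 10 the scanner gives up while the body is still encrypted, which is the trade-off the last bullet describes.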
Digital Immune System
• Developed first by IBM, then refined by
Symantec.
• Provides a general purpose emulation and
virus detection system.
• Detects new viruses, analyzes them, adds
detection and shielding for them, removes
them and passes information about each
virus on to other systems.
Digital Immune System
Behavior-Blocking Software
• Integrates with the operating system and
monitors program behavior in real-time for
malicious actions.
• Blocks potentially malicious actions.
• Suspicious software is also blocked.
Behavior-Blocking Software
Operation
Requirements for Worm
Countermeasures
• Generality
• Timeliness
• Resiliency
• Minimal denial-of-service costs
• Transparency
• Global and local coverage
Classes of Worm Defense
• Signature-based worm scan filtering
• Filter-based worm containment
• Payload-classification-based worm
containment
• Threshold random walk (TRW) scan
detection
• Rate limiting
• Rate halting
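Threshold random walk (TRW) scan detection from the list above, as an added example that is not from the textbook: it is the sequential hypothesis test in which every first-contact connection attempt from a source moves a log-likelihood ratio up (failure, as a scanner would produce) or down (success), and a source is declared a scanner or benign once the ratio crosses a threshold. The parameter values are the commonly cited defaults, the hosts and connection attempts are constructed, and repeat contacts to an already-contacted destination are deliberately ignored because they carry no evidence.

```python
"""Added example: Threshold Random Walk (TRW) scan detection over constructed
first-contact connection attempts. Parameter values are commonly cited
defaults, not from the slide."""
import math
from collections import defaultdict

THETA0, THETA1 = 0.8, 0.2   # P(first contact succeeds) under H0 (benign) and H1 (scanner)
ALPHA, BETA = 0.01, 0.99    # tolerated false-positive rate, desired detection rate
ETA1 = math.log(BETA / ALPHA)                         # upper bound: declare scanner
ETA0 = math.log((1 - BETA) / (1 - ALPHA))             # lower bound: declare benign
STEP_SUCCESS = math.log(THETA1 / THETA0)              # negative: evidence for benign
STEP_FAILURE = math.log((1 - THETA1) / (1 - THETA0))  # positive: evidence for scanning


class TRWDetector:
    def __init__(self):
        self.llr = defaultdict(float)       # running log-likelihood ratio per source
        self.seen = defaultdict(set)        # destinations already contacted per source
        self.count = defaultdict(int)       # first-contact attempts observed
        self.verdict = {}

    def observe(self, src, dst, success):
        """Update the random walk for one connection attempt; return the current verdict."""
        if src in self.verdict:
            return self.verdict[src]          # decision is final for this source
        if dst in self.seen[src]:
            return "pending"                  # only first-contact attempts carry evidence
        self.seen[src].add(dst)
        self.count[src] += 1
        self.llr[src] += STEP_SUCCESS if success else STEP_FAILURE
        if self.llr[src] >= ETA1:
            self.verdict[src] = "scanner"
        elif self.llr[src] <= ETA0:
            self.verdict[src] = "benign"
        return self.verdict.get(src, "pending")


EVENTS = [  # constructed (src, dst, was the first SYN answered?)
    *[("203.0.113.9", f"10.0.0.{i}", False) for i in range(1, 7)],   # sweeps the subnet, all refused
    *[("10.0.0.5", f"10.0.0.{i}", True) for i in range(10, 14)],     # normal host, all succeed
    ("10.0.0.5", "10.0.0.10", True),                                  # repeat contact: ignored
    ("10.0.0.7", "10.0.0.20", False), ("10.0.0.7", "10.0.0.21", False),
    ("10.0.0.7", "10.0.0.22", True), ("10.0.0.7", "10.0.0.23", True),
    ("10.0.0.7", "10.0.0.24", True),                                  # mixed: stays undecided
]


def run(events=EVENTS):
    det = TRWDetector()
    decided_at = {}
    for src, dst, ok in events:
        v = det.observe(src, dst, ok)
        if v != "pending" and src not in decided_at:
            decided_at[src] = det.count[src]
    verdicts = {src: (det.verdict.get(src, "pending"), det.count[src]) for src in det.count}
    return verdicts, decided_at
```

With these parameters each failure multiplies the likelihood ratio by 4 and each success by 0.25, so four consecutive refused first contacts are enough to flag a scanner (4^4 = 256 > 99) while three are not; a host with mixed results stays undecided, which is how TRW keeps its false-positive rate low without a fixed connection count.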