8. managing data resources
Security in Networks—
Their design, development, usage…
Barbara Endicott-Popovsky
CSSE592/491
In collaboration with:
Deborah Frincke, Ph.D.
Director, Center for Secure and Dependable
Systems
University of Idaho
Text Book
Both broad survey and focused
Chapters 1-2 lay groundwork
Chapters 3–7 Software
• Chapter 7
  – Contrast to standalone environments
  – Threats
  – Controls
  – Tools: Firewalls, Intrusion detection, Secure e-mail
Chapter 9 Privacy, ethics, the law
Chapter 10 Cryptography – the how
In this section of the course we will look at…
Networks—their design, development, usage
• The Basics
• Threats
• Controls
• Tools
  • Firewalls
  • Intrusion Detection
  • Secure e-mail
Source: Pfleeger & Pfleeger
Agenda
I. The Basics
II. Threats
III. Controls
IV. Tools
Source: Pfleeger & Pfleeger
I. The Basics
Terms
• Topology
• Media
• Analog/digital
• Protocols
• LAN/WAN
• Internet
• Distributed System
• API’s
Source: Pfleeger & Pfleeger
ISO/OSI Model
OSI Layer   Name           Activity
7           Application    User-level data
6           Presentation   Standardized data appearance
5           Session        Logical connection among parts
4           Transport      Flow control
3           Network        Routing
2           Data Link      Reliable data delivery
1           Physical       Actual communication across physical medium
Source: Pfleeger & Pfleeger
TCP/IP vs. OSI
OSI Layer   Name           Activity
7           Application    User-level data
6           Presentation   Standardized data appearance
5           Session        Logical connection among parts
4           Transport      Flow control
3           Network        Routing
2           Data Link      Reliable data delivery
1           Physical       Actual communication across physical medium

TCP/IP Layer   Action                          Responsibilities
Application    Prepare messages                User interaction, addressing
Transport      Convert messages to packets     Sequencing, reliability, error correction
Internet       Convert messages to datagrams   Flow control, routing
Physical       Transmit datagrams as bits      Data communication
Source: Pfleeger & Pfleeger
Issues
ISO/OSI:
Slows things down
TCP/IP:
More efficient
Open
NOTE:
Study this part of the Chapter
Results:
TCP/IP used over Internet
Introduces security issues
Source: Pfleeger & Pfleeger
II. Threats
Vulnerabilities
Attackers
Threats
• Precursors
• In transit
• Protocol flaws
• Impersonation
• Spoofing
• Message Confidentiality / Integrity threats
• Web Site Defacement
• Denial of Service (DOS)
• Distributed Denial of Service (DDOS)
• Active or Mobile Code Threats
• Complex Attacks
Source: Pfleeger & Pfleeger
Vulnerabilities
Anonymity
Many points of attacks—targets and origins
Sharing
Complexity of system
Unknown perimeter
Unknown path
Source: Pfleeger & Pfleeger
Attackers
Kiddiescripters
Industrial spies
Information warfare
Cyber terrorists
“Hactivists”
Wardrivers, etc.
Profile—see Mitnick
Source: Pfleeger & Pfleeger
Threat Spectrum
Source: Deb Frincke
From CSI/FBI Report 2002
• 90% detected computer security breaches
• 80% acknowledged financial losses
• 44% (223) were willing / able to quantify losses: $455M
• Most serious losses: theft of proprietary information and fraud
• 26 respondents: $170M
• 25 respondents: $115M
• 74% cited Internet connection as a frequent point of attack
• 33% cited internal systems as a frequent point of attack
• 34% reported intrusions to law enforcement (up from 16% in 1996)
Source: Deb Frincke
More from CSI/FBI 2002
40% detected external penetration
40% detected DOS attacks.
78% detected employee abuse of Internet
85% detected computer viruses.
38% suffered unauthorized access on Web sites
21% didn’t know.
12% reported theft of information.
6% reported financial fraud (up from 3% in 2000).
Source: Deb Frincke
Threats: Precursors
Port Scan
Social Engineering
Reconnaissance
OS Fingerprinting
Bulletin Boards / Chats
Available Documentation
Source: Pfleeger & Pfleeger
Threats: In Transit
Packet Sniffing
Eavesdropping
Wiretapping
Microwaves
Satellites
Fiber
Wireless
Source: Pfleeger & Pfleeger
Threats: Protocol Flaws
Public protocols
Flaws public
Human errors
Source: Pfleeger & Pfleeger
Threats: Impersonation
Guessing
Stealing
Wiretapping
Eavesdropping
Avoid authentication
Nonexistent authentication
Known authentication
Trusted authentication
Delegation
MSN Passport
Source: Pfleeger & Pfleeger
Threats: Spoofing
Masquerade
Session hijacking
Man-in-the-Middle attack
Source: Pfleeger & Pfleeger
Threats:
Message Confidentiality/Integrity
Misdelivery
Exposure
Traffic flow analysis
Falsification of messages
Noise
Source: Pfleeger & Pfleeger
Threats: Web Site Defacement
Buffer overflows
Dot-Dot and address problems
Server-Side include
Source: Pfleeger & Pfleeger
Threats: Denial of Service (DOS)
Transmission failure
Connection flooding
Echo-chargen
Ping of death
Smurf attack
Service
Syn flood
Traffic redirection
DNS attack
BIND
Source: Pfleeger & Pfleeger
Threats:
Distributed Denial of Service (DDOS)
Trojan horses planted
Zombies attack
Source: Pfleeger & Pfleeger
Threats: Active/Mobile Code
(Code Pushed to the Client)
Cookies
Per-session
Persistent
Scripts
Active code
Hostile applet
Auto Exec by type
Source: Pfleeger & Pfleeger
Threats: Complex Attacks
Script Kiddies
Building Blocks
Source: Pfleeger & Pfleeger
III. Controls
Design
Architecture
• Segmentation
• Redundancy
• Single points of failure
Encryption
• Link encryption
• End-to-end encryption
• VPN’s
• PKI and Certificates
• SSH and SSL encryption
• IPSec
• Signed code
• Encrypted e-mail
Source: Pfleeger & Pfleeger
Controls (cont’d.)
Content Integrity
• Error correcting codes
• Cryptographic Checksum
Strong Authentication
• One-time password
• Challenge-Response systems
• Digital distributed authentication
• Kerberos
Access controls
• ACL’s on routers
• Firewalls
Alarms and Alerts
Honeypots
Traffic Flow Security
• Onion routing
Source: Pfleeger & Pfleeger
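The slide lists two content-integrity controls, error-correcting codes and cryptographic checksums, without saying why both exist. The Python example below (added here; it is not from the lecture or the Pfleeger text) contrasts them against the two integrity threats named earlier, noise and falsification of messages: a plain CRC-32 catches a flipped bit, but an attacker who rewrites the message can simply recompute the CRC, whereas an HMAC keyed with a secret the attacker lacks cannot be recomputed. The shared key, the messages and the simulated tampering are all constructed for illustration.

```python
"""Content integrity: error-detecting checksum vs. keyed cryptographic checksum.

Added example, not part of the original slides. The key, the messages and the
'tampering' below are constructed for illustration only.
"""
import hashlib
import hmac
import zlib

# Constructed shared secret between sender and receiver (assumption).
SHARED_KEY = b"example-shared-key-not-a-real-secret"


def crc_tag(message: bytes) -> int:
    """Non-cryptographic checksum: designed to detect accidental corruption."""
    return zlib.crc32(message) & 0xFFFFFFFF


def crc_verify(message: bytes, tag: int) -> bool:
    return crc_tag(message) == tag


def mac_tag(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Keyed cryptographic checksum (HMAC-SHA256): needs the key to recompute."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(message: bytes, tag: bytes, key: bytes = SHARED_KEY) -> bool:
    # Constant-time comparison so verification timing leaks nothing about the tag.
    return hmac.compare_digest(mac_tag(message, key), tag)


def flip_bit(message: bytes, bit_index: int) -> bytes:
    """Simulate line noise: flip a single bit of the message."""
    buf = bytearray(message)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def simulate() -> dict:
    """Run both controls against noise and against deliberate falsification."""
    original = b"TRANSFER 100 TO ACCOUNT 42"
    crc = crc_tag(original)
    mac = mac_tag(original)

    # Case 1: noise in transit. The receiver still holds the sender's tags.
    noisy = flip_bit(original, 13)
    noise_caught_by_crc = not crc_verify(noisy, crc)
    noise_caught_by_mac = not mac_verify(noisy, mac)

    # Case 2: falsification. The message is rewritten and, because a CRC needs
    # no secret, a matching CRC is recomputed. The HMAC cannot be recomputed
    # without SHARED_KEY, so the receiver sees the original tag on a changed message.
    forged = b"TRANSFER 100 TO ACCOUNT 99"
    forged_crc = crc_tag(forged)
    forgery_caught_by_crc = not crc_verify(forged, forged_crc)
    forgery_caught_by_mac = not mac_verify(forged, mac)

    return {
        "noise_caught_by_crc": noise_caught_by_crc,
        "noise_caught_by_mac": noise_caught_by_mac,
        "forgery_caught_by_crc": forgery_caught_by_crc,
        "forgery_caught_by_mac": forgery_caught_by_mac,
    }


if __name__ == "__main__":
    for check, result in simulate().items():
        print(f"{check:24s} {result}")
```

The design point for a practitioner: an error-detecting or error-correcting code belongs on the channel, where it protects against the noise threat cheaply; only a keyed checksum (or a digital signature, for the non-repudiation case) protects against an active attacker, and it must be computed over the message exactly as the receiver will verify it.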
IV. Tools
Firewalls
Intrusion Detection Systems
Secure e-Mail
Source: Pfleeger & Pfleeger
Firewalls
Packet filtering gateway
Stateful inspection firewall
Application proxy gateway
Guard
Personal firewalls
Source: Pfleeger & Pfleeger
Intrusion Detection Systems
Signature-based IDS
Heuristic IDS
Stealth mode
Source: Pfleeger & Pfleeger
IDS Characteristics
Goals
• Detect all attacks
• Little performance impact
Alarm response
• Monitor and collect data
• Protect
• Call administrator
Limitations
• Avoidance strategies
• Sensitivity
• Only as good as the process/people
Source: Pfleeger & Pfleeger
Secure e-Mail
Designs
• Confidentiality—encryption
• Message integrity checks
Examples
• PGP
• S/MIME
Source: Pfleeger & Pfleeger