Overview of network security

Material derived from the textbook (Pfleeger), Chapter 7. Some statements are copied verbatim from the textbook. Images are from the textbook.
Slides by Prem Uppuluri, based on material from various sources. ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings.
What are some of the network security controls you are familiar with?
• There are several network security controls, ranging from firewalls, VPNs, link to link encryption, intrusion detection systems etc…
• Most of these techniques are based on encryption technologies, security models, OS security.
• But first: network threat analysis.
Enumeration of threats to a network.
We looked at various network security vulnerabilities in our first few lectures…
Can you summarize some of the vulnerabilities and threats?
© Pfleeger. Material on this slide derived from the textbook Security in Computing by Pfleeger, pages 404 to 439.
Review: Threats to a network
• Here are some individual parts of a network:
  • local nodes connected via
    – local communications links to a
    – local area network, which also has
    – local data storage,
    – local processes, and local devices.
  • The local network is also connected to a
    – network gateway which gives access via
    – network communications links to
    – network control resources,
    – network routers, and
    – network resources, such as databases.
• Come up with a list of different types of threats.
Review: Threats to a network: Summary (2)
• intercepting data in traffic
• accessing programs or data at remote hosts
• modifying programs or data at remote hosts
• modifying data in transit
• inserting communications
• impersonating a user
• inserting a repeat of a previous communication
• blocking selected traffic
• blocking all traffic
• running a program at a remote host
Network security controls
• First we will discuss the various network architectures and how they affect security.
Security control 1: Architecture
• How should networks (LANs etc..) be
designed to reduce vulnerabilities?
Architecture 1: Segmented and separate architecture
Run the various network services on separate computers and separate LANs.
Segmentation and separation mechanism:
• An organization’s network is divided into multiple local networks ("subnets"; you can see this distinction in the IP addresses, example on the next slide).
• Network services (e.g., email/web) are distributed across the local networks.
• Local networks are separated by routers that restrict/mediate access from one local network to the other.
Figure 7-19 Segmented Architecture with separation.
Another way to segment: separation.
Architecture 1: Segmented Architecture Example
Consider Radford University’s network.
The “main” network, i.e., all computers in RU’s network, begin with the IP address: 137.45.*
However, there are several “sub” networks or local networks. E.g.,
1. 137.45.29.* (all machines in this subnetwork have an IP address that begins with 137.45.29.).
2. 137.45.192.* (all computers in Davis Hall begin with this IP)
3. Etc…
So RU distributes its network services across these networks. E.g.,
1. Email (Microsoft Exchange server): 137.45.130.60
2. The portal myru.radford.edu: 137.45.29.60
3. The library webserver is: 137.45.30.34
So how does distributing the network services across different local networks achieve security?
Architecture 1: Segmented Architecture (3)
We saw that RU distributes its network services across multiple networks. E.g.,
1. Email (Microsoft Exchange server): 137.45.130.60
2. The portal myru.radford.edu: 137.45.29.60
3. The library webserver is: 137.45.30.34
So how does this increase security?
Limit the harm that can be done if …
• one local network is compromised, or,
• one service (e.g., email) is compromised.
The other services are on a different local network, and access to those from the compromised service can be restricted, and requires a new attack.
In summary, segmentation restricts the damage that a single vulnerability can do.
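Added example (not from the slides or the textbook): a small model of the segmented campus network above, with the routers' access policy between subnets made explicit, to show how the harm from one compromised host or subnet stays bounded. The subnet names and the ALLOWED_FLOWS policy are assumptions made for this demo; the addresses are the ones the slides list, read as /24 networks.

```python
import ipaddress

# Subnets named on the slides (137.45.29.*, 137.45.30.*, 137.45.130.*, 137.45.192.*),
# read here as /24 networks. The names are constructed for this example.
SUBNETS = {
    "portal-net":  ipaddress.ip_network("137.45.29.0/24"),
    "library-net": ipaddress.ip_network("137.45.30.0/24"),
    "mail-net":    ipaddress.ip_network("137.45.130.0/24"),
    "davis-hall":  ipaddress.ip_network("137.45.192.0/24"),
}

# The services and addresses listed on the slides.
SERVICES = {
    "exchange": ipaddress.ip_address("137.45.130.60"),
    "myru":     ipaddress.ip_address("137.45.29.60"),
    "library":  ipaddress.ip_address("137.45.30.34"),
}

# Hypothetical router policy: (source subnet, destination subnet) pairs that the
# routers forward; everything else is dropped. Traffic that stays inside one
# subnet never crosses a router, so it is always allowed.
ALLOWED_FLOWS = {
    ("davis-hall", "portal-net"),
    ("davis-hall", "mail-net"),
    ("davis-hall", "library-net"),
    ("portal-net", "mail-net"),   # the portal shows mail, so it may reach Exchange
}


def subnet_of(addr) -> str:
    """Name of the subnet containing addr; raises if it is outside the campus ranges."""
    ip = ipaddress.ip_address(addr)
    for name, net in SUBNETS.items():
        if ip in net:
            return name
    raise ValueError(f"{ip} is not in any known subnet")


def router_allows(src, dst) -> bool:
    """Would the routers forward a packet from src to dst (complete mediation)?"""
    s, d = subnet_of(src), subnet_of(dst)
    return s == d or (s, d) in ALLOWED_FLOWS


def reachable_services(host) -> set:
    """Services that a host (e.g. one that has been compromised) can still reach."""
    return {name for name, ip in SERVICES.items() if router_allows(host, ip)}


def reachable_subnets(host) -> set:
    """Subnets a compromised host can send packets into (its own one included)."""
    src = subnet_of(host)
    return {src} | {d for (s, d) in ALLOWED_FLOWS if s == src}


if __name__ == "__main__":
    for host in ("137.45.192.10", "137.45.29.60", "137.45.30.34", "137.45.130.60"):
        print(f"{host:16} in {subnet_of(host):12} can reach "
              f"{sorted(reachable_services(host))} via {sorted(reachable_subnets(host))}")
```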
Architecture 1: Segmented and separate architecture (4)
Question: Which design principles of security does a segmented and separated
architecture implement?
- Principle of least common mechanism (services do
not share the same workstation or server)
- Principle of complete mediation (access to local
networks mediated by routers)
- Principle of defense in depth
Figure 7-19 Segmented Architecture with separation.
Architecture 2: Redundancy
Another way to increase security.
• Having multiple copies of the same server possibly
distributed across multiple networks
– E.g., What are the IP addresses of google search engine’s
web servers?
Architecture 3: Single Point of Failure
• Is there any component of the network whose failure will cause the system to become insecure?
• Recognizing and avoiding such single points of failure will help make the network tolerant of such failures.
So far…
• We looked at how network architecture affects security.
• Next: how to use encryption in network security.
Security Control 2: Using Encryption for Confidentiality and Integrity
• We have already looked at encryption.
• However, a few things to note:
  – Encryption is not the end-all solution.
• Question: Where to apply encryption?
  – Consider two computers A, B that need to communicate across the internet.
  – There are several other computers between them. So the question is where encryption should be applied:
    • Between the two computers A and B (called end to end encryption), or,
    • Between all the individual computers (link encryption).
• Next: To understand this you need to have a basic understanding of what a “layered” network model is.
Digression: Layered network architecture
Example: How does a letter get transported?
• Goal: you want to send a letter from Radford, U.S.A to Barcelona, Spain.
• First you put two addresses on the letter.
  – One for the sender and the other for the receiver.
• Next, you drop it in the local post office.
• The local post office checks the destination address (Spain).
  – Problem: Can the Radford post office directly send the letter to Barcelona, Spain? This would require each post office to have an airplane!!
    • This is wasteful!
  – Solution: the Radford post office sends to a central location (a bigger location), e.g., New York.
  – Hence, the goal of the Radford post office is now limited: simply “route” all non-U.S destination letters to New York.
How does a letter get transported (2)?
• Goal of Radford post office is now limited: simply “route” all
non-U.S destination letters to New York.
• Now, New York has to worry about sending letters to Spain.
• For efficiency, New York may send all European letters to
London, UK.
• And London, UK then takes care of delivering to Spain.
• So multiple “routers” were involved in delivering the letter.
• Suppose the letter had delivery confirmation – then: the
post office in Radford is the one that tracks the delivery by
calling up Barcelona, Spain.
[Figure: From Radford to Spain. Route: Radford, VA (24142) -> New York, NY (10013) -> London, UK -> Barcelona, Spain. The Radford post office, the New York post office and the London post office are each responsible for one leg of the route.]
Computer networks are similar: protocols are layered.
• Suppose we want to send data from Host A to Host B.
• Each computer is running a series of network protocols (the software part).
• Protocols have layers. Each layer performs some function for the higher layer.
• In the example below:
  – The top layer (called the transport layer) is responsible for overall communication.
  – The Internet layer is responsible for finding the best way to send the data from A to B.
  – The network interface is the network card (that decides whether to use WiFi vs. regular network). This layer is responsible for actually putting the network data onto the physical medium.
[Figure: Host A and Host B each run a transport layer (the top layer protocol), an Internet layer and a network interface. The three routers between them run only the Internet layer (routing) and network interfaces.]
Question on encryption
• So should the intermediate
computers be responsible for
encryption or should the host A and B
be responsible for it?
• Depends.
– The first option is called link to link
encryption.
– The second is end to end encryption.
Applying Encryption from link to link.
Data is encrypted just before the data is placed on the physical
medium. Each intermediate host is responsible for
encryption/decryption. E.g., The intermediate host in the figure
below has to decrypt any message that it receives from the
sender and again encrypt it before sending to the receiver.
Figure 7-20 Link Encryption.
An example of a message using encryption at the link.
Network data is in the form of small messages called “packets”.
Each packet contains many parts: source IP address, destination IP
address. When using link to link encryption – the complete packet
except the address of the next computer in the network is
encrypted.
Figure 7-21 Message Under Link Encryption.
Applying Encryption from link to link (2).
What are some advantages of this type of encryption?
• Main advantage: Transparent: Encryption/decryption is
automatic and always there; (say) email software doesn’t have to
worry about encryption/decryption; the link will take care of it.
• This results in complete mediation – all network traffic is fully
encrypted.
Figure 7-20 Link Encryption.
Applying Encryption from link to link (2).
Disadvantages of this type of encryption?
• Encrypted messages can be “read” by every intermediate router. Intermediate routers are expected to be “trusted”.
• Usually used: by ISPs or in local networks.
• E.g., CISCO TrustSec Fibre channel – can be used to create link to link encryption in a local network.
• Another example: Government/Military networks (see this solicitation: https://www.fbo.gov/?s=opportunity&mode=form&id=cf64ad1cb8b976ab3d4e34ce12c4968b&tab=core&_cview=0).
Another option: End-to-End Encryption. The application (or transport layer) encrypts the data at the source (sender); the data can only be decrypted at the destination (receiver). Intermediate routers can only see “encrypted” data. However, the sender’s IP address and the receiver's IP address are not encrypted (otherwise the intermediate routers will not know what the destination is).
Figure 7-22 End-to-End Encryption.
Another option: End-to-End Encryption (2).
As you may notice, only the message data is encrypted. The addresses are not –
So intermediate routers can know who the sender and receiver are but cannot
decipher the message.
Figure 7-23 End-to-End Encrypted Message.
Figure 7-24
Encrypted Message Passing Through a Host in end to end encryption.
Link to Link vs. End to End.
• Table 7-5, Comparison of Link vs. End-to-End Encryption.

Link Encryption                          | End-to-End Encryption
-- Security within hosts --
Data exposed in sending host             | Data encrypted in sending host
Data exposed in intermediate nodes       | Data encrypted in intermediate nodes
-- Role of user --
Applied by sending host                  | Applied by sending application
Invisible to user                        | User applies encryption
Host maintains encryption                | User must find algorithm
One facility for all users               | User selects encryption
Typically done in hardware               | Either software or hardware implementation
All or no data encrypted                 | User chooses to encrypt or not, for each item
-- Implementation concerns --
Requires one key per host pair           | Requires one key per user pair
Provides node authentication             | Provides user authentication
Requires capable network interfaces      |
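Added example (not from the slides or Pfleeger): a simulation of one packet crossing A -> R1 -> R2 -> B under link encryption and under end-to-end encryption, recording what every node and every wiretap on a link can read, which reproduces the "data exposed" rows of Table 7-5 and the key-count difference. Node names, keys, the header layout and the toy XOR cipher are constructed for this demo; the cipher is not a real one and must not be used for traffic.

```python
import hashlib
from typing import Dict, Tuple


def toy_crypt(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256-derived keystream (demo only)."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(x ^ y for x, y in zip(data, stream))


PATH = ["A", "R1", "R2", "B"]                 # sender, two routers, receiver
# Link encryption needs one key per adjacent host pair (Table 7-5).
LINK_KEYS = {("A", "R1"): b"link-A-R1", ("R1", "R2"): b"link-R1-R2", ("R2", "B"): b"link-R2-B"}
# End-to-end encryption needs one key per communicating user/application pair.
E2E_KEY = b"app-key-A-B"
HEADER = b"src=A;dst=B;"                     # constructed addressing header

View = Tuple[bytes, bytes]                    # (header, body) as a node or wiretap sees it


def link_encryption(body: bytes) -> Dict[str, View]:
    """Figures 7-20/7-21: the whole packet is encrypted on each link with that
    link's key. Every node must decrypt it to read the addresses, so each node
    holds header and body in the clear; a tap on the wire sees neither."""
    views: Dict[str, View] = {}
    wire = b""
    for i, node in enumerate(PATH):
        if i == 0:
            header, clear = HEADER, body
        else:                                 # strip the inbound link's encryption
            plain = toy_crypt(LINK_KEYS[(PATH[i - 1], node)], wire)
            header, clear = plain[:len(HEADER)], plain[len(HEADER):]
        views[node] = (header, clear)
        if i + 1 < len(PATH):                 # re-encrypt for the outbound link
            wire = toy_crypt(LINK_KEYS[(node, PATH[i + 1])], header + clear)
            views[f"tap {node}-{PATH[i + 1]}"] = (wire[:len(HEADER)], wire[len(HEADER):])
    return views


def end_to_end_encryption(body: bytes) -> Dict[str, View]:
    """Figures 7-22/7-23: the application on A encrypts only the body. The
    header stays in the clear so routers can forward, and only B holds the key."""
    views: Dict[str, View] = {}
    sealed = toy_crypt(E2E_KEY, body)
    for i, node in enumerate(PATH):
        if node == "A":
            views[node] = (HEADER, body)
        elif node == "B":
            views[node] = (HEADER, toy_crypt(E2E_KEY, sealed))   # only B can decrypt
        else:
            views[node] = (HEADER, sealed)    # routers forward the ciphertext untouched
        if i + 1 < len(PATH):
            views[f"tap {node}-{PATH[i + 1]}"] = (HEADER, sealed)
    return views


def can_read_body(views: Dict[str, View], body: bytes) -> list:
    """Nodes and taps whose view contains the body in the clear."""
    return sorted(name for name, (_, b) in views.items() if b == body)


def can_read_header(views: Dict[str, View]) -> list:
    """Nodes and taps whose view contains the addresses in the clear."""
    return sorted(name for name, (h, _) in views.items() if h == HEADER)


if __name__ == "__main__":
    msg = b"meet at 14:10"   # constructed message body
    for label, fn in (("link", link_encryption), ("end-to-end", end_to_end_encryption)):
        v = fn(msg)
        print(f"{label:10} body readable at {can_read_body(v, msg)}; header readable at {can_read_header(v)}")
```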
Examples of end to end encryption
• SSH (Secure Shell, including sftp, scp) uses a protocol called TLS (transport layer security) that imposes end to end communication.
• VPNs (virtual private networks, e.g., CISCO VPN)
SSH (secure shell)
• Uses a protocol called TLS (transport layer security). Some steps in TLS:
  – The user’s computer and the server’s computer exchange public keys. (Notice: when you first SSH to a computer, you see a message such as:
The authenticity of host 'seguridad (137.45.192.121)' can't be
established. RSA key fingerprint is
05:eb:d9:2f:e4:e1:af:75:96:2f:7c:2c:5e:26:28:7e.
Are you sure you want to continue connecting (yes/no)?
    • This step is asking the user if the user can trust the public key provided by the server. (This way it dispenses with the need for Certification authorities to establish trust.)
  – The public key of the host and user’s machine is used to exchange a secret key.
  – The secret key is then used to encrypt the “login” information (username/password) sent over the network, using (say) AES.
  – The secret key is temporary and limited to the session.
• All communication through SSH (whatever you type in putty) is encrypted at the source (your computer) and decrypted at the destination (the computer you are connected to).
Virtual Private Networks (VPN): more secure
VPNs also use TLS but provide more security than an SSH session…
In a VPN, the user connects to a VPN server in the company using TLS (see previous slide) just like in SSH, but:
The VPN server is connected to the internal server through a firewall.
Also, the internal server’s IP address is not exposed.
Figure 7-25 Establishing a Virtual Private Network.
Virtual Private Networks (VPN): more secure (2)
Also, the internal server’s IP address is not exposed. …How?
Data sent from the user is encrypted till the VPN server.
The destination IP address on every item of data is the VPN server; this is exposed to the intermediate routers. However, the actual destination (which is some internal server) is encrypted. Only the VPN server can decrypt this and route it to the appropriate internal server.
Principle of complete mediation, for the client's net.
Figure 7-25 Establishing a Virtual Private Network.
Figure 7-26 VPN to Allow Privileged Access.
Security Control: Network Authentication.
• A much more difficult problem than confidentiality and integrity.
• More difficult to achieve in networks compared with stand-alone workstations.
  – Why? Simple passwords are not sufficient:
    • Potential for wiretapping.
    • Hard because of the number of network servers.
      – E.g., consider the Radford University environment.
• Solution: Authentication systems that factor in time limits and ease of use. Examples:
  • Challenge-response system (fixes issues with one-time password)
  • Kerberos (Example: Radford University’s single sign-on: myru allows access to email, advising info, and (outsourced) D2L).
Authentication Applications: Kerberos.
• Kerberos: authentication in distributed
systems.
• Motivation: In large organizations, users
are provided with various servers. E.g., in
Radford:
– Exchange server (for email)
– WebCT (for course information)
– DegreeWorks (for course auditing)
• Problem: how can a user authenticate
him/herself when accessing these
services?
Possible solutions
• Options for students to authenticate:
– For each service provide user name and
password. Also, require servers to prove
identity for each service invoked
• Problem?
– Authenticate using the IP address of
the client. E.g., all machines on-campus
are allowed.
• Each client machine authenticates the user.
• Problem?
Possible solutions
• Options for students to authenticate:
– For each service provide user name and
password. Also, require servers to prove
identity for each service invoked
• Problem: every time you check email, you have to
provide username/password. TEDIOUS!
– Authenticate using the IP address of the client.
E.g., all machines on-campus are allowed.
• Each client machine authenticates the user.
• Problem of forgery or alteration. How?
• Solution: Kerberos.
Kerberos is…
• (a) a scalable, secure multi-service authentication protocol
• (b) a three-headed guard dog of Hades, with one head for each of { past, present, future }
Source: http://en.wikipedia.org/wiki/File:RomanCerberus.JPG
Requirements
• The Goals of Kerberos:
– Secure: prevent user impersonation by
wiretapping.
– Reliability: Kerberos is designed to be a
central server. If it is not available, a
user cannot access other services.
– Transparent: users should not know
Kerberos is running in the background!
– Scalable: must be able to support large
number of clients
Kerberos V4.0
• There are 2 versions: V4.0 and V5.0.
• Understanding Kerberos is difficult. So we
will strip down the protocol and approach
the problem step by step. In network
security course (455), we will discuss this
in detail and try to understand certain
protocol implications.
• Let us start with a simple authentication
protocol.
A Conceivable, Simple Authentication Dialogue: have a central authentication server.
Let us say the client wants to check multiple emails from the Exchange server.
(1) Client sends to the Authentication Server the following information in plain text: Client-ID, Password and Identity of the Server from which the service is sought. E.g., ibarland/butterflies/Exchange Server (where "butterflies" is the password).
(2) The Authentication server then checks the client id (user name) and password and sends to the client a single “ticket”. The “ticket” contains: the IP address of the client or user name, the identity of the client, and the identity of the server (“Exchange server”).
Why are all these three pieces of information part of the ticket??
(3) Client sends to the Exchange server this ticket as proof that he/she can download email.
Can you think of any security issues with this approach?
Two problems with our simple authentication dialogue:
Problems
(1) A ticket is bound to a particular “service”. E.g., if the user wants to access two servers, Exchange and WebCT, the user will need to have two tickets.
    Why? Each ticket has the identity of the server, e.g., Exchange or WebCT.
(2) The password is being sent by the user in plain text. An attacker can easily capture this.
How would you solve these two problems?
Solving the first problem: A ticket is bound to a
particular “service”.
How about having two servers:
an authentication server (AS) which authenticates a user
and provides him/her with a "ticket-granting ticket" (TGT).
A ticket granting server (TGS), that accepts the ticket
obtained by the user from AS and provides him with
additional tickets to other servers.
The TGS does not ask for password again and again. It only asks
for the ticket provided to the user. Hence, the client (the
software) the user is running (e.g., email client) can send
the username to the server without prompting the user for
a password.
Tickets will expire (include a timestamp; requires all servers
know the current time, approximately.)
Solving the second problem: The password is being
sent by the user in plain text. An attacker can
easily capture this
Solution:
Use public private key cryptography. The user
encrypts the password using authentication
server’s public key.
A minor problem with this is added complexity of the
AS maintaining a public key storage (Key
distribution center).
Can there be a simpler way for a user to
authenticate with the Authentication Server
(AS)?
Simpler way to solve the second problem.
One solution:
How about this:
The user does not send the password to the AS. Instead, the user only sends his/her identity (username).
The AS has a list of all usernames/passwords. The AS can then read the user’s password, use that password as a secret key and encrypt the ticket with it.
It then sends it back to the user.
Now, the only way the user can read the ticket is by supplying his/her password!!!
One more problem
(1) Client -> Authentication Server: Give me a ticket to access the TGS; here’s my ID and the IP addr. of the TGS.
(2) Authentication Server -> Client: Here is the ticket to the TGS. The ticket is encrypted with your password.
(3) Client -> TGS (Ticket Granting Server): Here is the ticket I got from the AS; now give me a ticket to access the Exchange server.
This still has security vulnerabilities. Can you see what they are?
PROBLEMS: An attacker can eavesdrop and get the ticket and reuse it. Also, someone can spoof a TGS (i.e., install a fake TGS) and/or the Exchange server. How can we protect against these threats?
Solution
(i) Preventing reuse: fix a lifetime for the ticket. This is not a perfect fix though, as if the lifetime is too small, then the convenience of the TGS is lost.
(ii) Spoofing the TGS (or Exchange server): have some way to authenticate the TGS. Use a session key. Same solution for the Exchange server.
Kerberos implements both these solutions.
Kerberos Usage Diagram (1)
Figure 7-31 Access to Services and Servers in Kerberos.
Kerberos Usage Diagram (2)
Source: http://www.gutenberg.org/files/8789/8789-h/images/06-067.jpg
Kerberos Summary: Step 1: User authentication.
• Step 1: User sends their ID to the Authentication Server (AS).
  (1) User (Client) -> Authentication Server (AS): IDc ++ TS1
      The AS looks up the password Kc corresponding to username IDc.
  (2a) Authentication Server (AS) -> User (Client): E( sessionKey ++ TS2 ++ TSexpire, Kc )
Step (2a): the AS sends a ticket consisting of a session key (for future use), an updated timestamp (say TS2 = 14:10), and an expiration timestamp (say TSexpire = 15:10). It is encrypted with the user's password.
Step (2b): the AS also sends E( sessionKey ++ TS2 ++ TSexpire, KTGS ) to the Ticket-Granting Server (encrypted with a previously-arranged key).
Kerberos
Figure 7-29 Initiating a Kerberos Session.
Kerberos Summary: Step 2: Authorization to access a server
• Step 2: User uses the ticket obtained from the AS to request authorization to access a server (e.g., a mail server).
  (3) User (Client) -> Ticket Granting Server: Ticket and Id of the server (e.g., Exchange server). Also sends an authenticator: a token that is encrypted with the session key, along with an updated time stamp, say TS3 = 14:20.
  (4) Ticket Granting Server -> User (Client): sends back a ticket to access the Exchange mail server. The time stamp is again updated (say 2:30 pm). The ticket is first encrypted using a shared secret key between the TGS and the Exchange server. Then, the ticket is encrypted with the session key (remember this key was created by the AS for secure communication between the TGS and the user).
Figure 7-30 Obtaining a Ticket to Access a File.
Kerberos Summary: Step 3: Access Server with Ticket
• Step 3: User accesses the Exchange server with the ticket given to it by the TGS.
  (1) User (Client) -> Ticket Granting Server: Ticket ++ Authenticator. Also sends an authenticator: a token that is encrypted with the session key. The time stamp sent is again updated: TS4 = 14:40.
  (2) Sends back an updated time stamp, say 14:50.
The authenticator is called a nonce.
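Added example (not from the slides or Pfleeger): a simulation of the stripped-down three-step dialogue above, with timestamps as minutes since midnight (14:10 = 850), ticket expiry after the slides' one-hour lifetime, and freshness and replay checks on the authenticators, so it exercises solutions (i) and (ii) from the "One more problem" slide. One simplification is assumed: the AS hands the KTGS-encrypted ticket to the client to forward to the TGS rather than delivering it to the TGS directly; principals, keys and the toy XOR cipher are constructed for the demo and are not real Kerberos code.

```python
import hashlib
import json


def toy_crypt(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256-derived keystream (demo only)."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(x ^ y for x, y in zip(data, stream))


def seal(key: bytes, obj: dict) -> bytes:
    """E(obj, key): a checksum is prepended so the receiver can tell a wrong key."""
    plain = json.dumps(obj, sort_keys=True).encode()
    return toy_crypt(key, hashlib.sha256(plain).digest()[:8] + plain)


def unseal(key: bytes, blob: bytes) -> dict:
    """Decrypt; raises ValueError if the key is wrong or the blob was altered."""
    plain = toy_crypt(key, blob)
    if hashlib.sha256(plain[8:]).digest()[:8] != plain[:8]:
        raise ValueError("wrong key or altered ticket")
    return json.loads(plain[8:])


SKEW = 5                    # minutes of clock drift tolerated in an authenticator
LIFETIME = 60               # ticket lifetime in minutes (slides: 14:10 to 15:10)
K_TGS = b"k-tgs"            # key previously arranged between AS and TGS
K_EXCHANGE = b"k-exchange"  # key shared by the TGS and the Exchange server


def user_key(password: str) -> bytes:
    """Kc: the user's password used as a secret key (hashed to a fixed length)."""
    return hashlib.sha256(password.encode()).digest()


def check_authenticator(auth: dict, id_c: str, now: int, seen: set) -> None:
    """Reject an authenticator for another user, a stale one, or a replayed one."""
    if auth["id"] != id_c or abs(now - auth["ts"]) > SKEW:
        raise PermissionError("bad or stale authenticator")
    if (auth["id"], auth["ts"]) in seen:
        raise PermissionError("replayed authenticator")
    seen.add((auth["id"], auth["ts"]))


class AuthenticationServer:
    def __init__(self, passwords: dict):
        self.passwords = passwords  # the AS holds the username/password list

    def step1(self, id_c: str, ts1: int):
        """(1) IDc ++ TS1 in; out: (2a) E(sessionKey ++ TS2 ++ TSexpire, Kc) for the
        user and (2b) the same under KTGS (here handed to the client to forward)."""
        session_key = hashlib.sha256(f"session:{id_c}:{ts1}".encode()).hexdigest()
        body = {"id": id_c, "key": session_key, "ts": ts1, "expire": ts1 + LIFETIME}
        return seal(user_key(self.passwords[id_c]), body), seal(K_TGS, body)


class TicketGrantingServer:
    def __init__(self):
        self.seen = set()  # authenticators already accepted (replay check)

    def step2(self, tgt: bytes, server: str, authenticator: bytes, now: int) -> bytes:
        """(3) TGT ++ server id ++ authenticator in; (4) service ticket out, sealed
        first under K_EXCHANGE and then under the session key."""
        t = unseal(K_TGS, tgt)
        if now > t["expire"]:
            raise PermissionError("ticket-granting ticket expired")
        session_key = bytes.fromhex(t["key"])
        check_authenticator(unseal(session_key, authenticator), t["id"], now, self.seen)
        svc_key = hashlib.sha256(f"svc:{server}:{t['id']}:{now}".encode()).hexdigest()
        ticket = seal(K_EXCHANGE, {"id": t["id"], "key": svc_key, "expire": t["expire"]})
        return seal(session_key, {"ticket": ticket.hex(), "key": svc_key, "ts": now})


class ExchangeServer:
    def __init__(self):
        self.seen = set()

    def step3(self, ticket: bytes, authenticator: bytes, now: int) -> bytes:
        """Ticket ++ Authenticator in; E(updated timestamp, svcKey) back, which only
        a server holding K_EXCHANGE can produce (solution (ii) on the slides)."""
        t = unseal(K_EXCHANGE, ticket)
        if now > t["expire"]:
            raise PermissionError("service ticket expired")
        svc_key = bytes.fromhex(t["key"])
        check_authenticator(unseal(svc_key, authenticator), t["id"], now, self.seen)
        return seal(svc_key, {"ts": now + 1})


def login(as_, tgs, mail, id_c: str, password: str, t1: int, t3: int, t4: int) -> int:
    """The client's side of all three steps; returns the server's timestamp reply."""
    for_user, tgt = as_.step1(id_c, t1)
    s = unseal(user_key(password), for_user)  # only the right password opens (2a)
    session_key = bytes.fromhex(s["key"])
    grant = unseal(session_key, tgs.step2(tgt, "exchange", seal(session_key, {"id": id_c, "ts": t3}), t3))
    svc_key = bytes.fromhex(grant["key"])
    reply = mail.step3(bytes.fromhex(grant["ticket"]), seal(svc_key, {"id": id_c, "ts": t4}), t4)
    return unseal(svc_key, reply)["ts"]


if __name__ == "__main__":
    as_, tgs, mail = AuthenticationServer({"ibarland": "butterflies"}), TicketGrantingServer(), ExchangeServer()
    print("Exchange replied with timestamp", login(as_, tgs, mail, "ibarland", "butterflies", 840, 860, 880))
```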
Security Control: Access control.
• Firewalls are the most common
resource.
– Screen data packets from other systems
and can filter them based on:
• Source: e.g., which IP address?
• Destination: e.g., where is the packet being
sent?
• Type of service: e.g., Web service requested.
• Etc.
Figure 7-32 Layered Network Protection: Creating a perimeter security.
Security Control: Access control.
• Different types of firewalls:
– Packet filtering gateway: Examines each
individual packet and makes a decision.
– Stateful inspection: Examines a group of
packets across a period of time. (e.g., a
TCP 3-way handshake).
– Application proxies: Restricts the
network traffic out of a system.
– Personal firewalls: E.g., Windows
firewall.
Other Controls
• Honey Pots.
• Alarms and Alerts (intrusion
detection systems)