Date post: 18-Oct-2020
Page 1

Internet Security

BIT-301 Internet Methodologies

By: Inderjeet Singh

BIT-301, IM Internet Security 1

Page 2

Introduction

• Internet security is a branch of computer security specifically related to the Internet, often involving browser security but also network security at a more general level, as it applies to other applications or operating systems as a whole.

• Its objective is to establish rules and measures to use against attacks over the Internet.

• The Internet represents an insecure channel for exchanging information, leading to a high risk of intrusion or fraud, such as phishing.

Page 3

Need of Internet Security

• Identity theft

• Non-repudiation

• Establish rules and measures to use against attacks over the Internet

• High risk of intrusion or fraud, such as phishing

Page 4

What are Search Engines?

• Designed to assist you in searching through the enormous amount of information on the Web

• No single search tool has everything

• Each engine is a large database which uses different search techniques and tools (spiders or robots) to build indexes to the Internet (some also use submissions and administration)

Page 5

Which Search Engine?

• Yahoo
• Altavista
• Excite
• Google
• NorthernLights
• Hotbot
• Infoseek

Page 6

How to Choose

Consider:

• Size of the database (# of URLs)
• Currency of the database (updates)
• Search interface
• Help screens
• Search features
• Results listed (# of documents retrieved)
• Relevance of results

Page 7

More About Search Engines

• Searches for matching terms (a keyword or several keywords)

• Results “ranked” by relevancy (for some)

• Can search by
– subject or category
– keyword

• Learn about each search engine’s description, options, rules and restrictions

Page 8

GO TO

http://www.google.com/help.html

Page 9

• Searches for exact matches

• Try different versions of your search term
– Example: “Boston hotel” vs. “Boston hotels”

• Rephrase the query
– Example: “cheap plane tickets” vs. “cheap airplane tickets”

Page 10

• Automatically places “and” between words (expands search)

• To reduce the search:
– add more terms to the original search
– refine the search within the current search results (adding terms to the first words will return a subset of the original query)

• Exclude a word by using a – sign
– Example: to search for bass but not speaker: bass –speaker

• Does not support the “or” operator

• Does not support “stemming” or “wildcard” searches

• Not case sensitive

Page 11

• Explicit Phrase
– Example Search: "inbound marketing"

• Exclude Words
– Example Search: inbound marketing –advertising

• Site-Specific Search
– Example Search: "inbound marketing" site:www.smallbusinesshub.com

• Similar Words / Synonyms
– Example Search: "inbound marketing" ~professional

• Specific Document Types
– Example Search: "inbound marketing" filetype:ppt

• This OR That
– Example Search: inbound marketing OR advertising

• Phone Listing
– Example Search: phonebook:617-555-1212

Page 12

• Numeric Ranges
– Example Search: president 1940..1950

• Word Definition
– Search Example: define:plethora

• Stock (Ticker) Symbol
– Search Example: define:plethora

• Calculator
– Search Example: 48512 * 1.02

Page 13

• Finds street maps
– Just enter a U.S. street address, including zip code or city/state, into the search box
– Google recognizes the query as a map request

Try your address

Page 14

Phrase Searches and Connectors

• Phrase searches are useful when searching for famous sayings or specific names: “Gone with the Wind”

• Phrase connectors are recognized
– Hyphens
– Slashes
– Periods
– Equal signs
– Apostrophes

• Example: mother-in-law

Page 15

Stop Words

• Stop words are ignored

• These rarely help narrow a search, and slow it down
– http
– com
– certain single digits
– certain single letters

• To include stop words, use [space]+

• Example
– Star Wars, Episode 1 → Star wars episode +1
– OS/2 → OS/ +2

*** Don’t forget the space before the + and – signs

Page 16

How to Interpret Results

See Handout

Page 17

Approaches to Searching

• Basic Search
• Power Search
• Industry Search
• Investext Search
• News

Page 18

EDUC 478 Davina Pruitt-Mentle 18

“Meta” Search Tools

• Multi-threaded search engines

• Allow access to multiple databases simultaneously or via a single interface

• (-) Do not offer the same level of control over search interface and logic as individual engines

• (+) Fast

• (+) Improvements
– Results sorted by site used for search, or location of Website
– Able to select search engines to include
– Ability to modify results

Page 19

Popular Meta-Search Engines

• Dogpile
• Metacrawler
• Profusion
• SavvySearch

Page 20

Subject-Specific Search Engines

• Do not index the entire web

• Focus on specific Websites/pages within a defined subject area, geographical area, or type of resource

• Specialized search: depth rather than breadth

Page 21

Selected Subject-Specific Engines

Companies
• Companies Online (http://www.companiesonline.com/)
• Hoover's Online (http://www.hoovers.com/)
• Wall Street Research Net (http://www.wsrn.com/)

People (E-mail and Phone)
• Bigfoot (http://bigfoot.com/)
• WhoWhere? (http://www.whowhere.lycos.com)
• Yahoo! People Search (http://people.yahoo.com/)
• Switchboard.Com (http://www.switchboard.com)

Page 22

Selected Subject-Specific Engines

Images
• The Amazing Picture Machine (http://www.ncrtec.org/picture.htm)
• Lycos Image Gallery (http://www.lycos.com/picturethis/)
• WebSeek (http://disney.ctr.columbia.edu/webseek/)
• Yahoo! Image Surfer (http://ipix.yahoo.com/)

Page 23

Selected Subject-Specific Engines

Jobs
• Hotjobs.com (http://www.hotjobs.com/)
• Monster.com (http://www.monster.com/)
• The Riley Guide (http://www.rileyguide.com/)

Games
• CNET Gamecenter.com (http://www.gamecenter.com/)
• Games Domain (http://www.gamesdomain.com/)
• Gamesmania (http://www.gamesmania.com/)
• GameSpot (http://www.gamespot.com/)

Page 24

Selected Subject-Specific Engines

Software
• Jumbo (http://www.jumbo.com)
• Shareware.com (http://www.shareware.com)
• ZDNet Downloads (http://www.zdnet.com/downloads/)

Health/Medicine
• Achoo (http://www.achoo.com/)
• BioMedNet (http://www.bmn.com/)
• Combined Health Information Database (http://chid.nih.gov/)
• Mayo Clinic Health Oasis (http://www.mayohealth.org/)
• Medical World Search (http://www.mwsearch.com/)
• OnHealth (http://www.onhealth.com)

Page 25

Selected Subject-Specific Engines

Education/Children's Sites
• AOL NetFind Kids Only (http://www.aol.com/netfind/kids/)
• Blue Web'n (http://www.kn.pacbell.com/wired/bluewebn/)
• Education World (http://www.education-world.com/)
• Kid Info (http://www.kidinfo.com/)
• Kids Domain (http://www.kidsdomain.com)
• KidsClick! (http://sunsite.berkeley.edu/KidsClick!/)
• Yahooligans! (http://www.yahooligans.com)

Page 26

Subject Directories

• Hierarchically organized indexes of subject categories

• Users can browse through lists of Websites by subject in search of relevant information

• Maintained by humans

• May include a search engine for searching their own database

Page 27

Examples of Subject Directories

• INFOMINE (Academic Scholarly Subject Directory, http://infomine.ucr.edu/)
• LookSmart
• Lycos
• Magellan (http://www.magellan.excite.com/)
• Open Directory (http://www.dmoz.org/)
• Yahoo

Many of these have aspects of both search engine and directory.

Page 28

Cryptography

Page 29

Summary

• Symmetric Encryption
• Public Encryption
• Digital Signature
• Key Distribution

Page 30

Basic Terminology

• plaintext - the original message
• ciphertext - the coded message
• cipher - algorithm for transforming plaintext to ciphertext
• key - info used in the cipher, known only to sender/receiver
• encipher (encrypt) - converting plaintext to ciphertext
• decipher (decrypt) - recovering plaintext from ciphertext
• cryptography - study of encryption principles/methods
• cryptanalysis (codebreaking) - the study of principles/methods of deciphering ciphertext without knowing the key
• cryptology - the field of both cryptography and cryptanalysis

Page 31

The language of cryptography

• symmetric key crypto: sender and receiver keys identical
• public-key crypto: encryption key public, decryption key secret (private)

[Figure: plaintext → encryption algorithm (Alice’s encryption key K_A) → ciphertext → decryption algorithm (Bob’s decryption key K_B) → plaintext]

Page 32

Symmetric Encryption

• or conventional / secret-key / single-key
• sender and recipient share a common key
• all classical encryption algorithms are private-key
• was the only type prior to the invention of public-key in the 1970’s

Page 33

Symmetric Cipher Model

Page 34

Symmetric Key Cryptography

symmetric key crypto: Bob and Alice share (know) the same (symmetric) key, K_A-B

• e.g., the key is knowing the substitution pattern in a mono-alphabetic substitution cipher

[Figure: plaintext message m → encryption algorithm (K_A-B) → ciphertext K_A-B(m) → decryption algorithm (K_A-B) → plaintext m = K_A-B(K_A-B(m))]

Page 35

Requirements

• two requirements for secure use of symmetric encryption:
– a strong encryption algorithm
– a secret key known only to sender/receiver

Y = E_K(X)
X = D_K(Y)

• assume the encryption algorithm is known
• implies a secure channel to distribute the key

Page 36

Cryptography

• can characterize by:
– type of encryption operations used
  • substitution / transposition / product
– number of keys used
  • single-key or private / two-key or public
– way in which plaintext is processed
  • block / stream
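The model of slides 34 to 36 carried through in Python, as an added example that is not part of the lecture: a mono-alphabetic substitution cipher whose key K is the substitution pattern, E_K and D_K as on slide 35, and the key-less frequency attack that slide 30 calls cryptanalysis. The sample message, seed and frequency ordering are constructed values.

```python
"""Mono-alphabetic substitution cipher as a symmetric cipher: the shared key K is a
secret permutation of the alphabet, Y = E_K(X) applies it, X = D_K(Y) applies the inverse.
The last function is the cryptanalyst's view: recovering plaintext with no key at all."""
import random
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

# Rough ordering of English letters from most to least frequent (constructed
# approximation of the standard frequency table; the attack only needs an ordering).
ENGLISH_BY_FREQUENCY = "ETAOINSHRDLCUMWFGYPBVKJXQZ"


def generate_key(seed: int) -> str:
    """The key K: a permutation of the 26 letters, derived here from a fixed seed so the
    example is reproducible (a real key would come from a CSPRNG and a secure channel)."""
    letters = list(ALPHABET)
    random.Random(seed).shuffle(letters)
    return "".join(letters)


def encrypt(key: str, plaintext: str) -> str:
    """Y = E_K(X): replace each letter by its image under the permutation.
    Characters outside the alphabet (spaces, punctuation) are left unchanged."""
    return plaintext.upper().translate(str.maketrans(ALPHABET, key))


def decrypt(key: str, ciphertext: str) -> str:
    """X = D_K(Y): apply the inverse permutation, so D_K(E_K(X)) == X."""
    return ciphertext.translate(str.maketrans(key, ALPHABET))


def frequency_guess(ciphertext: str) -> str:
    """Cryptanalysis without the key (slide 30): a substitution cipher preserves letter
    frequencies, so the most common ciphertext letter is probably 'E', the next 'T', ...
    This is why 'a strong encryption algorithm' is the first requirement on slide 35:
    a secret key alone does not help when the algorithm leaks plaintext statistics."""
    counts = Counter(c for c in ciphertext if c in ALPHABET)
    ranked = "".join(c for c, _ in counts.most_common())
    ranked += "".join(c for c in ALPHABET if c not in ranked)  # unseen letters, any order
    return ciphertext.translate(str.maketrans(ranked, ENGLISH_BY_FREQUENCY))


def recovery_rate(guess: str, plaintext: str) -> float:
    """Fraction of letter positions the key-less guess recovered correctly."""
    pairs = [(g, p) for g, p in zip(guess, plaintext.upper()) if p in ALPHABET]
    return sum(g == p for g, p in pairs) / len(pairs)


# Constructed sample message; 'E' (14 times) and 'T' (11 times) dominate, as in
# ordinary English, which is exactly what the frequency attack exploits.
SAMPLE = "THE ENEMY KNOWS THE SYSTEM EXCEPT THE KEY. ATTACK AT DAWN. WE MEET AT THE OLD BRIDGE."


def demo() -> dict:
    key = generate_key(seed=2024)
    ct = encrypt(key, SAMPLE)
    guess = frequency_guess(ct)
    return {
        "round_trip": decrypt(key, ct) == SAMPLE,
        "ciphertext": ct,
        "guess": guess,
        "recovered_without_key": recovery_rate(guess, SAMPLE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On a message this short the frequency guess only pins down the dominant letters, but it already exposes the structure of the plaintext, which is the whole weakness of the scheme.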

Page 37

Summary

• Symmetric encryption
• Public encryption
• Digital Signature
• Key distribution

Page 38

Private-Key Cryptography

• traditional private/secret/single key cryptography uses one key
• shared by both sender and receiver
• if this key is disclosed, communications are compromised
• also is symmetric: parties are equal
• hence does not protect the sender from the receiver forging a message and claiming it was sent by the sender

Page 39

Public-Key Cryptography

• probably the most significant advance in the 3000 year history of cryptography
• uses two keys, a public and a private key
• asymmetric since parties are not equal
• uses a clever application of number theoretic concepts to function
• complements rather than replaces private key crypto

Page 40

Public-Key Cryptography

• public-key/two-key/asymmetric cryptography involves the use of two keys:
– a public key, which may be known by anybody, and can be used to encrypt messages and verify signatures
– a private key, known only to the recipient, used to decrypt messages and sign (create) signatures

• is asymmetric because
– those who encrypt messages or verify signatures cannot decrypt messages or create signatures

Page 41

Public-Key Cryptography

Page 42

Public-Key Characteristics

• Public-key algorithms rely on two keys with the characteristics that it is:
– computationally infeasible to find the decryption key knowing only the algorithm and the encryption key
– computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known
– either of the two related keys can be used for encryption, with the other used for decryption (in some schemes)

Page 43

Public-Key Cryptosystems

Page 44

Public-Key Applications

• can classify uses into 3 categories:
– encryption/decryption (provide secrecy)
– digital signatures (provide authentication)
– key exchange (of session keys)

• some algorithms are suitable for all uses, others are specific to one

Page 45

Security of Public Key Schemes

• like private key schemes, a brute force exhaustive search attack is always theoretically possible
• but the keys used are too large (>512 bits)
• security relies on a large enough difference in difficulty between easy (en/decrypt) and hard (cryptanalysis) problems
• more generally the hard problem is known, it’s just made too hard to do in practice
• requires the use of very large numbers
• hence is slow compared to secret key schemes

Page 46

Summary

• Symmetric encryption
• Public encryption
• Digital Signature
• Key distribution

Page 47

Digital Signatures

Cryptographic technique analogous to hand-written signatures.

• sender (Bob) digitally signs a document, establishing he is the document owner/creator.
• verifiable, nonforgeable: recipient (Alice) can prove to someone that Bob, and no one else (including Alice), must have signed the document

Page 48

Digital Signatures

Simple digital signature for message m:

• Bob signs m by encrypting with his private key K_B^-, creating the “signed” message K_B^-(m)

[Figure: Bob’s message m (“Dear Alice, Oh, how I have missed you. I think of you all the time! …(blah blah blah) Bob”) → public key encryption algorithm with Bob’s private key K_B^- → K_B^-(m), Bob’s message m signed (encrypted) with his private key]

Page 49

Digital Signatures (more)

• Suppose Alice receives msg m and digital signature K_B^-(m)

• Alice verifies that m was signed by Bob by applying Bob’s public key K_B^+ to K_B^-(m), then checks K_B^+(K_B^-(m)) = m.

• If K_B^+(K_B^-(m)) = m, whoever signed m must have used Bob’s private key.

Alice thus verifies that: Bob signed m. No one else signed m. Bob signed m and not m’.

Non-repudiation: Alice can take m and the signature K_B^-(m) to court and prove that Bob signed m.

Page 50

Digital signature = signed message digest

Bob sends digitally signed message:

[Figure: large message m → H: hash function → H(m) → digital signature (encrypt) with Bob’s private key K_B^- → K_B^-(H(m)), encrypted msg digest]

Alice verifies signature and integrity of digitally signed message:

[Figure: K_B^-(H(m)), encrypted msg digest → digital signature (decrypt) with Bob’s public key K_B^+ → H(m); large message m → H: hash function → H(m); equal?]

Page 51

Summary

• Symmetric encryption
• Public encryption
• Digital Signature
• Key distribution

Page 52

Key Distribution

• symmetric schemes require both parties to share a common secret key
• the issue is how to securely distribute this key
• often a secure system fails due to a break in the key distribution scheme

Page 53

Key Distribution

• given parties A and B have various key distribution alternatives:

1. A can select a key and physically deliver it to B
2. a third party can select and deliver the key to A and B
3. if A and B have communicated previously, they can use the previous key to encrypt a new key
4. if A and B have secure communications with a third party C, C can relay the key between A and B

Page 54

Trusted Intermediaries

Symmetric key problem:
• How do two entities establish a shared secret key over the network?

Solution:
• trusted key distribution center (KDC) acting as intermediary between entities

Public key problem:
• When Alice obtains Bob’s public key (from web site, e-mail, diskette), how does she know it is Bob’s public key, not Trudy’s?

Solution:
• trusted certification authority (CA)

Page 55

Key Distribution Center (KDC)

• Alice, Bob need a shared symmetric key.
• KDC: server shares a different secret key with each registered user (many users)
• Alice, Bob know their own symmetric keys, K_A-KDC and K_B-KDC, for communicating with the KDC.

[Figure: KDC holding one key per registered user (K_A-KDC, K_B-KDC, K_P-KDC, K_X-KDC, K_Y-KDC, K_Z-KDC); Alice holds K_A-KDC, Bob holds K_B-KDC, P holds K_P-KDC]

Page 56

Key Distribution Center (KDC)

Q: How does the KDC allow Bob and Alice to determine a shared symmetric secret key to communicate with each other?

[Figure: Alice → KDC: K_A-KDC(A,B); KDC generates R1; KDC → Alice: K_A-KDC(R1, K_B-KDC(A,R1)); Alice knows R1; Alice → Bob: K_B-KDC(A,R1); Bob knows to use R1 to communicate with Alice]

Alice and Bob communicate using R1 as the session key for shared symmetric encryption
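The slide 56 exchange run end to end in Python, as an added example rather than the lecture’s own material; the authenticated-encryption helper is a stand-in for a real cipher such as AES-GCM, and the principal names and messages are constructed.

```python
"""The KDC exchange of slide 56, simulated end to end. Alice and Bob each share a
long-term key with the KDC (K_A-KDC, K_B-KDC); the KDC mints a session key R1.
The toy authenticated encryption below (SHA-256 keystream + HMAC tag) stands in
for a real cipher such as AES-GCM so the example runs on the standard library."""
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """K(x) on the slide: returns nonce || ciphertext || tag; the tag binds nonce and
    ciphertext so a modified or re-keyed message is rejected rather than misdecrypted."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Holds one long-term key per registered user (slide 55) and issues session keys."""

    def __init__(self):
        self.keys = {}

    def register(self, name: str) -> bytes:
        self.keys[name] = os.urandom(32)
        return self.keys[name]

    def request(self, sender: str, blob: bytes) -> bytes:
        # Message 1, K_A-KDC(A, B): only a holder of K_A-KDC can produce a valid tag,
        # so the cleartext 'sender' hint is only used to pick the key, not trusted.
        a, b = json.loads(decrypt(self.keys[sender], blob))
        if a != sender or b not in self.keys:
            raise ValueError("unknown or inconsistent principal")
        r1 = os.urandom(32)  # fresh session key R1
        ticket = encrypt(self.keys[b], json.dumps([a, r1.hex()]).encode())  # K_B-KDC(A, R1)
        # Message 2, K_A-KDC(R1, K_B-KDC(A, R1)): Alice can read R1 but not the ticket
        return encrypt(self.keys[a], json.dumps([r1.hex(), ticket.hex()]).encode())


def _rejects(key: bytes, blob: bytes) -> bool:
    try:
        decrypt(key, blob)
    except ValueError:
        return True
    return False


def run_exchange() -> dict:
    kdc = KDC()
    k_a_kdc, k_b_kdc = kdc.register("Alice"), kdc.register("Bob")

    reply = kdc.request("Alice", encrypt(k_a_kdc, json.dumps(["Alice", "Bob"]).encode()))
    r1_hex, ticket_hex = json.loads(decrypt(k_a_kdc, reply))
    alice_r1, ticket = bytes.fromhex(r1_hex), bytes.fromhex(ticket_hex)

    # Alice forwards the ticket unchanged; Bob opens it with K_B-KDC and learns (A, R1).
    peer, bob_r1_hex = json.loads(decrypt(k_b_kdc, ticket))
    bob_r1 = bytes.fromhex(bob_r1_hex)

    # Alice and Bob now communicate with R1 as the shared symmetric session key.
    received = decrypt(bob_r1, encrypt(alice_r1, b"hello Bob, this is Alice"))

    # Failure modes a defender cares about: a bit-flipped ticket and an outsider's key.
    flipped = ticket[:NONCE_LEN] + bytes([ticket[NONCE_LEN] ^ 1]) + ticket[NONCE_LEN + 1:]
    tamper_detected = _rejects(k_b_kdc, flipped)
    outsider_blocked = _rejects(os.urandom(32), ticket)  # Trudy shares no key with the KDC

    return {"peer": peer, "session_keys_match": alice_r1 == bob_r1, "received": received,
            "tamper_detected": tamper_detected, "outsider_blocked": outsider_blocked}


if __name__ == "__main__":
    print(run_exchange())
```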

Page 57

Key Management (public)

• public-key encryption helps address key distribution problems
• have two aspects of this:
– distribution of public keys
– use of public-key encryption to distribute secret keys

Page 58

Distribution of Public Keys

• can be considered as using one of:
– Public announcement
– Publicly available directory
– Public-key authority
– Public-key certificates

Page 59

Public Announcement

• users distribute public keys to recipients or broadcast to the community at large
– e.g. append PGP keys to email messages, or post to news groups or email lists

• major weakness is forgery
– anyone can create a key claiming to be someone else and broadcast it
– until the forgery is discovered, can masquerade as the claimed user

Page 60

Certification Authorities

• Certification authority (CA): binds a public key to a particular entity, E.
• E (person, router) registers its public key with the CA.
– E provides “proof of identity” to the CA.
– CA creates a certificate binding E to its public key.
– the certificate containing E’s public key is digitally signed by the CA; the CA says “this is E’s public key”

[Figure: Bob’s public key K_B^+ and Bob’s identifying information → digital signature (encrypt) with CA private key K_CA^- → certificate for Bob’s public key K_B^+, signed by CA]

Page 61

Certification Authorities

• When Alice wants Bob’s public key:
– gets Bob’s certificate (from Bob or elsewhere).
– applies the CA’s public key to Bob’s certificate, gets Bob’s public key

[Figure: certificate → digital signature (decrypt) with CA public key K_CA^+ → Bob’s public key K_B^+]

Page 62

A certificate contains:
• Serial number (unique to issuer)
• info about the certificate owner, including algorithm and the key value itself (not shown)
• info about the certificate issuer
• valid dates
• digital signature by issuer
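Slides 50 and 60 to 62 implemented together in Python with textbook RSA, as an added example and not the lecture’s code: the signed message digest, the CA-signed certificate binding Bob to K_B^+, and Alice’s checks (the “equal?” comparison and applying K_CA^+). The primes, serial number, dates and issuer name are constructed values.

```python
"""Signed message digest (slide 50) and CA-issued certificate (slides 60-62) with
textbook RSA on small constructed primes so every value is inspectable. Real systems use
2048-bit-plus keys, padded hashes (PSS / PKCS#1) and X.509 encoding; the flow is the same."""
import hashlib
import json


def make_keypair(p: int, q: int, e: int = 65537):
    """Public key (n, e), private key (n, d) with e*d = 1 mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def digest(message: bytes, n: int) -> int:
    """H(m) as an integer below the modulus (reduced mod n only because the toy n is
    smaller than a SHA-256 output; real schemes pad instead)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message: bytes) -> int:
    """K_B^-(H(m)): the digest 'encrypted' with the private exponent."""
    n, d = private
    return pow(digest(message, n), d, n)


def verify(public, message: bytes, signature: int) -> bool:
    """Apply K_B^+ to the signature and compare with a freshly computed H(m) (the
    'equal?' box on slide 50). A changed m, or a different signer, fails here."""
    n, e = public
    return pow(signature, e, n) == digest(message, n)


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_private, serial: int, subject: str, subject_public,
                      not_before: str, not_after: str) -> dict:
    """The CA binds identity to key and signs the binding: the fields listed on slide 62."""
    body = {"serial": serial, "subject": subject, "public_key": list(subject_public),
            "issuer": "Example CA", "not_before": not_before, "not_after": not_after}
    return {"body": body, "signature": sign(ca_private, _canonical(body))}


def key_from_certificate(cert: dict, ca_public, subject: str, today: str):
    """Slide 61: Alice applies K_CA^+ to the certificate; only then does she trust
    the enclosed public key as the subject's. Returns None when any check fails."""
    body = cert["body"]
    if not verify(ca_public, _canonical(body), cert["signature"]):
        return None  # not signed by this CA, or modified after signing
    if body["subject"] != subject or not body["not_before"] <= today <= body["not_after"]:
        return None  # wrong entity, or outside the validity dates
    return tuple(body["public_key"])


# Constructed primes (each pair has gcd(e, phi) = 1); a real CA would never use values this small.
CA_PUB, CA_PRIV = make_keypair(2147483647, 1000000009)
BOB_PUB, BOB_PRIV = make_keypair(1000000007, 998244353)
TRUDY_PUB, TRUDY_PRIV = make_keypair(4294967291, 4294967311)


def demo(today: str = "2024-06-01") -> dict:
    bob_cert = issue_certificate(CA_PRIV, 1001, "Bob", BOB_PUB, "2024-01-01", "2025-01-01")
    m = b"Dear Alice, ..."
    sig = sign(BOB_PRIV, m)

    # Alice: certificate -> Bob's key -> verify the signed digest.
    bob_key = key_from_certificate(bob_cert, CA_PUB, "Bob", today)

    # Trudy's attempts: a certificate for "Bob" signed by herself, and Bob's real
    # certificate with the key swapped for hers but the CA signature left in place.
    forged = issue_certificate(TRUDY_PRIV, 1001, "Bob", TRUDY_PUB, "2024-01-01", "2025-01-01")
    swapped = {"body": dict(bob_cert["body"], public_key=list(TRUDY_PUB)),
               "signature": bob_cert["signature"]}

    return {
        "cert_yields_bobs_key": bob_key == BOB_PUB,
        "genuine_signature_ok": verify(bob_key, m, sig),
        "modified_message_rejected": not verify(bob_key, b"Dear Alice, ...!", sig),
        "trudy_signature_rejected": not verify(bob_key, m, sign(TRUDY_PRIV, m)),
        "forged_cert_rejected": key_from_certificate(forged, CA_PUB, "Bob", today) is None,
        "swapped_key_rejected": key_from_certificate(swapped, CA_PUB, "Bob", today) is None,
        "expired_cert_rejected": key_from_certificate(bob_cert, CA_PUB, "Bob", "2026-01-01") is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```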

Page 63: Internet Securityinderjeetsinghit/im_notes/im_theory/third_session... · – Example Search: inbound marketing OR advertising • Phone Listing – Example Search: phonebook:617-555-1212.

BIT-301, IM Internet Security

Summary

• Symmetric encryption• Public encryption• Digital Signature• Key distribution

63

Page 64: Internet Securityinderjeetsinghit/im_notes/im_theory/third_session... · – Example Search: inbound marketing OR advertising • Phone Listing – Example Search: phonebook:617-555-1212.

Firewalls

• A choke point of control and monitoring • Interconnects networks with differing trust• Imposes restrictions on network services

– only authorized traffic is allowed

• Auditing and controlling access– can implement alarms for abnormal behavior

• Itself immune to penetration• Provides perimeter defence

BIT-301, IM Internet Security 64

Page 65: Internet Securityinderjeetsinghit/im_notes/im_theory/third_session... · – Example Search: inbound marketing OR advertising • Phone Listing – Example Search: phonebook:617-555-1212.

Packet Filter Firewall

• A router with filtering capabilities
• The firewall uses packet filters (Access Control Lists, ACLs) to drop or pass traffic
• Stateful inspection
  – keeps state for every TCP/UDP flow and allows the reverse traffic
  – traffic from inside "opens" the firewall dynamically for the matching incoming traffic
• Example (ipfilter-style syntax):
  – permit out on eth0 from 77.2.3.0/24 to any proto tcp keep state
  – permit inout on eth0 proto icmp
  – deny default


• A TCP segment with the ACK flag set claims to be part of an ongoing conversation
• A segment without ACK (a bare SYN) is a connection-establishment message, which we permit only from internal hosts, so outsiders cannot open connections inward
• Caveat: a stateless filter that looks only at the ACK bit can be probed with crafted ACK-flagged packets (an "ACK scan"); stateful inspection, which checks that the flow was really opened from inside, closes that gap
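The two slides above (the three packet-filter rules and the ACK heuristic) implemented as an added example, not course code: a stateful filter that applies the slide's rules in order and creates state for outbound TCP, and a stateless ACK-only filter for comparison. The packet model, addresses and the interface name are constructed for the demo.

```python
"""Added example (not from the course): a tiny stateful packet filter that
evaluates the slide's three rules, next to the stateless ACK-bit rule.
Packets are constructed dicts; addresses are documentation ranges."""
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("77.2.3.0/24")   # protected subnet from the slide


@dataclass(frozen=True)
class Packet:
    direction: str                  # "out" (leaving eth0) or "in" (arriving)
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}


class StatefulFilter:
    def __init__(self):
        self.state = set()   # 4-tuples of flows opened from inside

    def decide(self, pkt: Packet) -> str:
        # Rule 1: permit out on eth0 from 77.2.3.0/24 to any proto tcp keep state
        if (pkt.direction == "out" and pkt.proto == "tcp"
                and ipaddress.ip_address(pkt.src) in INSIDE):
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit (rule 1, state created)"
        # Reverse traffic of a flow "opened" from inside is permitted dynamically
        if pkt.direction == "in" and pkt.proto == "tcp":
            reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if reverse in self.state:
                return "permit (reply to established flow)"
        # Rule 2: permit inout on eth0 proto icmp
        if pkt.proto == "icmp":
            return "permit (rule 2)"
        # Rule 3: deny default
        return "deny (default)"


def stateless_ack_decide(pkt: Packet) -> str:
    """The older approach: inbound TCP is accepted only when ACK is set, i.e.
    when the packet *claims* to belong to an ongoing conversation."""
    if pkt.proto == "tcp" and pkt.direction == "in":
        return "permit (ACK set)" if "ACK" in pkt.flags else "deny (inbound connection attempt)"
    if pkt.proto == "icmp" or (pkt.proto == "tcp" and pkt.direction == "out"
                               and ipaddress.ip_address(pkt.src) in INSIDE):
        return "permit"
    return "deny (default)"


def demo():
    fw = StatefulFilter()
    syn_out = Packet("out", "tcp", "77.2.3.10", "198.51.100.5", 40000, 443, frozenset({"SYN"}))
    synack_in = Packet("in", "tcp", "198.51.100.5", "77.2.3.10", 443, 40000, frozenset({"SYN", "ACK"}))
    syn_in = Packet("in", "tcp", "203.0.113.9", "77.2.3.10", 5555, 22, frozenset({"SYN"}))
    ack_probe = Packet("in", "tcp", "203.0.113.9", "77.2.3.10", 5555, 22, frozenset({"ACK"}))
    ping_in = Packet("in", "icmp", "203.0.113.9", "77.2.3.10")
    udp_in = Packet("in", "udp", "203.0.113.9", "77.2.3.10", 53, 53)
    return {
        "syn_out": fw.decide(syn_out),               # inside opens a flow
        "synack_in": fw.decide(synack_in),           # matching reply: allowed
        "syn_in": fw.decide(syn_in),                 # outsider connecting in
        "ack_probe_stateful": fw.decide(ack_probe),  # no state: denied
        "ack_probe_stateless": stateless_ack_decide(ack_probe),  # fooled
        "ping_in": fw.decide(ping_in),
        "udp_in": fw.decide(udp_in),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The crafted ACK probe is the difference between the two designs: the stateless rule lets it through because the bit is set, the stateful filter drops it because no inside host ever opened that flow.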


Security & Performance of Packet Filters

• Tiny fragment attacks
  – split the TCP header information over several tiny IP fragments, so the filter never sees the ports or flags in the fragment it inspects
  – either discard such fragments or reassemble the datagram before checking
• Performance degradation depends on the number of rules applied at any point
• Order rules so that the most common traffic is dealt with first
• Correctness is more important than speed
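The tiny fragment defence spelled out as an added example rather than course code: the per-fragment rules of RFC 1858 (the "discard" option) and a small reassembler (the "reassemble before check" option). The TCP segment and the fragment sizes are constructed for the demo.

```python
"""Added example, not from the course: RFC 1858 handling of tiny fragments,
plus a minimal reassembler for the "reassemble before check" alternative.
All packet data below is constructed for the demo."""
import struct
from dataclasses import dataclass

# Bytes of TCP header a first fragment must carry so ports AND flags are
# visible; RFC 1858 suggests 16 for TCP since the flags live in byte 13.
TCP_MIN_BYTES = 16
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
                 "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


@dataclass(frozen=True)
class Fragment:
    ident: int        # IP identification, shared by all fragments of a datagram
    offset: int       # fragment offset, in 8-byte units
    more: bool        # MF flag: more fragments follow
    payload_len: int  # transport bytes in this fragment (IP header excluded)


def tiny_fragment_verdict(frag: Fragment) -> str:
    """Per-fragment rules from RFC 1858.
    Direct rule:   a first fragment too small to hold the TCP header is
                   dropped, otherwise ports/flags are invisible to the filter.
    Indirect rule: a fragment with offset 1 would overwrite bytes 8..15 of
                   the first fragment (including the flags) on reassembly,
                   so it is dropped regardless of content."""
    if frag.offset == 0 and frag.payload_len < TCP_MIN_BYTES:
        return "drop (tiny first fragment hides TCP header)"
    if frag.offset == 1:
        return "drop (offset-1 fragment could overwrite TCP flags)"
    return "pass to rule check"


class Reassembler:
    """Alternative: hold fragments per IP identification until the datagram
    is complete, then hand the whole transport header to the rule check."""

    def __init__(self):
        self.pending = {}   # ident -> {"parts": {byte_offset: data}, "final": bool}

    def add(self, frag: Fragment, data: bytes):
        entry = self.pending.setdefault(frag.ident, {"parts": {}, "final": False})
        entry["parts"][frag.offset * 8] = data
        if not frag.more:
            entry["final"] = True
        if not entry["final"]:
            return None                        # last fragment not seen yet
        buf, cursor = b"", 0
        for off in sorted(entry["parts"]):
            if off > cursor:
                return None                    # gap: still incomplete
            if off < cursor:                   # overlap: treat as an attack
                del self.pending[frag.ident]
                raise ValueError("overlapping fragments")
            buf += entry["parts"][off]
            cursor += len(entry["parts"][off])
        del self.pending[frag.ident]
        return buf


def tcp_flags(segment: bytes) -> set:
    """Flag names set in a (reassembled) TCP header."""
    return {name for name, bit in TCP_FLAG_BITS.items() if segment[13] & bit}


def demo():
    # A bare SYN to port 22 (20-byte header, no options), split so the first
    # fragment carries only the ports and the flags arrive in fragment 2.
    header = struct.pack("!HHIIBBHHH", 5555, 22, 0, 0, 0x50, 0x02, 8192, 0, 0)
    first = Fragment(ident=7, offset=0, more=True, payload_len=8)
    second = Fragment(ident=7, offset=1, more=False, payload_len=12)
    per_fragment = [tiny_fragment_verdict(first), tiny_fragment_verdict(second)]
    r = Reassembler()
    early = r.add(second, header[8:])   # arrives first: None, still incomplete
    whole = r.add(first, header[:8])    # now complete: full header returned
    return per_fragment, early, tcp_flags(whole)


if __name__ == "__main__":
    print(demo())
```

Both fragments of the split SYN are rejected by the per-fragment rules, and the reassembly path recovers the SYN flag that the attacker tried to hide, so the ordinary "no inbound SYN" rule can then be applied.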



Proxy firewall / Application-level gateway

• The firewall runs a set of proxy programs
  – proxies filter incoming and outgoing traffic
  – all incoming traffic is directed to the firewall
  – all outgoing traffic appears to come from the firewall
• Policy is embedded in the proxy programs
• Two kinds of proxies
  – application-level gateways/proxies: tailored to one protocol (HTTP, FTP, SMTP, etc.)
  – circuit-level gateways/proxies: work at the TCP level, relaying connections without understanding the application protocol

[Figure: proxy firewall / application-level gateway]


Demilitarized Zone

• In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger, untrusted network, usually the Internet.
• The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external node has direct access only to equipment in the DMZ, not to any other part of the network. This gives two levels of defence, i.e. defence in depth.
• If a server in the DMZ is attacked, the intranet is still protected (the attacker must still get through the inner firewall)
• Can be combined with application proxies

[Figure: demilitarized zone]


Application-Level Filtering

• Has full access to the protocol
  – user requests a service from the proxy
  – proxy validates that the request is legal
  – then performs the request and returns the result to the user
• Needs a separate proxy for each service
  – e.g. SMTP (e-mail), NNTP (Net news), DNS (Domain Name System), NTP (Network Time Protocol)
  – custom services are generally not supported
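The "proxy validates request as legal" step for one service, SMTP, as an added example for this slide and the proxy-firewall slide before it; it is not course code. The policy (which commands are relayed, which inside domains may receive mail) is an assumption made for the demo, and the client lines are constructed.

```python
"""Added example, not from the course: request validation inside an
application-level SMTP proxy. The proxy understands just enough SMTP to
relay legal commands and answer the rest itself. Policy and client lines
below are constructed for the demo."""
import re

MAX_LINE = 512   # RFC 5321 limit for a command line, CRLF included
# Assumed policy: commands the proxy will relay to the real mail server ...
ALLOWED = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
# ... and commands it refuses even if the inside server supports them
# (address harvesting / relay control).
BLOCKED = {"VRFY", "EXPN", "TURN", "ETRN"}
MAIL_RE = re.compile(r"^MAIL FROM:<([^<>\s]*)>(?:\s+[A-Za-z0-9=\-]+)*$", re.I)
RCPT_RE = re.compile(r"^RCPT TO:<([^<>\s]+)>$", re.I)


def validate_command(line: str, inside_domains: set) -> tuple:
    """Decide whether one client command line is legal under the policy.
    Returns ("relay", canonical_line) or ("reject", smtp_reply)."""
    body = line.rstrip("\r\n")
    if len(line) > MAX_LINE or any(not 32 <= ord(c) < 127 for c in body):
        return "reject", "500 5.5.2 Line too long or contains illegal characters"
    verb = body.split(" ", 1)[0].split(":", 1)[0].upper()
    if verb in BLOCKED:
        return "reject", "502 5.5.1 Command not permitted through this gateway"
    if verb not in ALLOWED:
        return "reject", "500 5.5.2 Command not recognised"
    if verb == "MAIL" and not MAIL_RE.match(body):
        return "reject", "501 5.5.4 Syntax error in MAIL FROM"
    if verb == "RCPT":
        m = RCPT_RE.match(body)
        if not m:
            return "reject", "501 5.5.4 Syntax error in RCPT TO"
        domain = m.group(1).rpartition("@")[2].lower()
        if domain not in inside_domains:      # inbound proxy: never an open relay
            return "reject", "550 5.7.1 Relaying denied"
    return "relay", body


def proxy_session(client_lines, inside_domains):
    """Run each line through validation. Only 'relay' lines would be forwarded
    to the real server; 'reject' lines are answered by the proxy itself."""
    return [validate_command(line, inside_domains)[0] for line in client_lines]


def demo():
    lines = [
        "EHLO mail.example.org\r\n",
        "MAIL FROM:<alice@example.org>\r\n",
        "RCPT TO:<bob@corp.example>\r\n",
        "VRFY root\r\n",                          # blocked by policy
        "RCPT TO:<victim@elsewhere.test>\r\n",    # would make us an open relay
        "XFOO bar\r\n",                           # unknown command
        "A" * 600 + "\r\n",                       # overlong line
        "DATA\r\n",
    ]
    return proxy_session(lines, inside_domains={"corp.example"})


if __name__ == "__main__":
    print(demo())
```

A real proxy is also stateful at the protocol level: after a relayed DATA it must treat subsequent lines as message content until the terminating "." line, not as commands. That state machine is exactly what the slide means by the proxy having "full access to the protocol".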


App-level Firewall Architecture

[Figure: a listening daemon on the firewall spawns the matching proxy when communication is detected on the network connection: Telnet daemon -> Telnet proxy, SMTP daemon -> SMTP proxy, FTP daemon -> FTP proxy]


Bastion Host

• A bastion host is a computer that is fully exposed to attack. In this definition it sits on the public side of the demilitarized zone (DMZ), unprotected by a firewall or filtering router (in the screened-host designs on the following slides it sits behind a screening router instead).
• Frequently the roles of these systems are critical to the network security system, so the host itself must be hardened.


Where to Deploy an App-level Firewall

Bastion host: a highly secured host system
• Potentially exposed to "hostile" elements
• Hence secured to withstand this
  – disable all non-required services; keep it simple
• Runs circuit-level / application-level gateways
  – install or modify only the services you want
• Or provides externally accessible services
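A check that goes with "disable all non-required services": an added example, not course code, that reads the kernel's socket table and reports every listener that is not on the bastion's short list of required services. The /proc/net/tcp content below is a constructed sample so the code runs anywhere; on a real Linux host the same parser is fed the contents of that file.

```python
"""Added example, not from the course: audit a bastion host's listening TCP
sockets against the services it is supposed to run, using the /proc/net/tcp
format. The table below is a constructed sample (on a real Linux host read
open("/proc/net/tcp").read() instead); the required-port set is an assumed
policy for the demo."""
import ipaddress

LISTEN_STATE = "0A"   # st column: 0A = LISTEN, 01 = ESTABLISHED

SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 100 0 0 10 0
   3: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10004 1 0000000000000000 100 0 0 10 0
   4: 0A000205:0016 C6336401:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 10005 1 0000000000000000 100 0 0 10 0
"""


def _decode(addr_hex: str):
    """/proc/net/tcp prints IPv4 as little-endian hex, the port as big-endian hex."""
    ip_hex, port_hex = addr_hex.split(":")
    ip = ipaddress.IPv4Address(int(ip_hex, 16).to_bytes(4, "little"))
    return str(ip), int(port_hex, 16)


def listening_sockets(proc_net_tcp: str):
    """Return [(local_ip, local_port)] for every socket in LISTEN state."""
    out = []
    for line in proc_net_tcp.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) >= 4 and fields[3] == LISTEN_STATE:
            out.append(_decode(fields[1]))
    return out


def audit(listeners, required_ports):
    """Bastion policy: every listener must be a required service; anything
    else is a service to disable. Required services bound only to loopback
    are reported too, so the operator can confirm that is intended."""
    findings = []
    for ip, port in listeners:
        if port not in required_ports:
            findings.append((port, ip, "DISABLE: not a required service"))
        elif ip == "127.0.0.1":
            findings.append((port, ip, "OK: required, local only"))
        else:
            findings.append((port, ip, "OK: required, exposed"))
    return findings


def demo():
    # Assumed policy: this bastion exists to run SSH (22) and an SMTP relay (25).
    return audit(listening_sockets(SAMPLE_PROC_NET_TCP), required_ports={22, 25})


if __name__ == "__main__":
    for port, ip, verdict in demo():
        print(f"{ip}:{port:<5d} {verdict}")
```

In the sample, rpcbind (111) and telnet (23) are listening on all interfaces and get flagged; the established SSH session on row 4 is not a listener and is ignored.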


Screened Host Architecture

• The screened host firewall combines a packet-filtering router with an application gateway located on the protected subnet side of the router.
• The application gateway needs only one network interface. Its proxy services pass TELNET, FTP and other services for which proxies exist to the site systems. The router filters or screens inherently dangerous protocols so that they never reach the application gateway or the site systems.
• The router rejects (or accepts) application traffic according to the following rules:
  – application traffic from Internet sites to the application gateway gets routed,
  – all other traffic from Internet sites gets rejected, and
  – application traffic originating from the inside is rejected unless it came from the application gateway.

[Figure: screened host architecture]


Screened Subnet using Two Routers

• The outer router restricts Internet access to specific systems on the screened subnet, and blocks all other traffic to the Internet originating from systems that should not be originating connections (such as the modem pool, the information server and site systems).
• The inner router passes traffic to and from systems on the screened subnet according to the following rules:
  – application traffic from the application gateway to site systems gets routed,
  – e-mail traffic from the e-mail server to site systems gets routed,
  – application traffic from site systems to the application gateway gets routed,
  – e-mail traffic from site systems to the e-mail server gets routed,
  – ftp, gopher, etc. traffic from site systems to the information server gets routed,
  – all other traffic gets rejected.

[Figure: screened subnet using two routers]


Firewall Design Criteria

• There is no absolute security
  – it is always a question of economics: the cost of the defence against the value of what it protects
• Defence in depth
  – place several independent barriers (e.g. firewalls) in series, so that one failure does not expose everything
• Weakest link
  – the strength of your security system is bounded by the weakness of its weakest link
• Least privilege
  – give the smallest amount of privilege possible
• Fail safe
  – even if everything goes wrong, the security system must not leave a hole: a failing component should fail closed (block) rather than open (permit)
• Keep it simple!

