Network Security - cse.tkk.fi

Posted: 27-Jun-2020

Nixu Oy
PL 21 (Mäkelänkatu 91)
00601 Helsinki, Finland
tel. +358 9 478 1011
fax. +358 9 478 1030
[email protected]
http://www.nixu.fi
Internet solutions

Network Security

Copyright © 2000 Nixu Oy

Contents

• Why security?

• Basic information security concepts

• Threats in network environment

• Solutions
— Security perimeter
— Firewalls
— Intrusion detection
— Cryptography


What is Information Security?

• Organizations and individuals have information, which has value

• This value must be protected against threats
— Protection causes costs

• Computer and network threats are only one part of all threats
— Physical threats
— Logical threats


Terms of Data Security

• Confidentiality (We keep our secrets)

• Integrity (Nobody changes our data)

• Availability (We have access to our data)

• Authentication (We recognize another entity on the network)

• Non-repudiation (We can prove that something happened)

• Authorization (We control access to our data)


Different Kinds of Threats

• Physical breakdowns

• Operating mistakes

• Planning mistakes

• Intentional attacks for fun and profit

• Own personnel is usually considered the largest security threat


Typical Network Threats

• Eavesdropping
— Easy on most LANs with physical access to the media
— More difficult on backbone networks

• Break-ins
— The network is a two-way medium
— Scripted tools make exploiting known faults easier
— Access to the computer can be used to access the data on the computer or to use the computer as a base for further attacks

• Connection capture
— TCP connections can be captured and used (software is available)

• Replay


More Network Threats

• Denial of service
— Overloading a server
— Faulty data packets

• Impersonation
— Fake e-mail
— IP address forgery (IP spoofing)

• Masquerade and man in the middle
— Attacker can pretend to be a service

• Compound attacks
— IP traffic can be rerouted to a different path and then eavesdropped or captured


Typical Attack from Outside

• First scan the internal network addresses for hosts and services
— Can be done in a stealthy, slow and low mode

• Then attack the targets found
— Known weaknesses, exploits
— Scripted attacks, over in less than a minute

• Get the data and run, or

• Prepare a base for further attacks
— Hide tracks
— Install a rootkit


Viruses and other Malware

• Viruses are self-replicating programs

• Trojan horses are benign-looking programs that also do something harmful

• Worms are viruses that spread over the network by themselves

• Viruses spread mostly because of users' misplaced trust and carelessness

• Modern viruses are often network aware


Solutions

• Security planning

• Personnel selection and training

• Physical security

• Technical solutions
— Host based security
— Firewalls
— Cryptographic solutions


Cost of Security

(Chart: costs on the vertical axis against level of security on the horizontal axis, with two curves labelled "Risks" and "Security solutions")


Risk Analysis

• Risk analysis is the assessment and evaluation of risks, to see what kind of protection is needed and where

• Risk analysis usually gives a rough estimate, which can still be used to direct security efforts

• A trivial example
— A hard disk holds information worth $10 000: a customer address database, which can be regenerated
— Mean lifetime of a hard disk is 4 years
— So the expected loss is $10 000 / 4 = $2 500 a year, and it makes sense to spend up to $2 500 yearly to protect the information
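The slide's arithmetic, carried one step further: the same expected-loss figure decides which countermeasure is worth buying, which is the trade-off the "Cost of Security" chart sketches. This is an added example, not from the slides; only the $10 000 and 4-year figures are the slide's, the controls and their prices are constructed.

```python
from dataclasses import dataclass
from typing import Iterable

# Added example, not from the slides. Only the slide's own figures ($10 000 of
# data, mean disk lifetime 4 years) are real; the controls and their prices are
# constructed for illustration.


@dataclass(frozen=True)
class Asset:
    name: str
    value: float                    # single loss expectancy: what one loss event costs
    mean_years_between_loss: float  # e.g. the mean lifetime of the disk it lives on

    def annual_loss_expectancy(self) -> float:
        """ALE = single loss expectancy x expected loss events per year."""
        return self.value / self.mean_years_between_loss


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_fraction: float        # share of a loss that still happens with the control in place


def annual_cost_with_control(asset: Asset, control: Control) -> float:
    """What a year costs with this control: its price plus the loss it does not prevent."""
    return control.annual_cost + asset.annual_loss_expectancy() * control.residual_fraction


def cheapest_control(asset: Asset, controls: Iterable[Control]) -> Control:
    """Pick the control with the lowest (price + residual expected loss).

    'Do nothing' is always a candidate: a control that costs more than the
    risk it removes loses against it, which is the slide's point about cost."""
    do_nothing = Control("do nothing", annual_cost=0.0, residual_fraction=1.0)
    return min([do_nothing, *controls], key=lambda c: annual_cost_with_control(asset, c))


# The slide's example: a $10 000 customer database on a disk that lasts 4 years on average.
CUSTOMER_DB = Asset("customer address database", value=10_000.0, mean_years_between_loss=4.0)

# Constructed candidate controls (hypothetical names and prices).
CONTROLS = [
    Control("nightly backup to tape", annual_cost=800.0, residual_fraction=0.05),      # lose at most a day's updates
    Control("mirrored disks", annual_cost=1_500.0, residual_fraction=0.10),
    Control("replicated storage array", annual_cost=6_000.0, residual_fraction=0.01),  # dearer than the risk
]

if __name__ == "__main__":
    print(f"expected loss per year: ${CUSTOMER_DB.annual_loss_expectancy():,.0f}")
    for c in [Control("do nothing", 0.0, 1.0), *CONTROLS]:
        print(f"{c.name:28s} ${annual_cost_with_control(CUSTOMER_DB, c):,.0f} per year")
    print("best:", cheapest_control(CUSTOMER_DB, CONTROLS).name)
```

The residual fraction is the part of the estimate that is hardest to justify in practice; the slide's point that the result is only a rough guide still holds, but even a rough number is enough to reject the $6 000 control for a $2 500 risk.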


Modern Network Security Perimeter

• Firewalls limit access to the network that they protect

• Encryption protects data in transit

• Cryptographic identification provides strong authentication

• Intrusion detection monitors the integrity of the protected systems


Conventional Network Security

(Diagram: the Internet, with its threats, is separated from the internal network by a firewall; a DMZ holds the WWW server; a VPN server and a VPN gateway connect a protected off-site network)


Practical Reality

(Diagram: besides the VPN server and VPN gateway, the internal network is also reached from the Internet over a direct connection, a modem connection, a PPP over SSH tunnel and a Quake2 station, each of them a path around the firewall)


Host Based Security

• A host on the network is always a potential target

• Threats can be countered by:
— Limiting the available services
— Limiting access to services (e.g. TCP wrapper)

• Once the attacker is inside the host, gaining additional privileges is easier


Firewalls

• Firewalls limit access between networks

• Typically used to protect internal networks from external threats

• Two basic types
— Filtering firewall
— Application level firewall

• Usually both features combined to a hybrid product


Filtering Firewalls

• Each IP packet is inspected and passed on or dropped based on
— Sender and receiver IP address
— Protocol type (TCP, UDP, other)
— Sender and receiver port number
— IP or TCP options, SYN/ACK bits etc.
— Stateful knowledge of connections (e.g. TCP connections may be opened from internal to external networks, and only the replies to those connections are let back in)

• Many routers have most of the basic functionality of a filtering firewall

• Network address translation is an additional feature
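The filtering rules above as a small stateful filter run over constructed traffic. This is an added example, not from the slides or any firewall product; the address ranges (10.0.0.0/8 as the internal network, 192.0.2.10 as the DMZ web server) and the packets are constructed. It shows why the SYN/ACK bits and the connection state both matter: a reply to an outbound connection is accepted only because the outbound SYN was recorded, and a lone ACK from outside, which a pure packet filter would mistake for established traffic, is dropped.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

# Added example, not from the slides. Addresses are constructed: 10.0.0.0/8 is
# assumed to be the internal network and 192.0.2.10 the DMZ web server.
INTERNAL = ip_network("10.0.0.0/8")
DMZ_WEB = "192.0.2.10"


@dataclass(frozen=True)
class Packet:
    iface: str      # "inside" or "outside": which interface the packet arrived on
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class StatefulFilter:
    """Toy stateful packet filter: decide() holds the rule set, self.table the
    connections it has accepted, keyed by the initiator's 4-tuple."""

    def __init__(self) -> None:
        self.table: Set[Tuple[str, int, str, int]] = set()

    def decide(self, p: Packet) -> str:
        # Anti-spoofing: an internal source address cannot arrive from outside (IP spoofing, slide 7).
        if p.iface == "outside" and ip_address(p.src) in INTERNAL:
            return "drop: spoofed internal source address on the outside interface"
        if p.proto != "tcp":
            return "drop: protocol not permitted"
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        # Stateful part: packets of an accepted connection pass in both directions.
        if key in self.table or reverse in self.table:
            return "accept: part of an established connection"
        # Only a SYN without ACK may open a connection; a lone ACK with no state is a probe.
        if not (p.syn and not p.ack):
            return "drop: no matching connection (possible ACK scan)"
        if p.iface == "inside" and ip_address(p.src) in INTERNAL:
            self.table.add(key)
            return "accept: new outbound connection"
        if p.iface == "outside" and p.dst == DMZ_WEB and p.dport == 80:
            self.table.add(key)
            return "accept: new connection to the DMZ web server"
        return "drop: no rule permits this connection"

    def run(self, packets: List[Packet]) -> List[str]:
        return [self.decide(p) for p in packets]


# Constructed traffic, in arrival order.
TRAFFIC = [
    Packet("inside", "tcp", "10.1.2.3", 40000, "198.51.100.7", 80, syn=True),             # browser opens a connection
    Packet("outside", "tcp", "198.51.100.7", 80, "10.1.2.3", 40000, syn=True, ack=True),  # the reply to it
    Packet("outside", "tcp", "203.0.113.5", 5555, DMZ_WEB, 80, syn=True),                 # visitor to the web server
    Packet("outside", "tcp", "203.0.113.5", 5556, "10.1.2.3", 22, syn=True),              # SSH attempt at an internal host
    Packet("outside", "tcp", "203.0.113.5", 5557, "10.1.2.3", 22, ack=True),              # ACK scan: looks established, is not
    Packet("outside", "tcp", "10.9.9.9", 5558, "10.1.2.3", 22, syn=True),                 # spoofed "internal" source
    Packet("outside", "udp", "203.0.113.5", 5559, "10.1.2.3", 53),                        # protocol not in the rule set
]

if __name__ == "__main__":
    for packet, verdict in zip(TRAFFIC, StatefulFilter().run(TRAFFIC)):
        print(f"{packet.src}:{packet.sport} -> {packet.dst}:{packet.dport}  {verdict}")
```

The table here never expires entries; a real filter ages them out and also tracks the FIN/RST teardown, otherwise the state table itself becomes a denial-of-service target.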


Application Level Firewalls

• Application must connect to the firewall
— E.g. HTTP proxy server
— Application must be aware of the firewall

• Firewall can inspect application data
— Prevent ActiveX
— Search for viruses

• Firewall can also be transparent to applications and still work on the application level
— More demanding for the software


Intrusion Detection

• Intrusion detection is the art of detecting security break-ins and attempts
— Network based ID can detect attempts before the break-in
— Host based ID usually detects breaches after the fact
— Intrusion detection demands active monitoring
— Intrusion detection is expensive
— Most people are already doing basic ID by reading logs

• In practice intrusion detection is often too expensive except for special cases
— High risk targets (banks, military networks)
— Network/host behavior is well known


Network Based ID

• Traffic analysis
— Internal profiling
— External profiling
— Detecting anomalies
— Detecting changes in usage

• Content analysis
— Detecting exploits by key strings

• External traffic at or near the firewall

• Internal traffic from the LAN
— Switches present a problem for ID (a sensor on a switched LAN no longer sees every host's traffic)
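Traffic analysis in its simplest form, applied to the "stealthy slow and low" scan of slide 8: a detector that counts how many distinct services one source has probed within a sliding time window. This is an added example, not from the slides or any ID product; the firewall log format and all log lines are constructed. Run with a one-minute window it catches the fast scan and misses the slow one; the same code with a four-hour window catches both, which is the trade-off between memory, false alarms and sensitivity that makes network ID expensive.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Added example, not from the slides. The log format is constructed: one line per
# dropped packet, as a filtering firewall might write it.
LOG_RE = re.compile(r"^(?P<ts>\S+) DROP src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def make_sample_log() -> List[str]:
    """Constructed firewall log: a fast scan of 20 ports in four seconds, a 'low and
    slow' scan of the same 20 ports at one probe per 10 minutes, and a harmless host
    hitting a closed port twice."""
    base = datetime(2000, 5, 12, 10, 0, 0)
    events = []
    for i in range(20):
        events.append((base + timedelta(milliseconds=200 * i), "203.0.113.5", "10.0.0.7", 21 + i))
        events.append((base + timedelta(minutes=10 * i), "198.51.100.9", "10.0.0.7", 21 + i))
    events.append((base + timedelta(minutes=3), "192.0.2.44", "10.0.0.7", 8080))
    events.append((base + timedelta(minutes=7), "192.0.2.44", "10.0.0.7", 8080))
    events.sort()
    return [f"{ts.isoformat()} DROP src={src} dst={dst} dport={port}" for ts, src, dst, port in events]


def detect_scans(lines: List[str], window_seconds: int, threshold: int) -> Dict[str, datetime]:
    """Flag a source once it has probed `threshold` distinct dst:port pairs within
    any window of `window_seconds`. Returns {source: time of the first alert}.
    Lines must be in time order, as a sensor sees them."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)          # src -> deque of (timestamp, (dst, dport))
    alerts: Dict[str, datetime] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                     # not a drop line: skip rather than crash on it
        ts, src = datetime.fromisoformat(m["ts"]), m["src"]
        probes = recent[src]
        probes.append((ts, (m["dst"], int(m["dport"]))))
        while ts - probes[0][0] > window:   # slide the window forward
            probes.popleft()
        if src not in alerts and len({target for _, target in probes}) >= threshold:
            alerts[src] = ts
    return alerts


SAMPLE_LOG = make_sample_log()

if __name__ == "__main__":
    print("60 s window:", sorted(detect_scans(SAMPLE_LOG, 60, 10)))
    print("4 h window: ", sorted(detect_scans(SAMPLE_LOG, 4 * 3600, 10)))
```

The per-source deque is the whole cost of the wider window: a sensor on a busy link must keep hours of history for every source address it has seen, and a scanner who spreads probes over several source addresses defeats the per-source count altogether.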


Host Based ID

• Log analysis

• File verification
— E.g. Tripwire, http://tripwiresecurity.com/

• Anomaly analysis
— System calls
— Statistical analysis
— Software behavior patterns
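File verification in the Tripwire style, as an added example (not Tripwire's code): a baseline of cryptographic hashes is taken while the host is known to be clean, and a later check reports what was added, removed or changed. The directory tree, the rootkit simulation and the HMAC key are constructed. The baseline is authenticated with an HMAC because the first thing an intruder with root does is edit the baseline to match the trojaned files; the key, and ideally the baseline itself, must therefore live off the monitored host.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# Added example, not Tripwire's code. The HMAC key is constructed; in practice it
# stays off the monitored host, and so does the baseline (read-only media is the
# classic choice), because an attacker who can rewrite the baseline can hide.


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, key: bytes) -> dict:
    """Digest, size and mode of every regular file under root, authenticated as a whole."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            entries[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p), "size": st.st_size, "mode": st.st_mode}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, "sha256").hexdigest()}


def check(root: Path, baseline: dict, key: bytes) -> Dict[str, List[str]]:
    """Compare the file system with the baseline. Refuses a baseline whose MAC does not verify."""
    body = json.dumps(baseline["entries"], sort_keys=True).encode()
    if not hmac.compare_digest(baseline["mac"], hmac.new(key, body, "sha256").hexdigest()):
        raise ValueError("baseline does not verify: it has been modified")
    old, new = baseline["entries"], build_baseline(root, key)["entries"]
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(f for f in set(old) & set(new) if old[f] != new[f]),
    }


def demo() -> Dict[str, List[str]]:
    """Baseline a tiny constructed tree, then simulate a rootkit install and check."""
    key = b"constructed-example-key"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "login").write_bytes(b"original login program\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        baseline = build_baseline(root, key)
        # the intruder replaces login, drops a process-hiding ps and adds a second root account
        (root / "bin" / "login").write_bytes(b"trojaned login program that records passwords\n")
        (root / "bin" / "ps").write_bytes(b"process-hiding ps\n")
        with open(root / "etc" / "passwd", "a") as f:
            f.write("toor:x:0:0:backdoor:/root:/bin/sh\n")
        return check(root, baseline, key)


def tampered_baseline_is_rejected() -> bool:
    """An intruder who edits the baseline to match the trojaned file is still caught."""
    key = b"constructed-example-key"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "login").write_bytes(b"original\n")
        baseline = build_baseline(root, key)
        (root / "login").write_bytes(b"trojaned\n")
        baseline["entries"]["login"]["sha256"] = file_digest(root / "login")
        try:
            check(root, baseline, key)
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print(demo())
    print("tampered baseline rejected:", tampered_baseline_is_rejected())
```

This is the "after the fact" detection the previous slide describes: the check only fires when it is run, so it has to be scheduled, and a kernel-level rootkit that lies to the checker about file contents is out of its reach.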


Secret Key (Symmetric) Cryptography

• Encryption and decryption are based on the same key

• Algorithms are usually built from bit pattern substitutions and bit transpositions

• Usually efficient and fast: suitable for encryption of large amounts of data

• Main problem is how to get the secret key to both participants

(Diagram: Message, encrypted with the secret key S, becomes the ciphertext "X#9Z"; decrypted with the same key S it becomes the Message again)


Public Key (Asymmetric) Crypto

• Encryption and Decryption use separate keys

• Keys are related to each other by a mathematical relation
— The public key can literally be published: there is no practical way to derive the private key from it

• Whatever is encrypted with one key can be decrypted with the other key (this holds for RSA; other public key algorithms keep encryption and signing separate)

• Encrypting with the private key proves possession of that key, and so the identity of the sender

(Diagram: Message encrypted with the public key Pub becomes "X#9Z" and is decrypted with the secret key Sec; Message encrypted with Sec becomes "G804" and is decrypted with Pub)


Hash Functions

• A cryptographic checksum of the data (one way function)

• Computationally infeasible to invert or to forge: one cannot find an input with a given hash, nor two inputs with the same hash


Cryptographic Combinations

• Confidentiality is usually provided by encrypting the data with a secret key algorithm and by encrypting the secret key with a public key algorithm

• A message can be signed by encrypting the hash of the message with the private key; this can be used for non-repudiation

• A user can be authenticated by proving possession of the private key: the user encrypts a fresh challenge chosen by the verifier (fresh, so that a recorded answer cannot be replayed)

• Hashes protect the integrity of data


PGP & SSH

• PGP (Pretty Good Privacy) encrypts e-mail
— Sender must know the receiver's public key
— Users can certify each other's keys

• SSH (Secure SHell) provides an encrypted TCP connection between two hosts on the network
— Replaces the Berkeley R-tools (rlogin, rcp, rsh)
— Any TCP connection can be tunneled over SSH

• Both are vulnerable to a "man in the middle" attack unless the key is checked
— The PGP key must be verified
— The SSH client does not know the host key until the first connection (it must be verified out of band then, and a changed host key treated as an alarm)


SSH key exchange in action

• The client contacts a server (a TCP connection is initiated)

• The server sends two public keys (server key and host key) and the available algorithms

• The client simultaneously sends its available algorithms

• The client creates a session key (symmetric), encrypts it with both of the server's public keys and sends it to the server

• A shared secret is now formed and a session is started

• Either side may request a renegotiation of keys

• User authentication is done after this

(The original slide is titled "SSH 2.0 in action", but the exchange above is the protocol 1 key exchange. SSH 2.0 instead derives the session key with a Diffie-Hellman exchange that the server signs with its host key, so the session key itself is never sent over the wire.)
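The combinations of slide 26 in working form: bulk data under a fresh secret key, that key under the recipient's public key, and a signature made by transforming the message hash with the sender's private key. The key-wrapping step is the same thing the client does in the SSH key exchange described above when it encrypts the session key with the server's public key. This is an added example, not from the slides or any product: the RSA keys are textbook RSA over well-known Mersenne primes (deterministic and short, but trivially breakable and unpadded), the "stream cipher" is SHA-256 in counter mode standing in for a block cipher, and the message is constructed.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Added example, not from the slides or any product. Textbook RSA over fixed,
# well-known Mersenne primes keeps the example deterministic and short; it is
# trivially breakable and has no padding. Real code uses a library with OAEP/PSS.
# The "stream cipher" is SHA-256 in counter mode, standing in for a block cipher.
Key = Tuple[int, int]   # (modulus, exponent)


def make_key(p_exp: int, q_exp: int) -> Tuple[Key, Key]:
    p, q = (1 << p_exp) - 1, (1 << q_exp) - 1          # Mersenne primes for these exponents
    n, e = p * q, 65537
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))   # (public, private)


def rsa_apply(key: Key, value: int) -> int:
    n, exponent = key
    assert 0 < value < n, "value must be smaller than the modulus"
    return pow(value, exponent, n)


def keystream(seed: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
    return bytes(out[:length])


def secret_key_encrypt(key: bytes, data: bytes) -> bytes:
    """Encrypt with the secret key, then MAC: the hash protects integrity (slide 26)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, keystream(nonce + key, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def secret_key_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("ciphertext was modified")
    return bytes(a ^ b for a, b in zip(ct, keystream(nonce + key, len(ct))))


def hybrid_encrypt(recipient_public: Key, data: bytes) -> Tuple[int, bytes]:
    """Bulk data under a fresh secret key; the secret key under the recipient's public key."""
    session_key = os.urandom(32)
    wrapped_key = rsa_apply(recipient_public, int.from_bytes(session_key, "big"))
    return wrapped_key, secret_key_encrypt(session_key, data)


def hybrid_decrypt(recipient_private: Key, wrapped_key: int, blob: bytes) -> bytes:
    session_key = rsa_apply(recipient_private, wrapped_key).to_bytes(32, "big")
    return secret_key_decrypt(session_key, blob)


def sign(private: Key, data: bytes) -> int:
    """Signature = hash of the message, transformed with the private key."""
    return rsa_apply(private, int.from_bytes(hashlib.sha256(data).digest(), "big"))


def verify(public: Key, data: bytes, signature: int) -> bool:
    return rsa_apply(public, signature) == int.from_bytes(hashlib.sha256(data).digest(), "big")


def demo() -> Tuple[bytes, bool, bool, bool]:
    """Alice sends Bob a signed, encrypted message; Bob decrypts and verifies, and
    also sees that a forged message and a modified ciphertext are rejected."""
    alice_pub, alice_priv = make_key(127, 521)
    bob_pub, bob_priv = make_key(607, 1279)
    message = b"Transfer 100 EUR to account 12345"          # constructed message
    wrapped_key, blob = hybrid_encrypt(bob_pub, message)
    signature = sign(alice_priv, message)
    recovered = hybrid_decrypt(bob_priv, wrapped_key, blob)
    forged_ok = verify(alice_pub, message.replace(b"100", b"900"), signature)
    flipped = blob[:20] + bytes([blob[20] ^ 1]) + blob[21:]   # one bit of ciphertext changed
    try:
        hybrid_decrypt(bob_priv, wrapped_key, flipped)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return recovered, verify(alice_pub, message, signature), forged_ok, tamper_detected


if __name__ == "__main__":
    print(demo())
```

Note what the man-in-the-middle warning of the previous slide means here: hybrid_encrypt trusts whatever public key it is handed, so if an attacker can substitute their own key for Bob's, they can unwrap the session key; nothing in the mathematics detects that. Only verifying the key (PGP web of trust, SSH host key check, certificates) does.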


Certificates

• A certificate is a cryptographically signed formal statement, which certifies a public key with some properties, like identity or access permissions

• To verify the certificate the end user must have the public key of the signer
— Or a certificate loop must be formed, with an unbroken chain of trust starting from the verifier

• Certificates can be issued by trusted third parties


S/MIME & SSL

• Certificate based authentication from a trusted third party
— Why should we trust the third party?

• S/MIME (Secure/Multipurpose Internet Mail Extensions)
— E-mail encryption and signature

• SSL (Secure Socket Layer)
— Encrypted TCP connection, with server side authentication
— Used mostly for WWW services


IPSec

• A protocol suite designed by the Internet Engineering Task Force (IETF) in 1995 - 1999

• Describes a standard architecture for securing Internet traffic at the IP layer

• A fixed part of IPv6, optional for the current IP protocol, IPv4

• Documented by the IETF as a set of Request For Comments (RFC) papers
— The main document is RFC 2401: "Security Architecture for the Internet Protocol" (since superseded by RFC 4301)

• Independent of the cryptographic algorithms used

• Independent of the key management protocol


IPsec Security Services

• Access control

• Connectionless (per-packet) integrity

• Data origin authentication

• Anti-replay service

• Confidentiality

• Limited traffic flow confidentiality


IPSec Summary

In short, the most important features of IPSec are:

• Cryptographic protection of Internet traffic for all protocols and applications running over IP

• IPSec security services are transparent for applications and users

• IPSec enables construction of Virtual Private Networks

• Good support for implementing and maintaining an organization’s security policy

• High level of flexibility allows IPSec to be run over various types of public key infrastructure.


Certificate based Policy Management

• Certificates express trust

• Authorization can be bound to a public/private key with a certificate
— Identity is not important

• Authorization certificates can be chained


SPKI Certificates

• Simple Public Key Infrastructure

• Published as Experimental RFCs (RFC 2692 and RFC 2693)

• The most important fields of a SPKI certificate
— Issuer
— Subject
— Delegation
— Tag (i.e. authorization)
— Validity
— Signature


Creating trust with a certificate loop

(Diagram: a chain of three authorization certificates, each written as (issuer, subject, tag), runs from the verifier's own key to the peer's key)
— The verifier (Self key) issues (Self key, Trusted Party's key, trusted for signalling)
— Some trusted party (TPV key) issues (Trusted Party's key, Another Party's key, trusted for signalling)
— Another trusted party (TPP key) issues (Another Party's key, Peer key, trusted for signalling)
— The peer closes the loop by proving possession of the Peer key to the verifier
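The loop above, and the SPKI fields of the previous slide, as a chain validator. This is an added example, not code from the slides or from the SPKI RFCs: keys are textbook RSA over known Mersenne primes (insecure, but deterministic and short), the certificate encoding is a constructed JSON form rather than SPKI's S-expressions, and the parties, tags and times are constructed. It shows the rules that make key-based authorization work without identities: each issuer must be the previous subject, the authorization can only shrink along the chain (tag intersection), every link but the last must permit delegation, and the peer at the end proves possession of its key with a fresh challenge.

```python
import hashlib
import json
import os
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional, Tuple

# Added example of SPKI-style authorization chains, not code from the slides or
# the SPKI RFCs. Keys are textbook RSA over known Mersenne primes (insecure, but
# deterministic and short); the certificate encoding is a constructed JSON form,
# not SPKI's S-expressions.
Key = Tuple[int, int]   # (modulus, exponent)


def make_key(p_exp: int, q_exp: int) -> Tuple[Key, Key]:
    p, q = (1 << p_exp) - 1, (1 << q_exp) - 1
    n, e = p * q, 65537
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))   # (public, private)


def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def rsa_sign(private: Key, data: bytes) -> int:
    return pow(digest_int(data), private[1], private[0])


def rsa_verify(public: Key, data: bytes, signature: int) -> bool:
    return pow(signature, public[1], public[0]) == digest_int(data)


@dataclass(frozen=True)
class Cert:
    """The slide's fields: issuer, subject, delegation, tag, validity, signature."""
    issuer: Key
    subject: Key
    delegate: bool            # may the subject pass the authorization on?
    tag: FrozenSet[str]       # the authorization itself, e.g. "signalling"
    not_before: int
    not_after: int
    signature: int = 0

    def to_be_signed(self) -> bytes:
        return json.dumps([self.issuer, self.subject, self.delegate,
                           sorted(self.tag), self.not_before, self.not_after]).encode()


def issue(issuer: Tuple[Key, Key], subject: Key, delegate: bool, tag, not_before: int, not_after: int) -> Cert:
    public, private = issuer
    cert = Cert(public, subject, delegate, frozenset(tag), not_before, not_after)
    return replace(cert, signature=rsa_sign(private, cert.to_be_signed()))


def validate_chain(verifier: Key, chain: List[Cert], peer: Key, permission: str, now: int) -> Optional[str]:
    """None if the chain, starting from the verifier's own key, authorizes `peer`
    for `permission` at time `now`; otherwise the reason it does not."""
    expected_issuer, allowed = verifier, None
    for i, cert in enumerate(chain):
        if cert.issuer != expected_issuer:
            return f"cert {i}: issuer is not the previous subject"
        if not rsa_verify(cert.issuer, cert.to_be_signed(), cert.signature):
            return f"cert {i}: signature does not verify"
        if not cert.not_before <= now <= cert.not_after:
            return f"cert {i}: outside its validity period"
        if i < len(chain) - 1 and not cert.delegate:
            return f"cert {i}: subject may not delegate"
        allowed = cert.tag if allowed is None else allowed & cert.tag   # authorization can only shrink
        expected_issuer = cert.subject
    if expected_issuer != peer:
        return "chain does not end at the peer's key"
    if not allowed or permission not in allowed:
        return f"chain does not grant '{permission}'"
    return None


def demo() -> Tuple[Optional[str], Optional[str], Optional[str], Optional[str], bool]:
    verifier, tpv, tpp, peer = make_key(127, 521), make_key(607, 1279), make_key(2203, 127), make_key(2281, 607)
    now = 960_000_000                                    # constructed "current time"
    chain = [   # the slide's loop: self key -> trusted party -> another party -> peer
        issue(verifier, tpv[0], True, {"signalling"}, now - 10, now + 1000),
        issue(tpv, tpp[0], True, {"signalling", "billing"}, now - 10, now + 1000),
        issue(tpp, peer[0], False, {"signalling"}, now - 10, now + 1000),
    ]
    ok = validate_chain(verifier[0], chain, peer[0], "signalling", now)
    no_billing = validate_chain(verifier[0], chain, peer[0], "billing", now)
    stranger = make_key(3217, 127)
    extended = chain + [issue(peer, stranger[0], False, {"signalling"}, now - 10, now + 1000)]
    over_delegated = validate_chain(verifier[0], extended, stranger[0], "signalling", now)
    expired = validate_chain(verifier[0], chain, peer[0], "signalling", now + 5000)
    challenge = os.urandom(32)   # the peer closes the loop by proving possession of its key
    possession = rsa_verify(peer[0], challenge, rsa_sign(peer[1], challenge))
    return ok, no_billing, over_delegated, expired, possession


if __name__ == "__main__":
    print(demo())
```

Nothing in the validator ever looks at a name: the verifier's policy is the first certificate, which it signed itself, and trust flows only along the links it chose to delegate through. That is the sense in which the earlier slide says identity is not important.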


Summary

• Data security requires planning
— Implementing technology without a security policy is useless

• Firewalls limit the effects of attacks

• Intrusion detection is a possible, but expensive solution

• Cryptography is the fastest developing area
— Cryptography can be applied to different uses at different network levels
— Certificate based policy management is the newest area

