Lecture 30 Computer Security - PowerPoint PPT Presentation

1
Lecture 30 Computer Security
  • Phillip G. Bradford
  • Computer Science
  • The University of Alabama

2
Outline
  • Introduction and Overview of Secure Socket Layers (SSL)
  • Introduction to Firewalls

3
Objectives
  • Give a working knowledge of SSL
  • Understand key issues for SSL
  • Prepare detailed knowledge for building on SSL
  • Give a working knowledge of Firewalls
  • Understand the Basic Issues

4
References
  • Freier, A. O., P. Karlton and P. C. Kocher.
    Secure socket layer 3.0, November 1996. IETF
    Draft. http://wp.netscape.com/eng/ssl3/ssl-toc.html
  • William Stallings. Cryptography and Network
    Security, 3rd Edition. Prentice Hall, 2003.

5
Secure Socket Layer (SSL)
  • History
  • Unix Sockets and Pipes
  • Sockets and TCP/IP
  • Netscape
  • IETF
  • Goal: privacy and reliability between two
    communicating applications

6
SSL Detailed Goals
  • Secure Crypto Connection between two parties
  • Interoperability with different programs
  • Invisible to end-users
  • Extensibility: add new Cryptographic Methods as
    they appear
  • Relative Efficiency

7
SSL, Cont.
  • Two Layers
  • Low Level: Record Protocol (built on TCP/IP)
    encapsulates higher level protocols
  • Top Level Protocol: Handshake protocol
  • Server and Client Authenticate Each Other
  • Negotiates Encryption Algorithms and Keys
  • Top Level: Various Application Protocols
  • Different programs
  • Netscape, IE, etc.

8
The SSL Big Picture
Applications: HTTP, FTP, Telnet, etc.
SSL
Transport Layer: TCP/IP

9
Secure Socket Layer (SSL)
  • Originally by Netscape
  • Motivation
  • Secures Browser Transactions
  • Gives
  • Encryption for data
  • Message Integrity
  • Server Authentication
  • Allows Client authentication

10
SSL
  • IETF Internet Standard
  • TLS (Transport Layer Security) RFC 2246
  • SSL is actually a layer of protocols
  • URLs that must have an SSL connection are prefixed
    with https, not http
  • Uses TCP to give reliable and secure
    point-to-point

11
SSL Protocols
  • High Level Protocols
  • SSL Record Protocol
  • Encapsulates data from higher-level protocols
  • Lets SSL take care of it
  • Example: HTTP on top of SSL
  • Handshake Protocol
  • Protocol Version
  • Negotiate Cryptographic Algorithms
  • Authenticate
  • Generate Shared Secrets

12
SSL Protocols
  • High Level SSL Protocols Continued
  • Change Cipher-Spec Protocol
  • Symmetric Encryption Algs (DES, IDEA, etc.)
  • Asymmetric Algorithms (RSA, DH, etc.)
  • MAC Algorithms (MD5, SHA-1, etc.)
  • Alert Protocol

13
SSL Protocol Stack
  • From Stallings' book
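
Added example (not part of the original slides): a minimal Python parser for the SSL Record Protocol header, showing how each record's content type identifies which higher-level protocol (Handshake, Change Cipher Spec, Alert, or application data such as HTTP) it encapsulates. The function names and the sample stream with its placeholder, unencrypted bodies are constructed for illustration; the content-type and version numbers are those of SSL 3.0 / TLS 1.0 (RFC 2246).

```python
import struct

# Record-layer content types: one per higher-level SSL protocol.
CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0"}
MAX_FRAGMENT = 2**14 + 2048  # largest record body the protocol allows


def parse_records(stream: bytes):
    """Split a stream into (protocol, version, body) records; ValueError if malformed."""
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype}")
        if (major, minor) not in VERSIONS:
            raise ValueError(f"unsupported version {major}.{minor}")
        if length > MAX_FRAGMENT:
            raise ValueError("record length exceeds protocol maximum")
        body = stream[offset + 5 : offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        records.append((CONTENT_TYPES[ctype], VERSIONS[(major, minor)], body))
        offset += 5 + length
    return records


def record(ctype: int, body: bytes, version=(3, 0)) -> bytes:
    """Build one record (hypothetical helper for the constructed sample below)."""
    return struct.pack("!BBBH", ctype, *version, len(body)) + body


# Constructed sample: placeholder bodies, not a real captured session.
SAMPLE = (
    record(22, b"\x01\x00\x00\x00")      # handshake (placeholder message bytes)
    + record(20, b"\x01")                # change cipher spec
    + record(21, b"\x01\x00")            # alert: warning, close_notify
    + record(23, b"GET / HTTP/1.0\r\n")  # HTTP carried as application data
)
```

Calling `parse_records(SAMPLE)` returns the four records in order, one per protocol named on the slides; in a real session the bodies after Change Cipher Spec would be encrypted and MACed.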

14
SSL
  • SSL Connection
  • Transport Layer Connection
  • One peer-to-peer connection
  • SSL Session
  • Client-Server association
  • Avoid expensive negotiation
  • Share security parameters among several
    connections

15
Fire-Wall FAQ
  • Filter in/out access control
  • Access control consistency
  • Covers bad application protocols
  • Cost/Service benefit
  • Level of Network
  • Application Level
  • ftp
  • Proxy
  • Direct

16
Fire-Wall FAQ, Cont.
  • Allow only what is necessary
  • Consider Space between Extranet and Intranet to
    be DMZ
  • Try to isolate a single point of failure
  • There are few technical solutions for social
    problems
  • Watch
  • ICMP Re-directs
  • Proxies and Mirrored Data
  • DNS Spoofing, IP hijacking, etc.

17
Fire-Wall FAQ, Cont.
  • Watch for
  • Port Scans
  • Sniffing
  • Password (use RSA, etc.)
  • Clear Text Sniffing
  • Preventatives
  • Use sniffers yourself
  • Monitor traffic
  • Anomaly Detection

18
Fire-Wall Heuristics
  • Increase the level of security as you go into
    your network site
  • In other words: Inner fire-walls stronger than
    outer fire-walls
  • Why?
  • Partition Intranet and Extranet into security
    zones, possibly orthogonal to each other
  • Include an experienced human in the loop